Ranking Digital Rights - Phase 1 methodology Feedback
NOTE: The answers and information that you share in this form will be seen only by members of the Ranking Digital Rights team. If you would like to share your feedback publicly please do so via this link:

http://comments.rankingdigitalrights.org/indicators-general-human-rights/ 

Prior to filling out this form please refer to the project website for further explanation and context:

http://rankingdigitalrights.org/project-documents/phase-1-draft-methodology-v2/

Or download this PDF document:

http://rankingdigitalrights.org/wp-content/uploads/2014/05/RDRmethodology_v2_May28-FINAL.pdf   

Important points to remember when reviewing the indicators below:

Specifics of scoring and weighting are being developed as part of a more detailed Implementation Guide that will be tested during the pilot phase, then revised and finalized prior to implementation.

A few indicators are followed by bullet point lists headed “elements to be assessed in scoring.” When completed, the Implementation Guide will include much more detailed lists and precise guidelines on scoring. In this draft we have included these lists only in cases where we deemed their inclusion necessary at this stage to clarify the indicator’s meaning and purpose.

The detailed criteria for scoring most of the other indicators remain under development, to be finalized after the indicators themselves have been finalized at the end of this public consultation phase.

The question of how scoring will take into account subsidiaries, as well as differences across different jurisdictions in company policies/practices, will also be resolved during the course of the pilot study.
GENERAL HUMAN RIGHTS
The company demonstrates a commitment to respect the human rights—particularly the rights to freedom of expression and privacy as articulated by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights—of the users of its digital products and services.
G1. Does the company regularly conduct human rights impact assessments (HRIA) addressing how the company’s products and services affect the freedom of expression and privacy of its users?
Elements to be assessed in scoring:
If the company publishes information about its HRIA process;
If the company publishes information about its HRIA results;
If the company publishes information about what progress it has made in implementing measures to mitigate negative outcomes for users’ freedom of expression and privacy.

G1 What do you think about this indicator?
For more information about Human Rights Impact Assessments and best practices in conducting them see this special page hosted by the Business & Human Rights Resource Centre: http://www.business-humanrights.org/UNGuidingPrinciplesPortal/ToolsHub/Companies/StepTaken/ImpactAssessment.
G1 comments and suggestions:
G2. Is the company’s HRIA process comprehensive?
Elements to be assessed in scoring:
Engagement with stakeholders, including human rights experts and potentially affected groups;
Examination of laws affecting privacy and freedom of expression in jurisdictions where the company operates to inform company policies and practices for mitigating risks to users’ rights;
Ongoing examination of existing products and services that may pose free expression and privacy risks;
Examination of free expression and privacy risks associated with the launch and/or acquisition of new products or services;
Examination of free expression and privacy risks associated with entry into new markets;
Examination of free expression and privacy risks associated with how the processes and mechanisms used to enforce the company’s Terms of Service unrelated to government requirements may affect the freedom of expression and/or privacy of those who use its products or services.
G2 What do you think about this indicator?
An HRIA whose existence is not made public does not exist for the purposes of this ranking. Note that this question is not seeking details or results of the HRIA. Rather, it seeks demonstrated commitment to include the listed issue areas as part of its HRIA. See methodology document linked above for list of elements to be assessed in scoring.
G2 comments and suggestions:
G3. Is the company’s HRIA process assured by an independent external third party?
Elements to be assessed in scoring:
If it is assured by an external organization hired by the company (e.g., accounting or consulting firm);
If the work of that assuring organization has been accredited and supervised by an independent and credible multi-stakeholder organization.  
G3 What do you think about this indicator?
A credible multi-stakeholder organization includes and is governed by members of at least three other stakeholder groups besides industry: civil society, investors, academics, at-large user or customer representatives, technical community, and/or government. Its funding model derives from more than one type of source (corporations, governments, foundations, public donations, etc.). Its independence, rigor, and professionalism are of a high standard, with strong participation by human rights organizations that themselves have solid track records of independence from corporate and/or government control. The implementation guidelines for this methodology should include further information about what constitutes a credible multi-stakeholder organization, with appropriate examples.
G3 comments and suggestions:
G4. Do/does the CEO and/or other top officers of the company make meaningful efforts to advance users’ rights, including freedom of expression and privacy?  
G4 What do you think about this indicator?
Full points for CEO involvement plus other top officers, partial for top officers but not CEO. May include membership in industry initiatives as well as multi-stakeholder organizations and initiatives if clearly supported by top corporate officers. Scoring will require substantial and specific guidance, with examples, in the implementation guidelines.
G4 comments and suggestions:
G5. Does the company commit to narrowly interpret government requests and seek clarification or modification from authorized officials before complying when government requests appear overbroad, unlawful, not required by applicable law or inconsistent with international human rights laws and standards on privacy and freedom of expression?  
G5 What do you think about this indicator?
See the Global Network Initiative’s Implementation Guidelines: http://globalnetworkinitiative.org/implementationguidelines/index.php
G5 comments and suggestions:
G6. Are the company’s Terms of Service (ToS) freely available in plain and accessible language without having to sign up or make a purchase?
G6 What do you think about this indicator?
Scoring includes whether the ToS are in major languages understood by its users. If terms are public for customer service or marketing websites but not actual core services, this score would be zero. For the purposes of this methodology “Terms of Service” are the same as “Terms of Use,” “Terms and Conditions,” etc.
G6 comments and suggestions:
G7. Does the company give meaningful notice when it changes its Terms of Service?
G7 What do you think about this indicator?
Meaningful notice not only relates to the visibility, format, and clarity of the notice but also the length of time between when notice is given and when the terms actually change. (For example, some companies provide notice one week in advance, others provide it two weeks in advance, etc.) Guidelines for scoring these distinctions will be spelled out in more detail in the Implementation Guide.
G7 comments and suggestions:
G8: Does the company allow anonymous or pseudonymous use of the service?
Elements to be assessed in scoring:
If anonymous or pseudonymous usage is permitted with no account verification;
If anonymous or pseudonymous usage is permitted after an account has been verified using another potentially anonymous service (e.g., email activation);
If anonymous or pseudonymous usage is permitted when using a third-party identity service that allows pseudonyms;
If anonymous or pseudonymous usage is permitted when using a third-party identity service that enforces a real ID policy;
If the ToS require “real name” usage but the company does not require users to verify by submitting government issued identification to company staff;
If users must submit a government-issued ID upon request or face account termination;
If users are required to submit a government-issued ID at time of service registration.
G8 What do you think about this indicator?
G8 comments and suggestions:
G9. Does the company have a mechanism to receive complaints and provide remedy to users who believe that their rights have been violated by the company?  
G9 What do you think about this indicator?
(For discussion of remedy in the ICT sector context please see Peter Micek and Jeff Landale, “The Forgotten Pillar: The Telco Remedy Plan,” Access, May 2013, at: https://s3.amazonaws.com/access.3cdn.net/fd15c4d607cc2cbe39_0nm6ii982.pdf and the European Commission’s “ICT Sector Guide for Implementing the UN Guiding Principles on Business and Human Rights” at: http://www.ihrb.org/pdf/eu-sector-guidance/EC-Guides/ICT/EC-Guide_ICT.pdf)
G9 comments and suggestions:
G10. If the company intercepts, examines, and/or filters data packets transmitted by or to its users does it disclose in plain and accessible language whether it does so?
Elements to be assessed in scoring:
If the company discloses the fact;
If it also discloses the purposes for doing so.
G10 What do you think about this indicator?
In the pilot phase we will work with technologists to establish a process for verifying companies’ claims. See methodology document linked above for list of elements to be assessed in scoring.
G10 comments and suggestions:
FREEDOM OF EXPRESSION
The company respects the right to freedom of expression of users and works to avoid contributing to actions that may interfere with this right, except where such actions are lawful, proportionate and for a justifiable purpose.
F1. Does the company publish information in plain and accessible language in its Terms of Service, or in another prominent location, that explains to users the reasons their accounts or access to the service may be deleted, removed, deactivated, or otherwise limited?
F1 What do you think about this indicator?
F1 comments and suggestions:
F2. Does the company publish information in plain and accessible language in its Terms of Service, or in another prominent location, about its process for evaluating and responding to government requests to remove, filter, or restrict access to content?
F2 What do you think about this indicator?
"Government requests" includes law enforcement, national security, regulatory bodies, courts of law, etc.
F2 comments and suggestions:
F3. Does the company publish information in plain and accessible language in its Terms of Service, or in another prominent location, about its process for evaluating and responding to requests made by private entities (including private individuals) to remove, filter, or restrict access to content?
F3 What do you think about this indicator?
Private requests include requests by businesses, non-governmental organizations, and any other entities that are not part of the government. Also includes subpoenas directly from attorneys in private litigation.
F3 comments and suggestions:
F4. Does the company publish data at regular intervals about the number of government requests it receives to remove, filter, or restrict access to content, plus data about the extent to which the company complies with such requests, if permissible under law?
F4 What do you think about this indicator?
(See definition of government requests above)
F4 comments and suggestions:
F5. Does the company publish data at regular intervals about the volume and nature of requests from private entities to remove, filter, or restrict access to content, plus data about the extent to which the company complies with such requests?
F5 What do you think about this indicator?
(Includes copyright “notice and takedown”, defamation claims, etc.)
F5 comments and suggestions:
F6. Does the company publish data at regular intervals about the volume of content removed, filtered, or restricted for violating the company’s Terms of Service for reasons unrelated to government or private requests covered by F4 and F5?  
F6 What do you think about this indicator?
(For the implementation guide: Most ToS stipulate that illegal content/activity is not allowed on their service, but many companies also restrict content in their ToS that is not illegal in at least some jurisdictions where they operate. This question thus covers two types of situations: 1) content removal/restriction that companies carry out without having received a government request but based on an internal decision made by company employees that the content is illegal; 2) Removal/restriction of content that is legal but nonetheless violates the company’s ToS.)
F6 comments and suggestions:
F7. If the company removes, filters, or restricts access to content does it provide explanation to affected users?
F7 What do you think about this indicator?
For this question, the implementation guide will clarify what constitutes meaningful explanation.
F7 comments and suggestions:
F8. When the company complies with a request for content removal, filtering, or restriction in one jurisdiction, does it allow the content to remain visible in other jurisdictions where it is legal?
F8 What do you think about this indicator?
F8 comments and suggestions:
F9. (For telecommunications services) If the company prioritizes transmission or delivery of different types of content (e.g., bandwidth shaping or throttling) does it disclose the use and purpose of such techniques?
Elements to be assessed in scoring:
If it does not carry out content prioritization;
If it discloses that it carries out content prioritization;
If it discloses the purpose of any content prioritization.

F9 What do you think of this indicator?
Verification of this information will require collaboration with projects such as M-Lab.
F9 comments and suggestions:
F10. (For Internet services) Has the company entered into agreements with mobile and/or fixed line Internet service provider(s) for prioritization or special access by subscribers, and if so does it disclose basic information about the existence and nature of such agreements?
F10 What do you think about this indicator?
F10 comments and suggestions:
PRIVACY
Respects users’ right to privacy and shows a commitment to avoid contributing to actions that may interfere with users’ privacy, except where such actions are lawful, proportionate and for a justifiable purpose.  
P1. Does the company have a privacy policy, or policies, that are freely available in plain and accessible language?  
P1 What do you think about this indicator?
(Factors considered in scoring include whether the policies are in all the major languages understood by its users.)
P1 comments and suggestions:
P2. Does the company give meaningful notice to users when it changes its privacy policy?
P2 What do you think of this indicator?
Definition of meaningful notice (how many weeks or days) will be detailed in the implementation guide.
P2 comments and suggestions:
P3. Does the company disclose what personally identifiable information about the user (including metadata) is collected, how it is collected, and why?  
P3 What do you think about this indicator?
(This methodology defines PII as information connected to an identified or identifiable person.)
P3 comments and suggestions:
P4. Does the company disclose how long personally identifiable information about the user (including metadata) is retained, what data may be retained for longer periods in an anonymized form, and why?
P4 What do you think about this indicator?
(Includes when applicable clear disclosure about what data is stored in anonymized format, under what conditions, and to what uses.)
P4 comments and suggestions:
P5. Does the company publish information about which legal jurisdictions user data is known, or highly likely, to be subject to while in storage and/or in transit?
P5 What do you think about this indicator?
P5 comments and suggestions:
P6. Does the company disclose what personally identifying information (including metadata) may be shared with which government entities and why?
P6 What do you think about this indicator?
P6 comments and suggestions:
P7. Does the company publish its process for evaluating and responding to government requests for stored user data or real-time communications, including the legal basis for complying with such requests?
P7 What do you think about this indicator?
P7 comments and suggestions:
P8. Does the company publish its process for evaluating and responding to private requests for user data?
P8 What do you think about this indicator?
P8 comments and suggestions:
P9. When legally possible, does the company commit to notify users when their data has been shared with or accessed by a government authority?
P9 What do you think about this indicator?
(One demonstration of this commitment would be if the company publishes examples of this type of notification and general circumstances under which such notices are sent to a user.)
P9 comments and suggestions:
P10. Does the company commit to notify users when their data has been shared with private parties?
P10 What do you think about this indicator?
(One demonstration of this commitment would be if the company publishes examples of this type of notification and general circumstances under which such notices are sent to a user.)
P10 comments and suggestions:
P11. Does the company publicly report at regular intervals the number of government requests received for user data, and the number (or percentage) of requests complied with?
P11 What do you think about this indicator?
(Such requests include stored data as well as real-time intercepts from law enforcement, national security, regulatory bodies, courts of law, etc. Companies should categorize different types of data requests as and where applicable. Implementation guidelines for this question will be informed by ongoing research processes underway by several different organizations to develop best practice standards for transparency reporting.)
P11 comments and suggestions:
P12. Does the company publicly report at regular intervals the number of requests made by private entities for user data and the number (or percentage) of requests complied with?  
P12 What do you think about this indicator?
(Includes requests made through civil subpoenas or other requests connected to civil complaints. The implementation guide will provide more detail about the categories of private requests including: requests made through law firms, direct requests by family members of deceased persons, etc.)
P12 comments and suggestions:
P13. Does the company have a clear published policy requiring third-party agents that have access to personally identifiable information to abide by its privacy standards?
P13 What do you think about this indicator?
(Third-party agents refer to those who carry out tasks on a company’s behalf (e.g., payment processors, shippers). The term does not include “independent third parties,” which partner with the company and have their own privacy policies (e.g., app developers).)
P13 comments and suggestions:
P14. Does the company provide a comprehensive list of third parties with which it shares users’ personally identifiable information, indicating what information it shares with which specific third party and for what purpose?
P14 What do you think about this indicator?
P14 comments and suggestions:
P15. Does the company publish clear information about when user communications may be accessible to third parties (even when not actively shared with them)?
P15 What do you think about this indicator?
P15 comments and suggestions:
P16. Does the company publish clear information about whether it collects user data from third parties, and if so how and why it does so?
P16 What do you think about this indicator?
P16 comments and suggestions:
P17. Does the company allow users to opt in or opt out of the collection of personally identifiable information not essential to providing the company’s core services?  
Elements to be assessed in scoring:
If the user can opt out for some services but not all;
If the user can opt out for all services;
If the user is offered a mix of opt out and opt in for different services;
If the user can opt in for all services.
P17 What do you think about this indicator?
(Whether the company explains how in a clear and accessible manner is also considered. See methodology document linked above for list of elements to be assessed in scoring.)
P17 comments and suggestions:
P18. Does the company allow users to opt in or opt out of the sharing of personally identifiable information not essential to providing the company’s services?  
Elements to be assessed in scoring:
If the user can opt out for some services but not all;
If the user can opt out for all services;
If the user is offered a mix of opt out and opt in for different services;
If the user can opt in for all services.
P18 What do you think about this indicator?
(Whether the company explains how in a clear and accessible manner is also considered.)
P18 comments and suggestions:
P19. Do users have the right to view, download, or change all of the personally identifiable information about them that the company holds?
Elements to be assessed in scoring:
If the company allows users to view that data;
If the company allows users to receive a copy of that data;
If that data is in an interoperable format;
If the company allows users to make changes to (including permanently delete all or portions of) the personally identifiable information associated with their account.
P19 What do you think about this indicator?
P19 comments and suggestions:
P20. Does the company allow full and permanent account deletion for all of its services?
P20 What do you think about this indicator?
P20 comments and suggestions:
P21. Does the company deploy the highest possible industry standards of encryption and security for its products and services?
Elements to be assessed in scoring:
Implements encryption and other practices that best protect the security of user data, both in transmission and in storage;
Protects user credentials and other non-essential information (such as IP headers) in transmission and storage;
Enables or supports use of client-to-client encryption.
P21 What do you think about this indicator?
(This list includes elements of the Data Security Action Plan launched by Access and other organizations in March 2014.)
P21 comments and suggestions:
P22. Does the company engage in industry best practices to help users defend against hacking and phishing attacks?  
Elements to be assessed in scoring:
Maintains security of credentials with robust authentication safeguards;
Implements measures to alert users to unusual account activity;
Has a notification and patching system to promptly address known, exploitable vulnerabilities;
Educates users on improving their own digital security practices.
P22 What do you think about this indicator?
(This indicator, like the previous one, draws heavily from the Data Security Action Plan. See methodology document linked above for list of elements to be assessed in scoring.)
P22 comments and suggestions:
P23. Does the company conduct a security audit on its technologies and practices affecting user data?
Elements to be assessed in scoring:
If the company discloses the existence of an audit conducted by an organization hired by the company;
If the identity of the auditor is disclosed;
If the auditor’s work is publicly assured by an independent third-party.
P23 What do you think about this indicator?
P23 comments and suggestions:
Name (optional)
Organization (optional)
E-mail (optional)