By Afef Abrougui

Early November, the Ranking Digital Rights (RDR) project launched its corporate accountability index,  a ranking of 16 of the world’s most powerful telecommunications and internet companies on their commitments and policies that affect users’ free speech and privacy rights. Orange, MTN, Vodafone and Etisalat, which all have operations in the Arab region, are included in the ranking. The most popular internet companies such as Google, Twitter and Facebook are also there.

Violation of user rights in the Arab region is often uniquely blamed on repressive governments that extensively filter the internet, spy on their citizens, and prosecute them for merely expressing themselves online.

Over the past few years, however, activists and human rights groups have been drawing attention to the complicity of companies, either foreign or national, in violating the rights of users based in the region. Some of these companies, based in Western Europe or North America, sell internet filtering and surveillance technologies to governments which use them to crack down on speech and political dissent.

For instance, several Arab governments including those of Bahrain, Saudi Arabia, Egypt, Sudan, Morocco and the UAE, purchased the Milan-based Hacking Team’s “Remote Control System” intrusion software, as was revealed when the company was hacked and its documents leaked last July. In October, the Toronto-based Citizen Lab released a report confirming that filtering products by the Canadian company Netsweeper are being used to filter critical political content in Yemen.

It is not only companies selling spying and filtering technologies that threaten the rights of users. The practices and policies of internet and telecommunications companies can put their users’ at risk of rights violations. This is what RDR’s newly released index sheds light on.

RDR assessed the companies according to their publicly disclosed policies, and not their practices, in three categories: commitment, freedom of expression, and privacy. For each category, the indicators draw on guidelines established in international human rights frameworks, including the United Nations Guiding Principles on Business and Human Rights.

In the ranking, internet companies fare better than the telecommunications companies. The highest ranked Internet company, Google, obtained a score of 65%, while the highest ranked telecom company, Vodafone, obtained 54%. In the Internet companies’ ranking, four obtained at least a total score of 50%, while only two telecom companies obtained a score of 50 and above.

RDR, however, notes that “there are no winners” and that “even companies in the lead are falling short”, particularly when it comes to disclosing how they handle user information and enforce terms of service, and the lack of transparency when  it comes to requests for content takedown and user data.

How do companies violate our rights?

RDR explains how companies like Internet Service Providers (ISPs), social networking sites, and cell phones carriers violate user rights: “people increasingly depend on Internet and telecommunications services for many facets of their daily lives, including civic, political, and religious activities. The services these companies offer connect and empower people in unprecedented ways, but they can also be misused to undermine freedom of expression and privacy”.

Companies take a number of decisions that could affect user rights including:

– handing over user data at the request of governments, law enforcement agencies or courts.
– taking down content at the request of governments for violating local laws.
– taking down content or banning users from using their services for violating their terms of service. (Last August, for instance, Facebook removed a photo album shared by a Syrian artist showing drowned Syrian and Palestinian refugees off the coast of Libya after a number of users reported it for violating the company’s terms of service )
– shutting down networks and services at the requests of governments

There are of course legitimate reasons for which companies need to take similar decisions such as incitement to violence, hate speech, cyber-bullying or security concerns. Repressive governments, however, have other less legitimate reasons, such as requesting the data of an anonymous blogger who has been critical of the authorities, or shutting down communications during protests.

Though several governments in the Arab region advocate for a universal access to internet and mobile phones (the number of internet users in the region is expected to hit 197 million by 2017, a penetration of 51%), they are wary of online criticism and dissent, particularly following the so-called Arab Spring protests, during which protesters across the region made use of these technologies to document police violence and organize.

Etisalat gets lowest score in telecommunications companies ranking

With a 14% score, the UAE’s Etisalat received the lowest score for telecommunications companies. In the overall ranking, only Mail.ru, a Russian company which provides communication and entertainment services online, scored worse than Etisalat with 13%.

In fact, Etisalat discloses little to no information about its public policies and practices affecting its users’ free speech and privacy rights. Out of six indicators in the commitment category, Etisalat only received credit for disclosing processes to receive complaints and grievances from its users (indicator C6). The company, however, fails to get credit for the five remaining indicators, including conducting human rights impact assessments (C4) and engaging with a multi stakeholder initiative promoting freedom of expression and privacy (C5) such as the Global Network Initiative.

Etisalat has the lowest score of any telecommunications company in the Privacy category along with MTN,  a South African multinational mobile telecommunications company, which also has operations inside Sudan, Syria and Yemen. Though Etisalat makes its privacy policies freely available (P1), and provides some information into what user information it collects and shares, and why (P3 and P4), it does not say whether it notifies users about third party requests for their information (P10) or how long it retains user information (P17), nor publishes data about requests for user information (P11).

Etisalat fares better in the freedom of expression category by making its terms of service available (F1), committing to notify its users about changes to these services (F2), and disclosing information about the circumstances under which it restricts content or access to its services (F3 and F4). Out of a total of 10 indicators in the freedom of expression category, the company gets zero credit for five indicators. Etisalat fails to reveal information about its process for responding to requests from governments and other parties to restrict content (F6), and does not publish data about such requests (F7). In addition, the company does not reveal whether or not it prioritizes the delivery of certain types of content over other, aka net neutrality (F10).

What about foreign companies?

Etisalat is not unique in its lack of public commitments to  freedom of expression and privacy in the Arab region, where even private and foreign companies do not disclose enough information about their policies.

European companies behave differently in their countries of headquarters from countries where the regulatory environment is restrictive and does not provide legal protections for user rights.

Take for example the French multinational telecommunications group Orange which has operations in Egypt, Jordan and Tunisia. In the telecommunications ranking, Orange came third with a total score of 37 out of 100 after AT&T and Vodafone which respectively obtained 50 and 54. Though in France, Orange makes its terms of service available for each of its services on orange.fr, in Tunisia the terms and conditions are nowhere to be found on orange.tn.

In 2011, Vodafone came under criticism in Egypt when it shut down its network there during the protests against former president Hosni Mubarak, at the request of the government. For 24 hours its customers were unable to make phone calls or use the internet. Although Vodafone said that it was obliged to do so under local Egyptian law, this case clearly shows how companies favor business interests over human rights in countries where customers enjoy little to no protections.

It’s about regulation:

RDR notes that the legal and regulatory framework context in which Etisalat operates “presents challenges for the company to achieve a higher score in the Index”. The 2015 Freedom on the Net report states that the “UAE maintains an authoritarian grip on both politics and telecommunications”. In fact, the state has dominant ownerships in the country’s two telecommunication service providers, including a 60% stake in Etisalat.

As long as regulation in the region is about controlling users and not protecting them, it will be challenging for companies to improve their policies and practices.

In Bahrain, for instance, the Telecommunication Regulatory Authority has the power to revoke the licenses of ISPs if they do not abide by blocking orders from the government. In Egypt, the telecom industry regulator (NTRA) has been accused of monitoring social media.

Despite the restrictive regulatory frameworks, there are steps that telcos could take to further the protection of user rights, including making their terms of service available in an easy to understand language, disclosing sites and content they block access to, and  revealing how they handle user information (what information they collect, with which parties they share, and for what purposes and for how long they retain it). In the RDR ranking, companies also get scored for informing and educating users about cyberthreats (P14), and for deploying the latest encryption and security standards (P12), two practices even companies in the most restrictive environments should be capable of adopting.

For social media companies, regulation can be a bit tricky because of the borderless nature of the Internet. Though it is understandable for companies to respect the local legislation of countries inside which they operate, this does not mean that they should not assess the risks that come with opening an office in a restrictive environment.  When Twitter launched its office in Dubai, a spokesperson for the company said: “We do not make special arrangements with governments regarding censorship”, in response to an inquiry from BuzzFeed News about the agreements Twitter made with the government in order to be able to operate inside the UAE.

In addition, Internet companies take down content at the request of courts or government agencies for violating local laws. For instance, during the first half of 2014, Facebook restricted seven pieces of content inside Saudi Arabia for violating local laws that prohibit criticism of the royal family. This is a policy that Facebook and other new media companies need to review, because legislation under undemocratic regimes does not usually enshrine free speech protections in accordance with international human rights standards.

The role of civil society

Despite the restrictions placed on civil society in several countries in the region, groups

and activists working to advance digital rights protections can still do much. They can use the RDR ranking in their advocacy work, or if possible conduct a similar study focusing on ISPs and telcos operating inside the region. They can also raise awareness and educate users about companies’ practices and policies in order to allow users to make informed choices and know which rights they give away when they agree to the terms and conditions.

And in countries where civil society is not grappling with draconian restrictions such as Lebanon and Tunisia, organizations and activists should lobby the government and legislators to improve laws regulating the telecom industry, in a way that they respect user rights.