Executive Summary

We live in a world today where vast Information and Communications Technology (ICT) infrastructures and extensive flows of information have become natural and unquestioned features of modern life. Rapidly growing online services—everything from social media to ecommerce and virtual cooperation — have come to define our day-to-day lives in ways unimaginable just a decade ago. This increasingly pervasive, unpredictable, and rapidly changing interaction between ICT and society brings with it a wide range of new human rights risk drivers and ethical dilemmas for companies in the ICT industry, especially for how to protect and advance freedom of expression and privacy online.

In order to understand the ICT industry’s freedom of expression and privacy risk drivers, it is important to consider certain characteristics of the ICT industry that distinguish it from other industry sectors. These characteristics exist across five spheres and have significant implications for how to best protect and advance human rights in the industry:

1. End user – plays a significant role in the human rights impact of ICT
2. Legal frameworks – can move more slowly than ICT product and service development
3. Jurisdictional complexity – increasingly significant as information becomes global and data flows across borders
4. Technological complexity – new products and services are continually introduced, often with unpredictable consequences for human rights
5. B2B relationships with enterprise and government customers – with whom ICT companies often co-design products and services

The ICT industry has been increasingly proactive over the past few years in defining approaches to protecting freedom of expression and privacy. For example, the Global Network Initiative provides direction and guidance to companies on how to respond to government demands to remove, filter, or block content, and how to respond to law enforcement agency demands to disclose personal information. These types of risk drivers will be relevant for companies that hold significant amounts of personal information and/or act as gatekeepers to content, primarily telecommunications services providers and internet services companies.

These approaches to protecting human rights online have been focused at the content level or on personal information itself. However, human rights risk drivers can also be found at the product/service functionality level. These risk drivers can arise, for example, through the requirement that certain types of ICT products, services, and technologies contain functionalities that allow for the removal, filtering, and blocking of content, or which enable easier surveillance and access to personal information by law enforcement agencies. These types of risk drivers will be relevant for companies that build the underlying ICT infrastructure through which information flows, such as network equipment manufacturers, cell phone companies, and security software providers.

There are a number of different points across the ICT value chain in which governments can interact with private sector companies, sometimes at the level of content or personal information, and sometimes at the product or service functionality level. It is at these intersections between governments and ICT companies that the need to respect, protect, and advance human rights is most significant.

The main body of this report sets out these risk drivers across eight segments of
the ICT industry:
1) Telecommunications Services – risk drivers include requirements to assist law enforcement agencies in investigations
2) Cell Phones and Mobile Devices – location-based services such as mapping or advertising can present new sources of security and privacy risks
3) Internet Services – companies can receive demands to remove, block, or filter content, or deactivate individual user accounts
4) Enterprise Software, Data Storage, and IT Services – companies hosting data “in the cloud” may increasingly be gatekeepers to law enforcement requests or provide service to high-risk customers
5) Semiconductors and Chips – hardware can be configured to allow remote access, which may present security and privacy risks
6) Network Equipment – where functionality necessarily allows content to be restricted or data to be collected by network managers
7) Consumer Electronics – pressure may exist to pre-install certain types of software to restrict access to content or allow for surveillance
8) Security Software – risk drivers may include increasing pressure to offer simpler means of unscrambling encrypted information

While there are certainly variations between different parts of the ICT industry, this report also demonstrates that there are common themes, such as responding to requests, demands, and legal requirements from governments and law enforcement agencies, or more demands to unscramble encrypted information. It also demonstrates that the ICT industry is one integrated whole, and that it is only by understanding how this integrated whole works together that the ICT industry and its stakeholders can most effectively protect human rights.

However, this report only begins to hint at various ways that ICT companies can mitigate these risks, and so it only completes the first half of the analysis required for ICT companies to effectively address these human rights risks. What is needed is a concerted effort, undertaken by the industry as a whole and its various stakeholders (including human rights groups, governments, investors, and academics) to explore how the human rights of freedom of expression and privacy can be most effectively protected in the context of legitimate law enforcement and national security activities.

This report concludes by highlighting four key topics that such a dialogue should address: relationships with governments; designing future networks; implementing due diligence; and engaging employees, users, and consultants.