consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Governance #39

Status: Open. DCyfer opened this issue 7 years ago.

DCyfer commented 7 years ago

If we're trying to build a privacy/security standard, what exactly does the company's human rights record have to do with anything? Social justice has zero to do with privacy & security.

I have no issue with making an issue of a company's record, but not in a standard like this. You only weaken the argument that a standard is necessary.

digitalstandard-bot commented 7 years ago

Thank you for helping shape the Digital Standard. Addressing privacy, security, and data issues in the marketplace requires a community-driven response.

The partners meet once every 3 months to review pull requests. The next meeting is scheduled for mid-May.

Thanks again!

royapakzad commented 7 years ago

@DCyfer The governance that is mentioned here goes back to the UN Guiding Principles on Business and Human Rights, which were established in 2011 and expect companies to respect the human rights of users, including the rights to privacy and to freedom of expression. The argument goes beyond social justice issues and focuses on international human rights laws and norms. Companies' human rights policies and practices are very important in order to find out how transparent and accountable they are. For example, compare Microsoft's human rights policies and reporting vs. Amazon's (regarding Alexa).

DCyfer commented 7 years ago

I appreciate your response @royapakzad; however, this still has zero to do with security and privacy. I understand the attempt to link privacy with transparency, but it's a stretch at best. Others may see this as an attempt by social justice advocates to infiltrate a standard that SHOULD be politics-neutral and remain technical and objective. Making judgments as to human rights records, whistleblower protections, etc. are best left to political standards, not technical standards.

royapakzad commented 7 years ago

On the "Procedure Overview," you could write "Is the company a member of any multi-stakeholder initiatives such as GNI?" Reducing "Procedure Overview" only to checking publicly available documents does not clarify what exactly to look for while reading the company's websites and documents. In my opinion, Procedure Overview should provide clear, practical and direct methods to follow. Thanks

taliesan commented 7 years ago

Thanks for your comments! And the constructive discussion. The Standard is an intentional work in progress. We chose to cast as wide a net as possible in the first draft. As this thread evidences, there are strong arguments both ways re: whether / how companies address human rights and disclosure concerns should be considered as part of the evaluation framework around broader concepts of privacy and security. We anticipate more discussion as the Standard evolves.

@royapakzad: We're going to consider your wording suggestion in our next review! Thanks.

TatevSarg commented 6 years ago

I realize that we have a long history of discussions and unresolved questions around the inclusion of freedom of expression (FoE) indicators in the Standard. However, having done three phases of evaluations, I recommend excluding FoE indicators from the assessment of services that are not primarily designed to mediate content and user communication. I also recommend having another discussion to decide whether we want to keep FoE indicators in the Standard, in general. On the one hand, the Standard can provide a roadmap for companies to improve their overall human rights and corporate social responsibility practices around FoE. On the other hand, it is not obvious why we have FoE indicators in an initiative that is publicized as a digital privacy and security standard.

blackswanburst commented 6 years ago

This may or may not be the right section for this comment, but how about simply stating the jurisdiction in which privacy or security matters will be resolved? https://www.dlapiperdataprotection.com/ Privacy legislation in the UK for example, is very different than Taiwan, and it would be nice to know where my concerns would be addressed if I bought X device and later had a problem with it.

KatieMcInnis commented 6 years ago

Could we define "multi-stakeholder initiatives" as ones that revolve around ensuring user rights?

TatevSarg commented 6 years ago

@royapakzad I agree with the general idea, but I would not recommend adding the exact suggested language to the procedure overview, because membership in multi-stakeholder initiatives may not be the only way to have meaningful engagements with stakeholders. As you can see in the 5th criterion in the Governance test, we have approached stakeholder engagements more broadly by including the following indicator in the Standard, which says:

“The company initiates or participates in meetings with stakeholders that represent, advocate on behalf of, or are people directly and adversely impacted by the company’s business.”

Under the procedure overview corresponding to the above mentioned indicator, we could add:

“Investigation and analysis of publicly available documentation to determine whether the company is a member of a multi-stakeholder initiative whose focus includes freedom of expression and privacy and/or initiates and participates in meetings with stakeholders who are or represent users whose rights to freedom of expression and privacy are directly and adversely impacted by the company’s business.”