By: Eric Davis, Senior Director, Product Management
As part of our intent to bring valuable stakeholder insights into Symantec’s corporate responsibility strategy we look forward to incorporating more viewpoints from external stakeholders – NGOs, customers, investors, thought leaders - that help shape and guide our corporate responsibility efforts. Here we feature Access Now, a nonprofit defending and extending digital rights for technology users across the world.
The prevalence of data enables life-saving, life-changing and life-enhancing solutions; however, with it comes greater risk of misuse and potential exposure. Not surprisingly, digital privacy has emerged as an issue that touches nearly every company and is fast becoming a core component to building a brand that consumers and the world can trust.
At the annual RightsCon conference hosted last month by Access Now, I had the chance to speak with Peter Micek, lead for Business and Human Rights at Access Now, about digital privacy and protection and the key issues at the intersection of technology and society.
Can you describe Access Now’s mission and current focus?
At Access Now, we defend and extend the digital rights of users at risk around the world. Across our policy, advocacy and technical support arms, we ensure that online activities are private, safe and secure. We believe that privacy is a fundamental human right and protecting personal data should be a part of any organization’s or company’s commitment to its customers, and the world at large.
Since our founding in 2009, the prevalence of and dependence on technology has completely transformed the debate around digital rights protection. As our organization has grown, the issues we focus on have increasingly become mission-critical to business sectors far beyond internet and telecoms, like consumer credit and banking, transportation and health care. Meanwhile, governments and civil society also look to digitize and extend their work through new tools, opening their exposure to digital threats.
What is your role and day-to-day responsibility?
As the lead for Business and Human Rights at Access Now, I have grown with the organization for over six years and have seen the negative impacts of surveillance and privacy invasions on human rights defenders around the world. How can companies approach digital rights risks and opportunities in 2018 and beyond? How can they increase their transparency with stakeholders and customers to build trust and credibility? Leading firms are answering these questions through consulting vulnerable and marginalized communities and at-risk users, along with input from organizations like ours.
What are the top issues you see facing technology companies today?
How a company in the digital age views and processes its responsibility for respecting and enabling human rights is a deep question many are pondering – whether they want to, or because they are being forced to. Should companies rely on legislation or is there a responsibility to go further?
For example, I understand that Symantec took part in discussions around the European Union’s development of new rules for good data governance and provided input into the General Data Protection Regulation (GDPR). Our organization also engaged with policymakers on this landmark legislation for several years, and even produced a guide for future legislators to draft and implement similar laws.
Internet policymaking must take place through open and inclusive processes, where corporate as well as civil society actors interact, debate and produce stronger, rights-respecting regulation. Our hope is that, through this experience, private firms like Symantec gain the knowledge needed to provide customers with products that ensure their compliance with the GDPR, while also building lasting relationships with privacy advocates and affected communities, to better prevent future harms.
What trends are you seeing around the social impact of technology (i.e. positive and negative unintended consequences)?
Privacy risks have increased, on individual and societal levels, and now range from government hacking and mass surveillance, to identity theft and personal online security threats, to misuse of personal information and communications by governments and companies, at scale. We also track rising censorship, like blocking of messaging apps during protests and forced content removal, which imperil the free flow of information at the heart of the Web’s success. These threats have in turn raised the stakes in terms of the impact that a technology can have on its users, the risks posed by its use.
Companies are being challenged to define their responsibility to protect human rights. A good place to start is looking at your most exposed users and understanding how your products and solutions, whether via intended or unintended uses, impact their ability to exercise rights.
In many cases, companies must expand the definition of who their users are to gauge the potential risks and impacts of their business. After all, technology never exists in isolation, but rather, sits within legal, economic and social structures with deep histories and ingrained values. Understanding the potential use cases and the people impacted remains a necessity for rights-respecting businesses.
What role does privacy play?
Privacy enables us to act confidently and safely, online or off. It is a right unto itself, but also inextricably linked to our right to free expression, our health, and even our education and financial prospects. After all, who would seek out sensitive health advice, or investigate a new business opportunity, if they knew that authorities – whether bosses, parents or government officials – were looking over their shoulders?
In our work, we see communities whose sole access to information comes through tunnels to the global internet via Virtual Private Networks (VPNs), who must protect themselves from sophisticated hacking operations. Right now, the burden of protecting privacy falls disproportionately on the vulnerable. That is why we demand more from powerful business and government entities in the effort to build a more open and rights-respecting world, starting with the internet.
What can tech companies do better or differently?
As with all aspects of corporate responsibility, managing digital privacy is more successful when it’s embedded into the core business. The “Privacy by Design” principles advocate for consideration of privacy and data protection compliance from the start of the development process. Privacy by Design assessments and certification provide third-party expert confirmation that privacy best practices are being implemented.
Additionally, tech companies should leverage policies and frameworks such as the UN Guiding Principles on Business and Human Rights, which show how to go above and beyond to protect users and mitigate adverse impacts on their rights and interests. Putting users first can become a business advantage, as many companies are discovering in the post-GDPR world.
Lastly, companies should ensure that both employees and users are educated about basic digital hygiene. For example, multi-factor authentication, end-to-end and full disk encryption, and organization-wide security policies are essential. You would be surprised how many risks can be mitigated through simple measures.
Please share some examples of recent progress made.
More platforms are allowing you to enable “multi-factor authentication,” to require more than a simple password to log into your accounts. These options give users more notice and control over login attempts, and help prevent simple break-ins, by requiring other factors like a hardware key, a dedicated phone application, an SMS text message, or your fingerprint. We created an infographic to help users navigate the new authentication options available here.
Many tech companies have also joined the trend of “transparency reporting,” or releasing regular reports on their policies and actions impacting privacy and freedom of expression. Generally, the reports give aggregate data and insights into the past few months of government and third-party requests for user data and content and account restrictions, and how the company responded. You can see a list of these reports here.
How can a company engage and best work with an NGO like Access Now?
A great first step is to join an established community of stakeholders with the expertise and insights you need to build and maintain a privacy strategy. For example, the Global Network Initiative (GNI), representing an alliance of internet and telecom companies and academics, human rights groups, and investors, has advocated for laws and policies that protect freedom of expression and privacy rights worldwide for over ten years.
Access Now’s Digital Security Helpline is another resource that companies can tap into. This is a free of charge service for civil society worldwide, providing direct technical support to individuals and organizations that want to protect themselves online. Our helpline can help you assess the risks in your organization’s work, and together prioritize your digital security needs. We can also help you resolve existing problems, educate people on best practices, and help you foster a secure mindset. Additionally, our helpline can serve as an emergency resource in times of crisis.
Cloudflare and Google provide enterprise-level protection free to civil society groups, a form of in-kind donation that directly benefits the most vulnerable among us. Through TechSoup, where Symantec and other firms offer discounted and free products, nonprofits can access world-leading cyber security products.
Finally, the Ranking Digital Rights’ Corporate Accountability Index analyzes the most powerful internet, mobile and telecom providers on their commitments and policies affecting privacy and freedom of expression. In 2018, the majority of companies that were ranked improved in key areas, however, there are still weaknesses in areas such as disclosing potential privacy risks to users, prioritizing privacy governance, protecting user security and more.
Respecting digital rights is not a simple box to check off and move on. There are many factors and emerging areas that determine the extent of a company’s responsibility and marks its progress. Companies can start small, as not every company can be a leader from the get-go. Conferences like Access Now’s RightsCon are a great place to meet people and begin to understand the key issues with regards to privacy and how/who you may be impacting. Additionally, RightsCon prides itself on providing space for face-to-face bilateral meetings with key user groups and stakeholders, from civil society to governments. Connecting privately with others in the community can provide insights on issues not yet on your radar, so you can develop strategies and reforms before a crisis impacting users happens.
Prepared to protect
What privacy means for an organization may vary depending on the breadth, type and confidentiality of the data collected. However, in many cases, privacy has direct implications for the fundamental human rights of your customers. What will differentiate the leaders are those that are prepared to protect and react as needed.
We encourage you to share your thoughts on your favorite social platform.