Tech Accountability and Society: Quantitative Metrics

Dear Readers,

The Financed Focused Strategy Project intends to understand and translate civil society’s privacy concerns with the technology sector into a concise, quantifiable criteria set that will allow for the assessment of corporate actions. Its goal is to incentivize investor interest in, and support of, technology companies becoming more accountable and attentive to their human rights practices.

The key question the project is addressing is: How can civil society organizations make common cause with investors and in doing so utilize the influence they have with corporate boards and management?

The research has been divided in two ways. Our core focus is on company governance systems, including structure, policies and practices. Privacy, a key human rights issue and a gateway to so many other tech-related concerns, is the illustrative example and focus data set we are using to assess the effectiveness of the governance metrics. The project’s strategy is built on developing quantitative metrics for investors to assess and engage with companies, identifying where attention to governance, privacy and human rights may support long-term value creation and benefit portfolio returns. This might include, for example, increased revenue, reduced costs, improved forecasting, and/or the reduction of systematic or idiosyncratic portfolio risk.

The criteria presented below were created in consultation with a wide range of civil society experts. The research team is now collecting data on the largest public US-based tech and communications companies. These criteria will then be assessed for their relative impact on company and portfolio performance. This process is intended to identify those human rights priorities most clearly linked to investor interests and, consequently, engage investors as allies in calling for needed changes in corporate practice.

This project builds from research and strategy setting available here.

Feedback request

This criteria set is organized under two main pillars: Broad Accountability, which looks at a technology company’s overarching ability to understand and manage human rights, and Privacy, which looks at criteria specific to the human rights implications of privacy. Within each pillar are various categories and subcategories, with criteria worth from 1 to 6 points depending on the complexity of the data being captured.

All feedback and questions are welcome on this approach and criteria set. We encourage, in particular, your comments on the completeness of this set of metrics. Please share them in the comments section below.

Criteria Set

Policy Commitment

Governance Submetrics

    1. Has the company made statements around its commitment to having a positive role in society? (1 pt)

    2. Has the company stated its commitment to international human rights? (1 pt)

    3. Does the company state that it employs the precautionary principle, or any preemptive measures to avoid releasing harmful products or services? (1 pt)

    4. Are there public examples of the company’s use of the precautionary principle? (1 pt)

Privacy-specific Submetrics

    1. Does the company have a publicly accessible data privacy policy? Per product? (2 pt)

    2. Does the company’s data privacy policy refer to international frameworks? (5 pt)

      [Note: UN Guiding Principles? General Data Protection Regulation (GDPR)? California Privacy Protection Act? EU-US and Swiss-US Privacy Shield frameworks? Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising? AICPA’s Privacy Management Framework (PMF)?]

    3. Does the data privacy policy set out clear expectations of employees, suppliers, contractors, business partners, customers, and users? (6 pt)

Governance and Oversight

Governance Submetrics

    1. Has the Board formally established its oversight over the company's impact on society? (1 pt)

    2. Has the Board set performance measures related to the company’s impact on society? (1 pt)

    3. Does at least 25% of the Board participate in a committee related to the company’s impact on society? (1 pt)

    4. Does the company state that the board has human rights expertise? If so, does the company define the human rights expertise and its origins? (2 pt)

Privacy-specific Submetrics

    1. Does the Board of directors exercise formal oversight over privacy risks and management? (1 pt)

    2. Does at least one member of the Board have expertise in privacy issues related to human rights? (1 pt)

    1. Does at least one member of the executive team have expertise in privacy-related issues? (1 pt)

    2. Does the company have a Chief Privacy Officer, Chief Security Officer, or equivalent? (1 pt)

Risks and Opportunities

Governance Submetrics

    1. Is there a process for identifying risks to society associated with direct product use, both intended and unintended? (1 pt)

    2. Is there a process for assessing risks to society associated with direct product use, both intended and unintended? (1 pt)

    3. Is there a process for mitigating risks to society associated with direct product use, both intended and unintended? (1 pt)

    4. Is there a process for identifying risks to society associated with indirect product use, both intended and unintended? (1 pt)

    5. Is there a process for assessing risks to society associated with indirect product use, both intended and unintended? (1 pt)

    6. Is there a process for mitigating risks to society associated with indirect product use, both intended and unintended? (1 pt)

    1. Does the company conduct a comprehensive risk analysis before entering high-risk or conflict-affected areas? (1 pt)

    2. Is there a risk identification team and/or a risk identification role related to the company's impact on society? (1 pt)

    3. Is the risk identification team able to escalate its concerns to the Board? (1 pt)

    4. Do stakeholders and employees have a third-party managed channel(s) or whistleblower program for the escalation of concerns to the executive team? To the Board? (2 pt)

    5. Does the company conduct scenario analyses related to new product development and societal impact? (1 pt)

Privacy-specific Submetrics

    1. Does the company have a process to identify and assess potential human rights risks and impacts to privacy associated with product use, both intended and unintended? (2 pt)

    2. If yes, does this process include consulting with external stakeholders such as civil society groups, affected communities, and/or academics? (1 pt)

    3. Does the company’s product include the ability to disable or shut down its technology (a “kill switch”) in the event of a violation or misuse of the product? (1 pt)

Internal Implementation

Governance Submetrics

    1. Does the company have an executive team member whose core responsibility is the company's role in society, such as a Chief Impact Officer? (1 pt)

    2. Does the company have sufficient staff and resources dedicated to understanding and managing its impact on society? (1 pt)

    3. Has the company put quantitative measures in place to assess its impact on society? (1 pt)

    1. Does the company provide relevant employees with training on societal issues? (1 pt)

    2. Does the company use broad non-disclosure agreements or arbitration requirements that go beyond the protection of competitive interests? (1-No, 0-Yes)

    3. Do employees have a protected mechanism to communicate with each other or external stakeholders around societal issues? (1 pt)

    4. Do employees have an anonymous mechanism to elevate concerns to the Board? (1 pt)

    5. Does the company provide relevant employees with training on privacy and best practices as pertinent to the company’s products or services? (1 pt)

Privacy-specific Submetrics

    1. Has the company disclosed a list of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring? (1 pt)

    2. Does the company have a clean record of fines or violations related to data protection laws? (1 pt)

    1. Does the company rely on “privacy by default/ by design” principles in product design, development, and/or testing? (1 pt)

    2. Does the company limit employee and other privileged access to private data to those with a strict “business need to know”? (1 pt)

    3. Does the company explore the potential misuse of its products or services before deployment? (1 pt)

    4. Does the design team consult with Trust and Safety experts to account for potential risks? (1 pt)

External Relationships

Governance Submetrics

    1. Does the company formally participate in organizations intended to increase its ability to understand and address societal concerns? (1 pt)

    2. Has the company ceased, or significantly modified, a project or product or client relationship given concerns about its impact on society? (1 pt)

    3. Does the company have a formal venue (like an Advisory Board) for guidance and feedback from external experts on its societal impact? (1 pt)

    4. Does that committee have the appropriate level of expertise? (1 pt)

    5. Is the committee independently governed and remunerated? (1 pt)

    6. Does the committee have the ability to prevent the development of, or end the use of, products or services which are concerning? (1 pt)

    7. Does the company provide financial support to organizations seeking to address societal concerns related to tech? (1 pt)

    1. Does the company report on its political contributions, including participation in trade associations? (1 pt)

    2. Does the company report on how it ensures that its political giving aligns with its publicly stated values? (1 pt)

    3. Does the company conduct country-specific assessments? (1 pt)

Privacy-specific Submetrics

    1. Does the company participate in organizations or events intended to increase its ability to understand and address privacy concerns? (1 pt)

    2. Does the company collect, access, manage or otherwise handle highly sensitive private data, such as financial data, private health data, data that identifies individuals as members of vulnerable communities, activism affiliations, etc.? (4 pt)

Transparency

Governance Submetrics

    1. Has the company set public intentions relative to its societal impact? (1 pt)

    2. Has the company set measures and metrics to assess its societal impact? (1 pt)

    3. Has the company evaluated the impact of removing or modifying a service, given human rights concerns? (1 pt)

    4. Does the company’s assessment and review process have an accessible and trustworthy forum to provide anonymous feedback? (1 pt)

    5. Did the setting of its public intentions related to its societal impact involve internal and external stakeholders? (1 pt)

    6. Do its public intentions address short and long-term goals for its impact on society? (1 pt)

    1. Is the company’s reporting audited by an independent third party? (1 pt)

    1. Has the company been clear in its intention to provide remedy for accidental harms? (1 pt)

    2. Is the remedy process clearly elucidated, and does it appear to be functioning effectively? (1 pt)

Privacy-specific Submetrics

    1. Has the company set goals relative to its data privacy risk management? (1 pt)

    2. ...If yes, are the goals both short and long term? (1 pt)

    1. Does the company publish the number of law enforcement requests for data it receives and its response to each request? Is this report audited by an independent third party? (2 pt)

    2. Does the company have a clear process for the conditions under which it provides private data in response to law enforcement requests? Does this rationale prioritize human rights? (1 pt)

Relationship to Shareholders

Governance Submetrics

    1. Is the Board Chair an independent Board member? (1 pt)

    2. Are less than 15% of voting shares held by the Board or executive officers? (1 pt)

    3. Is the Board more than 75% independent? (1 pt)

    4. Has the company made a public commitment to be responsive to shareholders? (1 pt)

    5. If the company has multiple share classes, are voting rights consistent across shares? (1 pt)

Data Management

Privacy-specific Submetrics

    1. Does the company seek to clearly and simply lay out what private data it collects and for what purposes to rightsholders? (1 pt)

    2. Does the company obtain user consent before collecting data? (1 pt)

    3. Does the company seek to minimize the private data it collects? (1 pt)

    4. Does the company disclose data handling practices at each stage of the information “lifecycle” (i.e., collection, usage, retention, processing, disclosure, and destruction of information)? (6 pt)

    5. Does the company sell, rent, license, lend, share, or otherwise provide access to private data to third parties (customers, partners, suppliers, etc)? (1 pt)

    6. ...If yes, does the company track what third parties do with the private data that was sold, licensed, rented, shared, or otherwise provided by the company? (1 pt)

    7. ...If yes, has the company set limitations on the use of the private data it collects by third-parties? (1 pt)

    8. Does the company use a different level/type of data security practice for the most sensitive data? (e.g. personally identifiable information (PII), protected health information (PHI), personal data, sensitive personal data...) (1 pt)

    9. Does the company have a codified process for the distribution of data and/or usage of data of known members of vulnerable groups, e.g. children, people with disabilities, women in states that have limited reproductive freedoms, dissidents, journalists, human rights defenders in authoritarian regimes? (1 pt)

    1. Do rightsholders have the right and ability to alter, control, or delete their data permanently from company systems (“right to be forgotten”)? (1 pt)

    2. Do rightsholders have the option to request a copy of the data that is collected across various products and services? (1 pt)

    3. Does the company use a pay-for-privacy model? (1 pt)

    4. Does the company use private data for behavioral advertising? (1 pt)

    5. Has the company set limitations on primary data use? (1 pt)

    6. Are end users given the right to opt out of certain types of data usage? (1 pt)

    7. Does the company conduct Know Your Customer (KYC) or other due diligence on customers? (1 pt)

    8. Does the company retain private data? (1-No, 0-Yes)

    9. Does the company indicate how long it retains private data? (1 pt)

    10. Does the company indicate where (what country) it stores data? (1 pt)

    11. Does the company confirm customer/data user (if different from user, e.g. an employer or advertiser) understanding of appropriate usage of private data before granting access? (1 pt)

    12. Does the company use end-to-end encryption, or two-factor authentication? (1 pt)

    13. Does the company have SOC 2 certification (Type 2) and/or HIPAA audit? (1 pt)

    14. Does the company require its suppliers to uphold the same privacy standards as those to which it holds itself? business partners? (2 pt)

    15. Does the company follow best-practice protocols, as outlined by the FTC, to address all cases of data leaks? breaches? hacks? theft? (4 pt)

    16. Does the company disclose the number of data breaches it has encountered? number of rightsholders affected? the percentage involving personally identifiable information (PII)? (3 pt)

    17. Does the company regularly test its own data security processes to ensure they are effective and sufficient before and/or after deployment? partners’/ suppliers’ data security processes? (2 pt)