Data protection: How are attitudes to disclosure changing? 

As more of our personal data is held in centralized, remote storage, it has become a tempting target for law enforcement and intelligence agencies.  Through various investigatory powers, these government agencies can demand that social media companies, e-mail providers, ISPs, and other intermediaries turn over sensitive records and message content.  Are governments abusing their investigatory powers? What legal authorities are they invoking and why?  The answers to these questions and others are critical to both an informed citizenry as well as informed consumers who trust their sensitive data to these online services.  Unfortunately, the answers to these questions are elusive.  One source of answers has been transparency reporting, which are reports – either from companies or governments – that aggregate data about government requests for use data.  However, finding useful transparency reports has been challenging, both in the United States and across Asia.  The struggle for effective transparency reports shares important similarities across continents, and the differences in approaches highlight a couple of valuable lessons for both regions.

Since early 2013, the Berkman Klein Center for Internet & Society at Harvard University, working in conjunction with the Open Technology Institute at New America, has been researching transparency reports in the United States and working to try to improve both their availability and utility.  Our focus from the beginning was on reports released by companies.  Because the intent of transparency reports is to better understand government actions, it may seem odd that we focused on company reports; at best, company reports in aggregate serve only as a rough proxy for estimating the full scope and scale of government requests.  We chose to focus on companies for a few important reasons.  First, in early 2013 there were already a handful of companies releasing transparency reports (most notably Google and Twitter).  Second, in most cases U.S. law enforcement and intelligence agencies have no legal obligation to disclose aggregate data on requests for user data.  Although companies also have no legal obligation to publicly disclose the volume of requests, we believed that they would be more likely to respond to consumer pressure.  And finally, requests for user data can come from government agencies ranging from a small local police department to the Federal Bureau of Investigation, so an effective government transparency report would require aggregating disclosures from thousands of different agencies.

Although we expected convincing companies to release reports would be easier than trying to collect government reports, it was by no means easy.  Instead, companies did not release transparency reports in any meaningful volume until a significant catalyzing event: the Snowden disclosures.  When we began our work in 2013, we interviewed both companies that were releasing reports and those that were not.  In our conversations, we learned that many companies saw transparency reports as risky with minimal advantages. In particular, the companies believed that the subject was too niche, and that publishing the number of requests that they received and responded to would lead to negative media attention and attract additional government requests.  The Snowden disclosures about government surveillance, changed the transparency landscape.  As privacy shifted to the forefront of public consciousness, the cost-benefit analysis changed and companies rushed to publish transparency reports.

The result of this rush to publish reports was that each company published a slightly (or in some cases dramatically) different report, making it impossible to compare or aggregate data.  Today, well over 40 Internet and telecommunications companies in the U.S. publish transparency reports, each one different.  Our project, the Transparency Reporting Toolkit, aims to identify best practices that would improve the quality and consistency of transparency reports. Our most recent report is a guide and template that walks companies through the process of transparency reporting and resolves many inconsistencies in current reporting practices.  Drafting this report took several years, working closely with companies both bilaterally and in large workshops to discuss and debate the variety of actual and potential practices. As a result of this significant investment of time, several companies have indicated an intent to implement at least some of our recommendations.  It remains to be seen whether companies will in fact adopt our recommended practices, but we believe we are heading in the right direction.  However, until more companies adopt the standardized practices that we’ve identified, the effectiveness of transparency reports remains diminished.

Civil society groups across Hong Kong, South Korea and Taiwan have collectively faced a similar struggle in Asia for transparency reporting.  One of the main differences between the U.S. and Asian approaches is who publishes the reports and where the data comes from.  In current transparency reporting from these three Asian locations, civil society and academic institutions take the lead in generating reports, not companies or governments.  For example, in Hong Kong, the Journalism and Media Studies Centre of the University of Hong Kong has published the Hong Kong Transparency Report, the Taiwanese Association for Human Rights published the Taiwanese Internet Transparency Report in 2015 and the Korean University Law School published the Korea Internet Transparency Report in 2015. Furthermore, these reports almost entirely rely on numbers that government agencies disclose, often due to pressure from legislative inquiries. While major ICT firms like Facebook and Google release information about requests from Asian countries, only two major online service providers in South Korea have far released reports, and a few local Taiwanese firms have chosen to release data on condition of anonymity.

Despite these differences, important similarities remain.  Just as in the U.S., catalyzing events seem to be necessary to accelerate the acceptance of transparency reports.  Although most countries in Asia have not yet had a Snowden-scale catalyzing event, smaller events have had a clear impact. Hong Kong Transparency Report Project Manager Benjamin Zhou noted that arrests of online activists during the 2014 Occupy Central movement and debates over major legislation like the 2014 copyright amendment bill have increased public awareness regarding online rights. As a result, citizens are placing increasing pressure on governments and companies to publish more comprehensive reports, which may help to encourage disclosure in the region.

Also, like the United States, transparency reports across Asia are struggling to reconcile inconsistent data sets.  Several of the transparency reports mentioned above point out that the available statistics contain glaring contradictions and remain incomplete. Just like company transparency reports published in the U.S., the lack of a standard system for describing even the most basic information relevant to these reports, like request type or number of requests, have made it difficult to aggregate and compare information.

Comparing the experiences across these two regions highlights a couple of valuable lessons.  First, these examples suggest that focusing solely on companies as the source of transparency data may be too narrow of an approach.  The success that Asian civil society and academic institutions have had in obtaining data from government agencies suggests that a comparable approach in the United States may yield some helpful information. Similarly, civil society and academic institutions in Asia may benefit from some of our progress in the United States in developing sets of standardizes practices, as they struggle with similar inconsistencies.  Although transparency reports in Asia are a relatively nascent practice when compared to the U.S., reports in both regions share a similar goal: better educating and informing citizens remains the same. 

This feature is part of a Digital Asia Hub Data Protection Day specialFor permission to republish or for interviews with the authors please contact Dev Lewis.

Ryan Budish
Latest posts by Ryan Budish (see all)
Amy Aixi Zhang
Latest posts by Amy Aixi Zhang (see all)