Open & free internet

Register your interest in this issue

Does your business explain its policies and practices in respect to its use of the internet?


No EXCELLENT answers have been published for this question.

GOOD Answers

No GOOD answers have been published for this question.

OKAY Answers

No OKAY answers have been published for this question.

POOR Answers

No POOR answers have been published for this question.

This Scorecard is due to be updated in 2018

A great many businesses use the internet, to at least some extent, whether for online banking, basic emailing or maintaining a company website. Increasingly, the goods and services businesses offer can be purchased over the internet and social media are used to market them. As a result, businesses have become custodians of people’s digital information. This may include personal information such as age, sex and other demographic details; financial information such as bank account and credit card details, ‘data’ (i.e. the comments, ‘likes’, email content, shared photos and videos) and ‘metadata’ (i.e. details of other people in their internet networks and how and when they link).

The impact of the internet on business has been and continues to be immense. And, given the pace of change inherent in the technology and its applications, opportunities and problems evolve rapidly. Theft of digital information has become one of the most commonly reported frauds. Other major concerns for business include misuse of company technology, information security, protection of business reputation and resulting corporate legal liability.

All companies can create cultures of internet use that will support business, allow innovation, improve employee productivity, deliver effective service to clients and customers, within a framework of practices that boost user confidence and provide a secure environment for business activities. There are several organisations, such as the US Federal Communications Commission (FCC) or the Global Network Initiative, which provide a business-focused approach to good practice guidance. Actions might include:

  • Communicating policies on internet freedom, freedom of expression and protection of privacy to employees, customers, down supply chains and to other stakeholders
  • Ensuring policies on data collection by the business protects the privacy of customers, clients and staff and is compliant with the law
  • Informing internet users of policies on data ownership, storage, retention and subsequent use
  • Ensuring data is fairly and lawfully processed and used only for limited purposes
  • Training employees in company internet policies
  • Ensuring data is securely protected for the sake of internet users as well as the security of the IT infrastructure
  • Ensuring data is retained only in compliance with the law and not transferred without adequate protection.

However, in addition to these various practical considerations actions, businesses are under increasing pressure to think more broadly about the internet and its impacts. The internet is more than a tool: it is a breakthrough technology affecting all of humanity. It is “an aggregate of a vast range of ideas, technologies, resources and policies developed on the assertion of freedom and through collective endeavours in the common interest. States, the private sector, civil society and individuals have all contributed to build the dynamic, inclusive and successful internet that we know today. The internet provides a space of freedom, facilitating the exercise and enjoyment of fundamental rights, participatory and democratic processes, and social and commercial activities.” Yet, according to John Perry Barlow, co-founder of the Electronic Frontier Foundation, “the internet is simultaneously the most liberating tool for humanity ever invented, and also the best for surveillance. It is not one or the other. It is both.”

The use and development of the internet throws up many ethical questions and human rights concerns. For example, how should individual freedom of expression, on one hand, be balanced with the prevention of social disharmony and discord on the other? Equally, how should the right to privacy be balanced with the prevention of threats to national security? When does protection of vulnerable users become repressive? Who owns data collected via the internet? At what point does market intelligence or research on competitors translate into corporate espionage? What level of responsibility should be placed upon governments and corporations to make their data publicly accessible?

The internet has not simply changed business, it has transformed power structures and the ways in which we all live. A ONE campaign highlights the potential of the internet to allow citizens of developing countries to hold business and government to account, if relevant data is made accessible. A lack of public access, it suggests, means that “at least $1trillion is being taken out of developing countries each year through a web of corrupt activity that involves shady deals for natural resources, the use of anonymous shell companies, money laundering and the use of illegal tax evasion”, money which governments should be using to enhance the lives of their citizens.

In countries where government censorship of national media is rife, the internet may be a vital alternative source of information and communication. Arguably, social media were fundamental to the spread of the ‘Arab Spring’. Internet Service Providers (ISPs) and social media platforms reportedly resisted government censorship in order to help citizens publicise the many uprisings, share images and coordinate demonstrations. At the same time, governments used surveillance and spy software to identify and harass key political opponents, such as bloggers and prominent social media users. Commercial operations underpinned all this activity. They continue to do so now in areas of conflict the world over.

The growth of the internet has also revolutionised foreign intelligence and counterintelligence activities for governments. In 2013, whistleblower Edward Snowden revealed the extent of the surveillance activities of the US National Security Agency, the government body in which he worked as a contractor. According to leaked documents, the NSA intercepts the communications of over a billion people worldwide and tracks the movement of hundreds of millions of people using mobile phones. The NSA has also created, or maintains, security vulnerabilities in most software and encryption, leaving the majority of the internet susceptible to cyber attacks from itself and its collaborators.

One leading internet security expert, Bruce Schneier, argues that the NSA’s behaviour was simply pragmatic. That is, it did not suddenly decide to spy on the world but instead realised how useful the internet data, already collected by businesses, had become and it wanted access. He suggests consumers are willing to hand over their information to companies in exchange for ‘free’ services, such as email, games and networking, and that the data they generate becomes a valued commodity. Companies are constantly looking to obtain more data to better understand consumer behaviour and to better target individual users and so ‘to sell more stuff’. People are complicit in this and, indeed, are largely comfortable with such arrangements with commercial organisations. However, consider the business that requires customers install a new messaging app (i.e. the Facebook app which allows access to users’ phone cameras; records calls; sends messages without permission; identifies details about users and all their contacts and sends that information on to third parties). Is it improving its services to users or is it “invading people's privacy to a breath-taking extent”? If and when a government then piggyback on what business is already doing, reaction is adverse. People are quick to voice concern over the encroachment of ‘Big Brother’ and the breadth and depth of government powers of surveillance.

The roles of the corporate internet giants (e.g. Facebook, Google, Apple, Amazon, Yahoo, Microsoft, Twitter, AOL, LinkedIn) are obviously of great significance. But so too are the actions of the telephony companies whose infrastructure is critical to carrying internet traffic. Campaigners argue that one of the most critical issues for the future of the internet is in the maintenance of ‘net neutrality’. While other national jurisdictions have already passed legislation to protect net neutrality, in the USA, the FCC has recently “proposed rules that would allow rampant discrimination online. Rules that would allow telecom giants like AT&T, Comcast and Verizon to create a two-tiered Internet, with fast lanes for those who can afford it and dirt roads for the rest of us” according to the Save the Internet Campaign. The campaign also suggests that such companies would have the power to pick winners and losers online and discriminate against online content and applications, that no one would be able to do anything about it, and that this constitutes a grave threat to our rights to connect and communicate. Alternatively, the problem today isn't the ‘fast lanes’. The problem is whether a declining number of ISPs will grow so large that they have undue control over the market for fast speeds - whether they can independently decide who gets access to what connection at what price.

When great profits are at stake, organising the internet in a “sustainable and people-centered fashion, in harmony with human rights and fundamental freedoms, democracy and the rule of law” becomes ever more challenging. This question attempts to raise some of the key issues and provide businesses an opportunity to explain and justify their practices and decisions in respect of use of the internet.

Cyber security

'Cyber security' is information security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.


'Data' is the lowest level of abstraction from which information and knowledge are then derived. (Data is collected and analysed so as to create information, while knowledge is derived from extensive amounts of experience dealing with information on a subject.)


The 'internet' is a global network of networks that connects and serves several billion users. It consists of millions of private, academic, business, government, public and global networks linked by electronic, wireless and optical networking technologies. The internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents and applications of the web, the infrastructure to support email, and peer-to-peer networks for file sharing and telephony.

Internet governance

'Internet governance' is the development and application of shared principles, norms, rules, decision-making procedures and programs that shape the evolution and use of the internet. Recently accepted Internet Governance Principles include: human rights and shared values, such as freedom of expression and association, privacy and access to information; intermediary liability protection; cultural and linguistic diversity; unified, unfragmented network infrastructure promoting free flow of data; security, stability and resiliency; open architecture with voluntary collaboration and stewardship by technical experts; and 'permissionless innovation' supported by infrastructure investment.

Internet service provider

An 'internet service provider' (ISP) is an organisation that provides services for accessing, using, or participating in the Internet. ISPs may be organised in various forms, such as commercial, community-owned or non-profit.

Net neutrality

'Net neutrality' is the principle that ISPs should enable access to all content and applications regardless of the source and without favouring or blocking particular products or websites.

Open data

'Open data' is the idea that certain data should be freely available to everyone to use and republish as they wish, free from access restrictions, licenses, copyright, patents, charges for access or re-use, or other mechanisms of restriction or control.

Social media

'Social media' refers to the virtual network of information and contacts enabled via internet-based tools such as applications or websites which allow users to create, discuss and share content.


'Surveillance' is the monitoring and storing of personal information, with or without consent, by commercial or academic or governmental entities monitoring computer activity and online behaviour. This may be for purposes other than those expected by the user or apparent to the user.

Surveillance technology

'Surveillance technology' is any technology that can be used for the monitoring, intercepting, analysing, mapping, and/or storing of electronic communications, i.e. internet, phone, email, VOIP, social media etc. Such technologies cross a broad spectrum and can vary from intrusion software (malware or trojan programmes), to undersea fibre optic cable taps, location monitoring, false mobile phone base stations, and social media relationship mapping etc. Such technology is often 'dual use', i.e. it can be used for both civilian and military purposes.

UN Guiding Principles on Business and Human Rights

The 'UN Guiding Principles on Business and Human Rights' (UNGPs) are a global standard for preventing and addressing the risk of adverse impacts on human rights linked to business activity. Article 13, which may have particular relevance to open and free internet, states: "The responsibility to respect human rights requires that business to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts".

World wide web

The 'world wide web' (abbreviated as www and commonly known as 'the web') is a system of interlinked hypertext documents that are accessed via the internet using a web browser to view web pages that may contain text, images, videos, and other multimedia.

Answering YES

All Businesses MUST

Detail any business philosophies, principles or values which influence their use of the internet

Set out their policies and practices for use of the internet

Explain any practices or operations that fully or partially block or favour particular internet content

Detail their policies, practices and any future intents in regards net neutrality

All Businesses MAY

Explain their policies and practices for the protection, monitoring, sharing, storage and/or retention of user data (i.e. both employees and customers)

Explain if and how the UN Guiding Principles on Business and Human Rights influence their internet policies

Detail how they communicate their principles and policies on the internet to staff and other users

Describe any staff training on data usage issues and the procedures for data protection

Explain engagement with external stakeholders such as suppliers and contractors

Describe any involvement in the development, sale and/or export of surveillance technology and whether they undertake any human rights or social impact assessments when selling or exporting these products

State any policies in place to deal with security breaches of sensitive information

State their concern for and/or support of accepted internet governance principles

Set out any proposed future actions in relation to this issue

Answering NO

All Businesses MUST

Explain why they do not or cannot answer YES to this question, listing the business reasons, any mitigating circumstances or other reasons that apply

All Businesses MAY

Explain the extent to which they meet elements of the YES criteria

Set out any proposed future action regarding this issue

DON'T KNOW is not a permissible answer to this question

NOT APPLICABLE is not a permissible answer to this question

Version 1

To receive a score of 'Excellent'

Actively transparent on its practices and policies in the use of the internet

Examples of policies and practices which may support an EXCELLENT statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Internet transparency apparent within key values and philosophy of the company
  2. Values etc disseminated throughout organisation and staff engagement apparent
  3. Actively seeking to meet the UN Guiding Principles on Business & Human Rights
  4. Carrying out Human Rights Impact Assessments when products, technologies and services may present a risk to freedom of expression and/or privacy
  5. Comprehensive training on internet use across the organisation
  6. Continuously updating internet practices and policies
  7. Terms of service and privacy policy freely available in plain and accessible language
  8. Continuously updating protection against online threats
  9. Customer consent in storing and sharing of information e.g. to third parties
  10. Clear policies to deal with information disclosure requests and transparency in instances when this may occur
  11. Actively supports full net neutrality
  12. Member of external organisations dealing with business internet issues
  13. Used as exemplar by other companies
To receive a score of 'Good'

Several steps to develop transparent practices and policies in the use of the internet apparent

Examples of policies and practices which may support a GOOD statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Company practices and policies readily disseminated and easily available across the organisation
  2. Terms of service and privacy policy available
  3. A named person (or more) responsible for handling internet issues
  4. Strict compliance with relevant guidelines and regulations e.g. EU policy on cookies, the right to be forgotten
  5. Regular review of internet practices and policies
  6. Staff training and awareness on data usage and data protection issues
  7. Promoting stakeholder awareness regarding internet related policies
  8. Prompt and accurate responses to queries and disclosure requests
To receive a score of 'Okay'

Ad hoc practices and policies in the use of the internet

Examples of policies and practices which may support an OKAY statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Limited steps to ensure internet security and privacy
  2. Some protection of information, computers and networks, such as regularly changing individual passwords
  3. Some data protection policies, such as T&Cs for company web users
  4. Limiting authority to install non-company software
To receive a score of 'Poor'

Little or no concern/action to be transparent on practices and policies in the use of the internet

Examples of policies and practices which may support a POOR statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. No apparent company policies regarding internet uses and data management
  2. Secrecy and restriction in the company’s internet usage norms
  3. Limited information about internet use available for employees and public
  4. No apparent mechanism to protect customers or employees from cyber crime
  5. Evidence of monitoring, surveillance or use of customer/employee information without justifiable reason or authority
  6. Data storage and manipulation can not be justified