In Depth

Getting Internet Companies To Do The Right Thing

Case Studies and Graphical Timelines of the Adoption of Three Privacy & Security Best Practices
Photo: Shutterstock

Introducing the "Do the Right Thing" Project

For advocates seeking to protect the privacy and security of internet users, one of the most powerful levers for change is the internet industry itself. Getting the right companies to flip the right switches or make the right policy and design decisions—to do the right thing when it comes to protecting their users—can have a positive impact on hundreds of millions or even billions of people. Which naturally raises the question...

How do you get companies to do the right thing?

What are the conditions that most often can push companies’ to do the right thing? What are the signs that signal an opportunity for advocates to focus more pressure on a particular issue? What are the different factors that play into the companies’ decisions, and what are the different kinds of influence that can be leveraged?

We sought to answer these questions by developing case studies looking at the history of three different positive privacy and security practices, and mapping the timeline over which those three practices went from something no one did, to something one company did, to it becoming a best practice that a few companies did, to it becoming a standard practice that almost all of the major companies implemented.

The three privacy & security practices that are the subject of our case studies:

  • Using transit encryption by default to shield data sent between a company’s site and its users, or between data centers or mail servers, in order to better protect the privacy and integrity of users’ data;

  • Offering two-factor authentication (2FA) tools to users to help prevent users’ accounts from getting broken into, even if their password is stolen or easily guessed;

  • Issuing transparency reports to educate policymakers and the public about the extent of government demands for the handover of user data or the takedown of user content.

Each case study is in the form of a graphical timeline that maps key developments over the years that either reflected or helped spur the growing adoption of each practice, accompanied by a prefatory narrative to introduce some basic information about the practice and the key factors that influenced its implementation over time. You can see those timelines now by following the links above or below, or start here with the key lessons from the three timelines.



Key Lessons

In compiling our three timelines, we identified a number of key commonalities that identified a particular practice’s trend of adoption.

Case Study #1: Using Transit Encryption by Default

TLS is a protocol for adding encryption to different forms of Internet communications while they are in transit.

Case Study #2: Offering Two-Factor Authentication

2FA works by requiring a user to prove that they are who they say they are in two ways: with something they have and something they know.

Case Study #3: Transparency Reporting

Transparency reports offer companies a public-facing opportunity to showcase their values and commitments to protecting user rights.