Last year, we announced our commitment to the UN Guiding Principles on Business and Human Rights, and our partnership with Global Network Initiative (GNI). As part of that announcement, Cloudflare committed to developing a human rights policy in order to ensure that the responsibility to respect human rights is embedded throughout our business functions. We spent much of the last year talking to those inside and outside the company about what a policy should look like, the company’s expectations for human rights-respecting behavior, and how to identify activities that might affect human rights.
Today, we are releasing our first human rights policy. The policy sets out our commitments and the way we implement them.
Why would Cloudflare develop a human rights policy?
Cloudflare’s mission — to help build a better Internet — reflects a long-standing belief that we can help make the Internet better for everyone. We believe that everyone should have access to an Internet that is faster, more reliable, more private, and more secure. To earn our customers’ trust, we also strive to live up to our core values of being principled, curious, and transparent. The actions that we have taken over the years reflect our mission and values.
From introducing Universal SSL so that every Cloudflare customer would be able to easily secure their sites, to developing protocols to encrypt DNS and SNI in order to protect the privacy of metadata, we’ve taken steps to make the Internet more private. We’ve sought to rid the world of the scourge of DDoS attacks with free, unmetered DDoS mitigation, and consistently strive to make beneficial new technologies available to more people, more quickly and less expensively. We’ve been transparent about our actions and our activities, publicly documenting the requests we get from governments, the difficult choices we face, and the mistakes we sometimes make. We’ve tried to think about the way products can be abused, and provide mechanisms for addressing those concerns. We’ve launched projects like Project Galileo, the Athenian Project, Cloudflare for Campaigns, and Project Fair Shot to make sure that vulnerable populations who need extra security or resources can get them for free.
Although being thoughtful about the ways the company’s actions affect people and the Internet at large is part of Cloudflare’s DNA, as we grow as a company it is critical to have frameworks that help us more thoroughly and systematically evaluate the risks posed by our activities to people and communities. The United Nations Guiding Principles on Business and Human Rights (UNGPs) were designed to provide businesses with exactly that type of guidance.
UN Guiding Principles on Business and Human Rights
The UNGPs, unanimously endorsed by the UN Human Rights Council in 2011, are based on a framework developed by Harvard Professor John Ruggie, distinguishing the state responsibility to protect human rights from the business responsibility to respect human rights. The responsibility to respect human rights means that businesses should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved. The UNGPs also expect companies to develop grievance mechanisms for individuals or communities adversely impacted by their activities.
So what are human rights? The idea, enshrined in the Universal Declaration of Human Rights that was adopted by the UN General Assembly in 1948, is that we all have certain rights, independent of any state, that are universal and inalienable. As described by the UN Human Rights Office of the High Commissioner, these rights “range from the most fundamental — the right to life — to those that make life worth living, such as the rights to food, education, work, health and liberty.” These interdependent rights must not be taken away except in specific and well-defined situations and according to due process.
Companies comply with their responsibility to respect human rights by stating their commitment to human rights, and by developing policies and processes to identify, prevent and mitigate the risk of causing or contributing to human rights harm. Consistent with the UNGPs, these policies typically require companies to conduct human rights due diligence to consider whether their business activities will cause or contribute to harm, to find ways to reduce the risk of any potential harms that are identified, and to remediate harms that have occurred. Companies are expected to prioritize addressing severe harms — meaning harms of significant scope or scale or harms that cannot be easily remedied — that are most at risk from the company’s activities.
Developing Cloudflare’s Human Rights Policy
To develop our human rights policy, we’ve had conversations both within the company, so that we could better understand the scope of Cloudflare activities that might affect human rights, and with human rights experts outside the company.
From an internal standpoint, we realized that, because of our company culture and values, we had been talking for years about the aspects of the company’s business that could have significant implications for people, although we rarely framed our discussions through a human rights lens. Our goal in developing a policy was therefore to build on the good work that had already been done, and fill in additional gaps as necessary.
On the external expert side, the last few years have brought increasing recognition of the challenges and importance of applying human rights frameworks to digital technologies. In 2017, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression prepared a report looking at the way certain actors in the technology sector, including content delivery networks, implicate freedom of expression. That report emphasized the importance of private actors as a “bulwark against government and private overreach” and specifically described content delivery networks as being “strategically positioned on the Internet infrastructure to counter malicious attacks that disrupt access.” The report provided recommendations on conducting due diligence, incorporating human rights safeguards like reducing the collection of information by design, engaging with stakeholders, and improving transparency, among other things.
Recognizing the significance of technology for human rights, the UN Office of the High Commissioner on Human Rights launched the B-Tech project in 2019 to develop practical guidance and recommendations on the UNGPs for companies operating in the tech sector. Cloudflare has benefited from participating in regular working groups with other companies in the ICT space through both the B-Tech project and through GNI on how to apply and advance the UN guiding principles, including sharing best practices and policies among similar companies. We also engage with our Project Galileo partners to discuss topical human rights issues, and how Cloudflare can apply its human rights policy to specific situations.
Cloudflare’s human rights policy is the first step in turning those discussions into something concrete. The policy formally states our commitment to the UNGPs and provides additional details on how we plan to implement our commitments. We will continue to refine this policy over time, and seek input on how to improve it.
What’s next?
Building a human rights program is a dynamic process, and we anticipate that our policies will continue to grow and change. We look forward to continuing to learn from experts, engage with Cloudflare’s stakeholders, and refine our assessment of our salient human rights issues. A better Internet is one built on respect for human rights.