Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.
U.S. and UK demand answers from Facebook over Cambridge Analytica scandal
Photo in the Public Domain, via Pixabay.
Authorities in the U.S. and the UK are demanding answers from Facebook after it was revealed that data of an estimated 50 million of the platform’s users was harvested without their consent. In 2014, a researcher at the University of Cambridge developed a personality quiz app that collected data from 270,000 users. The app also enabled the researcher to collect data about those in the friend networks of the quiz respondents without their knowledge. According to reports, the developer then sold the data to data mining firm Cambridge Analytica, which used the data to build detailed profiles of American voters target them with pro-Trump political ads.
In response to these revelations, authorities in both the UK and the US are demanding answers from Facebook. In the UK, members of parliament summoned Facebook CEO Mark Zuckerberg to testify before a parliamentary committee investigating fake news. The country’s information commissioner is investigating organizations that include social media companies and data analytics companies over their handling of user data during political campaigning. In the U.S., Congress members have also called on Zukerberg to testify, while the U.S. Federal Trade Commission is reportedly investigating whether the company violated the terms of a 2011 agreement by Facebook not to share users’ data without their consent.
On Thursday, Zuckerberg said that the company will “investigate all apps that had access to large amounts of information” before 2014 and “will conduct a full audit of any app with suspicious activity.” In 2014, Facebook changed its policies to reduce the amounts of data third-party developers can access. Zuckerberg told Recode that the number of the apps they are going to investigate is in the “tens of thousands” and that the process will “take a number of months.”
Internet, mobile, and telecommunications companies should be transparent about what user information they share, with which parties and for what purposes. Companies should also give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Facebook disclosed less about these options than any of the other 12 internet companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.
Users in Iran blocked from Apple’s App Store
Users in Iran were blocked from accessing Apple’s App Store on March 15, before access was restored again a day later. Those attempting to access the store were shown the following message: “the App Store is unavailable in the country or region you’re in.” It remains unclear why users in the country were blocked from accessing the store, but Iranian activists and journalists are speculating that this is due to U.S.-imposed sanctions.
On Twitter, British-Iranian journalist Saeed Kamali Dehghan described the move as an “arbitrary reading of sanctions policy” which “imposes blanket discriminatory restrictions, and is against what Apple stands for.” Apple did not comment on the matter. Last August, the U.S. company removed from its store apps by developers in Iran, due to U.S. sanctions regulations that prevent it from “hosting, distributing, or doing business with apps or developers connected to certain U.S. embargoed countries.”
Internet, mobile, and telecommunications companies should be transparent about the circumstances under which they may restrict access to their services. They should also commit to notify users when access to their service is restricted and regularly publish data about the volume and nature of actions taken to restrict content or accounts that violate their rules. The 2017 Corporate Accountability Index found that while Apple disclosed some information about its policies for enforcing its rules, it did not disclose a commitment to notify users when it restricts their access to content and services, and did not publish a transparency report about actions taken to enforce the company’s rules.
Congress urged to consider “implications” of the CLOUD ACT
Four civil society groups—Access Now, European Digital Rights (EDRi), the Electronic Frontier Foundation (EFF), and Panoptykon Foundation—have called on members of the U.S. Congress to consider the ‘’domestic and global implications’’ of the CLOUD Act.
The Clarifying Lawful Overseas Use of Data Act (or “CLOUD Act”), which is currently being considered by U.S. lawmakers, would clarify that warrants issued under the 1986 Stored Communications Act apply to data stored overseas, while allowing companies to challenge such warrants when they violate the privacy laws of the country where the data is stored. The measures would also give the U.S president power to enter into “executive agreements” with other countries for cross-border access to data. According to the bill, these countries would have to meet certain requirements such as “demonstrating respect for the rule of law and principles of nondiscrimination” and “adherence to applicable international human rights obligations.”
However, the signatory organizations are concerned that the proposal as it is “provides no mechanism for review of these agreements in the event of democratic backsliding” in countries that enter into such agreements with the U.S. government.
Internet and mobile ecosystem companies should disclose information about their process for responding to government requests for user data including their processes for responding to non-judicial government requests and court orders, and the legal basis under which they comply with requests. In addition, companies should publicly commit to push back on inappropriate or overbroad government requests. Companies should also disclose and regularly publish data about these requests including, listing the number of requests received by country and number of accounts and pieces of content affected, and specifying the legal authorities making the requests.
