WannaCry ransomware infects hundreds of thousands of computers, EU fines Facebook over data policies, and international businesses urge China to delay cybersecurity law

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

WannaCry ransomware highlights importance of security updates

Screenshot of WannaCry infection map from MalwareTech

Since its outbreak on May 12, WannaCry, the largest global ransomware attack in history, has affected hundreds of thousands of computers in more than 150 countries. The ransomware exploited a vulnerability in certain versions of Microsoft’s Windows operating system. The National Security Agency (NSA) had developed an exploit targeting this vulnerability, which was stolen and later published by a group of hackers called the “Shadow Brokers” in 2016. The WannaCry developers used this exploit to create rapidly spreading malware that encrypted the hard drives of more than 300,000 computers, according to the White House. A window instructed affected individuals that if they wanted to access their files, they would have to pay $300 in Bitcoin to receive the decryption key. Entities affected included the United Kingdom’s National Health Service, which shut down sixteen hospitals as a result, and Telefónica, which was the first company to report it had been impacted by the attack.

After hackers published the exploit in 2016, Microsoft released a patch fixing the vulnerability, but users who did not install the update, or who used older operating systems that no longer received regular security updates, such as Windows XP, remained vulnerable. Microsoft also released an emergency patch for Windows XP shortly after the attack.

The WannaCry ransomware attack highlights the need for companies to provide regular security updates and to clearly disclose to users their policies and timelines for responding to security vulnerabilities once they are discovered. As highlighted in the 2017 Corporate Accountability Index findings, users rely on software being up to date and resilient against malware, and companies should clearly communicate to users how long after purchase (or until what date) they are guaranteed to receive software updates.

EU fines Facebook over data policies

The European Commission has fined Facebook €110 million for providing ‘misleading’ information about the company’s technical capacity to match user data between WhatsApp and Facebook. According to the Commission, Facebook did not accurately state that it could match users’ WhatsApp phone number with their Facebook profile. Facebook filed this information to EU competition authorities as part of a merger approval process after the company purchased WhatsApp in 2014.

In a statement released in response to the Commission’s fine, Facebook said it did not intentionally mislead the Commission. “The errors we made in our 2014 filings were not intentional and the Commission has confirmed that they did not impact the outcome of the merger review,” the company said.

Facebook has confronted numerous legal challenges in Germany and other EU countries over its WhatsApp data-sharing practices. In the 2017 Corporate Accountability Index, Facebook received the lowest score of all internet and mobile companies for its lack of disclosure about how users can control what the company does with their information.

Chinese cybersecurity law raises concerns

International business groups are calling on the Chinese government to delay implementing a cybersecurity law set to take effect this June. The law has raised concerns over provisions requiring data about Chinese citizens to be stored within the country and vague security certification requirements for companies. It is unclear if companies will have to provide software source code to authorities, according to reports.

As also noted in the 2017 Corporate Accountability Index, this law requires companies to cooperate with crime and national security investigations, and could mean that companies will be obligated to comply with government requests for user information and other surveillance demands. Both Chinese companies evaluated in the Index, Baidu and Tencent, had low levels of disclosure relating to government requests for user data, and current laws make it unrealistic for Chinese companies to reveal this information.
