Archives for June 2017

Chinese netizens anticipate VPN crackdown, Google receives historic antitrust fine from EU, and new documents released from investigation in Philando Castile’s death

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Chinese internet users anticipate VPN crackdown

Image via tonynetone on Flickr (licensed CC BY 2.0)

Global Voices reports that a crackdown on Virtual Private Network (VPN) use in China may be just around the corner. Internet users in China regularly rely upon VPNs to access websites and social media sites like Facebook and Twitter that are blocked by China’s “Great Firewall.” However several VPNs appear to have recently been removed from Apple and Android app stores, according to the report, and VPN provider Green issued a statement to its users that after receiving notice from “higher authorities,” it would cease operations on July 1. In January, the Chinese Ministry of Industry and Information Technology announced that VPN providers could not operate without approval. Internet users anticipate that a majority of VPN apps will be unavailable in Chinese Android and Apple app stores as of July 1, according to Global Voices.

In the Corporate Accountability Index, we look for app store companies to report data on the number of requests they receive from governments to remove or restrict third-party apps. Of the three mobile ecosystem companies we evaluated (Apple’s iOS, Google’s Android, and Samsung’s implementation of Android), Google was the only company to disclose some of this information.

European Commission fines Google 2.4 billion Euro in antitrust suit

The European Commission has fined Google 2.4 billion Euro in an antitrust case, finding that Google Search had prioritized results from Google’s comparison shopping service and demoted similar search results from competitors. According to EU Commissioner Margrethe Vestager, “Google abused its market dominance as a search engine” by doing this. In addition to receiving the largest antitrust fine aimed at a single company in EU history, this could also lead to further regulatory action focused on other aspects of Google’s business–including Android. In April 2016, the Commission filed a separate antitrust case that Google was abusing Android’s market dominance to benefit Google Search, which the Commission said “has harmed consumers by restricting competition and innovation.” The Android investigation is still ongoing, and financial analyst Richard Windsor told Reuters that the recent fine is a “warning shot” to Google regarding the Android case.

The majority of smartphone users use an Android operating system, and it is projected to maintain about an 85% market share through 2020. Google Android, and other mobile ecosystem companies, should be transparent about their policies and practices. However, our research found that all three mobile ecosystems evaluated—Apple, Google, and Samsung—failed to sufficiently disclose policies affecting users’ freedom of expression and privacy.

Facebook pushes back on request by authorities to access users’ accounts

Facebook successfully contested warrants for two users’ account information that included a gag order preventing the company from notifying anyone about the request, newly released documents reveal. The warrants were served as part of the investigation into the death of Philando Castile, who was fatally shot by a Minnesota police officer on July 7, 2016. His girlfriend, Diamond Reynolds, who was in the passenger’s seat when Castile was shot, livestreamed the immediate aftermath on Facebook live in a video that was viewed 3.2 million times in less than one day. Minnesota’s Bureau of Criminal Apprehension (BCA) served Facebook with warrants requesting information from both Castile’s and Reynold’s Facebook accounts. Authorities also served Sprint with a warrant for Diamond Reynolds’ phone records, including call and text logs and location data.

Both of the warrants included indefinite gag orders that would prevent Facebook and Sprint from ever notifying anyone else of the requests, including Reynolds. Facebook pushed back against the gag order, and notified the BCA that it was preparing a legal filing to challenge the warrants, which were eventually rescinded. Sprint complied with the warrant and gag order. A Facebook spokesperson told Gizmodo, “Our policy is to notify people about law enforcement requests for their information before disclosure unless we’re legally barred from doing so. In this case, we decided to challenge gag orders on our ability to provide this important notice, and the authorities ultimately withdrew these warrants altogether.”

The Corporate Accountability Index looks for companies to disclose a policy that they carry out due diligence when governments or law enforcement ask for user information before deciding how to respond. We also expect companies to commit to push back on inappropriate or overbroad requests, and to notify users when government entities request their user information, and clearly disclose situations when they may be prohibited by law from notifying users. For the Facebook social network, Instagram, and Messenger, Facebook clearly disclosed that it notifies users when government authorities request their user information, but did not make the same explicit disclosure for WhatsApp.

EU Parliament committee endorses end-to-end encryption, companies are behind in preparing for new EU data rules, and U.S. net neutrality debate resurfaces

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

EU Parliament committee endorses end-to-end encryption

European Parliament, image via Wikipedia

A European Parliament committee is proposing that end-to-end encryption be mandatory for all electronic communications. The proposal calls for  amending the EU Charter of Fundamental Rights to include online privacy. It also includes a ban on encryption “backdoors” that give governments access to encrypted communications. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services,” according to the proposal.

This is a stark contrast to recent discussions among officials in the UK, Germany, and Australia who say authorities should be able to access encrypted communications to stop terrorism. As highlighted in the 2017 Corporate Accountability Index, governments should not pass measures that undermine encryption. As the EU Parliament committee’s proposal asserts, “The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information.”

Companies not ready for new EU data protection rules

The Financial Times reports that European companies are unprepared for the EU’s new data protection regulations that come into force in less than a year. Many businesses are “dramatically underestimating” the impact of the General Data Protection Regulation (GDPR), according to the report, and appear to be behind schedule in making necessary changes, or are unaware of their obligations under the new rules. While the law is currently in effect, companies have until May 2018 to be compliant with the rules. The Irish Times also cited a survey showing that two-thirds of 150 businesses in Ireland “did not realize what they would have to do regarding the GDPR.”

Any company that handles personal data of EU citizens must comply with the GDPR. The rules cover a wide range of data protection issues, and include new requirements for handling personal data and reporting data breaches. Findings of the 2017 Corporate Accountability Index showed that most companies lacked transparency about how they handle user information, and only three of the 22 companies evaluated disclosed any information about their process for responding to data breaches.

Companies and rights groups to protest net neutrality rollback in the U.S.

Several companies, including Amazon, Netflix, and Reddit are joining with civil society advocates for an “internet-wide day of action to save net neutrality” to protest the Federal Communications Commission (FCC) plan to repeal the current net neutrality rules. In February 2015, the FCC classified internet service providers as “common carriers” under Title II of the Communications Act, protecting the principle of net neutrality—requiring carriers to treat all types of content and traffic equally. The measure was hailed by internet rights groups since it created strong protections for net neutrality, helping to ensure equal access to content and the free flow of information online.

In May 2017, the FCC voted to begin the process of repealing the 2015 net neutrality rules and the Title II classification for ISPs. On July 12, websites participating in the day of action will display a message about the importance of net neutrality and provide a prompt for users to submit a comment to the FCC and Congress in support of strong net neutrality protections.

While some telecommunications companies support net neutrality, our research shows they may lack transparency about their network management policies and practices. The Corporate Accountability Index evaluates if companies disclose whether they engage in practices that affect the flow of network traffic, like by prioritizing certain content or throttling traffic. We expect companies to avoid these types of practices unless for legitimate traffic management reasons, like to ensure the flow of traffic through their networks. If companies do engage in throttling, traffic shaping, or prioritization, we expect them to publicly disclose this and to explain their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

UN expert says companies must do more to advance freedom of expression online

Many of the most serious threats to human rights online—like censorship, surveillance, and network shutdowns—are driven by governments, but are often carried out by companies. It is well-established that states have an obligation to protect human rights, but what responsibilities do companies have?

On June 12, UN Special Rapporteur on Freedom of Expression, David Kaye, presented his latest report to the UN Human Rights Council, addressing this question. The report analyzes the human rights responsibilities of internet service providers and telecommunications companies, and draws upon meetings and consultations with private sector and civil society actors, including a written submission from Ranking Digital Rights.

Kaye’s report states that governments should work to protect and promote freedom of expression online, including taking steps to limit companies from interfering with human rights. Government actions, such as surveillance or policies that undermine encryption, can also compel companies to violate human rights.

The report also found that governments and companies are insufficiently transparent with the public about demands being placed on companies and how companies are implementing those demands. “A lack of transparency pervades government interferences with the digital access industry,” according to Kaye.

In some cases, this is due to vague laws that give authorities overly broad powers to shut down networks or prevent companies from publicly disclosing information about government access to user data. However, as the report notes, even if companies are legally prohibited from being fully transparent about how they respond to such government requests, they should seek to disclose the maximum amount of information possible under the law—which, according to RDR’s research, most companies are failing to do. Even more troubling, while companies may be legally obligated to comply with government requests for censorship and surveillance, Kaye’s report cites instances in which companies appear to have gone above and beyond their legal obligations in assisting with government surveillance activities.

Companies should also disclose more information about their own policies and practices that affect individuals’ rights to freedom of expression—such as terms of service, content moderation practices, privacy policies, and data collection practices. They should consult with users, civil society, and fellow companies on best practices for transparency, according to the report. Kaye also observes that multistakeholder engagement allows companies to benefit from external expertise and accountability. Citing RDR’s 2015 Index findings, the report highlights how membership in initiatives such as the Global Network Initiative and the Telecommunications Industry Dialogue often correlates with greater institutional commitments to respecting human rights. Our 2017 Index found even stronger evidence of that correlation with the addition of several more companies.

Governments and corporations each have steps they could take to significantly improve their human rights commitments, and also to improve their overall transparency about how these commitments are actually implemented. As the report notes, internet users “deserve to understand how those actors interact with one another, how these interactions and their independent actions affect us and what responsibilities providers have to respect fundamental rights.”

Read the full report here.

Read RDR’s submission here.

Russia moves forward with banning anonymous use of messaging apps, Australian government sets its sights on encryption, and research finds majority of apps share user data with third parties

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Russian legislature considering banning anonymous use of messaging apps

Identity policy scores from the 2017 Corporate Accountability Index

Russian lawmakers are discussing a bill that would ban anonymity on certain messaging apps. If passed, the law would require users to verify their identities using their mobile phone number, and services that continue to allow anonymous users could be fined or blocked. Russian law requires telecommunications companies to verify the identities of their subscribers; mobile phone numbers are therefore directly linked to an individual’s offline identity. In a similar move against online anonymity, Russian lawmakers also recently submitted draft legislation to ban Virtual Private Networks (VPNs) and other internet anonymizers that allow internet users to access blocked content.

The ability to communicate anonymously is essential to ensuring freedom of expression. The 2017 Corporate Accountability Index evaluates if companies disclose whether they require users to verify their identity with a government-issued identification or with other forms of identification that could be connected to their offline identity. Our research showed that 10 of 12 internet and mobile companies disclosed a policy requiring users to verify their identity as a condition of using at least one of the company’s services evaluated. Of the two Russian companies, Yandex disclosed that it may require users to verify their identities for all services, while Mail.Ru disclosed this requirement for one of its services.

As noted in our recommendations, governments should respect the right to anonymous online activity as central to freedom of expression, privacy, and human rights, and refrain from requiring companies to document users’ identities when it is not essential to the provision of service.

Australian government suggests plans for greater access to encrypted communications

The Australian government announced it is considering legal measures that would place greater obligation on companies to assist authorities in decrypting user communications. Prime Minister Malcolm Turnbull called for stronger cooperation between tech companies and authorities to fight extremism, so that “terrorists and organized criminals are not able to operate with impunity in ungoverned digital spaces online.” The Australian government said it plans to raise this issue with the other members of the Five Eyes intelligence network (the U.S., UK, Canada, and New Zealand), during the group’s next meeting later this month.

As highlighted in the 2017 Corporate Accountability Index, governments should not adopt measures to undermine encryption. Strong encryption is vital not only for human rights, but also for economic and political security, and technical experts note that weakening encryption creates significant risks to privacy and security.

Research finds majority of apps share user data with third parties

According to researchers at UC Berkeley and IMDEA Networks Institute, more than 70% of apps share user data with third-party services. Once users give an app permission to access their data, app developers can share this with third-party companies, potentially without the user’s knowledge or consent, according to the research. And if different apps use code from the same third-party software library, these software library developers may be able to aggregate user information from different apps to build detailed user profiles.

These findings are based on data collected through an Android app called the Lumen Privacy Monitor, which allows users to monitor what information the apps they have installed are collecting, and with whom it is being shared. The app, after obtaining user consent, also shares non-personal data with researchers about the scope of data being collected and shared.

Of the three mobile ecosystem companies (Apple, Google, and Samsung) evaluated in the 2017 Corporate Accountability Index, none disclosed that they evaluate whether the third-party apps offered in their app stores disclose what information they share with other third-parties, and with whom they share it.

UK Government calls for increased internet regulation, Brazil holds hearings on WhatsApp blocking, and Weibo users face restrictions on Tiananmen anniversary

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

UK Government calls for increased internet regulation following terror attack

UK Prime Minister Theresa May (Image via Number 10, licensed CC BY-NC-ND 2.0)

In response to the most recent terror attack in London, UK Prime Minister Theresa May is calling for tighter internet regulations in order to combat terrorism. May said she plans to pursue international agreements to regulate cyberspace and criticized internet companies for providing “safe spaces” that allow extremists to communicate.

Adding to May’s comments, UK Home Secretary Amber Rudd said the government wanted tech companies to do more to take down extremist content and to limit access to end-to-end encryption.

In response, some tech companies defended their efforts to identify and remove extremist content. “Using a combination of technology and human review, we work aggressively to remove terrorist content from our platform as soon as we become aware of it,” according to Facebook.

Human rights advocates warn that government attempts to regulate the internet could threaten freedom of expression and that efforts to address online extremist content must be consistent with international human rights norms. According to David Kaye, UN Special Rapporteur on freedom of expression, efforts to combat violent extremism can be the “perfect excuse” for both authoritarian and democratic governments to restrict freedom of expression and control access to information.

Brazil’s Supreme Court holds hearings on WhatsApp blocking

Brazil’s Supreme Court has held hearings to decide whether it is legal for courts to direct telecommunications companies to block apps like WhatsApp. Lower courts on numerous occasions have ordered telecommunications companies to block WhatsApp (which is owned by Facebook), after the company refused to turn over user information requested as part of criminal investigations. Judges in these cases based their rulings on an interpretation of Brazil’s Marco Civil law, which some civil society groups argue is an improper application of the law.

WhatsApp co-founder Brian Acton, who testified at one of the hearings, explained why the company is unable to turn over user information, “Encryption keys relating to conversations are restricted to the parties involved in those conversations,” Acton said. “No one has access to them, not even WhatsApp.” The court is expected to issue a ruling on the matter in the next few weeks.

Of the eight messaging and VoIP services evaluated in the 2017 Corporate Accountability Index, WhatsApp earned the highest score for its disclosure of encryption policies. The company disclosed that transmissions of user communications are encrypted by default using unique keys, as well as that end-to-end encryption is enabled for users by default.

Weibo users censored on Tiananmen anniversary

Users of Chinese social network service Weibo faced restrictions when attempting to post photos or videos on the platform during the anniversary of the 1989 Tiananmen Square pro-democracy protests. Users outside of China were unable to post photos or videos, and users within China also reported that they were unable to change their profile information or post photos and videos as comments during this time.

Although references to Tiananmen Square are regularly censored in China, both by the government and by technology companies, censorship is often heightened in early June each year, as documented by groups such as Freedom House. In a post on June 3, Weibo said that some of the platform’s functions would not be available until the 5th due to a “systems upgrade.” Comments on the post were disabled, and according to a Mashable reporter, “when we attempted to post a comment saying: ‘I want to comment,’ a notice popped up saying that the comment was in violation of Weibo’s community standards.”

As research in the 2017 Corporate Accountability Index showed, Chinese companies are legally liable for publishing or transmitting prohibited content, and services that do not make a concerted effort to police such content can be blocked in China.