Archives for July 2017

Corporate Accountability News Highlights: Chinese social media censorship increases following Liu Xiaobo’s death, new report highlights Russian crackdown on freedom of expression online, and Verizon responds to third-party vendor data breach

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Social media censorship on the rise in China following death of Liu Xiaobo

From Citizen Lab’s report: “Evidence of image censorship on WeChat’s group chat. A user with an international account attempts to send an image commemorating Liu Xiaobo’s death in a group chat. Users with China accounts in the group did not receive the message.” (Licensed CC BY 2.5 CA)

In China, online censorship of content related to human rights activist Liu Xiaobo has increased following his recent death, according to new research from Citizen Lab. Although certain terms relating to Liu have regularly been blocked, researchers found an increase in censorship of images and keywords on Chinese messaging app WeChat and social media platform Sina Weibo. According to the report, “the death of Liu marks a particularly critical moment for the Communist Party of China (CPC) and, as a result, Chinese Internet companies are facing direct or indirect government pressure to apply broad restrictions to content related to Liu.”

On July 18, users in China also reported issues using messaging app WhatsApp. The Guardian reports that photo, video, and voice messages sent from China using the service were blocked, but text messages were not. According to the BBC, neither the Chinese government nor WhatsApp has commented on the issue. As noted in the 2017 Corporate Accountability Index, Chinese companies are held liable if forbidden content is published on or transmitted through their services. Services that do not make a concerted effort to police such content are blocked from being accessed in China.

New HRW report highlights Russian government’s crackdown on freedom of expression

Russian authorities are increasing restrictions on freedom of expression online as part of a broader crackdown on civil society, according to a new report from Human Rights Watch. The report documents how Russian authorities are using “anti-extremism” laws to prosecute individuals for online speech, particularly those critical of the government, or those who post about sensitive topics, like the occupation of Crimea. The report urges the Russian government to refrain from requiring social media users to register with their real names. It also recommends the government repeal legislation that requires telecommunications and internet companies to store communications data for six months and metadata for up to three years, potentially allowing for authorities to access this information. The report also urges companies to regularly publish transparency reports detailing the number of government requests to censor content and to hand over user information, and the number of requests with which they comply, and to minimize the amount of user information stored within Russia, thereby minimizing the amount of user information that can potentially be accessed by authorities.

The 2017 Index findings showed that although Russian authorities have tightened controls over the internet, there are specific areas in which Russian companies can be more transparent about their policies affecting users’ freedom of expression rights, despite legal and political constraints. Both Russian companies evaluated—Mail.Ru and Yandex—disclosed little information about how they handle government or private requests to block content or restrict user accounts, and neither published any data about the number of government requests it receives or with which it complies—although there are no laws prohibiting Russian companies from doing so.

Verizon responds to vendor data breach

U.S. telecommunications company Verizon has confirmed a recent data breach affecting millions of customer accounts. According to ZDNet, the breach occurred after a vendor contracted by Verizon uploaded personal information belonging to at least 14 million subscribers to an unprotected cloud storage server. A security researcher discovered the vulnerability and notified Verizon, but the vulnerability remained unpatched for more than a week, according to the Washington Post. After the researcher then followed up with the company’s cyber emergency team, noting he had raised the issue a week earlier, Verizon told him the issue would be addressed, and the vendor fixed the vulnerability within a day. “The informal contact did not drive the action we would have wanted to see and we are reviewing opportunities for improving our handling of such contacts,” company spokesperson David Samberg said.

In response to the rise in data breaches, RDR added an indicator on data breaches to our methodology evaluating whether companies clearly disclose their policies for responding to a data breach before one occurs. We expect companies to clearly disclose that they will immediately notify the relevant authorities, as well as their processes for notifying data subjects who might be affected by a data breach, and what kinds of steps they will take to address the impact of a data breach on users. Companies should also clearly disclose that they have a mechanism through which security researchers can submit vulnerabilities they discover, as well as the timeframe in which they will review reports of vulnerabilities. Our findings showed that although 11 companies disclosed they had such a mechanism, only six clearly disclosed the timeline in which they commit to review reports.

Corporate Accountability News Highlights: Tech companies join forces for “Day of Action” on Net Neutrality, EFF report shows tech companies can improve on user privacy, and Indian telco Reliance Jio responds to recent data breach reports

U.S. tech companies and NGOs rally against net neutrality rollback

Technology companies, NGOs, and websites rallied this week in an “internet-wide day of action to save net neutrality.” Companies including Amazon, Netflix, Twitter, and Tumblr were among the members of the “Battle for the Net” coalition, which urged internet users to tell Congress and the Federal Communications Commission (FCC) to uphold the Title II Net Neutrality rules. These rules were passed in 2015 and created strong protections for net neutrality in the U.S. by classifying internet service providers as “common carriers” under Title II of the Communications Act. The FCC is accepting public comments for its proposed plan to roll back these rules until July 17. The Internet Association, a trade organization that represents tech companies including Facebook, Google, and Microsoft, also launched its own campaign, walking users through the process for submitting an FCC public comment. According to “Day of Action” organizers, more than 1.6 million public comments were filed with the FCC, breaking the previous record for most public comments in a single day.

Digital rights advocates have promoted the importance of net neutrality to ensuring a free and open internet, and in turn, freedom of expression. The Corporate Accountability Index evaluates whether telecommunications companies disclose that they do not prioritize, block, or delay certain types of network traffic, other than for assuring network quality and reliability. If telecommunications companies do engage in these practices, we expect them to clearly disclose their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

New EFF report shows tech companies can do more to protect user privacy

Image via EFF (licensed CC-BY 3.0)

Tech companies can do more to stand up for our privacy, according to a new report from the Electronic Frontier Foundation (EFF). The EFF’s latest “Who Has Your Back?” report evaluates 26 U.S.-based tech companies’ policies for responding to government requests for user data. The companies were evaluated in categories including whether they follow industry-wide best practices, whether they notify users of government requests, and whether they have advocated for U.S. government surveillance reform. The EFF found that Amazon and WhatsApp lagged behind their internet industry peers, each earning two stars out of a possible five. Of the telecommunications companies, AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning one star.

The “Who Has Your Back?” report and the Corporate Accountability Index both evaluate companies’ disclosed policies for responding to government requests for user data. Our findings also indicated that of the 22 companies that we evaluate, most did not disclose enough to users about their processes for responding to government and other third-party requests for user data. Because the EFF focuses on U.S.-based companies and their processes for responding to U.S. authorities, the report is also able to evaluate policies specific to the U.S. legal and political context. For example, legal reforms passed in 2015 allow companies to request judicial review of the gag orders that accompany all National Security Letters (NSLs). However, the EFF reports that fewer than half the companies evaluated publicly commit to request judicial review of all NSLs they receive. In a more positive finding, 21 of the 26 companies evaluated have called for U.S. surveillance reform of Section 702 of the FISA Amendments Act, which Congress will debate reauthorizing this year. With regard to transparency and best practices for respecting user rights, “public scrutiny has helped raise the floor on technology companies,” according to the report, but all companies still have room for improvement.

Indian telco Reliance Jio investigating data breach reports

Indian telecommunications company Reliance Jio is investigating reports of a data breach after a website published personal information that appeared to belong to subscribers. The company has denied that a breach occurred and said the information appeared to be “unauthentic,” according to Reuters. However, the Indian Express reports the company filed a police complaint alleging “unlawful access to its systems,” which according to the outlet “would be the telecom firm’s first official acknowledgement of a system breach.” The information posted on the website included individuals’ names, email addresses, and phone numbers, and some individuals were able to verify their information had been published, according to reports. It is unclear how many of the company’s 112 million subscribers may have had their information published on the site.

India does not have a law that requires companies to notify users when their information may have been included in a data breach.

Users entrust internet and telecommunications companies with a vast amount of personal information—including names, addresses, social security numbers, passwords, and financial information. Companies should take measures to ensure that users’ data is secure. As highlighted in our recommendations, governments should encourage companies to implement and disclose appropriate policies and procedures for data breaches, including through relevant legislation. However, we also expect companies to disclose their policies for responding to a breach before one occurs. Companies should clearly disclose that they will immediately notify the relevant authorities, as well as their processes for notifying data subjects who might be affected by a data breach, and what kinds of steps they will take to address the impact of a data breach on users. Our research has found that companies are not doing enough to make users aware of their data breach response policies. Only three of the 22 companies we evaluated—Telefónica, AT&T, and Vodafone—disclosed any information about their process for responding to data breaches.