Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.
U.S. tech companies and NGOs rally against net neutrality rollback
Technology companies, NGOs, and websites rallied this week in an “internet-wide day of action to save net neutrality.” Companies including Amazon, Netflix, Twitter, and Tumblr were among the members of the “Battle for the Net” coalition, which urged internet users to tell Congress and the Federal Communications Commission (FCC) to uphold the Title II Net Neutrality rules. These rules were passed in 2015 and created strong protections for net neutrality in the U.S. by classifying internet service providers as “common carriers” under Title II of the Communications Act. The FCC is accepting public comments for its proposed plan to roll back these rules until July 17. The Internet Association, a trade organization that represents tech companies including Facebook, Google, and Microsoft, also launched its own campaign, walking users through the process for submitting an FCC public comment. According to “Day of Action” organizers, more than 1.6 million public comments were filed with the FCC, breaking the previous record for most public comments in a single day.
Digital rights advocates have promoted the importance of net neutrality to ensuring a free and open internet, and in turn, freedom of expression. The Corporate Accountability Index evaluates whether telecommunications companies disclose that they do not prioritize, block, or delay certain types of network traffic, other than for assuring network quality and reliability. If telecommunications companies do engage in these practices, we expect them to clearly disclose their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.
New EFF report shows tech companies can do more to protect user privacy
Tech companies can do more to stand up for our privacy, according to a new report from the Electronic Frontier Foundation (EFF). The EFF’s latest “Who Has Your Back?” report evaluates 26 U.S.-based tech companies’ policies for responding to government requests for user data. The companies were evaluated in categories including whether they follow industry-wide best practices, whether they notify users of government requests, and whether they have advocated for U.S. government surveillance reform. The EFF found that Amazon and WhatsApp lagged behind their internet industry peers, each earning two stars out of a possible five. Of the telecommunications companies, AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning one star.
The “Who Has Your Back” report and the Corporate Accountability Index both evaluate companies’ disclosed policies for responding to government requests for user data. Our findings also indicated that of the 22 companies that we evaluate, most did not disclose enough to users about their processes for responding to government and other third-party requests for user data. Because the EFF focuses on U.S.-based companies and their processes for responding to U.S. authorities, the report is also able to evaluate policies specific to the U.S. legal and political context. For example, legal reforms passed in 2015 allow companies to request judicial review of the gag orders that accompany all National Security Letters (NSLs). However, the EFF reports that fewer than half the companies evaluated publicly commit to request judicial review of all NSLs they receive. In a more positive finding, 21 of the 26 companies evaluated have called for U.S. surveillance reform of Section 702 of the FISA Amendments Act, which Congress will debate reauthorizing this year. With regard to transparency and best practices for respecting user rights, “public scrutiny has helped raise the floor on technology companies,” according to the report—but that all companies still have room for improvement.
Indian telco Reliance Jio investigating data breach reports
Indian telecommunications company Reliance Jio is investigating reports of a data breach after a website published personal information that appeared to belong to subscribers. The company has denied that a breach occurred and said the information appeared to be “unauthentic,” according to Reuters. However, the Indian Express reports the company filed a police complaint alleging “unlawful access to its systems,” which according to the outlet “would be the telecom firm’s first official acknowledgement of a system breach.” The information posted on the website included individuals’ names, email addresses, and phone numbers, and some individuals were able to verify their information had been published, according to reports. It is unclear how of the company’s 112 million subscribers may have had their information published on the site.
India does not have a law that requires companies to notify users when their information may have been included in a data breach.
Users entrust internet and telecommunications companies with a vast amount of personal information—including names, addresses, social security numbers, passwords, and financial information. Companies should take measures to ensure that users’ data is secure. As highlighted in our recommendations, governments should encourage companies to implement and disclose appropriate policies and procedures for data breaches, including through relevant legislation. However, we also expect companies to disclose their policies for responding to a breach before one occurs. Companies should clearly disclose that they will immediately notify the relevant authorities, as well as their processes for notifying data subjects who might be affected by a data breach, and what kinds of steps they will take to address the impact of a data breach on users. Our research has found that companies are not doing enough to make users aware of their data breach response policies. Only three of the 22 companies we evaluated—Telefónica, AT&T, and Vodafone—disclosed any information about their process for responding to data breaches.