Apple, Amazon comply with Chinese government VPN crackdown, Putin targets circumvention tech and chat apps, and Hungarian arrested after reporting security vulnerability

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Apple, Amazon comply with Chinese government VPN restrictions

The New York Times reports that Apple has removed several Virtual Private Network (VPN) apps from its China App Store at the request of the Chinese government. Amazon’s Chinese partner, Beijing Sinnet Technology Co Ltd, which operates its cloud services in China, has also instructed its customers to stop using VPNs that have not been approved by Chinese authorities, and said that it would shut down services for those who continued to do so, according to Reuters.

Internet users in China have anticipated a crackdown on VPNs, which users need to circumvent China’s “Great Firewall” and access blocked sites and content. According to The New York Times, a number of the most popular foreign VPNs are no longer accessible from Apple’s App Store. “We would obviously rather not remove the apps, but like we do in other countries, we follow the law wherever we do business,” Apple CEO Tim Cook said in response to the company’s decision to remove the VPN apps. “We strongly believe participating in markets and bringing benefits to customers is in the best interest of the folks there and in other countries as well,” he said.

Censorship of app stores is a growing threat to freedom of expression, as more governments are ordering companies that operate app stores, like Apple and Google, to remove certain apps. Earlier this year The New York Times reported that China had ordered Apple to remove The New York Times app from its app store. It also reported that Russia had ordered Google and Apple to remove the LinkedIn app from their app stores, after LinkedIn was blocked for not complying with Russian data localization law.

The Corporate Accountability Index looks for companies that manage app stores to report data on the number of requests they receive from governments to remove or restrict third-party apps. Findings from the 2017 Index showed that Apple and Samsung did not report this information, while Google did disclose some of this data.

Putin takes aim at censorship circumvention tools and chat app anonymity

Russian President Vladimir Putin has signed a law prohibiting tools, including VPNs, that allow users to access banned websites, and another law requiring users of chat apps to verify their identities.

Human rights groups have documented increasing restrictions on freedom of expression online as part of the Russian government’s broader crackdown on civil society. Many censorship circumvention tools that will be prohibited under the new law not only allow users to access banned websites but also to browse the internet anonymously.

The ability to communicate anonymously is essential to freedom of expression. The Corporate Accountability Index looks for companies to disclose that they do not require a phone number, or other form of identification tied to a user’s offline identity, to use their services (unless a phone number is required for the service to function properly). As noted in our recommendations, governments should respect the right to anonymous online activity as central to freedom of expression, privacy, and human rights, and refrain from requiring companies to document users’ identities when it is not essential to the provision of service.

Hungarian arrested after reporting security vulnerability

An 18-year-old was arrested in Hungary after reporting a security vulnerability he found in the new mobile payment system for Budapest’s public transportation system. The online payment platform was built by T-Systems Hungary, a subsidiary of Deutsche Telekom. According to TechCrunch, the individual who was arrested had emailed the Budapest Transport Authority (BKK) after discovering that any visitor to the website could change the price of any ticket before purchasing it, using the website developer tools built into their internet browser. In his email, the individual said that he verified the bug by purchasing a monthly pass for only HUF 50 (approximately $0.20 USD) but that he had no plans to use the ticket, as he lives outside of Budapest and does not use the city’s transportation system. More bugs were later discovered, including an administration screen with a password set to “adminadmin,” TechCrunch reports.

The individual who reported the vulnerability was arrested for “hacking” the online payment system and was later released. The move sparked heavy criticism from the tech communities both in Hungary and internationally. Following the incident, T-Systems Hungary CEO Zoltán Kaszás said the company would introduce a “bug bounty” program to reward security researchers for reporting security vulnerabilities to the company.

It is critical that companies offer ways for researchers and users to report security vulnerabilities. The Corporate Accountability Index evaluates if companies clearly disclose a mechanism allowing researchers to submit vulnerabilities they discover, and if companies commit not to pursue legal action against researchers for doing so. Of the 22 companies evaluated in the 2017 Index, just 12 disclosed a bug bounty program. Of these, Facebook was the only company to explicitly state it would not pursue legal action against researchers who report vulnerabilities.
