Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.
U.S. government withdraws Facebook gag order
D.C. Court of Appeals (Photo by Mr.TinDC, Licensed CC BY-ND 2.0)
The U.S. government has dropped its effort prevent Facebook from notifying three users that their communications were being investigated. Facebook received search warrants for content from the users’ accounts and the warrants were accompanied with gag orders preventing the company from notifying the users. Facebook contested the gag order, though its request was denied by the D.C. Superior Court. Facebook appealed the decision to the D.C. Court of Appeals. A hearing on the matter was scheduled for September 14, though it was cancelled on September 13 after prosecutors said the gag orders were no longer necessary, and withdrew their request.
This is one of several recent instances of U.S. internet and telecommunications companies pushing back against inappropriate or overly broad government requests. Web hosting provider Dreamhost is currently engaged in a legal battle with the U.S. Department of Justice over a demand for information an anti-Trump website, although the DOJ has thus far dropped portions of its original overly broad warrant, including the demand for all IP addresses of visitors to the website. In April of this year, Twitter reported that the Trump administration had attempted to force the company to reveal the identity of an anonymous Twitter account critiquing the administration. Twitter pushed back against the request, which was ultimately withdrawn, saying it was unlawful and a violation of the First Amendment.
As noted in the Corporate Accountability Index methodology, companies should clearly disclose their processes for responding to third-party requests for user information. This disclosure should include a commitment to carry out due diligence on government requests before deciding how to respond, as well as a commitment to push back on inappropriate or overbroad government requests. Of the seven U.S. companies evaluated in the 2017 Corporate Accountability Index—Apple, AT&T, Facebook, Google, Microsoft, Twitter, and Yahoo— all seven committed to carry out due diligence on government requests for user information and to push back on inappropriate or overbroad requests.
New research shows security risks of South Korean content filtering apps
New research from Citizen Lab, Cure53, and OpenNet Korea has identified privacy and security risks in two South Korean content-filtering apps. Under South Korean law, content-filtering tools are mandatory on mobile phones used by minors.
The researchers identified security risks in Cyber Security Zone, a content-filtering app developed by the Korean Mobile Internet Business Association (MOIBA), a mobile phone industry consortium. MOIBA also developed Smart Sheriff, an app that previous Citizen Lab research identified had numerous security vulnerabilities, many of which remained in a follow-up audit, despite researchers’ communicating the vulnerabilities to MOIBA prior to publication. MOIBA later removed Smart Sheriff from the market, but as the most recent report finds, Cyber Security Zone is a “rebranded” version of Smart Sheriff. The researchers state, “The rebranding of the app and the failure to correct vulnerabilities known to MOIBA since 2015, means that users are being misled and are at continued risk of privacy and security violations.”
The report also found that the app Smart Dream allows parents to monitor their children’s online search history and SMS and chat messages for certain keywords—going beyond the legal requirements for content filtering apps, as well as creating new security and privacy risks because of how it transmits flagged messages. The researchers shared these vulnerabilities with MOIBA prior to publication and while they found the majority have been addressed in subsequent versions of the app, they note, “the overall implementation of the app still does not follow best security practices.”
As noted in our Corporate Accountability Index methodology, companies should conduct impact assessments to identify how all aspects of their business affect freedom of expression and privacy and to mitigate any risks posed by those impacts. The company should regularly conduct these impact assessments for its existing products and services, as well as for new activities such as launching a new service or entering a new market. Companies should also address security vulnerabilities when they are discovered, clearly disclosing a mechanism through which security researchers can submit vulnerabilities they discover, as well as disclosing the timeframe in which they will review these reports.
Togo orders network shutdown during anti-government protests
The government of Togo cut off internet and SMS service during recent anti-government protests. According to Global Voices, on September 5, internet users in Togo began reporting slow mobile internet connections and that they could not access social media sites like Facebook. On September 7, network monitoring company Dyn confirmed that internet service had been cut throughout the country. SMS service and mobile money payments were also blocked, according to reports received by Global Voices. The total blackout was in effect for six days.
Network shutdowns are a growing threat to human rights around the world. Earlier this year, Cameroon’s government shut down the internet in Anglophone regions of the country for 93 days, and according to our partners at Access Now, the number of network shutdowns is “dramatically increasing” compared to in 2016. These shutdowns also disrupt local businesses and education, and can place people in physical danger, without access to emergency services, according to Access Now’s Shutdown Stories project. As noted in the 2017 Index, governments should commit to protect human rights principles and refrain from ordering network shutdowns. Companies should also should clearly disclose their network shutdown policies, and have a responsibility to disclose what actions they are taking under whose authority so that those responsible can appropriately be held accountable.
