Russia increases pressure on foreign companies, Thailand to require mobile phone biometric identity verification, and U.S. Department of Justice limits use of gag orders for user data requests

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Russia increases pressure on foreign companies to comply with data localization law

Russian authorities have increased pressure on foreign companies to comply with a data localization law. Russia’s telecommunications regulator has said it will investigate whether or not Facebook is complying with the law, which requires data operators processing personal data of Russian citizens to do so using servers within Russia. Authorities previously announced that Facebook will be blocked next year if the company does not comply with the law. Russian authorities said that Twitter planned to comply with the law by the middle of 2018, according to the Telegraph. Twitter declined to comment, the Telegraph reported.

Privacy advocates have raised concerns over mandatory data localization laws, particularly in countries such as Russia, where authorities may have direct access to communications data. The data localization law is one example of how authorities in Russia are increasing restrictions on online privacy. Messaging app Telegram was recently fined for refusing to turn over encryption keys which would have allowed authorities to decrypt and access the contents of user communications, and in August, Russian President Vladimir Putin signed a law prohibiting tools, including VPNs, that allow users to access banned websites, and another law requiring users of chat apps to verify their identities.

Thailand to require biometric identity verification for all mobile phone users

Thailand’s telecommunications regulator has announced that beginning in December, mobile phone users will have to register their SIM cards with biometric identifiers. Individuals will have to verify their identities with either a fingerprint or a face scan. According to officials, such a system was launched in southern Thailand earlier this year for national security reasons. The government has said that the national system is intended to combat fraudulent financial transactions.

As noted in the 2017 Index report, a growing number of governments have introduced mandatory registration of pre-paid SIM card users in recent years to assist with law enforcement or counterterrorism efforts. However, mandatory identification requirements can pose serious threats to users’ right to freedom of expression, especially in jurisdictions where governments can easily demand or otherwise gain access to user information held by companies. Biometric identification programs also pose significant risks to security and privacy. We therefore recommend that governments respect the right to anonymous online activity as central to freedom of expression, privacy and human rights, and that they refrain from requiring companies to document users’ identities.

U.S. Department of Justice issues new policy limiting use of gag orders for user data requests

The U.S. Department of Justice recently issued new binding guidance for prosecutors that limits routine use of gag orders when requesting that companies turn over user data. The guidance also largely bans indefinite gag orders, which prevent a company from ever telling a user that his or her data had been requested by authorities. The guidance was issued following a Microsoft lawsuit, which had been ongoing since 2016, in which the company said that over an 18-month period, 68% of requests for user data the company received from the U.S. government appeared to contain “indefinite demands for secrecy.” In a blog post, Microsoft welcomed the new guidance and renewed its call for Congress to amend the Electronic Communications Privacy Act (ECPA), which it referred to as “the law at the heart of this issue.”

As noted in our methodology, companies should notify users to the extent legally possible when their user information has been requested by governments and other third parties. Companies should also clearly disclose situations when they might not notify users, including a description of the types of government requests they are prohibited by law from disclosing to users, and commit to push back on inappropriate or overbroad government requests. In the 2017 Corporate Accountability Index, only seven out of 22 companies evaluated clearly disclosed any information about their policies for notifying users when their user information has been requested by governments and other third parties.
