U.S. net neutrality repeal moves forward, internet companies remove extremist content, and Uber pays hacker to hide 2016 data breach

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. proceeds with rollback of net neutrality protections

2014 net neutrality protest at the White House. Photo Joseph Gruber (CC BY-NC-ND 2.0)

U.S. regulators are moving forward with plans to undo current net neutrality protections despite strong public opposition. On December 14, the Federal Communications Committee (FCC) plans to vote to repeal the rules adopted in 2015, which provide strong net neutrality protections that prevent ISPs from blocking, throttling, or offering paid prioritization for certain types of content. Several major internet companies, including Google, Facebook, Netflix, and Reddit, have spoken out in support of keeping the existing net neutrality protections, and a coalition of NGOs and activists has organized over 700 protests in all 50 states this week to oppose the FCC’s plan. Verizon, however, has asked the FCC to preempt any state laws regulating net neutrality, in the event that individual states pass their own net neutrality rules, and Comcast deleted a net neutrality pledge from its website the same day the rules repeal was announced, according to Ars Technica. The FCC has been criticized for ignoring strong public support for net neutrality, and for proceeding with its plan despite evidence that many of the public comments submitted about the repeal were spam or used stolen identities.

Telecommunications companies should not prioritize or block certain types of network traffic, and should publicly disclose a commitment to not prioritize or block traffic. A free and open internet depends on the ability for all users to have equal access to content and services, which is not possible if ISPs block or delay certain types of content or apps. However, it is often unclear whether companies use these types of network management practices, which is why strong net neutrality protections can help ensure that users have equal access to internet content. As 2017 Corporate Accountability Index research shows, most of the world’s leading telecommunications companies fall short of making such a public commitment. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only one to clearly disclose that it does not prioritize, block, or delay certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability of the network.

Internet companies remove troves of extremist content

Top internet companies say they have removed thousands of videos and images containing extremist content from their platforms as part of a joint effort to combat terrorism. The Global Internet Forum to Counter Terrorism (GIFCT)—which includes Facebook, Google, Microsoft, Oath (formerly Yahoo), and Twitter—was formed in June 2017, following increasing government pressure for internet platforms to remove more extremist content from their services. The group reported this week that a shared private database used to identify extremist content across their services now contains over 40,000 videos and images. Civil society groups warn that using such a database could pose a threat to freedom of expression online due to the potential for cross-platform censorship, or for enabling governments and private third parties to exploit such a system to censor content. It is unclear from the GIFCT’s update how images and videos are submitted to the database, including whether or not governments can submit content to be removed.

While the recent information offers some insight about the amount of content removed as part of this program, internet companies in general need to be more transparent about their policies and practices for removing content. Companies should clearly disclose what content is prohibited, what methods they use to identify content that violates these rules, and if they give governments or private parties priority flagging status. For instance, companies might have staff to review content, use automated systems, or rely on community flagging programs. We expect companies to clearly disclose if they give priority or expedited consideration to any government authorities, law enforcement, or private organizations when they report content or users for violating the company’s rules. Findings from the 2017 Corporate Accountability Index show that companies across the board lacked disclosure of their policies and practices for removing content at the request of governments and private parties—and are even less transparent about content removed for terms of service violations. No company evaluated disclosed if they give governments or private parties priority flagging status. Only three companies—Google, Microsoft, and Twitter—published any data about the volume and nature of content or accounts removed for violating the company’s terms of service.

Uber paid hacker to hide 2016 data breach

Reuters reports that Uber paid a hacker to hide a data breach that exposed the personal data of 57 million users. The company paid the hacker $100,000 to keep the breach a secret, disguising the payment as a bug bounty award, according to the report. The breach, which occurred in October 2016, included users’ names, addresses, and in some cases, driver’s license information. Uber first publicly acknowledged the breach in November 2017. At the time of the breach, the company did not notify users who were affected. In its November 2017 blog post, the company says it will notify regulators as well as drivers whose driver’s license numbers were impacted, but does not indicate if it will notify all affected users. The company could face a number of lawsuits over its failure to notify regulators of the 2016 breach, according to Recode, which reports that most U.S. states have some version of a law requiring companies to notify consumers in cases of data breaches.

Beyond complying with regulations, companies should have clear data breach response policies in place in order to build trust with their users. They should clearly communicate their processes for securing users’ information and identifying security vulnerabilities, and what steps they take when data breaches occur. Processes should include notifying the relevant authorities and users who might be affected, and clearly disclosing what kinds of steps they will take to address the impact of the breach on users. Of the 22 internet, mobile, and telecommunications companies evaluated in the 2017 Index, only three companies—AT&T, Telefónica, and Vodafone—disclosed any information about their processes for responding to data breaches. However, Telefónica was the only company to fully disclose its process for notifying users who might be affected by a data breach.
