Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.
Users can sue Yahoo for data breaches, a U.S. judge rules
A federal judge has ruled that a class action lawsuit against Yahoo over data breaches can move forward. The massive data breaches that occurred between 2013 and 2016 affected all of the company’s 3 billion users.
The plaintiffs in the class action suit argue that Yahoo’s handling of the breaches exposed their data to hackers who stole their identities and money. The company admitted that hackers were able to access its user database and steal user passwords. Yahoo is also accused of taking too long to address the data breaches even though the company’s security officials knew about them.
“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” U.S. District Judge Lucy Koh said.
Telecommunications companies, as well as internet and mobile ecosystem companies, should clearly disclose what steps they take to keep user data secure and how they respond to data breaches. The 2017 Corporate Accountability Index found that companies communicate less about what they are doing to protect users’ security than they do about what users should do to protect themselves. Companies disclosed more to users about how to defend themselves against cyber risks than about what steps they take to keep users’ information secure or about what they do to address security vulnerabilities once they are discovered.
None of the internet and mobile ecosystem companies evaluated in the 2017 Index disclosed information about their processes for responding to data breaches, including whether or not they commit to notify relevant authorities without undue delay and their process for notifying data subjects affected by the breach.
Operators in Sri Lanka ordered to block social media services
On March 7, Sri Lanka’s telecommunications regulator ordered telecommunication service providers to block access to Facebook, Viber, and WhatsApp for three days, in response to a recent wave of sectarian violence. Officials said that they had identified online posts inciting violence against Muslims, who represent nine percent of the population of the Buddhist-majority country.
In the district of Kandy, where acts of violence and vandalism occurred, internet access was completely shut down. Although access in Kandy has been restored, Facebook, WhatsApp and Viber were still blocked across the country as of March 14. Sri Lanka’s telecommunication minister said the block on Facebook and WhatsApp will be lifted after his government meets with representatives from the company. The Sri Lankan government says Facebook “does not have adequate resources to monitor posts in Sinhalese,” and accuses the company of being “slow” to address its concerns.
Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.
Sina Weibo silences feminist account on Women’s Day
On Women’s Day, the Chinese microblogging platform Sina Weibo suspended a feminist account for “irregularities.” The account, called Feminist Voices, had more than 180,000 followers prior to its suspension. On March 6, it launched a campaign against sexual harassment. The company told the account’s founding editor that it was suspended for publishing “sensitive content that was in violation of regulations.” Although it is unclear if the suspension was ordered by Chinese authorities, Weibo has so far refused to reactivate the account.
Companies should be transparent about their process for enforcing their rules by disclosing information about the types of content or activities they do not allow, and the processes they use to identify infringing content or accounts. Companies should also disclose and regularly publish data about the volume and nature of actions taken to restrict content or accounts that violate their rules. Research from the 2017 Index showed that most companies, including Facebook, do not publish such data. Of the 22 internet, mobile, and telecommunications companies evaluated in the 2017 Index, only three—Microsoft, Twitter, and Google—published any information at all on their terms of service enforcement.