Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.
Russia starts blocking Telegram
Russian ISPs this week started blocking encrypted messaging app Telegram, after the messaging service refused to comply with court demands to hand over encryption keys to Russian authorities.In March 2018, a court ruled in favor of the Russian telecommunication industry regulator, Roskomnadzor, and gave Telegram two weeks to give Russian Federal Security Service (FSB) access to users’ encrypted messages or risk being blocked in the country. Telegram explained that it was “technically unable” to comply with this demand and appealed the ruling. But on April 13 a court in Moscow upheld the earlier decision, and this week Roskomnadzor ordered telecom service providers to restrict access to the service.
Users in Russia have resorted to using Virtual Private Networks (VPNs) and proxy servers to access the service. While Telegram moved some of its infrastructure to third-party cloud services, making it harder for authorities to block the service, TechCrunch reported.
As a result, Russian ISPs blocked millions of IP addresses including addresses belonging to Amazon Web Services and Google Cloud. The massive censorship affected other websites and services, including messaging app Viber, radio station Govorit Moskva, Microsoft’s gaming service Xbox and note-taking app Evernote.
The regulator also sent requests to Apple and Google asking them to remove Telegram messenger from their app stores for users inside Russia. In response, Russian internet freedom activists launched a petition calling on Apple and Google to reject the regulator’s requests. The petition also called on Content Delivery Networks (CDNs) and cloud providers “to resist RosKomNadzor requests to constrain access to Telegram (and other) back ends which provide essential functionality supporting freedom of access to information and communication.”
Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.
Egypt to punish ISPs not complying with censorship orders
Egypt is introducing new measures against ISPs that refuse to comply with the government’s censorship orders. A parliamentary commission recently approved a provision in a controversial anti-cybercrime bill that punishes ISPs not complying with court orders to block websites that represent a ‘threat to Egypt’s national security,’ with a fine and a one-year jail term against their employees.
The cybercrime bill is the Egyptian government’s latest attempt to restrict freedom of expression and crackdown on online criticism. Rights groups have so far documented the blocking of more than 500 websites since May 2017, including websites of media outlets such as MadaMasr, Aljazeera, and the Arabic-language edition of the Huffington Post, and of human rights organizations like Reporters Without Borders and the Arabic Network for Human Rights Information.
Internet, mobile, and telecommunications companies should be transparent about how they handle government requests for content restrictions, and publish data about the number of requests received, the number they complied with, and the types of subject matter associated with these requests. Most companies evaluated in the 2017 Corporate Accountability Index lacked transparency about how they handle government requests to restrict content or accounts, and did not disclose sufficient data about the number of requests they received or complied with, or which authorities made these requests.
Companies should also notify users when they restrict content. Services that host user-generated content should notify those who posted the content, and users trying to access it. The notification should include a clear reason for the restriction. The 2017 Index found that companies do not disclose sufficient data about their user notification policies when they restrict content or accounts.
U.S. Supreme Court drops Microsoft email privacy case
The U.S. Supreme Court dropped a 2013 case brought by the Department of Justice to force Microsoft to hand over content of emails stored in a data center in Ireland. The department sought the information under the 1986 Stored Communications Act. Microsoft challenged the case, arguing that the content of the emails, are protected by Irish and EU privacy laws since they are stored in Ireland.
However, on Tuesday, the U.S. Supreme Court dropped the case following the Congress’s adoption of the Cloud Act, which clarified that warrants issued under the Stored Communications Act apply to data stored overseas, while allowing companies to challenge such warrants when they violate the privacy laws of the country where the data is stored.
Companies should disclose information about their process for responding to government requests for user data, including their processes for responding to non-judicial government requests and court orders, and the legal basis under which they comply with requests. In addition, companies should publicly commit to push back on inappropriate or overbroad government requests. Companies should also disclose and regularly publish data about these requests including, listing the number of requests received by country and number of accounts and pieces of content affected, and specifying the legal authorities making the requests.