Corporate Accountability News Highlights: Telegram faces challenges from Russian authorities, U.S. and EU publish first annual Privacy Shield review, and data breach exposes millions of South Africans’ personal information

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Telegram faces challenges from Russian authorities

The messaging app Telegram has been fined for refusing to give Russian authorities access to encrypted communications. A Moscow court fined Telegram 800,000 rubles (around 14,000 USD) after the company refused to turn over encryption keys allowing authorities to decrypt and access the contents of user communications. In June, Telegram agreed to register as an “information distributor” with Russian communications regulator Roskomnadzor, a requirement under Russian data laws. Telegram founder Pavel Durov said this was a formality and that the company would not share private user data with the government. Durov also said the company would appeal the court ruling.

This case highlights the crackdown on encrypted communications by many governments throughout the world—both through efforts to legislate “backdoors” and law enforcement efforts to break encryption. It is important that companies publicly commit to implement high encryption standards, and advocate and push back against government efforts to undermine encryption. This also highlights challenges that many companies face in dealing with government requests for access to user information. As noted in our 2017 Corporate Accountability Index recommendations, companies should also commit to push back against excessively broad or extra-legal requests, and should use every opportunity available to pressure governments to move away from mass surveillance and institute meaningful oversight over national security and law enforcement authorities.

Corporate Accountability News Highlights: German telecommunications regulator makes landmark net neutrality decision, Twitter suspension raises questions about rules enforcement, U.S. government revives encryption debate

German telecommunications regulator makes landmark net neutrality decision

In a key decision affecting net neutrality in Europe, Germany’s telecommunications regulator has said that Deutsche Telekom’s zero rating program can continue. Zero rating programs allow telecommunications companies to offer certain services for free without counting against a customer’s data cap. Net neutrality advocates say that zero rating undermines the principle of net neutrality, and in some countries, like India, zero rating has been ruled in violation of net neutrality laws. The EU’s net neutrality rules, adopted in 2015, do not prohibit zero rating, and its 2016 implementation guidelines left it largely up to regulators to determine if zero-rated services are permissible. According to ZDNet, Germany’s zero rating decision is the first from an EU regulator since the EU net neutrality rules were implemented, and may influence how other countries approach the issue.

Our Corporate Accountability Index indicator on network management evaluates companies on whether they clearly disclose that they do not prioritize, block, or delay certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability of the network. It considers zero rating as a type of traffic prioritization, and we look for companies to clearly disclose that they do not engage in such practices. If they do, we look for them to clearly disclose their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only one to receive full credit on this indicator, for clearly disclosing that it does not prioritize, block, or delay certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability of the network.

Corporate Accountability News Highlights: Google and Apple report increase in user data requests from U.S. government, new German law imposes steep fines on social media companies, EU-US data transfer case referred to EU high court

Google and Apple report jump in U.S. government requests for user data

Google and Apple both report a significant increase in U.S. government requests to hand over user information, according to the companies’ latest transparency reports covering a six-month period from January to June 2017. Apple reported an increase in U.S. government requests for user information, affecting 6,407 accounts, a 62 percent increase compared to the previous six-month period. Google reported that requests from U.S. government authorities for user data affected more than 33,000 accounts, a 23 percent increase. Both companies also reported an increase in government requests worldwide.

Internet and telecommunication companies often receive requests from governments to restrict content and to hand over user information. As noted in the Index, companies should publish information about their process for handling such requests, as well as the number of requests they receive and comply with. Companies should also disclose that they push back on overly broad requests so that the public can make informed decisions about potential freedom of expression and privacy risks associated with products and services they use. In the 2017 Corporate Accountability Index, although 15 of the 22 companies evaluated published some information on their processes for responding to government requests for user information, only 11 published any data about these requests.

Corporate Accountability News Highlights: Russia threatens Facebook over data localization, Spain orders companies to censor Catalan referendum content, U.S. and EU complete first annual Privacy Shield review

Russia threatens to block Facebook over data localization law

Russian authorities have announced that Facebook will be blocked next year if the company does not comply with a Russian data localization law. Under the law, which entered into force in 2015, data operators processing personal data of Russian citizens must do so using servers within Russia. In November 2016, Russia blocked LinkedIn for not complying with the data localization law. In January 2017, Russian authorities also ordered Apple and Google to remove the LinkedIn app from their app stores.

Privacy advocates have raised concerns over the impact of data localization requirements, particularly in Russia, where authorities have significant mass surveillance capabilities. This could also make it more difficult for companies operating in Russia to be transparent about government access to user data. As noted in our 2017 Corporate Accountability Index Russian company analysis, Russian authorities may have direct access to communications data through a program called SORM. It therefore may be impossible for companies to publish data on Russian authorities’ requests for user information, since they may not know themselves how often various agencies exercise their authority under SORM.

Corporate Accountability News Highlights: U.S. government drops Facebook gag order, research shows security risks in content filtering apps, Togo orders network shutdown

U.S. government withdraws Facebook gag order

The U.S. government has dropped its effort to prevent Facebook from notifying three users that their communications were being investigated. Facebook received search warrants for content from the users’ accounts, and the warrants were accompanied by gag orders preventing the company from notifying the users. Facebook contested the gag order, though its request was denied by the D.C. Superior Court. Facebook appealed the decision to the D.C. Court of Appeals. A hearing on the matter was scheduled for September 14, though it was cancelled on September 13 after prosecutors said the gag orders were no longer necessary, and withdrew their request.

This is one of several recent instances of U.S. internet and telecommunications companies pushing back against inappropriate or overly broad government requests. Web hosting provider Dreamhost is currently engaged in a legal battle with the U.S. Department of Justice over a demand for information about an anti-Trump website, although the DOJ has thus far dropped portions of its original overly broad warrant, including the demand for all IP addresses of visitors to the website. In April of this year, Twitter reported that the Trump administration had attempted to force the company to reveal the identity of an anonymous Twitter account critiquing the administration. Twitter pushed back against the request, which was ultimately withdrawn, saying it was unlawful and a violation of the First Amendment.

As noted in the Corporate Accountability Index methodology, companies should clearly disclose their processes for responding to third-party requests for user information. This disclosure should include a commitment to carry out due diligence on government requests before deciding how to respond, as well as a commitment to push back on inappropriate or overbroad government requests. Of the seven U.S. companies evaluated in the 2017 Corporate Accountability Index—Apple, AT&T, Facebook, Google, Microsoft, Twitter, and Yahoo—all seven committed to carry out due diligence on government requests for user information and to push back on inappropriate or overbroad requests.