19 Jul Ranking Digital Rights in Russia: Top telcos fail to respect users’ rights

Images remixed by Tetyana Lokot (CC BY 3.0)

These days, telecommunications companies in Russia are key players in the government’s increasingly sophisticated internet censorship and surveillance apparatus. Authorities have broad discretion to block a wide array of online content without a court order and without explanation. Telecom operators are obliged to monitor the government’s “blacklist” and to immediately block access to banned content. Tens of thousands of domains and web pages are blocked in Russia today as a result. On the surveillance side, telecom operators are obliged to cooperate with law enforcement authorities and install so-called SORM equipment that provides Russian Federal Security Service (FSB) with direct, real-time access to users’ communications.

Earlier this year, I worked with two Russian internet rights NGOs (Roscomsvoboda and Internet Protection Society) to evaluate public disclosures and practices of the four major Russian telecom operators (also known as the “Big Four”): MTS, Beeline, Tele2 and Megafon. Our goal was to assess how transparent these companies are about the policies and practices affecting their users’ digital rights.

We used the Ranking Digital Rights Corporate Accountability Index methodology as a starting point and tailored it to the Russian context. We selected certain indicators and elements from the Index methodology that in our view were most relevant for the scope of our analysis. Like the Index evaluation, our research was based exclusively on documents that the companies and their holding groups make publicly available. In addition, we conducted technical tests to evaluate how companies implement these policies in relation to content blocking.

Unfortunately, our findings were disappointing:

• None of the telecommunications operators informed users that their equipment is connected to the FSB terminal, which “mirrors” all the traffic transmitted to and from their users. 
• None of the operators published any information about government requests for user information. However, since authorities have direct access to communications data through SORM, Russian companies may not be aware of the frequency or scope of user information accessed by authorities. Still, there is no law preventing Russian telecommunications companies from disclosing their processes for responding to government demands for user data in the case that these requests are made. (This lack of transparency is very different from the practices of mobile operators in the U.S. and Europe—for example,  AT&T, Telia Company, Vodafone, and Telefónica—which regularly publish such information as part of their transparency reports. AT&T and Vodafone, for example, each disclose their process for responding to government requests as well as a commitment to carry out due diligence on each request before responding.) 
• Despite their central role in restricting access to online content, none of the four operators we evaluated publicly described how they restrict access to reported content, how users can appeal their actions, or how many websites have been blocked. With the exception of MTS, the companies disclosed very minimum information to their users about their reasons for blocking access to specific content. 
• Our technical tests demonstrated that excessive blocking, e.g. by IP address, is very rare. All four companies use some variation of “deep packet inspection” when blocking their users’ access to online content. 
• On a positive note, all four companies educate their users about cyberthreats and publish educational materials describing how users can protect themselves against these risks. 

Our assessment of the four major Russian mobile operators complements the Index evaluation of two Russian internet companies, Yandex and Mail.Ru, which found that these companies also disclose very little about policies related to users’ freedom of expression and privacy.

While Russian internet and telecommunications companies operate in a restrictive legal and political environment, these companies can still be more transparent about policies affecting their users’ human rights. As our research shows, the country’s four biggest telecommunications operators could disclose more about their policies for handling  government requests to restrict content and to hand over user data.

The full text of our study can be found here.

12 Jul Ugandan government to review social media tax, U.S. Congress probes Alphabet and Apple on privacy, Honduras pushes cybersecurity bill

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Uganda to review social media tax

The Ugandan government is reviewing its decision to impose taxes on the use of social media and on money transactions using mobile phones, in response to protests against the new measures.

#ThisTaxMustGo campaign photo in Uganda.

On July 1, the government started implementing a controversial law that imposes a 200 shilling [US$0.05] daily as a tax on people using internet messaging apps and social media platforms. Uganda’s president defended the law as a measure aimed at curtailing what he described as online gossip and to raise government revenues.

But domestic and international rights groups slammed the law for violating freedom of expression and network neutrality. In particular, the new measures will make it harder for Ugandans living in poverty to communicate and access information, and will widen the digital gender gap in the country.

On July 2, activists and legal advocates filed a court challenge against the law on the basis that it is unconstitutional and that it violates the principles of net neutrality and the open internet. However, it remains unclear when a court hearing will eventually be scheduled.

A free and open internet depends on the ability for all users to have equal access to content and services, which is not possible if ISPs block or delay certain types of content or apps. Telecommunications companies should therefore commit to not prioritize or block certain types of network traffic. As the 2018 Corporate Accountability Index research showed, most of the world’s leading telecommunications companies fall short of making such a public commitment. Of the ten telecommunications companies evaluated, Vodafone was the only company to clearly disclose that it does not prioritize, block, or delay certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability of the network.

(more…)

29 Jun The EU moves forward with new copyright rules, U.S. Supreme Court rules in favor of digital privacy, government blocks Tor in Venezuela

The EU moves forward with new copyright rules

European lawmakers are moving forward with new copyright rules despite warnings from digital rights advocates over measures they say could increase internet censorship and stifle freedom of expression. Last week, the EU’s Legal Affairs Committee (JURI) approved the Copyright Directive, which overhauls the EU’s copyright law and holds companies legally accountable for monitoring and enforcing the new rules. 

European Union Flags, Photo by user Thijs ter Haar via Flickr (CC BY 2.0)

Among the more controversial provisions is Article 13, which requires all content uploaded online in the EU to be checked for copyright infringement. According to the Electronic Frontier Foundation (EFF), Article 13 means that any website that allows users to post “text, sounds, code, still or moving images, or other copyrighted works for public consumption will have to filter all their users’ submissions against a database of copyrighted works.” The directive requires websites to use “appropriate” measures to prevent infringing content from appearing on their platforms, which critics say is not only vague but also excessively burdensome on companies, which are likely to err on the side of over-censoring content in order to avoid breaching the new copyright rules.

Internet and telecommunications companies should be transparent to their users about their policies and practices for filtering, removing, or otherwise blocking access to content, whether in compliance with national laws or for breaches to the company’s own rules. They should clearly disclose their processes for identifying content that breaches these rules and report the volume and nature of content removed. Results from the 2018 Corporate Accountability Index show that companies across the board fail to disclose sufficient information about these processes.

(more…)

14 Jun Vietnam passes strict new cybersecurity measures, net neutrality repeal takes effect, UK fines Yahoo over 2014 data breach

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Vietnam parliament approves restrictive cybersecurity measures

Parliament House in Hanoi. Photo by user Hieucd via Wikimedia Commons (CC BY-SA 4.0)

Lawmakers in Vietnam have passed a cybersecurity law limiting freedom of expression online and requiring tech companies to store data locally and to operate offices in the country.

Set to take effect on January 1, 2019 the law includes vague and broad provisions banning speech and posts deemed offensive to the ‘’nation, the national flag, the national anthem, great people, leaders, notable people and national heroes.’’ The law further prohibits the dissemination of ‘’incorrect information.’’ At the request of the Information and Communications Ministry or the Public Security Ministry, companies will have 24 hours to remove content in violation of the new law.

The law raises privacy concerns since it requires tech companies to store data on servers in Vietnam, making it easier for authorities to force companies to hand over user data.

Speaking to lawmakers before the vote, Vo Trong Viet, chairperson of the National Assembly’s Committee on Defense and Security defended the bill on security grounds. However, the bill’s adoption is part of a wider crackdown targeting government critics online, human rights activists, independent journalists and bloggers.

It remains unclear how tech companies will respond to these measures. In a brief statement the Asia Internet Coalition (AIC), an industry group that represents tech and internet companies in Asia including Facebook, Twitter, Google and Line, said that it was ‘’disappointed’ that the law was passed. ‘’The provisions for data localisation, controls on content that affect free speech, and local office requirements will undoubtedly hinder the nation’s 4th Industrial Revolution ambitions to achieve GDP and job growth,’’ according to the group’s statement.

Companies should conduct regular, comprehensive human rights risk assessments evaluating how laws affect freedom of expression and privacy in the jurisdictions in which they operate, and assess freedom of expression and privacy risks when entering new markets or launching new products. Companies should also seek ways to mitigate risks posed by those impacts. The 2018 Corporate Accountability Index found that while Facebook, Google, Microsoft and Oath disclose strong commitments to conduct human rights impact assessments, other major tech players lag behind. Both Apple and Samsung fail to disclose whether or not they regularly assess risks to freedom of expression associated with the laws of the jurisdictions where they operate or a new activity such as the launch of a new service or entry into a new market.

(more…)