Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Russia starts blocking Telegram

Collage by RuNet Echo [CC BY 2.0]

Russian ISPs this week started blocking encrypted messaging app Telegram, after the messaging service refused to comply with court demands to hand over encryption keys to Russian authorities.

In March 2018, a court ruled in favor of the Russian telecommunication industry regulator, Roskomnadzor, and gave Telegram two weeks to give Russian Federal Security Service (FSB) access to users’ encrypted messages or risk being blocked in the country. Telegram explained that it was “technically unable” to comply with this demand and appealed the ruling. But on April 13 a court in Moscow upheld the earlier decision, and this week Roskomnadzor ordered telecom service providers to restrict access to the service.

Users in Russia have resorted to using Virtual Private Networks (VPNs) and proxy servers to access the service, while Telegram moved some of its infrastructure to third-party cloud services, making it harder for authorities to block the service, TechCrunch reported.

As a result, Russian ISPs blocked millions of IP addresses including addresses belonging to Amazon Web Services and Google Cloud. The massive censorship affected other websites and services, including messaging app Viber, radio station Govorit Moskva, Microsoft’s gaming service Xbox and note-taking app Evernote.

The regulator also sent requests to Apple and Google asking them to remove Telegram messenger from their app stores for users inside Russia. In response, Russian internet freedom activists launched a petition calling on Apple and Google to reject the regulator’s requests. The petition also called on Content Delivery Networks (CDNs) and cloud providers “to resist RosKomNadzor requests to constrain access to Telegram (and other) back ends which provide essential functionality supporting freedom of access to information and communication.”

Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.


Facebook still in the spotlight over Cambridge Analytica scandal

This week, Facebook’s CEO Mark Zuckerberg testified before two congressional committees over his company’s handling of user data. Zuckerberg agreed to appear before lawmakers to answer questions about revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica.

Facebook CEO Mark Zuckerberg testifying before the Senate Judiciary & Commerce Committees. Screenshot from the C-Span Video Library.

In 2014, a researcher at the University of Cambridge developed a personality quiz app that enabled him to collect data from the quiz’s respondents and those in their friend networks without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted is believed to be 87 million. Although most were in the U.S., users in nine other countries, including the Philippines, Indonesia, the UK and Mexico, were also affected.

At a joint hearing of the Commerce and Judiciary Committees, Zuckerberg said that data of the 87 million users affected was also sold to other firms. Senator Kamala Harris pressed Zuckerberg on why the platform did not keep its users informed when it first found that the researcher sold the data to Cambridge Analytica back in December 2015. “We clearly view it as a mistake that we didn’t inform people. We thought the case was closed and the data was deleted,” Zuckerberg said. He also “reject[ed] any suggestion” that Facebook violated a 2011 consent decree with the Federal Trade Commission (FTC) barring it from sharing users’ data without their consent. Facebook could face heavy fines if an investigation launched by the FTC determines that it violated the decree.

When asked at Wednesday’s hearing whether the company would consider changing the platform’s privacy settings “to minimize, to the greatest extent possible, the collection and use of users’ data,” Zuckerberg responded that “this is a complex issue that deserves more than a one-word answer.”

The company is also facing lawsuits for failing to protect user data. On April 9, a law firm filed a lawsuit with the US District Court for the Northern District of California in San Jose accusing the company of “unjust enrichment and violation of privacy and consumer-protection laws.” In another lawsuit, a Facebook user is suing the company and Cambridge Analytica. According to that lawsuit, while Cambridge Analytica “improperly” collected user data “without authorization,” Facebook knew this improper data aggregation was occurring and failed to stop it.

In the meantime, the company suspended Canadian data firm AggregateIQ over reports that it is affiliated with Cambridge Analytica and may have “improperly received user data,” a Facebook spokesperson said. Another data analytics firm, CubeYou, was suspended for sharing user information collected through what it said were quizzes “for non-profit academic research” with marketers.

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Results of the 2017 Index showed that Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.


Facebook CEO to testify before U.S. Congress

Facebook CEO Mark Zuckerberg will testify before two U.S. congressional panels next week over revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica. In 2014, a researcher at the University of Cambridge developed a personality quiz app that collected data from 270,000 users.

Mark Zuckerberg at the 2016 Mobile World Congress. Photo by Alessio Jacona (CC BY-SA 2.0) via Flickr.

The app also enabled the researcher to collect data about those in the friend networks of the quiz respondents without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted was first believed to be about 50 million. However, on April 4, Facebook revealed that data of 87 million users “may have been improperly shared with Cambridge Analytica.” Although most were in the U.S., users in nine other countries, including the Philippines, Indonesia, the UK and Mexico, were also affected.

Zuckerberg will first appear before a joint hearing by the Senate Judiciary and Commerce committees on April 10. The following day he will appear before the House Energy and Commerce Committee. The hearing “will explore approaches to privacy that satisfy consumer expectations while encouraging innovation,” Senator Chuck Grassley, the chairman of the Judiciary Committee, said in a statement. The House Energy and Commerce Committee hearing “will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” Representatives Greg Walden and Frank Pallone from the energy committee said.

Since the revelations were first made a few weeks ago, Facebook has been facing scrutiny over its handling of user information. The U.S. Federal Trade Commission (FTC) is already investigating whether the company violated a 2011 settlement barring it from sharing users’ data without their consent.

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.

Messaging application Telegram faces bans in both Iran and Russia

The Iranian government has announced that it will permanently block Telegram by April 20 after it releases its own messaging app. The chairman of the Iranian parliament’s national security commission cited “national security” as the reason for the ban. Telegram is popular in Iran, with 45 million users. Iranian authorities resorted to blocking and throttling access to the service in response to anti-government protests this winter. Government officials are also promoting the use of local applications to end what they describe as Telegram’s “monopoly” over instant messaging services in Iran. However, activists say that local alternatives, such as Soroush, are not secure.

In Russia, Telegram is also facing a ban after it rejected a demand to hand over encryption keys to Russia’s communications watchdog, Roskomnadzor. Last March, a Russian court gave Telegram two weeks to allow authorities to access its users’ encrypted messages or risk being blocked in the country. In a letter to Roskomnadzor, Telegram’s lawyer explained that the company is “technically unable” to comply with this demand.

Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.

Grindr to stop sharing user HIV status with other companies

LGBTQ dating app Grindr said that it will stop sharing information about the HIV status of its users with third-party companies. The announcement came after it was revealed that the company was sharing such sensitive information with two software vendors, Apptimize and Localytics. Grindr said that such data was shared with the two companies to “help [the company] improve the experience for [its] users.” However, Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News that “there was no reason for them to be storing that data with these analytics companies in the first place.”

In Norway, a consumer protection group filed a complaint against Grindr with the country’s data protection authority for breaching national and European data protection laws. In the complaint, the group argues that Grindr does not treat information about sexual orientation and health status, considered sensitive personal data in the EU, “with great care.” The company fails to “obtain a separate and clearly given consent” from users about the sharing of their sensitive data, and transmits such data unencrypted.

Internet, mobile, and telecommunications companies should be transparent about what user information they share, with which parties and for what purposes. Internet companies should also encrypt user communication and private content.

Important notice: We are launching a new mailing list on Monday April 9. If you are currently subscribed to receive blog post updates, and wish to continue receiving blog post updates from us, you will need to opt-in to the new mailing list here. If you have not previously subscribed to our updates, but want to start receiving them, you can also sign up here.

On Monday, April 9, Ranking Digital Rights will launch a new mailing list so people can more easily sign up for updates, news, and blog posts.

If you are currently subscribed to receive blog post updates and wish to continue receiving updates from us, you will need to opt-in to the new mailing list here.

If you have not previously subscribed to our updates, but want to start receiving them, you can also sign up now here.

Our new mailing list is hosted by Mailchimp. After April 9, those who have not subscribed to our new mailing list will no longer receive email updates from RDR. You will also be able to sign up for the mailing list directly on our homepage beginning April 9.

Ranking Digital Rights is updating our privacy policy, which applies to visitors to our website and to subscribers to our mailing list. The new policy will come into effect on April 9, 2018.

The revised privacy policy contains key updates about changes to our mailing service provider, which specifically affect subscribers to our mailing list and blog. As of April 9, RDR will transition to Mailchimp as the service we will use to send blog post updates, announcements, and other communications to subscribers. Mailchimp’s privacy policy can be found here.

The revised privacy policy also includes updated information about the service we use for website analytics, formerly called Piwik. It has been renamed Matomo. We are updating our Privacy Policy to reflect this name change, but we are still using the same version of Piwik (Piwik 3.2.1) and none of our policies or settings have changed. We are considering updating to the next version of Matomo, and will update the Privacy Policy accordingly if and when we do so.

You can read the full version of our updated Privacy Policy here. The current version of our privacy policy will be available as an archived version after the new policy is published on April 9.