Top internet, mobile, and telecommunications companies failed to disclose key policies and practices affecting users’ freedom of expression and privacy, according to results of the 2018 Corporate Accountability Index, which Ranking Digital Rights released today.

Tune in here at 9:30am ET (13:30 UTC) to watch the 2018 Index global launch event at Columbia University in New York City. You can also join the conversation on Twitter by following @rankingrights and by using the hashtag #rankingrights.

The 2018 Index evaluated 22 companies whose products and services are collectively used by over half of the world’s 4.2 billion internet users. Results showed that while some companies have improved disclosures in the past year, most internet users are still being left in the dark about how their personal information is accessed and used, and how online speech is managed and policed.

“Companies have not been clear enough about how their products, services, business operations and business models might either cause harm, or be used to violate internet users’ rights,” said Rebecca MacKinnon, director of Ranking Digital Rights. “People do not have enough information to make informed choices as consumers or as citizens, exposing them to undisclosed risks.”

Findings from the 2018 Index include:

  • Facebook disclosed less about how it handles user data than most of its U.S. peers. It also disclosed less information about options for users to control what is collected about them, and how it is used, than any other company in the Index, including two Chinese companies and two Russian companies.
     
  • Most companies withhold basic information about measures they take to safeguard users’ data from breach or theft, preventing users from knowing the risks they may face when using a particular platform or service.
     
  • All of the companies evaluated disclosed too little about how they handle users’ information. In addition to Facebook, companies including Google, Twitter, Apple, Samsung, AT&T, Vodafone, Telefónica, and Orange disclosed too little about how user information is shared for targeted advertising. This opacity makes it easier for digital platforms and services to be abused and manipulated by a range of state and non-state actors who seek to attack individuals as well as institutions and communities.
     
  • Companies do not adequately inform the public about how they police content on their platforms and services. In light of revelations that the world’s most powerful social media platforms have been used to spread disinformation and manipulate political outcomes in a range of countries, companies’ efforts to police and manage content lack accountability without greater transparency.
     
  • Too few companies make users’ rights a central priority for corporate oversight and risk assessment. Companies do not have adequate processes to identify and mitigate the full range of potential harms to users that may be caused not only by government censorship or surveillance, and by malicious non-state actors, but also by practices related to their own business models.

Companies were assessed on 35 indicators in three categories: Governance, Freedom of Expression, and Privacy. The 2018 Index applied the same methodology as the 2017 Index, which enabled us to produce comparative analyses of each company’s performance and to track overall trends.

The 2018 Index also includes recommendations for governments, questions for investors, and recommendations for companies.

To view and download the complete report, including interactive data and analysis, company report cards, methodology, raw data files, and other resources for download, visit rankingdigitalrights.org/index2018. The 2018 Index website and data visualization were developed in partnership with the SHARE Foundation, a digital rights NGO.

For those who want to help promote the Index and our findings, please see our social media toolkit, which contains downloadable report graphics and sample social media posts.

The full report from Internet Without Borders is available in English and in French.

Subsidiaries of Orange in Senegal and Vodafone in Kenya disclose less information about policies affecting their users’ digital rights than their European counterparts, according to research by advocacy group Internet Without Borders. The report evaluated policies from Sonatel (Orange in Senegal) and Safaricom (Vodafone in Kenya) affecting users’ freedom of expression and privacy. The research was conducted using a methodology adapted from the Ranking Digital Rights Corporate Accountability Index.

These two companies seem to face serious challenges in disclosing precise and clear information about how they uphold their users’ freedom of expression and privacy. In fact, the study shows that Orange Senegal did not publish its terms of service or a privacy policy, while Safaricom’s terms of service were vague and used complicated legal language, making them not easily accessible to users.

In response to the report, Sonatel (Orange Senegal) said in a statement, “The report tends to project European habits onto an African context without thinking about whether this is accurate.” However, this shows the need for better protections in sub-Saharan Africa for freedom of expression and privacy, which are universal human rights norms.

The Ranking Digital Rights Corporate Accountability Index uses benchmarks that help companies identify areas in which to improve disclosures and practices affecting freedom of expression and privacy. At Internet Without Borders, we hope that our research will inspire companies evaluated, and other telcos in sub-Saharan Africa, to re-assess their policies affecting privacy and freedom of expression. Moreover, we hope that telcos will play their part in leading the transformation of local legal environments in fostering better protection of digital rights in Africa. The initiative by Orange in Côte d’Ivoire to organize a masterclass on privacy in the digital age, following the publication of our report, is a great initiative which should be emulated elsewhere.

This blog post was written by Julie Owono, Executive Director of Internet Without Borders, a Ranking Digital Rights partner organization.

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Russia starts blocking Telegram

Collage by RuNet Echo [CC BY 2.0]

Russian ISPs this week started blocking encrypted messaging app Telegram, after the messaging service refused to comply with court demands to hand over encryption keys to Russian authorities.

In March 2018, a court ruled in favor of the Russian telecommunication industry regulator, Roskomnadzor, and gave Telegram two weeks to give Russian Federal Security Service (FSB) access to users’ encrypted messages or risk being blocked in the country. Telegram explained that it was “technically unable” to comply with this demand and appealed the ruling. But on April 13 a court in Moscow upheld the earlier decision, and this week Roskomnadzor ordered telecom service providers to restrict access to the service.

Users in Russia have resorted to using Virtual Private Networks (VPNs) and proxy servers to access the service. Telegram, meanwhile, moved some of its infrastructure to third-party cloud services, making it harder for authorities to block the service, TechCrunch reported.

As a result, Russian ISPs blocked millions of IP addresses including addresses belonging to Amazon Web Services and Google Cloud. The massive censorship affected other websites and services, including messaging app Viber, radio station Govorit Moskva, Microsoft’s gaming service Xbox and note-taking app Evernote.

The regulator also sent requests to Apple and Google asking them to remove Telegram messenger from their app stores for users inside Russia. In response, Russian internet freedom activists launched a petition calling on Apple and Google to reject the regulator’s requests. The petition also called on Content Delivery Networks (CDNs) and cloud providers “to resist RosKomNadzor requests to constrain access to Telegram (and other) back ends which provide essential functionality supporting freedom of access to information and communication.”

Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Facebook still in the spotlight over Cambridge Analytica scandal

This week, Facebook’s CEO Mark Zuckerberg testified before two congressional committees over his company’s handling of user data. Zuckerberg agreed to appear before lawmakers to answer questions about revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica.

Facebook CEO Mark Zuckerberg testifying before the Senate Judiciary & Commerce Committees. Screenshot from the C-Span Video Library.

In 2014, a researcher at the University of Cambridge developed a personality quiz app that enabled him to collect data from the quiz’s respondents and those in their friend networks without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted is believed to be 87 million users. Although mostly in the U.S., users in nine other countries including the Philippines, Indonesia, the UK and Mexico were affected.

At a joint hearing of the Commerce and Judiciary Committees, Zuckerberg said that data of the 87 million users affected was also sold to other firms. Senator Kamala Harris pressed Zuckerberg on why the platform did not keep its users informed when it first found that the researcher sold the data to Cambridge Analytica back in December 2015. “We clearly view it as a mistake that we didn’t inform people. We thought the case was closed and the data was deleted,” Zuckerberg said. He also “reject[ed] any suggestion” that Facebook violated a 2011 consent decree with the Federal Trade Commission (FTC) barring it from sharing users’ data without their consent. Facebook could face heavy fines if an investigation launched by the FTC determines that it violated the decree.

When asked at Wednesday’s hearing whether the company would consider changing the platform’s privacy settings “to minimize, to the greatest extent possible, the collection and use of users’ data,” Zuckerberg responded that “this is a complex issue that deserves more than a one-word answer.”

The company is also facing lawsuits for failing to protect user data. On April 9, a law firm filed a lawsuit with the US District Court for the Northern District of California in San Jose accusing the company of “unjust enrichment and violation of privacy and consumer-protection laws.” In another lawsuit, a Facebook user is suing the company and Cambridge Analytica. According to that lawsuit, while Cambridge Analytica “improperly” collected user data “without authorization,” Facebook “knew this improper data aggregation was occurring and failed to stop it.”

In the meantime, the company suspended Canadian data firm AggregateIQ over reports that it is affiliated with Cambridge Analytica and may have “improperly received user data,” a Facebook spokesperson said. Another data analytics firm, CubeYou, was suspended for sharing with marketers user information collected through what it said were quizzes “for non-profit academic research.”

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Results of the 2017 Index showed that Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Facebook CEO to testify before U.S. Congress

Facebook CEO Mark Zuckerberg will testify before two U.S. congressional panels next week over revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica. In 2014, a researcher at the University of Cambridge developed a personality quiz app that collected data from 270,000 users.

Mark Zuckerberg at the 2016 Mobile World Congress. Photo by Alessio Jacona (CC BY-SA 2.0) via Flickr.

The app also enabled the researcher to collect data about those in the friend networks of the quiz respondents without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted was first believed to be about 50 million. However, on April 4, Facebook revealed that data of 87 million users “may have been improperly shared with Cambridge Analytica.” Although mostly in the U.S., users in nine other countries including the Philippines, Indonesia, the UK and Mexico were affected.

Zuckerberg will first appear before a joint hearing by the Senate Judiciary and Commerce committees on April 10. The following day he will appear before the House Energy and Commerce Committee. The hearing “will explore approaches to privacy that satisfy consumer expectations while encouraging innovation,” Senator Chuck Grassley, the chairman of the Judiciary Committee said in a statement. The House Energy and Commerce Committee hearing “will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” representatives Greg Walden and Frank Pallone from the energy committee said.

Since the revelations were first made a few weeks ago, Facebook has been facing scrutiny over its handling of user information. The U.S. Federal Trade Commission (FTC) is already investigating whether the company violated a 2011 settlement barring it from sharing users’ data without their consent.

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.

Messaging application Telegram faces bans in both Iran and Russia

The Iranian government has announced that it will permanently block Telegram by April 20 after it releases its own messaging app. The chairman for the Iranian parliament’s national security commission cited “national security” as the reason for the ban. Telegram is popular in Iran with 45 million users. Iranian authorities resorted to blocking and throttling access to the service in response to anti-government protests this winter. Government officials are also promoting the use of local applications to end what they describe as Telegram’s “monopoly” over instant messaging services in Iran. However, activists say that local alternatives, such as Soroush, are not secure.

In Russia, Telegram is also facing a ban after it rejected a demand to hand over encryption keys to Russia’s communications watchdog, Roskomnadzor. Last March, a Russian court gave Telegram two weeks to allow authorities to access its users’ encrypted messages or risk being blocked in the country. In a letter to Roskomnadzor, Telegram’s lawyer explained that the company is “technically unable” to comply with this demand.

Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.

Grindr to stop sharing user HIV status with other companies

LGBTQ dating app Grindr said that it will stop sharing information about the HIV status of its users with third-party companies. The announcement came after it was revealed that the company was sharing such sensitive information with two software vendors, Apptimize and Localytics. Grindr said that such data was shared with the two companies, to “help [the company] improve the experience for [its] users.” However, Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News that “there was no reason for them to be storing that data with these analytics companies in the first place.”

In Norway, a consumer protection group filed a complaint against Grindr with the country’s data protection authority, alleging breaches of national and European data protection laws. In the complaint, the group argues that Grindr does not treat information about sexual orientation and health status, considered sensitive personal data in the EU, “with great care.” According to the complaint, the company fails to “obtain a separate and clearly given consent” from users about the sharing of their sensitive data, and transmits such data unencrypted.

Internet, mobile, and telecommunications companies should be transparent about what user information they share, with which parties and for what purposes. Internet companies should also encrypt user communication and private content.
