Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Facebook still in the spotlight over Cambridge Analytica scandal

This week, Facebook’s CEO Mark Zuckerberg testified before two congressional committees over his company’s handling of user data. Zuckerberg agreed to appear before lawmakers to answer questions about revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica.

Facebook CEO Mark Zuckerberg testifying before the Senate Judiciary & Commerce Committees. Screenshot from the C-Span Video Library.

In 2014, a researcher at the University of Cambridge developed a personality quiz app that enabled him to collect data from the quiz’s respondents and those in their friend networks without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted is believed to be 87 million. Although mostly in the U.S., users in nine other countries including the Philippines, Indonesia, the UK and Mexico were affected.

At a joint hearing of the Commerce and Judiciary Committees, Zuckerberg said that data of the 87 million users affected was also sold to other firms. Senator Kamala Harris pressed Zuckerberg on why the platform did not keep its users informed when it first found that the researcher sold the data to Cambridge Analytica back in December 2015. “We clearly view it as a mistake that we didn’t inform people. We thought the case was closed and the data was deleted,” Zuckerberg said. He also “reject[ed] any suggestion” that Facebook violated a 2011 consent decree with the Federal Trade Commission (FTC) barring it from sharing users’ data without their consent. Facebook could face heavy fines if an investigation launched by the FTC determines that it violated the decree.

When asked at Wednesday’s hearing whether the company would consider changing the platform’s privacy settings “to minimize, to the greatest extent possible, the collection and use of users’ data,” Zuckerberg responded that “this is a complex issue that deserves more than a one-word answer.”

The company is also facing lawsuits for failing to protect user data. On April 9, a law firm filed a lawsuit with the US District Court for the Northern District of California in San Jose accusing the company of “unjust enrichment and violation of privacy and consumer-protection laws.” In another lawsuit, a Facebook user is suing the company and Cambridge Analytica. According to that lawsuit, while Cambridge Analytica “improperly” collected user data “without authorization,” “Facebook knew this improper data aggregation was occurring and failed to stop it.”

In the meantime, the company suspended Canadian data firm AggregateIQ over reports that it is affiliated with Cambridge Analytica and may have “improperly received user data,” a Facebook spokesperson said. Another data analytics firm, CubeYou, was suspended for sharing with marketers user information collected through what it said were quizzes “for non-profit academic research.”

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Results of the 2017 Index showed that Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.



Facebook CEO to testify before U.S. Congress

Facebook CEO Mark Zuckerberg will testify before two U.S. congressional panels next week over revelations that data of millions of Facebook users was sold to political consulting firm Cambridge Analytica. In 2014, a researcher at the University of Cambridge developed a personality quiz app that collected data from 270,000 users.

Mark Zuckerberg at the 2016 Mobile World Congress. Photo by Alessio Jacona (CC BY-SA 2.0) via Flickr.

The app also enabled the researcher to collect data about those in the friend networks of the quiz respondents without their knowledge. The developer then sold the data to Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads. The number of users impacted was first believed to be about 50 million. However, on April 4, Facebook revealed that data of 87 million users “may have been improperly shared with Cambridge Analytica.” Although mostly in the U.S., users in nine other countries including the Philippines, Indonesia, the UK and Mexico were affected.

Zuckerberg will first appear before a joint hearing by the Senate Judiciary and Commerce committees on April 10. The following day he will appear before the House Energy and Commerce Committee. The hearing “will explore approaches to privacy that satisfy consumer expectations while encouraging innovation,” Senator Chuck Grassley, the chairman of the Judiciary Committee, said in a statement. The House Energy and Commerce Committee hearing “will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” representatives Greg Walden and Frank Pallone from the energy committee said.

Since the revelations were first made a few weeks ago, Facebook has been facing scrutiny over its handling of user information. The U.S. Federal Trade Commission (FTC) is already investigating whether the company violated a 2011 settlement barring it from sharing users’ data without their consent.

Internet, mobile, and telecommunications companies should give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Facebook disclosed less about these options than any of the other 12 internet and mobile ecosystem companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.

Messaging application Telegram faces bans in both Iran and Russia

The Iranian government has announced that it will permanently block Telegram by April 20 after it releases its own messaging app. The chairman for the Iranian parliament’s national security commission cited “national security” as the reason for the ban. Telegram is popular in Iran with 45 million users. Iranian authorities resorted to blocking and throttling access to the service in response to anti-government protests this winter. Government officials are also promoting the use of local applications to end what they describe as Telegram’s “monopoly” over instant messaging services in Iran. However, activists say that local alternatives, such as Soroush, are not secure.

In Russia, Telegram is also facing a ban after it rejected a demand to hand over encryption keys to Russia’s communications watchdog, Roskomnadzor. Last March, a Russian court gave Telegram two weeks to allow authorities to access its users’ encrypted messages or risk being blocked in the country. In a letter to Roskomnadzor, Telegram’s lawyer explained that the company is “technically unable” to comply with this demand.

Telecommunications companies should be transparent about their processes for responding to government requests to restrict access to networks or to certain services and platforms. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.

Grindr to stop sharing user HIV status with other companies

LGBTQ dating app Grindr said that it will stop sharing information about the HIV status of its users with third-party companies. The announcement came after it was revealed that the company was sharing such sensitive information with two software vendors, Apptimize and Localytics. Grindr said that such data was shared with the two companies to “help [the company] improve the experience for [its] users.” However, Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News that “there was no reason for them to be storing that data with these analytics companies in the first place.”

In Norway, a consumer protection group filed a complaint against Grindr with the country’s data protection authority, alleging that the company breached national and European data protection laws. In the complaint, the group argues that Grindr does not treat information about sexual orientation and health status, considered sensitive personal data in the EU, “with great care.” The company fails to “obtain a separate and clearly given consent” from users about the sharing of their sensitive data, and transmits such data unencrypted.

Internet, mobile, and telecommunications companies should be transparent about what user information they share, with which parties and for what purposes. Internet companies should also encrypt user communication and private content.

Important notice: We are launching a new mailing list on Monday, April 9. If you are currently subscribed to receive blog post updates, and wish to continue receiving blog post updates from us, you will need to opt in to the new mailing list here. If you have not previously subscribed to our updates, but want to start receiving them, you can also sign up here.

On Monday, April 9, Ranking Digital Rights will launch a new mailing list so people can more easily sign up for updates, news, and blog posts.

If you are currently subscribed to receive blog post updates and wish to continue receiving updates from us, you will need to opt in to the new mailing list here.

If you have not previously subscribed to our updates, but want to start receiving them, you can also sign up now here.

Our new mailing list is hosted by Mailchimp. After April 9, those who have not subscribed to our new mailing list will no longer receive email updates from RDR. You will also be able to sign up for the mailing list directly on our homepage beginning April 9.

Ranking Digital Rights is updating our privacy policy, which applies to visitors to our website and to subscribers to our mailing list. The new policy will come into effect on April 9, 2018.

The revised privacy policy contains key updates about changes to our mailing service provider, which specifically affect subscribers to our mailing list and blog. As of April 9, RDR will transition to Mailchimp as the service we will use to send blog post updates, announcements, and other communications to subscribers. Mailchimp’s privacy policy can be found here.

The revised privacy policy also includes updated information about the service we use for website analytics, formerly called Piwik. It has been renamed Matomo. We are updating our Privacy Policy to reflect this name change, but we are still using the same version of Piwik (Piwik 3.2.1) and none of our policies or settings have changed. We are considering updating to the next version of Matomo, and will update the Privacy Policy accordingly if and when we do so.

You can read the full version of our updated Privacy Policy here. The current version of our privacy policy will be available as an archived version after the new policy is published on April 9.


Turkey tightens internet controls

Lawmakers in Turkey have adopted new measures that further tighten the government’s control over the internet. A new law adopted on March 21 will require video-streaming services and media or websites broadcasting through the internet to obtain a license from the country’s broadcasting regulator, RTÜK.

A protest against internet censorship in Istanbul, Turkey in May 2011. Photo credit: Erdem Civelek [CC BY 2.0] via Wikimedia Commons.

If a service does not secure a license, courts would order ISPs to block that service. Courts would also be able to request “broadcasters” to remove content deemed “illegal.” The law is also expected to apply to video platforms hosting user-generated content, like YouTube, or platforms that allow users to host live video streams, like Facebook and Periscope.

One RTÜK member said that “there’s little difference between what YouTube does and some of the video streaming services that will be subject to the new law.” Reporters Without Borders noted in a statement that such platforms have been used by “many censored media outlets to circulate their content.”

This is the latest move by the Turkish government to crack down on internet freedom. The 2017 Freedom on the Net report by Freedom House rated the country’s internet environment as “Not Free.” The Turkish government often resorts to blocking or throttling social media platforms and instant messaging apps. Thousands of websites, including Wikipedia, news sites, LGBT-related websites, and VPN services are blocked. The country’s authorities recently banned the encrypted email service ProtonMail, and they are reportedly considering “solutions” to block VPNs.

In addition, Turkish authorities are notorious for pressuring social media platforms to comply with their requests to remove content, often threatening to block them. For example, during the first half of 2017, Turkey made 2,710 content removal requests to Twitter, topping the list of countries making such requests.

Internet and telecommunications companies should be transparent about how they handle government requests for content restrictions, and publish data about the number of requests received, the number they complied with, and the types of subject matter associated with these requests. Most companies evaluated in the 2017 Corporate Accountability Index lacked transparency about how they handle government requests to restrict content or accounts, and did not disclose sufficient data about the number of requests they received or complied with, or which authorities made these requests.  

Companies should also notify users when they restrict content. Services that host user-generated content should notify those who posted the content, and users trying to access it. The notification should include a clear reason for the restriction. The 2017 Index found that companies do not disclose sufficient data about their user notification policies when they restrict content or accounts.
