Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. and UK demand answers from Facebook over Cambridge Analytica scandal

Photo in the Public Domain, via Pixabay.

Authorities in the U.S. and the UK are demanding answers from Facebook after it was revealed that data of an estimated 50 million of the platform’s users was harvested without their consent. In 2014, a researcher at the University of Cambridge developed a personality quiz app that collected data from 270,000 users. The app also enabled the researcher to collect data about those in the friend networks of the quiz respondents without their knowledge. According to reports, the developer then sold the data to data mining firm Cambridge Analytica, which used the data to build detailed profiles of American voters and target them with pro-Trump political ads.

In response to these revelations, authorities in both the UK and the U.S. are demanding answers from Facebook. In the UK, members of parliament summoned Facebook CEO Mark Zuckerberg to testify before a parliamentary committee investigating fake news. The country’s information commissioner is investigating organizations that include social media companies and data analytics companies over their handling of user data during political campaigning. In the U.S., Congress members have also called on Zuckerberg to testify, while the U.S. Federal Trade Commission is reportedly investigating whether the company violated the terms of a 2011 agreement by Facebook not to share users’ data without their consent.

On Thursday, Zuckerberg said that the company will “investigate all apps that had access to large amounts of information” before 2014 and “will conduct a full audit of any app with suspicious activity.” In 2014, Facebook changed its policies to reduce the amounts of data third-party developers can access. Zuckerberg told Recode that the number of the apps they are going to investigate is in the “tens of thousands” and that the process will “take a number of months.”   

Internet, mobile, and telecommunications companies should be transparent about what user information they share, with which parties and for what purposes. Companies should also give users options to control how their information is collected and used for targeted advertising. Companies evaluated in the 2017 Corporate Accountability Index did not disclose enough information about such options. Facebook disclosed less about these options than any of the other 12 internet companies evaluated. The company did not disclose options allowing users to control the company’s collection of their user information, and how their information is used for targeted advertising.


Verizon building in the New York City skyline. Photo credit: Ted McGrath [CC BY-NC-SA 2.0]

Internet service providers in New York City fail to provide sufficient information for consumers to make informed choices about the privacy risks of using these services, according to a new study (PDF) by the Digital Equity Lab at the New School released this week. The study, which used the Ranking Digital Rights Corporate Accountability Index methodology to evaluate 11 of New York City’s major internet service providers (ISPs), found that their privacy policies were too vague for consumers to understand how these companies handle their data.

The study found that ISPs did not provide privacy policies in the main languages spoken by residents. While companies offered policies in English and Spanish, none provided these policies in the other six official languages of New York City. The study also found that most policies failed to provide users clear options to control what information is collected and shared about them.

The report is one of several recent studies that have adapted the Index methodology to examine corporate transparency of policies and practices affecting freedom of expression and privacy in different regions. A report by the Social Media Exchange (SMEX) in Lebanon used the Index methodology to survey 66 mobile providers in 22 Arab countries and found that mobile users lacked critical information about the policies affecting their freedom of expression and privacy. In addition, this February researchers with Paris-based Internet Sans Frontières published a study based on the Index methodology which found that mobile providers in Kenya and Senegal lacked sufficient transparency, with discrepancies between disclosed policies of the parent companies and their local subsidiaries.

Image by VLADGRIN on Shutterstock

Please join us online or in person on Wednesday, April 25th for the launch of the Ranking Digital Rights 2018 Corporate Accountability Index!! As in 2017, we have evaluated 22 of the world’s most powerful internet, mobile, and telecommunications companies on their commitments and disclosed policies affecting users’ expression and privacy. Find out what has—and has not—improved in the past year. Learn how our 2018 findings relate to the headlines of the past year about privacy breaches, disinformation, hate speech, censorship, network shutdowns, and more.

When: 9:30-11am EDT (1:30pm UTC) on Wednesday April 25th

Where: Italian Academy, Columbia University, New York City

RSVP here with more event information, directions to the venue

UPDATE: watch the live webcast here!


Users can sue Yahoo for data breaches, a U.S. judge rules

Former Yahoo CEO Marissa Mayer testifying before Congress about data breaches. Screenshot from the C-Span Video Library.

A federal judge has ruled that a class action lawsuit against Yahoo over data breaches can move forward. The massive data breaches that occurred between 2013 and 2016 affected all of the company’s 3 billion users.

The plaintiffs in the class action suit argue that Yahoo’s handling of the breaches exposed their data to hackers who stole their identities and money. The company admitted that hackers were able to access its user database and steal user passwords. Yahoo is also accused of taking too long to address the data breaches even though the company’s security officials knew about them.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” U.S. District Judge Lucy Koh said.

Telecommunications, and internet and mobile ecosystem companies should clearly disclose what steps they take to keep user data secure and how they respond to data breaches. The 2017 Corporate Accountability Index found that companies communicate less about what they are doing to protect users’ security than they do about what users should do to protect themselves. Companies disclosed more to users about how to defend themselves against cyber risks than about what steps they take to keep users’ information secure or about what they do to address security vulnerabilities once they are discovered.

None of the internet and mobile ecosystem companies evaluated in the 2017 Index disclosed information about their processes for responding to data breaches, including whether or not they commit to notify relevant authorities without undue delay and their process for notifying data subjects affected by the breach.


European Commission gives tech companies 1 hour to remove terrorist content

The European Commission – Berlaymont Building. Photo credit: Glyn Lowe [CC BY 2.0].

Online platforms should remove terrorist content within one hour after being notified, the European Commission said in a new recommendation. On 1 March the Commission adopted a “Recommendation on measures to effectively tackle illegal content online” proposing a “common approach” for platforms to “detect, remove and prevent the re-appearance of content online” including terrorist content, hate speech, child sexual abuse material, and copyright infringement.

“Given that terrorist content is typically most harmful in the first hour of its appearance online and given the specific expertise and responsibilities of competent authorities and Europol, referrals should be assessed and, where appropriate, acted upon within one hour, as a general rule,” the Commission explained in the Recommendation.

Companies should also put in place “easy and transparent rules” to flag illegal content including “fast-track procedures for ‘trusted flaggers’,” the Commission said. It also advises companies to cooperate “through the sharing and optimisation” of technological tools that automatically detect terrorist content.

While not legally binding, the recommendation increases pressure on tech giants, already facing scrutiny in the EU, to act with speed to remove illegal content.

The latest move by the EU to regulate online platforms was met with criticism by the Computer & Communications Industry Association, which represents the tech industry. In a statement, the association said the one hour limit “will strongly incentivise hosting services providers to simply take down all reported content.”

The Center for Democracy and Technology, which advocates for online civil liberties and rights, said the new rules “lack adequate accountability mechanisms,” adding that its “emphasis on speed and use of automation ignores limits of technology and techniques.”

Companies should be transparent about their process for enforcing their rules by disclosing information about the types of content or activities they do not allow, and the processes they use to identify infringing content or accounts. None of the internet and mobile ecosystem companies evaluated in the 2017 Corporate Accountability Index disclosed whether government authorities receive priority consideration when flagging content to be restricted. Companies should also disclose and regularly publish data about the volume and nature of actions taken to restrict content or accounts that violate their rules. Of the 22 internet, mobile, and telecommunications companies evaluated in the 2017 Corporate Accountability Index, only three—Microsoft, Twitter, and Google—published any information at all on their terms of service enforcement.
