Verizon building in the New York City skyline. Photo credit: Ted McGrath [CC BY-NC-SA 2.0]

Internet service providers in New York City fail to provide sufficient information for consumers to make informed choices about the privacy risks of using these services, according to a new study (PDF) by the Digital Equity Lab at the New School released this week. The study, which used the Ranking Digital Rights Corporate Accountability Index methodology to evaluate 11 of New York City’s major internet service providers (ISPs), found that these privacy policies were too vague for consumers to understand how these companies handle their data.

The study found that ISPs did not provide privacy policies in the main languages spoken by residents. While companies offered policies in English and Spanish, none provided these policies in the other six official languages of New York City. The study also found that most policies failed to provide users with clear options to control what information is collected and shared about them.

The report is one of several recent studies that have adapted the Index methodology to examine corporate transparency of policies and practices affecting freedom of expression and privacy in different regions. A report by the Social Media Exchange (SMEX) in Lebanon used the Index methodology to survey 66 mobile providers in 22 Arab countries and found that mobile users lacked critical information about the policies affecting their freedom of expression and privacy. In addition, this February researchers with Paris-based Internet Sans Frontières published a study based on the Index methodology which found that mobile providers in Kenya and Senegal lacked sufficient transparency, with discrepancies between disclosed policies of the parent companies and their local subsidiaries.

Image by VLADGRIN on Shutterstock

Please join us online or in person on Wednesday, April 25th for the launch of the Ranking Digital Rights 2018 Corporate Accountability Index!! As in 2017, we have evaluated 22 of the world’s most powerful internet, mobile, and telecommunications companies on their commitments and disclosed policies affecting users’ expression and privacy. Find out what has—and has not—improved in the past year. Learn how our 2018 findings relate to the headlines of the past year about privacy breaches, disinformation, hate speech, censorship, network shutdowns, and more.

When: 9:30-11am EDT (1:30pm UTC) on Wednesday April 25th

Where: Italian Academy, Columbia University, New York City

RSVP here with more event information, directions to the venue

UPDATE: watch the live webcast here!

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Users can sue Yahoo for data breaches, a U.S. judge rules

Former Yahoo CEO Marissa Mayer testifying before Congress about data breaches. Screenshot from the C-Span Video Library.

A federal judge has ruled that a class action lawsuit against Yahoo over data breaches can move forward. The massive data breaches that occurred between 2013 and 2016 affected all of the company’s 3 billion users.

The plaintiffs in the class action suit argue that Yahoo’s handling of the breaches exposed their data to hackers who stole their identities and money. The company admitted that hackers were able to access its user database and steal user passwords. Yahoo is also accused of taking too long to address the data breaches even though the company’s security officials knew about them.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” U.S. District Judge Lucy Koh said.

Telecommunications companies, as well as internet and mobile ecosystem companies, should clearly disclose what steps they take to keep user data secure and how they respond to data breaches. The 2017 Corporate Accountability Index found that companies communicate less about what they are doing to protect users’ security than they do about what users should do to protect themselves. Companies disclosed more to users about how to defend themselves against cyber risks than about what steps they take to keep users’ information secure or about what they do to address security vulnerabilities once they are discovered.

None of the internet and mobile ecosystem companies evaluated in the 2017 Index disclosed information about their processes for responding to data breaches, including whether or not they commit to notify relevant authorities without undue delay and their process for notifying data subjects affected by the breach.

European Commission gives tech companies 1 hour to remove terrorist content

The European Commission – Berlaymont Building. Photo credit: Glyn Lowe [CC BY 2.0].

Online platforms should remove terrorist content within one hour after being notified, the European Commission said in a new recommendation. On 1 March the Commission adopted a “Recommendation on measures to effectively tackle illegal content online” proposing a “common approach” for platforms to “detect, remove and prevent the re-appearance of content online” including terrorist content, hate speech, child sexual abuse material, and copyright infringement.

“Given that terrorist content is typically most harmful in the first hour of its appearance online and given the specific expertise and responsibilities of competent authorities and Europol, referrals should be assessed and, where appropriate, acted upon within one hour, as a general rule,” the Commission explained in the Recommendation.

Companies should also put in place “easy and transparent rules” to flag illegal content including “fast-track procedures for ‘trusted flaggers’,” the Commission said. It also advises companies to cooperate “through the sharing and optimisation” of technological tools that automatically detect terrorist content.

While not legally binding, the recommendation increases pressure on tech giants, already facing scrutiny in the EU, to act with speed to remove illegal content.

The latest move by the EU to regulate online platforms was met with criticism by the Computer & Communications Industry Association, which represents the tech industry. In a statement, the association said the one-hour limit “will strongly incentivise hosting services providers to simply take down all reported content.”

The Center for Democracy and Technology, which advocates for online civil liberties and rights, said the new rules “lack adequate accountability mechanisms,” adding that its “emphasis on speed and use of automation ignores limits of technology and techniques.”

Companies should be transparent about their process for enforcing their rules by disclosing information about the types of content or activities they do not allow, and the processes they use to identify infringing content or accounts. None of the internet and mobile ecosystem companies evaluated in the 2017 Corporate Accountability Index disclosed whether government authorities receive priority consideration when flagging content to be restricted. Companies should also disclose and regularly publish data about the volume and nature of actions taken to restrict content or accounts that violate their rules. Of the 22 internet, mobile, and telecommunications companies evaluated in the 2017 Corporate Accountability Index, only three—Microsoft, Twitter, and Google—published any information at all on their terms of service enforcement.

U.S. Supreme Court hears Microsoft privacy case

Microsoft Corporation headquarters in Redmond, Washington. Photo credit: user Coolcaesar [CC BY-SA 4.0] via Wikimedia Commons.

On Tuesday, the U.S. Supreme Court heard arguments in the U.S. v. Microsoft case, in which the Department of Justice is seeking to force Microsoft to hand over content of emails stored in a data center in Ireland, under the 1986 Stored Communications Act. The case could set a new precedent that allows governments to obtain data stored in other countries.

The case dates back to 2013 when a New York state judge issued a warrant requesting that Microsoft hand over Outlook email information belonging to a user, who was the subject of a drug-trafficking investigation. While the company agreed to hand over metadata stored in the U.S., it refused to hand over the content of the emails, arguing that they are protected by Irish and EU privacy laws since they are stored in Ireland. The company says that the government should try to obtain the sought-after information using the United States-Ireland Mutual Legal Assistance Treaty (MLAT). MLATs are bilateral, multilateral or regional agreements that allow governments to exchange information related to an investigation.

The U.S. government argues that the MLAT process is “costly, cumbersome and time-consuming,” and is not needed since “the privacy intrusion occurs only when Microsoft turns over the content to the Government, which occurs in the United States.”

In court on Tuesday, Microsoft argued that the 1986 law is outdated and that the case should be decided by Congress. Congress is considering passing new legislation, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would clarify that warrants issued under the Stored Communications Act apply to data stored overseas, while allowing companies to challenge such warrants when they violate the privacy laws of the country where the data is stored.

While supported by tech companies including Microsoft, Facebook, Google and Apple, privacy advocacy groups including the Electronic Frontier Foundation (EFF) and Access Now slammed the bill because it allows the U.S. government to access data stored in any foreign country without consideration of its privacy laws. The bill would also give the U.S. President power to enter into “executive agreements” with other countries for cross-border access to data. Such agreements would allow foreign governments to request U.S. companies to hand over data stored in the U.S., as long as the user is not a U.S. citizen or based in the country, “without the procedural safeguards of U.S. law typically given to data stored in the United States,” EFF says.

A decision by the Supreme Court is expected by summer. If the court rules in favor of the U.S. government, it would set a new precedent allowing governments to obtain data stored in other countries. The European Union is already considering a bill that would allow law enforcement authorities of any member-state to request data stored not only within the 28 EU countries, but also overseas, Reuters reported.

Companies should disclose information about their process for responding to government requests for user data including their processes for responding to non-judicial government requests and court orders, and the legal basis under which they comply with requests. In addition, companies should publicly commit to push back on inappropriate or overbroad government requests. Companies should also disclose and regularly publish data about these requests, including listing the number of requests received by country and number of accounts and pieces of content affected, and specifying the legal authorities making the requests.
