16 Mar Users in the U.S. can sue Yahoo for data breaches, operators in Sri Lanka block social media, Weibo suspends feminist account on Women’s Day

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Users can sue Yahoo for data breaches, a U.S. judge rules

Former Yahoo CEO Marissa Mayer testifying before Congress about data breaches. Screenshot from the C-Span Video Library.

A federal judge has ruled that a class action lawsuit against Yahoo over data breaches can move forward. The massive data breaches that occurred between 2013 and 2016 affected all of the company’s 3 billion users.

The plaintiffs in the class action suit argue that Yahoo’s handling of the breaches exposed their data to hackers who stole their identities and money. The company admitted that hackers were able to access its user-database and steal user passwords. Yahoo is also accused of taking too long to address the data breaches even though the company’s security officials knew about them.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” U.S. District Judge Lucy Koh said.

Telecommunications, and internet and mobile ecosystem companies should clearly disclose what steps they take to keep user data secure and how they respond to data breaches. The 2017 Corporate Accountability Index found that companies communicate less about what they are doing to protect users’ security than they do about what users should do to protect themselves. Companies disclosed more to users about how to defend themselves against cyber risks than about what steps they take to keep users’ information secure or about what they do to address security vulnerabilities once they are discovered.

None of the internet and mobile ecosystem companies evaluated in the 2017 Index disclosed information about their processes for responding to data breaches, including whether or not they commit to notify relevant authorities without undue delay and their process for notifying data subjects affected by the breach.

(more…)

09 Mar Brussels says online platforms should remove terrorist content in one hour, Washington state enacts net neutrality law, Cameroon restores internet access to its Anglophone regions

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

European Commission gives tech companies 1 hour to remove terrorist content

The European Commission – Berlaymont Building. Photo credit: Glyn Lowe [CC BY 2.0].

Online platforms should remove terrorist content within one hour after being notified, the European commission said in a new recommendation. On 1 March the Commission adopted a “Recommendation on measures to effectively tackle illegal content online” proposing a “common approach” for platforms to “detect, remove and prevent the re-appearance of content online” including terrorist content, hate speech, child sexual abuse material, and copyright infringement.

“Given that terrorist content is typically most harmful in the first hour of its appearance online and given the specific expertise and responsibilities of competent authorities and Europol, referrals should be assessed and, where appropriate, acted upon within one hour, as a general rule,” the commission explained in the Recommendation.

Companies should also put in place “easy and transparent rules” to flag illegal content including “fast-track procedures for ‘trusted flaggers’,” the Commission said. It also advises companies to cooperate “through the sharing and optimisation” of technological tools that automatically detect terrorist content.

While not legally binding, the recommendation increases pressure on tech giants, already facing scrutiny in the EU, to act with speed to remove illegal content.

The latest move by the EU to regulate online platforms was met with criticism by the Computer & Communications Industry Association, which represents the tech industry. In a statement, the association said the one hour limit “will strongly incentivise hosting services providers to simply take down all reported content.”

The Center for Democracy and Technology, which advocates for online civil liberties and rights, said the new rules “lack adequate accountability mechanisms,” adding that its “emphasis on speed and use of automation ignores limits of technology and techniques.”

Companies should be transparent about their process for enforcing their rules by disclosing information about the types of content or activities they do not allow, and the processes they use to identify infringing content or accounts. None of the internet and mobile ecosystem companies evaluated in the 2017 Corporate Accountability Index disclosed whether government authorities receive priority consideration when flagging content to be restricted. Companies should also disclose and regularly publish data about the volume and nature of actions taken to restrict content or accounts that violate their rules. Of the 22 internet, mobile, and telecommunications companies evaluated in the 2017 Corporate Accountability Index, only three—Microsoft, Twitter, and Google—published any information at all on their terms of service enforcement.

(more…)

02 Mar U.S. Supreme Court hears Microsoft privacy case, mobile network shutdowns ruled illegal by Pakistani court, Facebook’s tracking of non-users violates Belgian privacy laws

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. Supreme Court hears Microsoft privacy case

Microsoft Corporation headquarters in Redmond, Washington. Photo credit: user Coolcaesar [CC BY-SA 4.0] via Wikimedia Commons.

The case dates back to 2013 when a New York state judge issued a warrant requesting that Microsoft hand over Outlook email information belonging to a user, who was the subject of a drug-trafficking investigation. While the company agreed to hand over metadata stored in the U.S., it refused to hand over the content of the emails, arguing that they are protected by Irish and EU privacy laws since they are stored in Ireland. The company says that the government should try to obtain the sought-after information using the United States-Ireland Mutual Legal Assistance Treaty (MLAT). MLATs are bilateral, multilateral or regional agreements that allow governments to exchange information related to an investigation.

The U.S. government argues that the MLAT process is “costly, cumbersome and time-consuming,” and is not needed since “the privacy intrusion occurs only when Microsoft turns over the content to the Government, which occurs in the United States.”

In court on Tuesday, Microsoft argued that the 1986 law is outdated and that the case should be decided by Congress. The Congress is considering to pass a new legislation, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would clarify that warrants issued under the Stored Communications Act apply to data stored overseas, while allowing companies to challenge such warrants when they violate the privacy laws of the country where the data is stored.

While supported by tech companies including Microsoft, Facebook, Google and Apple, privacy advocate groups including the Electronic Frontier Foundation (EFF) and Access Now slammed the bill because it allows the U.S government to access data stored in any foreign country without consideration to its privacy laws. The bill would also give the U.S President power to enter into “executive agreements” with other countries for cross-border access to data. Such agreements would allow foreign governments to request U.S. companies to hand over data stored in the U.S, as long as the user is not a U.S citizen or based in the country, “without the procedural safeguards of U.S. law typically given to data stored in the United States,” EFF says.

A decision by the Supreme court is expected by summer. If the court rules in favor of the U.S. government, it would set a new precedent allowing governments to obtain data stored in other countries. The European Union is already considering a bill that would allow law enforcement authorities of any member-state to request data stored not only within the 28 EU countries, but also overseas, Reuters reported.

Companies should disclose information about their process for responding to government requests for user data including their processes for responding to non-judicial government requests and court orders, and the legal basis under which they comply with requests. In addition, companies should publicly commit to push back on inappropriate or overbroad government requests. Companies should also disclose and regularly publish data about these requests including, listing the number of requests received by country and number of accounts and pieces of content affected, and specifying the legal authorities making the requests.

(more…)

23 Feb Instagram complies with Russian censorship request, Intel faces lawsuits over security flaws, EU warns Facebook and Twitter about content removal policies

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Instagram appeases Russian censorship request

Russian opposition leader Alexei Navalny. Photo credit: Evgeny Feldman / Novaya Gazeta [CC BY-SA 3.0] via Wikimedia Commons.

Navalny also posted a video on Youtube and his website on the link between Deripaska and the Kremlin. Deripaska filed an injunction with Russia’s federal media regulator, Roskomnadzor, to remove the videos and reports about the allegations. Instagram, which is owned by Facebook, and Russian media sites complied. Russian ISPs also blocked Navalny’s website.

The video is still available on Youtube, which is owned by Google. However, the platform warned Navalny and his team that if they do not take down the offending materials, the company will do so.

Internet, mobile ecosystem, and telecommunications companies should be transparent about how they handle government requests for content restrictions and publish data about the number of requests received, the number they complied with, and the types of subject matter associated with these requests. Most companies evaluated in the 2017 Corporate Accountability Index lacked transparency about how they handle government requests to restrict content or accounts, and did not disclose sufficient data about the number of requests they received or complied with, or which authorities made these requests.  

Companies should also notify users when it restricts content. Services that host user-generated content should notify those who posted the content, and users trying to access it. The notification should include a clear reason for the restriction. The 2017 Index found that companies do not disclose sufficient data about their user notification policies when they restrict content or accounts.

(more…)