15 Sep U.S. government drops Facebook gag order, research shows security risks in content filtering apps, Togo orders network shutdown

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. government withdraws Facebook gag order

D.C. Court of Appeals (Photo by Mr.TinDC, Licensed CC BY-ND 2.0)

The U.S. government has dropped its effort prevent Facebook from notifying three users that their communications were being investigated. Facebook received search warrants for content from the users’ accounts and the warrants were accompanied with gag orders preventing the company from notifying the users. Facebook contested the gag order, though its request was denied by the D.C. Superior Court. Facebook appealed the decision to the D.C. Court of Appeals. A hearing on the matter was scheduled for September 14, though it was cancelled on September 13 after prosecutors said the gag orders were no longer necessary, and withdrew their request.

This is one of several recent instances of U.S. internet and telecommunications companies pushing back against inappropriate or overly broad government requests. Web hosting provider Dreamhost is currently engaged in a legal battle with the U.S. Department of Justice over a demand for information an anti-Trump website, although the DOJ has thus far dropped portions of its original overly broad warrant, including the demand for all IP addresses of visitors to the website. In April of this year, Twitter reported that the Trump administration had attempted to force the company to reveal the identity of an anonymous Twitter account critiquing the administration. Twitter pushed back against the request, which was ultimately withdrawn, saying it was unlawful and a violation of the First Amendment.

As noted in the Corporate Accountability Index methodology, companies should clearly disclose their processes for responding to third-party requests for user information. This disclosure should include a commitment to carry out due diligence on government requests before deciding how to respond, as well as a commitment to push back on inappropriate or overbroad government requests. Of the seven U.S. companies evaluated in the 2017 Corporate Accountability Index—Apple, AT&T, Facebook, Google, Microsoft, Twitter, and Yahoo— all seven committed to carry out due diligence on government requests for user information and to push back on inappropriate or overbroad requests. (more…)

08 Sep India’s Supreme Court issues landmark privacy verdict, Yahoo to face civil suit for data breaches, Chinese government’s crackdown on free speech online continues

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Privacy is a fundamental right, says India’s top court

Image by MohitSingh (Licensed CC BY 3.0)

In a landmark decision, India’s Supreme Court has ruled that privacy is a fundamental right, protected by the country’s constitution. The case stems from a legal challenge to the Indian government’s controversial new biometric database, Aadhaar, which is the largest of its kind in the world. Individuals must enroll in this database—which requires submitting their fingerprints, iris photographs, and facial photographs—in order to obtain a variety of government services, including paying taxes or receiving a government subsidy. According to The Atlantic, this makes it “almost impossible to live in India without enrolling.”

Privacy advocates in India petitioned the court over the program’s privacy risks to individuals enrolled in Aadhaar. In its ruling that privacy is a fundamental right, the court also overturned previous cases which said it was not. The court did not rule on the legality of Aadhaar itself, which will be considered separately. Advocates also anticipate the case will also have an impact on tech companies’ collection and use of user data. “These companies must brace for [legal action],” Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, told CNN. “Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right.”

The Corporate Accountability Index contains 18 indicators measuring companies’ disclosure of policies affecting users’ privacy, and whether these policies and commitments demonstrate the concrete ways companies respect and protect the privacy rights of users. Indicators in this category are based on standards established by the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and other international human rights instruments, which guarantee privacy as a fundamental human right. However, national laws and regulations can have a significant impact on a company’s policies affecting users’ privacy. As noted in our recommendations, governments should work with the private sector and civil society to ensure that legal and regulatory frameworks make it possible for companies to respect digital rights. (more…)

17 Aug Tech companies combat white supremacist content, Chinese companies face investigation over user content, and web host pushes back on Trump administration demand for website visitor info

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Tech companies combat white supremacist content

Image by Mark Dixon (Licensed CC BY 2.0)

Leading tech companies are  making new efforts to restrict white supremacist content, following the white supremacist rallies in Charlottesville, Virginia on August 11 and 12. Several companies terminated services for the Daily Stormer, a neo-Nazi website, after it posted an article disparaging Heather Heyer, a counter demonstrator who was killed during the rally on August 12. GoDaddy, a domain name registrar, terminated its service for the Daily Stormer, stating, “this type of article could incite additional violence, which violates our terms of service.” The Daily Stormer then moved its domain name registry to Google Domains, which also cancelled its service, citing a violation to its terms of service. Zoho, the website’s email provider, also cancelled its service due to a terms of service violation. Following the rally, Twitter also suspended the Daily Stormer’s account, and Facebook removed several pages affiliated with white supremacist groups.

Notably, Cloudflare, a content distribution network company that had previously publicly defended its decision to provide services to the Daily Stormer, also dropped the site. Cloudflare CEO Matthew Prince told the Verge, “This was my decision, I don’t think it’s CloudFlare’s policy and I think it’s an extremely dangerous decision in a lot of ways. I think that we as the internet need to have a conversation about where the right place for content restriction is…but there was no way we could have that conversation until we resolved this particular issue.”

Internet and social media companies have come under increasing pressure to do a better job policing extremist content. However, in doing so, it is important that these companies have clear guidelines, policies, and accountability mechanisms to ensure they do not censor legitimate free speech. Companies’ terms of service or user agreements, which outline what content and activities are not permitted, are also not always transparent or consistently enforced, making it difficult to determine what impact this may have on users’ freedom of expression rights. Only three of the 22 companies evaluated in the 2017 Corporate Accountability Index—Google, Microsoft, and Twitter—disclosed any data about the volume and nature of content they restricted for breaches to terms of service. Companies should clearly disclose the circumstances under which they may restrict content or user accounts, publish data about the volume and nature of actions they take to enforce these rules, and provide clear grievance and remedy mechanisms to address users’ concerns over violations to their freedom of expression rights as a result of actions taken by the company. (more…)

11 Aug UK to overhaul data protection regulations, ISPs in India ordered to block thousands of sites including Internet Archive, U.S. NGOs warn new bill would create greater internet censorship

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

UK to revamp data protection rules

UK lawmakers have announced plans to revamp the country’s data protection rules in order to comply with the EU’s General Data Protection Regulation (GDPR), which come into force in May 2018. Under the proposed plans, the definition of “personal data” would be expanded to include IP addresses, internet cookies, and DNA. UK organizations could also face fines for not adequately addressing cybersecurity risks. Plans also include measures allowing UK citizens to demand that social media companies delete their data.

The GDPR, which will harmonize data protection laws across the EU, affects data protection regulations and practices globally. The rules apply to all “data processors” that handle data of EU citizens, regardless of where the data processors are based. As noted in our recommendations for the 2017 Corporate Accountability Index, governments should develop effective data protection regimes and privacy regulations in consultation with industry and civil society, with impact assessments to ensure that the laws can avoid unintended consequences for freedom of expression. Companies should also disclose more information about their GDPR compliance, and what this means for non-EU users. (more…)