13 Jul Tech companies join forces for “Day of Action” on Net Neutrality, EFF report shows tech companies can improve on user privacy, and Indian telco Reliance Jio responds to recent data breach reports

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. tech companies and NGOs rally against net neutrality rollback

Image via Battle for the Net

Technology companies, NGOs, and websites rallied this week in an “internet-wide day of action to save net neutrality.” Companies including Amazon, Netflix, Twitter, and Tumblr were among the members of the “Battle for the Net” coalition, which urged internet users to tell Congress and the Federal Communications Commission (FCC) to uphold the Title II Net Neutrality rules. These rules were passed in 2015 and created strong protections for net neutrality in the U.S. by classifying internet service providers as “common carriers” under Title II of the Communications Act. The FCC is accepting public comments for its proposed plan to roll back these rules until July 17. The Internet Association, a trade organization that represents tech companies including Facebook, Google, and Microsoft, also launched its own campaign, walking users through the process for submitting an FCC public comment. According to “Day of Action” organizers, more than 1.6 million public comments were filed with the FCC, breaking the previous record for most public comments in a single day.

Digital rights advocates have promoted the importance of net neutrality to ensuring a free and open internet, and in turn, freedom of expression. The Corporate Accountability Index evaluates whether telecommunications companies disclose that they do not prioritize, block, or delay certain types of network traffic, other than for assuring network quality and reliability. If telecommunications companies do engage in these practices, we expect them to clearly disclose their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

New EFF report shows tech companies can do more to protect user privacy

Image via EFF (licensed CC-BY 3.0)

Tech companies can do more to stand up for our privacy, according to a new report from the Electronic Frontier Foundation (EFF). The EFF’s latest “Who Has Your Back?” report evaluates 26 U.S.-based tech companies’ policies for responding to government requests for user data. The companies were evaluated in categories including whether they follow industry-wide best practices, whether they notify users of government requests, and whether they have advocated for U.S. government surveillance reform. The EFF found that Amazon and WhatsApp lagged behind their internet industry peers, each earning two stars out of a possible five. Of the telecommunications companies, AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning one star.

The “Who Has Your Back” report and the Corporate Accountability Index both evaluate companies’ disclosed policies for responding to government requests for user data. Our findings also indicated that of the 22 companies that we evaluate, most did not disclose enough to users about their processes for responding to government and other third-party requests for user data. Because the EFF focuses on U.S.-based companies and their processes for responding to U.S. authorities, the report is also able to evaluate policies specific to the U.S. legal and political context. For example, legal reforms passed in 2015 allow companies to request judicial review of the gag orders that accompany all National Security Letters (NSLs). However, the EFF reports that fewer than half the companies evaluated publicly commit to request judicial review of all NSLs they receive. In a more positive finding, 21 of the 26 companies evaluated have called for U.S. surveillance reform of Section 702 of the FISA Amendments Act, which Congress will debate reauthorizing this year. With regard to transparency and best practices for respecting user rights, “public scrutiny has helped raise the floor on technology companies,” according to the report—but that all companies still have room for improvement.

Indian telco Reliance Jio investigating data breach reports

Indian telecommunications company Reliance Jio is investigating reports of a data breach after a website published personal information that appeared to belong to subscribers. The company has denied that a breach occurred and said the information appeared to be “unauthentic,” according to Reuters. However, the Indian Express reports the company filed a police complaint alleging “unlawful access to its systems,” which according to the outlet “would be the telecom firm’s first official acknowledgement of a system breach.” The information posted on the website included individuals’ names, email addresses, and phone numbers, and some individuals were able to verify their information had been published, according to reports. It is unclear how of the company’s 112 million subscribers may have had their information published on the site.

India does not have a law that requires companies to notify users when their information may have been included in a data breach.

Users entrust internet and telecommunications companies with a vast amount of personal information—including names, addresses, social security numbers, passwords, and financial information. Companies should take measures to ensure that users’ data is secure. As highlighted in our recommendations, governments should encourage companies to implement and disclose appropriate policies and procedures for data breaches, including through relevant legislation. However, we also expect companies to disclose their policies for responding to a breach before one occurs. Companies should clearly disclose that they will immediately notify the relevant authorities, as well as their processes for notifying data subjects who might be affected by a data breach, and what kinds of steps they will take to address the impact of a data breach on users. Our research has found that companies are not doing enough to make users aware of their data breach response policies. Only three of the 22 companies we evaluated—Telefónica, AT&T, and Vodafone—disclosed any information about their process for responding to data breaches.

29 Jun Chinese netizens anticipate VPN crackdown, Google receives historic antitrust fine from EU, and new documents released from investigation in Philando Castile’s death

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Chinese internet users anticipate VPN crackdown

Image via tonynetone on Flickr (licensed CC BY 2.0)

Global Voices reports that a crackdown on Virtual Private Network (VPN) use in China may be just around the corner. Internet users in China regularly rely upon VPNs to access websites and social media sites like Facebook and Twitter that are blocked by China’s “Great Firewall.” However several VPNs appear to have recently been removed from Apple and Android app stores, according to the report, and VPN provider Green issued a statement to its users that after receiving notice from “higher authorities,” it would cease operations on July 1. In January, the Chinese Ministry of Industry and Information Technology announced that VPN providers could not operate without approval. Internet users anticipate that a majority of VPN apps will be unavailable in Chinese Android and Apple app stores as of July 1, according to Global Voices.

In the Corporate Accountability Index, we look for app store companies to report data on the number of requests they receive from governments to remove or restrict third-party apps. Of the three mobile ecosystem companies we evaluated (Apple’s iOS, Google’s Android, and Samsung’s implementation of Android), Google was the only company to disclose some of this information.

European Commission fines Google 2.4 billion Euro in antitrust suit

The European Commission has fined Google 2.4 billion Euro in an antitrust case, finding that Google Search had prioritized results from Google’s comparison shopping service and demoted similar search results from competitors. According to EU Commissioner Margrethe Vestager, “Google abused its market dominance as a search engine” by doing this. In addition to receiving the largest antitrust fine aimed at a single company in EU history, this could also lead to further regulatory action focused on other aspects of Google’s business–including Android. In April 2016, the Commission filed a separate antitrust case that Google was abusing Android’s market dominance to benefit Google Search, which the Commission said “has harmed consumers by restricting competition and innovation.” The Android investigation is still ongoing, and financial analyst Richard Windsor told Reuters that the recent fine is a “warning shot” to Google regarding the Android case.

The majority of smartphone users use an Android operating system, and it is projected to maintain about an 85% market share through 2020. Google Android, and other mobile ecosystem companies, should be transparent about their policies and practices. However, our research found that all three mobile ecosystems evaluated—Apple, Google, and Samsung—failed to sufficiently disclose policies affecting users’ freedom of expression and privacy.

Facebook pushes back on request by authorities to access users’ accounts

Facebook successfully contested warrants for two users’ account information that included a gag order preventing the company from notifying anyone about the request, newly released documents reveal. The warrants were served as part of the investigation into the death of Philando Castile, who was fatally shot by a Minnesota police officer on July 7, 2016. His girlfriend, Diamond Reynolds, who was in the passenger’s seat when Castile was shot, livestreamed the immediate aftermath on Facebook live in a video that was viewed 3.2 million times in less than one day. Minnesota’s Bureau of Criminal Apprehension (BCA) served Facebook with warrants requesting information from both Castile’s and Reynold’s Facebook accounts. Authorities also served Sprint with a warrant for Diamond Reynolds’ phone records, including call and text logs and location data.

Both of the warrants included indefinite gag orders that would prevent Facebook and Sprint from ever notifying anyone else of the requests, including Reynolds. Facebook pushed back against the gag order, and notified the BCA that it was preparing a legal filing to challenge the warrants, which were eventually rescinded. Sprint complied with the warrant and gag order. A Facebook spokesperson told Gizmodo, “Our policy is to notify people about law enforcement requests for their information before disclosure unless we’re legally barred from doing so. In this case, we decided to challenge gag orders on our ability to provide this important notice, and the authorities ultimately withdrew these warrants altogether.”

The Corporate Accountability Index looks for companies to disclose a policy that they carry out due diligence when governments or law enforcement ask for user information before deciding how to respond. We also expect companies to commit to push back on inappropriate or overbroad requests, and to notify users when government entities request their user information, and clearly disclose situations when they may be prohibited by law from notifying users. For the Facebook social network, Instagram, and Messenger, Facebook clearly disclosed that it notifies users when government authorities request their user information, but did not make the same explicit disclosure for WhatsApp.

23 Jun EU Parliament committee endorses end-to-end encryption, companies are behind in preparing for new EU data rules, and U.S. net neutrality debate resurfaces

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

EU Parliament committee endorses end-to-end encryption

European Parliament, image via Wikipedia

A European Parliament committee is proposing that end-to-end encryption be mandatory for all electronic communications. The proposal calls for  amending the EU Charter of Fundamental Rights to include online privacy. It also includes a ban on encryption “backdoors” that give governments access to encrypted communications. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services,” according to the proposal.

This is a stark contrast to recent discussions among officials in the UK, Germany, and Australia who say authorities should be able to access encrypted communications to stop terrorism. As highlighted in the 2017 Corporate Accountability Index, governments should not pass measures that undermine encryption. As the EU Parliament committee’s proposal asserts, “The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information.”

Companies not ready for new EU data protection rules

The Financial Times reports that European companies are unprepared for the EU’s new data protection regulations that come into force in less than a year. Many businesses are “dramatically underestimating” the impact of the General Data Protection Regulation (GDPR), according to the report, and appear to be behind schedule in making necessary changes, or are unaware of their obligations under the new rules. While the law is currently in effect, companies have until May 2018 to be compliant with the rules. The Irish Times also cited a survey showing that two-thirds of 150 businesses in Ireland “did not realize what they would have to do regarding the GDPR.”

Any company that handles personal data of EU citizens must comply with the GDPR. The rules cover a wide range of data protection issues, and include new requirements for handling personal data and reporting data breaches. Findings of the 2017 Corporate Accountability Index showed that most companies lacked transparency about how they handle user information, and only three of the 22 companies evaluated disclosed any information about their process for responding to data breaches.

Companies and rights groups to protest net neutrality rollback in the U.S.

Image via Battle for the Net

Several companies, including Amazon, Netflix, and Reddit are joining with civil society advocates for an “internet-wide day of action to save net neutrality” to protest the Federal Communications Commission (FCC) plan to repeal the current net neutrality rules. In February 2015, the FCC classified internet service providers as “common carriers” under Title II of the Communications Act, protecting the principle of net neutrality—requiring carriers to treat all types of content and traffic equally. The measure was hailed by internet rights groups since it created strong protections for net neutrality, helping to ensure equal access to content and the free flow of information online.

In May 2017, the FCC voted to begin the process of repealing the 2015 net neutrality rules and the Title II classification for ISPs. On July 12, websites participating in the day of action will display a message about the importance of net neutrality and provide a prompt for users to submit a comment to the FCC and Congress in support of strong net neutrality protections.

While some telecommunications companies support net neutrality, our research shows they may lack transparency about their network management policies and practices. The Corporate Accountability Index evaluates if companies disclose whether they engage in practices that affect the flow of network traffic, like by prioritizing certain content or throttling traffic. We expect companies to avoid these types of practices unless for legitimate traffic management reasons, like to ensure the flow of traffic through their networks. If companies do engage in throttling, traffic shaping, or prioritization, we expect them to publicly disclose this and to explain their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

16 Jun Russia moves forward with banning anonymous use of messaging apps, Australian government sets its sights on encryption, and research finds majority of apps share user data with third parties

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Russian legislature considering banning anonymous use of messaging apps

Identity policy scores from the 2017 Corporate Accountability Index

Russian lawmakers are discussing a bill that would ban anonymity on certain messaging apps. If passed, the law would require users to verify their identities using their mobile phone number, and services that continue to allow anonymous users could be fined or blocked. Russian law requires telecommunications companies to verify the identities of their subscribers; mobile phone numbers are therefore directly linked to an individual’s offline identity. In a similar move against online anonymity, Russian lawmakers also recently submitted draft legislation to ban Virtual Private Networks (VPNs) and other internet anonymizers that allow internet users to access blocked content.

The ability to communicate anonymously is essential to ensuring freedom of expression. The 2017 Corporate Accountability Index evaluates if companies disclose whether they require users to verify their identity with a government-issued identification or with other forms of identification that could be connected to their offline identity. Our research showed that 10 of 12 internet and mobile companies disclosed a policy requiring users to verify their identity as a condition of using at least one of the company’s services evaluated. Of the two Russian companies, Yandex disclosed that it may require users to verify their identities for all services, while Mail.Ru disclosed this requirement for one of its services.

As noted in our recommendations, governments should respect the right to anonymous online activity as central to freedom of expression, privacy, and human rights, and refrain from requiring companies to document users’ identities when it is not essential to the provision of service.

Australian government suggests plans for greater access to encrypted communications

The Australian government announced it is considering legal measures that would place greater obligation on companies to assist authorities in decrypting user communications. Prime Minister Malcolm Turnbull called for stronger cooperation between tech companies and authorities to fight extremism, so that “terrorists and organized criminals are not able to operate with impunity in ungoverned digital spaces online.” The Australian government said it plans to raise this issue with the other members of the Five Eyes intelligence network (the U.S., UK, Canada, and New Zealand), during the group’s next meeting later this month.

As highlighted in the 2017 Corporate Accountability Index, governments should not adopt measures to undermine encryption. Strong encryption is vital not only for human rights, but also for economic and political security, and technical experts note that weakening encryption creates significant risks to privacy and security.

Research finds majority of apps share user data with third parties

According to researchers at UC Berkeley and IMDEA Networks Institute, more than 70% of apps share user data with third-party services. Once users give an app permission to access their data, app developers can share this with third-party companies, potentially without the user’s knowledge or consent, according to the research. And if different apps use code from the same third-party software library, these software library developers may be able to aggregate user information from different apps to build detailed user profiles.

These findings are based on data collected through an Android app called the Lumen Privacy Monitor, which allows users to monitor what information the apps they have installed are collecting, and with whom it is being shared. The app, after obtaining user consent, also shares non-personal data with researchers about the scope of data being collected and shared.

Of the three mobile ecosystem companies (Apple, Google, and Samsung) evaluated in the 2017 Corporate Accountability Index, none disclosed that they evaluate whether the third-party apps offered in their app stores disclose what information they share with other third-parties, and with whom they share it.