On May 10, Ranking Digital Rights (RDR) team members Lisa Gutermuth and Ilana Ullman presented findings of the 2017 Corporate Accountability Index at Re:publica, an annual conference on technology and society held in Berlin.

In their session, the RDR team reviewed Index research which found that the world’s major internet, mobile, and telecommunications companies lack disclosure of policies affecting users’ freedom of expression and privacy. To illustrate this, they discussed this year’s research showing that companies failed to disclose enough about how they handle user information, and also did not clearly disclose policies for responding to data breaches, for which only three out of the 22 companies evaluated received any credit. The RDR team also explained how differences in scores between both Russian companies and both Chinese companies illustrated areas in which there is some degree of choice in policy disclosure despite the restrictive legal environment. They also presented several of the Index’s recommendations for companies and for governments.

Several RDR partners and researchers also presented their work at the event. Vladan Joler and Djordje Krivokapic of the SHARE Foundation presented their work on mapping Facebook’s algorithm, Gisela Pérez de Acha of Derechos Digitales presented on the “Right to be Forgotten” in Latin America, and Tanya Lokot, a lecturer at Dublin City University, facilitated a meetup on digital storytelling.

More than 9,000 participants attended Re:publica 2017, according to event organizers.

You can view the full presentation here.

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

John Oliver emphasizes corporate role in net neutrality debate

The debate over government enforcement of net neutrality principles in the U.S. has re-emerged in full force. On April 27, the FCC released a notice of proposed rulemaking (NPRM) that outlined its intention to deregulate the telecommunications industry and reverse the net neutrality provisions that were established with the 2015 Open Internet Order. This weekend, comedian John Oliver, in an echo of his hit 2014 net neutrality tirade, once again brought the topic of net neutrality to the masses with a feature segment. In addition to laying out his arguments in favor of net neutrality, Oliver also highlighted a point about corporate responsibility, noting past examples in which ISPs used their networks to favor their own content or services over those of their competitors. He argued that without regulatory enforcement, companies have little incentive to voluntarily abide by net neutrality principles.

Oliver’s remarks highlight the importance of regulatory enforcement to protect consumer rights in the absence of other accountability mechanisms. RDR’s methodology is based on companies’ disclosure of commitments and policies that respect users’ rights: in the Freedom of Expression category we evaluate whether ISPs disclose that they do not block, prioritize, or delay content for reasons beyond assuring network quality and reliability. The results of the 2017 Index show that of the 10 ISPs evaluated, only U.K.-based Vodafone disclosed that it does not engage in these types of traffic management practices.

More mobile apps are “listening” for marketing beacons

Last week, scholars from the Technical University of Braunschweig presented new research at the IEEE European Symposium on Privacy and Security documenting a potentially growing privacy threat to mobile app users. The research findings, which were covered by several media outlets, identified 234 Android apps that are “constantly listening for ultrasonic beacons in the background,” compared to 39 found in December 2015 and just six found in April 2015. These mobile apps are equipped with technology that, if users grant the app permission to access the device’s microphone, uses the microphone to “listen” for ultrasonic tones that are emitted by advertisers. Companies such as Signal360 market products that use ultrasonic beacons to track users for advertising purposes — for example, a sports stadium might partner with a mobile app developer to send promotions to users of the mobile app when they walk into the stadium. These beacons aren’t only emitted at stadiums, though — they’re found in brick-and-mortar stores, billboards, online ads, television ads, etc., and can be used to link multiple devices to a single owner. These companies can then build profiles on users based on where they go and what they watch on TV or search for online. In 2015, the Center for Democracy and Technology filed comments with the FTC highlighting the privacy concerns presented by this type of cross-device tracking.

Mobile applications should clearly disclose what types of user information they might collect, how they collect this information, and the third parties with whom they share it, so that users can make informed decisions about the apps they choose to download and use. This includes information conveyed and collected via ultrasonic signals. In addition, companies that operate mobile ecosystems should make an effort to protect users by disclosing whether and to what extent they evaluate the privacy policies of the third-party apps in their app stores. The 2017 Index evaluated three mobile ecosystems (Google’s Android, Apple’s iOS, and Samsung’s implementation of Android) and found that, while companies may have guidelines regarding app privacy policies, none of these companies disclosed whether they evaluate the content of these policies.

Russia blacklists mobile messaging app WeChat

“Communication tools / iOS” (Image via Microsiervos on Flickr, CC BY 2.0)

On May 4, Russia’s telecommunications regulator, Roskomnadzor, added the mobile messaging app WeChat to its list of banned websites and information outlets for failing to register with the government as an “organizer of information.” The regulator has reportedly required ISPs to block more than two dozen IP addresses associated with Tencent, WeChat’s parent company. Companies that are registered as “organizers of information” are required to comply with a new set of amendments known as Yarovaya’s Law passed last July, including requirements to store users’ metadata and communications content on servers located in Russia, hand over this data at the request of Russian authorities, and assist the government in decrypting encrypted data.

As Freedom House noted in their Freedom on the Net 2016 report, more governments are cracking down on communication apps than ever before. Companies around the world face pressure from governments trying to censor content or conduct surveillance. RDR’s methodology awards credit to companies that report on the requests they receive from governments to block access to online content or to restrict services. It also rewards companies for disclosing that user communications and content are encrypted, and if not, it expects companies to disclose the sharing of user information with government authorities.

Turkish government blocks Wikipedia

Image via Wikimedia foundation (Licensed CC BY-SA 3.0)

The Turkish government blocked Wikipedia this week, citing a law that gives authorities the ability to block websites they deem obscene or a threat to national security. “Instead of coordinating against terrorism, it [Wikipedia] has become part of an information source which is running a smear campaign against Turkey in the international arena,” the government said. The Wikimedia Foundation issued a statement refuting the government’s claims and urging authorities to remove the block. “We strongly oppose censorship or threats that lead to self-censorship,” stated Wikimedia.

Blocking Wikipedia is the Turkish government’s latest crackdown on freedom of expression on online platforms. Turkey was rated “Not Free” in Freedom House’s annual Freedom on the Net report, which noted the government has, on numerous occasions, temporarily blocked social media services including Twitter, Facebook, WhatsApp and YouTube. According to Twitter’s most recent transparency report, Turkey had the greatest number of government requests for content removal, both in terms of court orders (844 requests) as well as requests from government agencies, police, and other government authorities (2,232 requests).

UK Parliament: Social media companies should do more to police content

A new report by the UK Parliament’s Home Affairs Select Committee calls on social media companies like Twitter, Facebook, and Google to do more to monitor and remove illegal content. The report criticizes these companies for being “shamefully far” from addressing “illegal and dangerous content,” claiming that they should be able to use the same technology used to identify and take down content for copyright infringement to identify and remove hate speech and extremist content. The report recommended the UK government consider fining companies that fail to remove illegal content quickly enough, referencing a law recently proposed in Germany.

Some privacy advocates warn that such efforts to curb extremist content could lead to increased government censorship and that automating the process could make it more likely that legal content is erroneously removed.

As highlighted in the 2017 Corporate Accountability Index, some companies, like Google, Microsoft and Twitter, are starting to publish data about content that they remove for violating their rules. For instance, in a 2016 blog post Twitter published some information on these takedowns. The company’s most recent transparency report included data about content that was removed, following a government request, due to terms of service violations.

Companies pledge compliance with EU data protection rules

Google, Microsoft, and Amazon have committed to ensuring that their cloud services will be compliant with new European Union rules on data privacy, which come into effect in May 2018. The General Data Protection Regulation (GDPR), which European lawmakers adopted in April 2016, specifies new, EU-wide privacy rules for handling personal information of EU citizens.

The GDPR requires companies to adhere to the principle of data minimization, to have accountability measures which may include appointing a Data Privacy Officer, and to abide by new requirements for reporting data breaches. Findings of the 2017 Corporate Accountability Index showed that the companies evaluated disclosed little information about policies for responding to data breaches. Only three of the 22 companies we evaluated revealed some information about whether they notify authorities or users who might be affected by a data breach.

Uber, Apple, and user privacy

The New York Times reported that in 2015 Uber ran afoul of Apple’s privacy rules by adding a feature to its iPhone app that allowed it to identify devices even after users had deleted the Uber app or erased all contents on the device. The practice, known as “fingerprinting,” tracks devices using their Unique Device Identifier (UDID), something Apple announced in 2013 it would no longer allow app developers to do. According to the article, Uber engineers “geofenced” Apple’s headquarters in Cupertino, California in an effort to hide that portion of the code from Apple employees. After discovering the code in 2015, Apple CEO Tim Cook demanded that Uber stop fingerprinting devices or it would be banned from the App Store, according to The New York Times.

This issue puts a spotlight on the need for mobile ecosystem companies like Apple, Google, and Samsung, to have clear and transparent user-information collection and retention policies for third-party apps hosted on their app stores. Findings of the 2017 Corporate Accountability Index showed that all three mobile ecosystems evaluated fell short in this regard. While all three companies disclosed they require third-party apps that collect user data to have privacy policies, none disclosed that they review the content of these policies for compliance with app store rules.

German Court bans WhatsApp from sharing user data with other Facebook services

A German court has upheld an order banning Facebook from collecting data on WhatsApp users in Germany. The court ruled that Facebook, which owns WhatsApp, must obtain user consent before its other services can process user information obtained from WhatsApp. WhatsApp updated its terms of service and privacy policy in August 2016 to state that it could share certain user data with Facebook, like a user’s phone number, in order to improve ad targeting. The German case is one of several ongoing legal challenges the company is facing in the EU over its WhatsApp user data-sharing practices.

Of the 12 internet companies evaluated in the 2017 Corporate Accountability Index, Facebook received the lowest score on our indicator evaluating disclosure of the options users have to control what information the company collects, retains, and uses. Our research found that WhatsApp did not fully disclose the options users have to control what information is collected or how their information is used for targeted advertising.

ISPs in Kashmir ordered to block social media and messaging services

Authorities in the northern Indian state of Jammu and Kashmir have ordered all ISPs to block 22 social networks and messaging apps for one month or until further notice. The services include the social networks Facebook, Twitter, and QZone, and the messaging and VoIP services and apps Skype, WhatsApp, and WeChat, which authorities claim were “being misused by anti-national and anti-social elements” in the Kashmir Valley to disturb “peace and tranquility.” Authorities previously ordered telecommunications companies to suspend 3G and 4G mobile internet services after several videos circulating online of security forces abusing civilians drew outrage from Kashmiris.

The rise of network shutdown orders by governments has sparked growing concern among human rights groups and policy makers around the world. In 2016, India had the highest number of internet shutdowns in the world, with 31 instances of internet shutdowns in Jammu and Kashmir since 2012, according to the Software Freedom Law Centre. The UN Human Rights Council in 2016 condemned network shutdowns as a violation of international human rights law and called on governments to refrain from taking these actions. At the same time, companies should push back on government demands to shut down networks, and clearly explain the circumstances under which they comply with such requests. Findings of the 2017 Corporate Accountability Index showed that all telecommunications companies evaluated failed to meet this obligation to varying extents, and none disclosed sufficient information about their policies for responding to network shutdown requests.

Corporate Accountability News Highlights (we are still experimenting with the name) is a new series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Hungarian Government in Hot Water Over Data Privacy

Hungarian Prime Minister Viktor Orbán and Russian President Vladimir Putin (Image via Kremlin.ru, licensed under a Creative Commons Attribution 4.0 International license)

The Hungarian government’s recent national consultation about EU policies on immigration and economic issues, “Let’s Stop Brussels!,” has come under fire not just for its skewed survey design, but also for the way that its website originally handled individuals’ data. As reported by the Hungarian investigative reporting outlet 444, the online survey portal originally included code for Yandex Metrika, a website analytics tool offered by Russian internet company Yandex (the code was removed from the site after the 444 story was published). The choice of a Russian website analytics tool is interesting in light of Hungarian Prime Minister Viktor Orbán’s moves for closer ties with Russia, which also prompted an opposition party campaign to place stickers on top of the government’s billboards about the consultation so they instead read “Let’s Stop Moscow!”

In addition to raising eyebrows over the potential geopolitical significance, the Hungarian government’s use of Yandex’s code also raised significant privacy concerns. Yandex Metrika includes a feature called “webvisor” which, when enabled, allows administrators to track mouse movements, clicks, keystrokes, entries, and other data to monitor how users interact with their sites. According to 444, not only was this feature enabled on the consultation website, but it was also set up to capture the information a user typed into all fields on the website—including name, age, and email address—potentially violating the site’s privacy policy, which stated that users’ personal data would not be shared with any third parties.

Although the 2017 Corporate Accountability Index did not examine Yandex Metrika as a service, we did evaluate Yandex as a company, along with several of its other services. We found that overall, Yandex had limited disclosure of its policies for collecting, using, sharing, and retaining user data. As noted in the Index’s Russian company analysis, Russian law enforcement authorities may have direct access to communications data through a mass surveillance system known as SORM.

This incident also highlights the importance of writing a clear and specific privacy policy and ensuring that all services used on the site are in compliance with the policy, so that users are aware of with whom they are sharing their data.

Facebook Cracks Down on Content

Facebook recently announced in a blog post that as part of its efforts in combatting spam, fake accounts, and “deceptive content,” it had taken action against over 30,000 accounts in France. This move comes shortly before the French presidential election, which according to Reuters, was a key motivator for the company’s efforts to combat misinformation on the platform.

In the 2017 Index, while Facebook received credit for disclosing some data about content that it restricts in response to government requests, the company was found to disclose no information about content and accounts it restricts for violating its terms of service. Although the disclosure in the recent blog post is a step in the right direction, the company should include such information in its transparency report, and also include data on actions it has taken to restrict content due to other reasons.

We (can’t) Chat – Citizen Lab Research on WeChat and Weibo Content Filtering

New research from Citizen Lab examining content filtering on two Chinese messaging and social networking platforms, WeChat (operated by Tencent, which was included in the 2017 Index) and Sina Weibo (not included in the 2017 Index), found evidence of image-based filtering on WeChat. Although it is understood that WeChat, along with other Chinese internet platforms and apps, filters sensitive keywords, this is the first documented instance of similar filtering based on images deemed “sensitive” (in this case, content relating to the detention of Chinese lawyers and activists).

In our 2017 Index, we noted that Tencent had limited disclosure on processes it uses to identify content or accounts that violate the company’s rules, and almost no disclosure on its processes for responding to third party requests for content removals. Both Chinese companies in the Index, Baidu and Tencent, had more limited disclosures on policies relating to users’ freedom of expression than for privacy.

New study claims the angle users hold their phones can help hackers guess PINs

New research from Newcastle University reveals how motion sensor data captured while a user types a PIN into their phone can help hackers identify what that PIN is. This data alone is not enough for a would-be hacker to gain access, especially without also knowing how an individual holds his/her phone when typing in certain numbers. However, the study’s authors also noted that, unlike a phone’s camera or microphone, many mobile apps and websites can access motion sensor data without asking a user’s permission, and that “people were far more concerned about the camera and GPS than they were about the silent sensors.”

This study is one example of why app permissions are important, since many apps may have access to this type of user data, and of how information that is not treated as sensitive for app permissions may give away more private information than users expect. It’s important that mobile ecosystems serve as better gatekeepers for user privacy in their app stores. The Index looks for company disclosure that they review the privacy policies of apps in a way that provides adequate privacy safeguards for users.