
Corporate Accountability News Highlights (we are still experimenting with the name) is a new series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Hungarian Government in Hot Water Over Data Privacy

Hungarian Prime Minister Viktor Orbán and Russian President Vladimir Putin (Image via Kremlin.ru, licensed under a Creative Commons Attribution 4.0 International license)

The Hungarian government’s recent national consultation about EU policies on immigration and economic issues, “Let’s Stop Brussels!,” has come under fire not just for its skewed survey design, but also for the way that its website originally handled individuals’ data. As reported by the Hungarian investigative reporting outlet 444, the online survey portal originally included code for Yandex Metrika, a website analytics tool offered by Russian internet company Yandex (the code was removed from the site after the 444 story was published). The choice of a Russian website analytics tool is interesting in light of Hungarian Prime Minister Viktor Orbán’s moves for closer ties with Russia, which also prompted an opposition party campaign to place stickers on top of the government’s billboards about the consultation so they instead read “Let’s Stop Moscow!”

In addition to raising eyebrows over the potential geopolitical significance, the Hungarian government’s use of Yandex’s code also raised significant privacy concerns. Yandex Metrika includes a feature called “webvisor” which, when enabled, allows administrators to track mouse movements, clicks, keystrokes, entries, and other data to monitor how users interact with their sites. According to 444, not only was this feature enabled on the consultation website, but it was also set up to capture the information a user typed into all fields on the website—including name, age, and email address—potentially violating the site’s privacy policy, which stated that users’ personal data would not be shared with any third parties.

Although the 2017 Corporate Accountability Index did not examine Yandex Metrika as a service, we did evaluate Yandex as a company and several other services. We found that overall, Yandex had limited disclosure of its policies for collecting, using, sharing, and retaining user data. As noted in the Index’s Russian company analysis, Russian law enforcement authorities may have direct access to communications data through a mass surveillance system known as SORM.

This incident also highlights the importance of writing a clear and specific privacy policy and ensuring that all services used on the site are in compliance with the policy, so that users are aware of whom they are sharing their data with.

Facebook Cracks Down on Content

Facebook recently announced in a blog post that as part of its efforts in combatting spam, fake accounts, and “deceptive content,” it had taken action against over 30,000 accounts in France. This move comes shortly before the French presidential election, which according to Reuters, was a key motivator for the company’s efforts to combat misinformation on the platform.

In the 2017 Index, while Facebook received credit for disclosing some data about content that it restricts in response to government requests, the company was found to disclose no information about content and accounts it restricts for violating its terms of service. Although the disclosure in the recent blog post is a step in the right direction, the company should include such information in its transparency report, and also include data on actions it has taken to restrict content due to other reasons.

We (can’t) Chat – Citizen Lab Research on WeChat and Weibo Content Filtering

New research from Citizen Lab examining content filtering on two Chinese messaging and social networking platforms, WeChat (operated by Tencent, which was included in the 2017 Index) and Sina Weibo (not included in the 2017 Index), found evidence of image-based filtering on WeChat. Although it is understood that WeChat, along with other Chinese internet platforms and apps, filters sensitive keywords, this is the first documented instance of similar filtering based on images deemed “sensitive” (in this case, content relating to the detention of Chinese lawyers and activists).

In our 2017 Index, we noted that Tencent had limited disclosure on processes it uses to identify content or accounts that violate the company’s rules, and almost no disclosure on its processes for responding to third party requests for content removals. Both Chinese companies in the Index, Baidu and Tencent, had more limited disclosures on policies relating to users’ freedom of expression than for privacy.

New study claims the angle users hold their phones can help hackers guess PINs

New research from Newcastle University reveals how motion sensor data from when a user types a PIN into their phone can help hackers identify what that PIN is. This data alone is not enough for a would-be hacker to gain access, especially without also knowing how an individual holds his/her phone when typing in certain numbers. However, the study’s authors also noted that unlike a phone’s camera or microphone, many mobile apps and websites can access motion sensor data without asking a user’s permission, and that “people were far more concerned about the camera and GPS than they were about the silent sensors.”

This study is one example of why app permissions are important, as many apps may have access to this type of user data, and how information that’s not treated as sensitive for app permissions may help give away more private information than users may think. It’s important that mobile ecosystems serve as better gatekeepers for user privacy in their app stores. The Index looks for company disclosure that they review privacy policies of apps in a way that provides adequate privacy safeguards for users.

Digital rights groups in India and Pakistan have adapted the Ranking Digital Rights Corporate Accountability Index methodology to evaluate if and how telecommunications and internet companies in those countries disclose commitments to users’ freedom of expression and privacy.

The Centre for Internet and Society, an internet research institute based in India, applied the 2017 Index methodology to evaluate eight telecommunications and internet companies operating in India. Findings showed that while companies demonstrated some commitment to users’ privacy, most fell short in key areas. The organization held an event in January 2017 to launch the report as well as a rankathon for participants to learn more about the companies evaluated and to provide feedback on the methodology and ways to adopt it for future research.

In December 2016, Pakistan-based Digital Rights Foundation published a study examining privacy-related disclosures of five telecommunications companies, based on privacy indicators adapted from the Index methodology. Findings showed that not all privacy policies were available in Urdu or other languages commonly spoken in Pakistan, and that company policies for responding to government requests for user data were often unclear. The organization’s executive director, Nighat Dad, discussed some of these findings at our roundtable session at RightsCon on how to conduct research and advocacy focused on ICT companies.

These types of projects using the Index methodology allow for more in-depth analysis of how companies in different countries or regions commit to respecting users’ rights. We encourage researchers and civil society to adapt the Index methodology to launch research initiatives evaluating company disclosures of policies affecting users’ freedom of expression and privacy in their own countries and contexts.

The Corporate Accountability News Roundup is a new series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Twitter takes on Trump

According to Twitter, the Trump administration last week withdrew its attempt to force the company to reveal the identity of one of its users. The account, @ALT_USCIS, is one of several “alt agency” accounts created after President Donald Trump took office, and which tweets criticisms of the administration. In response, Twitter announced it was suing the US government on grounds the demand was “unlawful and unenforceable because it violates the First Amendment rights of both Twitter and its users by seeking to unmask the identity of one or more anonymous Twitter users voicing criticism of the government on matters of public concern.” Twitter dropped its lawsuit after the government withdrew the summons.

The Ranking Digital Rights 2017 Corporate Accountability Index looks for companies to disclose their processes for responding to government requests for user information, including if the company carries out due diligence on government requests before deciding how to respond, and commits to push back on inappropriate or overbroad government requests. This recent case is an example of Twitter implementing these commitments. Our research showed that Twitter clearly disclosed its processes for responding to government requests for user information (P10) and also topped all internet and mobile companies evaluated for its transparency reporting on the government and private requests it receives to hand over user information (P11).

In Europe: bans on encryption, hate speech

The EU Justice Commissioner Věra Jourová has indicated the European Commission will propose new rules this June allowing law enforcement to access information from encrypted apps. This follows pressure from the governments of France, Germany, and the UK, including the recent call from UK Home Secretary Amber Rudd for police to be able to access encrypted chats from WhatsApp and similar services. However, as technical experts have continued to caution, allowing such access would prevent companies from being able to deploy secure end-to-end encryption and would put user privacy at risk. In our recommendations for companies, we note that except where permitted by law, companies should publicly commit to implement the highest encryption standards available, including end-to-end encryption. The EU’s proposed rules could prevent companies from being able to do so.

Germany’s cabinet has approved a plan that would fine social media networks for not removing hate speech content quickly enough. This plan raises numerous freedom of expression concerns, and puts companies, rather than courts, in the position of determining what speech is legally permissible. As noted in our recommendations for governments, authorities should limit legal liability imposed on companies for their users’ speech and other activities, in consistency with the Manila Principles on Intermediary Liability.

New rumors about Google’s return to China

The South China Morning Post reported that Google is engaged in talks with the Chinese government to potentially re-enter the Chinese market with certain services, such as Google Scholar. Google has not confirmed or commented about these discussions or whether or not it plans to re-enter China. However, the company did announce that users in China can now download the Translate app, which the Washington Post writes may be a signal that the company is slowly moving back into the Chinese market. In 2010, Google formally withdrew from China and shut down its Chinese-language search engine, citing concerns over censorship. Google’s products are currently blocked by the Chinese government’s “Great Firewall” and are not available to Chinese users without use of censorship circumvention technology.

Tech companies should conduct human rights impact assessments (HRIAs) before launching new services or entering new markets, to identify any risks to user free expression and privacy and take necessary steps to mitigate these risks. This is particularly important before launching any services in markets, such as in China, where the government has a record of human rights abuses.

As our research in the 2017 Index showed, Google expressed a commitment to carry out HRIAs, stating: “Prior to localizing in a new market, the company approach is to first examine the government’s record with respect to freedom of expression and privacy by consulting reports prepared by NGOs and analyzing the laws that are relevant for freedom of expression and privacy in that country.” Therefore, if reports that Google is considering re-entry into China are true, Google should live up to its stated commitments and be carrying out human rights impact assessments that will help it determine whether or how its presence in China may change in the future.

Our research indicates that although many aspects of Chinese companies’ poor performance in the 2017 Index can be blamed on China’s legal and regulatory environment, there are some areas in which companies still have room to improve their disclosures on certain privacy and free expression issues. For more on this, check out our analysis comparing free expression and privacy disclosures from Baidu and Tencent.

Corporate transparency is essential to building public trust, according to Annette Fergusson, head of Vodafone Group’s Sustainable Business unit, who spoke on a panel for the European launch of the Ranking Digital Rights 2017 Corporate Accountability Index at RightsCon in Brussels on March 29.

The event featured Ranking Digital Rights (RDR) project director Rebecca MacKinnon, who was joined by a group of panelists to discuss results of the 2017 Index, which ranked 22 of the world’s largest internet, mobile, and telecommunications companies on their disclosed commitments to users’ freedom of expression and privacy. Along with Vodafone’s Fergusson, panelists included Silvia Grundmann, head of the Media and Internet division at the Council of Europe, Adam Kanzer, managing director of Domini Impact Investments, a socially responsible mutual fund, and Afef Abrougui, a researcher with Beirut-based Social Media Exchange Network (SMEX) and an RDR research affiliate. The session was moderated by Malavika Jayaram, executive director of the Digital Asia Hub, an internet research center based in Hong Kong.

Panelists discussed why companies should be transparent about policies affecting users’ freedom of expression and privacy. According to Fergusson, companies need to be transparent in order to gain users’ trust: “Without trust, we don’t have a social license to operate,” she said. Vodafone tied with AT&T for the top spot among the ten telecommunications companies ranked in the 2017 Index. Vodafone earned the highest score among telecommunications companies on the Index’s governance indicators, which measure a company’s institutionalized commitments to human rights, including to freedom of expression and privacy.

While transparency is essential, companies should also work to ensure that human rights commitments made at the parent level are followed through at all levels of the company, according to Abrougui. Telecommunications companies, for instance, can have different policies, and varying levels of policy disclosure, in the different markets in which they operate, she said.  

Kanzer noted that while there is a difference between measuring company disclosure of their policies and measuring their actual practices, policy transparency is an important first step.

Talking so companies will listen, listening so companies will talk

Also at RightsCon, RDR senior research fellow Nathalie Maréchal led a roundtable discussion called “How to Talk So Companies Will Listen, and Listen So Companies Will Talk: Doing Company Advocacy and Research.” The session brought together researchers, advocates, and industry representatives to share best practices for communicating their research or advocacy initiatives to companies.

Participants shared their experiences and strategies for engaging with companies through their work on a variety of projects, including the Fundación Karisma’s and Digital Rights Foundation’s research evaluating the privacy policies of telecommunications companies in Pakistan, and OpenNet Korea’s work with Citizen Lab researching the Korean app “Smart Sheriff.” UCLA professor Sarah Roberts also offered insights into her experiences engaging with companies as part of her research on commercial content moderation. Strategies for company engagement depend on the company and political contexts, and can include building long-term relationships with human rights allies within companies, according to participants.

Michael Samway, former Vice President and Deputy General Counsel at Yahoo! Inc. who founded the company’s Business and Human Rights Program, noted that trust between advocates and companies is only formed through years of engagement, and that for advocates, it is crucial to have practical solutions in mind before approaching a company.

Samway, who serves as an RDR advisory board member, was also interviewed at RightsCon for a podcast discussion about the evolution of the broader business and human rights movement, and how advocates and other stakeholders can achieve meaningful engagement with companies.

This year’s RightsCon event in Brussels brought together 1,500 participants from 100 countries, according to event organizer Access Now. We look forward to seeing everyone next year at the seventh annual RightsCon conference in Toronto!

Since its release on March 23, the 2017 Ranking Digital Rights Corporate Accountability Index has received attention from NGOs and media outlets around the world.

According to Cynthia Wong of Human Rights Watch, the Index “provides users with a crucial assessment about company policies, and a roadmap for the basic standards firms must meet if they hope to earn our trust by respecting our privacy and freedom of expression.”

Ranking Digital Rights (RDR) partner Access Now highlighted the Index’s findings showing that telecommunications companies lack transparency about their processes for responding to network shutdown requests from governments. “Telcos can often be required to shut down the internet at risk of losing their licenses to operate, but still have options to push back against governments,” according to the organization. “Ranking Digital Rights illuminates many ways for telcos to increase transparency on their shutdown policies and practices.”

R3D, a digital rights organization based in Mexico, also published a piece spotlighting the performance of Mexican telecommunications company América Móvil, which ranked fifth out of the 10 telecommunications companies evaluated in the 2017 Index.

The Global Network Initiative (GNI) issued a statement highlighting a key Index finding that GNI and Telecommunications Industry Dialogue (TID) members were among the top performers in the Index.

Index findings were also reported in Yahoo Finance, Observer, Media Power Monitor, Vocativ, Global Voices Advox, Entrepreneur, and CSO Australia. The China Digital Times and Hong Kong Free Press reviewed the differences between the two Chinese companies evaluated, Baidu and Tencent.

In addition, RDR team members were interviewed and invited to write pieces about the 2017 Index research. On NPR’s Weekend Edition, RDR project director Rebecca MacKinnon discussed key findings of the Index and what these findings mean for users’ freedom of expression and privacy. “What’s really important is that companies be transparent, so people know who to hold accountable,” she said. “If your content is being removed or you’re being prevented from accessing certain information, you need to know who is responsible for that decision.”

In the Consumerist, senior research fellow Nathalie Maréchal discussed the Index findings related to mobile ecosystems. Our research showed that all three mobile ecosystems evaluated (Apple iOS, Google Android, and Samsung’s implementation of Android) failed to sufficiently disclose policies affecting users’ freedom of expression and privacy. In a piece for Global Voices Advocacy, Maréchal also discussed how cheaper smartphones can leave users more vulnerable to online threats and hacking, highlighting the importance of company disclosure of how they address security vulnerabilities.

In Slate, policy and communications analyst Ilana Ullman discussed the issue of Facebook and Twitter providing access to Geofeedia, a third-party developer that marketed its social media-monitoring product as a surveillance tool to U.S. law enforcement. The issue highlights why social networks need more clear terms of service, according to Ullman. “Social media companies must be more transparent with their users about the steps they are taking to crack down on surveillance tool developers like Geofeedia, and provide evidence that these commitments are being implemented,” she wrote.

In the New America Weekly, senior research analyst Laura Reed discussed how the recent roll back of the FCC’s broadband privacy guidelines will negatively impact transparency and public accountability around how companies handle users’ information. “All companies should, at the very least, tell users what they are doing with their personal information,” according to Reed.

Read more about the 2017 Index, key findings, and recommendations. The full report and raw data can be downloaded here.