Corporate Accountability News Highlights: Tech companies combat white supremacist content, Chinese companies face investigation over user content, and web host pushes back on Trump administration demand for website visitor info

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Tech companies combat white supremacist content

Image by Mark Dixon (Licensed CC BY 2.0)

Leading tech companies are  making new efforts to restrict white supremacist content, following the white supremacist rallies in Charlottesville, Virginia on August 11 and 12. Several companies terminated services for the Daily Stormer, a neo-Nazi website, after it posted an article disparaging Heather Heyer, a counter demonstrator who was killed during the rally on August 12. GoDaddy, a domain name registrar, terminated its service for the Daily Stormer, stating, “this type of article could incite additional violence, which violates our terms of service.” The Daily Stormer then moved its domain name registry to Google Domains, which also cancelled its service, citing a violation to its terms of service. Zoho, the website’s email provider, also cancelled its service due to a terms of service violation. Following the rally, Twitter also suspended the Daily Stormer’s account, and Facebook removed several pages affiliated with white supremacist groups.

Notably, Cloudflare, a content distribution network company that had previously publicly defended its decision to provide services to the Daily Stormer, also dropped the site. Cloudflare CEO Matthew Prince told the Verge, “This was my decision, I don’t think it’s CloudFlare’s policy and I think it’s an extremely dangerous decision in a lot of ways. I think that we as the internet need to have a conversation about where the right place for content restriction is…but there was no way we could have that conversation until we resolved this particular issue.”

Internet and social media companies have come under increasing pressure to do a better job policing extremist content. However, in doing so, it is important that these companies have clear guidelines, policies, and accountability mechanisms to ensure they do not censor legitimate free speech. Companies’ terms of service or user agreements, which outline what content and activities are not permitted, are also not always transparent or consistently enforced, making it difficult to determine what impact this may have on users’ freedom of expression rights. Only three of the 22 companies evaluated in the 2017 Corporate Accountability IndexGoogle, Microsoft, and Twitter—disclosed any data about the volume and nature of content they restricted for breaches to terms of service. Companies should clearly disclose the circumstances under which they may restrict content or user accounts, publish data about the volume and nature of actions they take to enforce these rules, and provide clear grievance and remedy mechanisms to address users’ concerns over violations to their freedom of expression rights as a result of actions taken by the company.Continue Reading

Corporate Accountability News Highlights: UK to overhaul data protection regulations, ISPs in India ordered to block thousands of sites including Internet Archive, U.S. NGOs warn new bill would create greater internet censorship

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

UK to revamp data protection rules

UK lawmakers have announced plans to revamp the country’s data protection rules in order to comply with the EU’s General Data Protection Regulation (GDPR), which come into force in May 2018. Under the proposed plans, the definition of “personal data” would be expanded to include IP addresses, internet cookies, and DNA. UK organizations could also face fines for not adequately addressing cybersecurity risks. Plans also include measures allowing UK citizens to demand that social media companies delete their data.

The GDPR, which will harmonize data protection laws across the EU, affects data protection regulations and practices globally. The rules apply to all “data processors” that handle data of EU citizens, regardless of where the data processors are based. As noted in our recommendations for the 2017 Corporate Accountability Index, governments should develop effective data protection regimes and privacy regulations in consultation with industry and civil society, with impact assessments to ensure that the laws can avoid unintended consequences for freedom of expression. Companies should also disclose more information about their GDPR compliance, and what this means for non-EU users.Continue Reading

Corporate Accountability News Highlights: Apple, Amazon comply with Chinese government VPN crackdown, Putin targets circumvention tech and chat apps, and Hungarian arrested after reporting security vulnerability

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Apple, Amazon comply with Chinese government VPN restrictions

The New York Times reports that Apple has removed several Virtual Private Network (VPN) apps from its China App Store at the the request of the Chinese government. Amazon’s Chinese partner, Beijing Sinnet Technology Co Ltd, which operates its cloud services in China, has also instructed its customers to stop using VPNs that have not been approved by Chinese authorities, and that it would shut down services for those who continued to do so, according to Reuters.

Internet users in China have anticipated a crackdown on VPNs, which users need to circumvent China’s “Great Firewall” and access blocked sites and content. According to The New York Times a number of the most popular foreign VPNs are no longer accessible from Apples App store. “We would obviously rather not remove the apps, but like we do in other countries, we follow the law wherever we do business,” Apple CEO Tim Cook said in response to the company’s decision to remove the VPN apps. “We strongly believe participating in markets and bringing benefits to customers is in the best interest of the folks there and in other countries as well,” he said.Continue Reading

Corporate Accountability News Highlights: Chinese social media censorship increases following Liu Xiaobo’s death, new report highlights Russian crackdown on freedom of expression online, and Verizon responds to third-party vendor data breach

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

Social media censorship on the rise in China following death of Liu Xiaobo

From Citizen Lab’s report: “Evidence of image censorship on WeChat’s group chat. A user with an international account attempts to send an image commemorating Liu Xiaobo’s death in a group chat. Users with China accounts in the group did not receive the message.” (Licensed CC BY 2.5 CA)

In China, online censorship of content related to human rights activist Liu Xiaobo has increased following his recent death, according to new research from Citizen Lab. Although certain terms relating to Liu have regularly been blocked, researchers found an increase in censorship of images and keywords on Chinese messaging app WeChat and social media platform Sina Weibo. According to the report, “the death of Liu marks a particularly critical moment for the Communist Party of China (CPC) and, as a result, Chinese Internet companies are facing direct or indirect government pressure to apply broad restrictions to content related to Liu.”Continue Reading

Corporate Accountability News Highlights: Tech companies join forces for “Day of Action” on Net Neutrality, EFF report shows tech companies can improve on user privacy, and Indian telco Reliance Jio responds to recent data breach reports

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. tech companies and NGOs rally against net neutrality rollback

Technology companies, NGOs, and websites rallied this week in an “internet-wide day of action to save net neutrality.” Companies including Amazon, Netflix, Twitter, and Tumblr were among the members of the “Battle for the Net” coalition, which urged internet users to tell Congress and the Federal Communications Commission (FCC) to uphold the Title II Net Neutrality rules. These rules were passed in 2015 and created strong protections for net neutrality in the U.S. by classifying internet service providers as “common carriers” under Title II of the Communications Act. The FCC is accepting public comments for its proposed plan to roll back these rules until July 17. The Internet Association, a trade organization that represents tech companies including Facebook, Google, and Microsoft, also launched its own campaign, walking users through the process for submitting an FCC public comment. According to “Day of Action” organizers, more than 1.6 million public comments were filed with the FCC, breaking the previous record for most public comments in a single day.

Digital rights advocates have promoted the importance of net neutrality to ensuring a free and open internet, and in turn, freedom of expression. The Corporate Accountability Index evaluates whether telecommunications companies disclose that they do not prioritize, block, or delay certain types of network traffic, other than for assuring network quality and reliability. If telecommunications companies do engage in these practices, we expect them to clearly disclose their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

New EFF report shows tech companies can do more to protect user privacy

Image via EFF (licensed CC-BY 3.0)

Tech companies can do more to stand up for our privacy, according to a new report from the Electronic Frontier Foundation (EFF). The EFF’s latest “Who Has Your Back?” report evaluates 26 U.S.-based tech companies’ policies for responding to government requests for user data. The companies were evaluated in categories including whether they follow industry-wide best practices, whether they notify users of government requests, and whether they have advocated for U.S. government surveillance reform. The EFF found that Amazon and WhatsApp lagged behind their internet industry peers, each earning two stars out of a possible five. Of the telecommunications companies, AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning one star.

The “Who Has Your Back” report and the Corporate Accountability Index both evaluate companies’ disclosed policies for responding to government requests for user data. Our findings also indicated that of the 22 companies that we evaluate, most did not disclose enough to users about their processes for responding to government and other third-party requests for user data. Because the EFF focuses on U.S.-based companies and their processes for responding to U.S. authorities, the report is also able to evaluate policies specific to the U.S. legal and political context. For example, legal reforms passed in 2015 allow companies to request judicial review of the gag orders that accompany all National Security Letters (NSLs). However, the EFF reports that fewer than half the companies evaluated publicly commit to request judicial review of all NSLs they receive. In a more positive finding, 21 of the 26 companies evaluated have called for U.S. surveillance reform of Section 702 of the FISA Amendments Act, which Congress will debate reauthorizing this year. With regard to transparency and best practices for respecting user rights, “public scrutiny has helped raise the floor on technology companies,” according to the report—but that all companies still have room for improvement.

Indian telco Reliance Jio investigating data breach reports

Indian telecommunications company Reliance Jio is investigating reports of a data breach after a website published personal information that appeared to belong to subscribers. The company has denied that a breach occurred and said the information appeared to be “unauthentic,” according to Reuters. However, the Indian Express reports the company filed a police complaint alleging “unlawful access to its systems,” which according to the outlet “would be the telecom firm’s first official acknowledgement of a system breach.” The information posted on the website included individuals’ names, email addresses, and phone numbers, and some individuals were able to verify their information had been published, according to reports. It is unclear how of the company’s 112 million subscribers may have had their information published on the site.

India does not have a law that requires companies to notify users when their information may have been included in a data breach.

Users entrust internet and telecommunications companies with a vast amount of personal information—including names, addresses, social security numbers, passwords, and financial information. Companies should take measures to ensure that users’ data is secure. As highlighted in our recommendations, governments should encourage companies to implement and disclose appropriate policies and procedures for data breaches, including through relevant legislation. However, we also expect companies to disclose their policies for responding to a breach before one occurs. Companies should clearly disclose that they will immediately notify the relevant authorities, as well as their processes for notifying data subjects who might be affected by a data breach, and what kinds of steps they will take to address the impact of a data breach on users. Our research has found that companies are not doing enough to make users aware of their data breach response policies. Only three of the 22 companies we evaluated—Telefónica, AT&T, and Vodafone—disclosed any information about their process for responding to data breaches.