Internet and mobile companies

Mail.Ru Group Limited


Key findings

  • Mail.Ru failed to clearly disclose policies affecting users’ freedom of expression and privacy.
  • The company disclosed nothing about how it processes or complies with government and private requests to restrict content and accounts, or to hand over user information. Russian authorities may have direct access to user information without needing to request it, but Mail.Ru could disclose its processes for handling private requests.
  • Mail.Ru ranked lower than Yandex, the other Russian internet company evaluated, which disclosed more about its security practices and how it handles user information. These score differences highlight areas in which Mail.Ru could improve.
Services evaluated agent



Mail.Ru ranked 10th of 12 internet and mobile companies and 14th in the Index overall. As a Russian company, Mail.Ru faces clear challenges: The 2016 Freedom on the Net report by Freedom House rated Russia’s internet environment as “Not Free.” Russian companies must comply with laws that grant authorities broad powers to create internet “blacklists,” and participate in a mass surveillance program, SORM, which allows authorities to intercept communications and metadata. But these constraints do not fully explain Mail.Ru’s weak disclosure in a number of other areas. Mail.Ru scored six percentage points lower than Yandex, the other Russian internet company evaluated, highlighting areas where immediate improvement is possible. For Mail.Ru this includes disclosure of its processes for handling government and private requests for content and account restrictions, and requests to hand over user information, indicators on which Yandex scored higher.

Mail.Ru Group Limited provides online communication products and entertainment services in Russia and internationally. The company provides a search engine, social networking platforms, email services, and gaming and e-commerce services.

Internet Software and Services
USD 3,751 million



Governance

Mail.Ru scored poorly in the Governance category, earning the fourth-lowest score of all 22 companies evaluated, ahead of Axiata, Ooredoo, and Baidu. It received a small amount of credit on just two of the six indicators in this category. It disclosed a whistleblower program, although not specifically for reporting freedom of expression and privacy concerns (G3). It also disclosed an avenue for users to file complaints, including about blocked accounts, but offered no options for users to file privacy-related grievances (G6).

Freedom of expression


Mail.Ru received the fourth-lowest score of internet and mobile companies evaluated in this category, ahead of Samsung, Tencent, and Baidu.

Content and account restrictions: Mail.Ru disclosed far less than most other internet and mobile companies on these indicators (F3, F4, F8). While the company received some credit for disclosing what types of content and accounts are prohibited on its services, it also disclosed it can delete user content without notice and without explanation (F3). Mail.Ru did not provide data about the content or accounts it restricts for violating its terms (F4), nor did it disclose a policy to notify users when it restricts content or their account (F8).

Content and account restriction requests: Mail.Ru disclosed far less than most other internet and mobile companies, with the exception of Samsung, Baidu, and Tencent, on these indicators (F5-F7). Although there are no laws prohibiting Russian companies from disclosing information about government requests to restrict or block content or accounts, the company provided only minimal information about its processes for responding to these types of requests (F5) and no data about the number of requests from governments or private parties it receives or complies with (F6, F7).

Identity policy: Mail.Ru’s VKontakte, the social networking service, disclosed that it requires users to provide a mobile phone number and may ask to verify a user’s real identity in case a user needs tech support. Russian internet service providers and telecommunications companies are legally required to verify the identities of their users, but this requirement does not apply to companies such as Mail.Ru.



Privacy

In the Privacy category, Mail.Ru had the second-lowest score of the 12 internet and mobile companies, scoring better than only Baidu.

Handling of user information: Mail.Ru scored lower than all other internet and mobile companies except Baidu on these indicators (P3-P9). The company disclosed more information about what types of user information it collects (P3) than about what information it shares (P4), for what purpose (P5), and for how long it retains it (P6). Russian law does not prevent companies from fully disclosing user information retention policies.

Requests for user information: Mail.Ru and Samsung were the only two internet and mobile companies that did not disclose any information on policies for responding to requests by governments and private parties for user information (P10-P11). The company also provided no information about whether it notifies users when information has been requested about them (P12). However, since Russian authorities may have direct access to communications data through SORM, Russian companies may not be aware of the number of times, or for which users, government authorities access user information.

Security: Mail.Ru disclosed little about its security policies, but more than four other internet and mobile companies, including Twitter (P13-P18). Like most companies, it offered no information about its process for responding to data breaches (P15). While it disclosed that transmissions of user communications are encrypted by default, the company disclosed little else about its encryption policies, particularly in comparison to Yandex, the other Russian internet company evaluated (P16).