Yandex ranked eighth out of 12 internet and mobile companies evaluated, and 12th in the Index overall. The company is new to this year’s ranking, joining Mail.Ru as the second Russian internet company evaluated by the Index. Notably, Yandex performed better than Mail.Ru, particularly on privacy-related disclosures, even though both companies operate within the restrictions of the Russian internet environment, which Freedom House rates as “Not Free.” Freedom House reports that companies for instance must comply with laws granting authorities broad powers to create internet “blacklists” and to participate in a mass surveillance system, SORM, that allows authorities to access communications and metadata.
Yandex N.V. provides a range of Internet-based services in Russia and internationally. The company’s products include the largest search engine in Russia, along with other services including email, cloud storage, and maps.
Yandex ranked 16th among all 22 companies evaluated in the Index in the Governance category. However, the company did have some notable disclosures: it disclosed a mechanism for employees and users to report violations to its code of conduct, which includes some aspects of privacy-related issues (G3), and received some credit on human rights due diligence for publishing a risk assessment on the impact of Russian law on user privacy (G4). Yandex also disclosed a grievance mechanism for users to file complaints about content removed for alleged copyright infringements, but not about content removed for terms of service violations (G6).
Yandex ranked seventh out of the 12 internet and mobile companies evaluated in the Freedom of Expression category, ahead of Apple, Tencent, Mail.Ru, and Baidu.
Content and account restrictions: Yandex disclosed little about how it enforces its terms of service (F3, F4, F8), although it had a similar level of disclosure as Apple and Mail.Ru. Yandex Search provided the most detailed disclosure about prohibited content of the three services evaluated (F3). However, Yandex did not publish any data about content or accounts the company restricts for violating its own rules (F4), and did not make clear whether it notifies users when content or their account has been restricted (F8).
Content and account restriction requests: Yandex also had weak disclosure about how it handles government and private requests to restrict content or accounts (F5, F6, F7), although it outperforms Apple, Mail.Ru, Tencent, Baidu, and Samsung on these indicators. The company did not clearly disclose its process for responding to government and third-party requests for account restrictions (F5), nor did it publish any data on the number of government requests it receives or complies with (F6). Yandex stood out for being among just a few companies—including top-performing Google, Yahoo, Microsoft and Twitter—that disclosed any information about compliance with private requests to remove content in response to Russia’s new “Right to be Forgotten” law.
Identity policy: Yandex disclosed that it can ask users to confirm their offline identity, and may deny access to services to users who do not comply (F11), although it is not explicitly required to do so by law.
Yandex ranked eighth out of the 12 internet and mobile companies evaluated in the Privacy category, ahead of Mail.Ru, Samsung, Tencent, and Baidu.
Handling of user information: Yandex disclosed more than Mail.Ru, Samsung, and Baidu about how it handles user information but there is much room for improvement. It provided some evidence about what user information it collects (P3), shares (P4), and why (P5) but did not reveal how long it retains user information (P6)—although it is not illegal to do so. Nor did it disclose if users can access the information the company holds about them (P8), or what information the company collects about the user from third parties (P9).
Requests for user information: Yandex disclosed little about its process for responding to government or private requests for user information (P10) and supplied no data about requests it receives or complies with (P11). However, since Russian authorities may have direct access to communications data through SORM, Russian companies may not be aware of the number of times, or for which users, government authorities access user information.
Security: Yandex was one of the top-performing companies on these indicators, behind only Google (P13-P18). It disclosed a particularly strong bug bounty program (P14). But like most companies, Yandex provided no information about how it responds to data breaches (P15). The company, however, received the second-highest score after Google for its disclosure more about it encryption policies, on par with Apple (P16). It disclosed that transmissions of users’ communications are encrypted by default and with unique keys.