Russian internet companies can do better despite tough legal environment
The Russian internet environment has grown increasingly restrictive. Companies face serious legal, regulatory, and political challenges that limit their ability to respect users' freedom of expression and privacy rights.
In 2017 the Corporate Accountability Index evaluated two Russian internet companies, Mail.Ru and Yandex. Both companies scored poorly: Yandex ranked eighth out of the 12 internet companies evaluated, and Mail.Ru performed even worse, ranking 10th. Results showed that both companies disclosed little about policies and practices affecting users' freedom of expression and privacy compared with most other internet companies evaluated.
While both companies failed to meet the basic benchmarks of transparency, variations in levels of disclosure indicate there is room for Russian internet companies to make different policy choices that reflect different levels of respect for users' rights, even within the country's restrictive internet environment.
While the Russian constitution guarantees freedom of expression, in practice that right is increasingly curtailed, especially online. However, unlike in China, in Russia there is relatively limited blocking of foreign platforms, with the notable exception of LinkedIn, which has been blocked since late 2016, in part due to non-compliance with Russia's data localization law. Foreign companies like Facebook, Google, and Twitter have access to the Russian market, though it remains to be seen how long that will last, given that Russia's media regulator Roskomnadzor stated plans to start enforcing the data localization law against international companies this year.
Still, in the past few years, authorities have tightened control over the internet, in a broader crackdown on expression both on and offline. Growing intermediary liability, mass surveillance (SORM), and a pattern of physical and digital intimidation and retribution against regime critics and independent civil society all contribute to an environment that severely limits companies' ability to make any public commitments to human rights.
Differences in scores between Mail.Ru and Yandex shed light on specific areas in which Russian companies can reasonably be held responsible despite their challenging home environment.
The limitations created by the Russian political and regulatory environment are reflected in low scores for both Mail.Ru and Yandex in the Index's Governance category, which measures if and how companies institutionalize commitments to freedom of expression and privacy, as codified in various international human rights instruments, including in the U.N. Guiding Principles on Business and Human Rights.
- Russian companies can make commitments to respect users' rights and demonstrate efforts to implement those commitments.
- Both companies were among the worst performers in this year's Index on governance indicators, along with the two Chinese internet companies, Baidu and Tencent. Neither company offered a formal policy commitment to human rights, as measured in Indicator G1, and both disclosed little about if and how respect for users' freedom of expression and privacy are institutionalized within the company.
- Yet even in this category, Yandex proved some disclosure of human rights commitments is possible: the company received some credit on human rights due diligence for publishing a risk assessment of the impact of Russian law on user privacy (G4) — an indicator on which few companies across the entire Index scored well.
Freedom of Expression
In the Freedom of Expression category, both companies scored poorly, although Yandex scored ahead of Mail.Ru by two percentage points. Yet, variations in disclosure between Mail.Ru and Yandex reveal areas where both companies can improve:
- Tell users more about processes for responding to government and private requests for user information, or to restrict content or accounts. Russian internet companies can disclose more information about how they handle these types of third-party requests.
- Both companies disclosed little information about how they handle government or private requests to block content or restrict user accounts (F5-F7), and neither published any data about the number of government requests it receives or complies with (F6), although there are no laws prohibiting Russian companies from doing so.
- Yandex offered more disclosure than Mail.Ru about its process for considering such requests (F5). It also stood out for being among just a few companies, including top-performing Google, Yahoo, Microsoft, and Twitter, that disclosed any information about compliance with private requests to remove content in response to Russia's new "Right to be Forgotten" law (F7). This indicates that Russian companies can disclose more about their processes for responding to both government and private requests to remove content.
- Refrain from requiring users to register their identity. While internet service providers and telecommunications companies are required to verify the identities of their users, internet companies are not.
- Yandex fell behind Mail.Ru on one indicator in this category: F11, which measures if companies clearly disclose whether they require users to verify their identity with a government-issued identification or with another form of identification that could be connected to their offline identity. Mail.Ru's social network VKontakte disclosed it requires users to provide a mobile phone number and states that it may ask to verify a user's real identity in case a user needs tech support, while Yandex disclosed it can ask users to confirm their offline identity and may deny access to services to users who do not comply. Russian internet service providers and telecommunications companies are legally required to verify the identities of their users, but this does not apply to internet companies. In Russia, having to provide a mobile phone number is equivalent to providing proof of ID, since identification is required to obtain a mobile account.
The biggest difference between the Russian internet companies evaluated was found in the Privacy category, where Yandex outscored Mail.Ru by more than 10 percentage points. Differences in scores highlight the following areas for improvement:
- Disclose more about how government and private requests for user information are handled. No law prevents Russian companies from disclosing information about how they process and comply with third-party requests for user information.
- Both companies disclosed significantly less than most of their peers about how they handle government and private requests for user information (P10, P11), and neither published any data about the number of these requests they receive or comply with (P11). However, since Russian authorities may have direct access to communications data, it may be impossible for companies to publish data on government requests for user information, since they may not know themselves how often various agencies exercise their authority under SORM. But this does not prevent companies from disclosing more information about their process for responding to government and private requests (P10), or from publishing data about private requests for user data they receive and comply with.
- Demonstrate strong commitment to users' security. Russian companies can do more to disclose what they do to keep user information secure.
- Yandex was among the top-performing companies in the Index regarding disclosure of its security policies, outscored by only Google and tying with AT&T on these indicators (P13-P18). The company disclosed a particularly strong bug bounty program that allows independent researchers to report security vulnerabilities (P14). In contrast, Mail.Ru provided minimal disclosure of its security policies, though it performed better than four other internet and mobile companies, including Twitter, on this set of indicators.
- Yandex received one of the top scores in the Index for disclosure of its encryption policies, on par with that of Apple (P16). The company's high score on this indicator comes despite restrictions by Russian authorities that limit companies' abilities to offer true encryption to users. Companies that offer encryption are legally required to assist Russian authorities in accessing communications, effectively prohibiting end-to-end encryption or requiring that companies provide the authorities with decryption keys. Yandex, however, disclosed more about its encryption policies than most companies evaluated in the Index, including Mail.Ru. This indicates that Russian companies can disclose more about their encryption policies and practices, despite current legal obligations.