Internet and Mobile Ecosystem Companies

Mail.Ru Group Limited

Russia
11

Key findings

  • Mail.Ru disclosed less than most other internet and mobile ecosystem companies about policies affecting users’ freedom of expression and privacy.
  • The company disclosed almost nothing about how it handles government demands to remove content or hand over user data, although it is not illegal to disclose at least some information about its processes for responding to these types of requests.
  • The company lacked transparency about what user data it collects and shares, and for what purposes, including for the use of targeted advertising, as well as what measures it takes to keep this data secure.

Services evaluated

Analysis

Mail.Ru ranked 11th of the 12 internet and mobile ecosystem companies evaluated, disclosing little about policies affecting freedom of expression and privacy. It made no improvements in the 2018 Index. Notably, the company disclosed significantly less about its privacy policies than Yandex, the other Russian company evaluated. While operating in an increasingly restrictive internet environment that discourages companies from publicly committing to protect human rights, the company could be more transparent about key policies and practices affecting freedom of expression and privacy. It could disclose more about its processes for handling government and private demands to restrict content or to hand over user information, as there are no legal obstacles preventing the company from doing so. Mail.Ru could also improve disclosure about its handling of user information—an area in which Yandex was more transparent—and give users clear options to control what information the company collects and shares, including for the use of targeted advertising.

  • Make a clear commitment to human rights. The company should make a clear commitment to respect freedom of expression and privacy as human rights, as there are no legal obstacles preventing it from doing so.
  • Be transparent about demands to block content and for user information. The company should disclose information on its handling of government requests to remove content and for user information, and indicate where laws may complicate full transparency.
  • Clarify handling of user information. The company should improve disclosure of its handling of user data and communicate to users what steps it takes to keep that information secure.

Mail.Ru Group Limited provides online communication products and entertainment services in Russia and internationally. Services include a search engine, social networking platforms, email services, and gaming and e-commerce services.

Internet Software and Services
USD 8.2 billion
LSE: MAIL

Governance

Mail.Ru scored poorly in the Governance category, tying with Yandex and Tencent for the second-lowest score among internet and mobile ecosystem companies. The company received some credit on just two of the six indicators in this category. It disclosed a whistleblower program, but not specifically for reporting freedom of expression and privacy concerns (G3), and disclosed a grievance mechanism for complaints related to freedom of expression, but not for privacy issues (G6).

Freedom of expression

Mail.Ru disclosed little about policies affecting users’ freedom of expression, tying with Samsung for the fourth-lowest score of internet and mobile ecosystem companies, ahead of Yandex, Tencent, and Baidu.

Content and account restrictions: Mail.Ru disclosed more than Yandex but less than other internet and mobile ecosystem companies about what the rules are and how they are enforced (F3). Like most companies in the Index, Mail.Ru disclosed no data about the volume and nature of content or accounts it restricts for terms of service violations (F4). Unlike Yandex, Mail.Ru did not disclose if it notifies users when it restricts content or their accounts (F8).

Content and account restriction requests: Mail.Ru disclosed almost nothing about its process for handling government and private requests to block content or user accounts (F5-F7). The company provided only minimal information about its processes for responding to these types of requests (F5), and offered no data about the number of requests from governments it received or complied with (F6, F7), although there are no laws prohibiting Mail.Ru from doing so.

Identity policy: VKontakte, Mail.Ru’s social networking service, disclosed that it requires users to provide a mobile phone number, and to verify their real identity if they need tech support. Internet service providers, telecommunications companies, and instant messaging services in Russia are legally required to verify the identities of their users, but it is unclear if the regulations apply to social network platforms like VKontakte.

Privacy

Mail.Ru received the second-lowest privacy score of the 12 internet and mobile ecosystem companies, scoring better than only Baidu.

Handling of user information: Mail.Ru disclosed less than all other internet and mobile ecosystem companies, including Yandex, about its handling of user information (P3-P9). While the company disclosed some information about what types of user data it collects (P3), shares (P4), and for what purpose (P5), it revealed little about how long it retains user information (P6). Mail.Ru also lacked clarity about what options users have to control the company’s collection of their data, including options to control how their information is used for targeted advertising (P7), or whether the company tracks users across the internet with cookies or widgets (P9).

Requests for user information: Mail.Ru was one of three internet and mobile ecosystem companies that failed to disclose any information about its processes for handling government and private requests for user information (P10, P11). Like many of its peers, the company also disclosed nothing about whether it notifies users when their data has been requested (P12). However, since Russian authorities may have direct access to communications data through SORM, Russian companies may not be aware of when government authorities access user information.

Security: Mail.Ru disclosed little about its security policies, but more than four other internet and mobile ecosystem companies, including Twitter (P13-P18). Like most companies, it offered no information about its process for responding to data breaches (P15). It also disclosed little about its encryption policies, particularly in comparison to Yandex, the other Russian internet company evaluated (P16).