Yandex N. V.
Key findings
- Yandex disclosed little about policies affecting users’ freedom of expression and privacy, but more than Mail.Ru, the other Russian internet company evaluated.
- Yandex disclosed almost nothing about how it handles government demands to remove content or to hand over user data, although it is not illegal to disclose at least some information about its processes for responding to these types of requests.
- The company lacked clear disclosure of options users have to control what information the company collects and shares, and whether and how it tracks users across the internet using cookies, widgets, or other tracking tools.
Analysis
Yandex ranked ninth out of the 12 internet and mobile ecosystem companies evaluated, disclosing little about its policies and practices affecting freedom of expression and privacy. The company made no substantive improvements in the 2018 Index. Notably, Yandex continued to disclose more than Mail.Ru about policies related to users’ privacy. While Yandex operates in an increasingly restrictive internet environment that discourages companies from publicly committing to protect human rights, the company could still be more transparent about key policies affecting users’ freedom of expression and privacy. It could disclose more about its processes for handling government and private demands to restrict content or to hand over user information, as there are no legal obstacles preventing the company from doing so. Yandex could also improve its commitments to users’ privacy by clarifying its handling of user information, and giving users clear options to control what information the company collects and shares, and for how long it retains it, so that people can better understand the privacy, security, and human rights risks associated with Yandex services.
- Make a clear commitment to human rights. The company should express a clear commitment to freedom of expression and privacy as human rights, as there are no legal obstacles preventing the company from doing so.
- Be transparent about external requests. The company should disclose information about its handling of government requests to remove content and for user information, and indicate where laws may hinder full transparency.
- Clarify handling of user information. The company should improve disclosure of its handling of user data, including how long it retains it, and whether and how it tracks users across the internet.
Yandex N.V. provides a range of internet-based services in Russia and internationally, with products and services that include Yandex Search, the largest search engine in Russia, and email, cloud storage, and maps.
Governance
Yandex scored poorly in the Governance category, ranking among the lowest internet and mobile ecosystem companies evaluated, but tying with Mail.Ru. The company received credit on three of the six indicators in this category. It disclosed a whistleblowing mechanism for reporting violations to privacy-related issues (G3), and published information about the impact of Russian law on user privacy (G4). Yandex also disclosed limited information about a grievance mechanism for users to file complaints about content removed for copyright violations, but not about content removed for terms of service violations (G6).
Freedom of expression
Yandex ranked tenth out of the 12 internet and mobile ecosystem companies evaluated in the Freedom of Expression category, disclosing less than Mail.Ru and most other companies.
Content and account restrictions: Yandex disclosed little about how it enforces its terms of service (F3, F4), although it had a similar level of disclosure as Apple. Yandex disclosed more about what the rules are and how they are enforced (F3) than actual data about the content or accounts the company restricted for violating its own rules (F4), and did not make clear whether it notifies users when content or their accounts have been restricted (F8).
Content and account restriction requests: Yandex also had weak disclosure about how it handles government and private requests to restrict content or accounts (F5, F6, F7), although it outperformed Mail.Ru, Tencent, Baidu, and Samsung on these indicators. The company disclosed limited information about its process for responding to government and private requests for content and account restrictions (F5), and published no data on the number of government requests it received or complied with (F6).
Identity policy: Yandex disclosed that it can ask users to confirm their offline identity, and may deny access to services to users who do not comply (F11). Internet service providers, telecommunications companies, and instant messaging services in Russia are legally required to verify the identities of their users, but it is unclear if the regulations apply to internet companies like Yandex.
Privacy
Yandex disclosed less than most of its peers about policies affecting users’ privacy, but more than Tencent, Samsung, Mail.Ru, and Baidu.
Handling of user information: Yandex disclosed little about how it handles user information, but more than Mail.Ru. While the company disclosed some information about what types of user data it collects (P3), shares (P4), and for what purpose (P5), it revealed nothing about for how long it retains it (P6). While Yandex lacked clarity about what options users have to control what information the company collects and shares about them, it disclosed that users have options to control how their user information is used for targeted advertising (P7). However, Yandex failed to say whether and how it tracks users across the internet (P9), or if users can access all the information the company holds about them (P8).
Requests for user information: Yandex disclosed less than most of its peers but more than Mail.Ru about how it handles government and private requests for user information (P10-P12). It disclosed little about its process for responding to government or private requests for user information (P10) and supplied no data about requests it received or complied with (P11). However, since Russian authorities may have direct access to communications data, Russian companies may not be aware of the frequency or scope of user information accessed by authorities.
Security: Yandex disclosed more than most internet and mobile ecosystem companies about policies and practices for keeping user information secure, lagging behind only Google and Apple (P13-P18). It disclosed a particularly strong bug bounty program (P14). Like most of its peers, Yandex provided no information about how it responds to data breaches (P15). The company, however, received the second-highest score after Google for its disclosure of it encryption policies (P16), disclosing that the transmission of users’ communications is encrypted by default and with unique keys.