Internet and mobile ecosystem companies

Mail.Ru Group Limited

Domicile: Russia
Website: corp.mail.ru
Download company report: English | Русский

12

Key findings

  • Mail.Ru earned the lowest score of all internet and mobile ecosystem companies in the Index, disclosing less about policies affecting users’ freedom of expression and privacy than any of its peers, including Yandex, the other Russian internet company evaluated.
  • Mail.Ru disclosed almost nothing about how it handles government demands to remove content or hand over user data, although there are no legal barriers to disclosing at least some information about its processes for responding to these types of requests.
  • Mail.Ru lacked transparency about options users have to control and access their own information and the measures it takes to keep that information secure.
Services evaluated

Analysis

While Mail.Ru’s overall score improved slightly in this year’s Index,1 it earned the lowest score of all 12 internet and mobile ecosystem companies evaluated, disclosing the least about policies affecting freedom of expression and privacy than all other internet and mobile ecosystem companies evaluated.2 It disclosed significantly less than Yandex, the other Russian company evaluated, about its governance and oversight over freedom of expression and privacy issues at the company. It disclosed very little about how it handles government demands to remove content or hand over user data, and lacked transparency about options users have to control and access their own information. It also disclosed little about the measures it takes to keep that information secure. While operating in an increasingly restrictive internet environment, it could be more transparent about key policies and practices affecting freedom of expression and privacy, such as its content moderation policies, how it handles user information, and how it keeps that information secure.3



Mail.Ru Group Limited provides online communication products and entertainment services in Russia and internationally. Services include a search engine, social networking platforms, email services, and gaming and e-commerce platforms.

Market cap: USD 5.4 billion4
LSE: MAIL

  • Make a clear commitment to human rights: Mail.Ru should make a clear commitment to respect freedom of expression and privacy as human rights, as there are no legal obstacles preventing it from doing so.
  • Be transparent about demands to block content or hand over user information: Mail.Ru should disclose information on its process for handling government requests to remove content or hand over user information, and indicate where laws may complicate full transparency.
  • Clarify handling of user information: Mail.Ru should improve disclosure of its handling of user data and communicate to users what steps it takes to keep that information secure.

Governance

Mail.Ru disclosed almost nothing about its governance and oversight over human rights issues at the company, and received the second-lowest score among internet and mobile ecosystem companies in this category. It did not publish a formal commitment to respect users’ freedom of expression and privacy (G1)—although the other Russian company evaluated, Yandex, did publish such a commitment, demonstrating that such disclosure is possible. It disclosed some information about a whistleblower program for employees to raise concerns about violations of its code of conduct, though it was not clear if the scope included human rights concerns (G3), and it provided a grievance mechanism for users to issue complaints related to freedom of expression and privacy issues, but failed to disclose comprehensive information about its process or time frame for providing remedy to these complaints (G6).

No score changes

Freedom of Expression

Mail.Ru disclosed little about policies affecting users’ freedom of expression, though it did disclose more than the other Russian company evaluated, Yandex. Mail.Ru’s terms for its services were not always easy to understand (F1), and it did not clearly disclose whether it provides notice to users when it changes its terms for all services evaluated (F2). It clearly disclosed its rules, but not its process for enforcing them (F3), and, like most companies in the Index, it disclosed no data about the volume and nature of content or accounts it restricted for terms of service violations (F4). Unlike Yandex, Mail.Ru did not disclose any information about whether it notifies users when it restricts their content or accounts (F8).

Mail.Ru disclosed almost nothing about its process for handling government and private requests to restrict content or accounts (F5-F7). It provided only minimal information about its processes for responding to these types of requests (F5), and offered no data about the number of requests it receives or complies with (F6, F7), although there are no laws prohibiting Mail.Ru from doing so.

No score changes

Privacy

Mail.Ru received the lowest privacy score of the 12 internet and mobile ecosystem companies evaluated. It was one of three internet and mobile ecosystem companies that failed to disclose any information about its processes for handling government and private requests for user information (P10, P11). Like many of its peers, it also disclosed nothing about whether it notifies users when their data has been requested (P12). However, since Russian authorities may have direct access to communications data, Russian companies may not be aware of when government authorities access user information.5

Mail.Ru disclosed less than all other internet and mobile ecosystem companies, including Yandex, about how it handles user information (P3-P9). It did not disclose anything about what user data it shares and with whom, aside from acknowledging that it may share user data with government authorities (P4). While it improved its disclosure of the purposes for which VKontakte collects user information (P5), a commitment previously disclosed by Mail.Ru to limit VKontakte’s use of user information for the purposes for which it is collected was no longer available (P5). On the plus side, VKontakte’s privacy policy was more transparent about how it collects user information from third-party websites using cookies (P9).

Mail.Ru disclosed less than most of its peers, including Yandex, about its policies for keeping user information secure (P13-P18). It failed to disclose if it limits and monitors employee access to user information (P13). It did, however, disclose that it has a mechanism for researchers to report security vulnerabilities (P14). Like most companies, it offered no information about its process for responding to data breaches (P15). It also disclosed little about its encryption policies, particularly in comparison to Yandex, the other Russian internet company evaluated, which received the second-highest score on this indicator (P16).

P5. Purpose for collecting and sharing user information

VKontakte’s commitment to limit its use of user information for the purposes for which it is collected was no longer available.

P9. Collection of user information from third parties (internet companies)

VKontakte’s privacy policy was more transparent about how it collects user information from third-party websites using cookies.

Footnotes

[1] For Mail.Ru’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/mailru 

[2] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[3] “Freedom on the Net” (Freedom House, November 2018), freedomhouse.org/report/freedom-net/2018/russia 

[4] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/MAIL:LI 

[5] Andrei Soldatov and Irina Borogan, “Inside the Red Web: Russia’s Back Door onto the Internet – Extract,” The Guardian, September 8, 2015, www.theguardian.com/world/2015/sep/08/red-web-book-russia-internet