2020 RDR Index
Digital platforms

Mail.Ru Group Limited

Rank: 8th
Score: 27%

Headquartered in Russia, Mail.Ru provides email, cloud storage, a search engine, messaging apps, and VK, the world’s most popular Russian-language social media platform. In the third quarter of 2020, VK had 72.9 million monthly active users in Russia.

Twitter
1
53%
Verizon Media
2
52%
Microsoft
3
50%
Google
4
48%
Facebook
5
45%
Apple
6
43%
Kakao
7
42%
Mail.Ru
8
27%
Yandex
8
27%
Alibaba
10
25%
Baidu
10
25%
Samsung
12
23%
Tencent
13
22%
Amazon
14
20%

Mail.Ru placed eighth out of 14 digital platforms, tying with its Russian peer Yandex. The company made some notable improvements in 2020, including by publishing a commitment to respect users’ freedom of expression and privacy rights. Nevertheless, Russia’s restrictive regulatory environment makes it difficult for companies like Mail.Ru to respect these rights in practice. Authorities increasingly pressure platforms to cooperate in censorship and surveillance demands. In 2019, a court rejected a lawsuit that opposition activists brought against VK, the social media platform operated by Mail.Ru, for providing their information to authorities. Mail.Ru disclosed nothing about how it responds to government censorship demands and provided no data on such requests, although Russian law does not prevent it from doing so. This lack of transparency contributed to Mail.Ru’s weak performance in the 2020 RDR Index, despite the progress it made in the governance and privacy categories.

Key takeaways

  • Mail.Ru disclosed almost nothing about how it handles government demands to remove content, although there are no legal barriers to disclosing at least some information about its processes for responding to these types of requests.
  • Mail.Ru disclosed nothing about the nature and volume of content it moderated to enforce its own rules.
  • Mail.Ru made notable strides by publishing a formal commitment to respect users’ freedom of expression and privacy rights but otherwise lacked evidence of strong governance and oversight over human rights commitments across the company’s operations.

Key recommendations

  • Be more transparent about government demands to block content or hand over user information. Mail.Ru should disclose its process for handling government demands to remove content and report data on the volume of such demands.
  • Be transparent about content moderation. Mail.Ru should publish data on content removed or accounts suspended for violations of platform rules.
  • Strengthen governance and oversight over human rights commitments. Mail.Ru should conduct human rights due diligence and improve its remedy procedures.

Services evaluated:

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Afef Abrougui, Jie Zhang
Download data and sources

Changes since 2019

  • Mail.Ru published an explicit commitment to respect users’ fundamental freedom of expression and privacy rights.
  • Mail.Ru improved its transparency on how it handles user information in certain areas, including what user information it collects and shares.
  • Mail.Ru published more about how it responds to government demands for user information and clarified situations when it might not notify users of such demands.
+ 11.77 points

Gained 11.77 points on comparable indicators since the 2019 RDR Index.

Governance23%
Freedom of expression19%
Privacy33%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 23%

Despite making progress in the governance category, Mail.Ru continued to fall short in its governance and oversight of its privacy and freedom of expression commitments

  • Commitment to human rights: Mail.Ru disclosed a clear and explicit commitment to freedom of expression and privacy but failed to disclose a commitment to human rights in its use and development of algorithmic systems (G1).
  • Human rights due diligence: Mail.Ru lacked transparency about whether it assesses the privacy, expression, and discrimination risks of government regulations and policies (G4a), of its own terms of service enforcement (G4b), of its targeted advertising practices (G4c), and of its use and development of algorithms (G4d).
  • Stakeholder engagement: Mail.Ru disclosed no evidence of systematically engaging with stakeholders that represent, advocate on behalf of, or are people whose rights are directly affected by the company (G5).
  • Remedy: Mail.Ru enabled users to submit freedom of expression- and privacy-related grievances, but its procedures for providing remedy for these types of complaints were unclear (G6a). Its process for content moderation appeals for VK also lacked clarity (G6b).

Indicators

Freedom of expression 19%

Mail.Ru was not transparent about its policies and practices affecting users’ freedom of expression and information rights. It ranked ninth among the 14 digital platform companies, and scored lower in this category than its Russian peer, Yandex.

  • Content moderation: Mail.Ru disclosed which activities and types of content it does not permit on its services, but it was not clear about the processes it uses to identify content or accounts that violate its rules, including the role of algorithmic systems in those processes (F3a). It did not publish any data about content and account restrictions due to terms-of-service violations (F4a, F4b). It also failed to commit to notifying users of content restrictions (F8).
  • Algorithmic use and content curation: Mail.Ru did not disclose a policy describing how it uses algorithmic systems (F1d). It provided examples of how the algorithms are used to show users "personalized" content but did not describe how it uses algorithmic systems to curate, rank, or recommend content on VK, its social networking platform (F12).
  • Advertising content and targeting: Mail.Ru revealed what types of ad content it does not permit, but failed to explain how it enforces its ad content rules (F3b). It also lacked transparency about its ad targeting rules and enforcement processes, offering no detail on what types of targeting parameters it prohibits (F3c). The company also failed to publish any data around the enforcement of its ad content and targeting rules (F4c).
  • Censorship demands: Mail.Ru lacked transparency about its handling of third-party demands to remove content and accounts. Authorities require VK to censor various types of content, including LGBTQ material, content deemed insulting to “ state symbols,” and most recently, disinformation related to COVID-19. The company disclosed nothing about its process to address these demands, including whether it pushes back on overly broad censorship requests (F5a). The company was more transparent when it came to private requests to remove content, disclosing a process for handling copyright and terms of service-related private content removal requests on VK (F5b).

Indicators

Privacy 33%

Despite several improvements in this category, Mail.Ru disclosed insufficient information about its policies affecting users’ privacy. It tied with Yandex for 10th place among digital platforms.

  • Handling of user data: Mail.Ru lacked transparency about its handling of user information. In the privacy policy for VK, the company acknowledged one type of information it infers (interests of users) based on user data but offered no further details on inference, and it did not offer users the ability to control what data the company infers about them (P3b, P7). Mail.Ru failed to provide any rules on how its algorithmic systems are developed (P1b) or whether users can control how the company uses their information to develop these systems (P7).
  • Government and private demands for user data: Mail.Ru disclosed its process for responding to government demands for user information, including a commitment to push back against “unfounded’’ demands (P10a). However, the company disclosed no data about these types of demands (P11).
  • Security: Like many of its peers, Mail.Ru provided resources and tools to help users protect their account security (P17, P18), but offered limited information about its own data security measures and protocols. It disclosed that it has a security team that conducts audits and that it limits unauthorized employee access to user information, although it was unclear if such access is monitored (P13). It did not articulate a process for responding to data breaches (P15). While it has a bug bounty program allowing external researchers to submit reports of security vulnerabilities, it fell short of pledging not to pursue legal action against them (P14).
  • Encryption: Mail.Ru disclosed that it encrypts user communications on Mail.Ru email and VK but was silent regarding Mail.Ru Cloud and explicitly stated that messages on Mail.Ru Agent are totally unencrypted (P16). Russian law requires Mail.ru, Yandex, and many other technology companies to provide encryption keys to law enforcement on an ongoing basis.

Indicators

35%
0%
38%
P4. Sharing of user information
50%
P5. Purpose for collecting, inferring, and sharing user information
35%
P6. Retention of user information
20%
P7. Users' control over their own user information
23%
P8. Users' access to their own user information
2%
P9. Collection of user information from third parties
13%
40%
0%
P12. User notification about third-party requests for user information
33%
P13. Security oversight
46%
P14. Addressing security vulnerabilities
58%
P15. Data breaches
0%
P16. Encryption of user communication and private content (digital platforms)
13%
P17. Account security (digital platforms)
92%
P18. Inform and educate users about potential risks
100%