Digital platforms

Yandex N.V.

Rank: 8th
Score: 27%

Headquartered in Russia, Yandex provides the country’s leading search engine service, alongside email, cloud storage, and maps.

Yandex placed eighth out of 14 digital platforms, tying with its Russian peer Mail.Ru. Although it published a commitment to respect users’ freedom of expression and privacy rights, Russia’s restrictive regulatory environment makes it difficult for companies like Yandex to respect these rights in practice. Authorities increasingly pressure platforms to cooperate in censorship and surveillance that undermine users’ rights. Nevertheless, for the first time in 2020, the company published a transparency report. However, the report did not include information about government censorship demands.[1] This is especially significant in the Russian context, where authorities are known to surveil and arrest dissidents; they also increasingly require digital platforms to block web content and hand over user information without due process.

Key takeaways

  • Yandex lacked evidence of strong governance and oversight over human rights commitments across its operations.
  • Yandex published no information about its process for responding to government censorship demands, and little about the process for responding to user information demands, although there are no legal barriers to disclosing at least some information.
  • Yandex explained little about what actions it takes to enforce its ad content and ad targeting rules, although it reportedly earns a majority of its revenue from advertising.

Key recommendations

  • Disclose more about government requests. Yandex should disclose data about how it responds to government requests to remove content or deactivate accounts and to hand over user data.
  • Improve governance oversight. Yandex should put processes in place to strengthen institutional oversight over freedom of expression and privacy issues. Yandex should adopt a human rights framework to guide its development and use of algorithmic systems.
  • Clarify handling of user information. Yandex should disclose more about its handling of user information and its policies to keep user information secure.

Services evaluated:

  • Market cap: $22.796 billion (as of February 4, 2021)
  • NasdaqGS: YNDX
  • Website: https://yandex.com

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Afef Abrougui and Veszna Wessenauer

Changes since 2019

  • In its 2019 Annual Report, Yandex published an overview of legislative risks to freedom of expression and information in Russia.
  • Yandex disclosed that users can obtain a copy of their information, although it was not clear if they could obtain all the information the company holds on them.
  • Yandex failed to clarify whether it protects users’ privacy by using unique encryption keys by default.
+ 1.79 points

Gained 1.79 points on comparable indicators since the 2019 RDR Index.

Governance24%
Freedom of expression20%
Privacy33%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 24%

Despite making a commitment to protect users’ freedom of expression and privacy rights, Yandex continued to fall short in its governance and oversight of these commitments. It ranked ninth in this category, slightly outperforming its Russian peer, Mail.Ru.

  • Commitment to human rights: Yandex disclosed an explicit commitment to freedom of expression and privacy but failed to disclose a commitment to human rights in its use and development of algorithmic systems (G1).
  • Human rights due diligence: Yandex showed evidence that it assesses at least some of the privacy and freedom of expression risks caused by government regulations in markets where it operates. However, we found no evidence that the company assesses possible privacy, expression, or discrimination risks that could result from its own policy enforcement, its targeted advertising policies and practices, or its development and deployment of algorithms (G4).
  • Stakeholder engagement: Yandex continued to disclose no systematic engagement with stakeholders that represent, advocate on behalf of, or are people whose privacy and freedom of expression and information are directly impacted by the company (G5).
  • Remedy: AlthoughYandex enabled users to submit freedom of expression and privacy-related grievances, its processes for providing remedy for these types of complaints were unclear (G6a).

Freedom of expression 20%

Yandex was not transparent about its policies and practices affecting users’ freedom of expression and information rights, ranking eighth among digital platforms.

  • Content moderation: Yandex disclosed which activities and types of content it does not permit, but it was not clear about the processes it uses to identify content or accounts that violate its rules, including the role of algorithmic systems in those processes (F3a). It published no data about the volume or nature of content or accounts removed for violations to its rules (F4a, F4b). Yandex Search and Disk did not disclose whether they notify users who attempt to access content that has been restricted or explain why it was restricted (F8).
  • Algorithmic use and content curation: Yandex disclosed an easy-to-access and understandable policy describing how it uses algorithms on Yandex Search (F1d). While it clearly outlined how the company uses algorithmic systems to curate content, including the variables that influence these systems, the policy did not provide users with options to control those variables (F12).
  • Advertising content and targeting: Yandex did not provide comprehensive information about its advertising content and targeting rules. For example, it did not disclose what types of targeting parameters are not permitted (F3c) on its services, nor did it publish data on ads removed to enforce its ad rules (F4c).
  • Censorship demands: Yandex lacked transparency about its handling of government and private demands to remove content and accounts (F5-F7). It enabled private parties to submit requests to remove content, including for copyright infringement and defamation, but its process for responding to these types of requests lacked clarity, particularly for Yandex Search (F5b). It did not disclose anything about how it responds to government demands (F5a) or data around such demands. There is nothing legally preventing Yandex from disclosing information about its processes for handling third-party censorship demands.

Privacy 33%

Yandex failed to disclose enough information about its policies affecting users’ privacy, tying for 10th place with Mail.Ru among the 14 ranked digital platforms.

  • Handling of user data:Yandex lacked transparency about its handling of user information. Its privacy policy included information on some of the types of data it collects (P3a) and shares (P4), but information was not fully transparent in the privacy policy regarding how user information is handled. For example, it did not provide, for any of its services, the names of all third parties with which user data may be shared. Yandex did not disclose anything about its inference of user information (P3b) or whether and how users might control it. It also failed to disclose anything about which user information it collects from third parties (P9).
  • Government and private demands for user data: Yandex was far less transparent about its process for responding to government demands for user information than its Russian peer, Mail.Ru (P10a), and it did not disclose any data about the number and type of such requests it received and complied with (P11a). However, since Russian authorities have direct access to communications data, Russian companies may not be aware or able to report every case in which government authorities access user information. The company also disclosed nothing about how it handles or complies with private requests (P10b, P11b).[2]
  • Security:Like many of its peers,Yandex disclosed more about resources and tools it provides to help users protect their security (P17, P18) than it did about its own measures and processes for keeping user information secure. For example, while it disclosed that it commissioned a third-party security audit in 2020, it was unclear whether it conducts such audits on a regular basis and whether its internal security team conducts audits as well (P13). It did not disclose a process for responding to data breaches (P15), and while it did provide a bug bounty program allowing external researchers to submit reports of security vulnerabilities, it fell short of pledging not to pursue legal action against them (P14).
  • Encryption: Yandex disclosed only minimal (HTTPS) encryption to protect user communications, failing to implement more sophisticated measures such as end-to-end encryption and forward secrecy (unique keys). Russian law requires Yandex, Mail.ru, and many other technology companies to provide encryption keys to law enforcement on an ongoing basis (P16).

Footnotes

[1] Because Yandex published its transparency report in October 2020, about a month after the 2020 RDR Index research window closed, it was not accounted for in our scoring or analysis. The complete report is available in Russian.

[2] Since Yandex published a transparency report with some of this data in October 2020, after the research cycle for the 2020 RDR Index research was concluded, it was not accounted for in our scoring or analysis.