Yandex N.V.

Yandex was not transparent about its policies and practices affecting users’ freedom of expression and information rights, ranking eighth among digital platforms.

• Content moderation: Yandex disclosed which activities and types of content it does not permit, but it was not clear about the processes it uses to identify content or accounts that violate its rules, including the role of algorithmic systems in those processes (F3a). It published no data about the volume or nature of content or accounts removed for violations to its rules (F4a, F4b). Yandex Search and Disk did not disclose whether they notify users who attempt to access content that has been restricted or explain why it was restricted (F8).

• Algorithmic use and content curation: Yandex disclosed an easy-to-access and understandable policy describing how it uses algorithms on Yandex Search (F1d). While it clearly outlined how the company uses algorithmic systems to curate content, including the variables that influence these systems, the policy did not provide users with options to control those variables (F12).

• Advertising content and targeting: Yandex did not provide comprehensive information about its advertising content and targeting rules. For example, it did not disclose what types of targeting parameters are not permitted (F3c) on its services, nor did it publish data on ads removed to enforce its ad rules (F4c).

• Censorship demands: Yandex lacked transparency about its handling of government and private demands to remove content and accounts (F5-F7). It enabled private parties to submit requests to remove content, including for copyright infringement and defamation, but its process for responding to these types of requests lacked clarity, particularly for Yandex Search (F5b). It did not disclose anything about how it responds to government demands (F5a) or data around such demands. There is nothing legally preventing Yandex from disclosing information about its processes for handling third-party censorship demands.

Yandex failed to disclose enough information about its policies affecting users’ privacy, tying for 10th place with Mail.Ru among the 14 ranked digital platforms.

• Handling of user data:Yandex lacked transparency about its handling of user information. Its privacy policy included information on some of the types of data it collects (P3a) and shares (P4), but information was not fully transparent in the privacy policy regarding how user information is handled. For example, it did not provide, for any of its services, the names of all third parties with which user data may be shared. Yandex did not disclose anything about its inference of user information (P3b) or whether and how users might control it. It also failed to disclose anything about which user information it collects from third parties (P9).

• Government and private demands for user data: Yandex was far less transparent about its process for responding to government demands for user information than its Russian peer, Mail.Ru (P10a), and it did not disclose any data about the number and type of such requests it received and complied with (P11a). However, since Russian authorities have direct access to communications data, Russian companies may not be aware or able to report every case in which government authorities access user information. The company also disclosed nothing about how it handles or complies with private requests (P10b, P11b).^[2]

• Security:Like many of its peers,Yandex disclosed more about resources and tools it provides to help users protect their security (P17, P18) than it did about its own measures and processes for keeping user information secure. For example, while it disclosed that it commissioned a third-party security audit in 2020, it was unclear whether it conducts such audits on a regular basis and whether its internal security team conducts audits as well (P13). It did not disclose a process for responding to data breaches (P15), and while it did provide a bug bounty program allowing external researchers to submit reports of security vulnerabilities, it fell short of pledging not to pursue legal action against them (P14).

• Encryption: Yandex disclosed only minimal (HTTPS) encryption to protect user communications, failing to implement more sophisticated measures such as end-to-end encryption and forward secrecy (unique keys). Russian law requires Yandex, Mail.ru, and many other technology companies to provide encryption keys to law enforcement on an ongoing basis (P16).