User data collected by Russian search engine Yandex may be visible to the Russian government, according to a Financial Times report. Yandex's software development kit, used by makers of iOS and Android apps, was found to harvest metadata that is sometimes routed through servers in Russia. Privacy watchdogs are concerned this metadata could be accessed by the Kremlin and used to track users.
Games, location-sharing tools and messaging apps use Yandex's SDK, as do many VPNs, seven of which the Financial Times reported are created specifically for Ukrainians. Hundreds of millions of users’ IP addresses, device and network data could be vulnerable, as the data is stored in centers both in Finland and Russia.
Yandex said that it has a “very strict” process for approving government requests for data. On its website, the company said it rejects about 21% of government requests.
“Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this," the company told the Financial Times.
That's not exactly reassuring.
Researchers with Me2B Alliance, a nonprofit focused on protecting online privacy and security, first discovered Yandex was collecting and storing metadata when conducting an app audit. Researchers found the code installed in 52,000 apps. One of the researchers tweeted that users are unable to check whether any of the apps they use are involved, because “neither Google or Apple has a way to identify this SDK before you download an app.”
A Google spokesperson told Protocol that the company is "always working to improve privacy and transparency on Google Play, including efforts around SDKs, and are reviewing the allegations in this report." The company adds that it will take "appropriate action" against any apps violating Google Play's policy.
An Apple spokesperson told Protocol that users can review how apps use privacy permissions, including location data, in Apple’s App Privacy Report. Apps must also describe the use of SDKs in Apple’s Privacy Nutrition Labels. Users are asked whether they are willing to share sensitive data like location and camera information when they first download the app, and Apple’s App Tracking Transparency allows users to stop cross-app tracking.
Yandex's stock has taken a big hit since the war began, and foreign-listed shares on Nasdaq were suspended. Several board members have recently resigned. And the company laid off Michigan employees working on its self-driving and robot projects earlier this month, saying the state suspended their licenses — something which the Secretary of State’s office says isn’t true.
Some app developers are reportedly removing Yandex's SDK from their apps. According to the Financial Times, the popular Opera VPN removed the SDK on Feb. 15.