Bulletins

Russian search engine Yandex reportedly routing iOS and Android user data to Russia

The company's SDK is used by iOS and Android apps that could be exposing user data to the Russian government.

Yandex logo

Yandex is the Google of Russia.

Photo: Kirill Kudryavtsev/AFP via Getty Images

User data collected by Russian search engine Yandex may be visible to the Russian government, according to a Financial Times report. Yandex's software development kit, used by makers of iOS and Android apps, was found to harvest metadata that is sometimes routed through servers in Russia. Privacy watchdogs are concerned this metadata could be accessed by the Kremlin and used to track users.


Games, location-sharing tools and messaging apps use Yandex's SDK, as do many VPNs, seven of which the Financial Times reported are created specifically for Ukrainians. Hundreds of millions of users’ IP addresses, device and network data could be vulnerable, as the data is stored in centers both in Finland and Russia.

Yandex said that it has a “very strict” process for approving government requests for data. On its website, the company said it rejects about 21% of government requests.

“Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this," the company told the Financial Times.

That's not exactly reassuring.

Researchers with Me2B Alliance, a nonprofit focused on protecting online privacy and security, first discovered Yandex was collecting and storing metadata when conducting an app audit. Researchers found the code installed in 52,000 apps. One of the researchers tweeted that users are unable to check whether any of the apps they use are involved, because “neither Google or Apple has a way to identify this SDK before you download an app.”

A Google spokesperson told Protocol that the company is "always working to improve privacy and transparency on Google Play, including efforts around SDKs, and are reviewing the allegations in this report." The company adds that it will take "appropriate action" against any apps violating Google Play's policy.

An Apple spokesperson told Protocol that users can review how apps use privacy permissions, including location data, in Apple’s App Privacy Report. Apps must also describe the use of SDKs in Apple’s Privacy Nutrition Labels. Users are asked whether they are willing to share sensitive data like location and camera information when they first download the app, and Apple’s App Tracking Transparency allows users to stop cross-app tracking.

Yandex's stock has taken a big hit since the war began, and foreign-listed shares on Nasdaq were suspended. Several board members have recently resigned. And the company laid off Michigan employees working on its self-driving and robot projects earlier this month, saying the state suspended their licenses — something which the Secretary of State’s office says isn’t true.

Some app developers are reportedly removing Yandex's SDK from their apps. According to the Financial Times, the popular Opera VPN removed the SDK on Feb. 15.

Latest Bulletins

Last year saw a notable jump in ransomware attacks that included exfiltration of data as a component, highlighting an ongoing shift in the way the attacks are monetized, according to Verizon's major annual breach report.

Keep Reading Show less

Snap is the latest tech giant to join The Great Hunkering Down. Like other social media companies that flourished during lockdown, the company is struggling to meet earnings estimates and will slow hiring.

Keep Reading Show less

Spotify stopped hosting political ads on its services in early 2020, citing a lack of “robustness” in its systems, ahead of what turned out to be the ugliest U.S. election in recent history.

Two years later, as the midterm primaries get going, the company is courting political advertisers once again, according to a company presentation and marketing email viewed by Protocol.

Keep Reading Show less

Quality assurance testers at Call of Duty studio Raven Software have voted overwhelmingly to form a union with the Communications Workers of America, marking a historic labor victory for the video game industry. The vote, with the Milwaukee office of the National Labor Relations Board, was 19-3.

Keep Reading Show less

Federal labor prosecutors in California plan to file a complaint against Activision Blizzard for illegally threatening workers if the company doesn't agree to a settlement, according to National Labor Relations Board spokesperson Kayla Blado.

Keep Reading Show less

Swedish "buy now, pay later" company Klarna is laying off 10% of its workforce, CEO Sebastian Siemiatkowski told staff via a pre-recorded video call Monday. Interest in pay-later products has sagged somewhat as consumers have felt more financially strapped and advocates in the U.S. began investigating the deferred payment plans last year. Klarna has reportedly been looking for more funding, potentially at a lower valuation.

Keep Reading Show less

The New York State Common Retirement Fund, one of the nation’s largest pension funds, announced that it will vote to remove all of Twitter’s directors at this week’s annual shareholder meeting. The vote against the directors is unlikely to result in change, but it shows mounting institutional pressure for Twitter to resist Elon Musk’s vision for relaxed content moderation policies.

Keep Reading Show less

Apple is looking to boost global production outside of China as the country’s "zero-COVID" strategy cripples production facilities, the Wall Street Journal reported.

The strict lockdown, which has been described by the WHO as "not sustainable," has shut down large cities, including Shanghai, as the highly infectious omicron variant spreads.

Keep Reading Show less

As the Supreme Court weighs whether to block Texas' social media "censorship" law, a court of appeals has decided to uphold the injunction on a similar Florida law, finding that social media companies "are 'private actors' whose rights the First Amendment protects."

Keep Reading Show less

GameStop is all about Web3: The company announced on Monday that it will launch a digital wallet for crypto and NFTs.

The GameStop wallet can be used across apps without users needing to leave their browsers, the company said in a statement. The self-custodial Ethereum wallet gives users access to the keys to their digital assets rather than trusting them with a third party, and is available for download as an extension on Google Chrome's web store as well as on web browser Brave. The wallet will also be available as an iPhone app down the line, according to the GameStop wallet website. The wallet uses Loopring for transactions, a Layer 2 solution that's meant to lower transaction fees.

Keep Reading Show less

D.C. Attorney General Karl Racine is suing Mark Zuckerberg, alleging the Meta CEO was responsible for decisions that opened the door for the Cambridge Analytica scandal.

Keep Reading Show less

The U.K.'s Information Commissioner’s Office, the country's privacy watchdog, has ordered facial recognition company Clearview AI to delete all data belonging to the country's residents.

Keep Reading Show less

Meta will finally give researchers access to targeting data for political ads — information that academics have been clamoring for and using legally risky workarounds to collect on their own for years.

Keep Reading Show less

Coinbase just celebrated its 10th birthday. And the crypto powerhouse marked the milestone on a defiant note, with a snarky TV ad clapping back at crypto bashers.

Keep Reading Show less

Google is allowing some Android apps to use their own payment systems after getting into battles with both Match Group and Epic Games' Bandcamp, but the move might be temporary. The company is facing legal action for requiring apps in the Google Play Store to use its billing, and the interim solution Google came up with is to let those apps use their own payments — with a catch.

Keep Reading Show less

Larry Ellison was among the participants on a call in November 2020, during which top Trump allies discussed ways to contest the election results, according to The Washington Post. It's unclear what role Ellison played on the call, but The Post found evidence of Ellison's apparent involvement in court records and confirmed with one of the call's other participants.

Keep Reading Show less

Microsoft Bing has exported Chinese censorship abroad, according to a new report by The University of Toronto's Citizen Lab.

Bing searches for national figures, leaders within the Chinese Communist Party, dissidents and topics that Beijing considers politically sensitive did not appear in auto-suggest in North America, according to the report. Among the search terms that didn't generate autocomplete suggestions were searches for President Xi Jinping, the late human rights activist Liu Xiaobo and searches related to the Tiananmen Square massacre.

Keep Reading Show less

Google had its "best year yet" for hiring Black and Latinx employees in the U.S. as well as women globally, according to its 2022 Diversity Annual Report. The hiring rate increased for Black, Latinx, Native American and female employees, although these identities are still very underrepresented compared to white and male employees.

Keep Reading Show less

Tech companies are figuring out how to handle the upcoming historic Supreme Court decision that could overturn abortion rights. In the case of Meta, that includes telling employees to not talk about it at work. Meta VP of HR Janelle Gale told workers during an all-hands on Thursday not to talk about abortion on Workplace, the company's internal messaging platform.

Keep Reading Show less

As many tech companies face a slump and crypto looks set for a deep freeze, Coinbase is facing reality and hitting the brakes on spending. The company is halting some business projects, freezing hiring for two weeks and cutting its spending on Amazon Web Services, the Information reported Thursday.

Keep Reading Show less

AWS reached a private settlement with a female employee who accused now-former executive Joshua Burgin of discrimination and harrasement, Protocol has learned.

Keep Reading Show less

The Federal Trade Commission on Thursday unanimously reminded providers of education technology to follow federal limits on the collection and use of kids' data in an attempt to ensure that common practices in the data economy don't become the norm in schools.

Keep Reading Show less

The apocalypse is coming, at least according to one of the world's biggest startup accelerators.

Y Combinator sent an email to portfolio founders this week, obtained by TechCrunch, advising the startups to "plan for the worst" as the market turbulence has prompted many companies to initiate layoffs, cost-cutting measures and hiring slowdowns.

Keep Reading Show less

Apple just hit an important milestone in developing its mixed-reality headset as rivals like Meta are making strides in developing similar devices. Executives showed off an AR/VR device to Apple's board last week, according to Bloomberg, a sign that the product is really happening and it's inching closer to a public launch.

Keep Reading Show less

The SEC is pushing back on Ripple’s bid for access to emails and other documents that the crypto giant believes could bolster its case against the regulator.

The SEC, which sued Ripple in 2020 for failing to register $1.4 billion worth of XRP as securities, has refused to release emails related to a 2018 speech by former director William Hinman in which he argued the ether cryptocurrency was not a security. The speech sparked a rally in ether’s price and was interpreted as an endorsement of the industry’s view that cryptocurrencies are not securities.

Keep Reading Show less
Bulletins