Keeping Internet Users in the Know or in the Dark: Data Privacy Transparncy of Canadian Internet Service Providers

Download the Full Report

Download the complete “Keeping Internet Users in the Know or in the Dark” report (PDF)

We welcome your feedback on the draft criteria for the 2014 report found here (.docx) and here (.pdf). Criteria will be finalized December 20. The 2014 report will be launched the week of March 9, 2015.

Continue reading below for the 2013 report.

Report Summary

Evaluating ISP Transparency

In the wake of the Snowden revelations about NSA surveillance, recent calls for greater data privacy recommend that internet service providers (ISPs) be more forthcoming about their handling of our personal information. Responding to this concern as well as in keeping with the transparency, openness and accountability principles fundamental to Canadian privacy law, this report evaluates the data privacy transparency of twenty of the most prominent ISPs (aka carriers) currently serving the Canadian public. We award ISPs up to ten 'stars' based on the public availability of the following information:

  1. A public commitment to PIPEDA1 compliance.
  2. A public commitment to inform users about all third party data requests.
  3. Transparency about frequency of third party data requests and disclosures.
  4. Transparency about conditions for third party data disclosures.
  5. An explicitly inclusive definition of ‘personal information’.
  6. The normal retention period for personal information.
  7. Transparency about where personal information is stored.
  8. Transparency about where personal information is routed.
  9. Publicly visible steps to avoid U.S. routing of Canadian data.
  10. Open advocacy for user privacy rights (such as in court and/or legislatively).

These criteria are designed to address on-going privacy and civil liberties concerns, especially in light of the controversial expansion of state surveillance of internet activities as well as recent ‘lawful access’ proposals, notably Bill C-30 and the current Bill C-13.

Stars are awarded based on careful examination of each ISP’s corporate website. Assuming that carriers want to make it easy for their customers to find information about corporate practices relating to personal information, and that the on-line privacy policy is the first (and only) place users might look, we focus our attention on these public statements 2.

We selected the 20 ISPs in our sample based on their prevalence among the approximately 6000 internet traceroutes in the IXmaps.ca database (out of 25,000+ in total) that correspond to intra-Canadian routes — i..e. with origin and destination in Canada. The star ratings can be seen in the Star Table above 3 . The full report contains the detailed assessments for each carrier.

Findings

ISPs all score poorly

As noted in the Star Table, while we able to award at least one half star in each of the criteria, we were only able to award very few stars overall (31.5 out of a possible 200). For individual ISPs, this means an average of 1.5 out of a maximum of 10. The highest ISP score is 3.5 stars (Teksavvy), another earned 3 stars (Primus), followed by three each earning 2.5 stars (Bell Aliant, Distributel and MTS Allstream).

Smaller, independent Canadian carriers score better than larger incumbents

The large incumbent Canadian ISPs (Bell, Bell Aliant, MTS Allstream, Rogers, Shaw, Telus, Videotron) averaged 2 stars, while their smaller independent competitors scored 2.75. All but one of these, Eastlink, scored at least as well as the highest scoring incumbent. An important contributor to this discrepancy is that these small carriers generally peer openly at Canadian public internet exchange points, whereas none of their larger competitors do.

Canadian carriers score better than foreign ones

The highest scoring non-Canadian carrier, Primus Canada, received 3 stars. It was the only foreign carrier to indicate compliance with PIPEDA (Criterion #1). Cogent and AboveNet received no stars. In a counter-privacy form of transparency, Cogent makes clear to customers that they should not expect protection for their personal data:

Cogent makes no guarantee of confidentiality or privacy of any information transmitted through or stored upon Cogent technology, and makes no guarantee that any other entity or group of users will be included or excluded from Cogent's network.

TekSavvy scores highest

In addition to receiving more stars in aggregate than any other carrier (3.5), TekSavvy stands out from the others by earning stars in more criteria (5) than any other and is the only ISP to receive recognition (half star) for Criteria 2: Public commitment to inform users about third party data requests. TekSavvy also distinguishes itself as the only ISP to discuss its stance on user privacy rights on its website by informing customers how they treat third party requests and the presentation of court documents. This is chiefly in relation to the Voltage Pictures filesharing suit. ISP subscribers shouldn’t have to wait until court cases arise to be told basic information about how their carriers treat third party requests and fight for their rights.

PIPEDA compliance is minimal and partial at best

Of all the criteria, we awarded the highest number of stars (11/20) for Criterion #1: A public commitment to PIPEDA compliance. Exclusively, these are ISPs operating mainly in Canada, and of these very few went significantly beyond stating their compliance. Retention periods and handling of third party requests are left vague. As noted, Primus was the only foreign owned carrier to indicate PIPEDA compliance, even though the others have major Canadian operations (Cogent, Hurricane, Tata). This finding should of considerable concern to Canadians because many Canadian ISPs that do claim PIPEDA compliance often hand traffic to these non-US carriers that seemingly ignore Canadian privacy law.

No proactive transparency reporting

No carrier providing internet services directly to Canadians has yet followed the lead of major US internet service providers, such as AT&T, Verizon, Google, Facebook or Twitter, and proactively reports on the frequency of law enforcement requests and how they respond to them.

Routing transparency is almost entirely absent

Fewer than half (8/20) of the ISP privacy policies refer to the location and jurisdiction for the information they store. Only one (Hurricane) gives an indication of where it routes customer data and none make explicit that they may route data via the US where it is subject to NSA surveillance 4 . This is part of a more general pattern of not providing specific information publicly, instead placing the burden on individuals to make specific enquiries.

ISPs rely heavily on implied consent

Many of the privacy policies evaluated contain buried “catch-all” language relating to implied consent. For example, Bell’s privacy policy (p. 8) notes:

In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.

Policy Recommendations

Without proactive public reporting on the part of ISPs in the key areas identified above, it is very difficult for Canadians to protect their personal privacy nor hold these important organizations to account. To remedy this situation, we make the following recommendations directed at the primary internet privacy actors:

Recommendations for ISPs that Handle Canadian Internet Traffic

ISPS should go beyond minimum compliance with Canadian privacy law, and, in the spirit of PIPEDA’s Principle 8 – Openness, commit proactively to making the information identified by the ten criteria readily available on their corporate websites. In particular, this proactive process should include publishing on the privacy sections of their websites:

Recommendation 1: A public commitment to PIPEDA compliance

All ISPs that handle Canadian internet traffic should prominently display a public commitment to compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). This should include reference to the Act itself. They should make explicit the implicit requirement that to the extent feasible any other carrier they hand personal data to provides comparable privacy protection. (See also Recommendations 7 & 8)

Recommendation 2: A public commitment to inform users when personal data has been requested by a third party

All ISPs that handle Canadian internet traffic should prominently display a public commitment to notify customers in a timely way when their personal data has been requested by a third party, unless otherwise prohibited by law. Website text could read:

<This company>'s policy is to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order. Law enforcement or security agency officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes customer notification.

Recommendation 3: Regular detailed transparency reporting that provides information about third party data requests and disclosures

All ISPs that handle Canadian internet traffic should publish transparency reports every year or more often. These reports should include information about the requesting entities, including their country of origin, the specific agency or organization, the legal authority for the request and purpose for the request. For all such disclosure or transfer requests complied with, ISPs should provide relevant justifications. Reporting should include the numbers of requests, the number of accounts covered, the number of requests fully and partially complied with, the number declined, and the number of accounts implicated. These transparency reports should be easily accessible via the web as well as downloadable for easy sharing and analysis. Those ISPs that want to lead by example should also commit to related public education campaigns by creating whole sections of their websites devoted to these reports and include additional explanatory materials, such as videos and supplementary documents where possible.

Recommendation 4: Detailed conditions and procedures for law enforcement and other third parties that submit requests for personal information

All ISPs that handle Canadian internet traffic should make public clear guidelines for law enforcement and other third parties to follow when making requests for personal information. A suitable way to do this is through publishing law enforcement agency (LEA) handbooks.

The Guidelines for Law Enforcement, posted by Twitter provide a good model to follow.

Recommendation 5: A clear indication that metadata and device identifiers are included in the definition of ‘personal information’

All ISPs that handle Canadian internet traffic should make publicly clear that they include communication meta-data as well as persistent unique devices identifiers among the personal information they protect under Canadian privacy law. Since metadata is a broad term, they should itemize specifically the items comprising the metadata that they collect.

Recommendation 6: Retention periods and the justification for these, for the various types of personal information handled,

All ISPs that handle Canadian internet traffic should provide details about retention periods for the various types of personal information it handles. Justifications for these retention periods should be provided. Many ISPs have determined internally how long they will hold onto certain types of data. This information must be made public. For example:

“The following is a list of types of personal information that we retain and the normal retention periods for each type of data:
— IP logs: x days;
— call records: y days;
— preservation requests: 90 days.
In case of legal proceedings, we may be required to retain personal data until the litigation is concluded.”

Recommendation 7: Details of whether personal data may be stored or routed outside Canada

All ISPs that handle Canadian internet traffic should provide detailed information about the location of storage and routing of personal data. This includes listing, for example:

  • the countries through which data is routinely routed;
  • the countries where data is stored,
  • the jurisdictional authority of all the carriers it exchanges traffic with,
  • an explicit indication of whether these carriers provide data protection comparable to that expected under Canadian law.
Recommendation 8: How they strive to keep Canadians’ data within Canadian legal jurisdiction

All ISPs that handle Canadian internet traffic should make public the measures they adopt to keep Canadians’ data and domestic interent traffic within Canadian legal jurisdiction, or at least protect it from foreign jurisdiction, particularly the US. These measures could include:

  • storing data within Canada,
  • exchanging traffic only with carriers providing data protection comparable to that expected under Canadian law,
  • exchanging traffic at public internet exchange points in Canada,
  • encrypting traffic when unavoidably subject to foreign jurisdiction, with the keys kept with the individual subscriber or within Canadian legal jurisdiction
Recommendation 9: How they strive to keep Canadians’ data protected against mass Canadian state surveillance

All ISPs that handle Canadian internet traffic should make public, to the extent legally permissible, their relations with Canadian law enforcement and security agencies, as well as the measures they adopt to protect data against access by these agencies without legal due process and oversight.

Recommendation 10: The extent to which they advocate for their subscribers’ privacy rights

All ISPs that handle Canadian internet traffic should clearly indicate their stance on current related to personal data privacy protection and mass state surveillance. This stance should include their position on alleged NSA and CSEC surveillance of Canadian internet transmissions. If an ISP is making official submissions or lobbying in relation to any prospective legislative, regulatory or policy change that can influence subscriber data protections, its activities should be readily available on its privacy pages. An ISP should be similarly transparent if it is involved in any court case around the privacy rights of their subscribers. Whatever the ISPs position in relation to user privacy rights, this should be made publicly clear.

Recommendation for Privacy Commissioners and the Canadian Radio-Television and Telecommunications Commission (CRTC)

Recommendation 11: Regulators should more closely oversee ISPs to ensure their data privacy transparency

Both the Office of the Privacy Commissioner (OPC) and Canadian Radio-Television and Telecommunications Commission (CRTC) have responsibilities under their respective legislative mandates to ensure that ISPs are respecting the privacy of their subscribers. They should exercise their powers more vigourously, to ensure proper handling of personal information and in particular that ISPs only hand off internet traffic to carriers that meet Canadian privacy law standards.

Recommendation for Legislators and Politicians

Recommendation 12: Amend PIPEDA’s Principle 8 — Openness to include public transparency

In particular it should be amended as follows:

An organization shall make readily available to individuals, and the public generally, specific information about its policies and practices relating to the management of personal information. (emphasis added to inserted text)

Recommendation 13: Amend PIPEDA’s Principle 9 — Individual Access to require proactive notification

Currently Principle 9 only requires organizations to respond to individual requests. It should be amended to require timely proactive notification to the individual whenever a third party requests disclosure of their personal information. Any exceptions should be limited, specific and justified in relation to the circumstances.

Recommendation for Canadian Law Enforcement and Security Agencies

Recommendation 14: Canadian law enforcement and security agencies should proactively publish statistics about requests for personal information they make to ISPs

Just as leading internet businesses are beginning to do, the law enforcement and security agencies that requests ISP to disclose personal customer information should routinely and proactively publish detailed statistics about their requests, the rationales, ISP responses, and how these have assisted or not in achieving their mandates.

This report calls on ISPs, regulators, legislators, law enforcement and security agencies to remove the systemic barriers to data privacy transparency, and to implement a more proactive approach requiring robust public transparency norms.

These various measures advancing data privacy transparency will contribute to ensuring that ISPs and third party data requestors are accountable to the public and the spirit of Canadian privacy law for their data management practices. Those actors adopting strong transparency measures will demonstrate leadership in the global battle for data privacy protections, and help bring state surveillance under more democratic control.

Notes
  1. Personal Information Protection and Electronic Documents Act
  2. In the case of criterion 9 – Publicly visible steps to avoid U.S. routing of Canadian data, we also examine the peering arrangements noted on the websites of the two main Canadian public internet exchanges, TorIX and OttIX (Toronto/Ottawa Internet Exchanges) as these are also publicly visible.
  3. Star ratings can also be reviewed for particular internet routings and carriers on the Explore page of the IXmaps website.
  4. It is worth noting that personal information that is kept within Canadian jurisdiction is also subject to state surveillance activities; however, Canadian entities conducting surveillance within Canada are subject to Canadian law and its Constitution. Should Canadians determine that the Canadian surveillance apparatus is to change, that would possibly affect the level of surveillance on intra-Canadian traffic. The same cannot be said about traffic that passes through the US and other foreign countries as Canadians cannot easily force change in the laws and surveillance practices of foreign countries.

About the Authors

Andrew Clement (andrew.clement@utoronto.ca) is a Professor in the Faculty of Information at the University of Toronto, where he coordinates the Information Policy Research Program and is a co-founder of the Identity, Privacy and Security Institute. With a PhD in Computer Science, he has had longstanding research and teaching interests in the social implications of information/communication technologies and participatory design. Among his recent privacy/surveillance research projects, are IXmaps.ca an internet mapping tool that helps make more visible NSA warrantless wiretapping activities and the routing of Canadian personal data through the U.S. even when the origin and destination are both in Canada; SurveillanceRights.ca, which documents (non)compliance of video surveillance installations with privacy regulations and helps citizens understand their related privacy rights. The SurveillanceWatch app enables users to locate surveillance cameras around them and contribute new sightings of their own; and Proportionate ID, which demonstrates through overlays for conventional ID cards and a smartphone app privacy protective alternatives to prevailing full disclosure norms. Clement is a co-investigator in The New Transparency: Surveillance and Social Sorting research collaboration. See http://www.digitallymediatedsurveillance.ca/

Jonathan Obar (jonathan.obar@utoronto.ca) is a Postdoctoral Research Fellow in the Faculty of Information at the University of Toronto. He also serves as Visiting Assistant Professor in the Department of Telecommunication, Information Studies, and Media at Michigan State University, and as Associate Director of the Quello Center for Telecommunication Management and Law. Dr. Obar has published in a wide variety of academic journals about the relationship between digital media technologies, ICT policy and the protection of civil liberties.

Acknowledgements

We appreciate the contributions of our research collaborators and assistants at the University of Toronto: Andi Argast, Alex Cybulski, Lauren DiMonte, Antonio Gamba, Colin McCann and Nancy Paterson (OCAD University). We would also like to acknowledge the input of Steve Anderson, Nate Cardozo, Tamir Israel, Christopher Parsons, Christopher Prince and Rainey Reitman.

Website and report design assistance: Jennette Weber.

This research was conducted under the auspices of the IXmaps: Mapping Canadian privacy risks in the internet ‘cloud’ project (see IXmaps.ca) and the Information Policy Research Program (IPRP), with the support of the Office of the Privacy Commissioner of Canada as well as The New Transparency: Surveillance and Social Sorting project, funded by the Social Sciences and Humanities Research Council.

The views expressed are of course those of the authors alone.

Creative Commons License
"Keeping internet users in the know or in the dark: A report on the data privacy transparency of Canadian internet service providers" by Andrew Clement and Jonathan Obar is licensed under a Creative Commons Attribution 2.5 Canada (CC BY 2.5 CA) .