Download the complete "Keeping Internet Users in the Know or in the Dark" report (PDF)
Download the complete "Keeping Internet Users in the Know or in the Dark" report (PDF)
In the wake of the Snowden revelations about NSA surveillance, recent calls for greater data privacy recommend that internet service providers (ISPs) be more forthcoming about their handling of our personal information. Responding to this concern as well as in keeping with the transparency, openness and accountability principles fundamental to Canadian privacy law, this report evaluates the data privacy transparency of twenty of the most prominent ISPs (aka carriers) currently serving the Canadian public. We award ISPs up to ten 'stars' based on the public availability of the following information:
These criteria are designed to address on-going privacy and civil liberties concerns, especially in light of the controversial expansion of state surveillance of internet activities as well as recent ‘lawful access’ proposals, notably Bill C-30 and the current Bill C-13.
Stars are awarded based on careful examination of each ISP’s corporate website. Assuming that carriers want to make it easy for their customers to find information about corporate practices relating to personal information, and that the on-line privacy policy is the first (and only) place users might look, we focus our attention on these public statements 2.
We selected the 20 ISPs in our sample based on their prevalence among the approximately 6000 internet traceroutes in the IXmaps.ca database (out of 25,000+ in total) that correspond to intra-Canadian routes — i..e. with origin and destination in Canada. The star ratings can be seen in the Star Table above 3 . The full report contains the detailed assessments for each carrier.
As noted in the Star Table, while we able to award at least one half star in each of the criteria, we were only able to award very few stars overall (31.5 out of a possible 200). For individual ISPs, this means an average of 1.5 out of a maximum of 10. The highest ISP score is 3.5 stars (Teksavvy), another earned 3 stars (Primus), followed by three each earning 2.5 stars (Bell Aliant, Distributel and MTS Allstream).
The large incumbent Canadian ISPs (Bell, Bell Aliant, MTS Allstream, Rogers, Shaw, Telus, Videotron) averaged 2 stars, while their smaller independent competitors scored 2.75. All but one of these, Eastlink, scored at least as well as the highest scoring incumbent. An important contributor to this discrepancy is that these small carriers generally peer openly at Canadian public internet exchange points, whereas none of their larger competitors do.
The highest scoring non-Canadian carrier, Primus Canada, received 3 stars. It was the only foreign carrier to indicate compliance with PIPEDA (Criterion #1). Cogent and AboveNet received no stars. In a counter-privacy form of transparency, Cogent makes clear to customers that they should not expect protection for their personal data:
Cogent makes no guarantee of confidentiality or privacy of any information transmitted through or stored upon Cogent technology, and makes no guarantee that any other entity or group of users will be included or excluded from Cogent's network.
In addition to receiving more stars in aggregate than any other carrier (3.5), TekSavvy stands out from the others by earning stars in more criteria (5) than any other and is the only ISP to receive recognition (half star) for Criteria 2: Public commitment to inform users about third party data requests. TekSavvy also distinguishes itself as the only ISP to discuss its stance on user privacy rights on its website by informing customers how they treat third party requests and the presentation of court documents. This is chiefly in relation to the Voltage Pictures filesharing suit. ISP subscribers shouldn’t have to wait until court cases arise to be told basic information about how their carriers treat third party requests and fight for their rights.
Of all the criteria, we awarded the highest number of stars (11/20) for Criterion #1: A public commitment to PIPEDA compliance. Exclusively, these are ISPs operating mainly in Canada, and of these very few went significantly beyond stating their compliance. Retention periods and handling of third party requests are left vague. As noted, Primus was the only foreign owned carrier to indicate PIPEDA compliance, even though the others have major Canadian operations (Cogent, Hurricane, Tata). This finding should of considerable concern to Canadians because many Canadian ISPs that do claim PIPEDA compliance often hand traffic to these non-US carriers that seemingly ignore Canadian privacy law.
No carrier providing internet services directly to Canadians has yet followed the lead of major US internet service providers, such as AT&T, Verizon, Google, Facebook or Twitter, and proactively reports on the frequency of law enforcement requests and how they respond to them.
Fewer than half (8/20) of the ISP privacy policies refer to the location and jurisdiction for the information they store. Only one (Hurricane) gives an indication of where it routes customer data and none make explicit that they may route data via the US where it is subject to NSA surveillance 4 . This is part of a more general pattern of not providing specific information publicly, instead placing the burden on individuals to make specific enquiries.
Many of the privacy policies evaluated contain buried “catch-all” language relating to implied consent. For example, Bell’s privacy policy (p. 8) notes:
In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
Without proactive public reporting on the part of ISPs in the key areas identified above, it is very difficult for Canadians to protect their personal privacy nor hold these important organizations to account. To remedy this situation, we make the following recommendations directed at the primary internet privacy actors:
ISPS should go beyond minimum compliance with Canadian privacy law, and, in the spirit of PIPEDA’s Principle 8 – Openness, commit proactively to making the information identified by the ten criteria readily available on their corporate websites. In particular, this proactive process should include publishing on the privacy sections of their websites:
All ISPs that handle Canadian internet traffic should prominently display a public commitment to compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). This should include reference to the Act itself. They should make explicit the implicit requirement that to the extent feasible any other carrier they hand personal data to provides comparable privacy protection. (See also Recommendations 7 & 8)
All ISPs that handle Canadian internet traffic should prominently display a public commitment to notify customers in a timely way when their personal data has been requested by a third party, unless otherwise prohibited by law. Website text could read:
<This company>'s policy is to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order. Law enforcement or security agency officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes customer notification.
All ISPs that handle Canadian internet traffic should publish transparency reports every year or more often. These reports should include information about the requesting entities, including their country of origin, the specific agency or organization, the legal authority for the request and purpose for the request. For all such disclosure or transfer requests complied with, ISPs should provide relevant justifications. Reporting should include the numbers of requests, the number of accounts covered, the number of requests fully and partially complied with, the number declined, and the number of accounts implicated. These transparency reports should be easily accessible via the web as well as downloadable for easy sharing and analysis. Those ISPs that want to lead by example should also commit to related public education campaigns by creating whole sections of their websites devoted to these reports and include additional explanatory materials, such as videos and supplementary documents where possible.
All ISPs that handle Canadian internet traffic should make public clear guidelines for law enforcement and other third parties to follow when making requests for personal information. A suitable way to do this is through publishing law enforcement agency (LEA) handbooks.
The Guidelines for Law Enforcement, posted by Twitter provide a good model to follow.
All ISPs that handle Canadian internet traffic should make publicly clear that they include communication meta-data as well as persistent unique devices identifiers among the personal information they protect under Canadian privacy law. Since metadata is a broad term, they should itemize specifically the items comprising the metadata that they collect.
All ISPs that handle Canadian internet traffic should provide details about retention periods for the various types of personal information it handles. Justifications for these retention periods should be provided. Many ISPs have determined internally how long they will hold onto certain types of data. This information must be made public. For example:
“The following is a list of types of personal information that we retain and the normal retention periods for each type of data:
— IP logs: x days;
— call records: y days;
— preservation requests: 90 days.
In case of legal proceedings, we may be required to retain personal data until the litigation is concluded.”
All ISPs that handle Canadian internet traffic should provide detailed information about the location of storage and routing of personal data. This includes listing, for example:
All ISPs that handle Canadian internet traffic should make public the measures they adopt to keep Canadians’ data and domestic interent traffic within Canadian legal jurisdiction, or at least protect it from foreign jurisdiction, particularly the US. These measures could include:
All ISPs that handle Canadian internet traffic should make public, to the extent legally permissible, their relations with Canadian law enforcement and security agencies, as well as the measures they adopt to protect data against access by these agencies without legal due process and oversight.
All ISPs that handle Canadian internet traffic should clearly indicate their stance on current related to personal data privacy protection and mass state surveillance. This stance should include their position on alleged NSA and CSEC surveillance of Canadian internet transmissions. If an ISP is making official submissions or lobbying in relation to any prospective legislative, regulatory or policy change that can influence subscriber data protections, its activities should be readily available on its privacy pages. An ISP should be similarly transparent if it is involved in any court case around the privacy rights of their subscribers. Whatever the ISPs position in relation to user privacy rights, this should be made publicly clear.
Both the Office of the Privacy Commissioner (OPC) and Canadian Radio-Television and Telecommunications Commission (CRTC) have responsibilities under their respective legislative mandates to ensure that ISPs are respecting the privacy of their subscribers. They should exercise their powers more vigourously, to ensure proper handling of personal information and in particular that ISPs only hand off internet traffic to carriers that meet Canadian privacy law standards.
In particular it should be amended as follows:
An organization shall make readily available to individuals, and the public generally, specific information about its policies and practices relating to the management of personal information. (emphasis added to inserted text)
Currently Principle 9 only requires organizations to respond to individual requests. It should be amended to require timely proactive notification to the individual whenever a third party requests disclosure of their personal information. Any exceptions should be limited, specific and justified in relation to the circumstances.
Just as leading internet businesses are beginning to do, the law enforcement and security agencies that requests ISP to disclose personal customer information should routinely and proactively publish detailed statistics about their requests, the rationales, ISP responses, and how these have assisted or not in achieving their mandates.
This report calls on ISPs, regulators, legislators, law enforcement and security agencies to remove the systemic barriers to data privacy transparency, and to implement a more proactive approach requiring robust public transparency norms.
These various measures advancing data privacy transparency will contribute to ensuring that ISPs and third party data requestors are accountable to the public and the spirit of Canadian privacy law for their data management practices. Those actors adopting strong transparency measures will demonstrate leadership in the global battle for data privacy protections, and help bring state surveillance under more democratic control.
We appreciate the contributions of our research collaborators and assistants at the University of Toronto: Andi Argast, Alex Cybulski, Lauren DiMonte, Antonio Gamba, Colin McCann and Nancy Paterson (OCAD University). We would also like to acknowledge the input of Steve Anderson, Nate Cardozo, Tamir Israel, Christopher Parsons, Christopher Prince and Rainey Reitman.
Website and report design assistance: Jennette Weber.
This research was conducted under the auspices of the IXmaps: Mapping Canadian privacy risks in the internet 'cloud' project (see IXmaps.ca) and the Information Policy Research Program (IPRP), with the support of the Office of the Privacy Commissioner of Canada as well as The New Transparency: Surveillance and Social Sorting project, funded by the Social Sciences and Humanities Research Council.
The views expressed are of course those of the authors alone.
"Keeping internet users in the know or in the dark: A report on the data privacy transparency of Canadian internet service providers" by Andrew Clement and Jonathan Obar is licensed under a Creative Commons Attribution 2.5 Canada (CC BY 2.5 CA) .