Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers

This is an archived report.


Report Summary

Evaluating Internet Carrier Transparency

In the wake of the Snowden revelations about mass state surveillance, notably by the US National Security Agency and its Five Eyes partners, there is growing demand for internet carriers to be more forthcoming about how they handle our personal information. Calls for greater privacy transparency in Canada became more urgent after it was revealed that Canadian government agencies are asking telecoms companies to turn over Canadians’ user data at “jaw-dropping” rates. Nine carriers received nearly 1.2 million requests in 2011 alone, largely without warrants. 1

Responding to these concerns, as well as in keeping with the transparency, openness and accountability principles fundamental to Canadian privacy law, this is the second annual report that evaluates the data privacy transparency of the most significant internet carriers serving the Canadian public. We award carriers up to ten ‘stars’ based on the ready public availability of the following information:

  1. A public commitment to PIPEDA2 compliance.
  2. A public commitment to inform users about all third party data requests.
  3. Transparency about frequency of third party data requests and disclosures.
  4. Transparency about conditions for third party data disclosures.
  5. An explicitly inclusive definition of ‘personal information’.
  6. The normal retention period for personal information.
  7. Transparency about where personal information is stored and/or processed.
  8. Transparency about where personal information is routed.
  9. Domestic Canadian routing where possible.
  10. Open advocacy for user privacy rights.

These criteria are designed to address on-going privacy and civil liberties concerns, especially in light of the controversial expansion of state surveillance of internet activities.3 They are also relevant and timely in relation to the landmark Spencer Supreme Court of Canada decision that recognized that anonymity on-line is a privacy interest protected by s.8 of the Charter and that law enforcement authorities need a warrant to obtain subscriber information from telecoms (R. v. Spencer 2014 SCC 43). This report may also contribute to the debate over several items of federal legislation related to surveillance, privacy and national security that are currently before Parliament.4

We awarded stars based on careful examination of each carrier’s corporate website. Assuming that carriers want to make it easy for their customers to find information about corporate practices relating to personal information, and that the on-line privacy policy page is the first (and likely only) place users might look, we focus our attention on these public statements. 5

We expanded to 43 the carriers in our sample based on their prevalence among the approximately 9500 internet traceroutes in the IXmaps.ca database that correspond to intra-Canadian routes – i.e. with origin and destination in Canada. This added several major behind the scenes transit providers that handle internet traffic across the internet ‘backbone’, typically routing traffic via the US. We also included carriers that are the subject of parallel transparency initiatives. In particular, we were greatly assisted by the Volunteer Student Working Group at the Centre for Innovation Law and Policy (CILP) in the University of Toronto’s Faculty of Law. Their companion analysis of six of the most prominent wireless carriers provides valuable detail on the scoring of carriers. 6

The resulting star ratings can be seen in the accompanying 3 Star Tables: 7

  1. Major Canadian retail internet carriers
  2. Minor Canadian retail internet carriers
  3. Major international internet transit carriers

The Appendix contains detailed assessments for each carrier. Transparency ratings for particular internet routings and carriers can also be reviewed on the Explore page of the IXmaps website. 8

Main Changes from the 2013 Report

While internet carriers generally show little interest in being transparent about key aspects of the handling of personal information, there are some notable improvements over the past year. For the first time a small handful of Canadian carriers have begun issuing their own Transparency Reports, mainly providing statistics about the number of law enforcement requests they receive. While the details in these reports are typically scanty, and not up to the standards being established by large U.S. service providers, this is a good sign that Canadian carriers are beginning to respond to public pressure for greater transparency.

Key Findings

As the Star Tables make clear, internet carriers are generally not transparent in their handling of personal information, earning on average only 2 stars out of 10 possible.

No carrier earned a full star in any of these four criteria:

  • #2 - A public commitment to inform users of all third party data requests
  • #6 - The normal retention periods for personal information
  • #7 - Transparency about where personal information is stored and/or processed
  • #8 - Transparency about where personal information is routed.

The ‘fighting brands’ of major mobile carriers, Virgin Mobile, Fido and Koodo, all score below average and are significantly less transparent than their corporate owners, Bell, Rogers and Telus respectively.

Only one company stands out by earning more than 5 stars. TekSavvy achieved 6 stars in aggregate based on full or half stars across eight criteria, the widest spectrum of privacy transparency of any carrier.

For the first time in 2014, Canadian internet carriers have begun issuing Transparency Reports that systematically provide statistics and other relevant details on law enforcement requests for personal data. Rogers, SaskTel, Telus, TekSavvy, and Wind are the pioneers. Carriers are also being more publicly explicit about what they require from law enforcement when making such requests for personal subscriber information.

No transit provider indicates explicit compliance with Canadian privacy law. This is concerning because these behind the scenes internet carriers handle large quantities of intra-Canadian traffic.

Transit carriers generally score much lower than the retail carriers and typically expose personal data to mass state surveillance by the NSA. This is concerning because when outside Canada, or handled by carriers subject to US or other jurisdictions, Canadians’ data enjoy no effective legal protection, and certainly much less than when within Canadian jurisdiction. 9

Given the lack of equivalent privacy protection between Canada and the U.S., and the reliance on U.S. transit providers or U.S. routing for Canadian domestic internet traffic, aka ‘boomerang’ routing, it appears that many Canadian internet carriers are in violation of their legal responsibilities under PIPEDA.

Policy Recommendations

Without proactive public reporting on the part of carriers in the key areas identified above, it is very difficult for Canadians to hold these important organizations to account and develop the trust in them appropriate to the sensitivity of the information they carry in such large volumes. To remedy this situation, we make two primary recommendations:

Primary Recommendation 1:

To earn the trust of Canadians, the companies that carry their personal information via the internet need to be much more transparent about the handling of information – who has access to it, on what terms, how long it is kept, where it is stored, processed and routed – and generally more actively promote the privacy interests of their subscribers.

Primary Recommendation 2:

Given the risks of mass suspicionless surveillance, especially by the National Security Agency, when Canadians’ data transits the U.S. or is handled by U.S. based transit providers, and the absence of legal or constitutional protections for Canadians’ data in these cases, Canadian retail carriers should avoid transferring personal data to companies that bring such exposure. This can be achieved by only handing domestic traffic off inside Canada to carriers that are exclusively within Canadian jurisdiction.

We also offer the following more specific recommendations directed at various key internet privacy actors:

For carriers that handle Canadian internet traffic:

Carriers should go beyond minimum compliance with Canadian privacy law, and, in the spirit of PIPEDA’s Principle 8 – Openness, commit proactively to making the information identified by the ten criteria readily available publicly. In particular, they should publish on the privacy/transparency articles of their corporate websites:

Recommendation 1:

A public commitment to PIPEDA compliance, and ensuring that data handed to third parties for any form of storage, processing or routing enjoys equivalent protection.

Recommendation 2:

A public commitment to inform users when personal data has been requested by a third party.

Recommendation 3:

Regular, detailed transparency reports that provide information about third party data requests and disclosures.

Recommendation 4:

Detailed conditions and procedures for law enforcement and other third parties that submit requests for personal information.

Recommendation 5:

A clear indication that metadata and device identifiers are included in the definition of ‘personal information’.

Recommendation 6:

Retention periods and the justification for these, for the various types of personal information handled.

Recommendation 7:

Details of whether personal data may be stored, processed or routed outside Canada, and what risks this may entail.

Recommendation 8:

How they strive to keep Canadians’ data within Canadian legal jurisdiction.

Recommendation 9:

How they strive to keep Canadians’ data protected against mass Canadian state surveillance.

Recommendation 10:

How they advocate for their subscribers’ privacy rights.

Recommendation 11:

Consolidate all privacy and transparency policy information so it is easily accessible through the main corporate privacy page.

For Privacy Commissioners and the Canadian Radio-Television and Telecommunications Commission (CRTC):

Recommendation 12:

Regulators should more closely oversee carriers, Canadian and foreign, to ensure their data privacy transparency and compliance with legal obligations.

For Legislators and Politicians:

Recommendation 13:

Amend PIPEDA’s Principle 8 — Openness to include proactive transparency around key privacy policies.

Recommendation 14:

Amend PIPEDA’s Principle 9 — Individual Access to require proactive notification in the case of third party disclosure requests.

For Canadian Law Enforcement and Security Agencies:

Recommendation 15:

Canadian law enforcement and security agencies should proactively publish statistics about requests for personal information they make to internet carriers, including the legal basis for such requests and the responses from carriers.

These various measures advancing data privacy transparency will contribute to ensuring that ISPs and third party data requestors are accountable to the Canadian public for their data management practices. Those actors adopting strong transparency measures will demonstrate leadership in the global battle for data privacy protections, and help bring state surveillance under more democratic control.

Notes
  1. Alex Boutilier, Government agencies seek telecom user data at ‘jaw-dropping’ rates, Toronto Star, Apr 29 2014.
  2. Personal Information Protection and Electronic Documents Act
  3. Note for instance that the latest incarnation of highly controversial ‘lawful access’ legislation, Bill C-13 - Protecting Canadians from Online Crime Act, passed into law October 20, 2014.
  4. Current Federal Bills:
     S-4 - Digital Privacy Act, 2014
     C-44 - Protection of Canada from Terrorists Act, 2014
     C-51 - Anti-terrorism Act, 2015
  5. In the case of criterion 9 – Publicly visible steps to avoid U.S. routing of Canadian data, we also examine the peering arrangements noted on the websites of the main Canadian public internet exchanges, TorIX, OttIX and YYCIX (Toronto/Ottawa/Calgary Internet Exchanges) as these are also publicly visible.
  6. The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency, 2014-2015 Centre for Innovation Law and Policy Volunteer Student Working Group, Centre for Innovation Law and Policy (CILP), Faculty of Law, University of Toronto, March 12, 2015.
  7. Division into these three tables was based primarily on the difference in role, between Canadian retail ISP and backbone transit carrier, and then secondarily among retail carriers based on the prominence of their internet presence in Canada, rather than their telephone or other service offerings.
  8. https://ixmaps.ca/map.php
  9. Lisa M. Austin, Heather Black, Michael Geist, Avner Levin and Ian Kerr, Our data, our laws, National Post, December 12, 2013.
    Lisa M. Austin, Enough About Me: Why Privacy is About Power, Not Consent (or Harm), Forthcoming in Austin Sarat, ed., A World Without Privacy?: What Can/Should Law Do (Cambridge 2014)
    Lisa M Austin and Daniel Carens-Nedelsky, Jurisdiction still matters: The Legal Contexts of Extra-National Outsourcing, presented at the Assessing Privacy Risks of Extra-National Outsourcing of eCommunications public forum, Seeing Through the Cloud: Why Jurisdiction Still Matters in a Digitally Interconnected World, University of Toronto, March 6, 2015. See webcast.

About the Authors

Andrew Clement (andrew.clement@utoronto.ca) is a Professor in the Faculty of Information at the University of Toronto, where he coordinates the Information Policy Research Program and is a co-founder of the Identity, Privacy and Security Institute. With a PhD in Computer Science, he has had longstanding research and teaching interests in the social implications of information/communication technologies and participatory design. Among his recent privacy/surveillance research projects are IXmaps.ca, an internet mapping tool that helps make more visible NSA warrantless wiretapping activities and the routing of Canadian personal data through the U.S. even when the origin and destination are both in Canada; SurveillanceRights.ca, which documents (non)compliance of video surveillance installations with privacy regulations and helps citizens understand their related privacy rights; the SurveillanceWatch app, which enables users to locate surveillance cameras around them and contribute new sightings of their own; and Proportionate ID, which demonstrates, through overlays for conventional ID cards and a smartphone app, privacy-protective alternatives to prevailing full disclosure norms. Clement is a co-investigator in The New Transparency: Surveillance and Social Sorting research collaboration. See http://www.digitallymediatedsurveillance.ca/

Jonathan Obar (jonathan.obar@uoit.ca) is an Assistant Professor in the Faculty of Social Science and Humanities at the University of Ontario Institute of Technology. He also serves as a Research Associate at the Quello Center for Telecommunication Management and Law at Michigan State University. Dr. Obar has published in a wide variety of academic journals about the relationship between digital media technologies, ICT policy and the protection of civil liberties.

Acknowledgments

We appreciate the contributions of our research collaborators and assistants at the University of Toronto: Antonio Gamba, Alex Goel and Colin McCann. We are also pleased to acknowledge the input of Steve Anderson (Openmedia.ca), Nate Cardozo (EFF), Andrew Hilts (Cyber Stewards Initiative), Tamir Israel (CIPPIC) and Christopher Parsons (Citizen Lab).

The research reported here benefited significantly from collaboration with the Centre for Innovation Law and Policy (CILP), Faculty of Law, University of Toronto. We worked most closely with Matthew Schuman, Assistant Director, and Ainslie Keith, who led a Volunteer Student Working Group consisting of Shawn Arksey, Michael Cockburn, Caroline Garel-Jones, Aaron Goldstein, Nathaniel Rattansey, Kassandra Shortt, Jada Tellier and Matthew Vaughan.

Website and report design assistance: Jennette Weber.

This research was conducted under the auspices of the IXmaps: Mapping Canadian privacy risks in the internet ‘cloud’ project (see IXmaps.ca) and the Information Policy Research Program (IPRP), with the support of the Office of the Privacy Commissioner of Canada (2012-13), The New Transparency: Surveillance and Social Sorting project funded by the Social Sciences and Humanities Research Council (2012-15), and the Mapping Canadian internet traffic, infrastructure and service provision (2014-15), funded by the Canadian Internet Registration Authority (CIRA).

The views expressed are of course those of the authors alone.

Creative Commons License
"Keeping internet users in the know or in the dark: A report on the data privacy transparency of Canadian internet carriers" by Andrew Clement and Jonathan Obar is licensed under a Creative Commons Attribution 2.5 Canada (CC BY 2.5 CA).