Local Internet service providers (ISPs) could be handing over our personal data to government authorities or other third parties without our knowledge because most of these ISPs tell their customers very little about what they do with our information, according to a report that looks into the privacy practices of 43 Canadian ISPs.
The report entitled “Keeping Internet Users in the Know or in the Dark,” stems from a survey conducted by Andrew Clement, industry policy researcher at the University of Toronto and Jonathan Obar, researcher at the University of Ontario, Institute of Technology. The report was produced in coordination with the Centre for Innovation Law and Policy.
Canadian ISPs “all scored poorly” based on a set of 10 data privacy and security criteria set by the researchers. They also found that “compliance to PIPEDA (the Personal Information Protections and Electronics Documents Act) is minimal and partial at best.”
The ISPs were awarded up to 10 “stars” based on the public availability of the following information:
- A public commitment to PIPEDA compliance
- A public commitment to inform users about all third party data requests
- Transparency about frequency of third party data requests and disclosures
- Transparency about conditions for third party data disclosures
- An explicitly inclusive definition of ‘personal information’
- The normal retention period for personal information
- Transparency about where personal information is stored
- Transparency about where personal information is routed
- Publicly visible steps to avoid U.S. routing of Canadian data
- Open advocacy for user privacy rights (such as in court and/or legislatively)
Off all the ISPs, Chatham, Ont.-based TekSavvy Solutions received the most aggregate stars (3.5).
Teksavvy stood out from the others by earning more stars in more criteria (five) than any other and was the only ISP to receive recognition (half star) for the public commitment about third party data requests.
“TekSavvy also distinguishes itself as the only ISP to discuss its stance on user privacy rights on its website by informing customers how they treat third party requests and the presentation of court documents,” the report said.
The survey also found that smaller, indepedent Canadian carriers scored better than larger incumbents.
Bell, Bell Aliant, MTS Allstream, Rogers, Shaw, Telus, Videotron averaged two stars, while their smaller independent competitors scored 2.75.
“An important contributor to this discrepancy is that these small carriers generally peer openly at Canadian public Internet exchange points, whereas none of their larger competitors do,” the report said.
Canadian carriers also scored better that foreign ones. The highest scoring non-Canadian carriers was Primus Canada which received three stars. Cogent and AboveNet received no stars. The report noted that Cogent made it clear to customers that they could not expect protection for their personal data. The company even tells customers:
Cogent makes no guarantee of confidentiality or privacy of any information transmitted through or stored upon Cogent technology, and makes no guarantee that any other entity or group of users will be included or excluded from Cogent’s network.
In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Bell companies to collect, use and disclose personal information for all identified purposes.
“No carrier providing Internet services directly to Canadians has yet followed the lead of major US internet service providers, such as AT&T, Verizon, Google, Facebook or Twitter, and proactively reports on the frequency of law enforcement requests and how they respond to them,” the report said.
The researchers came up with a total of 14 recommendations covering the areas of how ISPs should handle Canadian Internet traffic, recommendations for the commissioner of the Canadian Radio-television and Telecommunications Commission (CRTC), legislators and politicians and recommendations for law enforcement and security agencies.
Among others, they recommended that ISPs should:
- Prominently display commitment to PIPEDA
- Inform customers when their personal data has been requested by a third party
- Provide clear details around conditions and procedures for law enforcement and third parties which request personal information
- Itemize specifically the items comprising the metadata they collect,
- Provide customers details about the retention period for various types of personal information they handle.
Clement and Obar also recommended that Canadian law enforcement and security agencies should publish statistics about the requests for personal information that they make to ISPs.
“These various measures advancing data privacy transparency will contribute to ensuring that ISPs and third party data requestors are accountable to the public and the spirit of Canadian privacy law for their data management practices,” the researchers said. “Those actors adopting strong transparency measures will demonstrate leadership in the global battle for data privacy protections, and help bring state surveillance under more democratic control.”