Baby I Got Your Data: Canadian ISPs Aren’t Transparent About Client Information

Screen shot 2014-03-27 at 3.53.51 PM

The legendary American hip-hop artist “ODB” once waxed, “I’m the O-D-B as you can see/ Every eye, don’t you be watching me.”

Evidently Canadian Internet Service Providers (ISPs) never listened to those wise words. Canadian consumers are giving Internet carriers their “numbers”, but they’re not getting “called up”.

In fact, a new report from the faculty of information at the University of Toronto indicates that the amount of transparency on behalf of Canadian Internet Service Providers (ISP) is near deplorable.

20 Canadian ISP’s were ranked up to ten stars based on their data privacy transparency. The study, called “Keeping Internet Users in the Know or in the Dark?“, was completed by Andrew Clement & Jonathan Obar.

It was completed in the wake of the Snowden revelations about NSA surveillance, amid recent calls for greater data privacy that recommended that ISPs be more forthcoming about their handling of our personal information. Responding to this concern as well as in keeping with the transparency, openness and accountability principles fundamental to Canadian privacy law, the report evaluated the evidence.

Stars were awarded based on how an ISP could answer these ten questions, based on publicly available information:

1) A public commitment to PIPEDA1 compliance.
2) A public commitment to inform users about all third party data requests.
3) Transparency about frequency of third party data requests and disclosures.
4) Transparency about conditions for third party data disclosures.
5) An explicitly inclusive definition of ‘personal information’.
6) The normal retention period for personal information.
7) Transparency about where personal information is stored.
8) Transparency about where personal information is routed.
9) Publicly visible steps to avoid U.S. routing of Canadian data.
10) Open advocacy for user privacy rights (such as in court and/or legislatively).

The results weren’t pretty: ISPs earned very few stars – 1.5/10 on average. The highest scoring carrier overall was TekSavvy, earning 3.5 stars. The large foreign carriers Cogent and AboveNet (Zayo) received no stars.

“Slightly more than half of the ISPs (11 of 20), all operating primarily in Canada, state a commitment to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the handling of personal information in commercial transactions. None of the foreign-based ISPs that carry significant amounts of intra-Canadian traffic indicate any explicit compliance with Canadian privacy law. Foreign carriers expose personal data to US and other jurisdictions, where Canadian data is largely unprotected legally from foreign state surveillance. This is especially concerning because while Canadians can work to influence the activities of a democratically governed Canadian state surveillance apparatus, Canadians’ ability to affect the activities of foreign governments is relatively limited.”

No Canadian ISP has yet to publish a transparency report along the lines of AT&T, Verizon, Google, Facebook or Twitter, each of which have begun to report standardized statistics concerning law enforcement access requests.

As a result of the study, Clement and Obar issued these 14 policy recommendations for Canadian ISPs:

Recommendation 1: A public commitment to PIPEDA compliance,

Recommendation 2: A public commitment to inform users when personal data has been
requested by a third party,

Recommendation 3: Regular, detailed transparency reports that provide information about third party data requests and disclosures,

Recommendation 4: Detailed conditions and procedures for law enforcement and other third parties that submit requests for personal information,

Recommendation 5: A clear indication that metadata and device identifiers are included in the definition of ‘personal information’.

Recommendation 6: Retention periods and the justification for these, for the various types of personal information handled,

Recommendation 7: Details of whether personal data may be stored or routed outside Canada,

Recommendation 8: How they strive to keep Canadians’ data within Canadian legal jurisdiction,

Recommendation 9: How they strive to keep Canadians’ data protected against mass Canadian state surveillance,

Recommendation 10: The extent to which they advocate for their subscribers’ privacy rights.

For Privacy Commissioners and the Canadian Radio-Television and Telecommunications Commission (CRTC):

Recommendation 11: Regulators should more closely oversee ISPs to ensure their data privacy transparency.

For legislators and politicians:

Recommendation 12: Amend PIPEDA’s Principle 8 — Openness to include public transparency.

Recommendation 13: Amend PIPEDA’s Principle 9 — Individual Access to require proactive notification

Recommendation for Canadian law enforcement and security agencies:

Recommendation 14: Canadian law enforcement and security agencies should proactively
publish statistics about requests for personal information they make to ISPs.

Those actors adopting strong transparency measures will demonstrate leadership in the global battle for data privacy protections, and help bring state surveillance under more democratic control.

Joseph Czikk

Joseph Czikk

Joseph Czikk previously has written for the National Post, Montreal Gazette, Vancouver Sun, Regina Leader Post, Techvibes and BC Business Online. Joseph often goes crazy on twitter during NHL and NFL games.