Keeping Internet Users in the Know or in the Dark
An Analysis of the Data Privacy Transparency of Canadian Internet Carriers
In the wake of Snowden's revelations about National Security Agency (NSA) surveillance, demands that Internet carriers be more forthcoming about their handling of personal information have intensified. Responding to this concern, this report evaluates the data privacy transparency of forty-three Internet carriers serving the Canadian public. Carriers are awarded up to ten stars based on the public availability of information satisfying ten transparency criteria. Carriers earn few stars overall, just 92.5 out of 430, an average of two of ten possible stars. A variety of policy recommendations are provided to encourage and guide further data privacy transparency efforts in Canada as well as around the world.
When we use the Internet, we entrust the enormous quantities of personal data produced by our online activities to a select group of Internet carriers. These carriers, also referred to as Internet service providers (ISPs) or telecommunication service providers (TSPs),1 carry, transmit, and route data back and forth over the Internet between personal devices (laptops, smartphones, etc.), e-mail servers, websites, social networking sites, and other services. The personal information carried in these messages, as well as the associated metadata, is often sensitive and highly revealing of our private lives, of our desires, affiliations, movements, social networks, spending habits, and so forth. It is not surprising, then, that as the role of the Internet in Canadians' daily lives expands, so too does a range of privacy concerns about Internet carriers surveilling and monitoring our personal information. Beyond the commercial uses and abuses of this potentially sensitive information, the recent revelations of US National Security Agency (NSA) whistleblower Edward Snowden validate longstanding privacy concerns. The evidence strongly indicates that it is not just businesses analyzing the details of our online activities, but that state signals intelligence agencies, such as the NSA and Canada's equivalent, the Communications Security Establishment (CSE), have secretly gained the cooperation of Internet carriers to capture, without prior suspicion, our data as it flows across their networks, and to analyze it for a variety of unknown, but potentially intrusive and even illegal, purposes.2
Knowing more about what carriers do with our data is becoming increasingly urgent. When a company or law enforcement agency (LEA) demands access, do carriers comply? Do they inform us about it? Do carriers route or even store Canadian's personal data beyond Canadian legal protection? Are they proactive in promoting their users' privacy interests? When it comes to data privacy protection, do carriers keep Canadians in the know or in the dark?
This analysis evaluates the data privacy transparency of forty-three Internet carriers that serve the Canadian public. We define data privacy transparency as the act of being open about commitments to data privacy protections, as well as publicly forthcoming about data collection, management, storage, retention, disclosure, and routing practices. It should be clear that data privacy transparency addresses what is said in public, and may not accurately reflect the actions of a disingenuous or secretive organization. We operationalize data privacy transparency with ten evaluation criteria, and award carriers half or full stars based on how well they fulfill each of these. We present the results in “star tables” to show off the best performers and facilitate comparisons between them. Our hope is that this analysis will help Internet users in Canada and around the world become better informed and equipped, individually and collectively, to choose their ISPs based on privacy considerations and more generally to hold them to account. We seek further to encourage carriers to become more transparent about how they handle personal information. We also hope that this study can serve as a model for future evaluations in other international contexts.
This study begins by providing some background on the importance of data privacy transparency and reasons for assessing it. We explain how we evaluate carriers—which carriers we chose to focus on and why, the ten assessment criteria we developed, and how we apply each of them in awarding stars. After an analysis and discussion of the resulting scores, we provide recommendations (see Appendix A), mainly aimed at the carriers, about the state of data privacy transparency in Canada and where improvements should be considered.
Why Assess Transparency?
Transparency assessments matter because access to relevant information is vital to maintaining accountability in principal–agent relationships.3 A principal–agent relationship is one in which an individual or organization (the principal) delegates some form of labor to a representative (the agent).4 Typically, delegation is required because the function performed by the agent would otherwise be burdensome, time-consuming, and/or complicated for the principal. From the representative government tasked with governing society to the company providing a packaged food item, individuals enter into principal–agent relationships in many aspects of their lives. Connections via the Internet are also facilitated through these relationships, with individuals delegating the responsibility for an Internet connection to various Internet carriers. While this division of labor allows individuals to enjoy the benefits of services that would otherwise be burdensome, time-consuming, or complicated, delegation introduces potential hazards. A fundamental concern associated with these relationships is the “principal–agent problem,” based in the reality that agents may not always act in accordance with the demands or even the best interests of principals.5 A representative government may marginalize individuals or groups through a lack of pluralism, a manufacturer of processed food may add unhealthy or even dangerous ingredients to its packaged food, and Internet carriers may violate privacy rights by mishandling the personal data of their customers. In general, principal–agent problems arise and persist because agents hide or do not give access to information about the tasks they are performing. Furthermore,
[s]ince the principal cannot always be there to observe the choices of an agent, the agent can enjoy some power to make choices with which the principal might disagree. Principals cannot always see what choices an agent is making, and cannot often see the full set of ideas and data that an agent faced when making a selection.6
This returns us to the benefits of transparency and the connection between access to information and the maintenance of accountability in principal–agent relationships. If hidden or inaccessible information contributes to agent concerns, then revealing and giving access to information is a potential solution. Governments should reveal the details of their deliberations, food manufacturers should disclose ingredients and nutritional information on product labels, and Internet carriers must communicate how they handle data and protect the privacy of data subjects. This is an idea with an intellectual lineage stretching back far longer than discussions about telecommunication providers and data collection. In 1822, James Madison, often regarded as the “Father” of the US Constitution and the Bill of Rights, wrote:
A popular Government, without popular information, or the means of acquiring it, is but a Prologue to a Farce or a Tragedy; or, perhaps both. Knowledge will forever govern ignorance: And a people who mean to be their own Governors, must arm themselves with the power which knowledge gives.7
In 1913, Justice Louis D. Brandeis, who with Samuel Warren is credited with formulating the first modern notion of informational privacy, expressed similar sentiments in Harper's Weekly: “Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”8
Madison's and Brandeis's words have bolstered subsequent legislative efforts aiming to promote greater corporate and government transparency, lighting a path to the US Freedom of Information Act and beyond.9 At the heart of these and more recent attempts is the notion that the public's voice, when well informed about institutional practices and power structures, serves as a check on their excesses, and has the potential to protect against social, economic, and moral stratifications, bias, myopia, and even tyranny.10 Similar views of the connection between information access and the ability to hold institutional power structures to account have historically served as justifications for the Fourth Estate,11 and more recently, an emerging digitally mediated Fifth Estate.12 Indeed, “transparency is thus a highly valued instrumental good, since it is an input into a process of monitoring that increases the odds that voters or consumers get what they want from institutional actors.”13
In the current context, this means questioning the sources of information available to the public that aid in the realization of these protections. Our analysis supplements contributions of the Fourth or Fifth Estate as well as those of whistleblowers and advocates to advance data privacy transparency. We take a more academic approach, systematically assessing Internet carriers' public statements in relation to a legally mandated model of information access known as the “openness principle” that requires organizations that handle personal information to disclose key aspects of their practices.
Data Privacy Transparency and the “Openness Principle”
Responding to the growth of digital data collection and processing of personal information during the 1960s and 1970s, the concept of “fair information practices” was proposed in the United States in a 1973 report entitled Records, Computers and the Rights of Citizens, released by the US Department of Health, Education, and Welfare.14 In 1980, the Organisation for Economic Co-operation and Development (OECD) elaborated on these efforts and developed its OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which now underpin privacy legislation around the globe. Among the guidelines is the OECD's “Openness Principle,” which states,
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.15
Over the more than thirty years since the OECD established its guidelines, other data privacy initiatives have built on these fair information practice principles, including the EU's 1995 Data Protection Directive16 and the White House's 2012 Consumer Privacy Bill of Rights.17 Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which since 2001 has regulated privacy in commercial transactions within Canada, fits squarely in this transparency tradition. Its Openness Principle (PIPEDA Principle 8) states,
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.18
Even in jurisdictions where there is not a legal requirement for the kind of transparency implicit in PIPEDA's Openness Principle, such as in the private sector in the United States, corporations have begun to value publicly manifesting a form of data privacy transparency. A prominent example is the rapidly growing number of major technology companies that now routinely publish their own transparency reports, providing annual or semiannual statistics on the number of requests they receive for personal information they hold on their users. Google was the first of these in 2010, evidently to address growing public concerns about the enormous volumes of personal information that it collects and processes intensively for commercial purposes. Twitter and Dropbox were the next two major companies to follow suit, in 2012. This trickle became a flood in 2013 following the revelations by Edward Snowden about the mass suspicionless surveillance by the NSA and the signals intelligence agencies in the Five Eyes partnership (United States, United Kingdom, Canada, Australia, and New Zealand). By the end of 2015, the number of Internet and telecommunications companies worldwide producing some form of a transparency report had leapt to sixty-one.19
This corporate self-reporting focuses almost exclusively on the number of requests for personal information received from national LEAs. The resulting statistics are revealing of widespread intrusive practices that had hitherto been largely secret. In many cases, they also show the willingness of these companies to hand over customers' personal information with little evident effort to protect privacy. In this regard, such reporting represents a significant step in the right direction. But each company report is unique, even idiosyncratic, making it hard to compare one company's statistics with another, or even to understand what each measure means specifically. They can also be seen as self-serving on the part of the companies, developed not just to reveal internal operations, but to help deflect the growing criticism they are facing away from their own data handling practices and onto government. In relation to the breadth of possible disclosure of other privacy sensitive corporate practices, these reports are very narrow in scope, and do little to address the many other privacy concerns people have about the potential abuse of their data by business organizations, to say nothing about those companies that were quietly cooperating with governments seeking access to their data collected originally for commercial purposes.20
While this kind of transparency reporting does shed useful light on previously hidden practices, unless it helps provide a foundation for more comprehensive transparency reporting and contributes to the momentum needed to achieve substantive reform, it risks being counterproductive by giving the appearance of actually addressing the real problem and so reducing the motivation for further action. Thus transparency reporting risks becoming an end in itself, rather than a means to the wider democratic governance goal of public accountability of organizations, especially those that wield considerable social, economic, and political power.
Focusing on the case of Internet carriers currently serving the Canadian public, we adopt a public accountability approach to examine the privacy materials made public by the most prominent of these organizations. We highlight those that not only claim to meet the letter of their legal responsibilities under PIPEDA, but in the spirit of Principle 8—Openness, go beyond minimum compliance requirements by making important aspects of their handling of personal data publicly transparent. In doing so, we aim to help Internet users in Canada and abroad understand better the privacy risks of using the Internet, and which carriers do more to earn their trust by being transparent about their privacy practices in specific ways.
While this is the first Canadian study of ISP data privacy transparency, it is inspired by and contributes to the growing number of similar efforts around the world. These include, most notably, the Electronic Frontier Foundation (EFF)'s “Who Has Your Back” reports21 and the “Ranking Digital Rights” Project (led by Rebecca McKinnon of the New America Foundation and the University of Pennsylvania).22 Since we began this work in 2013, civil society organizations in several other countries have undertaken transparency reporting initiatives aimed at telecom companies, typically focusing in particular on how carriers deal with requests for personal information made by law enforcement and security agencies. AccessNow, mentioned earlier, provides a global Transparency Reporting Index of such companies.23 The Berkman Center for Internet & Society at Harvard University and New America's Open Technology Institute (OTI) have since 2013 led the development of the Transparency Reporting Toolkit, producing a series of memos that survey the transparency reporting practices of forty-three US Internet and telecommunications companies, and highlight the “best practices” among them.24 Based closely on the EFF “Who Has Your Back” reporting, Karisma25 in Colombia and Red en Defensa de los Derechos Digitales (R3D) in Mexico have recently issued reports comparing the transparency and privacy practices of the leading telecom companies in their respective countries.26 Closer to home is the work of Dr. Christopher Parsons and Andrew Hilts, at the University of Toronto's Citizen Lab, who used in-depth questionnaires and personal information requests to make publicly available detailed information about data retention periods and the handling of law enforcement access requests that Canadian carriers haven't published proactively.27 By contrast, and like the EFF, we assess, compare, and highlight only what ISPs already publicly reveal across a wider range of data privacy transparency issues.
By drawing attention to important but too often obscure personal data handling practices of ISPs and giving recognition to those carriers that are relatively open, we hope to encourage carriers to be more proactively transparent and to take stronger public stands for user privacy. To be clear, we do not rate the actual privacy protections carriers offer—that would require a different study—but instead assess a vital ingredient of data privacy and public accountability—transparency. It is quite possible that a carrier may be very protective of personal data, but if it is not publicly transparent about its policies and practices, on what basis can we trust it? Given that it is much easier to post statements about privacy policies and practices once formulated than to enact them, the absence of these statements strongly suggests that strong privacy protections don't exist.
We are also not ranking carriers in a single ordering from best to worst. Rather, we prefer to direct attention to specific aspects of privacy transparency, showing where improvement is possible and cheering on those providers that are especially transparent about how they handle our personal information.
Our method is modeled after the EFF's approach to its “Who's Got Your Back” annual reports.28 We take an explicitly Canadian orientation, focusing specifically on carriers, rather than digital media service providers more generally (i.e., companies like Apple and Facebook), while broadening the range of criteria to highlight those that are particularly relevant to contemporary privacy concerns in Canada.
We examined the privacy statements of the leading forty-three carriers that currently route Canadian Internet traffic. The primary basis for selection was not familiarity to Canadians, but more importantly, the degree to which they carry domestic Canadian Internet traffic. We assessed this by drawing on the database of traceroutes that the IXmaps.ca research project has accumulated by crowdsourcing methods since 2009.29 At the end of 2014, the database contained over 35,000 trace-routes, of which over 9,000 we categorized as intra-Canadian, that is, they originate and terminate in Canada, whether or not they are routed entirely within Canada. We examined data on these intra-Canadian routes to identify all ISPs that carried traffic between the immediate origination and destination, and ranked them by the number of routers involved in carrying this traffic.
The resulting sample includes all the major Canadian telecom carriers (Bell, Bell Aliant, Cogeco, MTS Allstream, Rogers, Shaw, Telus, and Videotron), as well as several of their smaller Canadian competitors (Distributel, Eastlink, Primus Canada,30 Storm Internet Service, and Teksavvy). But importantly, it also includes those large ISPs that do not have a local, retail presence in Canada but serve as “transit providers,” handling Canadian traffic behind the scenes, in the “backbone” or “core” of the Internet. These include a Canadian networking provider (Peer-1, owned by Cogeco), large well-known US carriers (AT&T, Comcast, Sprint, Verizon), and major global Internet backbone operators, mostly based in the United States (AboveNet [Zayo], Cogent, Hurricane, Level-3, Limelight, Savvis [CenturyLink], Tata, and TeliaSonera) that despite their vital role in Internet operations, are much less well known publicly.
The remaining carriers in the sample were chosen, in part, to parallel complementary data privacy transparency research being conducted at the University of Toronto's law school31 and the Citizen Lab.32 They include mobile “fighting brands”33 for Bell, Rogers, and Telus (Virgin Mobile, Fido, and Koodo respectively), as well as Acanac, ACN Canada, Bruce Telecom, Cogeco, Comwave, Execulink, Fongo, Mobilicity, Northwestel, Novus, Sasktel, Telebec, VIF Internet, Wind Mobile, and Xplornet. As noted in Tables 1–3, we have organized the carriers into “Major,” “Minor” and “Transit” carriers, which together represent a very large proportion of the routing of Canadian Internet traffic.34
Assigning Stars to Carriers
In an attempt to recognize carriers already demonstrating levels of data privacy transparency, carriers earn stars for each of the following ten criteria. We award stars based on readily available evidence presented on the ISP's corporate website. On the premise that carriers would want to make it easy for their customers to find relevant information about corporate practices around personal information, and that the online privacy pages are where users would look first (and likely not look further), we confined our attention to these public sections.35 To encourage carriers to ensure that privacy sections of corporate websites are comprehensive, our analysis focuses only on privacy policies (summaries and complete policies), codes of fair information practice, transparency reports, third-party access guidelines/handbooks, and any other privacy-related material located in the privacy section of corporate websites as they appeared on a particular target date to which we had alerted the carriers.36 Terms of service agreements, user agreements, and all other legal materials were not assessed.
We provided all ISPs evaluated with the opportunity to respond to a preliminary version of the evaluation criteria and our initial data privacy transparency assessment of the organization. For those carriers that responded to our e-mails, we took their comments into consideration for the current analysis and rechecked their websites to see if they had updated their public statements in light of our assessment.37
Data privacy transparency is a broad and evolving concept, with an (over-)abundance of possible criteria upon which to assess it. In our case, we began this work in early 2013 with the criteria the EFF used in its 2012 Who's Got Your Back report (i.e., informing users of third-party requests, corporate transparency reporting, fighting for user privacy in the courts and legislature). We supplemented these with criteria directly related to current Canadian controversies around personal privacy and civil liberties—most notably the defeated Bill C-30 “lawful access” proposal,38 and concerns about the “boomerang” routing (aka “tromboning”) of Canadian domestic Internet traffic through the United States in particular39 (e.g., definition of personal information, data retention periods, locational jurisdiction of data storage, and routing). Their relevance has been subsequently heightened in light of the Snowden revelations of the extraordinary expansion of mass state surveillance of Internet activities as well as the reincarnation of lawful access legislation in the form of Bill C-13—the Protecting Canadians from Online Crime Act, passed in October 2014, and Bill C-51—the Anti-Terrorism Act 2015, passed June 2015, but up for review and possible repeal by the Liberal Government elected a few months later.40 In what follows, we describe all ten criteria including descriptions of content that would earn full, half, or no stars for each.41
A public commitment to PIPEDA compliance
The PIPEDA, and its provincial equivalents,42 applies to the commercial activities of all private sector organizations that exhibit a real and substantial connection to Canada, and outlines rules for how they may collect, use, or disclose personal information.43 In particular, ISPs, wireless carriers, and other telecommunications carriers, as federally regulated entities, are required to comply with PIPEDA.44 An important requirement of PIPEDA is that personal information can only be transferred to third parties, whether Canadian or foreign, that provide an equivalent level of protection as that offered by PIPEDA. This criterion evaluates the extent to which carriers serving the Canadian market inform the public of their basic privacy responsibilities under the law.
Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.
Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn't mention third-party PIPEDA-equivalent protection.
No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.
A public commitment to inform users of all third-party data requests
PIPEDA states that individuals have a right to be informed upon request whether their personal information has been disclosed to a third party, including the government.45 This criterion aims to encourage carriers, in the spirit of PIPEDA's “openness” principle, to go a step further and state proactively that they will contact an individual after receiving a request for his or her personal information. This involves informing them it has been disclosed without the individual bearing the burden of having to first inquire.
Full Star: The carrier clearly indicates that it will notify a user when it has received a third-party request for the user's information, unless explicitly prohibited from doing so by law. Half Star: A carrier does not indicate that it will notify users when it receives requests; however, it indicates that users may send an inquiry in order to acquire such information.
No Star: The carrier makes no mention of how users may learn of third-party requests for their personal information.
Transparency about frequency of third-party requests and disclosures
This criterion considers whether a carrier has published information regarding the types of requests for personal data it receives and how it responds to such requests. As noted earlier, beginning in 2010 a rapidly growing number of major US-based Internet companies began regularly publishing transparency reports. In 2014, for the first time, Canadian Internet carriers began to follow suit. These transparency reports typically include statistics about the number of requests the companies receive from third parties, broken down by government (law enforcement, etc.), commercial, and noncommercial entities. Also important is how many requests are complied with, how many accounts requests apply to, and how many disclosures of information there were.46 The best transparency reports mention the lawful authority that accompanied the requests (e.g., whether the request was accompanied by a warrant or other court order), and in some cases even indicate the number of secretive “security letters” the carrier has handled.
Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
The number of requests from third parties, broken down by government (law enforcement, etc.), commercial, and noncommercial entities.
How many requests it complied with.
How many accounts the requests applied to.
How many disclosures of information there were.
Half Star: The carrier has published some information but leaves many important statistics out.
No Star: The carrier has published no information relating to these types of statistics.
Transparency about conditions for third-party data disclosures
Canadians use communication devices every day to browse the Internet and transmit personal information via phone calls and text messages. The information transmitted, received, and accessed through these activities is logged by carriers who may disclose this information along with data about identity, address, and service payments to third parties, notably law enforcement. Evidence came to light in March 2014 revealing that such disclosure has been a very common occurrence, typically without carriers requiring a judicial warrant or other court order.47 This criterion seeks to evaluate the requirements that the carrier establishes for disclosing personal information to third parties. A law enforcement handbook with this information is encouraged.
Full Star: (1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties. (2) It makes clear what standard must be met by the third party in order for this disclosure to be made (e.g., whether a warrant is required). (3) It is clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.
Half Star: The carrier refers to some but not all of (1), (2), and (3) or is vague about them.
No Star: The carrier fails to indicate any of (1), (2), or (3).
An explicitly inclusive definition of “personal information”
PIPEDA defines personal information broadly as “information about an identifiable person.” Personal information can refer to any number of variables. There have been recent controversies about whether data derived from the communication (e.g., transaction data, traffic data, userIDs, or metadata more generally) or certain numbers associated with personal devices (e.g., IP addresses, IMSI/IMEI numbers, or MAC addresses)48 that are enduringly associable with an individual should be regarded as “personal information”; for example, The Office of the Privacy Commissioner (OPC) of Canada has found that “An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.”49 This criterion evaluates whether a carrier has given an explicitly inclusive definition of “personal information” in line with such best privacy practice.
Full Star: The carrier explicitly states all forms of data that fall under “personal information.” This should include subscribers/users' IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, metadata (e.g., who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information, and so forth.
Half Star: The carrier only implicitly states the forms of data included in a definition of “personal information,” and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMSEI numbers, MAC addresses, userIDs, metadata, browser history, personal account information, or credit card information.
No Star: The carrier gives no definition of “personal information.”50
The normal retention periods for personal information
Companies hold onto users' personal information, including Internet usage, phone calls, and GPS locations, for varying lengths of time. How long they do so is a clear privacy issue and something that consumers should know. The longer personal information is kept, the more likely it is that the personal information will be exposed to misuse or disclosure.
Full Star: The carrier discloses for how long personal information is routinely retained, specifying retention time periods for each data type.
Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers' browsing history for two weeks, but provides no information on call log retention.
No Star: The carrier either provides no information on data retention periods or provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance,
[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.51
Transparency about where personal information is stored and/or processed
The physical location of servers and data storage facilities is important. Data stored or processed in different jurisdictions will be subject to the associated legal regimes regardless of where the data originated or the nationality of the data subject. For instance, Canadian data stored in the United States loses the protection afforded by the Canadian Charter of Rights and Freedoms, as well as PIPEDA, and becomes subject to the USA PATRIOT Act and other surveillance authorizations.52 In fact, Canadian data is considered under those legal authorizations to be “foreign” to the United States and therefore afforded significantly reduced (little or no) safeguards compared to American data. Furthermore, data storage outsourced to foreign-owned hosting services, even if physically located inside Canada, is similarly subject to foreign jurisdiction. In light of the privacy risks from the exposure of Canadians' data to foreign jurisdictions, the OPC found in 2008 that:
38. [O]rganizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country's government or agencies.53
This criterion therefore evaluates whether a carrier has provided a sufficiently clear and explicit indication of possible exposure of personal information to foreign jurisdictions and what additional risks of disclosure this may entail.
Full Star: The carrier clearly indicates the storage and/or processing locations of user's data and whether data storage and/or processing have/has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to, other jurisdictions, what those jurisdictions are, and to what sort of disclosure such data may be subject.
Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.
No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.
Transparency about where personal information is routed
This criterion evaluates a carrier on the basis of whether or not it has indicated the relevant geographic locations or jurisdictions for routing of personal information. Data routing, as the particular form of information processing concerned with the switching of data packets among possible routes across the Internet, affects legal privacy protection much the way that data storage location does, but has hitherto received comparatively little public attention. A serious concern for Canadians is that a significant proportion (>20 percent) of their domestic communications (i.e., communicating with other Canadian persons or services) is routed through the United States (aka “boomerang routing”) and hence is subject to NSA surveillance.54,55 Furthermore, nearly all Internet communication between Canada and third countries also passes through the United States or is handled by US carriers, which similarly exposes it to mass suspicionless surveillance by the NSA and other state agencies.
Full Star: The carrier clearly indicates whether Canadians' personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions to which it is subject. Similarly, it indicates whether or not communications with third countries is subject to US jurisdiction.
Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.
No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.
Domestic Canadian routing when possible
This criterion evaluates whether the carrier has taken reasonable, publicly visible steps to maintain Canadian routing for domestic Internet traffic. Given the additional privacy and surveillance risks facing Canadians' personal data when traveling outside Canada or carried by foreign companies, there are good privacy reasons for routing this data within Canadian jurisdiction when possible.56 One good way is for carriers to make contracts for the handling of their domestic traffic only with Canadian Internet transit providers that they can connect with in Canada and that maintain a similar policy of domestic routing when possible. Another, more publicly visible way for carriers to help ensure all-Canadian routing is to exchange traffic or “peer” openly at Canadian public Internet exchanges points (IXPs), such as Toronto Internet Exchange (TorIX) and Ottawa Internet Exchange (OttIX), and other more recently established ones in Vancouver, Calgary, Winnipeg, Montreal, and Halifax.57
Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at one of the Canadian IXPs will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.58
Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this.
No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.
Open advocacy for user privacy rights
This criterion is evaluated on the basis of whether or not the carrier has made clear on its privacy pages its recent (in the last five years) political, legal, and/or legislative positions regarding support for user privacy rights. A carrier can demonstrate its pro-privacy position in any of the following areas:
Public debates over mass state surveillance
Privacy- or surveillance-related legislative initiatives (e.g., the current Bill C-13 on lawful access)
Defending user privacy rights in court
Ties to advocacy organizations or initiatives promoting user privacy rights
Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights in at least one of the areas itemized earlier.
Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in their privacy pages.
No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the aforementioned areas.
Since our intention with this ongoing transparency assessment exercise is not just to produce a series of conventional research reports, but to help open up to public scrutiny the personal information handling policies of Internet carriers, we are not content simply to post the assessment reports to the transparency section of our IXmaps research project website,59 but to give them wider public exposure. Firstly, in the mapping section of the IXmaps site,60 we directly link the individual carrier profiles and star scores appearing in the latest report to interactive maps of Internet routes involving the particular carrier (see Figure 1).
Simultaneous with posting these reports, the Canadian media advocacy group OpenMedia61 launched publicity campaigns targeting news media. For the most recent, 2014 report, released March 12, 2015, this resulted in stories published in Canada's largest daily newspaper, the Toronto Star,62 the CBC (the national public broadcaster in Canada),63 as well as several aimed more specifically at the technology sector, such as TechVibes.64
As noted in Tables 1–3, most carriers perform poorly on data privacy transparency. We awarded very few stars overall, 92.5 in total out of a possible 430. On average, this is barely two stars out of a maximum of ten. Just seven of the forty-three carriers earned more than three stars, the highest being Teksavvy, with six stars.65 Next highest was Telus, at five.
In four criteria, no carrier received a full star. While in each of the ten criteria at least four carriers received a half star, for the following four criteria, we were not able to award a full star:
Criterion 2—A public commitment to inform users of all third-party data requests
Criterion 6—The normal retention periods for personal information
Criterion 7—Transparency about where personal information is stored and/or processed
Criterion 8—Transparency about where personal information is routed
Assessing Criterion 2 revealed the absence of any proactive commitment to inform users of third-party data requests. Just under half of the carriers in our sample (20/43) publicly state that they will inform subscribers of third-party data access requests, but subscribers are required to initiate the conversation. This is the minimum legal requirement under PIPEDA.66 No carrier yet has indicated that it will relieve users of this prohibitive burden and inform them proactively.
The assessment of Criterion 6 reveals that the majority of carriers fail to indicate how long personal data is retained. Only six carriers go beyond the minimum PIPEDA requirement of declaring that it “retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected,” which itself is so ambiguous that it earns no credit in this analysis. None give a comprehensive list of the various forms of personal data they hold, along with specific retention periods.
The results for Criterion 7 point to a lack of transparency over where personal data is stored, processed, or routed. Only about half the carriers give an indication that data may be stored in jurisdictions outside of Canada, but none go further to earn a full star by stating what those jurisdictions are. Far fewer carriers, just four out of forty-three, give an indication of the geographical locations or jurisdictions where personal data is routed, and none meet the requirements for a full star in Criterion 8.
Our study also reveals that the fighting brands of major mobile carriers are significantly less transparent than their corporate owners. The Big Three incumbent telecom companies in Canada that offer mobile telephony service (Bell, Rogers, and Telus) each own smaller fighting brands (Virgin Mobile, Fido, and Koodo respectively) that offer discount services to compete with independent carriers. One would expect these subsidiaries, which operate over the same physical infrastructure and ultimately under the same senior corporate management as their parent companies, would follow similar privacy policies as their parents, but this turns out not to be the case. Furthermore, all three fighting brands score below the average for the sample as a whole.
Transit providers scored worse than retail carriers. As noted in Table 3, the fourteen major transit providers that carry the bulk of long distance Internet traffic earned on average 1.3 stars, significantly lower than the twenty-nine retail providers (see Tables 1 and 2), which averaged 2.4 stars. Apart from AT&T and Comcast, the average score for transit carriers was just one star, and none earned more than two out of ten. All transit providers failed to indicate explicit compliance with Canadian privacy law. This is concerning because these behind-the-scenes Internet carriers handle large quantities of intra-Canadian traffic, including nearly all Canadian boomerang traffic, while passing through the United States. In fact, at least one of these twelve foreign transit providers is involved in almost every boomerang route67 in the IXmaps database. A few of these international giants also route traffic entirely within Canada. These findings are important, not only because these transit providers are largely invisible to Canadian consumers, but also because they operate under foreign jurisdictions, usually the United States, which can put the data they carry beyond Canadian legal and constitutional protection, even while it is in Canada.
Cogent makes no guarantee of confidentiality or privacy of any information transmitted through or stored upon Cogent technology, and makes no guarantee that any other entity or group of users will be included or excluded from Cogent's network.
This is especially significant since Cogent is ranked number three in the IXmaps traceroute database, after Bell and Rogers, in terms of handling Canadian domestic traffic both within and outside of Canada.
That being said, two major US carriers scored better than most Canadian ones. The highest scoring non-Canadian carrier, AT&T, received four stars, placing it third highest in the entire group. Comcast also scored relatively well. While only garnering 2.5 stars, this places it ahead of more than half of the twenty-nine Canadian carriers. In neither case did these carriers indicate compliance with PIPEDA (Criterion 1), but scored better in terms of Criterion 3, Transparency about frequency of third-party requests and disclosures, and Criterion 4, Transparency about conditions for third-party data disclosures. This can be attributed in part to their transparency performance being rated annually since 2011 in the EFF's Who Has Your Back reports, with both companies for the first time publishing law enforcement guidelines in 2013 and transparency reports in 2014.68
While the majority of the findings raise considerable concern, the analysis did reveal a basis for some optimism. For the first time, Canadian carriers have begun to follow the lead of major US ISPs by systematically providing statistics and other relevant details on law enforcement requests for personal data. MTS Allstream,69 Rogers, Sasktel, Telus, Teksavvy, and Wind are the pioneers. Carriers are also being more publically explicit about what they require from law enforcement when making such requests for personal subscriber information.
When we connect to the Internet, we entrust the enormous quantities of personal data we produce through our online activities to a select group of Internet carriers. These carriers carry, transmit, and route our data back and forth over the Internet between our personal devices and e-mail servers, websites, social networking sites, and other services. These data routing and management practices continue to raise longstanding privacy concerns about how personal information may be monitored or surveilled on the Internet. Research now suggests that nearly 100 percent of US domestic Internet transmissions may be subject to surveillance by the US NSA due to the likely presence of splitter operations at US Internet exchange points in an estimated eighteen cities.70 This almost complete coverage by the NSA has contributed to related concerns that Internet transmissions that enter the United States (whether as a destination or a point of transit, notably in boomerang routing)71 may also routinely subject citizens of non-US countries to NSA surveillance.72 This is especially concerning for Canadians, as recent research suggests that beyond the surveillance realities associated with Canadians accessing American Internet services, more than 20 percent of intra-Canadian Internet transmissions (Canadians accessing websites hosted in Canada) transit the United States (i.e., boomerang routing), making those transmissions subject to NSA surveillance.73 The ongoing revelations of former US NSA contractor Edward Snowden validate these concerns, providing further evidence that state surveillance agencies, such as the NSA and Canada's CSE, have secretly gained the cooperation of telecommunications companies willing to share the data that travels through their networks.
Finding out more about what ISPs do with our data, who they make it available to, and on what grounds has become more urgent. As noted earlier, a principal's access to information about agent behavior is directly linked to the ability to hold agents to account.74 Of course, a lack of transparency does not automatically mean that agents are acting badly, nor does an abundance of information automatically ensure that agents are being honest. That being said, opening up access to information about ISPs does present a valuable strategy for improving carriers' performance in the face of a range of potential concerns. Among the concerns are a wide variety of civil liberties and public interest questions associated with widespread data collection and analysis by governments and commercial organizations that appear to increasingly be using data for eligibility decision making.75 While the opportunities and risks associated with data sharing practices among corporate and state agents are still coming into view, what is already clear is the need for a more informed public debate about the possibility of maintaining a democratically determined security and surveillance apparatus. The question remains, how is the general public to make informed decisions about the future of such an apparatus without knowledge of data management practices, especially by those corporations that provide the communications infrastructure on which everyone relies? Without proactive public reporting on the part of ISPs in the key areas identified earlier, it is very difficult for Canadians to protect their personal privacy and to hold these important organizations to account. ISPs must be more forthcoming about their handling of our personal information. Do we know where they store our data? Where do they send it? What jurisdictions apply? When a company, law enforcement or security agency demands access to our personal information, do ISPs comply? Do they inform us about it? Do they make clear to everyone what criteria they apply when responding to these requests? On what basis can we trust them? Do our ISPs keep us in the know or in the dark?
The results of this study suggest that indeed the majority of Internet carriers serving the Canadian public, whether they be direct providers of Internet service or behind-the-scenes transit carriers, are failing to keep Canadians in the know. An increase in the number of carriers publishing transparency reports, typically highlighting general figures about government requests for data, is reason for modest hope. This is optimism not so much over the substance of the self-disclosure, which as noted earlier remains very limited, but because it indicates that public pressure is beginning to have an effect and companies are now paying more attention.
Overall, however, the results are dismal. Internet carriers may be complying with the minimum requirements of PIPEDA, but there is little public evidence to support this. With few exceptions, they show scant willingness to adopt PIPEDA's Openness Principle in spirit and demonstrate publicly an active concern for the privacy rights of their customers. Part of the reason may be that there is little pressure on Internet carriers, whether from government, regulators, or the public, to improve their transparency practices. In 2015, Industry Canada published its first Transparency Reporting Guidelines.76 While this may help raise the expectation that carriers should issue such reports, and could enable comparisons among them with a more standardized reporting template, the specific guidelines appear designed more to discourage than enhance transparency initiatives. They exhibit numerous shortcomings and rather than require reporting, they leave it voluntary while explicitly limiting it in several significant respects.77
Apart from some recent campaigning by OpenMedia, there is barely any public indication of people complaining about how carriers are handling their information. Nor is there much they can do about it if not satisfied with the responses. At the local level, the ISP market in Canada is highly concentrated78 and even where there are alternatives, it demands considerable effort to compare them based on how well they treat personal information. And since Internet communication generally requires one's data to be handled by several transit providers behind the scenes, it is virtually impossible to take any effective action based on one's privacy preferences.
Part of the problem lies with the legislation. As noted earlier, the openness provisions within PIPEDA place little onus on data managers to be proactive in disclosing their practices. Instead, the law relies on individual data subjects to take the initiative. Furthermore, PIPEDA enforcement is complaint-based, so individuals must first take their questions or grievances to the companies involved and then if not satisfied by the response, file a formal complaint with the federal Office of the Privacy Commissioner of Canada, which handles them on a case-by-case basis. This adds to the undue burden individuals face when seeking to protect their data privacy or hold organizations to account for their data handling practices.79,80
Far more needs to be done, especially on the part of the ISPs that serve Canadians directly. Transit providers also need to be held to a higher standard, since almost all carry Canadian traffic via the United States, or otherwise bring it under US jurisdiction, further exposing Canadians' data to mass state surveillance by the NSA. This is concerning because when outside Canada, or handled by carriers subject to US or other jurisdictions, Canadians' data enjoy no effective legal protection, and certainly much less than when entirely within Canadian jurisdiction.81,82
Without greatly enriched proactive public reporting on the part of all Internet carriers in the key areas identified earlier, it is very difficult for Canadians to protect their personal privacy when using the Internet or hold these influential organizations to account. Hence our central recommendation is that the openness principle at the core of current privacy legislation be significantly expanded and strengthened, so that public understanding of carriers' personal data handling practices does not rely on persistent individuals seeking and sharing this information on their own, but rather privacy transparency be made a legally mandated, well-enforced, normal requirement for doing Internet business. We expand on this in Appendix A, where we make specific recommendations directed at the primary Internet privacy actors: the carriers that handle Canadians' Internet traffic; the privacy commissioners and the Canadian Radio-Television and Telecommunications Commission (CRTC) that regulate the carriers; the legislators and politicians that make the telecommunications laws; and not least the Canadian law enforcement and security agencies that go to the carriers to access personal data.
The measures we propose for advancing data privacy transparency will contribute to ensuring that carriers and third-party data requestors are compliant with the spirit of Canadian privacy law and accountable to the public for their data management practices. Those actors adopting strong transparency measures will demonstrate leadership in the global struggle for data privacy protections, and help bring state surveillance under more democratic control. They will also be more likely to earn the trust of Canadians who rely on them for the safe handling of their personal and sensitive data.
Beyond the Canadian context, it is our hope that the results of this study, and the recommendations provided, raise awareness of data privacy transparency challenges that persist in other national and international contexts. We encourage others to build upon our methodology and conduct their own evaluations of Internet carriers in other regions around the world. In doing so, we will not only advance the privacy interests of individuals, but through citizen empowerment, take a significant step toward holding our Internet carriers to account.
Recommendations for Carriers That Handle Canadian Internet Traffic
Carriers should go beyond minimum compliance with Canadian privacy law, and in the spirit of PIPEDA's Principle 8—Openness, commit to proactively making the information identified by the ten criteria readily available on the privacy sections of their corporate websites.
Recommendation 1: A public commitment to PIPEDA compliance
All carriers that handle Canadian Internet traffic should prominently display a public commitment to compliance with Canada's PIPEDA. This should include reference to the Act itself. They should make explicit their legal obligation to ensure that any other carrier they hand personal data to provides comparable privacy protection (see also Recommendations 7 and 8).
Recommendation 2: A public commitment to inform users proactively when personal data has been requested by a third party
All carriers that handle Canadian Internet traffic should prominently display a public commitment to proactively notify customers in a timely way when their personal data has been requested by a third party, unless otherwise prohibited by law. Individuals should not have to inquire themselves before being informed that information about them has been requested by or handed over to a third party. Website text could read:
<This company>'s policy is to notify users of requests for their information prior to disclosure, unless we are specifically prohibited from doing so by statute or court order. Law enforcement or security agency officials who believe that notification would jeopardize an investigation should obtain a court order or other appropriate authorization that specifically precludes customer notification.
Recommendation 3: Regular detailed transparency reporting that provides information about third-party data requests and disclosures
All carriers that handle Canadian Internet traffic should publish transparency reports annually or more often. These reports should include information about the requesting entities, including their country of origin, the specific agency or organization, the legal authority, and purpose of the request. Carriers should provide relevant justifications where they have complied with such disclosure or transfer requests. Reporting should include the numbers of requests, the number of accounts covered, the number of requests fully and partially complied with, the number declined, and the number of accounts implicated. These transparency reports should be easily accessible via the web as well as downloadable for easy sharing and analysis. Those carriers that want to lead by example should also commit to related public education campaigns by devoting designated sections of their websites to these reports and include additional explanatory materials, such as videos and supplementary documents where possible.
Recommendation 4: Detailed conditions and procedures for law enforcement and other third parties that submit requests for personal information
All carriers that handle Canadian Internet traffic should make public clear guidelines for law enforcement and other third parties to follow when making requests for personal information. A suitable way to do this is through publishing law enforcement agency handbooks.
The Guidelines for Law Enforcement posted by Twitter provide a good model to follow: https://support.twitter.com/articles/41949-guidelines-for-law-enforcement#9.
Recommendation 5: An explicit and inclusive definition of “personal information,” with a clear indication that metadata and device identifiers are included
All carriers that handle Canadian Internet traffic should make publicly clear that they adopt an explicit and inclusive definition of the personal information they protect under Canadian privacy law, one that includes communication metadata as well as persistent unique device identifiers. Since metadata is a broad term, they should itemize specifically the items comprising the metadata that they collect or make accessible.
Recommendation 6: Explicit data retention periods, and the justification for these, for the various types of personal information handled
All carriers that handle Canadian Internet traffic should provide details about retention periods for the various types of personal information they handle. Justifications for these retention periods should be provided, based on the requirement that they be “only as long as necessary for the fulfillment of the purposes for which it was collected.” Many carriers have already established internally how long they will hold onto specific types of data. This information must be made public. For example:
The following is a list of types of personal information that we retain and the normal retention periods for each type of data:
IP logs: x days; for the purpose of …
Call records: y days; for the purpose of …
Preservation requests: 90 days. for the purpose of …
In case of legal proceedings, we may be required to retain personal data until the litigation is concluded.
Recommendation 7: Details of whether personal data may be stored or routed outside Canada
All carriers that handle Canadian Internet traffic should provide detailed information about the location of storage and routing of personal data. This includes listing, for example:
The countries through which data is routinely routed
The countries where data is stored
The jurisdictional authority of all the carriers it exchanges traffic with
An explicit indication of whether these carriers provide data protection comparable to that expected under Canadian law
Recommendation 8: How they strive to keep Canadians' data within Canadian legal jurisdiction
All carriers that handle Canadian Internet traffic should make public the measures they adopt to keep Canadians' data and domestic Internet traffic within Canadian legal jurisdiction, or at least protect it from foreign jurisdiction, particularly the United States. These measures could include:
Storing data within Canada
Exchanging traffic only with carriers providing data protection comparable to that expected under Canadian law
Exchanging traffic at public Internet exchange points in Canada
Encrypting traffic when unavoidably subject to foreign jurisdiction, with the keys kept with the individual subscriber or within Canadian legal jurisdiction
Recommendation 9: How they strive to keep Canadians' data protected against mass Canadian state surveillance
All carriers that handle Canadian Internet traffic should make public, to the extent legally permissible, their relations with Canadian law enforcement and security agencies, as well as the measures they adopt to protect data against access by these agencies without legal due process and oversight.
Recommendation 10: How they advocate for their subscribers' privacy rights
All carriers that handle Canadian Internet traffic should clearly indicate their current stance on personal data privacy protection and mass state surveillance. This stance should include their position on alleged NSA and CSE surveillance of Canadian Internet transmissions. If a carrier is making official submissions or lobbying in relation to any prospective legislative, regulatory, or policy change that could influence subscriber data protections, its activities should be readily available on its privacy pages. A carrier should be similarly transparent if it is involved in any court case around the privacy rights of their subscribers. Whatever the carrier's position in relation to user privacy rights, this should be made publicly clear.
Recommendation 11: Consolidate all privacy and transparency policy information so it is easily accessible though the main corporate privacy page
Recommendation for Privacy Commissioners and the CRTC
Recommendation 12: Regulators should more closely oversee ISPs to ensure their data privacy transparency
Both the OPC and CRTC have responsibilities under their respective legislative mandates to ensure that carriers are respecting the privacy of their subscribers. We recommend that the OPC and CRTC exercise their powers more vigorously to ensure proper handling of personal information. This should include, at least, requiring Internet carriers to demonstrate greater data privacy transparency, and ensuring that carriers only hand off Internet traffic to other carriers that meet Canadian privacy law standards.
Recommendation for Legislators and Politicians
Recommendation 13: Amend PIPEDA's Principle 8—Openness to include public transparency
In particular, it should be amended as follows:
An organization shall make readily available to individuals and the public generally, specific information about its policies and practices relating to the management of personal information. (emphasis added to inserted text)
Recommendation 14: Amend PIPEDA's Principle 9—Individual Access to require proactive notification
Currently, Principle 9 only requires organizations to respond to individual requests. It should be amended to require timely proactive notification to the individual whenever a third party requests disclosure of their personal information. Any exceptions should be limited, specific, and justified in relation to the circumstances.
Recommendation for Canadian Law Enforcement and Security Agencies
Recommendation 15: Canadian law enforcement and security agencies should proactively publish statistics about requests for personal information they make to carriers
Just as leading Internet businesses are beginning to do, the law enforcement and security agencies requesting that ISPs disclose personal customer information should routinely and proactively publish detailed statistics about their requests, the rationales, carrier responses, and how these have assisted or not in achieving their mandates.
In brief, we call on carriers, regulators, legislators, law enforcement, and security agencies to remove the systemic barriers to data privacy transparency, and to implement a more proactive approach requiring robust public transparency norms.
- Our work benefited from the contributions of many people. Thank you to Matthew Schuman, Ainslie Keith, Shawn Arksey, Michael Cockburn, Caroline Garel-Jones, Aaron Goldstein, Nathaniel Rattansey, Kassandra Shortt, Jada Tellier, and Matthew Vaughan from the Centre for Innovation Law and Policy (CILP), Faculty of Law, University of Toronto, for your part in assessing the 3+3 carriers. We also appreciate the research assistance of Alex Goel, Andi Argast, and Alex Cybulski from the Faculty of Information, University of Toronto. Thank you to Jennette Weber for providing website and report design assistance. We are also pleased to acknowledge the input and encouragement of Steve Anderson and David Christopher (Openmedia.ca), Nate Cardozo and Rainey Reitman (EFF), Andrew Hilts (Cyber Stewards Initiative), Tamir Israel (CIPPIC), Christopher Parsons (Citizen Lab), and Chris Prince (OPC). Thank you also to the privacy officials from several carriers we evaluated that responded to our assessments and offered constructive feedback.
- Our ongoing privacy transparency assessment and reporting builds on the IXmaps.ca internet mapping project. Of the many people who have contributed to its development since 2008, Colin McCann and Antonio Gamba are among those most directly involved in integrating transparency scoring into the interactive mapping platform. Together with the wider IXmaps project, this research has received funding from Social Sciences and Humanities Research Council of Canada (SSHRC), Office of the Privacy Commissioner of Canada, (OPC) and Canadian Internet Registration Authority (CIRA).
- 1.The focus of this study is on those Internet service providers that carry Canadian data across telecommunications networks, rather than store or process it, so we use the terms “ISP” and “carrier” interchangeably.
- 3.Bowles, Hamilton, and Levy.
- 4.Jensen and Meckling.
- 5.See Jensen and Meckling; Snider; Przeworski and Stokes.
- 6.Bowles, Hamilton, and Levy, xii.
- 10.Walker; Gramberger.
- 11.See Kovach and Rosenstiel.
- 12.See Dutton; Obar and Shade.
- 13.Bowles, Hamilton, and Levy, xv.
- 14.US Department of Health, Education, and Welfare.
- 15.OECD, “OECD Guidelines.”
- 16.European Union.
- 17.White House.
- 18.Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA: Privacy Principles.”
- 19.AccessNow. The United States accounts for forty-seven of these companies but twelve other countries are listed in AccessNow's index.
- 20.Most prominent are the major Internet companies in the NSA's PRISM program: AOL, Google, Facebook, Microsoft, Yahoo (“NSA Slides Explain”), as well as AT&T and Verizon, the leading telecommunications carriers that provided the NSA with access to the contents of email and other traffic transiting their networks (Angwin et al.). Each of these companies now regularly issues their own transparency reports on law enforcement access requests.
- 21.Electronic Frontier Foundation, “Who Has Your Back,” 2015.
- 22.See Ranking Digital Rights.
- 23.See AccessNow.
- 24.Berkman Center for Internet & Society at Harvard University and New America's OTI.
- 26.Parsons, “Does Mexico's Transparency.”
- 27.Parsons, “The Governance”; Hilts and Parsons.
- 28.Electronic Frontier Foundation, “Who Has Your Back,” 2015.
- 29.While we make no claim that the database is representative of all Canadian Internet traffic, we regard our sample as large and diverse enough that nearly all carriers of significance show up in it, and that the routing patterns it reveals apply more widely.
- 30.Primus Canada operates exclusively within Canada, but in 2014 was owned by a US parent, Primus Telecommunications.
- 31.See Centre for Innovation Law and Policy.
- 32.Parsons, “The Governance”; Hilts and Parsons.
- 33.According to the OECD Glossary of Statistical Terms: “A Fighting brand refers to a new brand of an existing or similar product which is priced very low or below costs and is made available for a limited time period in specific market areas in order to combat competition from other (usually smaller) firms…. Fighting brands are often viewed as a form of predation or anticompetitive practice intended to drive out competitors from a given market.” The three brands mentioned here meet these characteristics in terms of lower costs and role in combating smaller competitors. Whether they are short-lived or not will likely depend on the longevity of these competitors.
- 34.Based on the IXmaps traceroute data cited earlier, we roughly estimate these forty-three carriers handle over 95 percent of Canadian Internet routing, both foreign and domestic.
- 35.The sole exception to the exclusive focus on corporate privacy and related statements is in the case of Criterion 9—Domestic Canadian routing when possible (p. 311).
- 36.For the most recent report that this article is based on, the target date was December 31, 2014.
- 37.We contacted the carriers to invite their participation in formulating the criteria. We first alerted them in November to the upcoming 2014 assessment exercise and solicited suggestions for refining the criteria we used in 2013. We were keen to cooperate with any carriers so interested, but while a couple of carriers replied, none made any substantive proposals. In December, we posted revised draft criteria, inviting feedback. Again, we received no requests for revision. On December 22, we posted the final set of criteria in the hopes that carriers would find these helpful in revising their web policies and thereby improve their scores.
- 38.Bill C-30—the Protecting Children from Internet Predators Act.
- 39.Clement and Obar, “Canadian Internet ‘Boomerang’ Traffic”; Obar and Clement.
- 40.For C-13, see Bill C-13; for C-51, see Bill C-51.
- 41.We updated the criteria from our 2013 study (see Clement and Obar, “Keeping Internet Users in the Know,” 2013) in collaboration with the Policy Volunteer Student Working Group, Centre for Innovation Law and Policy (CILP). The CILP group greatly helped refine the ten criteria, formulating explicit grounds for distinguishing between full, half, and no stars, and prepared a much more in depth assessment of their “3 + 3” sample than our analysis of forty-three carriers. See Centre for Innovation Law and Policy.
- 42.Provincial laws that have been deemed substantially equivalent are British Columbia's Personal Information Protection Act, Alberta's Personal Information Protection Act, and Quebec's An Act Respecting the Protection of Personal Information in the Private Sector. See Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA: Substantially Similar.” The European Data Protection (1995) has also been deemed substantially equivalent.
- 43.Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA: Privacy Principles.”
- 44.A single exception to this in our sample is Sasktel, which as the sole remaining provincially owned Crown Corporation telecommunications provider is covered by Saskatchewan's Freedom of Information and Protection of Privacy Act (FOIP).
- 46.In some cases, there are legally prescribed limitations on the precision of the statistics reported, such as only giving number ranges (e.g., 0–1,000 requests). These limitations, even when not well justified, did not affect a carrier's star rating.
- 48.Internet Protocol (“IP”); International Mobile Subscriber Identity (“IMSI”); International Mobile Station Equipment Identity (“IMEI”); Medium Access Control (“MAC”).
- 49.See Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA: Interpretation Bulletin”; Parsons, “The Anatomy.”
- 50.We interpreted “no definition” to include the situation of only a trivial mention that does not substantially inform a user, such as a vague term like “Internet data.”
- 52.Notably, the Foreign Intelligence Surveillance Act Amendments Act (2008), esp. Sec. 702, and Executive Order EO12333 (1981).
- 53.See Office of the Privacy Commissioner of Canada, “Report of Findings.”
- 54.Clement and Obar, “Canadian Internet ‘Boomerang’ Traffic”; Obar and Clement.
- 55.Given that the CSE, a signals intelligence partner of the NSA, likely conducts similar forms of Internet interception, keeping data in Canada may still expose Canadians to mass state surveillance; however, since data that remains within Canadian jurisdiction enjoys greater Constitutional and legal protections, boomerang routing via the United States poses additional privacy risk.
- 56.There are also good economic reasons for keeping Canadian data within Canada, as the Canadian Internet Registration Authority (CIRA) makes clear in its report with the Packet Clearing House; see Woodcock and Edelman.
- 57.See Holland.
- 58.This wording reflects a small relaxation from the original criterion, by not insisting on peering at every IXP in the service region.
- 59.Clement and Obar, “Keeping Internet Users in the Know,” 2015.
- 65.Contributing to TekSavvy's high score is its extensive and detailed response to the questions that Dr. Christopher Parsons asked of eighteen carriers about their handling of lawful access requests. See: Parsons, “The Governance”.
- 66.For this they received a half star, a relaxation of the criterion from the previous year to help distinguish carriers that at least go this far compared to the others that give their users no indication that they are entitled to this important information.
- 67.A boomerang route is an Internet transmission that originates and terminates in the same country, but transits another.
- 68.See Electronic Frontier Foundation, “Who Has Your Back,” 2014.
- 69.While MTS Allstream has issued two transparency reports, they are buried at the very bottom of their corporate governance section, where few will find them, and hence we didn't include them in this study.
- 71.Internet communications may also be subject to US jurisdiction by virtue of being handled by a US-based company or one otherwise subject to US law, but this issue is beyond the scope of the current article.
- 72.Clement and Obar, “Canadian Internet ‘Boomerang’ Traffic”; Obar and Clement.
- 73.Clement and Obar, “Canadian Internet ‘Boomerang’ Traffic”; Obar and Clement.
- 74.Bowles, Hamilton, and Levy.
- 75.See, for example, Pasquale.
- 76.Industry Canada.
- 77.Parsons, “Industry Canada.”
- 78.Canadian Media Concentration Research Project, 23.
- 79.Solove; Ben-Shahar and Schneider; Obar; Obar and Oeldorf-Hirsch.
- 80.The OPC also has audit powers to initiate its own investigations where there is evidence of widespread noncompliance, but has been reluctant to exercise them. There have been only two audits under PIPEDA since coming into effect in 2000.
- 81.Austin et al.; Austin; Austin and Carens-Nedelsky.
- 82.It is worth noting that personal information that is kept within Canadian jurisdiction is also subject to state surveillance activities; however, Canadian entities conducting surveillance within Canada are subject to Canadian law and its Constitution. Should Canadians determine that the Canadian surveillance apparatus needs reforming, that would likely curtail surveillance of intra-Canadian traffic. The same cannot be said about traffic that passes through the United States and other foreign countries, as Canadians have scant ability to change the laws and surveillance practices of foreign countries.
- Angwin, Julia, Charlie Savage, Jeff Larson, Henrik Moltke, Laura Poitras, and James Risen. “AT&T Helped U.S. Spy on Internet on a Vast Scale.” The New York Times, August 15, 2015. Accessed August 17, 2016. http://www.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html?_r=1.
- Austin, Lisa M. “Enough About Me: Why Privacy is About Power, Not Consent (or Harm).” In A World Without Privacy: What Can/Should Law Do, edited by Austin Sarat, 131–89. New York: Cambridge University Press, 2015.
- Austin, Lisa M., and Daniel Carens-Nedelsky. “Why Jurisdiction Still Matters.” In Seeing Through the Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World. Accessed August 17, 2016. http://ecommoutsourcing.ischool.utoronto.ca/.
- Austin, Lisa M., Heather Black, Michael Geist, Avner Levin, and Ian Kerr. “Our Data, Our Laws.” National Post, December 12, 2013. Accessed August 17, 2016. http://news.nationalpost.com/2013/12/12/our-data-our-laws.
- Ben-Shahar, Omri, and Carl E. Schneider. “The Failure of Mandated Disclosure.” University of Pennsylvania Law Review 159 (2011): 647–749.
- Berkman Center for Internet & Society at Harvard University and New America's Open Technology Institute (OTI). The Transparency Reporting Toolkit: Best Practices for Reporting on U.S. Government Requests for User Information, March 31, 2016. Accessed August 17, 2016. https://cyber.law.harvard.edu/publications/2016/transparency_memos.
- Bowles, Nigel, James T. Hamilton, and David Levy. “Introduction.” In Transparency in Politics and the Media: Accountability and Open Government, edited by Nigel Bowles, James T. Hamilton, and David Levy. London: IB Tauris, 2013.
- Brandeis, Louis D. “What Publicity Can Do.” Harper's Weekly 20 (1913): 10.
- Canadian Media Concentration Research Project. “Media and Internet Concentration in Canada, 1984–2014 Report.” 2015. Accessed August 17, 2016. http://www.cmcrp.org/wp-content/uploads/2015/11/Media_InternetConcentration1984-2014_for_web.pdf.
- Centre for Innovation Law and Policy. “The 3+3 Project: Evaluating Canada's Wireless Carriers' Data Privacy Transparency.” 2015. Accessed August 17, 2016. http://cilp.law.utoronto.ca/archives/3-plus-3-working-group.
- Chung, Emily. “Internet Carriers May Be Breaching Canadian Privacy Laws.” CBCNews, March 12, 2015. Accessed August 17, 2016. http://www.cbc.ca/news/technology/internet-carriers-may-be-breaching-canadian-privacy-laws-1.2992125.
- Clement, Andrew. “IXmaps – Tracking Your Personal Data through the NSA's Warrantless Wiretapping Sites.” Proceedings of the IEEE – ISTAS Conference, 2013.
- Clement, Andrew, and Jonathan A. Obar. “Canadian Internet “Boomerang” Traffic and Mass NSA Surveillance: Responding to Privacy and Network Sovereignty Challenges.” In Law, Privacy and Surveillance in Canada in the Post-Snowden Era, edited by Michael Geist. Ottawa, ON: University of Ottawa Press, 2015.
- Clement, Andrew, and Jonathan A. Obar. “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers.” 2013. Accessed August 17, 2016. https://www.ixmaps.ca/transparency-2013.php.
- Clement, Andrew, and Jonathan A. Obar. “Keeping Internet Users in the Know or in the Dark: A Report on the Data Privacy Transparency of Canadian Internet Carriers.” 2015. Accessed August 17, 2016. https://IXmaps.ca/transparency.php.
- Desson, Craig. “New Report Rates Internet Service Providers on Privacy.” Toronto Star, March 12, 2015 (updated December 10). Accessed August 17, 2016. https://www.thestar.com/news/privacy-blog/2015/03/new-report-rates-internet-service-providers-on-privacy.html.
- Electronic Frontier Foundation. “Who Has Your Back: Protecting Your Data from Government Requests.” 2014. Accessed August 17, 2016. https://www.eff.org/who-has-your-back-government-data-requests-2014.
- Electronic Frontier Foundation. “Who Has Your Back: Protecting Your Data from Government Requests.” 2015. Accessed August 17, 2016. https://www.eff.org/who-has-your-back-government-data-requests-2015.
- European Union. “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.” 1995. Accessed August 17, 2016. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
- Gramberger, Marc. Citizens as Partners: OECD Handbook on Information, Consultation and Public Participation in Policy Making. Paris: OECD, 2001.
- Greenwald, G. No Place to Hide: Edward Snowden, the NSA and the Surveillance State. London: Hamish Hamilton, 2014.
- Hilts, Andrew and Christopher Parsons. “Enabling Citizens' Rights to Information in the 21st Century.” The Winston Report, Fall 2014.
- Industry Canada (Now Innovation, Science and Economic Development Canada). “Transparency Reporting Guidelines.” August 17, 2016. Accessed May 26, 2016, http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11057.html.
- Jensen, Michael C., and William H. Meckling. “Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure.” Journal of Financial Economics 3, no. 4 (1976): 305–60.
- Kovach, Bill, and Tom Rosenstiel. The Elements of Journalism: What Newspeople Should Know and the Public Should Expect. Three Rivers, CA: Three Rivers Press, 2007.
- Lewis, Rob. “Canadian Telcos Still Not Transparent Enough, Latest Report Shows.” TechVibes, March 13, 2015. Accessed August 17, 2016. http://www.techvibes.com/blog/canadian-telcos-not-transparent-2015-03-13.
- McLeod, Paul. “Ottawa Has Been Spying on You: Telecom Firms Handing over Data without Warrants.” Chronicle Herald, March 26, 2014. Accessed August 17, 2016. http://thechronicleherald.ca/novascotia/1195828-ottawa-has-been-spying-on-you.
- “NSA Slides Explain the PRISM Data-Collection Program.” The Washington Post, July 10, 2013. Accessed August 17, 2016. http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/.
- Obar, Jonathan A. “Big Data and the Phantom Public: Walter Lippmann and the Fallacy of Data Privacy Self-Management.” Big Data & Society 2, no. 2 (2015): 1–16.
- Obar, Jonathan A., and Anne Oeldorf-Hirsch. “The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services.” Working Paper, 2016. Accessed August 17, 2016. http://ssrn.com/abstract=2757465.
- Obar, Jonathan A., and Andrew Clement. “Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty.” Proceedings: Technology and Emerging Media Division, Canadian Communication Association Conference, edited by Philippe Ross and Jeremy Shtern. Victoria, BC: University of Victoria, 2013. Accessed August 17, 2016. http://www.acc-cca.ca/resources/Documents/TEM_proceedings/TEM_2013/OBAR-CLEMENT-TEM2013.pdf.
- Obar, Jonathan A., and Leslie Regan Shade. “Activating the Fifth Estate: Bill C-30 and the Digitally Mediated Public Watchdog.” In Strategies for Media Reform: International Perspectives, edited by Des Freedman, Jonathan A. Obar, Cheryl Martens, and Robert W. McChesney. New York: Fordham University Press, 2016.
- OECD. “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. 1980. Accessed August 17, 2016. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
- Office of the Privacy Commissioner of Canada. “Legal Information Related to PIPEDA: Interpretation Bulletin.” 2015. Accessed August 17, 2016. https://www.priv.gc.ca/leg_c/interpretations_02_e.asp#_ftn52.
- Office of the Privacy Commissioner of Canada. “Legal Information Related to PIPEDA: Substantially Similar Provincial Legislation.” 2013. Accessed August 17, 2016. https://www.priv.gc.ca/leg_c/legislation/ss_index_e.asp.
- Parsons, Christopher. “Industry Canada Transparency Report Guidelines Intensely Problematic.” Telecom Transparency Project, blog post, June 30, 2015. Accessed August 17, 2016. https://www.telecomtransparency.org/industry-canada-transparency-report-guidelines-intensely-problematic/.
- Parsons, Christopher. “The Anatomy of Lawful Access Phone Records.” Technology, Thoughts and Trinkets, blog post, November 21, 2011. Accessed August 17, 2016. https://www.christopher-parsons.com/the-anatomy-of-lawful-access-phone-records/.
- Parsons, Christopher. “Does Mexico's Transparency Report Promote Accountability?” Technology, Thoughts and Trinkets, blog post, July 1, 2015. Accessed August 17, 2016. https://www.christopher-parsons.com/does-mexicos-transparency-report-promote-accountability/.
- Parsons, Christopher. “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.” Telecom Transparency Project. Accessed August 17, 2016. https://www.telecomtransparency.org/wp-content/uploads/2015/05/Governance-of-Telecommunications-Surveillance-Final.pdf.
- Pasquale, Frank. The Black Box Society. Cambridge, MA: Harvard University Press, 2015.
- Przeworski, Adam, and Susan C. Stokes. Democracy, Accountability, and Representation. Vol. 2. Cambridge, UK: Cambridge University Press, 1999.
- Rodriguez, Katitza. “Columbian Users to ISPs: ‘Where Is My Data?’” Electronic Frontier Foundation. May 20, 2015. Accessed August 17, 2016. https://www.eff.org/deeplinks/2015/05/which-internet-providers-tell-colombians-where-their-data.
- Schudson, Michael. The Rise of the Right to Know: Politics and the Culture of Transparency, 1945–1975. Cambridge, MA: Harvard University Press, 2015.
- Snider, J. H. Speak Softly and Carry a Big Stick: How Local TV Broadcasters Exert Political Power. Lincoln, NE: iUniverse, 2005.
- Solove, Daniel J. “Introduction: Privacy Self-Management and the Consent Dilemma.” Harvard Law Review 126 (2012): 1880.
- US Department of Health, Education, and Welfare. “Records, Computers, and the Rights of Citizens.” Report of the Secretary's Advisory Committee on Automated Personal Data Systems. Accessed August 17, 2016. http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
- Walker, Jack L. “A Critique of the Elitist Theory of Democracy.” American Political Science Review 60, no. 2 (1966): 285–95.
- Woodcock, Bill, and Benjamin Edelman. Toward Efficiencies in Canadian Internet Traffic Exchange. September 2012. Accessed August 17, 2016. https://cira.ca/sites/default/files/public/attachments/publications/toward-efficiencies-in-canadian-internet-traffic-exchange.pdf.