Summary

This is the third report assessing the extent to which carriers providing internet communications in Canada are forthcoming about their handling of personal information. Demand for data privacy transparency calls our trusted internet carriers to account, for details about the collection, management, retention, routing, disclosure and use of our data. To what extent do carriers collect and keep personal information? Is data routed and stored in the U.S.? When a company, security agency or political party requests access to data, do carriers oblige? When it comes to these and many other privacy concerns, do our internet carriers keep us in the know? Or in the dark?

This report is being released at a time when governments and industries throughout the world struggle to improve online consent processes. Research suggests that users commonly ignore consent opportunities, in part, because they struggle with the mechanisms for consent facilitation which sometimes overwhelm with information, sometimes lack information, and sometimes encourage circumvention.¹ As consent is central to Canadian privacy law, solutions to the persistent challenge are needed.² As Commissioner Daniel Therrien advised Parliament in the Office of the Privacy Commissioner of Canada’s 2016-2017 recommendations, “(Canadians require) better information to empower them to exercise individual control and personal autonomy. […] Individuals must be at the centre of privacy protection”.³

What is clear is that the public trustee function that telecommunication providers operating in the public interest used to fulfill is more vital than ever. As privacy scholars and advocates call for information fiduciary and data trust models, Canadians should expect leadership from their internet carriers, especially the majors.

In response to these concerns, and in keeping with the principles of transparency and accountability that are fundamental to privacy law in Canada, this third report assesses the data privacy transparency of 44 major, minor and transit carriers that route Canadian internet traffic. Consistent with the previous reports, carriers are assigned full, half or zero ‘stars’ based on ten criteria:

1. A public commitment to PIPEDA⁴ compliance.
2. A public commitment to inform users about all third party data requests.
3. Transparency about frequency of third party data requests and disclosures.
4. Transparency about conditions for third party data disclosures.
5. An explicitly inclusive definition of ‘personal information’.
6. The normal retention period for personal information.
7. Transparency about where personal information is is stored and/or processed.
8. Transparency about where personal information is routed.
9. Domestic Canadian routing where possible.
10. Open advocacy for user privacy rights.

Stars were assigned after careful review of the privacy materials present in the privacy section of each carrier’s corporate website as of January 2018. Materials not linked to a privacy section were not evaluated, as it is assumed that privacy pages are the first, and perhaps only location users interested in privacy will access.⁵

The sample of 44 carriers involved in the routing of Canadian internet traffic was determined based on their prevalence in the IXmaps.ca traceroute database for the 2014 report. Most carriers are the same as in the 2014 analysis, with a few minor changes due to acquisitions, mergers and so forth. The sample includes 14 transit providers that are involved in the routing of traffic across the internet ‘backbone’, often via boomerang routes through the United States.⁶

The star scores, or results for the ten criteria are organized into three star tables:

1. Major Canadian retail internet carriers
2. Minor Canadian retail internet carriers
3. Major international internet transit carriers

Key Findings

While major concerns persist, there are clear signs that some carriers are moving toward greater transparency, providing more information about how they treat personal data. Table 1 emphasizes the bright spots, highlighting the scores of the 10 major carriers evaluated and the criteria that show the biggest improvements since the 2014 report.

The 2014 leader, TekSavvy, added an aggregate of 2 stars to achieve a score of 8/10, keeping it well ahead of all other major Canadian carriers. Shaw was the major carrier that showed the most improvement, more than doubling its score to 4.5. Cogeco and Videotron are others in this category whose scores rose considerably. Among the minor carriers, Acanac and its corporate owner Distributel stand out in both their scores and improvement from 2014.

In terms of the criteria, the most notable improvements were associated with criterion 5: providing an explicitly inclusive definition of personal information. Four major and four minor carriers now earn full stars on criterion 5, whereas no major/minor carrier earned a full star in 2014. Modest improvements suggest some carriers are being slightly more transparent about the location of data storage (criterion 7) and data routing (criterion 8). These improvements may be due to demand for information about data sharing with the United States and corresponding surveillance implications. All major carriers now provide some level of detail about the location of data storage. In 2014 no carrier mentioned where data under their control might be routed, but now three carriers do so.

Almost all major carriers score above the average. The average across the 10 majors was 4.2/10 stars, an increase from 3.5/10 in 2014.

Bell remains the only major carrier to score below the 2.6/10 average with a score of 2.5 stars.

Bell receives no stars on the following criteria:

• #2 — A public commitment to inform users of all third party data requests.
• #3 — Transparency about frequency of third party data requests and disclosures.
• #6 —The normal retentions period for personal information.
• #8 — Transparency about where personal information is routed.
• #9 — Domestic Canadian routing where possible.
• #10 — Open advocacy for user privacy rights.

While most major carriers in Canada are producing transparency reports, Bell Canada continues its refusal to release any details about law enforcement or third party requests or disclosures. In this respect, Bell demonstrates a disinterest in advocating for its customers’ privacy rights and in its efforts to help users achieve meaningful consent. The other major carriers that have yet to release a transparency report are Cogeco and Eastlink.

Minimum detail for minimum score:While many carriers earned half-stars in a variety of categories, this should not be interpreted as a widespread overhaul of data privacy transparency practice. Many carriers scored half stars for the addition of a sentence or two or a brief example.

No carrier earned a full star on the following criterion:

• #8 — Transparency about where personal information is routed.

Only two carriers earned a full star on the following criteria:

• #4 – Transparency about conditions for third party data disclosures.
• #6 - The normal retention period for personal information.
• #7 –Transparency about where personal information is stored and/or processed.

The ‘fighting brands’ of major mobile carriers, Chatr (Rogers), Fido (Rogers) and Koodo (Telus), all score below the average and are less transparent than their corporate owners.

Carriers continue to refuse to provide retention details. Despite growing calls for users to understand better how long carriers are keeping data, none of the major carriers, and few of the others, provide retention details, often noting that data will be kept as long as possible. This is frustrating, as some carriers do note that they maintain internal retention policies, but refuse to make these public.

Many carriers continue to lack explicit definitions of personal information. Despite some improvements in terms of the scores for this criterion, growing public concern about metadata, mobile data, surveillance data from in-store visits and set-top box data, is not reflected in the definitions provided by most carriers. Notable is the score of zero stars for Chatr (Rogers), Fido (Rogers) and Fongo in this category.

No transit provider indicates explicit compliance with Canadian privacy law. Since the first of these reports completed in 2013, not a single transit provider has made reference to Canadian privacy law in its privacy materials. This is concerning because these behind the scenes internet carriers handle large quantities of intra-Canadian traffic.

Transit carriers generally score much lower than the retail carriers and typically expose personal data to mass state surveillance by the NSA. All transit carriers (except for AT&T) score lower than the average. The following carriers earned a score of 0/10: Allstream, Cogent, Hurricane, Level 3, TeliaSonera and Zayo. This is concerning because when outside Canada, or handled by carriers subject to US or other jurisdictions, Canadian data enjoys no effective legal protection, and certainly much less than when within Canadian jurisdiction.⁷

Given the lack of equivalent privacy protection between Canada and the US, the reliance on US transit providers or US routing for Canadian domestic internet traffic, aka ‘boomerang’ routing, it appears that many Canadian internet carriers are in violation of their legal responsibilities under PIPEDA.

Overall, carriers continue to fail in their role as public trustees and as advocates for user privacy. As government officials and privacy advocates call for new ideas and new mechanisms for protecting privacy, reputation and security, last-mile carriers, who deal with users face-to-face and/or online every month, must do far more. Transit providers too, must help ensure users understand the processes and implications of going online. The consent challenges that persist epitomize current lackluster efforts. We cannot expect that content and platform providers will be the only entities helping to educate and engage users. Internet carriers must do far more to fulfill public interest mandates associated with longstanding expectations associated with the benefits of spectrum allocation, and certainly, the legal responsibilities determined by current privacy law.

Policy Recommendations

Our internet carriers must acknowledge and demonstrate a leadership role in the unfolding data privacy debate. Data privacy transparency means more than simply placing minimal text in a downloadable PDF on an almost hidden section of a website. Data privacy transparency should contribute to a more democratic and engaged discussion about the role of state surveillance in Canada and about the threats linked to corporate, political and governmental data collection, management, retention, disclosure and use. The presentation of comprehensive, meaningful and approachable privacy materials and transparency reports will help users to realize privacy rights, and also help to determine what additional regulatory and self-governance supports are necessary. This process should begin with our internet carriers serving as leaders in our efforts to try and control the unwieldy and complex big data universe. Secondary recommendations draw from the ten criteria assessed for this study, and are included in the full report.

Notes

1. See: Obar, J. A., & Oeldorf-Hirsch, A. (2018). The biggest lie on the internet: Ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 1-20.; Obar, J. A., & Oeldorf-Hirsch, A. (2018). The clickwrap: A political economic mechanism for manufacturing consent on social media. Social Media+ Society, 4(3); Oeldorf-Hirsch, A. & Obar, J. A. (2019). Overwhelming, important, irrelevant: Terms of service and privacy policy reading among older adults. SMSociety '19, July 19–21, 2019, Toronto, ON, Canada. ↩
2. See: Office of the Privacy Commissioner of Canada. (2016). Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act, https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2016/consent_201605 ↩
3. Office of the Privacy Commissioner of Canada. (2017). 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act. ↩
4. Personal Information Protection and Electronic Documents Act. ↩
5. In the case of criterion #9 – Publicly visible steps to avoid U.S. routing of Canadian data, the peering arrangements identified on the website for TorIX, a Toronto-based internet exchange are also assessed. ↩
6. A boomerang route is an internet transmission that begins and ends in the same country, but goes via another. See: Obar, J. A., & Clement, A. (2012). Internet surveillance and boomerang routing: A call for Canadian network sovereignty. In TEM 2013: Proceedings of the Technology & Emerging Media Track-Annual Conference of the Canadian Communication Association (Victoria); Clement, A., & Obar, J. A. (2015). Canadian internet “boomerang” traffic and mass NSA surveillance: Responding to privacy and network sovereignty challenges. In Geist, M. Law, privacy and surveillance in Canada in the post-Snowden era, 13-44, Ottawa, ON: University of Ottawa Press.↩
7. Austin, L. M., Black, H., Geist, M., Levin, A., and Kerr, I. (2013 December 12). Our data, our laws, National Post, http://news.nationalpost.com/2013/12/12/our-data-our-laws; Austin, L. M. (2015). Enough About Me: Why Privacy is About Power, Not Consent (or Harm), in Austin Sarat (Ed)., A World Without Privacy?: What Can/Should Law Do, New York, NY: Cambridge, 131-189; Austin, L. M. and Carens-Nedelsky, D. (2015). Jurisdiction still matters: The Legal Contexts of Extra-National Outsourcing, presented at the Assessing Privacy Risks of Extra-National Outsourcing of eCommunications public forum, Seeing Through the Cloud: Why Jurisdiction Still Matters in a Digitally Interconnected World, University of Toronto, March 6, 2015.↩

About the Author

Jonathan Obar (jonathan.obar@uoit.ca) is an Assistant Professor in the Department of Communication Studies at York University. He also serves as a Research Fellow with the Quello Center at Michigan State University. Dr. Obar has published research in a variety of academic outlets about the relationship between digital technologies, civil liberties and the inclusiveness of public culture.

Acknowledgments

The most important acknowledgement is to Professor Andrew Clement, whose vision for greater data privacy transparency in Canada began this project, and whose guidance and support makes continuing this work possible. I greatly appreciate the work over the years of IXmaps collaborators at York University and the University of Toronto: Antonio Gamba, Andrew Hatelt and Colin McCann. It is also important to acknowledge the input of Nate Cardozo (EFF), Steve Anderson, (Openmedia.ca), Christopher Parsons (Citizen Lab), Andrew Hilts (Cyber Stewards Initiative), and Tamir Israel (CIPPIC).

The methodology updated in 2014 and central to this third report was developed in collaboration with the Centre for Innovation Law and Policy at the University of Toronto. In particular, Matthew Schuman, Ainslie Keith, Shawn Arksey, Nathaniel Rattansey, Kassandra Shortt, Matthew Vaughan, Michael Cockburn, Caroline Garel-Jones, Jada Tellier and Aaron Goldstein.

IXmaps website and design assistance: Jennette Weber.

This third report is part of a broader effort associated with the IXmaps: Mapping Canadian privacy risks in the internet ‘cloud’ project (IXmaps.ca) and the Information Policy Research Program (IPRP) at the University of Toronto. Over the years, funding support for these reports has been provided by the Office of the Privacy Commissioner of Canada (2012-13), the Social Sciences and Humanities Research Council (2012-15), and the Canadian Internet Registration Authority (CIRA).

The views expressed in this report are the author’s.

"Keeping internet users in the know or in the dark: A report on the data privacy transparency of Canadian internet carriers" is licensed under a Creative Commons Attribution 3.0 Unported License.