Abstract

In the wake of the Snowden revelations about NSA surveillance, recent calls for greater data privacy recommend that internet service providers (ISPs) be more forthcoming about their handling of our personal information. Responding to this concern as well as in keeping with the transparency, openness and accountability principles fundamental to Canadian privacy law, this report evaluates the data privacy transparency of twenty of the most prominent ISPs (aka carriers) currently serving the Canadian public. We award ISPs up to ten ‘stars’ based on the public availability of the following information:

1. A public commitment to PIPEDA compliance.
2. A public commitment to inform users about all third party data requests.
3. Transparency about frequency of third party data requests and disclosures.
4. Transparency about conditions for third party data disclosures.
5. An explicitly inclusive definition of ‘personal information’.
6. The normal retention period for personal information.
7. Transparency about where personal information is stored.
8. Transparency about where personal information is routed.
9. Publicly visible steps to avoid U.S. routing of Canadian data.
10. Open advocacy for user privacy rights (such as in court and/or legislatively).

Stars are awarded based on careful examination of each ISP’s corporate website. We selected the 20 ISPs in our sample based on their prevalence among the approximately 6000 internet traceroutes in the IXmaps.ca database (out of 25,000 in total) that correspond to intra-Canadian routes – i.e. with origin and destination in Canada.

ISPs earn very few stars – 1.5/10 on average. The highest scoring carrier overall is TekSavvy, earning 3.5 stars in aggregate based on full or half stars across five criteria. The large foreign carriers Cogent and AboveNet (Zayo) receive no stars.
Slightly more than half of the ISPs (11 of 20), all operating primarily in Canada, state a commitment to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the handling of personal information in commercial transactions. None of the foreign-based ISPs that carry significant amounts of intra-Canadian traffic indicate any explicit compliance with Canadian privacy law. At the time of writing, no Canadian ISP had yet published a transparency report along the lines of AT&T, Verizon, Google, Facebook or Twitter, each of which has begun to report standardized statistics concerning law enforcement access requests.

Without proactive public reporting on the part of ISPs in the key areas identified above, it is very difficult for Canadians to protect their personal privacy online or to hold these important organizations to account. To remedy this situation, we provide a number of policy recommendations specific to the various groups involved.
