This is the third report assessing the extent to which carriers providing internet communications in Canada are forthcoming about their handling of personal information. Demand for data privacy transparency calls our trusted internet carriers to account, for details about the collection, management, retention, routing, disclosure and use of our data. To what extent do carriers collect and keep personal information? Is data routed and stored in the U.S.? When a company, security agency or political party requests access to data, do carriers oblige? When it comes to these and many other privacy concerns, do our internet carriers keep us in the know? Or in the dark? Consistent with the previous reports, 44 major, minor and transit carriers that route Canadian internet traffic are assigned full, half or zero ‘stars’ based on ten criteria: 1) A public commitment to PIPEDA compliance. 2) A public commitment to inform users of all third party data requests. 3) Transparency about frequency of third party data requests and disclosures. 4) Transparency about conditions for third party data disclosures. 5) An explicitly inclusive definition of ‘personal information’. 6) The normal retention periods for personal information. 7) Transparency about where personal information is stored and/or processed. 8) Transparency about where personal information is routed. 9) Domestic Canadian routing where possible. 10) Open advocacy for user privacy rights. Stars were assigned after careful review of the privacy materials present in the privacy section of each carrier’s corporate website as of January 2018. Materials not linked to a privacy section were not evaluated, as it is assumed that privacy pages are the first, and perhaps only location users interested in privacy will access. Key Findings - While major concerns persist, there are clear signs that some carriers are moving toward greater transparency, providing more information about how they treat personal data. The 2014 leader, TekSavvy, added an aggregate of 2 stars to achieve a score of 8/10, keeping it well ahead of all other major Canadian carriers. Shaw was the major carrier that showed the most improvement, more than doubling its score to 4.5. Cogeco and Videotron are others in this category whose scores rose considerably. Among the minor carriers, Acanac and its corporate owner Distributel stand out in both their scores and improvement from 2014. - Bell remains the only major carrier to score below the 2.6/10 average with a score of 2.5 stars. While most major carriers in Canada are producing transparency reports, Bell Canada continues its refusal to release any details about law enforcement or third party requests or disclosures. - Minimum detail for minimum score: While many carriers earned half-stars in a variety of categories, this should not be interpreted as a widespread overhaul of data privacy transparency practice. Many carriers scored half stars for the addition of a sentence or two or a brief example. - Carriers continue to refuse to provide retention details. Despite growing calls for users to understand better how long carriers are keeping data, none of the major carriers, and few of the others, provide retention details, often noting that data will be kept as long as possible. - Many carriers continue to lack explicit definitions of personal information. Despite some improvements in terms of the scores for this criterion, growing public concern about metadata, mobile data, surveillance data from in-store visits and set-top box data, is not reflected in the definitions provided by most carriers. - No transit provider indicates explicit compliance with Canadian privacy law. Since the first of these reports completed in 2013, not a single transit provider has made reference to Canadian privacy law in its privacy materials. This is concerning because these behind the scenes internet carriers handle large quantities of intra-Canadian traffic. - Overall, carriers continue to fail in their role as public trustees and as advocates for user privacy. As government officials and privacy advocates call for new ideas and new mechanisms for protecting privacy, reputation and security, last-mile carriers, who deal with users face-to-face and/or online every month, must do far more. Transit providers too, must help ensure users understand the processes and implications of going online. The consent challenges that persist epitomize current lackluster efforts. We cannot expect that content and platform providers will be the only entities helping to educate and engage users. Internet carriers must do far more to fulfill public interest mandates associated with longstanding expectations associated with the benefits of spectrum allocation, and certainly, the legal responsibilities determined by current privacy law.