SCORES FOR THE 3+3 PROJECT
Using 10 criteria, this chart scores Canada’s “Big Three” wireless carriers and their extension brands with respect to how transparent they are about their privacy practices and how they treat personal information.
During the 2014-2015 academic year, the Centre for Innovation Law and Policy (“CILP”) at the University of Toronto, Faculty of Law, sponsored a volunteer student working group with the goal of producing a visual representation of wireless carriers’ privacy policies. To demonstrate whether each carrier included certain information in its privacy materials, the group ultimately adopted transparency criteria originally developed by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology) for the transparency stream of their IXmaps Project and their 2013 report, “Keeping Internet Users in the Know or in the Dark: A Report on the Data Privacy Transparency of Canadian Internet Carriers.”
The working group used the transparency criteria to analyze publicly available information provided by Canada’s “Big Three” wireless carriers (Rogers, Bell, and Telus) and certain of their related brands and companies (Fido, Virgin, and Koodo) (collectively, “the 3+3”) to evaluate how transparent each carrier is about its treatment of its customers’ personal information and third-party requests for disclosures of that information, as well as its positions on privacy and privacy issues. The students also worked with Professors Obar and Clement to build on, improve, and update the criteria used to evaluate the carriers (the updated criteria are also being used to evaluate over 40 Canadian Internet Service Providers (“ISPs”) in a concurrently released 2014 edition of “Keeping Internet Users in the Know or in the Dark”).
The students evaluated the 3+3 by analyzing not only the carriers’ own websites, but also public statements in press releases, relevant news articles, and recent court cases, and developed their own reports.
Finally, the students created an overview chart. The chart, which scores each carrier using the system of no star, half star, or full star on each criterion, is modelled on IXmaps’ previous “star charts”, which are themselves inspired by the Electronic Frontier Foundation’s star charts in its “Who Has Your Back?” reports. In addition, the chart uses hovertext to make additional information about each score available on the chart page when the chart is viewed online. This was inspired by the use of hovertext in the Bank Privacy project at Carnegie Mellon University’s Cylab Usable Privacy and Security Laboratory (CUPS lab).
Privacy legislation sets a “floor” regarding the treatment of customers’ personal information, third-party requests for disclosures of that information, and what consumers must be told about such treatment and disclosures. However, it does not necessarily identify best practices, or capture every issue of concern. This project tackles the treatment of personal information from a transparency standpoint, looking at key areas to determine (1) what major wireless carriers tell the public regarding their treatment of personal information, and (2) how that compares with how they could be treating that information and/or communicating about their practices regarding personal information and privacy.
Further, this report is situated among a larger literature that ranks companies on user rights, privacy, and transparency in the digital sphere, which includes not only the “Keeping Internet Users In the Know or In the Dark” report and the EFF’s “Who has your back?” annual reports, which examine publicly available information about (primarily US-based) Internet companies’ positions on government requests for user data, but also the Ranking Digital Rights project, which is developing a system to rank information and communication technology companies on users’ rights to privacy and free expression on a worldwide basis, and the work of Dr. Christopher A. Parsons, Post-Doctoral Fellow at the Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, which evaluates whether Canadian telecommunications companies’ own transparency reports actually provide consumers with useful information, or merely generate publicity.
The working group’s evaluation, and the concurrently released IXmaps’ 2014 Report, “2014 Keeping Internet Users in the Know or in the Dark: A Report on the Data Privacy Transparency of Canadian Internet Carriers” make it easier for consumers to understand and compare privacy policies and to judge for themselves whether the 3+3 and other carriers are keeping users in the dark about what happens to their personal data.
Further, the working group’s evaluation shines a spotlight on the 3+3 wireless carriers and serves as an entry point to Professor Clement’s and Professor Obar’s larger transparency project for Canadian ISPs and their related work of mapping where data packets go.
CILP STUDENT WORKING GROUPS
CILP fosters student participation in research on laws, institutions, and policies that affect – or are affected by – innovation or technological change. Volunteer student working groups, like this one, are student-initiated projects that provide experiential learning opportunities for students, cultivate student leadership, and provide legal information to civil society. More information on CILP and its programs is available at http://innovationlaw.org.
METHODOLOGY & CRITERIA
The working group collaborated with Professors Clement and Obar to update and improve the 10 criteria from their 2013 “Keeping Internet Users in the Know or in the Dark” report (part of the IXmaps project), and in particular to develop the rubrics defining what earns a carrier a full-star, half-star, or no star, under each criterion. The transparency portion of the IXmaps project uses ‘snapshots’ of Canadian Internet Service Providers’ websites and privacy policies to evaluate them annually on their privacy transparency. The concurrently released IXmaps’ report for 2014 will evaluate over 40 Canadian ISPs. The working group and IXmaps have used the same criteria to evaluate the carriers. The full criteria document includes a description of each of the 10 criteria, including their relevance to the overall project. The criteria document, included here, was released by IXmaps on December 22, 2014 and made available for carriers to review on IXmaps’ website.
The working group initially divided into three sub-groups to undertake the carrier evaluations, with each sub-group assigned to a pair of related carriers (e.g. Rogers and Fido). The working group took snapshots (i.e. saving date-stamped webpages) of the carriers’ privacy policies, Terms and Conditions, Transparency Reports and additional privacy-related documents where available, and related web pages, as well as searched press releases, Google, and Canadian legal databases, to determine each carrier’s score on each of the 10 criteria. The working group gathered this information during December 2014, January 2015, and February 2015. Thus, although IXmaps provided an overview of each carrier’s commitment to privacy as of December 31, 2014, some of the student research continued after that date. (However, this divergence did not result in any differences in scoring on any criterion for any of the carriers). All of the documents reviewed are on file with CILP, and the relevant provisions (including the dates the documents were accessed), are included in the evaluation of each carrier.
However, as the evaluations make clear, while the working group consulted multiple sources of information for each carrier, not all of the sources (such as press releases) were relevant to the evaluation of each carrier. Further, it was decided that the working group would follow IXmaps and not consider provisions from the carriers’ Terms and Conditions in awarding scores to carriers, based on the idea that people seeking information on privacy will look first to a carrier’s privacy materials. However, the working group has indicated in its written evaluations where carriers’ Terms and Conditions included important privacy information. The treatment of Terms and Conditions may be revisited in future years if CILP is able to continue this project (see Key Findings and Recommendations, below).
IXmaps notified carriers’ privacy officers of their carrier’s preliminary scores in mid-February 2015 and provided carriers the opportunity to send updated information and other feedback. None of the six carriers included in the 3+3 provided any response.
The working group has cross-checked the scores awarded to each carrier for consistency with other carriers to ensure the consistent application of criteria, and has also checked the application of each criterion for consistency with its application by IXmaps, ensuring consistency in scoring across the projects. Where any differences arise in the application of the criteria to a particular carrier, they are noted in the carrier’s evaluation.
A NOTE ON LEGAL AND TECHNICAL TERMS
The working group’s evaluations necessarily include some legal and technical terms, which are discussed below.
The Office of the Privacy Commissioner of Canada describes PIPEDA as follows:
“The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. PIPEDA also applies to federal works, undertakings and businesses in respect of employee personal information. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.
In general, PIPEDA applies to organizations’ commercial activities in all provinces, except organizations that collect, use or disclose personal information entirely within provinces that have their own privacy laws, which have been declared substantially similar to the federal law. In such cases, it is the substantially similar provincial law that will apply instead of PIPEDA, although PIPEDA continues to apply to federal works, undertakings or businesses and to interprovincial or international transfers of personal information.”
Accordingly, the criteria document makes the following statement:
“PIPEDA, and its provincial equivalents, applies to the commercial activities of all private sector organizations that exhibit a real and substantial connection to Canada, and outlines rules for how they may collect, use, or disclose personal information. In particular, internet service providers, wireless carriers, and other telecommunications carriers, as federally regulated entities, are covered by PIPEDA. An important requirement of PIPEDA is that personal information can only be transferred to third parties, whether Canadian or foreign, that provide an equivalent level of protection as that offered by PIPEDA.”
IXPs and PEERING
Criterion #9, Domestic Canadian routing when possible, includes language about whether a carrier “verifiably peers openly at all the Canadian IXPs in its service regions.” “An Internet exchange point (IX or IXP) is a physical infrastructure that allows different Internet Service Providers (ISPs) to exchange Internet traffic between their networks. … The primary purpose of an IXP is to allow networks to interconnect directly, via the exchange, rather than through one or more 3rd party networks.” In other words, the IXP’s members allow each other’s data to cross their networks, without charge, to find the shortest physical path while in transit. As a result, this typically increases connection speeds and decreases costs. In the case of Canadian ISPs, it significantly reduces the chance that Canadian data is routed through the U.S. on its way to a Canadian destination. Data routed through the US is not protected by Canadian laws, and is subject to US jurisdiction (and surveillance). Further, as noted in the criteria document, there are also good economic reasons for keeping Canadian data within Canada.
Six IXPs were reviewed for this project: the Manitoba Internet Exchange, Échange Internet de Montréal, Toronto Internet Exchange, Ottawa Internet Exchange, Halifax Internet Exchange, and Calgary Internet Exchange. All except the Ottawa and Halifax exchanges list whether their members (or peers) are “open” as opposed to “conditional” or “active.” An “open” or “accepting” peer accepts all of the terms and conditions of an IXP, which may include not charging other ISPs to use its network, and revealing the path that data travels. A “conditional” or “active” peer accepts some, but not all, of the IXP’s terms and conditions of membership.
EXAMPLES OF PERSONAL INFORMATION
The following terms, listed as examples under Criterion #5, whether a carrier explicitly states all forms of data that fall under ‘personal information,’ are all used to identify individual devices connected to the Internet, information which could be used to identify individuals and track their locations.
‘IP address’ is a shorter way of saying “Internet Protocol address.” IP addresses are the numbers assigned to computer network interfaces. Although we use names to refer to the things we seek on the Internet, such as www.example.org, computers translate these names into numerical addresses so they can send data to the right location. So when you send an email, visit a web site, or participate in a video conference, your computer sends data packets to the IP address of the other end of the connection and receives packets destined for its own IP address.
Thus, a computer user’s own IP address can be used to identify the user.
IMSI and IMEI
International Mobile Subscriber Identity (IMSI) is a string of decimal digits, up to a maximum length of 15 digits, which identifies a unique mobile phone subscriber and allows mobile phone users to ‘roam’ among networks. The IMSI consists of three fields: the mobile country code (MCC), the mobile network code (MNC), and the mobile subscription identification number (MSIN).
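An added example (not part of the original report): splitting an IMSI into the three fields described above and replacing the subscriber-specific part with a keyed token before a log line is stored. The `imsi=` log format, the key, the sample IMSI and the function names are assumptions constructed for illustration; the MNC length (2 or 3 digits) is passed in because it cannot be read from the IMSI itself.

```python
import hashlib
import hmac
import re

# Assumed log format: the IMSI appears as a labelled "imsi=<digits>" field.
# Any digit run is captured so malformed values are also scrubbed.
IMSI_FIELD = re.compile(r"\bimsi=([0-9]+)")

# Constructed demo key; a real deployment would load this from a secret store.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample line. 302 is Canada's MCC; the MNC "999" and the
# MSIN are made-up digits, not a real subscriber.
SAMPLE_LOG = "2015-01-12T09:14:03Z attach ok imsi=302999123456789 cell=constructed-01"


def split_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if not re.fullmatch(r"[0-9]+", imsi):
        raise ValueError("IMSI must contain only decimal digits")
    # At most 15 digits in total, and at least one digit left for the MSIN.
    if not (3 + mnc_len < len(imsi) <= 15):
        raise ValueError("IMSI length out of range")
    return {
        "mcc": imsi[:3],
        "mnc": imsi[3:3 + mnc_len],
        "msin": imsi[3 + mnc_len:],
    }


def pseudonymize_imsi(imsi: str, key: bytes, mnc_len: int = 3) -> str:
    """Keep country and network codes; replace the MSIN with a keyed token.

    HMAC-SHA256 is computed over the full IMSI, so the same subscriber
    always maps to the same token under one key, but the token cannot be
    reversed or recomputed without that key.
    """
    fields = split_imsi(imsi, mnc_len)
    token = hmac.new(key, imsi.encode("ascii"), hashlib.sha256).hexdigest()[:16]
    return f"{fields['mcc']}-{fields['mnc']}-{token}"


def scrub_line(line: str, key: bytes, mnc_len: int = 3) -> str:
    """Rewrite every imsi= field in a log line; fail closed on bad values."""
    def replace(match: re.Match) -> str:
        try:
            return "imsi=" + pseudonymize_imsi(match.group(1), key, mnc_len)
        except ValueError:
            # Never echo an unparseable value back into the log.
            return "imsi=[invalid]"
    return IMSI_FIELD.sub(replace, line)


if __name__ == "__main__":
    print(split_imsi("302999123456789"))
    print(scrub_line(SAMPLE_LOG, DEMO_KEY))
```

The MCC and MNC stay readable because they identify only a country and a network; the MSIN is the part that singles out one subscriber.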
International Mobile Station Equipment Identity (IMEI) is a unique number included in mobile phones that can be used to identify the specific phone, where it connects to a network (i.e. its location), and the type of network to which the phone is designed to connect. Phone manufacturers are required to include the number by the International Telecommunication Union, the United Nations’ specialized agency for information and communication technologies.
In computer networking, a Media Access Control address, better known as MAC address, is a unique identifier assigned to a network adapter or network interface card (NIC) by the manufacturer for identification. The MAC address can also be called the Ethernet Hardware Address (EHA), hardware address, adapter address or physical address. Your computer may have more than one MAC address. Do you have wireless and an ethernet port? Then you have at least two MAC addresses. Your smart phone probably also has a MAC address — my iPhone has two; one for wireless and one for bluetooth.
As a result, the MAC address can be used to identify where a device is connected to a network or the Internet, and the type of connection or device being used.
KEY FINDINGS AND RECOMMENDATIONS
The Centre for Innovation Law and Policy and the student working group hope to continue this project in future years, to pass it down to future student working groups, and to continue the collaboration with IXmaps. Accordingly, a few key points are highlighted, below, to assist in the ongoing development, expansion, and improvement of the project.
In addition, as one of the goals of this project is to encourage carriers to become more transparent, a few key recommendations for carriers are also highlighted below.
Key Findings for Carriers
- Where Privacy Information is Located
As discussed above, the working group consulted multiple sources of information about each carrier, although not all were relevant and not all were used to determine the carriers’ scores.
The working group found that the extension brands all had a single privacy document, usually quite short, which often did not include information required by the criteria. The parent brands all had two or more privacy documents; in some cases information was duplicated across documents, but in other cases it was contained in only certain materials. In addition, in a few instances carriers put privacy-related information in their Terms and Conditions only, where a user might not know to look for it (see particularly Rogers and Fido, criterion #7).
As a result, to try to understand a carrier’s position on how it treats personal information, one must consult multiple sources of information, and it’s not always clear where the information might be located. Thus, even if carriers create some sources of information (like FAQs) as a way to provide more information to their customers and members of the public, they may still be making it difficult to understand how they treat personal information, by requiring individuals to consult multiple sources.
To encourage carriers to make their privacy information more readily findable, both IXmaps and the working group evaluated the carriers on the language in their privacy policies, but did not count provisions from Terms and Conditions toward the scores awarded to each carrier.
- To Which Carrier Information Applies
The 3+3 carriers evaluated by the working group are related companies, to the extent that each of the larger brands (Rogers, Telus, and Bell) has a parent/subsidiary or other relationship with one of the smaller brands (Fido, Koodo, and Virgin, respectively).
The working group learned that while some parent brands indicate that certain of their privacy materials apply to their subsidiaries and related companies, the extension brands do not indicate in their privacy materials that their parent brands’ privacy materials apply to them. As a result, a customer of an extension brand would not know the full scope of the company’s position on privacy or how the company might treat the customer’s personal information after consulting the extension brand’s policies. Instead, the customer would independently have to know of the relationship between the parent and extension brands and also independently know to consult the parent brand’s privacy documents.
Further, even though Telus and Rogers have gathered statistics into transparency reports, they do not make clear whether such statistics apply to their extension brands (Koodo and Fido, respectively). As a result, extension brand customers would be unable to tell whether the important statistics and information in the reports apply to them.
Key Recommendations for Carriers
While Telus and Rogers have produced transparency reports, these evaluations demonstrate that all of the carriers evaluated could still communicate better about how they treat personal information, where it goes, how it’s stored, and when and under what circumstances it’s disclosed. The evaluations also demonstrate carriers are unclear about what they consider to fall under “personal information.” We hope these evaluations continue to encourage the carriers to provide more information and to be more transparent.
- Ensure Key Information Is Easy to Find
As discussed above, even when carriers produce more information, it may still be located in multiple sources and thus may be difficult to find and understand. We acknowledge that it is often very helpful to consumers when carriers post simplified versions of complex documents and policies. However, we encourage carriers to (1) maintain information in as few documents as possible while still ensuring consumers have a clear, easy-to-read option for understanding their carrier’s privacy approach, and (2) ensure key information appears in all documents where there is more than one document. We hope that these evaluations encourage carriers to not only provide additional information, but also to make that information more accessible.
- Offer More Information to Extension Brand Customers
In all cases, the extension brands did worse than their associated parent brand on at least two criteria. Students who were expecting to find significant similarities between parent and extension brands were surprised. For some carriers, this may be explained by the fact that the parent brand’s privacy materials are intended to apply to its extension brand as well. However, as discussed in “To Which Carrier Information Applies,” above, it is generally not made clear to extension brand customers that they should look to the parent brand’s materials. From a transparency standpoint, therefore, extension brand customers are not provided with as much information about privacy practices as are parent brand customers.
Key Recommendations for Future Evaluations
Just as the working group hopes these evaluations encourage carriers to be more transparent, we also hope to continue to improve the methodology for this project, as shown in the following examples.
This year, the working group made a significant contribution to IXmaps’ criteria document by working on defining what it means for a carrier to earn a full star, half star, or no star, for each of the 10 criteria. However, there is always room for improvement.
- Re-Consider Terms and Conditions
As discussed above, in these evaluations, the working group reviewed carriers’ Terms and Conditions, and noted where they would have affected carriers’ scores on each criterion, but did not count provisions in the Terms and Conditions toward the scores awarded. Nevertheless, the working group acknowledges that some carriers refer to their Terms and Conditions in their privacy policies, or vice versa. Furthermore, these documents are readily available to consumers, who, indeed, are expected to read them. So, while the working group encourages carriers to make their privacy information more readily findable by locating it in a limited number of documents, future evaluations might consider whether and in what circumstances carriers could receive credit for informing consumers about their privacy practices via their Terms and Conditions.
- Improving Criteria and Rubrics
Criterion #2 was applied generously by both the working group and IXmaps. As written, it requires that a carrier speak to whether and when it will inform users of requests for their information, but carriers also received credit for noting whether and when they will inform users of disclosures of their information. The criterion may be applied more strictly in future, particularly as the looser application created overlap with Criterion #4, which relates to the circumstances under which a carrier will disclose personal data, and includes whether a carrier indicates if it will notify the customer about the disclosure.
Some criteria may try to address too many issues, and might be split into separate criteria. For example, Criterion #4 includes information about 1) the circumstances under which personal information will be disclosed to third parties; 2) the standard the third party must meet for the carrier to make the disclosure; and 3) whether or not it is clear whether the carrier will notify the subscriber of a disclosure to a third-party. This meant that first, carriers who did well on some aspects of the criteria did not have this reflected in a higher score, and second and relatedly, that carriers who did well on some sub-criteria but poorly on others received the same score as carriers who did poorly on most sub-criteria, reducing the usefulness of scores on this criterion for comparison between carriers.
Criterion #6 dealt with retention periods for personal information. Carriers ultimately received some consideration for identifying types of information they did not retain at all. In future the criterion may be updated to reflect this application.
As discussed above, the working group cross-checked its evaluations with IXmaps for consistency. However, there is always room for improvement in the way criteria are applied. For example, even though it did not affect the carriers’ scores, the working group checked for the specific types of statistics listed in Criterion # 3, relating to third party requests and disclosures of personal information, and thus, may have applied this criterion more strictly than IXmaps.
In addition, the working group plans to further standardize the search terms and dates that it used to search legal databases and Google to determine carriers’ scores for Criterion #10, Open advocacy for user privacy rights.
Although it was not possible this year, in future the working group intends to follow IXmaps’ lead and capture information as of a certain date.
Relatedly, the sub-group assigned to Bell and Virgin divided their work differently than the other sub-groups, with each member focusing on particular criteria. While an equally appropriate approach, this meant that within Bell and Virgin, one group member might have reported on the relevant materials for Criterion #1 as of one date, and another on the relevant materials for Criterion #2 as of another. Setting a single snapshot date will eliminate any confusion caused by multiple consultation dates for the same materials. (Although other sub-groups did not necessarily consult all materials as of the same date, the reports of group members could be compared and the lack of changes between dates confirmed such that the latest date of consultation was that reported.)
The 2014-2015 CILP Student Working Group
Professor Simon Stern, Co-Director, Centre for Innovation Law and Policy
Students Participating in Refinement of Evaluation Criteria
Students Participating in Evaluation of Wireless Carriers
Overview Prepared by
Matthew Schuman, Assistant Director, Centre for Innovation Law and Policy
Funding for this report and the 2014-2015 CILP student working group is made possible by a generous gift from Microsoft Canada.
 Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.pdf.
 Bell, Rogers and Telus, through a combination of their flagship brands and related companies, had 90% of Canada’s wireless subscribers in 2012 and 2013. Canadian Radio-television and Telecommunications Commission, Communications Monitoring Report (Ottawa, CRTC, October 2014), at 213. The report is available online at http://www.crtc.gc.ca/eng/publications/reports/PolicyMonitoring/2014/cmr.pdf.
 By “related brands” we mean that each of the larger brands have parent/subsidiary or other relationships with the smaller brands.
 Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (12 March 2015), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at http://ixmaps.ca/transparency.php.
 E.g. Nate Cardozo, Cindy Cohn, Parker Higgins, Kurt Opsahl, and Rainey Reitman, “Who Has Your Back? Protecting Data from Government Requests: The Electronic Frontier Foundation’s Fourth Annual Report on Online Service Providers’ Privacy and Transparency Practices Regarding Government Access to User Data” (15 May 2014), online: Electronic Frontier Foundation < https://www.eff.org >. The report is available online at https://www.eff.org/files/2014/05/15/who-has-your-back-2014-govt-data-requests.pdf.
 Lorrie Faith Cranor, Pedro Giovanni Leon, and Blase Ur, “Bank Privacy Project” (2013), online: Carnegie Mellon University, Cylab Usable Privacy and Security Laboratory (CUPS lab) http://cups.cs.cmu.edu. The comparison tool is available online at http://cups.cs.cmu.edu/bankprivacy/index.htm.
 Note 3, supra.
 Rebecca MacKinnon, “Our Mission” (11 June 2014), online: Digital Rights Project, available at https://rankingdigitalrights.org.
 Christopher A. Parsons, “Do Transparency Reports Matter for Public Policy? Evaluating the Effectiveness of Telecommunications Transparency Reports” (13 January 2015), online: University of Toronto, Munk School of Global Affairs, Citizen Lab. This paper is available online at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2546032.
 Note 3, supra.
 During the evaluation process, Professors Obar and Clement made minor changes to criterion #9, requiring a carrier to peer openly at one IXP in its service region, rather than all of the IXPs in its service region. As the working group did not modify the criterion released in December, we may have applied this criterion more strictly than IXmaps. However, as the carriers evaluated here only peered conditionally at IXPs (where they were peers at IXPs at all), we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
 “Legal Information Related to PIPEDA” (March 21, 2013), online: Office of the Privacy Commissioner of Canada, https://www.priv.gc.ca. This information is available at https://www.priv.gc.ca/leg_c/leg_c_p_e.asp.
 Provincial laws that have been deemed substantially equivalent are British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector. “Legal Information Related to PIPEDA” (March 22, 2013), online: Office of the Privacy Commissioner of Canada, https://www.priv.gc.ca. This information is available at https://www.priv.gc.ca/leg_c/legislation/ss_index_e.asp. The European Data Protection (1995) has also been deemed substantially equivalent.
 Note 12, supra.
 IXmaps, but not the working group, modified this language slightly after posting the criteria document on December 22, 2014. See note 13, supra.
 BGP: the Border Gateway Protocol Advanced Internet Routing Resources, “Internet Exchanges / Exchange Points / Peering Points,” online, available at http://www.bgp4.as/internet-exchanges (last accessed 2 March 2015).
 ICANN, “Beginner’s Guide to Internet Protocol (IP) Addresses” (4 March 2011), online: Internet Corporation for Assigned Names and Numbers https://www.icann.org/. The guide is available online at https://www.icann.org/en/system/files/files/ip-addresses-beginners-guide-04mar11-en.pdf.
 Telecommunication Standardization Sector, “Recommendation ITU-T E.212: The international identification plan for public networks and subscriptions” (May 2008), online: International Telecommunications Union http://www.itu.int. The Recommendation is available online at http://www.itu.int/rec/T-REC-E.212-200805-I/en.
 Radiocommunication Sector, “Recommendation ITU-R M.1224-1: Vocabulary of terms for International Mobile Telecommunications (IMT)” (March 2012), online: International Telecommunications Union http://www.itu.int. The Recommendation is available online at http://www.itu.int/rec/R-REC-M/en.
 “What is my IP Address / MAC Address?” (3 December 2012), online: University of Illinois at Chicago, Academic Computing and Communications Center http://accc.uic.edu/answer/what-my-ip-address-mac-address.
 For ease of reading, Fido, Koodo, and Virgin will hereafter be referred to as the “extension brands” (and Rogers, Telus, and Bell as the “parent brands”) but it should be noted that in the case of Virgin its relationship to Bell may be slightly different.