The 3+3 Project: Criteria

Keeping Internet Users in the Know or in the Dark:
A Report on the Data Privacy Transparency of Canadian Internet Carriers

2014 Edition, forthcoming – March 2015

Andrew Clement
Professor, Faculty of Information
University of Toronto

Jonathan Obar
Assistant Professor, Department of Communication
University of Ontario Institute of Technology

December 22, 2014

Planning for the 2014 Edition

In preparation for the 2014 edition of the ‘Keeping internet users in the know or in the dark: A report on the data privacy transparency of Canadian internet carriers’, this document highlights the methodological aspects of the upcoming background research. The 2014 report will be based closely on the first report from 2013,[1] but with revisions in the following areas:

• Assessment criteria – The 10 criteria have been revised to focus more explicitly on transparency around pro-privacy features as well as the geography of connections between carriers and to clarify the standards for awarding full and half stars (see below)

• Carriers studied – enlarged from 20 to 30+, mainly incorporating those included in related transparency initiatives at the University of Toronto – of Christopher Parsons and Andrew Hilts, both at the Citizen Lab,[2] and the student working group at the Centre for Innovation Law and Policy (CILP),[3] as well as large internet backbone carriers

• Carrier profiles – The profiles for each carrier assessed have been expanded to include further information about the carriers, such as nationality and types and geographic areas of service.

Assessing Data Privacy Transparency

We model this report most directly on the EFF’s “Who Has Your Back?” annual report.[4] Ours takes an explicitly Canadian orientation, focusing specifically on internet carriers, rather than service providers more generally, while broadening the range of criteria to highlight those that are particularly relevant to contemporary privacy concerns in Canada. On the premise that carriers of Canadian domestic communication already comply with the law, we highlight those carriers that go beyond minimum compliance, and, in the spirit of PIPEDA Principle 8 – Openness, make their policy and practices around the handling of personal information readily available publicly.

Awarding Stars to ISPs

Carriers can earn stars, full or half, for each of the 10 criteria described below.

We award stars based on readily available evidence presented on the carrier’s corporate website. Presuming that carriers would want to make it easy for their customers to find relevant information about corporate practices around personal information, and that the on-line privacy policy is where users would look first (and likely not look further), we will confine our attention to these public statements (with some exceptions noted below), as they appear on the corporate website as of December 31, 2014.

An advantage of this approach is that individual internet users can check that our results are correct, or apply these criteria to additional carriers. We look forward to receiving feedback and will update the report accordingly.

In February we will provide all carriers evaluated with the opportunity to respond to a preliminary version of the report and our initial transparency assessment of their company. We will take their comments into consideration for the final analysis and where changes are indicated, re-check their websites to determine whether they had updated their public statements after Dec 31, 2014.

The 2014 edition will be launched on March 10, 2015.

Evaluation Criteria

1. A public commitment to PIPEDA compliance

The Personal Information Protection and Electronic Documents Act (PIPEDA), and its provincial equivalents,[5] apply to the commercial activities of all private sector organizations that exhibit a real and substantial connection to Canada, and outline rules for how they may collect, use or disclose personal information.[6] In particular, internet service providers, wireless carriers, and other telecommunications carriers, as federally regulated entities, are covered by PIPEDA. An important requirement of PIPEDA is that personal information can only be transferred to third parties, whether Canadian or foreign, that provide an equivalent level of protection as that offered by PIPEDA. This criterion evaluates the extent to which carriers serving the Canadian market inform the public of their basic privacy responsibilities under the law.

Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.

Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.

No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.

2. A public commitment to inform users of all third party data requests

PIPEDA states that individuals have a right to be informed upon request whether their personal information has been disclosed to a third party, including the government.[7] This criterion looks at whether a carrier has a clearly stated proactive policy to contact an individual when it has received a request for their personal information and to inform them it has been disclosed, without the individual bearing the burden of having to first inquire.

Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.

Half Star: A carrier does not indicate that it will notify users when it receives requests; however, it indicates that users may send an inquiry in order to acquire such information.

No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.

3. Transparency about frequency of third party requests and disclosures

This criterion considers whether a carrier has published information regarding the types of requests for personal data it receives and how it responds to such requests. Since 2009, a rapidly growing number of major U.S.-based internet companies regularly publish transparency reports. In 2014, for the first time, Canadian internet carriers have begun to follow suit. These transparency reports typically include statistics about the number of requests the companies receive from third parties, broken down by government (law enforcement, etc.), commercial and non-commercial entities. Also important is how many requests they complied with, how many accounts the requests applied to and how many disclosures of information there were. The best transparency reports mention the lawful authority that accompanied the requests (e.g. whether the request was accompanied by a warrant or other court order) and in some cases even indicate the number of secretive ‘security letters’ the carrier has handled.

Full Star: The carrier has published the above-mentioned statistics in an annual or semi-annual report or in some other form.

Half Star: The carrier has published SOME information but leaves many important statistics out.

No Star: The carrier has published no information relating to these types of statistics.

4. Transparency about conditions for third party data disclosures.

Canadians use communication devices every day to browse the internet and transmit personal information via phone calls and text messages. The information transmitted, received, and accessed through these activities is logged by carriers who may disclose this information along with data about identity, address, and service payments to third parties. Evidence came to light in March 2014 revealing that such disclosure has been a very common occurrence, typically without carriers requiring a judicial warrant or other court order.[8] This criterion seeks to evaluate the requirements that the carrier establishes for disclosing personal information to third parties.

Full Star: (1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties. (2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required). (3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.

Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.

No Star: The carrier fails to indicate any of (1), (2), or (3).

5. An explicitly inclusive definition of ‘personal information’.

PIPEDA defines personal information broadly as “information about an identifiable person.”[9] Personal information can refer to any number of variables. There have been recent controversies about whether data derived from the communication (e.g. transaction data, traffic data, userIDs or metadata more generally) or certain numbers associated with personal devices (e.g. IP addresses, IMSI/IMEI numbers, or MAC addresses),[10] that are enduringly associable with an individual should be regarded as ‘personal information’; e.g. the Office of the Privacy Commissioner of Canada has found that “An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.”[11] This criterion evaluates whether a carrier has given an explicitly inclusive definition of ‘personal information’ in line with such best privacy practice.

Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.

Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.

No Star: The carrier gives no definition of ‘personal information’.

6. The normal retention periods for personal information

Companies hold on to users’ personal information, including internet usage, phone calls, and GPS locations for varying lengths of time. How long they do so is a clear privacy issue and something that consumers should know. The longer personal information is kept, the more likely it is that the personal information will be exposed to misuse or disclosure.

Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.

Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.

No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance,

“[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.”[12]

7. Transparency about where personal information is stored and/or processed

The physical location of servers and data storage facilities is important. Data stored or processed in different jurisdictions will be subject to the associated legal regimes regardless of where the data originated or the nationality of the data subject. For instance, Canadian data stored in the United States loses the protection afforded by the Canadian Charter of Rights and Freedoms, as well as PIPEDA, and becomes subject to the USA PATRIOT Act and other surveillance authorizations.[13] In fact, Canadian data is considered under those legal authorizations to be ‘foreign’ to the U.S. and therefore afforded significantly reduced (little or no) safeguards compared to American data. Furthermore data storage outsourced to foreign-owned hosting services, even if physically located inside Canada, is similarly subject to foreign jurisdiction. In light of the privacy risks from the exposure of Canadians’ data to foreign jurisdictions, the Office of the Privacy Commissioner found in 2008 that:

38. [O]rganizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country’s government or agencies.[14]

This criterion therefore evaluates whether a carrier has provided a sufficiently clear and explicit indication of possible exposure of personal information to foreign jurisdictions and what additional risks of disclosure this may entail.

Full Star: The carrier clearly indicates the storage and/or processing locations of users’ data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.

Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.

No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.

8. Transparency about where personal information is routed.

Many mobile phone subscribers use the internet on their devices. This criterion evaluates a carrier on the basis of whether or not it has indicated the relevant geographic locations or jurisdictions for routing of personal information. Data routing, as the particular form of information processing concerned with the switching of data packets among possible routes across the internet, affects legal privacy protection much the way that data storage location does, but has hitherto received comparatively little public attention. A serious concern for Canadians is that a significant proportion (~25%) of their domestic communications (i.e. communicating with other Canadian persons or services) is routed through the United States (aka “boomerang routing”) and hence is subject to NSA surveillance.[15][16] Furthermore, nearly all internet communication between Canada and third countries also passes through the U.S. or is handled by U.S. carriers, which similarly exposes it to mass suspicionless surveillance by the NSA and other state agencies.

Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries are subject to U.S. jurisdiction.

Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.

No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.

9. Domestic Canadian routing when possible

This criterion evaluates whether the carrier has taken reasonable, publicly visible steps to maintain Canadian routing for domestic internet traffic. Given the additional privacy and surveillance risks facing Canadians [...] data within Canadian jurisdiction when possible.[17] One good way is for carriers to make contracts for the handling of their domestic traffic only with Canadian internet transit providers that they can connect with in Canada and that maintain a similar policy of domestic routing when possible. Another, more publicly visible way for carriers to help ensure all-Canadian routing is to exchange traffic or ‘peer’ openly at Canadian public internet exchange points (IXPs), such as TorIX (Toronto Internet Exchange) and OttIX (Ottawa Internet Exchange) and other more recently established ones in Calgary, Winnipeg, Montreal and Halifax.

Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.

Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in their operating regions will earn a half star.

No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.

10. Open advocacy for user privacy rights.

This criterion is evaluated on the basis of whether or not the carrier has made clear on its privacy pages its recent (in the last five years) political, legal and/or legislative positions regarding support for user privacy rights. A carrier can demonstrate its pro-privacy position in any of the following areas:

• Public debates over mass state surveillance;

• Privacy or surveillance related legislative initiatives (e.g. the current Bill C-13 on lawful access);

• Defending user privacy rights in court; or

• Ties to advocacy organizations or initiatives promoting user privacy rights.

Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights in at least one of the areas itemized above.

Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in their privacy pages.

No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.

NOTES

[1] available at: http://ixmaps.ca/transparency.php

[2] https://citizenlab.org/

[3] http://cilp.law.utoronto.ca/

[4] https://www.eff.org/who-has-your-back-2014

[5] Provincial laws that have been deemed substantially equivalent are British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector. https://www.priv.gc.ca/leg_c/legislation/ss_index_e.asp The European Data Protection (1995) has also been deemed substantially equivalent.

[6] https://www.priv.gc.ca/leg_c/leg_c_p_e.asp

[7] PIPEDA, Principle 9 – Individual Access https://www.priv.gc.ca/leg_c/p_principle_e.asp

[8] Paul McLeod, “Ottawa has been spying on you: Telecom firms handing over data without warrants,” Chronicle Herald, March 26, 2014. http://thechronicleherald.ca/novascotia/1195828-ottawa-has-been-spying-on-you. This common practice may change in light of the Supreme Court of Canada finding unanimously in R. v. Spencer, 2014 SCC 43, that PIPEDA prevents ISPs from disclosing customer information without ‘lawful authority’, which at least in the context of law enforcement agency access to identification information, means a judicial warrant. The recently passed Bill C-13, Protecting Canadians from Online Crime Act, introduced new “lawful access” provisions facilitating such disclosure, but these appear to be at odds with Spencer and may not be constitutional.

[9] Ibid.

[10] Internet Protocol (“IP”); International Mobile Subscriber Identity (“IMSI”); International Mobile Station Equipment Identity (“IMEI”); Medium Access Control (“MAC”)

[11] https://www.priv.gc.ca/leg_c/interpretations_02_e.asp#_ftn52 See also: Parsons, Christopher, “The Anatomy of Lawful Access Phone Records”, posted to the “Technology, Thoughts and Trinkets” blog on 21 November 2011. https://www.christopher-parsons.com/the-anatomy-of-lawful-access-phone-records/

[12] This is taken from Bell Canada’s privacy policy, and echoes PIPEDA. Several Canadian companies go no further than this.

[13] Notably the Foreign Intelligence Surveillance Act Amendments Act (2008), esp. Sec. 702, and Executive Order EO12333 (198X)

[14] https://cippic.ca/sites/default/files/OPC_Findings-canada.com.pdf

[15] See Clement 2013. “IXmaps – Tracking your personal data through the NSA’s warrantless wiretapping sites” IEEE – ISTAS conference, Toronto, June 26-27, 2013 https://www.dropbox.com/s/9y4xtavova2qtj4/ISTAS13%20paper%2026%20IXmaps%20%E2%80%93%20Tracking%20May%2022.pdf Clement 2014. “Canada’s Bad Dream” World Policy Journal, Special issue on “Connectivity”, Fall 2014 http://www.worldpolicy.org/journal/fall2014/canada%27s-bad-dream

[16] Given that the Communication Security Establishment Canada (CSEC), a close signals intelligence partner of the NSA, likely conducts similar forms of internet interception, keeping data exclusively in Canada does not avoid mass state surveillance, but since data that remains within Canadian jurisdiction enjoys Constitutional protection, exposure to U.S. agencies adds a significant privacy risk.

[17] There are also good economic reasons for keeping Canadian data within Canada, as the Canadian Internet Registration Authority (CIRA) makes clear in its report with the Packet Clearing House: Toward Efficiencies in Canadian Internet Traffic Exchange, by Bill Woodcock & Benjamin Edelman, Sept. 2012.