This is the Koodo report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology). The Keeping Internet Users In the Know or In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document.
These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview.
This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview.
Notes:
1. A public commitment to PIPEDA compliance
Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.
Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.
No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.
Score: No Star
Explanation:
Provisions: “Koodo will use appropriate safeguards to protect your personal information, strive to keep it up to date and respond to your requests for access. Personal information collected by Koodo may be stored and processed in Canada or another country. In either case, the information is protected with appropriate security safeguards, but may be available to government agencies under applicable law.” – Koodo Privacy Commitment (“How does Koodo protect my privacy?”).
2. A public commitment to inform users of all third party data requests
Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.
Half Star: A carrier does not indicate that it will notify users when it receives requests, however it indicates that users may send an inquiry in order to acquire such information.*
*Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.
No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.
Score: No Star
Explanation:
Provisions: None
For provisions related to when Koodo may disclose personal information, see Criterion #4 (Transparency about conditions for third party data disclosures).
3. Transparency about frequency of third party requests and disclosures
Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
Half Star: The carrier has published SOME information but leaves many important statistics out.
No Star: The carrier has published no information relating to these types of statistics.
Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: No Star
Explanation:
Provisions: None
4. Transparency about conditions for third party data disclosures
Full Star:
(1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties.
(2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required).
(3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.
Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.*
*Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.
No Star: The carrier fails to indicate any of (1), (2), or (3).
Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion.
Score: Half Star
Explanation:
Provisions: The Koodo Privacy Commitment contains provisions pertaining to whom and in what circumstances personal information will be disclosed without a user’s consent. As the full provision is long, the exact text is in Appendix A below. However, to paraphrase, it indicates Koodo will only disclose personal information without consent to:
– Koodo Privacy Commitment (“How does Koodo protect my privacy?”).
The Koodo Service Terms have a similar provision, relating to disclosure of information “other than [user] name and address”. In the Koodo Service Terms, however, there is the addition of disclosure to “[a] law enforcement agency if Koodo reasonably believes that you or anyone using your device is engaged in fraudulent or unlawful activities against Koodo.” The absence of this circumstance from the Koodo Privacy Commitment list calls into question whether that list is a truly exhaustive list of circumstances where disclosure can occur without consent. Note that the Koodo Service Terms are not formally included in Koodo’s evaluation, and in any event would not have changed Koodo’s score on this criterion. Still, this discrepancy should be noted.
See “Explanation” above for details. The full text of both the Koodo Service Terms and Koodo Privacy Commitment provisions is in Appendix A at the end of this document.
“What Koodo won’t do with my personal information
Koodo will not collect, use or disclose your personal information for any purpose other than those identified above or in your Customer Service Agreement or our Service Terms, except with your consent. For greater clarity, unless you provide express consent Koodo will not:
– Koodo Privacy Commitment.
5. An explicitly inclusive definition of ‘personal information’
Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.
Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.
No Star: The carrier gives no definition of ‘personal information’.
Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here.
Score: No Star
Explanation:
Provisions: None
6. The normal retention periods for personal information
Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.
Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.
No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.)
Score: No Star
Explanation:
Provisions: None
7. Transparency about where personal information is stored and/or processed
Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.
Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.
No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.
Score: Half Star
Explanation:
Provisions: “Personal information collected by Koodo may be stored and processed in Canada or another country. In either case, the information is protected with appropriate security safeguards, but may be available to government agencies under applicable law.” – Koodo Privacy Commitment (“How does Koodo protect my privacy?”).
“You acknowledge that while roaming outside Canada the storage, treatment and transfer of your personal information and data may be subject to regulation different from the regulation in Canada.” – Koodo Service Terms (“Your Privacy: What limitations apply to any claim made against Koodo?”). (Note that the Koodo Service Terms are not formally included in Koodo’s evaluation, and in any event would not have changed Koodo’s score on this criterion.)
8. Transparency about where personal information is routed
Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries is subject to U.S. jurisdiction.
Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.
No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.
Score: No Star
Explanation:
Provisions: None
9. Domestic Canadian routing when possible
Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.
Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.
No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.
Note: Due to minor changes in wording during the evaluation process, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: No Star
Explanation:
Provisions: None
For an explanation of IXPs and open and conditional peering, see the project overview.
10. Open advocacy for user privacy rights
Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.
No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.
Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application.
Score: No Star
Explanation:
Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
Koodo “privacy” (January 23, 2015).
Koodo privacy (January 25, 2015).
Koodo transparency (January 25, 2015).
Koodo “Personal information” (January 23, 2015).
Koodo “customer information” (January 25, 2015).
Koodo “subscriber information” (January 25, 2015).
Koodo disclosure (January 25, 2015).
Koodo “user privacy” (January 23, 2015).
Koodo “Bill C-13” (January 25, 2015).
Koodo “lawful access” (January 25, 2015).
Koodo “Customers’ privacy” (January 23, 2015).
Koodo “personal information” (January 25, 2015).
Koodo “warrant” (January 25, 2015).
Koodo “legal authority” (January 25, 2015).
Searches used in seeking case law where Koodo defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
Westlaw Canada:
Quicklaw:
CanLii:
Appendix A: Provisions related to Transparency about conditions for third party data disclosures (Criterion #4)
“…Koodo will not disclose any personal information without your express consent, other than in the following circumstances, to:
– Koodo Privacy Commitment (“How does Koodo protect my privacy?”).
Note: Comparison with other carriers’ materials and with a similar provision in the Koodo Service Terms (below) leads us to believe this Koodo Privacy Commitment provision is intended to say that Koodo will not disclose personal information without consent except to these listed people/entities in these circumstances. It is important, however, to note that this is not what the provision literally says. Due to the comma after “circumstances” in the introductory paragraph before the list, the provision literally says that Koodo will not disclose personal information without consent to these listed people/entities, except in the circumstances listed – which means the provision, as written, does not address when personal information would be disclosed without consent to people/entities not listed here. In addition, it should be noted that despite this language indicating the list in the Koodo Privacy Commitment is a complete list of when Koodo will disclose information without consent, this may not be the case:
“All information that Koodo keeps with respect to you and your service, other than your name and address, is confidential. Unless you provide your express consent or unless disclosure is required under the law, your information may not be disclosed by Koodo to anyone, other than:
By “express consent”, we mean:
– Koodo Service Terms (“Your Privacy: What limitations apply to any claim made against Koodo?”). (Note that these Terms and this provision were not formally a part of Koodo’s evaluation.)
Appendix B: TELUS Statements Regarding Applicability of TELUS Policies to Koodo
Note: Part of the evaluation was how transparent privacy practices are to a carrier’s users. Therefore, despite the below provisions, Koodo received no credit for provisions and statements in TELUS privacy materials, since Koodo did not indicate in its privacy materials that Koodo users should consult TELUS’ materials. Koodo users would therefore not know to consult TELUS’ materials for information relevant to them.
“What’s new? We have updated the language in our Privacy Commitment to make it more clear and simple. We have not changed any of our TELUS privacy practices, expanded the ways that we use or disclose your personal information, or lessened any safeguards. Also, our Privacy Commitment continues to extend across our brands¹, as it always has.”
¹Including TELUS Mobility, TELUS Quebec, Koodo, Black’s and PC Mobile, but excluding TELUS Health”
– About TELUS’ Privacy Commitment (last consulted January 25, 2015).
“¹In this Privacy Commitment, the words “we” or “TELUS” refer to TELUS Corporation and its subsidiary companies, as they may exist from time to time, including those subsidiaries or divisions that carry on business under the names TELUS, TELUS Communications Company, TELUS Mobility, TELUS Quebec, Koodo, Black’s and PC Mobile, but not including TELUS Health. The words “we” and “TELUS” do not include independent dealers and distributors of TELUS products and services.”
– TELUS’ Privacy Commitment to You (Endnote 1) (last consulted January 25, 2015).
“TELUS – TELUS Corporation and its subsidiary companies, as they may exist from time to time. These include, without limitation, the subsidiaries or divisions which carry on business under the following names: TELUS, TELUS Communications Company, TELUS Mobility, TELUS Québec, Koodo, Black’s and PC Mobile, but not including TELUS Health. “TELUS” does not include independent dealers and distributors of TELUS products and services.”
– TELUS Privacy Code (“Definitions”) (last consulted January 25, 2015).
Appendix C: Sources
Koodo Privacy Commitment
Note: Koodo does not appear to have a news or press release archive on its website. The working group reviewed TELUS’ press release archive on the TELUS website back to 2009: http://about.telus.com/community/english/news_centre/news_releases (Last consulted January 25, 2015). Had relevant Koodo press releases been found in that archive, or had statements clearly related to Koodo and its practices and position on privacy been found in TELUS' releases, this might have affected Koodo's score on criterion #10. However, as no such releases or statements were found, the point did not arise.
[1] Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.....