Is your internet provider handing your personal information to U.S. and Canadian authorities or companies without your knowledge?
A new report looks at the stated privacy practices of 43 Canadian internet service providers and finds that most of them tell very little about what they do with your information.
In fact, "it appears that many Canadian internet carriers are in violation of their legal responsibilities" under Canadian privacy law, says the report entitled "Keeping Internet Users in the Know or in the Dark" released today by Toronto-area researchers.
The study was conducted by information policy researchers Andrew Clement at the University of Toronto and Jonathan Obar at the University of Ontario Institute of Technology, in collaboration with the Centre for Innovation Law and Policy.
It looks at the information provided publicly by internet service providers in Canada about how they protect customers' privacy and ranked them based on 10 criteria, including whether:
- They inform customers when third parties request their personal information.
- They tell customers the circumstances under which they agree to those requests and provide customers' information to third parties.
- They tell customers where their personal information is stored and processed.
- They try to avoid routing customers' personal information outside Canada, where it could be intercepted by U.S. authorities, for example.
"Generally speaking, most carriers in Canada … score quite poorly in terms of privacy transparency — an average of two out of 10 stars, which is fairly low," said Obar, an assistant professor in the Faculty of Social Sciences and Humanities at UOIT in an interview with CBC News.
Among the retail ISPs that most Canadians buy their internet service from directly, the top scorer was Teksavvy, with six stars, followed by Telus with five. Rogers and Bell had middling scores of 4 and 3 respectively, while Shaw and Videotron were at the bottom, with 2 stars each.
Many smaller ISPs scored even lower — Acanac received 0 stars and Storm Internet got just half a star.
"We hope that consumers will use the star table to determine which carriers are trustworthy," Obar said.
The researchers also hope the report will:
- Push carriers to be more transparent.
- Encourage the government to strengthen Canadian privacy laws.
ISPs' lack of transparency about their privacy protection is a problem, Obar said, because it makes it very hard for Canadians to know who might be handing over their data to organizations such as the U.S. National Security Agency or Canadian government agencies and take steps to protect their privacy.
A recent poll commissioned by the Office of the Privacy Commissioner of Canada shows that Canadians are increasingly concerned about their privacy, especially how personal information about them that ends up online might be used in government surveillance.
The poll found most respondents are not comfortable with government departments and agencies requesting personal information from telecommunications companies without a warrant. Last year, the interim privacy commissioner showed that nine telecommunications companies received over a million requests from government departments and agencies for data about their customers.
However, the study found that no Canadian carrier has publicly committed to inform customers of all third-party data requests.
Meanwhile, many Canadian internet providers that we buy our services from route their traffic outside the country via non-Canadian internet providers called transit carriers. That means the data will "enjoy no effective legal protection" and the routing will "typically expose personal data to mass surveillance by the NSA," the report says. The extensive surveillance activities of the U.S. spy agency have been publicized by whistleblower Edward Snowden,
Some Canadian internet providers have also received requests from companies to provide information about customers who may have downloaded movies illegally.
The report found that not a single carrier was completely transparent about where customers' personal information is routed and what foreign jurisdiction they would be under.
"Because they don't explain to Canadians potentially what is happening with their data, such as where it's going, it requires us to guess if there's potentially a problem or what the potential problem might be," said Obar.
By relying on U.S. transit providers or routing Canadian internet traffic via the U.S., the report says, carriers also are in violation of their responsibilities under Personal Information Protection and Electronic Documents Act, the law that governs how businesses must handle personal information, since the U.S. has no equivalent law.
The report makes a number of recommendations to carriers for improvement, such as making public commitments to comply with Canadian privacy law and to inform users when a third party has requested their data.
It also has some recommendations for government regulators, such as better oversight of carriers to make sure they're complying with privacy laws.
The report is an expanded version of a study that looked at 20 Canadian carriers last year. It's modelled after a similar one on U.S. internet carriers that has been released annually since 2007 by the Electronic Frontier Foundation, a group that advocates for the rights of internet users. That annual report has led to improvements in privacy transparency, Obar said.
"What we're hoping to do is similar."
The research for the report was part of a project called IXmaps.ca that is looking at how internet data is routed around the internet. It was supported by the Office of the Privacy Commissioner of Canada and funded by the Social Sciences and Humanities Research Council and Canadian internet Registration Authority.