Monday February 12, 2018

Telcos demand hefty fees for personal data that should be free, says Citizen Lab report

How to request your personal data using Canadian Law 25:02

Listen 14:26

By Craig Desson

Dating apps, fitness trackers and telecom companies are inconsistent in how they answer consumer requests for their personal data, according to a new report from the University of Toronto.

"You can't be exactly sure what you're going to get," said Andrew Hilts, the report's author and a research fellow at The Citizen Lab, a U of T research lab that studies technology and human rights. 

The report, titled Approaching Access, tracked consumers who requested their personal information from companies like OKCupid, Tinder, FitBit and Rogers, using an online tool called Access My Info, which Hilts helped create.  

"Every organization that does business in Canada is bound by Canadian consumer privacy law to responded to access to personal information," Hilts told Spark host Nora Young.

The online tool makes it easy to ask for several kinds of personal data from 40 different companies and government agencies. The requests can include: 

  • Data collected by the cellphone company about a person's location at different times;
  • Copies of every text message;
  • What a dating app thinks a person's sexual preference is;
  • Whether data has been sent to a government agency;

The study tracked 24 requests, drawn from 6,000 customers, made through The Access My Info tool between 2014 and 2016. The tool generated a lot of requests.

"We have heard anecdotes from people who worked inside telcos that at the time, they had never experienced anything like that," Hilts said.

Hefty fees for phone call, texting records

The tool let consumers request their data from all the major telecommunication companies: Fido, Koodo, NorthwestTel, Primus, Rogers, TekSavvy, Bell, Shaw and WIND (now called Freedom).

The report found that most companies gave different answers from each other for the same types of requests, such as the type of location information recorded about a customer.

Fido and its parent company Rogers, as well as Bell, said they only retain data about a person's location when a call was placed or a text message was sent or received. Wind and Koodo said they collected this information when there was a 911 call or when a government agency like the police asked that a person be tracked using the phone's GPS. 

citizen-lab-documents

Customers of telecom companies like Rogers and Bell received documents like these when they requested their personal data. (Citizen Lab)

Hilts found that companies would at first respond to a request from The Access My Info tool by sending records of customer service logs. They would then suggest the customer look up the rest of the information online.

"They'll say, 'You can get a lot of this from your customer portal.' But our issue with that response is you can't see all the data," Hilts said.

Customers who pushed for more detailed information, such as call log information or location data, were almost all asked to pay a fee.

A Rogers' customer who followed up was asked to pay $100 plus tax for one month of call and text message records like what time they were sent, and another $100 plus tax for a month of details about what cell tower a phone connected to. Shaw asked for $250 for a year's worth of data about what IP addresses were assigned to their home modem.  Bell said they would provide an estimate if the person making the request provided a time period. But the survey participant never followed up. 

According to the federal Privacy Commissioner, Canadian privacy law says consumers shouldn't pay more then a small fee for their data. However, there's no maximum price listed in the law. 

Hilts thinks there shouldn't be any fees.

"I think any request for a payment acts as a barrier to access, because what we've seen from people who've requested their data is any sort of roadblock they encounter can serve to discourage them," he said.  

citizen-lab-customerservice-logs

An example of a response sent from Rogers and Bell of customer service logs. (Citizen Lab)

When asked about these fees, Shaw told CBC in a statement that "most personal information access requests and call detail requests that fall within a one-year time span are typically processed without charge. We charge a reasonable fee in situations where information access requests require significant internal resources to process."

A Rogers spokesperson said, "While we do not charge fees for the vast majority of requests from our customers, we do charge a fee to help cover our costs in some cases like complicated requests that involve manual work for our teams to pull information that is not readily available."   

The spokesperson also said that Rogers does not keep a record of the contents of people's text messages or customers' browsing history. 

Does Canadian law apply to U.S. dating apps?

The study also looked at responses for personal data from the popular dating apps such as Tindr, Bumble and OKCupid. Many of the companies, all of which are based in the U.S., questioned whether Canadian law applied to them.

OkCupid and Tinder (both owned by parent company Match Group) responded that they are "a U.S. company and the Personal Information Protection and Electronic Documents Act (PIPEDA) is Canadian."

citizen-lab-heat-map

Citizen Lab made a heat map, using cell tower location data, that showed where a survey participant worked (red circle) and lived (dark blue circle).

David Fraser, a privacy lawyer based in Halifax, said Canadian law likely applies to these U.S. companies if they operate in Canada: "The courts have been clear recently in saying that if you are doing business with Canadians online, you're effectively doing business in Canada."

He pointed to a recent case, where the B.C. Court of Appeal said it had the power to force online selling site Craigslist to provide user information to the RCMP. The court said, in its ruling, "in the internet era it is formalistic and artificial to draw a distinction between physical and virtual presence."

"Canadian regulators will not shy away from enforcing Canadian law against non-Canadians," said Fraser.

citizen-lab-okcupid

The report says one survey participant discovered that OKCupid had photos they had deleted a year ago. (Citizen Lab)

Hilts hopes his research will shed light on how privacy law works in Canada.

"We're putting Canadian law to the test to see what it means when the rubber hits the road," he said.

But he also thinks we need to better understand how this data is being used.

"Are the decisions being made through these inscrutable algorithms fair?" he asked.

The next step for Hilts is to look into expanding his tool into new industries like banking and insurance.