The sample of 44 carriers involved in the routing of Canadian internet traffic was determined based on their prevalence in the IXmaps.ca traceroute database for the 2014 report. Most carriers are the same as in the 2014 analysis, with a few minor changes due to acquisitions, mergers and so forth. The sample includes 14 transit providers that are involved in the routing of traffic across the internet ‘backbone’, often via boomerang routes through the United States. 6

Stars were assigned after careful review of the privacy materials present in the privacy section of each carrier’s corporate website as of January 2018. Materials not linked to a privacy section were not evaluated, as it is assumed that privacy pages are the first, and perhaps only, location users interested in privacy will access. 5

In response to these concerns, and in keeping with the principles of transparency and accountability that are fundamental to privacy law in Canada, this third report assesses the data privacy transparency of 44 major, minor and transit carriers that route Canadian internet traffic. Consistent with the previous reports, carriers are assigned full, half or zero ‘stars’ based on ten criteria:

What is clear is that the public trustee function that telecommunication providers operating in the public interest used to fulfill is more vital than ever. As privacy scholars and advocates call for information fiduciary and data trust models, Canadians should expect leadership from their internet carriers, especially the majors.

This report is being released at a time when governments and industries throughout the world struggle to improve online consent processes. Research suggests that users commonly ignore consent opportunities, in part, because they struggle with the mechanisms for consent facilitation which sometimes overwhelm with information, sometimes lack information, and sometimes encourage circumvention. 1 As consent is central to Canadian privacy law, solutions to the persistent challenge are needed. 2 As Commissioner Daniel Therrien advised Parliament in the Office of the Privacy Commissioner of Canada’s 2016-2017 recommendations, “(Canadians require) better information to empower them to exercise individual control and personal autonomy. […] Individuals must be at the centre of privacy protection”. 3

This is the third report assessing the extent to which carriers providing internet communications in Canada are forthcoming about their handling of personal information. Demand for data privacy transparency calls our trusted internet carriers to account, for details about the collection, management, retention, routing, disclosure and use of our data. To what extent do carriers collect and keep personal information? Is data routed and stored in the U.S.? When a company, security agency or political party requests access to data, do carriers oblige? When it comes to these and many other privacy concerns, do our internet carriers keep us in the know? Or in the dark?

Key Findings

While major concerns persist, there are clear signs that some carriers are moving toward greater transparency, providing more information about how they treat personal data. Table 1 emphasizes the bright spots, highlighting the scores of the 10 major carriers evaluated and the criteria that show the biggest improvements since the 2014 report.

The 2014 leader, TekSavvy, added an aggregate of 2 stars to achieve a score of 8/10, keeping it well ahead of all other major Canadian carriers. Shaw was the major carrier that showed the most improvement, more than doubling its score to 4.5. Cogeco and Videotron are others in this category whose scores rose considerably. Among the minor carriers, Acanac and its corporate owner Distributel stand out in both their scores and improvement from 2014.

In terms of the criteria, the most notable improvements were associated with criterion 5: providing an explicitly inclusive definition of personal information. Four major and four minor carriers now earn full stars on criterion 5, whereas no major/minor carrier earned a full star in 2014. Modest improvements suggest some carriers are being slightly more transparent about the location of data storage (criterion 7) and data routing (criterion 8). These improvements may be due to demand for information about data sharing with the United States and corresponding surveillance implications. All major carriers now provide some level of detail about the location of data storage. In 2014 no carrier mentioned where data under their control might be routed, but now three carriers do so.

Almost all major carriers score above the average. The average across the 10 majors was 4.2/10 stars, an increase from 3.5/10 in 2014.

Bell remains the only major carrier to score below the 2.6/10 average with a score of 2.5 stars.

Bell receives no stars on the following criteria:

#2 — A public commitment to inform users of all third party data requests.

#3 — Transparency about frequency of third party data requests and disclosures.

#6 — The normal retention period for personal information.

#8 — Transparency about where personal information is routed.

#9 — Domestic Canadian routing where possible.

#10 — Open advocacy for user privacy rights.

While most major carriers in Canada are producing transparency reports, Bell Canada continues its refusal to release any details about law enforcement or third party requests or disclosures. In this respect, Bell demonstrates a disinterest in advocating for its customers’ privacy rights and in its efforts to help users achieve meaningful consent. The other major carriers that have yet to release a transparency report are Cogeco and Eastlink.

Minimum detail for minimum score: While many carriers earned half-stars in a variety of categories, this should not be interpreted as a widespread overhaul of data privacy transparency practice. Many carriers scored half stars for the addition of a sentence or two or a brief example.

No carrier earned a full star on the following criterion:

#8 — Transparency about where personal information is routed.

Only two carriers earned a full star on the following criteria:

#4 – Transparency about conditions for third party data disclosures.

#6 – The normal retention period for personal information.

#7 – Transparency about where personal information is stored and/or processed.

The ‘fighting brands’ of major mobile carriers, Chatr (Rogers), Fido (Rogers) and Koodo (Telus), all score below the average and are less transparent than their corporate owners.

Carriers continue to refuse to provide retention details. Despite growing calls for users to understand better how long carriers are keeping data, none of the major carriers, and few of the others, provide retention details, often noting that data will be kept as long as possible. This is frustrating, as some carriers do note that they maintain internal retention policies, but refuse to make these public.

Many carriers continue to lack explicit definitions of personal information. Despite some improvements in terms of the scores for this criterion, growing public concern about metadata, mobile data, surveillance data from in-store visits and set-top box data is not reflected in the definitions provided by most carriers. Notable is the score of zero stars for Chatr (Rogers), Fido (Rogers) and Fongo in this category.

No transit provider indicates explicit compliance with Canadian privacy law. Since the first of these reports completed in 2013, not a single transit provider has made reference to Canadian privacy law in its privacy materials. This is concerning because these behind-the-scenes internet carriers handle large quantities of intra-Canadian traffic.

Transit carriers generally score much lower than the retail carriers and typically expose personal data to mass state surveillance by the NSA. All transit carriers (except for AT&T) score lower than the average. The following carriers earned a score of 0/10: Allstream, Cogent, Hurricane, Level 3, TeliaSonera and Zayo. This is concerning because when outside Canada, or handled by carriers subject to US or other jurisdictions, Canadian data enjoys no effective legal protection, and certainly much less than when within Canadian jurisdiction. 7

Given the lack of equivalent privacy protection between Canada and the US, and the reliance on US transit providers or US routing for Canadian domestic internet traffic (aka ‘boomerang’ routing), it appears that many Canadian internet carriers are in violation of their legal responsibilities under PIPEDA.

Overall, carriers continue to fail in their role as public trustees and as advocates for user privacy. As government officials and privacy advocates call for new ideas and new mechanisms for protecting privacy, reputation and security, last-mile carriers, who deal with users face-to-face and/or online every month, must do far more. Transit providers, too, must help ensure users understand the processes and implications of going online. The consent challenges that persist epitomize current lackluster efforts. We cannot expect that content and platform providers will be the only entities helping to educate and engage users. Internet carriers must do far more to fulfill the public interest mandates tied to longstanding expectations about the benefits of spectrum allocation, and certainly the legal responsibilities determined by current privacy law.