Fundacion Karisma—the leading Colombian digital rights organization—has published the 2016 ¿Dónde están mis datos? report, which evaluates how well Colombian telecommunications companies protect their customers’ privacy.

Karisma’s second annual report examines publicly-available policies on government surveillance transparency, data protection, privacy, and free expression from five of the biggest telecommunications companies: Claro, Tigo-UNE, Telefónica-Movistar, ETB (Empresa de Telecomunicaciones de Bogotá), and DirecTV.

The report shows that Colombian telecommunication companies have not yet stepped up to meet tech industry best practices related to privacy and transparency reporting. Nonetheless, two key members of Colombia’s telecommunications industry—ETB and Telefónica-Movistar—have improved their practices, with ETB leading the way.

ETB not only attained the best result of the companies evaluated, but also made the biggest improvements in practices compared to 2015. We applaud ETB’s commitments and urge the company to adopt all the recommended standards next year. However, all the companies still have a long way to go, and the other companies risk being left behind.

Telefónica-Movistar has also made positive changes, and Telefónica-Movistar and DirecTV are now tied for second place in this year’s report. Two major telecom companies—Claro and UNE—received especially poor results, lagging behind the industry in protection of their customers.

The Context

Nations emerging from long-term conflicts have an important opportunity to examine their commitments to human rights. As Colombia grapples with its path toward ending a decades-long civil war and insurgency, it faces questions on many levels about its future and the institutional and social tolls the conflicts have taken. At the same time, Edward Snowden’s disclosures have illustrated the ways that technology companies can be on the front lines when it comes to defending users’ data and privacy: sometimes protecting these rights, sometimes utterly failing to do so.

While Colombia’s digital world continues to advance with 21st century technologies, the country’s privacy law has not kept pace. Colombia’s intelligence and criminal laws do not compel the state to report on the number of surveillance requests it makes each year. Companies are not legally obligated to notify their users of decisions authorizing communications surveillance. Colombia does have data protection laws that compel companies to publish their privacy policies, but these privacy policies are often vague and opaque.

That’s why, in response to Colombia’s loose electronic privacy laws and lack of accountability measures, Fundacion Karisma and EFF have turned to Colombian telecommunication companies to encourage them to voluntarily enact the strongest possible policies to protect their user’s rights.

Karisma’s report ranked the companies’ policies and practices against a set of criteria, and awarded batteries to companies for each category they successfully fulfilled. A full battery indicates that the telecommunications company met the criterion, while a half battery indicates that only a portion of the criterion was met. In some cases, a quarter battery was awarded to companies that are working towards better policies, but aren’t quite there yet. Empty batteries indicate that there was no information available to determine whether the company had fulfilled the criterion, or the information that was available was not sufficient.

1. On Transparency

Karisma asked the companies to provide regular transparency reports that include at least aggregate information on the specific number of requests approved and rejected, a summary of the requests by service provider and by investigation authority, type, and purpose, and the specific number of individuals affected by each.

None of the companies fully met this standard. Most of the industry, Karisma noted, associate transparency primarily with economic and financial reporting for anti-corruption purposes. “It is only in this context that companies published transparency reports,” Karisma said.

As a result, the general public has little insight into how often the government is pressuring telecommunication companies for access to user data. This is a serious concern: one way to allow surveillance without due process to grow worse is to allow it to happen entirely in secret. Publicizing reports of law enforcement access requests can help illuminate patterns of overzealous policing, shine a light on efforts by companies to resist overbroad requests, and perhaps give pause to law enforcement officials who might otherwise seek to grab more user data than they need for an investigation. We hope that next year’s ¿Dónde están mis datos? will show a trend in the Colombian telecom industry toward publishing surveillance transparency reports.

Despite that, ETB obtained a quarter of a credit for publishing centralized information about the process for wiretapping, for blocking of content, and its law enforcement guidelines for data requests. This is a positive first step. We hope that next year ETB will also reveal how many requests it received from authorities.

DirecTV, a subsidiary of the US company AT&T, should follow the example of its parent company, which published both law enforcement guidelines and transparency reports at home in the United States.

2. On Data Protection

Karisma awarded a battery to companies for publishing their privacy policy in a clear and accessible way.

As in 2015, DirecTV was the only company given a full battery for its privacy policy. Unfortunately, ¿Dónde están mis datos? showed that DirecTV’s practice is the exception to the rule—most ISPs’ privacy policies are difficult for users to find and vague on specifics. In particular, Karisma’s report showed that Claro’s privacy policy is not only hard to find but difficult to search; it lacks accessibility features to let customers to find or search for specific information quickly.

3. On User Notification

Karisma asked companies to adopt the technology industry best practice of notifying their customers about any government request for information (when allowed by law). However, Karisma found that the Colombian telecommunication companies haven’t caught up with the rest of the industry. All ISPs should recognize the central role they play in defending the privacy of those who contract for their services, and prioritize protecting users.

While DirecTV does not specifically discuss its legal obligation to provide personal data in response to a government data request, nor give details of the procedure used when this happens, its privacy policy made clear that it will notify those who contract its services if DirecTV hands over its customers’ data. At the other end of the spectrum, UNE’s policy is totally silent about this standard.

4. Privacy - On government data retention practices

Karisma evaluated two important disclosures to users: whether the company disclosed that the company is compelled by law to retain its customers’ data, and that it is obliged to comply with a prosecutor’s legitimate requests to access content, subscriber and metadata in the context of a criminal investigation.

Telefónica-Movistar is the only company which discloses data retention policies to its customers. However, its privacy policy itself is not especially privacy-protective. Fundación Karisma noted that Telefónica-Movistar Colombia databases have an “indefinite validity,” an admission of poor data collection practices. Karisma then contrasted those policies with those of Telefonica’s parent company, finding that Telefonica headquarters has better privacy policies than its Colombian subsidiary. The parent firm specified that it retained the data only for the required time established by law or to achieve a legitimate business aim, and that it is willing to respond to data protection requests that oppose the processing of personal data that is not necessary for the purpose of the service.

ETB is the only company that discloses its obligation to comply with a prosecutor’s legitimate requests. ETB disclosed this on its new central Transparency and Access to Information page, which discusses the procedures for legal interception and government data requests in Colombia. By contrast, Telefónica-Movistar and Tigo-UNE do not mention at all who can request information and what information can be requested according to law. For their part, Claro and DirecTV indicate quite broadly that they can share information with public or administrative authorities in the exercise of their legal functions or by court order. This is concerning, since the legal norms in Colombia are much more specific about who can ask for information and what information can be requested.

5. Freedom of Expression - On transparency regarding ISPs’ blocking or removing content

In this category, Karisma evaluated the industry’s transparency regarding their processes for filtering, taking down, or blocking content, and canceling and suspending internet service.

Karisma saw improvement from Telefónica-Movistar and ETB compared to their practices in 2015. Those companies now have codes of conduct that provide certain guidelines regarding the behaviors that are allowed by the ISPs, so that users can understand how to avoid sanctions. Karisma’s evaluation only assesses whether these practices are adequately codified publicly disclosed; here, it does not examine if those practices are good or bad.

We recognize that shifts in industry can take time. It took several years before EFF saw widespread changes in tech giants’ policies in response to EFF’s annual Who Has Your Back report. We hope that next year’s Karisma’s ¿Dónde están mis datos? report will find more of these companies adopting these best practices and standing by their users.