As Canadians debate numerous items of legislation that could affect their privacy rights — from the new anti-terrorism bill to the Digital Privacy Act — a new study has ranked how well Canada’s telecoms are doing on protecting their subscribers’ personal info.
The independent Ontario-based telco TekSavvy came out on top in the study, which was released Thursday, with Telus ranking as the second-best telco for privacy.
It found that among the worst telecoms for privacy are the small wireless carriers (Wind, Mobilicity) and the big telcos’ “flanker brands,” like Koodo (Telus), Fido (Rogers) and Virgin Mobile (Bell).
While TekSavvy came out on top, it still garnered only six of 10 possible stars in the study’s “star chart” (see below). That’s a sign that “Canadian Internet providers are still falling short when it comes to being transparent about how they protect their customers’ privacy,” the study authors said in a statement.
Story continues below
Prof. Andrew Clement of the University of Toronto’s Faculty of Information and Dr. Jonathan Obar of the University of Ontario Institute of Technology compiled the study with the help of nine law students. They ranked 43 telcos operating in Canada on 10 criteria, including how transparent they are about susbscriber information requests, informing subscribers when a request for their data has been made, and openly advocating for user privacy rights.
Only two telcos — Rogers and Telus — were recognized for advocating for privacy rights, while TekSavvy was given partial credit (a half star).
“Every day millions of Canadians entrust their ISP or mobile carrier with enormous quantities of sensitive, personal information,” Clement said in a statement.
“Against a backdrop of worrying revelations of mass surveillance, it’s more important than ever that ISPs be forthcoming about how they safeguard our personal information. ISPs can play a leadership role in working for strong data privacy protection — but as our report shows, there is still lots of room for improvement.”
Particularly worrying for the researchers is the fact that numerous non-Canadian telcos are responsible for routing Canadian internet traffic, and they don’t appear to be mindful of Canadian privacy laws.
Internet privacy experts point out that a lot of Canadian internet traffic is routed through the United States, meaning Canadians’ personal data is likely being caught up in the NSA’s dragnet.
Companies such as AT&T, Comcast, Sprint and Verizon have shown no commitment to Canada’s PIPEDA law, the principal law guiding the sharing of online subscriber data, the study said.
Only one of those companies — AT&T — was given any credit for advocating for privacy rights.
The study recommends tighter enforcement of privacy rules by the CRTC, and urges telcos not to route traffic through the U.S. if possible.
It also recommends that telcos begin issuing regular transparency reports that collect data on how many subscriber info requests the company got, and how many it complied with.
Some Canadian telcos are already doing this. Rogers, TekSavvy and Telus last year became the first telcos to issue transparency reports.
But while telecoms have scrambled to understand how the Supreme Court’s warrant requirement changes their obligations, the Harper government has largely ignored it, moving ahead with legislation that would allow warrantless data handovers in some circumstances.
Bill S-4, the Digital Privacy Act, has been criticized for weakening privacy protections by allowing telecoms to share subscriber data, without a warrant, with private companies investigating internet users.
The Tory-dominated Senate passed the bill last year, shortly after the Supreme Court ruling requiring warrants, and the bill is now being debated in the House of Commons.
The Tories' anti-cyberbullying bill, passed by the House last year, includes immunity for telecoms that hand over subscriber data without a warrant. Critics said the Supreme Court ruling effectively nixed that immunity even before the law was passed.
(Click for full size)