Technology companies in Colombia are privy to our most sensitive information: conversations, photos, location data, and more. Our data may be collected by third parties and scrutinized under surveillance conducted by governments and other actors. While corporations offering Internet service in Colombia are subject to various regulations governing how they handle our personal information, their privacy policies and terms of service often lack clarity about exactly what steps they take to protect their users’ data. That is why Karisma Foundation, a leading Latin American NGO working on the promotion of human rights in the digital world, and the Electronic Frontier Foundation have asked Colombians: Do you know where your data is right now? Do these companies stand with you? Do they let you know if they let others access your information? To answer this question, we are issuing a report entitled Where Is My Data? (¿Dónde están mis datos?).
Karisma Foundation and EFF have joined forces on an initiative that aims to foster greater transparency among Internet providers in Latin America. The effort is coordinated by EFF in five countries in the region with the participation of Red en Defensa de los Derechos Digitales in Mexico, Hiperderecho in Peru, InternetLab in Brasil, TEDIC in Paraguay, and Karisma Foundation in Colombia.
Karisma Foundation is kicking off the initiative with Where Is My Data?—the first report of its kind to analyze which Internet access providers in Colombia stand with their users and embrace transparency around government data requests. The purpose of this report is to allow users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and strengthen the public commitment to defending users rights.
"Internet service providers in Colombia should be transparent about the extent to which they provide user data to the government,'' EFF International Rights Director Katitza Rodriguez said today during the launch of the event in Bogota. "Karisma Foundation's `Where Is My Data' report examines the privacy policies of Colombia's most popular ISPs to provide a clear picture of how open they are with customers about government requests for user information. The report is an important tool for users seeking to make informed decisions about which companies they should trust with their information.''
Karisma Foundation conducted an assessment of the public information available on the websites of these five companies. They were rated on how much they disclosed to their users in their privacy policies and terms of service. We focused on five areas:
Does the ISP publish transparency reports? These reports provide individuals with limited information about the scope and nature of government requests for user information for investigations and surveillance. While companies are not legally obligated to provide transparency reports and they are limited by governments as to how much data they can disclose, publishing them is a good practice and shows that companies care about protecting their customers. More and more Internet and social media companies around the globe are stepping up to provide these reports, including Google, Facebook, Twitter, Microsoft and Vodafone. Transparency reports contain aggregate information about the specific number of requests a particular company has received from the government, the number of times a company has rejected the requests (and their reasons for denying them), a breakdown of the requests by investigation authority, type, and purpose, and the number of accounts affected by each request, for example.
Does the ISP notify users about government data requests? This is important because it enables users to challenge the decision for surveillance or seek other effective remedies.
Does the ISP publish compliance guidelines regarding their legal obligation to disclose user data to the government, the duration the company keeps user data, and how or if they dispose of it?
Does the ISP offer clarity to users about the ways in which content is filtered, removed or blocked, and what happens to data when service is canceled or suspended? There are legal and contractual grounds for filtering and removing content. Users should be able to know why and how data is removed, and what possible remedies are available when they feel there are abuses.
Where Is My Data? aims to promote best business practices among ISPs for the benefit of users. It seeks to identify areas where more transparency is needed and raise awareness among customers about how their data is used by ISPs and the government so they can make more informed decisions when choosing an Internet provider.
The analysis was based on methodologies developed by EFF and used in similar projects around the world, taking into account current laws in Colombia. Companies earned whole stars and partial stars for each of the five area of focus. Whole stars were awarded for the most transparency, half stars were given when information was partially disclosed and a fourth of a star was given this time to recognize the development of good practices even when disclosure was lacking. Stars were withheld when no information was provided to customers.
Karisma Foundation contacted the five companies in the report to explain the ratings process, provide the initial results, and give them an opportunity to supply feedback, identify issues, and provide evidence of improved policies and practices. The observations and comments made by ISPs were considered in the final evaluation.
The Results: Vague, Unclear Policies, Lack of Disclosure About Government Surveillance Requests Leave Lots of Room For Improvement
What’s more, Karisma Foundation found that of the policies and terms of services reviewed, most did not state users would be notified about government demands for personal data. Notification is essential for users to challenge data requests or seek other remedies.
DirecTV is the only company that declares in its terms of service that it may notify users if and when such requests are made, but the company’s statement is discretionary, vague, and lacks specifics on how the information would be disclosed. We were encouraged that UNE promised to scrutinize the legality of inquiries and keep a record of the requests, but the company failed to take the next step and commit to notifying users about requests.
Unfortunately, none of the ISPs reviewed publish compliance guidelines regarding their legal obligation to disclose user data to the government, nor do the companies’ terms of service describe the ways in which content is filtered, removed or blocked, or what happens to it when service is canceled or suspended.
Companies in Colombia have a long way to go in protecting customers’ personal data and being transparent about who has access to it. We expect to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Colombians will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.