Red en Defensa de los Derechos Digitales, the leading digital rights organization in Mexico and the Electronic Frontier Foundation, today launched ¿Quién Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the digital communication companies that millions of Mexicans use every day. The investigation is part of a series of studies across Latin America based on EFF’s annual report, Who Has Your Back? and adapted to local realities and need. The reports are intended to compare phone companies and Internet Service Providers to see which stand with their users when responding to government requests for personal information.

With more than 100,000 government data requests in Mexico in 2014, Mexican Internet users are increasingly a target for government investigation. Each of those requests may reveal a substantial amount of information about a user, including their online relationships, discussions, and even minute-by-minute movements. All of this data may be handed over without the person involved being able to challenge or limit the extent of information taken, as they would if their home was searched or it was their physical property that was being seized.

Instead, Internet users depend on the privacy policies of third-parties to protect their rights online. R3D’s report set out to uncover which Mexican ISPs and telephone companies best defend their customers. Which are transparent about their policies regarding requests for data? Which require a judicial warrant before handing over personal information? Do any challenge surveillance laws or individual demands for their users’ data? Do any of the companies notify their users when complying with judicial requests?

R3D examined publicly posted information, including the privacy policies and codes of practice, from eight of the biggest Mexican telecommunications access providers: Axtel, Cablemás, IZZI Telecom, Iusacell, Megacable, Nextel, Telefónica Movistar and Telmex / Telcel. Between them, these providers cover over 98% of Mexico’s mobile, fixed line and broadband markets.

Each company was given the opportunity to answer a questionnaire, to take part in a private interview and to send any additional information they felt appropriate, all of which was incorporated into the final report. This approach is based on EFF’s earlier work with Who Has Your Back? in the United States, although the specific questions in R3D’s study were adapted to match Mexico’s legal environment. Customised investigations using similar methodologies are being worked on by digital rights groups across Latin America. The Karisma Foundation in Colombia published their report, ¿Dónde Están Mis Datos? in May.  Hiperderecho in Peru, InternetLab in Brasil, and TEDIC in Paraguay are all also working on similar studies.

R3D’s rankings for Mexican ISPs and phone companies are below; the full report, which includes details about each company, is available at: qdtd.mx

Evaluation Criteria for  ¿Quién Defiende tus Datos?

1. Privacy Policy:  To earn a star, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and to describe the guidelines and procedures the company has in place when an authority requests the data. Partial compliance was rewarded with half a star.

2. Judicial Warrant: Companies earned a star in this category if they required the government to obtain a warrant from a federal judge before handing over communication either content or metadata. Compliance with this requirement for the content of communications but not for metadata earned a company a half star.

3. User notification: To earn a star in this category, companies must promise to tell their customers of a government request at the earliest moment permitted by the law. They must also either challenge the laws prohibiting the notification of users or promoting a notification mechanism before Congress or other regulatory bodies.

4. Transparency: We award companies a star in this category if they publish a transparency report about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied, including details about the type of requests, the government agencies that made the requests and the reasons provided by the authority. Partial compliance is rewarded with a half star.

5. Defending users in court: This star recognizes companies who have challenged legislation that permits mass surveillance or surveillance allows government access without judicial safeguards, as well as those that have publicly confirmed that they have resisted overbroad government requests.

6. Public opposition to mass and unchecked surveillance: In this category, companies are rewarded for taking a public position against mass and unchecked surveillance and defending their position before Congress and other regulatory bodies. Also, this category credits company participation in mechanisms that recognize their responsibilities to respect human rights.

THE RESULTS

1. Privacy Policy

No company earned a star in this category. All companies, except Iusacell, have a privacy policy about the telecommunications services they provide, published in the companies’ websites. However, the language used in the privacy policies is too vague and unclear to earn a star. The companies’ privacy policies do not indicate clearly which information is collected about the communications of users, for how long or which procedures are adopted when authorities request that data.

2. Judicial Authorization

Under Mexican Constitutional law authorities must obtain a warrant from a federal judge before accessing the content of communications. While there is no evidence that any company is not being compliant of this rule, no company has made a commitment to require a warrant from a federal judge when authorities request metadata, a requirement that has been recognized by both the Supreme Court of Mexico and the Inter-American Court of Human Rights. Therefore all companies were awarded only a half star.

3. User Notification

No company was found to adopt a policy of notifying users, at the first time allowed by the law, about authorities seeking access to their communications data. While in some cases there might be legal impediments to notify users, no company was found to have challenged this restrictive laws in courts or to have proposed the establishment of user notification mechanisms before Congress or other regulatory bodies, therefore no company received a star.

4. Transparency

Iusacell, Movistar, Nextel, and Telcel have each earned half a star by publishing a transparency report through ANATEL (Asociación Nacional de Telecomunicaciones). This is an important beginning step.However, this transparency report only provides with a general number of requests made by authorities for the prosecution of crime, without providing detailed information about which type of requests have been received, which authorities made the requests or which reasons were given by authorities to make the request. The lack of detailed information does not allow users to know the scope and reach of government requests. Therefore, the mobile companies part of ANATEL only received a half star. The other companies did not receive any stars.

5. Defend Users’ Privacy in Court

In the last year, the Mexican congress enacted laws that establish mass and unchecked surveillance measures, such as the Telecommunications and Broadcasting Law (Ley Federal de Telecomunicaciones y Radiodifusión). Iusacell and Telcel fought for their users by challenging the constitutionality of these surveillance provisions. However, no information was provided by any company about challenging in court specific abusive requests from authorities, therefore, Iusacell and Telcel received a half star. The rest of the companies did not earn any stars.

6. Public Statement Against Mass or Unchecked Surveillance

Telefónica Movistar earned a full star by publishing a public policy commitment against unchecked surveillance and a clear recognition about its human rights responsibilities, including the right to privacy. All companies, except for Megacable, have advocated for users privacy before congress and other regulatory bodies such as the Federal Institute of Telecommunications (IFT). Telefónica Movistar was also the only company that was found to be part of any mechanism for addressing its human rights obligations, such as the Telecommunications Industry Dialogue and the Global Network Initiative. As a result, Telefónica Movistar earned the only full star in this report.

Conclusion

Companies in Mexico have a long way to go in protecting customers’ personal data and being transparent about who has access to it. R3D expect to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Mexican will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.

CORRECTION: An earlier version of the report showed Iusacell with a no star score in the category of Advocates for Privacy in the condensed chart. However, the category chart and the totals were correct. We've updated the condensed chart.