The Peruvian digital rights organization, Hiperderecho, together with the Electronic Frontier Foundation, launched ¿Quién Defiende Tus Datos? (Who Defends Your Data?) today, a report that evaluates the privacy practices of digital communication companies that Peruvians use every day. Along with similar reports published earlier this year in Colombia and Mexico, this investigation is part of a larger series of evaluations across Latin America that is based on EFF’s annual Who Has Your Back? report and adapted for local realities and needs. The reports compare phone companies and Internet Service Providers to determine which ones stand by their users when responding to government requests for personal information.

Peru is experiencing a digital revolution; its citizens are increasingly using the Internet and electronic devices to exercise free speech, organize social movements, and gather information. As more and more Peruvians use mobile phones and computers to access the Internet, more of their private data gets shared among companies who provide these services. As of July 2015, the government has been taking advantage of this shift, proposing brand new surveillance laws that compel ISPs to retain metadata for a certain period of time and allow warrantless access to geolocation data in emergency cases.

As such, Hiperderecho has released the ¿Quién Defiende Tus Datos? report that evaluates whether Peruvian ISPs and telephone companies stand by their customers when the government knocks at their door compelling user data. From its inception, this project has had two main goals: to provide users with a clear assessment of which telecommunications companies are adopting best practices to protect their users’ privacy; and, to provide companies with guidance and recommendations on how they can improve their privacy practices.

In their report, Hiperderecho analyzed whether companies publish appropriate and easy-to-understand privacy policies on their websites and if the outlined practices are sufficient enough to inform users about how they treat government requests.

Evaluation criteria

  1. Privacy Policy: To earn a star, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and describe the guidelines and procedures the company has in place when an authority requests the data. Partial compliance was rewarded with half a star.
  2. Judicial Warrant: Companies earned a star in this category if they required the government to obtain a warrant from a judge before handing over communications (either content or metadata). Compliance with this requirement for the content of communications, but not for metadata, earned a company a half star.
  3. User notification: To earn a star in this category, companies must promise to inform their customers of a government request at the earliest moment permitted by the law. They could issue parallel notifications along with the official ones sent by the government after a surveillance measure took place through different means of communication.
  4. Transparency: This category looked for companies publishing transparency reports about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied with, including details about the type of requests, the government agencies that made the requests, and the reasons provided by the authority. Partial compliance is rewarded with a half star.
  5. Commitment to privacy: This star recognizes companies who have challenged legislation that permits mass surveillance or surveillance that allows government access without judicial safeguards, as well as those that have publicly taken a position in favor of their users’ privacy before congress and other regulatory bodies.

The results

Results from Peruvian ISPs' privacy protections

Most of the companies have yet to earn a good evaluation in this first edition of the report, with some of them not even obtaining partial stars. As a result, telecommunications companies in Peru still have a long way to go to ensure the privacy of their users’ communications personal data. In categories like “Transparency Reports” and “User Notification Procedures,” no companies were awarded a star. In several cases, companies limited themselves to publishing privacy policies that neglected to include either what kind of data they were collecting or how long they would be storing the data.

Peru’s  recent adoption of a new data protection law has forced companies to disclose their data collection practices every time they sign up new users, but the law doesn’t compel them to provide a more comprehensive evaluation of the data they collect as a by-product of the usage of the service. Hence, there is little information on how companies treat information they collect from users, like IP addresses, traffic logs, and geolocation, among others.

This report asks companies to stand with their customers by implementing best practices to the fullest extent permitted by law. However, one of its key findings is that certain legal restrictions in Peruvian national law may prevent operators from adopting internationally-recognized best practices for user notice, which are designed to empower users to defend their own privacy.

According to the Criminal Procedure Code or the rules of the national intelligence system, ISPs and mobile companies are compelled to keep government access requests confidential. Accordingly, the companies may be prevented from notifying their users upfront. However, there’s still much more that companies could do within the space of their legal obligations. Under Peruvian law, courts must notify citizens after a surveillance measure has expired and, when this happens, companies could contact them in parallel through email or text message to call their attention on the notification. This would allow citizens to exercise their right to oppose and appeal any surveillance measure previously issued by the courts.

Some regional companies have better practices in countries other than Peru. For example, most of the Mexican companies, including Telmex (a subsidiary of América Móvil), have a privacy policy published on their website. However, Claro’s website in Peru does not publish this information.

Peruvian companies still have a long way to go in protecting customers’ personal data and being transparent about who has access to it. Hiperderecho expects to release this report annually to incentivize companies to improve transparency and protect users data. By making privacy policies accessible and understandable, Peruvians will know how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions.

Download report

Check the full report of Who Defends Your Data? [Spanish] [PDF].