It's Paraguay's turn to take a closer look at the practices of their local Internet companies, and how they treat their customer's private information. Paraguay's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of TEDIC, the country's leading digital rights organization. It's part of a continent-wide initiative by South America's leading digital rights groups to shine a light on Internet privacy practices in the region, based on EFF's annual Who Has Your Back report. (Derechos Digitale's Chile report was published on Monday, and digital rights groups in Colombia, Mexico, Brazil, and Argentina will be releasing similar studies soon.)
TEDIC's survey comes at a tense moment in Paraguayan politics. After 24 years of relatively stable democracy, the country has spent the last few months caught in a high-stakes political battle. The current President, Horacio Cartes, pushed through an amendment to end his office's constitutional term limits. The opposition sees echoes of the presidential power-grab that led to Paraguay's last dictatorship. After riots in March led to setting fire of the Congress and the shooting of an opposition party member by police, Cartes has now declared he will not run for re-election. Still, talk of the "shadow of dictatorship" continues to hover over Asunción. Paraguayan Internet users want to know how their ISPs will defend their data in the event of a repressive or suspicious state.
The six companies surveyed by TEDIC—Tigo, Telecom Personal, Claro, Vox, Copaco, and Chaco Communications—together make up the vast majority of the fixed, mobile, and broadband market in Paraguay. Their logs hold intimate records of the movements and relationships of almost every citizen of the country. TEDIC, in the tradition of Who Has Your Back, evaluated the companies for their commitment to privacy and free expression, and awarded stars based on their current practices and public behavior.
The good news from TEDIC's report is that every telco explicitly stated that they only hand over data to the authorities (both metadata and the content of communications) in response to a legitimate court order. That may seem like a basic minimum for data protection, but a public commitment to the rule of law can be an important statement in unsettling times. Every company reviewed got a full star for this.
The less positive news is that individual consumers in Paraguay don't yet have a way to reliably check that the companies are truly complying with their public promises. None of the companies had policies in place to notify users if they were the target of surveillance, for instance, even if that order was overturned, or the investigation was complete.
The TEDIC research team notes that user notification would truly be sign of a commitment to customer privacy over and above financial or legal requirements. Paraguay law does not require notification, and in some cases the ISPs might have to seek explicit legal permission to pass on notice of surveillance to their users. But without notification, it is difficult to know the extent of surveillance, or for anyone to challenge surveillance they believe to be unnecessary or disproportionate.
Transparency is important for oversight, both to show customers how often their governments request data, and whether particular companies are more likely to put the customer first when responding. Many Internet and telecommunication companies now publish transparency reports, documenting the total number of requests they receive for surveillance or content takedowns from government agencies or by court order. These annual reports provide valuable insight into the levels of government surveillance and censorship, and how that surveillance changes over time. Paraguay has its own entry in many global reports. Tigo's activities are documented in regional reporting by its multinational parent corporation, Millicom. Unfortunately, Millicom’s local telecommunication subsidiaries do not follow the parent company’s lead and publish country specific reports. That denies technology users in Paraguay a chance to track their own government's level of spying, and means not one company in TEDIC's report received a full star in this category.
We don't get much insight into Paraguayan Internet blocking or filtering from the telecommunication companies either. Despite worrying incidents in the past, such as when ISPs blocked an online satire of a newspaper, it seems that there is very little public understanding of how or why ISPs might censor their users' Internet feeds. None of our companies describe how they would handle a blocking order if they received one, or gave any insight as to whether they would challenge it, or notify anyone other than the court or government department. Only one company made any public statement about how it might block at all: Chaco Communications, whose statement threatened to ban P2P traffic, left them as the only no-star ISP in a sea of half-stars for this category.
The final two categories show something of the incentives for telecommunication companies in a competitive market. Three of the six companies gained half stars by participating in the legislative debate over surveillance and net neutrality, making an explicit commitment to human rights, or contributing to international Internet policy fora like the Internet Governance Forum. This shows that at least some companies recognize that politics can have an impact on their customers, and perhaps their profits.
But, like telephone companies around the world, Paraguayan phone companies are reticent to rule out new uses for customers' personal data. No company in the survey published how they plan to use consumer data, or gave a detailed privacy policy that their customers could use when shopping for an Internet provider.
This is the first ¿Quien Defiende Tus Datos? report in Paraguay, and TEDIC plans to release one annually. This years' report shows Tigo in the lead, but with plenty of opportunity for their competitors to catch up. Tigo has plenty of room to improve on its own track record too. Any company that decided to pioneer user notification of surveillance, publish a transparency report, or publicly adopt strong data protection principles could easily seize the lead for 2018—and make its customers feel safer against both state and commercial misuse of the most private details of their lives.