InternetLab, the Brazilian independent research center, has published their third edition of “Quem Defende Seus Dados?" (Who defends your data?"), an annual report which evaluates the practices of their local Internet Service Providers (ISPs), and how they treat their customers’ personal data when the government demands it.

This years' report expanded the number of ISPs covered, and shows Vivo taking a strong lead, followed by Tim and then Claro and Oi close behind. The Brazilian ISPs still have plenty of room for improvement, especially on transparency reports, law enforcement guidelines, and notification to users.

Dennys Antonialli, Executive Director, InternetLab told EFF:

“After three years of the project in Brazil, we can see progress in the amount of information ISP’s are giving out to users. Policies have become more clear and detailed. But transparency is still a main challenge: only one of the companies publishes a transparency report and none of them provides notification to users about their data been sought by law enforcement.”

InternetLab was chosen by the Electronic Frontier Foundation to carry out "Who defends your data?"—the Brazilian version of EFF’s own “Who has your back?”. “Quem Defende Seus Dados?" aims to promote transparency and the adoption of good privacy and data protection practices by ISPs in Brazil, and to make Internet users aware of practices that affect the protection of their personal data.

This project is part of a region-wide initiative by U.S., Latin American, and Spanish NGOs. Last year InternetLab joined Colombia’s Karisma Foundation, Paraguay's TEDIC, and Chile’s Derechos Digitales in publishing 2017 reports, and ETICAS Foundation and Asociacion por los Derechos Civiles released a similar study earlier this year, part of a series across Latin America and Spain.

InternetLab’s third annual report set out to examine which Brazilian ISPs best defend their customers. Which notify users about terms of compliance with government data requests? Do any challenge disproportionate data demands for their users’ data in courts? Do they fight for users’ privacy in public debates?  Do any of the companies notify their users when complying with judicial requests?

For this edition, InternetLab evaluated ISPs that according to data released by the National Telecommunications Agency in May 2017, each held at least 1% of the market for Internet access in Brazil—whether that was through fixed broadband infrastructure or via mobile. Previous editions only evaluated larger ISPs with 10% or more of the market. For broadband, that meant these companies: NET, Oi, Vivo, Sky and Algar. For mobile Internet, InternetLab selected Claro, Oi, TIM, Vivo and Nextel.

Algar, Nextel, and Sky are newcomers to the project: Claro, NET, Oi, Vivo and TIM went under the microscope for the third time.

Inspired by the U.S. project "Who Has Your Back?", “Quem Defende Seus Dados?" has adapted the WHYB methodology to the differences between Brazil and the United States’ Internet industry and laws. InternetLab reviewed each company in six categories:

  1. Data processing: Does the ISP provide clear and complete information about the collection, use, storage, processing, and protection of user’s personal data?
  2. Data disclosure to the government: Does the ISP publicly commit to disclose subscriber data and internet connection logs only upon a court order or, in the case of subscriber data, upon application by competent administrative authorities?
  3. Defense of user privacy in the courts: Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?
  4. Pro-user privacy public engagement: Has the ISP engaged in public debates about law bills and public policies that may affect user's privacy, defending projects that aim to advance privacy?
  5. Transparency reports: Does the company publish transparency reports that contain information about how many times governments sought user data and how often the company provided user data to governments?
  6. User notification: Does the company notify the user about data requests by the government?  

The Results

Companies in Brazil are off to a good start but still have a ways to go to fully protect their customers’ personal data and be transparent about who has access to it. Vivo is leading with four of six stars, with Tim in second place with two, and Claro and Oi not far behind. While this is important progress, all the companies have room for to earn more stars, especially on Transparency Reports, law enforcement guidelines, and user notification. For 2019, competitors could catch up with efforts to provide better user notification of surveillance, publish transparency reports, law enforcement guidelines, or fight for users’ privacy rights in court or in public debates.

InternetLab is expected to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Brazilians will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.