IPANDETEC, the leading digital rights organization in Panama, today released its second annual Who Defends Your Data" (¿Quién Defiende Tus Datos?) report assessing how well the country’s mobile phone and Internet service providers (ISPs) are protecting users' communications data. While most companies received low scores, the report shows some ISPs making progress in a few important areas: ensuring payment processing services and websites are secure, requiring law enforcement to obtain warrants before accessing user data, and publicly promoting data privacy as a human right. Regarding the latter, all ISPs surveyed are working on an agreement to provide Internet connection to students and persons affected by the COVID-19, a welcome development as many are struggling without Internet access during the pandemic.

IPANDETEC looked at the privacy practices of Panama’s main mobile companies: Claro (America Movil), Digicel, Más Móvil (a joint operation between Cable & Wireless Communications and the Panamanian government, which owns 49% of the company), and Tigo, the new name for Movistar, the brand owned by Spain’s Telefonica whose assets were sold to Millicom International last year.

¿Quién Defiende Tus Datos? is modeled after EFF’s Who Has Your Back report, which was created to shine a light on U.S. ISPs’ policies for protecting users’ private information so consumers could make informed choices about what companies they should entrust their data to. Internet access and digital communications are part of everyday life for most people, and the companies that provide these services collect and store vast amounts of private information from their customers. People have a right to know if and how their data is being protected—that’s why IPANDETEC and other digital rights organizations across Latin America and Spain are evaluating and reporting on what ISPs publicly disclose about their data protection practices.

ISPs in Panama were evaluated on seven criteria concerning data protection, transparency, user notification, judicial authorization, defense of human rights, digital security, and law enforcement guidelines. Complete descriptions of what the categories include are provided later in this post.

Main Findings

Tigo, previously called Movistar, scored the highest, achieving full or partial stars in five of the seven categories assessed. It was the only company in the survey to receive a full star for stating that it requires law enforcement agencies seeking user data to first obtain a warrant. Tigo was also the only company to receive some credit for providing partial information about procedures for law enforcement requests for customer data—this is largely owing to the fact that its current parent company Millicom publishes a policy for assisting law enforcement. But the document refers to a global policy; Tigo’s local policy in Panama isn’t clear, so it received a quarter of a star.

Tigo was also the only company to receive partial credit in the data protection policy category. The other companies provide some information about data collection from visits to their websites and use of their apps, but not about data collected from their regular Internet or mobile phone services. Más Móvil says its contracts with customers provide information about privacy and data protection. But these contracts aren’t made public. How companies collect, use, share, and manage customers' personal data should be publicly disclosed so it's available to people before they choose a telecom operator. Tigo, through Millicom, discloses only some information about data collection policies for online services and received a quarter of a star.

Claro had the second-highest score, with one full star in the digital security category and half stars in the defense of human rights and judicial order categories. In the latter category, the company’s global policy is to only comply with law enforcement requests for users’ content and metadata when there’s an order from “the competent authority.” The global policy isn’t available on Claro’s local Panama business website, and Claro’s policy for Panama is less precise about a warrant requirement, hence the awarding of a half star.

Claro received a full star in the digital security category, an improvement over last year, by committing to using HTTPS on its website and for processing online payments. A big problem revealed by the report is a general lack of transparency about privacy and security practices by ISPs in Panama. None of the ISPs surveyed received credit for publishing a transparency report. Tigo’s previous and current parent companies, Telefonica and Millicom, respectively, didn’t include information about their mobile Panamanian businesses in their transparency reports because the Movistar sale transaction was in progress. As such, Tigo received no stars in the transparency report category. We hope to see that change in the next report, not just for Tigo but for the other companies as well.

The lack of transparency reports isn’t the only disclosure flaw among Panama’s leading ISP’s. None commit to notifying users when the government gets access to their data, according to  IPANDETEC's study. 

The specific criteria for each category and the final results of the study are below. For more information on each company and Panama’s ICT sector, you can find the full report on IPANDETEC’s website. 

Data Protection: Does the company post a document detailing its collection, use, disclosure, and management of personal customer data?    

    • The data protection policy is published on its website
    • The policy is written in clear and easily accessible language
    • The policy details what data is collected
    • The policy establishes the retention period for user data

Transparency: Does the company post an annual transparency report listing the number of government requests for customer data they’ve received, and how many were accepted and rejected?    

    • The company publishes a transparency report on its website
    • The report is written in clear and easily accessible language
    • The reports contain data related to the number and type of requests received, and how many were accepted

User Notification: Does the company promise to notify users when the government requests their data?    

    • The company states it will notify users when the government accesses their information as soon as the law allows

Judicial Authorization: Does the company explicitly state it will only comply with authorities’ request for user data if they have a warrant?

    • The company states in its policies that it requires a warrant before law enforcement can access the content of users' communications
    • The company rejects requests by law enforcement that violate legal requirements

Defense of Human Rights: Does the company publicly promote and defend the human rights of their users, specifically the privacy of their communications and protection of their personal data?

    • The company promotes user privacy and data protection  through campaigns or initiatives
    • The company supports legislation, impact litigation, or programs favoring user privacy and data protection
    • The company participates in cross-sector agreements promoting Human Rights as a core tenant of their business

Digital Security: Are the company’s website and online payment service secure?

    • The company uses HTTPS on its website 
    • The company uses HTTPS when processing payments online

Law Enforcement Guidelines: Does the company outline public guidelines and legal requirements required for law enforcement requesting customer data?

    • The company publishes guidelines for law enforcement data requests.

Conclusion

The report shows that all four ISPs surveyed support the idea that user privacy and data protection are human rights. The best way for companies to prove their commitment to this principle is by doing a better job at protecting their customers’ private information and being more transparent about how they collect, use, and share their data. We hope to see improvements across all categories in the next report.