Colombia’s top internet and cell phone companies continued to maintain a high level of transparency about their privacy practices, and continued to implement best practices to protect customer data, free expression, and security in 2021. But they faced challenges from the impacts of COVID-19 and pressure to inform users about government spying on mobile phone communications, according to a new report released today by Fundacion Karisma, Colombia’s leading digital rights organization.

¿Dónde están mis datos?" (“Where Is My Data?”) evaluated seven leading internet and cell phone companies: Claro (América Móvil), Movistar (Telefónica), Tigo (Millicom), ETB, DirecTv, Emcali,  and Avantel. Karisma also included satellite internet companies Hughesnet and Skynet for their role in connecting rural areas.

Today’s report is Karisma’s seventh annual ¿Dónde Estan Mis Datos? for Colombia—an assessment of telecommunication companies’ commitment to transparency and user privacy. As in prior years, Karisma looked at whether companies’ transparency reports provide detailed information about government requests for user data and content blocking, how strong their data protection policies are, and whether they adequately disclose content blocking practices and data breaches.

In these categories, Colombia’s internet and cell phone companies were steady, mostly meeting, or exceeding, levels achieved in the last few years. Movistar was the overall top performer, with 15 out of a possible 16 points, followed by Tigo with 13 points, and Claro and Avantel, each with 10 points. ETB scored 8 points, DirectTV earned 7 points, Hughesnet and Emcali each earned 5 points, while Skynet earned 3.

In new evaluation categories added to assess companies’ policies regarding net neutrality and government interception of communications, the results were mixed.

The COVID-19 pandemic put significant pressure on internet and telecommunications providers, as their network infrastructures were tested by higher traffic from remote work. Also, government demands for data to track and contain the virus tested their commitment to user privacy. What’s more, the Colombian government and the country’s Communications Regulatory Commission decided through emergency regulations to prepare the ground in case it was necessary to suspend net neutrality—a key tenet t of an open internet.

Under net neutrality, internet service providers treat all data that travels over their networks fairly, without improper discrimination in favor of particular apps, sites, or services. While the suspension of net neutrality did not occur, Karisma for the first time added new categories in ¿Dónde Estan Mis Datos? to evaluate companies’ disclosure of their net neutrality practices.

Movistar, Tigo, Avantel and Hughesnet were the standouts in these categories, each earning points for publishing their traffic management practices and publicly committing to protect net neutrality.

Karisma also added new categories to document a highly controversial and constitutionally questionable surveillance practice that has come to light. After analyzing the last few ¿Dónde Estan Mis Datos? reports, Karisma has concluded that Colombian authorities are intercepting users’ mobile phone communications, directly accessing communications without making formal requests or involving telecommunications companies hosting the networks. 

Little is known about how this deeply problematic surveillance practice occurs. To provide users with information and shed light on this troubling practice, ¿Dónde Estan Mis Datos? will, starting with today’s report, evaluate whether companies are clearly disclosing that direct access occurs. 

Main Results

DEMD Colombia 2021 chart main findings

Each company is evaluated in the following categories:

Political commitments: This category looks at whether companies have internal gender equality rules and accessibility policies for users with disabilities, and if they publish annual transparency reports (or the equivalent) for Colombia. New criteria added this year includes whether companies disclosed content blocking requests justified by a national health emergency, and if they have publicly committed to net neutrality.

Movistar continues to lead in the category; it fully reports on all expected criteria and in a disaggregated manner, including blocking events related to states of emergency or other exceptions.

Claro reports on the occurrence of each event, the legal framework in which each order is justified, and the authorities that raise them before the company. But when it comes to providing disaggregated statistics, it only does so in relation to content blocking orders and the four subtypes in which this can be justified (not data about government requests for user data).

Privacy: This category includes whether companies publish data protection policies with relevant information for users, publicly disclose the legal basis for complying with government requests to turn over data, and notify users about data requests. New criteria includes whether companies disclose the possibility that authorities have direct access to their communications networks, what legal basis exists for that, and their role in direct access. 

Movistar stands out for the clarity of the information it provides on direct access, while both Claro and Tigo disclose information on the different legal frameworks that allegedly underpin such communications surveillance. Tigo is also to be recognized for transparency on direct access, which is reinforced by the global report of its parent company Millicom. Movistar, Claro and Tigo each received 2 points in the areas—the other four companies received no points. 

Free expression: This category evaluates companies on whether they publish procedures that they have in place to respond to government requests to block content or terminate internet service, and whether companies publish guidelines, so users know which kind of practices can face blocking.  

Claro, Movistar, Tigo, ETB and Avantel report the execution of orders to block websites or URLs. Emcali and Hughesnet report blocking websites or URLs only in the case of circulation of child sexual abuse content. Skynet does not provide information on any of these criteria.

Digital security: In this category, companies are rated on their practices for disclosing data breaches and mitigation measures, and whether they use the secure data transmission protocol (HTTPS) on their websites. 

Movistar, Tigo and Avantel are the only companies that have a protocol and documentation for data breach mitigation actions. Skynet warns in general what security measures it deploys, but not what contingency measures it would apply for possible security breaches.

Karisma’s full report is available in Spanish, and is part of a region-wide initiative that since 2015 has been holding ISPs accountable for their commitments on transparency and user privacy in key Latin American countries.