Fundación Karisma, Colombia’s leading digital rights organization, just launched its fourth annual ¿Dónde Estan Mis Datos? report in collaboration with EFF. The results are even more encouraging than the ones seen in 2017, with significant improvement in transparency: five companies published transparency reports, and four publicly explained their procedures around government blocking requests. Every company in the report showed progress from 2017, though there remains work to be done.
Based on EFF’s US-based Who Has Your Back? reports, the ¿Dónde Estan Mis Datos? project is one of several across Iberoamerican countries that assess ISPs’ public commitments to their users’ privacy in the face of government requests for user data.
The report (available in Spanish) rates seven companies that, together, account for more than 90% of the mobile and fixed Internet service provider market in Colombia. That is to say, it covers a set of ISPs that together hold the private information of nearly everyone who accesses the Internet in Colombia.
Each ISP was evaluated in the following four categories:
Political commitments:
- Does the ISP have internal gender equality rules and accessibility policies for users with disabilities?
- Does the ISP publish a transparency report (or the equivalent) for Colombia at least annually?
Privacy policy:
- Does the ISP adopt data protection policies and are they easily accessible?
- Does the ISP publicly disclose the legal obligation to retain users’ data, the legal basis for which it must comply with data requests, and the procedures used to deliver such data?
- Does the ISP commit to notify its users about data requests?
Free expression:
- Does the ISP publish the procedures it adheres to when governments request to block or terminate Internet service?
- Does the ISP provide public guidelines so that users know their rights and duties?
Digital security:
- Does the ISP disclose what it does in the case of a data breach?
- Does the ISP use the secure data transmission protocol (HTTPS) on all websites and, particularly, those on which there is an information exchange (purchases, sales or consultations)?
Below is the chart, which ranks the seven Colombian telecommunications companies:
This year, we were pleased to see improvement in the ISPs’ transparency policies. Five out of seven companies received the maximum score for publishing comprehensive transparency reports. In 2017 there was only one company, ETB, that received this score.
Similarly, we were pleased to see Claro, Telefónica-Movistar, and Tigo-UNE follow in ETB’s 2017 footsteps and publicly explain their procedures around government blocking requests. On the downside, DirecTV fell short compared to other ISPs when it came to publishing its Internet service blocking practices. When users understand how and why blocking is carried out, it can help them identify possible sources of abuse or misconduct, and better protect free expression.
Since the launch of this project in 2015, the ISPs’ privacy policies have become more detailed and accessible. In the 2018 iteration of Colombia’s ¿Dónde Estan Mis Datos? report, all ISPs reviewed have published clear policies on their websites that are easy to navigate and understand. But even though ISPs have become more transparent about their data retention policies, there’s still room for improvement. Regarding the procedures surrounding handing over data to authorities, only ETB and Tigo-UNE received the maximum score. ETB published its law enforcement guidelines for communication interception, and Tigo-UNE disclosed its procedures for granting access to users' metadata.
For the user notification category, ISPs were held to a stricter standard than in years past. The 2018 report scores companies on their public commitment to notify users whenever a third party, including law enforcement and state authorities, requests access to data. As a result, none of the companies received as high a score in this category. Even though it’s not expressly set out in Colombia’s law, user notice enables the affected individual to contest illegitimate government surveillance requests or seek other remedies, and should be adopted as a best practice by the ISPs.
In general, all of the ISPs featured in the report improved their scores in 2018. Setbacks were mostly due to stricter evaluation criteria, and not because the company regressed in some way. Karisma's newest report shows that keeping up the pressure and having an open dialogue with companies pays off. It also shows that we can simultaneously recognize progress while pushing ISPs to provide better privacy safeguards for their users.