Keeping track of ISPs’ commitments to their users, today Paraguay’s leading digital rights organization TEDIC is launching its second edition of ¿Quién Defiende Tus Datos? (Who Defends Your Data?), a report in collaboration with EFF. Transparent practices and firm privacy commitments are particularly crucial right now. During times of crisis and emergency, companies must, more than ever, show that users can trust them with sensitive information about their habits and communications. While Paraguayan ISPs have made progress with their privacy policies and taking part in forums pledging promotion of human rights, they still have a long way to go to give users what is needed for fully building this trust.
Paraguayan ISPs should make greater efforts in being transparent about their practices and procedures as well as having stronger public commitments to their users, such as taking steps to notify users about government data requests.
Overall, Tigo remains the best-ranked company in the report, followed by Claro and Personal. Copaco and Vox received the worst ratings. The second edition brings two new categories: assessing whether companies have publicly available guidelines for law enforcement requests, and whether their privacy policies and terms of service are provided following proper web accessibility standards. This year’s report focuses on telecommunication companies with more than fifteen thousand internet users across the country, which together represent the whole base of mobile broadband customers (except for Copaco, whichonly provides fixed services).
The full study is available in Spanish, and we outline the main findings below.
Main Findings
Each ISP was evaluated in the following seven categories: privacy policies, judicial order, user notification, policies for promoting political commitments, transparency, law enforcement guidelines, and accessibility standards.
Regarding privacy policies, this edition looked into companies’ publicly available documents and checked whether they provided clear and easily accessible information about personal data collection, processing, and sharing with third parties, as well as the retention time and security practices. While no company scored in the previous report, more than half of them showed improvements in this year’s edition. Tigo stands out with a full star, followed closely by Claro’s privacy policies. Claro did not earn the full star, as it failed to provide sufficient information on how personal data are collected and stored. Personal also received a partial score for publishing policies that properly detail how users’ data are shared with third parties.
When it comes to requiring a warrant before handing over users’ communications content for law enforcement authorities, Tigo is the only ISP to clearly and publicly commit to doing so. Claro stated that the company complies with applicable legislation, judicial proceedings, and government requests. TEDIC's report highlights that, in response to the research team, Claro and other companies claimed they do request judicial authorization for handing over communications content. Yet, these claims are still not reflected in the policies these companies’ public, verifiable policies.
Regarding government access to traffic data, a Supreme Court ruling in 2010 authorized prosecutors to request such data directly despite the country’s telecommunications law’s assertion that the constitutional safeguard of inviolability of communications refers not only to the content itself, but also to what indicates the existence of a communication, which would cover traffic data. The 2010 ruling has been applied to online context, running also afoul of the Inter-American Court of Human Rights case law recognizing that communications metadata should receive the same level of protection granted to content. TEDIC’s report recommends that companies publicly commit to requesting judicial authorization when handing metadata to authorities. Clarifying this discrepancy in favor of users' privacy is still a challenge and companies should play a greater role in taking it on and fighting for their users in courts or in Congress.
Tigo is the only ISP to receive partial stars in the transparency and law enforcement guidelines categories for documents published by its parent corporation Millicom. Regarding the transparency report, Millicom falls short of providing detailed information for Paraguay. The report aggregates data per region, disclosing statistical figures for interception and metadata that merge the requests received in Paraguay, Colombia, and Bolivia. Transparency reports are valuable tools for providing insight into how often governments request data and how companies respond to it, but this is not the case if the figures for each country are not disclosed.
However, Millicom does provide relevant insight when it states that Paraguay’s authorities mandate direct access to their mobile network, though it doesn't specify the legal ground that compels companies to do so.
As for law enforcement guidelines, Millicom publishes global key steps that its subsidiaries must follow when complying with government requests, but the ISP doesn’t make available to the public its detailed global and locally tailored procedures.
Getting companies’ commitment to notify users about government data requests remains a hard challenge. Just like in the last edition of the report, no company received credit in this category. While international human rights standards reinforce how crucial user notification is to ensure due process and effective remedies, ISPs are usually reluctant to take steps towards putting a proper notification procedure in place.
Three out of five companies (Claro, Tigo, and Personal) scored in the web accessibility category, though there is still room for improvement.
TEDIC’s work is part of a larger initiative across Latin America and Spain kicked off in 2015 and inspired by EFF’s Who Has Your Back? Project. Earlier this year, both Fundación Karisma in Colombia and ADC in Argentina published new reports. The second edition of Eticas Foundation in Spain comes next, with new instalments in Panamá, Peru, and Brazil already in the pipeline.