New ¿Where Is My Data? Report: Five Years of Holding ISPs Accountable in Colombia

Five years have passed since Colombian digital rights NGO Fundación Karisma launched its first annual ¿Dónde Están Mis Datos? report, assessing telecommunication companies’ commitment to transparency and user privacy. Since then, we’ve seen major telecom companies providing more transparency about how and when they divulge their users’ data to the government. This project is part of a region-wide initiative akin to EFF’s Who Has Your Back? by Latin American and Spanish NGOs. So far, nine countries have joined this project, which kicked off in 2015 with Karisma’s first report.

When Karisma started the reports in 2015, none of the ISPs published any transparency report or any aggregate data about the number of data requests they received from governments. Five years later, the country’s main ISPs, such as Telefónica-Movistar and Claro, periodically disclose government transparency reports. This is a big win for transparency and users’ rights. Companies’ privacy policies have also shown progress over the years, with more useful information, better provided to users, on data retention, collection, and processing.

This year’s fifth edition featured six ISPs. Telefónica-Movistar shows the best rating, followed by Millicom-Tigo and Claro. Telefónica-Movistar and Claro improved their scores from the previous edition, with notable improvements in providing information about content blocking. The former also stands out in digital security. Poorly rated in this category in 2018, Telefónica-Movistar is the only company to earn the full score this year. Millicom-Tigo, however, disappointed by not publishing an updated transparency report with specific data from Colombia. ETB and DirecTV hold an intermediate position, rating slightly lower than in the last edition, while EMCALI remains behind.

Throughout the annual editions of this report, ETB, a company with public and private shareholders, has led significant shifts, showing openness to change and to upholding users’ rights. However, this year’s edition shows the ISP has to double down on its commitments if it wants to catch up with the two best-ranked companies.

An Outline of the 2019 Edition of ¿Where Is My Data?

The new report evaluates the same companies as the previous one, with the exception of Telebucaramanga, a local ISP acquired by Telefónica-Movistar in 2018. It has also toughened some of the assessment criteria. For example, regarding transparency reports, companies should not only publish them periodically, but also include more detailed information on government data and content blocking requests. New parameters in the privacy category also require ISPs’ policies to provide greater detail about personal data collection, processing, and retention obligations and practices. Moreover, ISPs’ internal procedures to hand over users’ data to investigation authorities should contain human rights safeguards in addition to being publicly available.

The report’s main findings are below. The full study with a detailed evaluation for each company is available in Spanish.

Each ISP was assessed in the following four categories: political commitments, privacy, freedom of expression, and digital security.

In the political commitment category, the report assesses, among other things, if the ISPs publish transparency reports with detailed information about government data and content blocking demands. In this category, Telefónica-Movistar and Claro meet all the parameters. ETB is right behind, but still doesn’t provide clear and detailed information about traffic and subscriber data, communications interception, and content blocking requests. Millicom-Tigo, DirecTV, and EMCALI fall short in this category, receiving the lowest score.

AT&T, DirecTV’s parent company, publishes a global transparency report, but it doesn’t provide specific information on requests received by the Colombian branch. As for Millicom-Tigo, the last transparency report the ISP published detailing Colombia’s government data and content blocking requests refers to 2017. 2018 and 2019 information can be found in more recent reports, but they aren’t available on the Colombian website and the figures are shown only per region. For South America, the reports aggregate data requests from Colombia, Paraguay, and Bolivia. Such reports, however, highlight that the country’s authorities demand direct access to companies’ mobile networks, preventing them from knowing the number of interception measures carried out on their mobile lines. By making the number of interception requests a requirement, this year’s report seeks to verify whether companies come clean about this surveillance practice. In essence, Millicom-Tigo, Telefónica-Movistar, and Claro explicitly mention this is taking place in Colombia.

Regarding privacy commitments, ISPs should publish data protection policies on their Colombian website detailing which data the company collects, how they are used, with whom they are shared, and for what reasons. They should also publicly disclose the legal obligation to retain users’ data and which data is retained and for how long, as well as the law enforcement guidelines followed when handing users’ data to government authorities. Finally, they should commit to notifying their users about government data requests.

Under this year’s stricter requirements for this category, no company received the full score. Telefónica-Movistar ranks best, followed by Claro, DirecTV, and Millicom-Tigo. DirecTV is the only one that mentions notifying users about government data requests, although the company’s policy describes it more as a “possibility” than as a commitment. In turn, Movistar and Claro best describe the procedure followed when handing users’ data to authorities.

For freedom of expression, companies should clarify the cases in which they have the legal duty to block content, and publish the procedures they adhere to when blocking content for legal or contractual reasons. They should inform users about the reason for the blocking and provide an appeals mechanism. Finally, they should provide public guidelines so that users know their rights and the rules they are expected to follow.

This year’s criteria push ISPs to shed light on how content blocking obligations are applied. Requests to block content may come from a judicial order, or the enforcement of legal online content restrictions regarding child exploitation and gambling. Companies have significantly improved the provision of such information compared to the previous edition, especially on child exploitation. Both Telefónica-Movistar and Millicom-Tigo earned the full score for detailing legal information, publishing the procedures they adhere to when blocking content, offering due process mechanisms, and providing public guidelines for users. Claro and ETB are a little behind, but still with good marks. Unlike the previous edition, Claro scored this year for providing public guidelines for its users.

Finally, on digital security, the report assesses whether the ISPs commit to notifying competent authorities and users in the case of a data breach, and if they disclose which measures the company can take to mitigate harms. Also, the report verifies whether ISPs use secure data transmission protocols (HTTPS) on their websites.

Telefónica-Movistar is the one that best provides information on how it addresses security incidents, and makes an explicit commitment to notify the country’s data protection authority about them.

These five years of Colombia’s reports have shown continuous progress, indicating that many ISPs have become more aware of their critical role in protecting users. As the report points out, companies’ enhanced commitments on transparency, due process, and user privacy are crucial to empower groups and individuals in knowing and exercising their rights.

https://www.eff.org/deeplinks/2020/03/new-where-my-data-report-five-years-holding-isps-accountable-colombia