Early findings from AMI requests

In June 2014, DSI and the Citizen Lab released the Access My Info tool, a web application that empowers Canadians to compel telecommunications service providers (TSPs) to explain and disclose what information they collect about subscribers, why it is collected and for how long, and to whom it has been disclosed. Other posts on this site describe the tool’s background and its design.

Several months after advocacy group OpenMedia implemented it, AMI has been accessed over 50,000 times and enabled thousands of Canadians to file right to information requests. Several requesters shared their TSP’s responses with DSI and Citizen Lab researchers.

We analyzed these documents along with anecdotal reports and conversations with telecommunications industry insiders to assess the impact of AMI on making public previously unclear industry data handling practices, and its ability to highlight consumer demand for access to personal information.

A full report of our early findings is forthcoming in the Winter 2014 edition of the Privacy and Access Council of Canada’s Winston Report. A prepublication version of the article is publicly available at SSRN. Our analysis found that Canadian TSPs responded to standardized access requests in varying ways across several different themes, which are summarized below.

To begin, TSPs differed in their chosen methods of delivering their responses. Responses were sent through registered mail, email, a special code that provided access to a web download, and finally through telephone calls that appeared intended to pressure requesters to abort their efforts. Emergent from this set of response methods, we concluded that there is  a lack of standardization across the industry for responding to these requests, which does little to help consumers know what to expect upon filing such requests.

TSPs responded to specific questions with differing degrees of detail. Moreover, they occasionally used terms that could be misleading to consumers. For example, in response to a question about retention of IP addresses, Fido initially stated that it does not “collect” the IP addresses of sites visited by its customers, but later clarified that it in fact does not “retain” the records. In contrast, TekSavvy directly stated that it does not “log” that information, implying that it does collect, but does not retain the data. Several other companies failed entirely to address the issue of visited IP address data retention. Without a common set of industry terms consumers may have difficulty making informed comparisons between TSP practices.

When TSPs were asked whether or not they had provided customer personal data to third parties, including government agencies, they tended not to provide unqualified “yes” or “no” responses. Instead, they stated they did not provide data to third parties without customer consent, and then listed several exceptions. In particular, TSPs stated they would disclose information if compelled to by law, but companies varied as to what specific laws and regulations were cited in these exceptions. Furthermore, such stated legal obligations may not be universally understood to be as all-encompassing as certain TSPs seemingly claimed them to be.

Finally, TSPs varied in the fees they requested in order to obtain specific historical data; some demanded large fees while others failed to directly address those requests. This was particularly apparent in the request for IP addresses that had been previously associated with a user’s device. Koodo indicated that it would cost upwards to $1,200 to access data, and Rogers up to $5,000. A common justification among TSPs was that fulfilling the requests would be time consuming and costly, and require retrieving data from disparate systems. As such, it appears as though TSPs were offsetting their costs for complying with Canadian privacy law to the consumers exercising their rights.

We have observed that Access My Info enabled Canadians to obtain (with varying degrees of specificity) basic information about their TSPs’ data handling practices. When TSP responses are made available to researchers or published by requesters themselves, it can add to public knowledge about such practices and complement other transparency-seeking methods such as public letters, ATIP requests, working with members of parliament, and interviews with expert practitioners.

Each TSP responded differently to identical access requests. A standard way for industry to respond to such requests would be useful for citizens and other interested parties to effectively compare the data practices of companies. TSPs could also proactively publish data retention schedules and other, specific, corporate data handling practices publicly either in privacy policies or (ideally) in company transparency reports. This could increase public understanding about such practices and therefore reduce the number of consumers issuing right to information requests.

AMI users, related privacy initiatives, public attention to privacy issues following Edward Snowden’s disclosures, and parliamentary proceedings about TSP disclosures of personal information to government have all placed pressure on TSPs in 2014. Such pressures have corresponded with the unprecedented release of transparency reports by the following major telecommunications providers: Rogers, TELUS, TekSavvy, and SaskTel. In particular, both TELUS and TekSavvy noted that efforts by the Citizen Lab played a role in the development and release of their reports.

Future work on AMI could help improve its public reporting capability. Currently the tool does not collect any data associated with an end user’s request. As such, we do not have representative statistics about its usage. Incorporating a privacy-protective reporting mechanism into AMI could help researchers to better understand the tool’s usage. Another area of future work is the development of a structured data format to represent an access request. Such a format could be standardized to let companies develop better processes to efficiently and promptly respond to requests.

Access My Info is premised upon law that was written largely before the Internet became an integral part of most aspects of daily life. By empowering Canadians to learn about how their TSPs handle personal information, AMI works to bring analogue law into a digital present.

If you would like to request that your TSP provide you with access to your personal information, consider creating your request with AMI.