Ever wondered how long your telecom provider retains your user data? Or if law enforcement has requested your records?
At the beginning of May, Christopher Parsons, a prominent privacy expert and a researcher at the Munk School of Global Affairs' Citizen Lab, posted a form letter to his blog. Readers could take the letter, make a few edits, and send it along to their cellphone or internet service provider asking for all of their records, activity and information (call logs, IP addresses, text message metadata and more) that had been tracked, collected, and retained.
The letter was great for eager privacy-minded people like myself, who didn't want to wait for what Parsons was preparing next: an online tool, co-created with the Digital Stewardship Initiative, intended to simplify and streamline the process of asking a telecom company for one's personal information.
Typically, that process involves sending a letter or email to a company's privacy or legal department, but it can be daunting for users who may not know what, exactly, to request. So for those less fluent in legalese, there's now officially an online app to ask your ISP just what they're holding on you. And I used it to try to find out what my ISPs, Telus and TekSavvy, do with the data they collect.
This "Access My Info" tool was launched in June, and now, responses have started to trickle back in.
"We're starting to be able to compare and contrast some of the larger companies' responses," Parsons said.
Using either Parsons' form letter or the AMI tool, subscribers can request that their telecom providers clarify the types of data they collect, tell them how long they retain such data, provide copies of relevant records, and say whether their information has been disclosed to law enforcement or government agencies. But perhaps unsurprisingly, policies and practices tend to differ from one provider to the next.
"I think that the letters from TekSavvy are comprehensive. They're not trying to play games," Parsons said, referring to the responses sent out by one of Canada's smaller internet service providers. "They're actually taking seriously the questions that individuals are making and not trying to blow them off. That stands in variance with, I would say, almost every other member of the industry."
Parsons said that in other responses, "the detail that is present, or is more often the case, absent, is really quite breathtaking. The only thing I have from Bell is a one page sheet that's almost worse than useless. It almost doesn't respond to the customer's question."
Parsons told me that discerning how long certain types of data are retained has proven particularly hard, for example.
"Retention schedules matter. How long you store data should not be a top secret corporate secret, because it's about citizens," said Parsons. "Here we're talking about basic, basic, basic privacy information. How long do you store information about me? None of these companies aside from TekSavvy have tried to comprehensively respond to that question."
Telus, in its response to my request, says it will retain logs of IP addresses that I've been assigned or connected to (including the port used) for "a limited period of time for network management purposes," which is up to 90 days. Text message metadata is retained for "approximately" 150 days (but not the content of those messages, which isn't collected or retained at all). Call records are retained for 13 months, and copies of bills are retained for approximately seven years.
Rogers, which along with Bell is one of Canada's biggest telco providers, has confirmed some (though not all) of the data that it collects, according to Parsons, including call records, which are retained for seven years, and SMS metadata, which is retained for 13 years. How long device IP logs are retained, however, is unknown.
Curiously, according to Parsons' research, no cellular provider has volunteered to provide cell tower logs or information on the nearby cellular towers that a phone or device is connected to, along with signal strength, which can also be used to determine the location of a device.
Telus says it retains such data for 14 months, but would not make this data available to me for commercial reasons. Rogers told Parsons it did not collect such data at all. He finds it hard to believe that such information wouldn't be logged, even for law enforcement purposes.
Another source of frustration is how most telecom providers are interpreting the section of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) that dictates whether or not they can disclose to subscribers whether their information has been requested and given to law enforcement or government agencies.
In the US, there is no federal, PIPEDA-style framework for information requests, and the privacy policies on the websites of big US telcos don't list steps or procedures for requesting one's data.
Even retention policies for big telcos in the US weren't revealed until 2011, and only as the result of a Justice Department internal memo obtained through a FOIA request. The closest equivalent is a California law enabling subscribers to request a list of cases where their data has been shared with a third party in the last year.
Almost all of Canada's telecom providers have interpreted PIPEDA to include a gag order, which prevents them from saying whether a subscriber's information has been requested by police.
Only TekSavvy thus far has chosen to interpret this section differently. In their response to my request, for example, TekSavvy wrote, "To this point, TekSavvy has not disclosed records containing your information to any state agency, nor to any third party."
If there's one encouraging result of all this, it's that Parsons' initial form letter and the AMI tool have prompted a flurry of activity the likes of which Canadian telecom companies had not previously seen.
In TekSavvy's response to my request, Chief Legal and Regulatory Officer Bram Abramson noted that mine was "the first of an unusual flurry of very broad templated access requests we received for all records containing personal information. This flurry significantly exceeds the total number of such requests TekSavvy Solutions Inc. ("TekSavvy") has received in its history as a company."
While Parsons doesn't have exact numbers, he knows that over 50,000 people have visited the OpenMedia site hosting the AMI tool so far, and that "one large telecom informed me that they had received thousands upon thousands of requests."
"We don't, however, know if that's similar to the other members of the industry or the precise number of 'thousands' they were referring to," he added.
The next step for Parsons, Citizen Lab and the Digital Stewardship Initiative is to take all of the responses that Canadians have chosen to share with researchers, and compile the results into more digestible data—what Parsons terms "company summaries." The intent is to distill each company's policies and practices on data collection, retention and responding to law enforcement and government requests into short, useful reports that subscribers can use to compare providers.
You can still request your own data from your internet or cellular provider using the AMI tool.