Internet providers may sell user histories

Update (30 April 2007): Rogers is through answering my emails. In their latest message to me, they implied that they had said all they wanted to and that further questions should be directed to The Office of the Privacy Commissioner of Canada:

The Office of the Privacy Commissioner of Canada oversees Rogers’ personal information handling practices. If your privacy concerns are not addressed to your satisfaction by Rogers you may contact the Office of the Privacy Commissioner of Canada for further guidance

So, Rogers doesn’t want to consider the subject further. The reasoning is this: if the Privacy Commissioner thinks Rogers handles privacy adequately, so should Rogers’ customers.

I encourage those of you who are customers of Rogers (there may not be many of you, as the majority of this blog’s readers are American) to call them or email them for a real answer. When pressed by actual customers, Rogers is probably more likely to be responsive.

Update (23 April 2007): Rogers replied a week and a half ago with this (I apologize for the delay in posting and for the strange quote marks and other typographical oddities that have appeared in this post as a result of my use of a foreign keyboard):

Please note that Rogers does not sell nor release any confidential subscriber information, to anyone outside Rogers line of companies (who basically share the information for the purpose of providing excellent customer service to our subscribers). The private account information of our subscribers is never fraudulently used to jeopardize customer privacy concerns.

With regard to internet usage, the information is kept on the database to ensure that bandwidth is not abused. This allows us to provide high level of performance for all subscribers. The IP addresses are dynamic and can change at anytime. Also, any personal subscriber account details are only released with a court order.

As with the email I received from Shaw, this message from Rogers avoids some of the most pertinent questions I and this site’s readers would like answered (“how long does Rogers store data on its subscribers’ internet usage?” for example, or “how long are logs of what IP addresses were assigned to which customer kept?”).

I admire Rogers’ refusal to sell or release confidential subscriber information, but I worry that the company’s definitions of “subscriber information” and “personal subscriber account details” don’t include internet histories. Also, if the company keeps records of bandwidth usage, it must have a way of identifying users’ internet histories even though IP addresses are dynamic. So that bit about dynamic IP addresses was, I think, a lot of smoke.
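The point about dynamic addresses, as an added example (not from the original post, and not any ISP's actual system): when per-IP usage records are kept alongside a log of which account leased which address and when, joining the two attributes traffic to an account, and the lease-log retention period decides how far back that works. The account names, addresses, timestamps and retention window below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: addresses are from the RFC 5737 documentation range.
LEASES = [  # (ip, account, lease_start, lease_end)
    ("203.0.113.7", "acct-A", "2007-04-01T00:00", "2007-04-01T12:00"),
    ("203.0.113.7", "acct-B", "2007-04-01T12:00", "2007-04-02T00:00"),
    ("203.0.113.9", "acct-A", "2007-04-01T12:00", "2007-04-02T00:00"),
]
FLOWS = [  # (timestamp, subscriber_ip, bytes)
    ("2007-04-01T08:30", "203.0.113.7", 5000),
    ("2007-04-01T13:10", "203.0.113.7", 7000),  # same IP, different customer
    ("2007-04-01T14:00", "203.0.113.9", 1200),  # same customer, different IP
    ("2007-04-01T15:00", "203.0.113.8", 900),   # no lease on record
]

def parse(ts):
    return datetime.fromisoformat(ts)

def attribute(flows, leases, now=None, lease_retention=None):
    """Map each flow to the account that held its IP at that moment.

    If lease_retention is given, leases that ended before
    now - lease_retention are treated as already purged.
    """
    kept = []
    for ip, account, start, end in leases:
        s, e = parse(start), parse(end)
        if lease_retention is not None and e < now - lease_retention:
            continue  # lease record aged out; the link to the account is gone
        kept.append((ip, account, s, e))
    attributed = []
    for ts, ip, nbytes in flows:
        t = parse(ts)
        owner = next((a for lip, a, s, e in kept
                      if lip == ip and s <= t < e), None)
        attributed.append((ts, ip, owner, nbytes))
    return attributed

def usage_per_account(attributed):
    """Total bytes per account; the key None collects unattributable traffic."""
    totals = {}
    for _, _, owner, nbytes in attributed:
        totals[owner] = totals.get(owner, 0) + nbytes
    return totals

if __name__ == "__main__":
    print(usage_per_account(attribute(FLOWS, LEASES)))
    now = parse("2007-04-02T06:00")
    print(usage_per_account(
        attribute(FLOWS, LEASES, now=now, lease_retention=timedelta(hours=12))))
```

With every lease record retained, all traffic except the flow with no lease resolves to an account despite the address changes; with a 12-hour lease-log retention, the earliest flow can no longer be tied to anyone.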

What I’d like to see from each of these ISPs, although I may not get it, is a specific confirmation or denial of the practice of selling users’ internet histories. It seems to me that none of what Rogers (or any of the others) has said thus far prohibits this.

Update (6 April 2007): Rogers has not yet responded; Telus emailed me to say they are thinking the matter over (which I think is fair); Shaw dodged the questions with this answer:

The questions you asked do not directly relate to customers [sic] personal information (i.e. data relating to an IP address is not personal information as long as it is not associated with a particular customer account) and would require that we disclose confidential business information proprietary to Shaw. Therefore, we confirm that we are not in a position to provide responses to your questions, except for question 6.

In response to question 6 [Does Shaw sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?], we advise that Shaw does not sell Internet usage data to third parties.

Shaw’s privacy policy is fairly thorough and is, I think, a good effort. However, the way that Shaw answered the questions I sent them reveals the limitations of the company’s privacy policy. Shaw’s policy describes how “Personal Information” (a category that includes customers’ names, addresses, telephone numbers, gender, credit information, payment records, and correspondence sent by the Customer to Shaw) is protected, but it appears that the company doesn’t consider “data relating to an IP address” to be personal information. Perhaps Shaw feels that as long as a customer’s name is stripped from the data, it has been thoroughly anonymized and is fit for treatment not mentioned in the privacy policy. But we know this type of anonymization isn’t good enough. The New York Times made this pretty clear in its 2006 article, “Face Is Exposed for AOL Searcher No. 4417749”, published after AOL released what it thought were anonymized search terms.

I’ll press for more detailed answers from Shaw, and hopefully get something from Telus and Rogers soon.

————————

Original article:

Last year, when AOL was caught out for publishing its users’ search terms and phrases, many people, including me, were surprised at how much harm can be done when internet usage data, even seemingly anonymized data, is not kept confidential by those who necessarily have access to it. Internet Service Providers, or ISPs, can collect a lot of personal information about you just by keeping track of the websites you visit. It’s important, then, to know what information ISPs collect, how long they keep it, and to whom they show or sell it.

12 days ago, Ryan Singel, writing for a Wired blog, wrote that

ISPs are selling data history of their users, according to co-founder of web analytics firm, Compete, David Cancel, who told a panel of conference attendees on Tuesday that his company buys such data. Cancel says the data does not include IP addresses, but that’s not enough to truly anonymize it, as click stream data can include searches that identify a user.

Recently, Ryan has been asking questions of some of the big American ISPs (like Comcast and Verizon) to find out if any of them are selling their users’ internet usage logs. So far, AOL and Cox have answered up (with results posted in a handy web-spreadsheet visible at the page linked to above), but others haven’t. To get complete information from all of the ISPs, Ryan says

We’re asking those of you who are customers of the non-responsive ISPs to call, write, FTP or IM or Twitter your ISP and ask them to clarify how they use, store or even sell data about you. Report the results back and we’ll add it to the spreadsheet.

What to ask your ISP

Ryan has made it easy to ask your ISP what it’s up to. Along with the phone numbers and email addresses of major American ISPs, he’s written a list of questions to ask them, and I’ve reposted them here (feel free to copy and paste, then email to your ISP; change “ISP NAME” to your ISP’s actual name if you’re feeling ambitious):

What kind of information does ISP NAME collect on its customers’ Internet use?

How long does ISP NAME store data on its subscribers’ internet usage?

What are the policies for storing clickstream data? What about e-mail and instant message usage? FTP or bittorrent usage?

How long are logs of what IP addresses were assigned to which customer kept?

What data security precautions protect the information ISP NAME collects?

Does ISP NAME sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?

If not, what portions, if any, of your privacy policy specifically prohibit this?

Has ISP NAME been contacted or in communication with the Justice Department about data retention?

Congress may contemplate mandatory data retention rules for ISPs and other large internet companies. What is ISP NAME’s position on such legislation and is the company lobbying Congress on this issue?

Does ISP NAME require federal, state and local agencies to provide subpoenas, court orders, or national security letters to get data from ISP NAME, or does company policy allow law enforcement and other government agencies to get data based only on a request?

Canadian ISPs

Shaw, Rogers, and Telus are the big internet service providers in Canada, and, since I live in Canada, I sent an email to all three. I’ll report whatever results I get here as well as on Ryan’s blog. If you want to email any of the Canadian ISPs, you can find their submittable help forms here: Shaw, Rogers, and Telus. If you send an email and get any sort of answer, post it in the comments below or in the comments on Ryan’s blog, called 27B Stroke 6. Just to make it ridiculously easy to send an email, I’ve altered the forms (only slightly) to be Canada-specific:

Shaw

What kind of information does Shaw collect on its customers’ Internet use?

How long does Shaw store data on its subscribers’ internet usage?

What are the policies for storing clickstream data? What about e-mail and instant message usage? FTP or bittorrent usage?

How long are logs of what IP addresses were assigned to which customer kept?

What data security precautions protect the information Shaw collects?

Does Shaw sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?

If not, what portions, if any, of your privacy policy specifically prohibit this?

Has Shaw been contacted or is it in communication with any Canadian governmental or judicial branch about data retention?

Parliament may contemplate mandatory data retention rules for ISPs and other large internet companies. What is Shaw’s position on such legislation and is the company lobbying parliament on this issue?

Does Shaw require federal, provincial and local agencies to provide subpoenas, court orders, or national security letters to get data from Shaw, or does company policy allow law enforcement and other government agencies to get data based only on a request?

Rogers

What kind of information does Rogers collect on its customers’ Internet use?

How long does Rogers store data on its subscribers’ internet usage?

What are the policies for storing clickstream data? What about e-mail and instant message usage? FTP or bittorrent usage?

How long are logs of what IP addresses were assigned to which customer kept?

What data security precautions protect the information Rogers collects?

Does Rogers sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?

If not, what portions, if any, of your privacy policy specifically prohibit this?

Has Rogers been contacted or is it in communication with any Canadian governmental or judicial branch about data retention?

Parliament may contemplate mandatory data retention rules for ISPs and other large internet companies. What is Rogers’s position on such legislation and is the company lobbying parliament on this issue?

Does Rogers require federal, provincial and local agencies to provide subpoenas, court orders, or national security letters to get data from Rogers, or does company policy allow law enforcement and other government agencies to get data based only on a request?

Telus

What kind of information does Telus collect on its customers’ Internet use?

How long does Telus store data on its subscribers’ internet usage?

What are the policies for storing clickstream data? What about e-mail and instant message usage? FTP or bittorrent usage?

How long are logs of what IP addresses were assigned to which customer kept?

What data security precautions protect the information Telus collects?

Does Telus sell internet usage data? What kind of data? If so, how is it anonymized and to whom do you sell it? What language in your privacy policy discloses this?

If not, what portions, if any, of your privacy policy specifically prohibit this?

Has Telus been contacted or is it in communication with any Canadian governmental or judicial branch about data retention?

Parliament may contemplate mandatory data retention rules for ISPs and other large internet companies. What is Telus’s position on such legislation and is the company lobbying parliament on this issue?

Does Telus require federal, provincial and local agencies to provide subpoenas, court orders, or national security letters to get data from Telus, or does company policy allow law enforcement and other government agencies to get data based only on a request?

2 Comments »

  1. Comment by 12 — 15 February 2012 @ 11:08 am

    Did you get an answer from the 3 ISPs?

  2. Comment by Ian Saxon — 16 February 2012 @ 5:38 am

    Not beyond what I’ve mentioned here.
