IPANDETECs Report on Panamas ISPs Show Improvements But More Work Needed to Protect Users Privacy
IPANDETEC, the leading digital rights organization in Panama, today released its second annual Who Defends Your Data" (¿Quién Defiende Tus Datos?) report assessing how well the country’s mobile phone and Internet service providers (ISPs) are protecting users' communications data. While most companies received low scores, the report shows some ISPs making progress in a few important areas: ensuring
payment processing services and websites are secure, requiring law enforcement to obtain warrants before accessing user data, and publicly promoting data privacy as a human right. Regarding the latter, all ISPs surveyed are working on an agreement to provide Internet connection to students and persons affected by the COVID-19, a welcome development as many are struggling without Internet access during the pandemic. IPANDETEC looked at the privacy practices of Panama’s main mobile companies: Claro (America Movil), Digicel, Más Móvil (a joint operation between Cable Wireless Communications and the Panamanian government, which owns 49% of the company), and Tigo, the new name for Movistar, the brand owned by Spain’s Telefonica whose assets were sold to Millicom International last year. ¿Quién Defiende Tus Datos? is modeled after EFF’s Who Has Your Back report, which was created to shine a light on U.S. ISPs’ policies for protecting users’ private information so consumers could make informed choices about what companies they should entrust their data to. Internet access and digital communications are part of everyday life for most people, and the companies that provide these services collect and store vast amounts of private information from their customers. People have a right to know if and how their data is being protected—that’s why IPANDETEC and other digital rights organizations across Latin America and Spain are evaluating and reporting on what ISPs publicly disclose about their data protection practices. ISPs in Panama were evaluated on seven criteria concerning data protection, transparency, user notification, judicial authorization, defense of human rights, digital security, and law enforcement guidelines. Complete descriptions of what the categories include are provided later in this post. Main Findings
Tigo, previously called Movistar, scored the highest, achieving full or partial stars in five of the seven categories assessed. It was the only company in the survey to receive a full star for stating that it requires law enforcement agencies seeking user data to first obtain a warrant. Tigo was also the only company to receive some credit for providing partial information about procedures for law enforcement requests for customer data—this is largely owing to the fact that its current parent company Millicom publishes a policy for assisting law enforcement. But the document refers to a global policy; Tigo’s local policy in Panama isn’t clear, so it received a quarter of a star. Tigo was also the only company to receive partial credit in the data protection policy category. The other companies provide some information about data collection from visits to their websites and use of their apps, but not about data collected from their regular Internet or mobile phone services. Más Móvil says its contracts with customers provide information about privacy and data protection. But these contracts aren’t made public. How companies collect, use, share, and manage customers' personal data should be publicly disclosed so it’s available to people before they choose a telecom operator. Tigo, through Millicom, discloses only some information about data collection policies for online services and received a quarter of a star. Claro had the second-highest score, with one full star in the digital security category and half stars in the defense of human rights and judicial order categories. In the latter category, the company’s global policy is to only comply with law enforcement requests for users’ content and metadata when there’s an order from “the competent authority.” The global policy isn’t available on Claro’s local Panama business website, and Claro’s policy for Panama is less precise about a warrant requirement, hence the awarding of a half star. Claro received a full star in the digital security category, an improvement over last year, by committing to using HTTPS on its website and for processing online payments. A big problem revealed by the report is a general lack of transparency about privacy and security practices by ISPs in Panama. None of the ISPs surveyed received credit for publishing a transparency report. Tigo’s previous and current parent companies, Telefonica and Millicom, respectively, didn’t include information about their mobile Panamanian businesses in their transparency reports because the Movistar sale transaction was in progress. As such, Tigo received no stars in the transparency report category. We hope to see that change in the next report, not just for Tigo but for the other companies as well. The lack of transparency reports isn’t the only disclosure flaw among Panama’s leading ISP’s. None commit to notifying users when the government gets access to their data, according to IPANDETEC’s study. The specific criteria for each category and the final results of the study are below. For more information on each company and Panama’s ICT sector, you can find the full report on IPANDETEC’s website. Data Protection: Does the company post a document detailing its collection, use, disclosure, and management of personal customer data?
The data protection policy is published on its website The policy is written in clear and easily accessible language The policy details what data is collected The policy establishes the retention period for user data
Transparency: Does the company post an annual transparency report listing the number of government requests for customer data they’ve received, and how many were accepted and rejected?
The company publishes a transparency report on its website The report is written in clear and easily accessible language The reports contain data related to the number and type of requests received, and how many were accepted
User Notification: Does the company promise to notify users when the government requests their data?
The company states it will notify users when the government accesses their information as soon as the law allows
Judicial Authorization: Does the company explicitly state it will only comply with authorities’ request for user data if they have a warrant?
The company states in its policies that it requires a warrant before law enforcement can access the content of users' communications The company rejects requests by law enforcement that violate legal requirements
Defense of Human Rights: Does the company publicly promote and defend the human rights of their users, specifically the privacy of their communications and protection of their personal data?
The company promotes user privacy and data protection through campaigns or initiatives The company supports legislation, impact litigation, or programs favoring user privacy and data protection The company participates in cross-sector agreements promoting Human Rights as a core tenant of their business
Digital Security: Are the company’s website and online payment service secure?
The company uses HTTPS on its website The company uses HTTPS when processing payments online
Law Enforcement Guidelines: Does the company outline public guidelines and legal requirements required for law enforcement requesting customer data?
The company publishes guidelines for law enforcement data requests.
Conclusion The report shows that all four ISPs surveyed support the idea that user privacy and data protection are human rights. The best way for companies to prove their commitment to this principle is by doing a better job at protecting their customers’ private information and being more transparent about how they collect, use, and share their data. We hope to see improvements across all categories in the next report.
Author: Veridiana Alimonti
Date: 2020-10-30
eff.org
| We Fight For the Users: An Appreciation of IETF’s RFC 8890 (2020-10-09) | Here at the Electronic Frontier Foundation we have a guiding motto: I Fight For the Users We even put it on t-shirts from time to time! We didnt pick that one by accident nor merely because we dig the 1982 classic film Tron but because it provides such a clear moral compass when we sit down to work every day Should your boss be able to spy on you through your computer? Well youre the user and we f.. |
| Tell Trump’s Patent Office Director: Don’t Make Permanent Rule Changes Now (2020-11-12) | In the final days of the administration Andre Iancu President Trumps Director of the US Patent and Trademark Office is trying to push through permanent rule changes that would destroy the post-grant review system Iancu is going all out to weaken inter partes review proceedings or IPRs which are the most effective mechanisms we have for getting the Patent Office to cancel patents it never should ha.. |
| Election Security: When to Worry, When to Not, and the Takeaway from Antrim County, Michigan (2020-11-10) | Everyone wants an election that is secure and reliable With technology in the mix making sure that the technology supports this is critical EFF has long-warned against blindly adopting technologies that can be easily manipulated or fail without having systems in place to test secure and catch problems including through risk limiting audits At the same time not every problem is worth pulling the fi.. |
| The Last Smash and Grab at the Federal Communications Commission (2020-10-27) | ATT and Verizon secured arguably one of the biggest regulatory benefits from the Federal Communications Commission FCC with the agency ending the last remnants of telecom competition law In return for this massive gift from the federal government they will give the public absolutely nothing A Little Bit of Telecom History When the Department of Justice successfully broke up the ATT monopoly into r.. The Last Smash and Grab at the Federal Communications Commission |
| Introducing “How to Fix the Internet,” a New Podcast from EFF (2020-11-12) | Today EFF is launching How to Fix the Internet a new podcast mini-series to examine potential solutions to six ills facing the modern digital landscape Over the course of 6 episodes well consider how currenttech policy isnt working well for users and invite experts to join us in imagining a better future Hosted by EFFs Executive Director Cindy Cohn and our Director of Strategy Danny OBrien How to .. |
| Peru’s Third Who Defends Your Data? Report: Stronger Commitments from ISPs, But Imbalances, and Gaps to Bridge. (2020-10-21) | Hiperderecho Perus leading digital rights organization has launched today its third Quin Defiende Tus Datos? Who Defends you Data–a report that seeks to hold telecom companies accountable for their users privacy The new Peruvian edition shows improvements compared to 2019s evaluation Movistar and Claro commit to require a warrant for handing both users communications content and metadata to the g.. Peru’s Third Who Defends Your Data? Report: Stronger Commitments from ISPs, But Imbalances, and Gaps to Bridge. |
| Action for Egyptian Human Rights Defenders (2020-12-02) | The undersigned organisations strongly condemn the persecution of employees of the Egyptian Initiative for Personal Rights EIPR and Egyptian civil society by the Egyptian government We urge the global community and their respective governments to do the same and join us in calling for the release of detained human rights defenders and a stop to the demonisation of civil society organisations and h.. |
| Sen. Ron Wyden Joins EFF on December 10 for Fireside Chat About the Future of Free Speech (2020-12-02) | Coauthor of Section 230 Wyden Will Address Calls to Repeal the ProvisionSan FranciscoSen Ron Wyden a fierce advocate for the rights of technology users will join EFF Legal Director Corynne McSherry on Thursday December 10 for a livestream fireside chat about the fight to defend freedom of expression and innovation on the webWyden is an original framer of Section 230 one of the legal pillars of the.. |
| Defending Fair Use in the Omegaverse (2020-10-27) | Copyright law is supposed to promote creativity not stamp out criticism Too often copyright owners forget that especially when they have a convenient takedown tool like the Digital Millennium Copyright Act DMCA EFF is happy to remind them as we did this month on behalf of Internet creator Lindsay Ellis Ellis had posted a video about a copyright dispute between authors in a very particular fandom n.. |
| Elections Are Partisan Affairs. Election Security Isn’t. (2020-11-16) | An Open Letter on Election Security Voting is the cornerstone of our democracy And since computers are deeply involved in all segments of voting at this point computer security is vital to the protection of this fundamental right Everyone needs to be able to trust that the critical infrastructure systems we rely upon to safeguard our votes are defended that problems are transparently identified as.. |
