When it comes to food, we want to know what we’re eating. Where it came from, what’s been added, how it’s processed, when it goes bad.
Hence, food labels. Food labels that must be accurate, truthful and not misleading. Federal legislation protects our food system and us.
Concerns about what data is consumed by big tech and social media are leading to calls to bring the same level of information, transparency, and protection to the digital ecosystem.
We’re all used to reading tech specs about a product’s processor speed, screen resolution, and bandwidth capabilities. How about a spec sheet detailing a social media company’s internal data security protocols? Or a list of third-party aggregators a telecom company hires to handle our personal information?
Much like the Apple App Store’s introduction of privacy labels, and Google’s announcement of a “safety” section in its Play outlet, app makers need to share what personal data are collected and how our personally identifiable information is being used.
Despite some shortcomings in privacy labelling, the trend is clear. Openness, transparency and information are trending.
With apps and ISPs.
New Broadband Nutrition Labels are coming that display “critical” information about Internet Service Provider price plans, data levels, service agreements and more. In the U.S. the Federal Communications Commission (FCC) is moving ahead with public consultations on the proposed mandate.
One advocacy group has already said the regulator should make sure that the privacy practices of Internet Service Providers (ISPs) are also on the label, because the ability to amass enormous volumes of personal information for various purposes – some business, some legislated, some as yet undetermined – has never been greater.
The release of collected customer data to third parties (some are commercial, some may be security or governmental), the collection of more customer data than is needed to provide the basic service (data can be collected at the individual, account, or device level), and the ability of customers to opt out of such data practices (without losing service or features as a result) should be clearly and comprehensibly described by the provider, says the Electronic Privacy Information Center (EPIC).
EPIC has unveiled proposed labels that include simple yes/no checkboxes regarding providers’ data collection and disclosure practices, as well as more detailed ways to inform customers about providers’ data collection, data retention, and data disclosure practices.
In Canada, we don’t have broadband service labels, but we do have a Code.
The Internet Code, established by the country’s telecom regulator, is a mandatory code of conduct for providers of retail Internet services for individual customers.
Our CRTC wrote the Code to ensure that customers get clarity in their interactions with ISPs about pricing, bundles, promotions, and time-limited discounts, as well as in matters like service calls, outages, security deposits, and disconnections.
But the Code does not specifically address data privacy issues, even though the value and importance of the information collected by ISPs is recognized, and that there can be failure by ISPs to effectively disclose details about data collection and use.
ISPs in Canada and elsewhere often manage their systems using Internet Traffic Management Practices, which can slow an individual customer’s data traffic or detect heavy users in order to limit their bandwidth. Such customer identification is deemed legitimate business practice, as long as the ISP is transparent about what they do and that customers are aware as to how their traffic will be managed.
Beyond competitive business motivations, there are legal requirements for ISPs to collect and retain information about their customers for six months (12 in cases of court proceedings) for the notice-and-notice copyright protection system in Canada, and proposals for ISPs to become gatekeepers in matters of access to online pornography, potentially increasing the age- and identity-sensitive data they collect. An Internet customer’s IP address has been deemed to be personal information, particularly when combined with other collected data.
As far as data practices, again, no labels to read in Canada, but request forms to fill out.
Under federal legislation known as the Personal Information Protection and Electronic Documents Act, Canadians can request complete records of the personal information held about them by the companies providing them services. We can ask questions about our data and correct misleading or false information if necessary.
Such requests (called DARs, for Data Access Requests) are legally-binding, but often encumbered by bureaucratic obstacles, not the least of which is knowing what exactly to ask for.
Access My Info is a project designed to help us understand what we should ask and what we can learn about a company’s data practices and the personal information held by a company. It seeks to explain and even expedite the DAR process.
Developed by security researchers from Citizen Lab at the University of Toronto, the AMI project and online tool can be used to make a personal data request of any number of Canadian companies, with telecom providers among them. In that case, the tool lets you request they info they have about your phone records, web browsing history, geolocation data and device identifiers.
In addition to telecom providers, Citizen Lab also applied the AMI tool to popular fitness trackers and online dating services. There’s a detailed report on its research into DARs, and the results they obtained through such requests, available online.
It’s a pdf, though, not a label. But this chart from the report could be a good one on its own: