Red en Defensa de los Derechos Digitales (R3D) has released a report that compares Mexican ISPs’ transparency and privacy practices. The work parallels the Karisma Foundation’s report about Columbian ISPs’ transparency and privacy practices; both the Mexican and Columbian organizations’ reports are based on the Electronic Frontier Foundation’s “Who Has Your Back” reporting format. The format is designed to visually summarize the practices taken by Internet companies so that end-users can easily evaluate how companies protect their users.

This post briefly summarizes R3D’s findings and then proceeds to discuss whether Mexican companies’ transparency report genuinely enable corporate accountability. Based on academic literatures, a strong argument can be made that the aggregated Mexican transparency report that have been issued by the Mexican telecommunications companies does not make the companies particularly accountable to their customers. The post concludes by raising questions about the status of third-party comparisons of corporate privacy and transparency practices: why are intermediaries like R3D, Karisma Foundation, Electronic Frontier Foundation, or IX Maps so important? And what are the deficits of contemporary comparisons of corporate transparency and privacy practices?

Summary of R3D Findings

RD3’s report examines privacy policies and codes of practices from the eight Mexican telecommunications companies that, in aggregate, compose 98% of Mexico’s mobile, fixed line, and broadband markets. Out of a possible six ‘stars’ only one company (Movistar) received two stars (the most of any company); half for requiring a warrant for data requests, half for publishing a transparency report, and a full star for advocating for privacy. The worst company, Megacable, received just a half-star for requiring a warrant for data requests.

Companies could receive either a full star, half-star, quarter-star or no star in each of the categories that are noted in Figure One. The evaluation criteria for receiving these grades follows the figure.

Each of the categories was evaluated by R3D as follows:

1. Privacy Policy:  To earn a star, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and to describe the guidelines and procedures the company has in place when an authority requests the data. Partial compliance was rewarded with half a star.
2. Judicial Warrant: Companies earned a star in this category if they required the government to obtain a warrant from a federal judge before handing over communication either content or metadata. Compliance with this requirement for the content of communications but not for metadata earned a company a half star.
3. User Notification: To earn a star in this category, companies must promise to tell their customers of a government request at the earliest moment permitted by the law. They must also either challenge the laws prohibiting the notification of users or promoting a notification mechanism before Congress or other regulatory bodies.
4. Transparency: We award companies a star in this category if they publish a transparency report about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied, including details about the type of requests, the government agencies that made the requests and the reasons provided by the authority. Partial compliance is rewarded with a half star.
5. Defending Users in Court: This star recognizes companies who have challenged legislation that permits mass surveillance or surveillance allows government access without judicial safeguards, as well as those that have publicly confirmed that they have resisted overbroad government requests.
6. Public Opposition to Mass and Unchecked Surveillance: In this category, companies are rewarded for taking a public position against mass and unchecked surveillance and defending their position before Congress and other regulatory bodies. Also, this category credits company participation in mechanisms that recognize their responsibilities to respect human rights.

Mexican ISPs’ Transparency Reports

Unlike many jurisdictions, lusacell, Movistar, Nextel, and Telcel produced a single, aggregated transparency report through the Asociación Nacional de Telecomunicaciones (ANATEL). ANATEL’s transparency report,

only provides with a general number of requests made by authorities for the prosecution of crime, without providing detailed information about which type of requests have been received, which authorities made the requests or which reasons were given by authorities to make the request. The lack of detailed information does not allow users to know the scope and reach of government requests.

The ISPs’ decision to publish a combined transparency report arguably inhibits their subscribers’ abilities to hold the respective companies to account. Transparency reports are corporate accountability documents: they are public demonstrations in which companies recognize they ought to explain their actions to the public. Bovens, in “Analysing and Assessing accountability: A Conceptual Framework,” defines accountability as:

a relationship between an actor and a forum, in which the actor has an obligation to explain and to justify his or her conduct, the forum can pose questions and pass judgement, and the actor may face consequences.

If we take Bovens’ definition then we are left to ask: to what extent can the forum — the Mexican public — pose questions and pass judgement when transparency reporting information from a multitude of Mexican companies has been conjoined? Perhaps when the data is disaggregated it would reveal that one company disclosed far more information than all of the others. Moreover, by failing to provide detailed information about the types of requests the public is left wondering what kinds of surveillance ISPs are responding to, and the regularity at which such requests are being made. Further, because the companies have aggregated their transparency reports subscribers are limited in how they might impose consequences on the companies, such as by terminating their business relationship with companies that exhibit poor data stewardship behaviours. Consumers cannot know whether it makes sense to move to lusacell because of Movistar’s activities, or Telcel because of Nextel’s practices, or whether all of the providers exhibit the exact same behaviours. Consequently, by aggregating the transparency reporting information consumers really have received very little actionable information while, at the same time, the companies can claim that they are ‘taking a risk’ by being more transparent than their competitors…but without truly embracing the accountability that accompanies releasing holistic or, at the very least, individuated corporate transparency reports.

Broader Considerations

The analytical work conducted by R3D helps to visually summarize the variations between different companies’ privacy and transparency practices, and is particularly helpful in evaluating across cross-comparative work which adopts a similar analysis framework with similar data analysis categories. Work by organizations like R3D, the Karisma Foundation (which has analyzed Columbian ISPs), and IX Maps (which has analyzed Canadian telecommunications companies) offers a way for the public to quickly digest companies’ transparency and privacy information, and the brief discussions of findings that follow in each of these organizations’ reports explain the rationales behind the assigned ratings.

The work of these intermediaries matters. Academic research, such as by Amitai Etzioni (.pdf) and Jenny de Fine Licht, shows that the public relies on third-parties to intermediate transparency-related information; the information tends to only be accessible to specialists and must be couched in a broader context and analysis to provide useful information to generalists and the media alike. However, it remains to be seen whether analyses of telecommunications transparency reports enable consumers to impose consequences on companies: where companies have chosen to provide mixed or minimal information, or provided it in significantly different formats across a national industry category, the work of intermediaries is made more difficult. Moreover, when companies adopt different reporting standards — forcing intermediaries to interpret reports to make them comparable — the interpretations are more easily challenged by companies that are principally playing at being accountable. More specifically, the companies may agree with the analyses of intermediaries which provide a positive account of a company’s disclosures. Alternately, the companies may insist that intermediaries have badly interpreted the corporate transparency reports when the intermediaries conduct unfavourable analyses of corporate disclosures. In effect, an industry which refuses to adopt a common transparency reporting standard may be doing so intentionally, to prevent intermediary analysts or the public from being able to easily compare companies’ transparency practices.

To some extent, a longer list of questions (which are, also, each more detailed or specialized) can better tease out the differences between companies’ privacy and transparency practices: this is the approach adopted by IX Maps’ analyses of Canadian telecommunications companies’ transparency and privacy practices. As more detailed or nuanced categories are added to these ‘star charts’, however, the reports become more challenging for consumers to quickly parse. Moreover, it isn’t clear that more detail in the charts improves customers’  abilities, or reasons, to act based on the information the intermediaries have summarized.

While comparisons of corporate practices are essential for holding companies and the requesting government agencies to account it remains unclear just how accountable companies genuinely are: consumers typically lack legal recourse against the companies without showing direct harm and transparency reports do not typically reveal to individuals whether they have been affected by government surveillance activities. Moreover, while there is an emerging standard for comparing companies’ transparency and privacy practices emerging from North and South American it remains unclear whether this standard is the most appropriate for educating end-users, or whether more/less data categories would be more helpful for educational purposes. And it’s possible that an entirely different format would be more suitable than the currently-used star charts. And finally, even as the standards for comparing companies’ practices are emerging there is significant variation in how companies themselves disclose privacy- and transparency-related information; as such, the cross-comparative analyses performed of companies’ practices and transparency reports are challenged by the perhaps deliberate effort on the part of companies to not develop common transparency reporting practices that are agreed to within a multistakeholder forum.

NOTE: This post first appeared at the Telecom Transparency Project website.