Katitza Rodriguez of EFF reports:
Red en Defensa de los Derechos Digitales (R3D)—the leading Mexican digital rights organization—has released the 2016 ¿Quién defiende mis datos? report, which evaluates how well Mexican telecommunications companies protect their customers’ privacy. R3D’s second annual report examines publicly-available policies from eight of the biggest telecommunications companies: AT&T, Axtel, Izzi, Megacable, Movistar, Telcel, Telmex, and TotalPlay.
Initial industry-wide trends show that, while some Mexican telecommunications companies have stood up for user privacy when faced with governmental demands for user data, many have not. Furthermore, none of the telecommunications companies included in this report promise to notify their users, when it is legally possible, that their data has been requested by law enforcement. The telecommunications industry in Mexico has not yet caught up to the global industry standards that safeguard user data from unwarranted access and data retention demands.
Many of the companies in the report were not living up to their full potential. For example, Telmex and TELCEL had a full year to prepare for their inclusion in the ¿Quién defiende mis datos? report, but did not significantly improve their support for their users’ privacy and security. TotalPlay and Izzi have a lot of work to do to show their commitment to their customers, failing to earn any credit in any of the categories this year. This is disappointing, but we are optimistic that these companies will consider R3D’s report a wake-up call and step up to stand behind their users in 2017.
We recognize that shifts in industry practices take time. It took several years before EFF saw widespread changes in tech giants’ policies in response to EFF’s annual Who Has Your Back report. We hope that R3D’s 2017 ¿Quién defiende mis datos? report will find more of these companies adopting best practices and standing by their users.
In the meantime, we commend AT&T for leading the Mexican telecom industry in transparency reporting and appreciate Movistar for taking steps to improve its privacy practices and policies, and standing by its users.
R3D Key findings
AT&T, Axtel, IZZI, Megacable, Movistar, Telcel, Telmex, and Total Play all have privacy policies or notices available on their homepages. However, only AT&T and Movistar indicate which communications information they collect from their users. None of the companies indicate the duration for which personal data is stored.
AT&T, Megacable, and Movistar all have policies related to the procedures involved in collaborating with authorities for security and justice matters. However, AT&T is the only company that details the specific terms and legal requirements authorities must meet before it hands over its users’ data.
None of the companies promise to notify their users when they modify their privacy policies. They all impose that responsibility onto the customer who must then check the provider’s website periodically. None of the companies retain old versions of their privacy policies for the public to access, nor do they explain any of the changes that have been made to them over time.
Requiring a warrant
Only AT&T and Telmex explicitly require a warrant from authorities when they request access to user data. Although there was no publicly available information on whether the companies in this report demand a federal warrant when authorities request communications metadata, AT&T, Megacable, and Movistar have been known to reject such requests. According to the Federal Telecommunications Institute, in the first half of 2016, AT&T rejected nearly half of the 5,503 requests it received to access user data. Megacable rejected 64% of the 115 requests it received, and Movistar rejected only 7.9% of a total of 4,341 requests. Axtel and Telcel didn’t reject any requests for data. This is particularly disappointing since Telcel received the most data requests of any of the companies during that term (27,672 requests), and it seems quite unlikely that Telcel received nothing objectionable.
None of the evaluated companies have a publicly available policy that promises to notify users when their data has been handed over to authorities. Based on public information, R3D found that none of the companies challenged in court any legal impediment to notifying their users, or advocated for the creation of notification mechanisms in Congress or before the Federal Telecommunications Institute.
Only AT&T published an individual transparency report on governmental requests for data. Although we commend the transparency report, it is only available in English and does not offer enough information to determine the volume, origin, reasons, and reach of the requests, nor the number or identity of the authorities making the requests.
On the other hand, the Federal Telecommunications Institute reported that AT&T, AXTEL, Megacable, Telcel, and Movistar complied with their obligation to deliver a biannual report on the number of real-time geolocation and data registration requests they receive.
Commitment to human rights
There is evidence that AT&T appealed against illegal or abusive requests to access user data. Likewise, AT&T, Movistar, and América Móvil’s companies (Telcel and Telmex) have publicly acknowledged their business responsibilities towards human rights, including the right to privacy.
R3D found that companies did not engage in legislative advocacy or defend the right to privacy against other regulatory entities in 2016. AT&T and Movistar, however, are involved in a system that helps address their human rights responsibilities–both of them participate in the Telecommunications Industry Dialogue.
Right to access your own data
R3D’s staff filed requests with AT&T, Movistar, and Telcel to gain access to the personal metadata that these mobile companies had collected about them. However, none of the companies agreed to hand over the information. R3D subsequently filed a data protection request with the National Institute of Transparency, Access to Information, and Personal Data Protection (INAI), which determined that, in all cases, the metadata collected by the telecommunications service providers is personal data and therefore AT&T, Movistar, and Telcel should deliver the data to the users who request it. This is a bonus category that did not impact the overall evaluation. This category does not apply to Internet Service Providers.
Since AT&T, Movistar, and Telcel didn’t grant their users access to their stored communications data, these companies received a negative grade.