U.S. internet service providers get green light to sell user
data — but what about Canada?
ISPs here can only share your personal information with your express
consent
Privacy protections designed to prevent U.S. internet service providers from sharing or selling
subscribers' personal information with third parties — without permission — were dismantled by
U.S. Congress on Tuesday.
It means that information about the apps American internet subscribers use, the websites they
visit, and the things they purchase online — among other things — can potentially be tracked,
shared, and monetized by third parties, unless those users opt out.
visit, and the things they purchase online — among other things — can potentially be tracked,
shared, and monetized by third parties, unless those users opt out.
You might be pleased to learn that Canada, which often follows the U.S. lead on technology
issues,
has taken a different approach. Here, internet service providers can only share your personal
information with third parties with your express consent.
issues,
has taken a different approach. Here, internet service providers can only share your personal
information with third parties with your express consent.
- If Trump's really for 'the little guy,' he won't roll back online privacy protections, expert says
Tamir Israel, a staff lawyer at the Canadian Internet Policy and Public Interest Clinic, says you have
the privacy commissioner of Canada and the CRTC to thank.
the privacy commissioner of Canada and the CRTC to thank.
Both organizations have released decisions in recent years that effectively limit the information
internet service providers can collect and use for secondary purposes, such as marketing, without
your consent.
internet service providers can collect and use for secondary purposes, such as marketing, without
your consent.
Pitfalls of relevant ads
In 2013, the privacy commissioner launched an investigation into a new Bell initiative called the "
relevant advertising program." The Canadian telco used network usage information, as well as
account and demographic information, to build advertising profiles that could be used by third.
parties to target specific audiences with ads.
relevant advertising program." The Canadian telco used network usage information, as well as
account and demographic information, to build advertising profiles that could be used by third.
parties to target specific audiences with ads.
In other words, advertisers could target Bell users that visited certain websites. Browsing
history or
frequently used apps could also be used to infer users' interests. Users could be further
targeted by
age, phone model or credit score. Bell also indicated that it might use home internet usage,
television
viewing history and calling patterns to build ad profiles in the future.
history or
frequently used apps could also be used to infer users' interests. Users could be further
targeted by
age, phone model or credit score. Bell also indicated that it might use home internet usage,
television
viewing history and calling patterns to build ad profiles in the future.
This sort of thing is fine — but only if customers opt in, or choose to allow their personal
information to
be used in this way. In this case, however, Bell designed the relevant advertising program
to be
opt-out, the default for Bell users unless they said otherwise. This is the current reality for .
internet users in the U.S.
information to
be used in this way. In this case, however, Bell designed the relevant advertising program
to be
opt-out, the default for Bell users unless they said otherwise. This is the current reality for .
internet users in the U.S.
Marketers and advertisers are especially interested in the data they can glean from U.S.
internet
service provider usage data, which can reveal much about a person's habits and interests.
(Mike Segar/Reuters)
"Bell should not simply assume that, unless they proactively speak up to the contrary, customers
are consenting to have their personal information used in this new way," Privacy Commissioner
Daniel Therrien said at the time, recommending that Bell make its program opt-in.
are consenting to have their personal information used in this new way," Privacy Commissioner
Daniel Therrien said at the time, recommending that Bell make its program opt-in.
By combining a user's personal information with their usage information, "they kind of
crossed a
line in what they proposed they wanted to do," said David Fraser, a partner at the law firm
McInnes
Cooper, who specializes in privacy issues. "If any other telco was looking at doing that before
, they've
mostly changed their mind."
crossed a
line in what they proposed they wanted to do," said David Fraser, a partner at the law firm
McInnes
Cooper, who specializes in privacy issues. "If any other telco was looking at doing that before
, they've
mostly changed their mind."
Even earlier, in 2009, the CRTC reviewed the internet traffic management practices of
Canadian ISPs
— the hardware and software ISPs use to track and manage how customers are using the
network
, for the ISPs' own business purposes.
Canadian ISPs
— the hardware and software ISPs use to track and manage how customers are using the
network
, for the ISPs' own business purposes.
Although the review was not specifically focused on marketing or ads, the CRTC said in its
decision
it was taking steps "to ensure that personal information collected for the purpose of managing
internet
traffic is not used for other purposes and is not disclosed."
decision
it was taking steps "to ensure that personal information collected for the purpose of managing
internet
traffic is not used for other purposes and is not disclosed."
Bell ultimately chose to close its old marketing program, but it now has a new program
— one that, following the privacy commissioner's recommendation, is opt-in.
— one that, following the privacy commissioner's recommendation, is opt-in.
So there's no data sharing at all?
Even though Canadian ISPs can't share personal information with third parties without your
consent, it doesn't mean they're not sharing any data at all.
consent, it doesn't mean they're not sharing any data at all.
Rogers, Bell and Telus, for example, say they may share de-identified information — data that
has been stripped of personal information — with third parties, without your consent.
has been stripped of personal information — with third parties, without your consent.
This may be done for "research, planning, or product and service development," according
to Telus,
while Bell says it may be done "to provide social benefits (such as assisting municipalities
with traffic
planning) and to develop analytic marketing reports for our use and for the use of our partners."
to Telus,
while Bell says it may be done "to provide social benefits (such as assisting municipalities
with traffic
planning) and to develop analytic marketing reports for our use and for the use of our partners."
What's the problem with that? Researchers have shown that, in some cases, users can be
re-identified
when de-identified data is combined with other sources of data. It's enough of a concern
that some
companies explicitly forbid re-identification in their terms of use.
re-identified
when de-identified data is combined with other sources of data. It's enough of a concern
that some
companies explicitly forbid re-identification in their terms of use.
But by and large, Fraser sees the collection of de-identified data as much less of a
concern than
other types of data. "It's aggregate information," he said. On its own, "it really doesn't
tell you
anything about any individual."
concern than
other types of data. "It's aggregate information," he said. On its own, "it really doesn't
tell you
anything about any individual."
Of course, knowing things about individuals is exactly what marketers want from ISPs.
In Canada,
they'll have to keep waiting. In the U.S., not so much.
In Canada,
they'll have to keep waiting. In the U.S., not so much.
excerpt to cbcnews
EmoticonEmoticon