ISPs as Privacy Custodians

Just published in the Canadian Journal of Law and Society (CJLS) is my article on Internet Service Providers as Privacy Custodians (a pre-print version is available here). The content is adapted (and updated) from a chapter of my PhD dissertation, wherein different chapters dealt with different social responsibilities of ISPs in Canada. The focus of this piece is on privacy responsibilities, but these are interrelated with ISPs’ other responsibilities and social roles, such as surveillance. For example, Canada’s Privacy Act was referred to as the “wiretap bill” while it was being debated in 1973, because while it criminalized the invasion of privacy, it also provided a formal legal route through which the police could obtain wiretaps (I particularly enjoyed studying the murky history of wiretapping in Canada for this piece, which I could only include in summary form).

The responsibilities of ISPs to protect privacy directly shape how police can carry out investigations involving subscriber information, how copyright enforcement operates, and the sorts of commercial relationships ISPs can enter into when monetizing subscriber information. I settled on the term “privacy custodians” to describe the role of ISPs in governing privacy for lack of a better one (the term is used in health care, and here I conceive of privacy governance as being broader than managing the personal information of users, encompassing a broader relationship to the public including policy advocacy, public accountability, and privacy education). I’ve been interested in how different ISPs approach the role of privacy custodian, at times through differing interpretations of legal obligations, but also through different kinds of voluntary efforts to go beyond legal obligations. I discuss these by distinguishing positive responsibilities (the responsibility to do something) and negative responsibilities (the responsibility to not do something). I argue that we should pay attention to the ways that ISPs are distinguishing themselves by carving out and asserting new positive responsibilities, but being mindful of the discretion with which they do so, and the pressures to compromise privacy given the growing value of the data that these intermediaries can collect.

The abstract reads:

This article examines the role of internet service providers (ISPs) as guardians of personal information and protectors of privacy, with a particular focus on how telecom companies in Canada have historically negotiated these responsibilities. Communications intermediaries have long been expected to act as privacy custodians by their users, while simultaneously being subject to pressures to collect, utilize, and disclose personal information. As service providers gain custody over increasing volumes of highly-sensitive information, their importance as privacy custodians has been brought into starker relief and explicitly recognized as a core responsibility.

Some ISPs have adopted a more positive orientation to this responsibility, actively taking steps to advance it, rather that treating privacy protection as a set of limitations on conduct. However, commitments to privacy stewardship are often neutralized through contradictory legal obligations (such as mandated surveillance access) and are recurrently threatened by commercial pressures to monetize personal information.

While tensions over privacy and state surveillance have been long-lasting and persistent, in recent years the most interesting developments have been related to the monetization of personal information. Recent news have included the re-launch of Bell’s targeted ads program, and another U.S. privacy scandal involving the resale of location information. Canadian incumbents collaborate on location and identification services through EnStream, which has so far remained relatively quiet and scandal-free, but also introduced a new role into the subscriber-provider relationship. We pay service providers to give us connectivity and some extent of privacy, but these companies are also serving the needs of customers who want information about us.

In short, the internet’s gatekeepers are also the gatekeepers of our identities and activities.