/Presentation

Informs about data processing | Informs about terms of compliance with data requests from the government | Fights for user privacy in the courts | Fights for user privacy in public debates | Publishes transparency reports about data requests | BONUS - Tells user about data requests

InternetLab was chosen by the Electronic Frontier Foundation – EFF to carry out the first edition of “Who defends your data?”, the Brazilian version of EFF’s project “Who has your back?”, published in the United States since 2011.

“Who defends your data?” aims to promote transparency and best practices in the field of privacy and data protection by companies that provide Internet access in Brazil, making Internet users aware of policies that affect the protection of their privacy and personal data.

The evaluation will be carried out on an annual basis. In each and every edition, we will reassess the methodology and the results, to make sure that they reflect the possibilities that are within reach of the evaluated companies to defend your data.

/Who we are

InternetLab is an independent research center that aims to foster academic debate around issues involving law and technology, especially internet policy. Our goal is to conduct interdisciplinary impactful research and promote dialogue among academics, professionals and policymakers. We follow an entrepreneurial nonprofit model, which embraces our pursuit of producing scholarly research in the manner and spirit of an academic think tank.

The Electronic Frontier Foundation is a leading international non-profit organization that, since 1990, defends digital rights. EFF uses the unique expertise of leading technologists, activists, and attorneys to defend free speech online, fight illegal surveillance, advocate for users and innovators, and support freedom-enhancing technologies.

/Our methodology

How were the evaluated companies chosen?

We chose the Internet Service Providers (ISPs) that, according to data released by the National Telecommunications Agency in October 2015, held at least 10% of all accesses to the Internet in Brazil – either by fixed broadband infrastructure or by the mobile infrastructure. This threshold ensured the assessment of companies that account for about 90% of the Internet connections in Brazil in both types of access.

In the case of broadband, the following companies fit this filter: NET, Oi, Vivo and GVT. In the case of mobile Internet, Claro, Oi, TIM and Vivo were selected. We inserted the results in the table in such a way that there is the possibility of comparing performances in the fixed broadband and mobile Internet infrastructures.

How did we come up with the methodology?

Despite being inspired by the American project “Who Has Your Back?”, “Quem Defende Seus Dados?” does not exactly replicate its methodology. That is because Brazil’s social (and legal!) reality is obviously different from the US. From that follows the development of our own categories and parameters.

We prepared the evaluation categories and parameters based on the following perspectives:

  1. public commitment to compliance with the law;
  2. adoption of pro-user practices and policies;
  3. transparency about practices and policies.

We got to the final results as follows:

  1. We made a first adapted version of the methodology and applied it (October and November 2015);
  2. With the preliminary results in hand, we contacted the companies, asking them to send us comments, criticisms or documents on the methods and results (December 2015);
  3. We engaged in dialogue with companies and from their comments, adjusted the methodology and their performance. In this re-evaluation period, categories and parameters were modified as good arguments or practices were exposed by the companies (January to March 2016);
  4. Publication of the results (April 2016).

CATEGORY: Information about data processing

WHAT WE WANT TO KNOW: Does the ISP provide clear and complete information about the collection, use, storage, processing, and protection of user’s data?

What does Brazilian law say?

Brazilian law (Marco Civil da Internet, Article 7, sections VI and VIII) establishes the rights of users to clear and complete information about the collection, use, storage, processing, and protection of their personal data, which can only be used for purposes that are specified in the contracts between companies and their clients or in terms of use of internet applications. In light of this user right, we looked at how the ISPs perform.

The term “data” is here used in a broad sense. This means that it encompasses both the account information that is provided by clients (such as name, address, social security number etc.) and records of each Internet connection provided. In this QDSD edition we chose not to make a distinction because specific regulation on either case is pending. We will be attentive to regulatory changes in future editions.

What were the evaluation criteria?

(I) The company provides information and clear legal references about data collection, including what data is collected and in which situations the collection occurs;

(II) The company provides information and clear legal references about the use and / or processing of data, including the purposes for which they are used and how this occurs;

(III) The company provides information and clear legal references on storage of data, including how long data is stored, where it is stored and when / if it is deleted;

(IV) The company provides information and clear legal references about data protection, including which security practices are observed in data retention procedures, whether there is a data anonymization policy and who would have access to the database;

(V) The company provides information and clear legal references on the use of data by third parties, including information about the circumstances under which this would happen and / or the need for customer’s authorization to do so;

(VI) It is easy to access this information on the company’s website.

Performance standards

Full star: The ISP meets 5 to 6 parameters.

½ star: The ISP meets 3 to 4 parameters.

¼ star: The ISP meets 2 parameters.

No star: The ISP does not meet any or meets only one of the parameters.

CATEGORY: Information about data disclosure to government authorities

WHAT WE WANT TO KNOW: Does the ISP commit to disclose account information and connection logs only upon a court order and, in the case of account information, upon application by competent administrative authorities?

What does the Brazilian law say?

The Marco Civil da Internet (Article 10, 1st paragraph) regulates when law enforcement authorities may have access to account information and connection logs.

Connection logs can be made available only if the disclosure is authorized by a court order. There is the same rule regarding account information, but the Marco Civil exceptionally allows administrative authorities with legal competence to directly request data without judicial review. Currently, law enforcement authorities have the right to request account information within the scope of the Criminal Organizations Act and the Money Laundering Crimes Act. In other cases, a court order is still required for disclosure of account information.

We evaluated whether the ISP, in its contract or any other official document available to the public, makes clear to users the circumstances under which judicial or administrative authorities can have access to their data.

What were the evaluation criteria?

(I) The company promises to disclose account information by direct request only to competent administrative authorities, within the scope of the law that creates their competence.

(II) The company promises to disclose account information, when not excepted, and connection logs, only pursuant to a court order.

Performance standards

Full star: The ISP meets both parameters.

½ star: The ISP meets one of the parameters.

No star: The ISP does not meet any of the parameters.

CATEGORY: Defense of user’s privacy in the courts

WHAT WE WANT TO KNOW: Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?

The Judiciary is an arena where Internet users’ rights are protected against abuses and illegal conduct. With this in mind, we evaluated the posture of companies in litigation concerning privacy and data protection.

What were the evaluation criteria?

(I) The company has legally challenged legislation that it considers harmful to Internet users’ privacy rights, disproportionate and / or failing to establish a clear, precise and detailed list of cases and circumstances in which information must be delivered or adequate safeguards to prevent abuse (Example: articles 15, 17 and 21 of the Criminal Organizations Act);

(II) The company has legally challenged abusive requests for access to users’ data that exceed the legal prerogatives of the authority making the request, that are disproportionate because of their lack of clarity and precision regarding the data required and the motivation, or that for any other reason compromise the privacy rights of users.

Performance standards

Full star: The ISP meets both parameters.

½ star: The ISP meets one of the parameters.

No star: The ISP does not meet any of the parameters.

CATEGORY: Pro-user privacy public engagement

WHAT WE WANT TO KNOW: Has the ISP engaged in public debates about bills and public policies that may affect users’ privacy, defending projects that aim to advance privacy?

It is very important to know the positions adopted by the companies regarding users’ privacy and data protection rights. This category aims to evaluate the participation of ISPs in public debates regarding bills and public policies that may impact those rights.

In this edition of QDSD, we followed the ISPs’ contributions to the most important public debates conducted recently (from January 2015 until the end of February 2016): the debates regarding the regulation of the Marco Civil da Internet (Ministry of Justice, CGI.br and ANATEL) and the debates regarding the Data Protection Bill – Anteprojeto de Lei para a Proteção de Dados Pessoais (Ministry of Justice). For this evaluation, we considered only the contributions made by ISPs individually and not by associations that some ISPs may be a part of, such as the SindiTeleBrasil. We believe that in order to get to know where the ISPs really stand, we have to consider the participation of each company separately in their own name.

What were the evaluation criteria?

(I) The company has participated individually in any public debate (contributions made by associations that the company may be part of are not considered);

(II) The company has participated in a public debate about the regulation of the Marco Civil da Internet and, in its contributions, it has not supported a longer period of data retention;

(III) The company has participated in a public debate about the regulation of the Marco Civil da Internet and, in its contributions, it has not supported the creation of new data retention mandates beyond what is already established by law;

(IV) The company has supported that, in order to request account information without a judicial order, the law must limit and define the possible situations in which the information may be requested and/or that these requests must contain the legal justification and motivation of the competent governmental authority;

(V) The company has supported that the regulation of the Marco Civil da Internet should establish rules to limit, in any way, requests for preservation of logs in order to avoid the retention of information for an indefinite time, and abusive use;

(VI) The company has supported that the regulation of the Marco Civil da Internet and/or the Data Protection Bill should encourage/require, in any way, the implementation of cryptography to protect private communications;

(VII) The company has supported that the Data Protection Bill should establish a provision for data protection by anonymization, even if the data owner’s consent is not mandatory in those cases.

Performance standards

Full star: The ISP meets between 6 and 7 parameters.

½ star: The ISP meets between 3 and 5 parameters.

¼ star: The ISP meets up to 2 parameters.

No star: The ISP does not meet any of the parameters.

CATEGORY: Transparency reports about data requests

WHAT WE WANT TO KNOW: Does the company publish transparency reports that contain information about how many times governments sought user data and how often the company provided user data to governments?

Transparency reports are statements issued by companies containing a variety of statistics related to data requests. Internet companies around the world have increasingly adopted the practice of publishing transparency reports to inform how and when they cooperate with the government, generally because they are compelled by law, by disclosing information that may be used as evidence in civil and criminal cases. It is already a usual practice among international Internet companies such as Google, Facebook, Twitter, and Microsoft and ISPs such as Vodafone and Verizon. In Brazil, this practice has not gained traction yet.

ISPs are not under any obligation to produce transparency reports in Brazil, but the publication of statistics, aggregated data about requests and disclosures, is not forbidden either. Therefore, there is a window of opportunity for showing that ISPs are concerned about building trust in their relationships with customers, based on transparency.

The draft of the regulatory decree of the Marco Civil da Internet creates an obligation to provide statistical information similar to that mentioned above (number of requests by requesting authorities, etc.) to agencies of the federal public administration. This stresses the importance of transparency on data requests. We believe that the private sector can voluntarily undertake this agenda. In testimonies to Parliamentary Committees, companies have already mentioned the large number of requests they receive. Ideally, periodic monitoring channels would be created to disclose this information to users, such as through transparency reports.

What were the evaluation criteria?

(I) The company publishes transparency reports informing about the collaboration with governmental authorities;

(II) The company publishes transparency reports informing about the collaboration with governmental authorities, stating: (i) the quantity of requests and disclosures classified by data type (whether it concerns account information or connection logs); (ii) the quantity of requests and disclosures classified by which governmental authority made the request; (iii) the quantity of requests and disclosures classified by the motivation alleged by the governmental authority (production of evidence in civil, criminal, or administrative cases etc).

Performance standards

Full star: The ISP meets the second parameter.

½ star: The ISP meets the first parameter.

No star: The ISP does not meet any of the parameters.

BONUS CATEGORY: User notification

WHAT WE WANT TO KNOW: Does the company notify the user about data requests by the government?  

When users are told that their account information or Internet connection records were demanded by administrative or judicial authorities, there is an expansion of the opportunities to effectively exercise their rights of defense against abuse and irregularities.

The powerful impact of notifications to guarantee an effective defense in the rule of law is not a new idea. In light of the constitutional principle of due process, many laws establish the obligation to notify persons about measures that affect their rights. Pursuant to the Brazilian Code of Criminal Procedure, for example, when the judge receives a request for injunctive enforcement against anyone, she must warn the affected party about the request, so that the affected party can present arguments (art. 282, § 3).

In the context of data requests, Internet providers gain an essential role in protecting procedural safeguards of the affected users. That is because the notification by the company enables the user to challenge illegal requests – both in the form of unsubstantiated court orders, and of requests from administrative authorities without competence and justification. As it is now, the user depends on the challenges made by the companies themselves against requests that they consider abusive. If notified by companies, users gain, at the earliest opportunity, the ability of self-defense against potential violations of their privacy.

With this in mind, we think it is important to encourage the practice of user notification through the QDSD project. In cases of data requests not accompanied by an obligation of confidentiality, notification is, given the absence of legal prescription to the contrary, permitted by Brazilian law. The possibility of user notification can be glimpsed, for example, not only in cases of requests for data in civil procedures, but also in connection with requests made by other government agencies, such as the Brazilian IRS or ANATEL. Even in the context of criminal proceedings, notification prior to the data disclosure can be seen as permitted as a rule, provided there is no confidentiality requirement, in keeping with the constitutional principles of legal defense and adversarial proceedings. It strengthens the possibility of legal challenge to the production of evidence irrelevant to the facts of the case.

In this edition, we decided to name this category as “bonus” because the notification is neither a legal duty imposed on companies nor a widespread practice in the country. It is a measure seen as groundbreaking and, because it requires a staff dedicated to the notifications, costly for companies. For those reasons, our understanding is that its adoption would reveal a special commitment to advancing the protection of users’ rights, especially worthy of being noted. The user notification, at the first legally possible opportunity, and preferably prior to the disclosure of data, collaborates with the principles of legal defense, and fosters a culture of privacy protection.

What were the evaluation criteria?

(I) The company promises to notify the users before complying with requests for account information data and connection logs in the cases not prohibited by legal confidentiality, or to issue a notification as soon as legally possible.

Performance standards

Full star: The ISP meets the parameter.

No star: The ISP does not meet the parameter.

/Our Sources

When applying the methodology, we looked at model contracts (available on the companies’ websites), press releases (also available on websites), and official public statements, in written form, of the evaluated companies. They were the only material evidence available to assess the terms according to which their Internet service is offered to their customers. No relevant information was found in terms of use or pages called “Privacy Policy”, which refer to the use of their websites.

/Results


CLARO

CATEGORY: Information about data processing

Result: ¼ star

Claro got ¼ star, as it fulfilled two parameters: information on the use of data by third parties (V) and ease of access to information (VI). No other information about the collection, use and processing, storage and data protection was found.

Regarding the use of data by third parties, contracts for the provision of Personal Mobile Service (SMP) indicate to whom and under what circumstances data can be provided to third parties.

Prepaid mode:

Clause 14.7. Once requested by the SUBSCRIBER the Portability Access Code and met the requirements and commercial terms established for such, SUBSCRIBER authorizes in advance, providing your registration information to the “Managing Entity” and the “Provider Giver” thus defined by ANATEL in order to allow completion or not of their portability request.

Prepaid mode:

Clause 15.6. All SUBSCRIBER’s registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with specific power of attorney; c) the judicial authority; and d) the other Providers of Telecommunications Services for specific purposes of providing these services.

Postpaid mode:

Clause 15.4 All information regarding the Subscriber registration is confidential and will only be provided to: a) the Subscriber; b) the representative with specific power of attorney; c) Claro’s collection agency; d) to the judicial authority; e) other telecommunications service providers for specific purpose of providing these services.

InternetLab considers that information regarding use by third parties should be much more extensive. In this first edition of QDSD, while still awaiting the regulatory decree of the Marco Civil da Internet, however, we understood that providing information of this kind would meet the parameter (V).

With regard to ease of information access, on the homepage of the company’s website (http://www.claro.com.br), at the end of the page, there is an item that is clearly signposted “Contracts and Regulations”. Thus, customers should not have difficulties finding this kind of information. So the parameter (VI) was considered met.

CATEGORY: Information about data disclosure to government authorities

Result: ½ star

Claro got ½ star, as it met one parameter (II).

In contracts, Claro says that it may provide “the subscriber registration information” to judicial authorities.

Prepaid mode:

Clause 15.6. All SUBSCRIBER’s registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with specific power of attorney; c) the judicial authority; and d) the other Providers of Telecommunications Services for the specific purpose of providing these services.

Postpaid mode:

Clause 15.4 All information regarding the Subscriber registration is confidential and will only be provided to: a) the Subscriber; b) the representative with specific power of attorney; c) Claro’s collection agency; d) to the judicial authority; e) other telecommunications service providers for the specific purpose of providing these services.

In this first edition of QDSD, InternetLab found that Claro meets the parameter (II). The contract language reveals the commitment to deliver data to government authorities in general only by court order. Although connection records are not explicitly mentioned, we considered that from the use of the pronoun “all” it can be inferred that these are included.

However, in the contracts there is no reference to the possibilities of access by administrative authorities. Art. 10 of the Marco Civil da Internet allows companies to provide account information directly to administrative authorities without a court order if they hold the legal competence to request it directly. At a Public Hearing on 24 November 2015, at the CPI for Cybercrimes, Mr. Fabio Andrade (Director of Institutional Relations of Claro / Embratel) represented that Claro complies with court orders that require account information and connection records, and also provides account information to administrative authorities (such as police and prosecutors) in cases where the law provides no need for a court order. As this information is not contained in the contracts, or any other official document of the company directed to customers, InternetLab found that Claro has not complied with the parameter (I). To meet this parameter in the next editions, Claro should be clear about these circumstances in their statements to customers.

CATEGORY: Defense of users’ privacy in the courts

Result: ½ star

Claro got ½ star, as it fulfilled one parameter (I).

Claro has challenged, together with other ISPs, legislation that it considers harmful in the Brazilian Supreme Court through the ACEL – Associação Nacional das Operadoras Celulares (National Association of Mobile Operators). They argue that some articles in the Criminal Organizations Act are unconstitutional, since they violate users’ right to privacy by allowing data to be delivered to law enforcement without a court order.

We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law. In order to do this, a class entity is necessary to represent them. We did not consider contributions made by class entities or associations in other opportunities because it was possible to make individual contributions (e.g. the participation of SindiTelebrasil in the public debates around the Marco Civil da Internet).

Regarding the other parameter (II), about whether Claro has defended itself or its users against abusive requests for user’s data, this information was not publicized. Also, despite our engagement efforts, the company did not provide InternetLab with any information of this nature. Thus, for lack of material evidence, we considered that Claro did not meet this parameter.

CATEGORY: Pro-user privacy public engagement

Result: ½ star

Claro got ½ star, as it fulfilled 5 parameters (I, II, III, IV and V).

We found contributions to the following public debates: the regulation of the Marco Civil da Internet (in the Ministry of Justice and in the CGI.br platforms) and the debates regarding the Data Protection Bill. Thus, Claro fulfilled the parameter (I) (engagement in public debates) by having participated individually in those three debates.

The ISP also met the parameters (II) (not to defend a longer period of data retention) and (III) (not to defend the creation of new data retention mandates), because it did not advocate for this kind of provision.

During the CGI.br consultation, Claro supported the standardization of data retention periods, meeting the parameter (V) (rules limiting data preservation requests). The company also stated that:

The regulation should define the period that application providers are authorized to retain the data beyond the one established in Article 15, in the case the judiciary does not manifest itself (…) This period should not be longer than 180 days.

On the Ministry of Justice platform, the company argued that there should be a definition of which authorities fit the category “competent administrative authority”. Competent administrative authorities may require account information without a prior court order. Against this background, Claro suggested a new wording for article 9:

Article 9. The administrative authorities [list of competent authorities] shall justify their competence and motivation to access the account information.

Therefore, Claro fulfilled the parameter (IV) (rules regarding the limits to access account information).

The company did not meet the parameters (VI) (to support the use of cryptography) and (VII) (to defend data anonymization process). We did not find any statements on these topics.

CATEGORY: Transparency reports about data requests

Result: No star

Claro did not get a star, because it did not meet any of the parameters.

The América Móvil group, of which Claro is a part, publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

BONUS CATEGORY: User notification

Result: No star

Claro did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


NET

CATEGORY: Information about data processing

Result: ¼ star

NET got ¼ star, because it partially met the parameters (I) and (III) on data collection and storage, and fully complied with the parameter (VI) on ease of access to information.

With respect to data collection, the contract indicates that the client agrees that his or her data will be added to the company’s database.

Clause 02.20. Upon accession to this agreement, SUBSCRIBERS authorize personal data to integrate the database of PROVIDER and mailing of information about releases, special offers and promotions of the PROVIDER or of other COMPANIES. The SUBSCRIBER who has no more interest in receiving this information retains the right to, at any time, contact the PROVIDER’s Customer Service and request the exclusion of the above actions.

However, there is neither further information nor more detail on this data collection; the clause above seems only to refer to the collection of data for marketing purposes. Therefore, InternetLab considered that NET fulfilled only partially the parameter (I).

With respect to data storage, the company incorporates the text of ANATEL’s resolution (Resolution 614/2013, art. 53), which reads as follows:

Clause 37.01. Articles 56, 57 and 58 of the ANATEL Resolution 614/2013, provide the following rights and duties of SUBSCRIBERS:

(…) Article 47. Without prejudice to the applicable legislation, the SCM Providers have an obligation to:

I – provide adequate service in the manner provided in the regulations;

II – submit to Anatel, in the form and frequency established in the regulations and whenever regularly subpoenaed, through interactive system made available by the Agency, all data and information that may be requested for the service, including technical, operational and economic-financial information in particular those relating to the number of subscribers, coverage area and the values measured by the Provider in relation to the parameters and quality indicators;

Art. 52. The Provider must ensure the secrecy inherent to telecommunications services and the confidentiality of data, including connection records and subscriber information, using all the means and technology to that end.

Sole paragraph. The Provider should make available data relating to telecommunications confidentiality suspension to the authorities that, according to the law, are authorized to request such information.

Art. 53. The Provider shall keep the registration data and the connection records of their subscribers for a minimum period of one year.

However, no more information on data storage is provided – only what is already contained in ANATEL’s regulations on what companies shall do. The company does not report, for example, for how long it stores data. Therefore, InternetLab considered that NET fulfilled only partially the parameter (III).

Thus, we counted the partial fulfillment of (I) and (III) together as just one fulfilled parameter.

With regard to ease of access to information, at the end of the home page of NET (http://www.netcombo.com.br), there is an item on contracts and regulations. Thus, customers should not have much difficulty finding this kind of information. So it fulfilled parameter (VI).

CATEGORY: Information about data disclosure to government authorities

Result: Full star

NET got a full star, because it fulfilled the two parameters.

Incorporating a section of ANATEL’s resolution, the contract contains the following information about data disclosure to “competent authorities”:

37.01 Articles 41-55 of the ANATEL Resolution 614/2013 feature the following rights and obligations of the PROVIDER:

Art. 52. The Provider must ensure the secrecy inherent to telecommunications services and the confidentiality of data, including connection records and subscriber information, using all the means and technology to that end.

Sole paragraph. The Provider shall make data related to the suspension of telecommunications confidentiality available to the authorities that, according to the law, have competence to request such information.

In this first edition of QDSD, InternetLab considered that the term used (“authorities that, under the law, have competence”) is generic enough to indicate that data may be disclosed both to judicial authorities and administrative authorities, when they are competent to make the request.

However, we emphasize that the wording adopted does not make clear the fact that account information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant to a court order. They cannot be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge knows neither who the “competent authorities” (Judiciary? Police? ANATEL? IRS? Prosecutor?) are nor the conditions (court order? mere request?) that afford access to their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

In future editions of the project, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the existing legal nuances. It will be necessary to make clear what types of data NET discloses under what circumstances.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_0

NET did not get a star, because it did not fulfill any of the parameters.

We did not find any legal case in which NET challenges legislation. Nor did we find cases in which it defends users from abusive data demands. InternetLab was also not provided with information of this nature when it engaged with the company. So, for lack of material evidence, it was considered that NET does not meet the parameters.

It is worth mentioning that, unlike the other analyzed companies that received credit for fulfilling parameter (I) for challenging articles of the Criminal Organizations Law (Law No. 12.850/13), NET is a broadband Internet provider. The constitutional complaint in question was brought by a collective of mobile operators, which are also mobile Internet providers. NET is, however, also affected by the obligations of this law, a fact that could have given it reason to challenge it.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2

NET got ½ star, as it met four parameters.

We found statements by NET in the public consultation on the regulation of the Marco Civil da Internet held by CGI.br. The company therefore fulfilled the parameter (I) (participation in debates) for taking part in public debates on its own behalf.

NET met the parameters (II) (not to defend a longer data retention) and (III) (not to defend the creation of new data retention mandates), because it did not advance these kinds of provisions.

In a statement on CGI.br’s platform, NET reiterated that:

regulation should define the period for which application providers must keep custody of the records beyond the deadline established in the caput of Article 15, in the event that there is not a manifestation of the judiciary (…) It is suggested that this term does not exceed 180 (one hundred and eighty) days.

Therefore, NET met the parameter (V) (rules limiting data requests).

We believe that the parameters (IV) (rules regarding the limits to access account information), (VI) (to support the use of cryptography) and (VII) (to defend data anonymization process) were not contemplated in the statements of the company. We did not find any statements on these topics.

CATEGORY: Transparency reports about data requests

Result: estrela_0

NET did not get a star, because it did not meet any of the parameters.

The América Móvil group, of which NET is a part, publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

BONUS CATEGORY: User notification

Result: estrela_0

NET did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


OI

CATEGORY: Information about data processing

Result: 

Oi – Fixed broadband

Oi did not get a star, since it only fulfilled one parameter (VI).

It was not possible to find any clear information in the contract or elsewhere on data processing. The company only states that the client’s data is entitled to the right to privacy, except in the legal cases of breach of confidentiality. InternetLab did not consider this information complete enough to meet any parameter:

Clause 8.9. [the client is entitled to] (…) the right to privacy by Oi, except in the legal cases of breach of confidentiality established by constitutional law.

Besides, there is no mention of the collection, storage, data protection or of conditions for third parties’ use of data. Therefore the parameters (I) to (V) were not met.

Currently, access to the contracts on Oi’s website is easier than it was back in October 2015 (http://www.oi.com.br/), which fulfills the parameter (VI). However, the fulfillment of only one parameter is not enough to get any score in this category.

Oi Mobile

Oi did not get a star, since it only fulfilled one parameter (VI).

In the contract, InternetLab could not find any information on data processing, collection, storage, protection or conditions for third parties’ use of data. Thus, the parameters (I) to (V) were not met.

Currently, access to the contracts on Oi’s website is easier than it was back in October 2015 (http://www.oi.com.br/), which fulfills the parameter (VI). However, the fulfillment of only one parameter is not enough to get any score in this category.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_0

Oi – Fixed broadband

Oi did not get a star, since it did not meet any parameters.

The contracts did not make clear to the users the circumstances under which judicial or administrative authorities can have access to their data.

At a Public Hearing on 24 November 2015, at the CPI for Cybercrimes, Mr. Marcos Augusto Mesquita Coelho (Director of Institutional Relations of Oi) represented that Oi complies with court orders that require account information and connection records, and that it provides account information to administrative authorities (such as police and prosecutors) in cases where the law provides no need for a court order. As this information is not contained in the contracts, or any other official document of the company directed to customers, InternetLab found that Oi has not complied with the parameters. To meet these parameters in the next editions, Oi should be clear about these circumstances in its statements to customers.

Oi – Mobile

Oi did not get a star, since it did not meet any parameters.

The contracts did not make clear to the users the circumstances under which judicial or administrative authorities can have access to their data.

At a Public Hearing on 24 November 2015, at the CPI for Cybercrimes, Mr. Marcos Augusto Mesquita Coelho (Director of Institutional Relations of Oi) represented that Oi complies with court orders that require account information and connection records, and that it provides account information to administrative authorities (such as police and prosecutors) in cases where the law provides no need for a court order. As this information is not contained in the contracts, or any other official document of the company directed to customers, InternetLab found that Oi has not complied with the parameters. To meet these parameters in the next editions, Oi should be clear about these circumstances in its statements to customers.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_2

Oi got ½ star, as it fulfilled one parameter (I).

Oi has challenged, together with other ISPs, legislation that it considers harmful in the Brazilian Supreme Court through the ACEL – Associação Nacional das Operadoras Celular (National Association of Mobile Operators). They argue that some articles in the Criminal Organizations Act are unconstitutional, since they violate users’ right to privacy by allowing data to be delivered to law enforcement without a court order.

We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law. In order to do this, a class entity is necessary to represent them. We did not consider contributions made by class entities or associations in other opportunities because it was possible to make individual contributions (e.g. the participation of SindiTelebrasil in the public debates around the Marco Civil da Internet).

Regarding the other parameter (II), about whether Oi has defended itself or its users against abusive requests for users’ data, this information was not publicized. Also, despite our engagement efforts, the company did not provide InternetLab with any information of this nature. Thus, for lack of material evidence, we considered that Oi did not meet this parameter.

CATEGORY: Pro-user privacy public engagement

Result: estrela_0

Oi did not get a star, since it did not meet any of the parameters.

It was not possible to identify the participation of Oi in any of the analyzed public debates.

CATEGORY: Transparency reports about data requests

Result: estrela_0

Oi did not get a star, because it did not meet any of the parameters.

Oi publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

BONUS CATEGORY: User notification

Result: estrela_0

Oi did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


TIM

CATEGORY: Information about data processing

Result: estrela_1

TIM got ¼ star, as it fulfilled two parameters: information about how data will be used (V) and ease of access to information (VI). No other information on the collection, treatment, storage and data protection was found.

The contracts analyzed state that the company will respect the inviolability and secrecy of communications of their customers, subject to the constitutional and legal cases of breach of confidentiality and the possibility of providing information for statistical purposes.

Postpaid mode:

Clause 3.5. The following rights established in the SMP regulation and legislation are safeguarded to the CLIENT:

(…) F) inviolability and confidentiality of their communication, subject to the constitutional and legal hypotheses of breach of telecommunications confidentiality and the disclosure of information for statistical purposes.

Prepaid mode:

Clause 3.3. The following rights established in the SMP regulation and legislation are safeguarded to the CLIENT:

(…) G) inviolability and confidentiality of their communication, subject to the constitutional and legal hypotheses of breach of telecommunications confidentiality and the disclosure of information for statistical purposes.

InternetLab is pleased that TIM informs its customers that their information will be used for statistical purposes. In this first edition, while we wait for the regulation of the Marco Civil da Internet, we considered that the parameter (II) has been fulfilled: less for the completeness of the information (which TIM does not offer) than for the distinction. It is the only company that openly includes information of this kind.

With regard to ease of access, it is easy to find contracts on TIM’s website (http://www.tim.com.br/). During the engagement phase with companies, TIM also informed InternetLab that it provides a copy of the contract at the time of purchase and the mobile app for its users. So it was considered that the parameter (VI) was fulfilled.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_3

TIM got a full star, because it fulfilled the two parameters.

The contracts analyzed adopt the following language:

Postpaid mode:

Clause 10.12. TIM will provide secret and confidential treatment to CLIENT’s data and communications, being allowed disclosure in case of demand of a competent authority.

Prepaid mode:

Clause 10.4 TIM will provide secret and confidential treatment to CLIENT’s data and communications, being allowed disclosure in case of demand of a competent authority.

In this first edition of QDSD, InternetLab considered that the term used (“competent authority”) is generic enough to indicate that data may be disclosed both to judicial authorities and administrative authorities, when they are competent to make the request.

However, we emphasize that the wording adopted does not make clear the fact that account information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant to a court order. They cannot be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge knows neither who the “competent authorities” (Judiciary? Police? ANATEL? IRS? Prosecutor?) are nor the conditions (court order? mere request?) that afford access to their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

In future editions of the project, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the existing legal nuances. It will be necessary to make clear what types of data TIM discloses under what circumstances.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_3

TIM has challenged, together with other ISPs, legislation that it considers harmful in the Brazilian Supreme Court through the ACEL – Associação Nacional das Operadoras Celular (National Association of Mobile Operators). They argue that some articles in the Criminal Organizations Act are unconstitutional, since they violate users’ right to privacy by allowing data to be delivered to law enforcement without a court order.

We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law. In order to do this, a class entity is necessary to represent them. We did not consider contributions made by class entities or associations in other opportunities because it was possible to make individual contributions (e.g. the participation of SindiTelebrasil in the public debates around the Marco Civil da Internet).

With regard to parameter (II), TIM shared with InternetLab, in the phase of engagement with the companies, information about two court cases in which the company challenges abusive data demands from the government. For that reason, it fulfilled the parameter.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2

TIM got ½ star, because it met five parameters (I, II, III, IV and V).

Regarding the fulfillment of the item (I) (engagement in public debates), we considered the fact that TIM participated in its own name in public debates on the regulation of the Marco Civil da Internet (on the Ministry of Justice and CGI.br platforms).

TIM met the parameters (II) (not to defend a longer period of data retention) and (III) (not to defend the creation of new data retention mandates), because it did not advocate for these kinds of provisions.

In the debate on the regulation of the Marco Civil, TIM suggested that a new paragraph be added to art. 9:

Art. 9. The administrative authorities referred to in art. 10, § 3 of Law No. 12965/14 shall indicate the legal basis for its competence to access and motivate the request for access to account information.

The new paragraph suggested by TIM aims to prevent administrative authorities from making claims that are not supported by law (for example, requests based on the Criminal Organizations Act). Thus, the suggestion increases the burden on the government by trying to reduce arbitrariness or abuse of authority in requests without a court order. In addition, in the CGI.br public consultation, TIM also asked for a clearer definition of who the administrative authorities empowered by the Marco Civil to request account information without a court order are:

It is relevant to specify what the “administrative authorities” with legal power to request access to registration data, regardless of a court order, are, in order to bring greater certainty to all who may in any way be affected, especially in the mind of the necessity of ensuring that those who receive the data have the necessary security to avoid any incidents of third-party leakage of data. In addition, it is important that this disclosure is only effective in the case of violation of legal provisions.

In light of the above, TIM met the parameter (IV) (rules regarding the limits to access account information).

In that public consultation, TIM also suggested establishing a limit for data preservation requests, which can be placed through the precautionary measures provided for in the Marco Civil da Internet (arts. 12 and 13). The suggested time is 5 years.

We understand that the provision should specify the maximum period for preservation of the connection logs or access to application logs after request of Police authorities or Public Prosecutors, in order to avoid the obligation to preserve indefinitely. We suggest that the term be limited to prescription defined in the Civil Code, i.e. five years.

This position fulfills the parameter (V) (rules limiting data preservation requests).

The company did not meet the parameters (VI) (to support the use of cryptography) and (VII) (to defend data anonymization process). We did not find any statements on these topics.

CATEGORY: Transparency reports about data requests

Result: estrela_0

TIM did not get a star, because it did not meet any of the parameters.

TIM publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

BONUS CATEGORY: User notification

Result: estrela_0

TIM did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


VIVO

CATEGORY: Information about data processing

Result: estrela_0

Vivo – Fixed Broadband  

Vivo did not get a star, since it did not meet any parameters.

In the analyzed contract, there was no clear information about data processing or any other parameter requirement. It is merely mentioned in passing that the company is committed to protect the client’s right to privacy and confidentiality regarding their personal data, to protect the secrecy inherent to telecommunications services:

Clause 5.2.9 It is a duty to strictly protect the secrecy inherent to telecommunications services and to ensure the confidentiality of the SUBSCRIBER personal data, using all the means and technology needed to ensure this right.

Thus, the parameters (I) to (V) were not met.

With regard to ease of access, it is not easy to find the contracts on the company’s website. Also, when we find them, the contracts are not clearly identified. Therefore, the parameter (VI) was not met.

Vivo – Mobile

Vivo did not get a star, since it did not meet any parameters.

In the analyzed contract, there was no clear information about data processing or any other parameter requirement. With regard to ease of access, it is not easy to find the contracts on the company’s website. Also, when we find them, the contracts are not clearly identified. Therefore, no parameter (I to VI) was met.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_0

Vivo – Fixed Broadband

Vivo did not get a star, since it did not meet any parameters. The contracts did not make clear to the users the circumstances under which judicial or administrative authorities can have access to their data.

At a Public Hearing on 24 November 2015, at the CPI for Cybercrimes, Mr. Enylson Flávio Martinez Camolesi (Director of Institutional Relations of Telefonica/Vivo) represented that Vivo complies with court orders that require account information and connection records, and that it provides account information to administrative authorities (such as police and prosecutors) in cases where the law provides no need for a court order. As this information is not contained in the contracts, or any other official document of the company directed to customers, InternetLab found that Vivo has not complied with the parameters. To meet these parameters in the next editions, Vivo should be clear about these circumstances in its statements to customers.

Vivo – Mobile

Vivo did not get a star, since it did not meet any parameters. The contracts did not make clear to the users the circumstances under which judicial or administrative authorities can have access to their data.

At a Public Hearing on 24 November 2015, at the CPI for Cybercrimes, Mr. Enylson Flávio Martinez Camolesi (Director of Institutional Relations of Telefonica/Vivo) represented that Vivo complies with court orders that require account information and connection records, and that it provides account information to administrative authorities (such as police and prosecutors) in cases where the law provides no need for a court order. As this information is not contained in the contracts, or any other official document of the company directed to customers, InternetLab found that Vivo has not complied with the parameters. To meet these parameters in the next editions, Vivo should be clear about these circumstances in its statements to customers.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_2

Vivo got ½ star, as it fulfilled one parameter (I).

Vivo has challenged, together with other ISPs, legislation that it considers harmful in the Brazilian Supreme Court through the ACEL – Associação Nacional das Operadoras Celular (National Association of Mobile Operators). They argue that some articles in the Criminal Organizations Act are unconstitutional, since they violate users’ right to privacy by allowing data to be delivered to law enforcement without a court order.

We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law. In order to do this, a class entity is necessary to represent them. We did not consider contributions made by class entities or associations in other opportunities because it was possible to make individual contributions (e.g. the participation of SindiTelebrasil in the public debates around the Marco Civil da Internet).

Regarding the other parameter (II), about whether Vivo has defended itself or its users against abusive requests for users’ data, this information was not publicized. Also, despite our engagement efforts, the company did not provide InternetLab with any information of this nature. Thus, for lack of material evidence, we considered that Vivo did not meet this parameter.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2

Vivo got ½ star, as it met four parameters (I, II, III, IV).

Regarding the fulfillment of the item (I) (engagement in public debates), we considered the fact that Vivo participated in its own name in public debates on the regulation of the Marco Civil da Internet (on the Ministry of Justice platform) and in the public debate concerning the Data Protection Bill (Ministry of Justice platform).

Vivo met parameters (II) (not to defend a longer period of data retention) and (III) (not to defend the creation of new data retention mandates) because it did not advocate for these kinds of provisions.

In the 2nd phase of regulation of the Marco Civil, Vivo said it should be made clear:

(…) the descriptive list of the administrative authorities, mentioned in this article, given that the provisions of art. 10, § 3 of Law No. 12965/14 do not identify who would be those authorities either. It is essential to explain that besides indicating the legal basis for its competence to obtain information and its motivation, it is also mandatory that the requesting administrative authority stick to obtaining only the information that complies with their needs and nothing more.

In addition, Vivo proposed a new article whose goal would be to explicitly include the list of “competent authorities”, who would have to justify the merits for asking for personal data:

Art. 9 The administrative authorities [list of authorities] shall show the legal basis for its competence to access personal data and show its motivation for the request.

So, it fulfilled the parameter (IV) (rules regarding the limits to access account information).

The parameters (V) (rules limiting data preservation requests), (VI) (to support the use of cryptography) and (VII) (to defend data anonymization process and its protection) were not met, since no contribution broached those subjects.

CATEGORY: Transparency reports about data requests

Result: estrela_0

Vivo did not get a star, because it did not meet any of the parameters.

The Telefónica group, of which Vivo is a part, publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

BONUS CATEGORY: User notification

Result: estrela_0

Vivo did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


GVT

CATEGORY: Information about data processing

Result: estrela_0

GVT did not get a star, because it fulfilled no parameter. No information about collection, use and processing, storage and data protection was found.

In the contract, the company says that the customer is entitled to privacy in the bill documents and in the use of their personal data by GVT:

Clause 4.3, o. Ensure the secrecy inherent to telecommunications services and the confidentiality of data and SUBSCRIBER information, using all the means and technology necessary to ensure this right of users.

However, GVT does not specify what type of protection will be given to those data. Therefore, even the parameter (IV), which refers to information on data protection (security practices and access policies, for example) cannot be considered fulfilled.

There was no ease of access to the contracts on the company’s website until the beginning of March 2016 (https://assine.gvt.com.br/). On the first page there is no reference to the area in which contracts can be found; it is necessary to search the section “broadband” to find them. It is important to note that in the version of the site available until October 12, 2015, it was considerably easier to access this information. Thus, with the redesign of its website, GVT ceased to meet the parameter (VI).

CATEGORY: Information about data disclosure to government authorities

Result: estrela_3

GVT got a full star, because it fulfilled the two parameters.

The contract analyzed adopts the following language:

14.3 (…) the Receiver shall have no obligation to preserve the confidentiality of the information that: a) was of his knowledge before this contract, and the information was obtained without being subject to any obligation of confidentiality; b) is disclosed to third parties by the Discloser, subject to constraints; c) is publicly available; d) is fully and independently developed by the Receiver; or e) has been required by court or administrative order.

In this first edition of QDSD, InternetLab considered that the term used (“no obligation to preserve confidentiality” of information “required by court or administrative order”) is generic enough to indicate that data may be disclosed both to judicial and administrative authorities, when they are competent to make the request.

However, we emphasize that the wording adopted does not make clear the fact that account information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant a court order. They can not be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge knows neither who the “competent authorities” are (Judiciary? Police? ANATEL? IRS? Prosecutor?) nor the conditions (court order? mere request?) that afford access to their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

In future editions of the project, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the existing legal nuances. It will be necessary to make clear what types of data GVT discloses under what circumstances.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_0

GVT did not get a star, because it did not fulfill any of the parameters.

We did not find any legal case in which GVT challenges legislation. Nor did we find cases in which it defends users from abusive data demands. InternetLab was also not provided with information of this nature when it engaged with the company. So, for lack of material evidence, it was considered that NET does not meet the parameters.

It is worth mentioning that, unlike the other analyzed companies that received credit for fulfilling parameter (I) for challenging articles of the Criminal Organizations Law (Law No. 12.850/13), GVT is a broadband Internet provider. The constitutional complaint in question was brought by a collective of mobile operators, which are also mobile Internet providers. GVT is, however, also affected by the obligations of this law, a fact that could have given it reason to challenge it.

CATEGORY: Pro-user privacy public engagement

Result: estrela_0

GVT did not get a star, because it did not meet any of the parameters.

We did not identify the company’s participation in any of the debates.

CATEGORY: Transparency reports about data requests

Result: estrela_0

GVT did not get a star, because it did not meet any of the parameters. InternetLab did not find any transparency reports published by the company.

BONUS CATEGORY: User notification

Result: estrela_0

GVT did not get a star, because it did not meet the parameter.

We did not find, in the contracts or elsewhere, any mention of user notification mechanisms for cases in which there are no confidentiality requirements.

FAQ

How does InternetLab fund its activities?

InternetLab is a non-profit entity. We do not act as a consulting firm or a law firm, and we only provide services if they are in tune with our goals, which are mainly related to doing research in the area of law and technology, especially on subjects concerned with the impact of public policies.

The financing of our activities comes from foundations, nonprofit organizations, companies and individuals. In all these cases we have two conditions for accepting contributions: independence in the development and implementation of projects and the freedom to express any kind of analysis and institutional stance.

In the year 2015, 66% of our funding came from foundations and international third sector organizations, 5% from national institutions, 28% from companies and 1% from individual donations.

How was the project "QDSD?" funded?

The project was funded by donations from Ford Foundation and individual donors.

Who worked on the "QDSD"?

The InternetLab team that worked on this project was: Dennys Antonialli (executive director), Francisco Brito Cruz (Director), Jacqueline Abreu (researcher) and Juliana Ruiz (research intern). The team had collaborations from Mariana Valente (director), Beatriz Kira (researcher) and Fabiane Midori (research intern).

At EFF, Katitza Rodríguez (international rights director) and Kurt Opsahl (Deputy Executive Director and General Counsel) worked on the project.

The communication part of the project was conducted by Maria Claudia Levy, from GOMA Oficina, and Sergio and Bruno Berkenbrock, from MirrorLab.

Does the project end with the dissemination of the results?

No, the project continues. The evaluation is carried out annually. In each edition, InternetLab will re-evaluate the methodology and the results, ensuring that they reflect the possibilities within the reach of companies to defend your data.

 

Recommendations for the next edition

For the next few years and evaluations, InternetLab invites the companies to develop privacy policies in order to inform users about the treatment given to personal data and connection logs, as requested by the Marco Civil da Internet, and about the ways they deal with court orders and requests from administrative authorities. The companies are also encouraged to use the ‘press rooms’ on their websites to list their actions in defense of privacy and data protection in the judiciary and in public debates. Finally, InternetLab also encourages companies to publish transparency reports and to adopt user notification practices.