Consumer data protection and the illusion of open internet
Since we’re all mad at telecom right now, I figure the timing of this one is pretty appropriate given that Rogers went down nationwide just two days prior.
Last weekend, I took a trip to beautiful BC for a music festival. We stopped for lunch on our last day at an amazing family-owned cafe in Kamloops for the best tomato soup and grilled cheese sandwich I’ve ever had.
As we waited for our order, I fidgeted with my phone. I had recently paid $340 in data overcharges the previous month due to a limited data plan and a growing love of TikTok, so I was keen to take advantage of the public WiFi spots that popped up along our travels.
The strongest open WiFi signal came from a network called ShawOpen. I connected to it and was presented with a typical corporate registration screen with bright, beaming text. “Lets get you connected. You get 500 MB to use over the next 7 days at Shaw Go WiFi hotspots.”
For free access, the page then asked me for not one, not two — but five mandatory unique identifiers. My first name, last name, mobile number, e-mail address (for verification pin), and my full postal code.
Hang on a second.
Tell us some deeply personal and identifying information about yourself, then give us consent to send you mail and promotions about our products and services. Okay, actually, it isn’t exactly consent because you have to accept our promotional emails to access this free service — the checkbox is just for funsies.
The information required for access to “free” internet here is anything but free. In data-driven marketing, this information is worth actual Big Dollars, and having unique identifiers that can accurately identify a specific human being is the highest value data a company’s marketing team can have about you. This information also isn’t a technological necessity for the provisioning of internet— save for a communication method like e-mail or phone number to send an identity and device verification code.
Given that Shaw is already collecting data on my device and IP address to ensure I don’t watch too many TikToks on their dime, this feels pretty invasive already. And as Paul Craig helpfully pointed out, the likelihood is high that the only way to unsubscribe is to receive a marketing promotion in the first place.
By providing my first name, last name, email and full postal code, I’ve essentially guaranteed that I am now identifiable as not just a Sidra but THE Sidra to Shaw and whatever data-sharing partnerships they might have. I wouldn’t know, I am part of the 91% of consumers who always skip the privacy policy and terms of use before agreeing to something because I naively assume that most corporations adequately function under an ethical code.
So while not outright illegal, this practice feels deceiving and unethical. I’m no legal eagle, but I’m aware that PIPEDA applies to federally regulated businesses, which telecommunications falls under. PIPEDA importantly prohibits the harvesting of addresses — which I argue may count here because the premise of collecting addresses is presented as a necessary step for access to free internet, burying the truly transactional nature of this exchange.
In a world where consumers are increasingly concerned about data security, pseudonymization practices (like those adopted by the GPDR) are considered the gold standard for protecting private consumer data. These rules are meant to protect users from being identified as a specific individual. I’m not sure this is the case here, because the value lies in the personal information itself, for when Shaw wants to send mail-outs of deals to my mailing address, or directly address me by name in their e-mail promotions. Pseudonymization would render the data itself useless to marketers.
The illusion of consumer choice
The final field on the form was a checkbox. Marking the checkbox served as my consent to “[receive] offers & promotions from Shaw Cablesystems G.P. & affiliates, and I can unsubscribe at any time”.
Like most rational people trying to wind down the chaos that is their inbox, I decided against checking so cue my surprise when instead of submitting, the form presented me with an error message explaining that “accepting promotions is required to connect”.
As per Neilsen Norman, a true/false form control is redundant when a single option is presented and turns out to be mandatory. Canadian Anti-Spam Legislation (CASL) is also pretty clear on how it evaluates misleading information and express consent. The use of checkboxes for consent is conditional on checkboxes being optional for users, which is not the case with the login screen for ShawOpen.
Telecom corporations spend billions annually in Canada to compete for dollars in a truly limited ecosystem. This is no longer about providing public and open access to wireless networks. This is about mispresenting private interests by asking for uniquely identifying information that typically comes at quite the premium under the guise of public good.
There are class-based considerations too. 86% of youth experiencing homelessness in the United States access the internet at least once a week. By requiring a residential postal code, the message is made clear: access to public internet is a privilege afforded to only those who can be converted into paying customers in the future. The potential merger of Rogers and Shaw will further complicate access to these services as a reduction in competition will inevitably contribute to an increase in cost to consumers. In fact, Canadians already pay some of the highest fees for data and internet in the world. These practices contribute to a digital divide that hurts the people who need these services the deepest.
Private public WiFi networks are not an acceptable alternative to truly public internet access. It’s not “free” if I’m paying with my personal data, and it’s not “open” if it’s for the purposes of being marketed to by a for-profit institution.
A very special thank you to Paul Craig and Bianca Wylie for their quick proofreading and review of this article. Y’all are the best.
