OTTAWA -- Canada's Internet service providers are being less than forthcoming about how they handle customer information -- including whether they routinely give personal data to spy agencies, says a new report.

The report by University of Toronto researchers gives low marks to all 20 providers ranked in 10 categories of transparency.

They looked at how much information the companies posted on their websites about commitment to federal privacy law, how and when they hand personal data to authorities, where and how long information is stored, and whether data is routed through the United States.

The average grade was 1.5 out of 10, with carrier TekSavvy getting the highest grade of 3.5 points.

The report comes amid widespread concern about surveillance by western security agencies and a legislative move by the federal government to make it easier for authorities to find out more about Internet users.

The researchers, Andrew Clement and Jonathan Obar, say it is very difficult for Canadians to protect their personal privacy online unless companies reveal how they treat customer information.

They recommend that Internet providers and law-enforcement and security agencies do more to inform the public.

Slightly more than half of the providers examined explicitly state a commitment to the federal privacy law governing private enterprises.

None of the foreign-based providers carrying significant amounts of Canadian traffic indicate any compliance with Canadian privacy law, the report says.

"Foreign carriers expose personal data to U.S. and other jurisdictions, where Canadian data is largely unprotected legally from foreign state surveillance."

The authors say this is "especially concerning" because Canadians have little influence over the activities of foreign governments.

No Canadian Internet service provider has yet published a transparency report similar to those of AT&T, Verizon, Google, Facebook or Twitter, which have begun publishing statistics on requests for information from law-enforcement agencies.

Statistics tabled in Parliament this week following a formal question from NDP digital issues critic Charmaine Borg show telecommunications companies responded to more than 18,000 requests for data in 2012-13 from the Canada Border Services Agency, the vast majority involving basic subscriber information.

The border agency said it requests information from providers about their customers when it believes it is required to investigate possible violations of the law.

The research report makes several recommendations, calling on Internet service providers to:

-- publicly commit to compliance with federal privacy law.

-- inform users when personal data has been requested by a third party.

-- publish regular, detailed transparency reports about such requests and disclosures.

-- provide details of whether personal data may be stored or routed outside Canada.

It also urges Canadian law-enforcement and intelligence agencies -- such as the Canadian Security Intelligence Service and the national eavesdropping service, Communications Security Establishment Canada -- to publish statistics about requests for personal information that they make to providers.

Earlier this month, a report by a researcher with the University of Toronto's Citizen Lab said Canadian telecommunication companies provided vague answers to a detailed questionnaire about when and how they hand customer information to police and security agencies.