The 3+3 Project: Fido

This is the Fido report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology).  The Keeping Internet Users In the Know of In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document.

These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview.

This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview.

Notes:

  • The Fido Terms and Conditions were consulted (as of January 23, 2015) but did not count towards Fido’s final score. Part of the evaluation was related to transparency about privacy practices. Therefore, carriers only received credit for information in their privacy materials, on the theory that this was where privacy-minded users would look for privacy-related information. Where including the Fido Terms and Conditions would have made a difference to Fido’s score, this has been noted. The Fido Terms and Conditions apply to Fido Solutions.
  • Fido is a subsidiary of Rogers Wireless Inc.
    • It is thus possible that some of Rogers’ privacy materials apply to Fido. However, Rogers does not explicitly indicate this.
    • More importantly, although Fido notes on its general “About Us” web page (https://www.fido.ca/web/content/aboutus, last consulted February 26, 2015) that it is a subsidiary of Rogers Wireless Inc., and states in the Fido Privacy Policy and the Fido Terms and Conditions that it is “operated by Rogers Communications Partnership”, Fido does not explicitly indicate in its privacy materials (or the Fido Terms and Conditions) that Fido users should consult Rogers’ materials.
    • Part of the evaluation was how transparent a carrier’s privacy practices are to its users. Therefore, Fido received no credit for provisions and statements in Rogers’ materials, since Fido users would not know to consult Rogers’ materials for information relevant to them (if such materials are indeed relevant to Fido users).

1. A public commitment to PIPEDA compliance
Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.

Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.

No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.

 Score: Half Star

Explanation:

  • Fido explicitly indicates that it complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), all federal and provincial laws and regulations, and applicable privacy rules established by the Canadian Radio-television and Telecommunications Commission (CRTC).
  • Fido indicates that it will transfer information to various third parties in certain circumstances but makes no mention of whether these third parties provide PIPEDA-equivalent protection.

Provisions:

“2. Fido’s privacy practices are in accordance with all federal and provincial laws and regulations. We are compliant with the Personal Information Protection and Electronic Documents Act and where applicable with the privacy rules established by the Canadian Radio-television and Telecommunications Commission.” – Fido Privacy Policy.

“7. Fido shares information with other Fido related companies, including the Rogers companies, in order to offer customers products and services that they may find attractive. Notices on sharing information are contained on Fido’s invoice and on fido.ca. If customers do not want to be marketed with these products and services, they can contact Fido at 1-888-481-3436.” – Fido Privacy Policy.

“Your account information may, from time to time, be disclosed to Fido’s affiliates, including other members of the Rogers Communications Inc. organization and to our agents and dealers in order to service your account, respond to your questions and telemarket (including by way of automatic dialing and announcing devices) and promote additional products and services offered by Fido and the other members of the Rogers organization that may interest you. If you do not wish to receive offers or information from or related to Fido and related Rogers entities, please contact our Customer Service at 1-888-481-3436.” – Fido Terms and Conditions (“Privacy and Confidentiality of Your Information”/Provision #30). (Note that the Fido Terms and Conditions were not formally a part of Fido’s evaluation, and in any event would not have affected Fido’s score on this criterion.)

The Fido Terms and Conditions indicate various circumstances in which personal information may be disclosed to third parties. See Criterion #4 (Transparency about conditions for third party data disclosures) for details. Note that the Fido Terms and Conditions were not formally a part of Fido’s evaluation, and in any event would not have affected its score on this criterion.

2. A public commitment to inform users of all third party data requests
Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.

Half Star: A carrier does not indicate that it will notify users when it receives requests, however it indicates that users may send an inquiry in order to acquire such information.**Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.

No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.

 Score: Half Star

Explanation:

  • Fido does not indicate that it notifies users when it receives third party data requests, however it indicates that users may send an inquiry to acquire such information.

Provisions:

“5. Fido informs customers of the existence, use and disclosure of their personal information upon request and gives them access to their information.” – Fido Privacy Policy.

3. Transparency about frequency of third party requests and disclosures
Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
  • The number of requests from third parties, broken down by government (law enforcement, etc.), commercial and non-commercial entities.
  • How many requests it complied with.
  • How many accounts the requests applied to.
  • How many disclosures of information there were.

Half Star: The carrier has published SOME information but leaves many important statistics out.

No Star: The carrier has published no information relating to these types of statistics.

Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.

 Score: No Star

Explanation:

  • Fido has published no information about third party data requests and disclosures.
    • While Fido’s parent company, Rogers, has released a 2013 Transparency Report, neither Fido nor Rogers indicates whether Fido statistics are included in this report. (For Fido to receive credit for Rogers’ report, Fido statistics would have had to be clearly included in Rogers’ report, and Fido would have had to clearly indicate this in its own privacy materials. Neither was true here.)

Provisions: None

4. Transparency about conditions for third party data disclosures
Full Star:

(1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties.

(2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required).

(3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.

Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.*

*Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.

No Star: The carrier fails to indicate any of (1), (2), or (3).

Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion.

 Score: Half Star

Explanation:

  • The Fido Privacy Policy states Fido will not disclose information except: for the purposes for which it was collected, with user consent, or “as required by law”. It does not go into any detail regarding what “as required by law” means.
  • Fido is unclear as to what standards various third parties must meet in order for disclosure to be made.
  • Fido does not state whether users will be alerted to disclosures of their information.
  • The Fido Terms and Conditions lists the specific situations, other than disclosure being “required pursuant to a legal power”, in which user information will be disclosed without user consent. However, the Fido Terms and Conditions were not formally a part of Fido’s evaluation (and in any event would not have affected Fido’s score on this criterion).

Provisions:

“3. At Fido, we collect customer information for one or more of the following purposes:

  • To provide a positive customer experience, and deliver, bill for, and collect payment for products and services;
  • To understand customer requirements and make information available regarding products and services offered by Fido directly or through its network of distributors, and its related companies, including the Rogers group of companies;
  • To manage and develop Fido’s business and operations;
  • To meet legal and regulatory requirements; and
  • To obtain credit information or provide it to others.

4. Fido does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Fido retains personal information only as long as necessary for the fulfillment of those purposes.” – Fido Privacy Policy.

“7. Fido shares information with other Fido related companies, including the Rogers companies, in order to offer customers products and services that they may find attractive. Notices on sharing information are contained on Fido’s invoice and on fido.ca. If customers do not want to be marketed with these products and services, they can contact Fido at 1-888-481-3436.” – Fido Privacy Policy.

“Your account information may, from time to time, be disclosed to Fido’s affiliates, including other members of the Rogers Communications Inc. organization and to our agents and dealers in order to service your account, respond to your questions and telemarket (including by way of automatic dialing and announcing devices) and promote additional products and services offered by Fido and the other members of the Rogers organization that may interest you. If you do not wish to receive offers or information from or related to Fido and related Rogers entities, please contact our Customer Service at 1-888-481-3436.” – Fido Terms and Conditions (“Privacy and Confidentiality of Your Information”/Provision #30). (Note that the Fido Terms and Conditions were not formally a part of Fido’s evaluation, and in any event would not have affected Fido’s score on this criterion.)

The Fido Terms and Conditions contain provisions pertaining to whom and in what circumstances personal information will be disclosed without a user’s consent. As the full provisions are long, the exact text is in Appendix A at the end of this document. However, to paraphrase, Fido will only disclose personal information without consent:

  • Where “disclosure is required pursuant to a legal power”
  • To the user
  • To someone they reasonably believe is the user’s agent
  • To another telephone company, for the purpose of providing a user with services
  • To a company supplying the user “with telephone or telephone directory-related services”
  • To collection agencies or agents who “perform other administrative functions for” Fido
  • To credit agencies, to check creditworthiness
  • To law enforcement, where Fido reasonably believes the user has “knowingly supplied [Fido] with false or misleading information or are otherwise involved in unlawful activities”
  • To public authorities where there is “imminent danger to life or property”

– Fido Terms and Conditions (“Privacy and Confidentiality of Your Information”/Provision #30). (Note that the Fido Terms and Conditions were not formally a part of Fido’s evaluation, and in any event would not have affected Fido’s score on this criterion.)

5. An explicitly inclusive definition of ‘personal information’
Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.

Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMSEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.

No Star: The carrier gives no definition of ‘personal information’.

Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here.

 Score: Half Star

Explanation:

  • Fido gives no definition of “personal information”.

Provisions: None

6. The normal retention periods for personal information
Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.

Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.

No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.)

 Score: No Star

Explanation:

  • Fido provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. It merely restates PIPEDA’s Principle 5 - Limiting Use, Disclosure, and Retention.

Provisions:

“4. Fido does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Fido retains personal information only as long as necessary for the fulfilment of those purposes.” – Fido Privacy Policy.

7. Transparency about where personal information is stored and/or processed
Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.

Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.

No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.

 Score: No Star

Explanation:

  • Fido’s only reference to where personal information is stored and/or processed is found in the Fido Terms and Conditions. As the Fido Terms and Conditions were not formally a part of Fido’s evaluation, it cannot receive credit for this reference.
    • Had this provision been counted, Fido would have earned a half star: it only indicates that there is a possibility that personal information may be stored or processed in a foreign jurisdiction. Jurisdiction details and types of disclosure personal information may be subject to are not provided.

Provisions: None in privacy materials

“Personal information collected in connection with the provision of the Services may be stored and processed in or outside Canada and may be subject to the laws of other jurisdictions.” – Fido Terms and Conditions (“Privacy and Confidentiality of Your Information”/Provision #30).

8. Transparency about where personal information is routed
Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries is subject to U.S. jurisdiction.

Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.

No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.

 Score: No Star

Explanation:

  • Fido gives no indication as to the geographical locations or jurisdictions through which personal data is routed.

Provisions: None

9. Domestic Canadian routing when possible
Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.

Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.

No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.

 Score: No Star

Explanation:

  • Fido gives no indication that it promotes domestic routing where possible.
  • Fido does not peer at any Canadian public IXPs as of January 26, 2015. The IXPs reviewed were:
  • Fido is a subsidiary of Rogers. If Rogers had been peering openly at Canadian IXPs during the research period, we might have asked whether that meant Fido’s traffic was being routed domestically as well. However, since Rogers earned no star on this issue, the question of whether Fido should get credit for actions by Rogers has been left for the future.

Provisions: None

For an explanation of IXPs and open and conditional peering, see the project overview.

10. Open advocacy for user privacy rights
Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
  • Involvement in public debates over mass state surveillance;
  • Involvement in privacy or surveillance related legislative initiatives (e.g. the current Bill C-13 on lawful access);
  • Defending user privacy rights in court; or
  • Ties to advocacy organizations or initiatives promoting user privacy rights.

Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.

No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.

Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application.

 Score: No Star

Explanation:

  • No indication of Fido publicly supporting user privacy rights was found.
  • A search of legal databases for Canadian cases involving Fido did not turn up any case law where Fido defended user privacy rights in court.
  • Fido is a subsidiary of Rogers. Rogers has publicly supported user privacy rights, including via a current Canadian court case (see the Rogers report for details). However, Fido did not make any reference to Rogers’ actions in its privacy materials, nor was it obviously involved in Rogers’ privacy-related litigation. Therefore, it cannot receive any credit for Rogers’ actions.

Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)

Fido privacy (January 18, 2015).

Fido privacy [but not]“fido alliance” (January 23, 2015).[2]

Fido transparency (January 23, 2015).

Fido personal information (January 18, 2015).

Fido “personal information” (January 23, 2015).

Fido “customer information” (January 23, 2015).

Fido “subscriber information” (January 23, 2015).

Fido disclosure (January 23, 2015).

Fido “lawful access” (January 23, 2015).

Fido “warrant” (January 23, 2015).

Fido “legal authority” (January 23, 2015).

Fido “Bill C-13” (January 23, 2015).

Fido “privacy” (January 23, 2015).

Fido privacy advocacy (January 18, 2015).

Fido “privacy advocacy” (January 23, 2015).

Fido user privacy (January 18, 2015).

Fido “user privacy” (January 23, 2015).

Fido customer privacy (January 18, 2015).

Fido “customer privacy” (January 23, 2015).

Fido privacy complaints (January 18, 2015).

Fido “privacy complaints” (January 23, 2015).

Fido privacy issue (January 18, 2015).

Fido “privacy issue” (January 23, 2015).

Searches used in seeking case law where Fido defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)

Westlaw Canada:

• “Fido Solutions” back to 01/01/2010 (January 23, 2015).

Quicklaw:

• fido solutions in Case Name, limited to previous 5 years (January 23, 2015).

• “fido solutions” & intervener limited to previous 5 years (January 23, 2015).

CanLii:

• “Fido Solutions” (January 23, 2015).

Appendix A: Provisions related to Transparency about conditions for third party data disclosures(Criterion #4)

“Unless you provide express consent, or disclosure is required pursuant to a legal power, all information regarding you kept by us, other than your name, address and listed telephone number, is confidential and may not be disclosed by us to anyone other than:

  • you;
  • a person who, in our reasonable judgment, is seeking the information as your agent;
  • another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis, with the information to be used only for that purpose;
  • a company involved in supplying you with telephone or telephone-directory-related services, provided the information is required for that purpose and disclosure is made on a confidential basis, with the information to be used only for that purpose;
  • an agent retained by us in the collection of your account or to perform other administrative functions for us, provided the information is required for and used only for that purpose;
  • an agent retained by us to evaluate your creditworthiness, provided the information is required for and is to be used only for that purpose;
  • a law enforcement agency whenever we have reasonable grounds to believe that you have knowingly supplied us with false or misleading information or are otherwise involved in unlawful activities; or
  • a public authority or agent of a public authority if, in our reasonable judgment, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information.”

Express consent to disclosure may be obtained as follows:

  • by written consent;
  • by oral confirmation verified by an independent third party;
  • by electronic confirmation through the use of a toll-free number;
  • by electronic confirmation via the Internet;
  • by oral consent, where an audio recording of the consent is retained by us; or
  • by consent through other methods, as long as an objective documented record of your consent is created by you or by an independent third party.”

– Fido Terms and Conditions (“Privacy and Confidentiality of Your Information”/Provision #30). (Note that the Fido Terms and Conditions and this provision were not formally a part of Fido’s evaluation.)

Appendix B: Sources

Fido Privacy Policy

  • Applies to: Fido Solutions (per its first provision).
  • Last consulted January 23, 2015.

News Releases on Fido website back to April 12, 2012 (earliest date available on the Fido website): https://www.fido.ca/web/content/media/news_releases

  • Last consulted January 18, 2015.

[1]Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.....

[2]“FIDO Alliance” is an unrelated organization.