The 3+3 Project: Rogers

This is the Rogers report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology).  The Keeping Internet Users In the Know of In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document. These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview. This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview. Notes:

  • The Rogers Terms of Service were consulted (as of January 18, 2015) but did not count towards Rogers’ final score. Part of the evaluation was related to transparency about privacy practices. Therefore, carriers only received credit for information in their privacy materials, on the theory that this was where privacy-minded users would look for privacy-related information. Where including the Rogers Terms of Service would have made a difference to Rogers’ score, this is noted. The Rogers Terms of Service apply to any “Rogers entity named in a Service Agreement,” and defines “Service or Services” as including wireless services.
  • Fido is a subsidiary of Rogers Wireless Inc.
    • It is thus possible that some of Rogers’ privacy materials apply to Fido. However, Rogers does not explicitly indicate this.
    • More importantly, although Fido notes on its general “About Us” web page that it is a subsidiary of Rogers Wireless Inc., and states in the Fido Privacy Policy and the Fido Terms and conditions that it is “operated by Rogers Communications Partnership”, Fido does not explicitly indicate in its privacy materials (or the Fido Terms and Conditions) that Fido users should consult Rogers’ materials.
    • Part of the evaluation was how transparent privacy practices are to a carrier’s users. Therefore, Fido received no credit for provisions and statements in Rogers materials, since Fido users would not know to consult Rogers’ materials for information relevant to them (if such materials are indeed relevant to Fido users).

1. A public commitment to PIPEDA compliance

Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.
Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.
No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.
Score: Half Star
Explanation:
  • Rogers explicitly indicates that it complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), all federal and provincial laws and regulations, and applicable privacy rules established by the Canadian Radio-television and Telecommunications Commission (CRTC).
  • Rogers indicates that it will transfer information to various third parties in certain circumstances but makes no mention of whether these third parties provide PIPEDA-equivalent protection.
Provisions: “2. Rogers' privacy practices are in accordance with all federal and provincial laws and regulations. We are compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and where applicable with the privacy rules established by the Canadian Radio-television and Telecommunications Commission (CRTC).” – The Rogers Group of Companies (Rogers) Commitment to Privacy. “9. Rogers companies share information with other Rogers companies or their agents and authorized dealers, in order to offer customers products and services that they may find attractive. Notices on sharing information are contained in each company's application forms, invoices and web sites. If customers do not want to be marketed with these products and services, they can contact Rogers (see How To Contact Rogers below).” – The Rogers Group of Companies (Rogers) Commitment to Privacy. “The Personal Information Protection and Electronic Documents Act (PIPEDA) covers both how we protect customers’ information and how we disclose it.” – Rogers 2013 Transparency Report (“Why and How We Respond”). “Do the Rogers Group of Companies share my personal information? If so, with whom?
  • The Rogers Group of Companies will not release your personal information with these exceptions:
  • When you give us permission to do so;
  • When we believe that the law requires it;
  • To protect the rights or property of the Rogers Group of Companies;
  • Under circumstances described to you when we collect the information, such as in a Terms of Service or Use agreement, or in the rules of contests or other promotions;
  • To affiliated companies within the Rogers Group of Companies.”
– FAQs about Rogers Commitment to Privacy. The Rogers Terms of Service indicate various circumstances in which personal information may be disclosed to third parties. See Criterion #4 (Transparency about conditions for third party data disclosures) for details. Note that the Rogers Terms of Service were not formally a part of Rogers’ evaluation, and in any event would not have affected its score on this criterion.

2. A public commitment to inform users of all third party data requests

Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.
Half Star: A carrier does not indicate that it will notify users when it receives requests, however it indicates that users may send an inquiry in order to acquire such information.*
*Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.
No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.
Score: Half Star
Explanation:
  • Rogers does not indicate that it notifies users when it receives third party data requests, however it indicates that users may send an inquiry to acquire such information.Provisions:
“7. Rogers informs customers of the existence, use and disclosure of their personal information upon request and gives them access to their information.” – The Rogers Group of Companies (Rogers) Commitment to Privacy.

3. Transparency about frequency of third party requests and disclosures

Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
  • The number of requests from third parties, broken down by government (law enforcement, etc.), commercial and non-commercial entities.
  • How many requests it complied with.
  • How many accounts the requests applied to.
  • How many disclosures of information there were.
Half Star: The carrier has published SOME information but leaves many important statistics out.
No Star: The carrier has published no information relating to these types of statistics.
Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: Half Star
Explanation:
  • Rogers published a Transparency Report in 2013 that included statistics about the number of requests for data it received, broken down by the type of request and its authority.
  • It did not, however, include statistics about:
    • Number of requests complied with
    • Number of accounts the requests applied to
    • Number of disclosures
  • It also appears the report may refer only to law enforcement and other governmental requests, not to requests from commercial entities (if any).
  • Additionally, information about requests that were made without legal authority was not included in the report.
Provisions: GraphNotes [to the table shown above]: 1. These statistics include the following scenarios: (a) The information requested was provided; (b) Partial information was provided; (c) No information was provided because it doesn’t exist or the person is not a Rogers customer; and (d) We rejected the request or successfully fought it in court. 2. These statistics do not include informal requests such as phone calls from law enforcement looking for information they would require a warrant for. These requests are rejected because there is no legal authority and no formal response is provided.” – Rogers 2013 Transparency Report (“Breakdown of 2013 Requests”).

4. Transparency about conditions for third party data disclosures

Full Star:
(1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties.
(2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required).
(3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.
Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.*
*Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.
No Star: The carrier fails to indicate any of (1), (2), or (3).
Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion.
Score: Half Star
Explanation:
  • The Rogers 2013 Transparency Report breaks down 6 types of requests received in 2013 and explains the legal authority associated with each.
  • Other privacy-related provisions make much more general reference to conditions when disclosure will occur.
  • Rogers states in the Rogers 2013 Transparency Report that customer name/address checks are “permitted” under “PIPEDA and CTRC Rules”. However, it has since stated, in July 2014, that it will now be requiring a court order or warrant before disclosing even basic customer information to law enforcement (for full details, see Criterion #10 [Open advocacy for user privacy rights]).
  • None of the privacy materials indicate whether subscribers will be notified about disclosure.
  • Rogers failed to earn a full star primarily on the third requirement: clarity as to whether or not users will be notified about disclosure.
  • However, a certain lack of consistency regarding the standard for disclosure across various documents, as well as a failure to clearly explain in its privacy materials its shift to requiring a warrant even for name/address checks – which makes the Rogers 2013 Transparency Report out of date – would likely have kept it at a half star.
    • The Rogers Terms of Service state that “[u]nless you provide express consent, or disclosure is required pursuant to a legal power,” disclosure can occur only in specific limited circumstances [emphasis added]. This statement seems to reflect the shift to requiring a warrant for name/address checks. Note that it appears only in the Rogers Terms of Service, not in Rogers’ privacy materials.
    • The Rogers Terms of Service also lists the specific situations, other than disclosure being “required pursuant to a legal power”, in which user information “other than… name, address and listed telephone number” will be disclosed without user consent. However, the Rogers Terms of Service were not formally a part of Rogers’ evaluation, and in any event would not have affected Rogers’ score on this criterion.
Provisions: “5. At Rogers, we collect customer information for one or more of the following purposes:
  • To provide a positive customer experience, and deliver, bill for, and collect payment for products and services;
  • To understand customer requirements and make information available regarding products and services offered by Rogers and its agents, dealers and related companies;
  • To manage and develop Rogers business and operations;
  • To meet legal and regulatory requirements; and
  • To obtain credit information or provide it to others.
6. Rogers does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Rogers retains personal information only as long as necessary for the fulfillment of those purposes. “9. Rogers companies share information with other Rogers companies or their agents and authorized dealers, in order to offer customers products and services that they may find attractive. Notices on sharing information are contained in each company's application forms, invoices and web sites. If customers do not want to be marketed with these products and services, they can contact Rogers (see How To Contact Rogers below).” – The Rogers Group of Companies (Rogers) Commitment to Privacy. “The requests we receive are to respond to warrants and orders from law enforcement agencies. In addition, we receive requests from government departments who are authorized to request information to enforce laws like the Income Tax Act. We also assist police services in emergency life threatening situations. About half of the requests we receive are to confirm a customer’s name and address, which we respond to so police do not issue a warrant to the wrong person. Otherwise, we only provide customer information when forced by law or in emergencies after the request has been thoroughly vetted. If we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request.” – Rogers 2013 Transparency Report (“Introduction”). “Canadian law governs how we protect private customer information and how government and law enforcement agencies can compel us to provide it to them:
  • The Criminal Code and other laws allow government and law enforcement agencies to require us to provide customer information.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) covers both how we protect customers’ information and how we disclose it.
  • The CRTC Confidential Customer Information Rules (CRTC Rules) set out circumstances under which customer information – other than name, address and listed numbers, which can always be provided – may be disclosed to third parties including law enforcement agencies.
Our Privacy Policy and Terms of Service outline how we safeguard customers’ information under these laws and rules. We only give out private customer information when required by law or in emergencies and after the request has been thoroughly vetted. See Type of Requests below and our Frequently Asked Questions (FAQs) for more information.” – Rogers 2013 Transparency Report (“Why And How We Respond”). 2. Do you provide metadata or direct access to customer databases? No, we do not provide metadata without a warrant, or direct access to our customer databases. We only provide the information we are required to provide and this information is retrieved by our staff.” – Rogers 2013 Transparency Report (“Frequently Asked Questions”).3. How many times did you provide info? Do you ever reject law enforcement requests? Our statistics represent the total number of requests we received last year. If we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request.” – Rogers 2013 Transparency Report (“Frequently Asked Questions”). The Rogers 2013 Transparency Report identifies 6 types of request and the “legal authority” associated with each:
  1. Customer name/address checks (PIPEDA and CRTC Rules “permit” confirmation of such information) (but see the “Update” below)
  2. Court order/warrant (“Issued under the Criminal Code or other laws”)
  3. Government requirement order (“Issued under laws such as the Customs Act or Income Tax Act”)
  4. Emergency requests from police in life threatening situations (“The Criminal Code and PIPEDA”)
  5. Child sexual exploitation emergency assistance requests (“The Criminal Code and PIPEDA”)
  6. Court order to comply with a Mutual Legal Assistance Treaty request (“Issued under Mutual Legal Assistance in Criminal Matters Act”)
The Report also provides “Details” of what constitutes each type of request as well as “Examples of info provided” for each. As the discussion is lengthy, the full text can be found in Appendix A at the end of this document. “Update: July 16, 2014: After hearing your concerns and reviewing the Supreme Court ruling from last month, we’ve decided that from now on we will require a court order/warrant to provide basic customer information to law enforcement agencies, except in life threatening emergencies. We believe this move is better for our customers and that law enforcement agencies will still be able to protect the public.” – “How Rogers handles government requests for information” Rogers RedBoard (5 June 2014), online: Rogers RedBoard <http://redboard.rogers.com>.[2] “A Rogers spokesperson has clarified that the new warrant requirement will apply to all government agencies, not just law enforcement bodies, which will cover the likes of Communications Security Establishment Canada.” – Peter Nowak, “Rogers scores points with warrant requirement” AlphaBeatic (17 July 2014), online: AlphaBeatic <http://alphabeatic.com>.[3] “[I]f police have an Internet Protocol, or IP, address of interest and want to obtain a warrant to investigate further, Rogers will tell them which city the relevant customer lives in so they know which judge to approach, [Rogers chief privacy officer Ken Engelhart] said. "But we won't give them any personal information — no name, no address."” – The Canadian Press, “Rogers will no longer hand customer info to police without a warrant” CBC News (16 July 2014), online: CBC <http://www.cbc.ca>.[4] “We fully comply with Canadian privacy law and take active steps to fully safeguard the information of our customers. At the same time we are compelled by law to respond to federal, provincial and municipal government and law enforcement agencies when they have a legally valid request‐like a search warrant or court order.” – Privacy, CCTS & CRTC.Do the Rogers Group of Companies share my personal information? If so, with whom? The Rogers Group of Companies will not release your personal information with these exceptions:
  • When you give us permission to do so;
  • When we believe that the law requires it;
  • To protect the rights or property of the Rogers Group of Companies;
  • Under circumstances described to you when we collect the information, such as in a Terms of Service or Use agreement, or in the rules of contests or other promotions;
  • To affiliated companies within the Rogers Group of Companies.”
– FAQs about Rogers Commitment to Privacy. The Rogers Terms of Service contain provisions pertaining to whom and in what circumstances personal information will be disclosed without a user’s consent. As the full provisions are long, the exact text is in Appendix A at the end of this document. However, to paraphrase, Rogers will only disclose personal information without consent:
  • Where “disclosure is required pursuant to a legal power”
  • To the user
  • To someone they reasonably believe is the user’s agent
  • To another telephone company, for the purpose of providing a user with services
  • To a company supplying the user “with telephone or telephone directory-related services”
  • To collection agencies or agents who “perform other administrative functions for” Rogers
  • To credit agencies, to check creditworthiness
  • To law enforcement where Rogers reasonably believes the user has “knowingly supplied [Rogers] with false or misleading information or are otherwise involved in unlawful activities”
  • To public authorities where there is “imminent danger to life or property”, or “for emergency public alerting purposes” where there is “an imminent or unfolding danger that threatens the life, health or security of an individual”
Rogers Terms of Service (“Privacy and Confidentiality of Your Information”/Provision #32) (Note that the Rogers Terms of Service were not formally a part of Rogers’ evaluation, and in any event would not have affected Rogers’ score on this criterion.)

5. An explicitly inclusive definition of ‘personal information’

Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.
Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMSEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.
No Star: The carrier gives no definition of ‘personal information’.Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here.
Score: Half Star
Explanation:
  • Rogers provides definitions of “personal information” in the Rogers Group of Companies (Rogers) Commitment to Privacy and the FAQs about Rogers Commitment to Privacy which include some examples.
  • Although the examples are not a closed list, most of the key elements required to do well on this criterion are not included. For example, there is no reference to IP addresses or meta-data. (There is a reference to meta-data in the Rogers 2013 Transparency Report, but as something that is not released without a warrant, not as part of a definition of personal information. This implies that Rogers likely considers meta-data personal information, but this is not clear.)
  • The examples Rogers gave of what constituted “personal information” were considered sufficiently obvious and uninformative that it might have earned no star on this criterion, had there not been other carriers who gave no definition of personal information at all.
Provisions “4. Personal information collected by Rogers is information about an identifiable individual that may include such information as your name, e-mail address, mailing address, phone number, financial information, birth date and any recorded complaints.” – The Rogers Group of Companies (Rogers) Commitment to Privacy. “What is personal information? Personal information is information about an identifiable individual but does not include aggregated information that cannot be associated with a specific individual. Personal information may include such information as your name, email address, mailing addresses, financial information, service and equipment, birth dates and any recorded complaints.” – FAQs about Rogers Commitment To Privacy. “2. Do you provide metadata or direct access to customer databases? No, we do not provide metadata without a warrant, or direct access to our customer databases. We only provide the information we are required to provide and this information is retrieved by our staff.” – Rogers 2013 Transparency Report (“Frequently Asked Questions”).

6. The normal retention periods for personal information

Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.
Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.
No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.)
Score: Half Star
Explanation:
  • Rogers makes a general statement that it keeps information as long as needed to fulfill the purposes for which it was collected, a statement so vague as to not inform the consumer beyond what PIPEDA requires (it merely restates PIPEDA’s Principle 5 - Limiting Use, Disclosure, and Retention). Rogers only indicates a retention period for one type of data (bills). However, it also indicates that “customers’ communications” are not retained at all.
  • Had Rogers referred to the retention period for bills alone, this likely would have been a no-star statement. However, whether the content of communications is retained is of significant interest to users, so Rogers’ explicit exclusion of this material from what is retained at all moved it up to a half star. These considerations may be reflected in separate criteria in future. (Note: IXmaps would have awarded a half star to Rogers even without this explicit exclusion of certain material.)
Provisions: “6. Rogers does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Rogers retains personal information only as long as necessary for the fulfillment of those purposes.” – The Rogers Group of Companies (Rogers) Commitment to Privacy.6. How long do you keep customer information? We only keep information for as long as it’s required for business purposes or as required by law. For example, we are required by law to keep customer bills for seven years. We don’t keep our customers’ communications like text messages and emails because our customers’ privacy is important and we don’t need this information.” – Rogers 2013 Transparency Report (“Frequently Asked Questions”).

7. Transparency about where personal information is stored and/or processed

Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.
Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.
No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.
Score: No Star
Explanation:
  •  Rogers’ only reference to where personal information is stored and/or processed is found in the Rogers Terms of Service. As the Rogers Terms of Service were not formally a part of Rogers’ evaluation, it cannot receive credit for this reference.
    • Had this provision been counted, Rogers would have earned a half star: it only indicates that there is a possibility that personal information may be stored or processed subject to a foreign jurisdiction. Jurisdiction details and types of disclosure the information may be subject to are not provided.
Provisions: None in privacy materials “Personal information collected in connection with the provision of the Services may be stored and processed in or outside Canada and may be subject to the laws of other jurisdictions.” – Rogers Terms of Service (“Privacy and Confidentiality of Your Information”/Provision #32).

8. Transparency about where personal information is routed

Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries is subject to U.S. jurisdiction.
Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.
No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.
Score: No Star
Explanation:
  • Rogers gives no indication of the geographical locations or jurisdictions through which personal data is routed.
Provisions: None

9. Domestic Canadian routing when possible

Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.
Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.
No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.
Note: Due to minor changes in wording during the evaluation process, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: No Star
Explanation:
  • Rogers gives no indication that it promotes domestic routing where possible.
  • Rogers was listed on only one Canadian IXP (the Toronto Internet Exchange [TorIX]), where it was a conditional peer only.
  • Open peering at TorIX might have merited a half star, as might conditional peering at a significant number of IXPs. Conditional peering at one IXP, however, merits no stars.
  • Rogers does not peer openly at any Canadian public IXPs as of January 24, 2015. In addition to TorIX (http://www.torix.ca/), the IXPs reviewed were:
    • Manitoba Internet Exchange: http://www.mbix.ca/
    • Échange Internet de Montréal: http://www.qix.ca/en/
    • Ottawa Internet Exchange: http://www.ottix.net/
    • Halifax Internet Exchange: http://hfxix.ca/
    • Calgary Internet Exchange: http://yycix.ca/
Provisions: None For an explanation of IXPs and open and conditional peering, see the project overview.

10. Open advocacy for user privacy rights

Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
  • Involvement in public debates over mass state surveillance;
  • Involvement in privacy or surveillance related legislative initiatives (e.g. the current Bill C-13 on lawful access);
  • Defending user privacy rights in court; or
  • Ties to advocacy organizations or initiatives promoting user privacy rights.
Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.
No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.
Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application.
Score: Full Star
Explanation:
  • Rogers’ reference in the Rogers 2013 Transparency Report to “push[ing] back” against orders it considers “too broad” would have been too vague to merit a full star on its own. However, Rogers’ statement in the Report that it “encourage[s] the Government of Canada to issue its own report on these requests [for user information]” constitutes a clear reference to support for user privacy rights, specifically via “involvement in public debates over mass state surveillance.”
    • Although this is only a single line, Rogers was under no obligation to take a position on the issue of the government issuing a report, and no indication was found that other carriers made statements on this issue.
  • Rogers (alongside TELUS) is also currently fighting a “tower dump” order, involving information about 40,000-50,000 TELUS and Rogers customers, in R v Rogers Communications Partnership, 2014 ONSC 3853, but this is not (yet) mentioned in its privacy materials. Rogers should refer to this case in its 2014 Transparency Report.
  • Rogers updated its policies after the Supreme Court of Canada ruling in R v Spencer, 2014 SCC 43, (a case about online privacy and disclosure by ISPs) to require warrants, court orders, or similar authority in more disclosure situations, but did not highlight this change in its privacy materials. Although Spencer could be said to require this change, not all companies have made such a declaration, and the recently-passed Bill C-13 removes liability for carriers who voluntarily disclose customer information. (For discussion of Spencer and warrants, see Alex Boutilier & Paul McLeod, “Supreme Court ruling hasn’t stopped police from warrantless requests for data” The Toronto Star (17 September 2014), online: <http://www.thestar.com>[5] and Christine Dobby, “Rogers to require warrants for police requests” The Globe and Mail (16 July 2014), online: The Globe and Mail <http://www.theglobeandmail.com>[6] .)
Provisions and other sources: “5. Do you fight for customers’ privacy rights? Absolutely, if we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request. Our customers’ privacy is important to us and that’s why we’re issuing this report. We believe more transparency is helpful and encourage the Government of Canada to issue its own report on these requests.” – Rogers 2013 Transparency Report (“Frequently Asked Questions”). Regarding the “Tower Dump” Order (R v Rogers Communications Partnership, 2014 ONSC 3853):
  • The Peel Regional Police obtained a “tower dump” production order for the information of TELUS and Rogers customers attempting connections through any of 21 TELUS towers or 16 Rogers towers.
  • 40,000-50,000 persons could be affected.
  • The goal was “to further an investigation by identifying persons using cell phones in the vicinity of known criminal activity.” (R v Rogers Communications Partnership, 2014 ONSC 3853 at paragraph 1).
  • TELUS and Rogers applied to quash the orders under s. 24(1) of the Canadian Charter of Rights and Freedoms: “Anyone whose rights or freedoms, as guaranteed by this Charter, have been infringed or denied may apply to a court of competent jurisdiction to obtain such remedy as the court considers appropriate and just in the circumstances.”
  • “Rogers and Telus brought their Charter applications asserting the general proposition that production orders are obtained without due regard for the privacy interests of their customers. Litigating that issue, they submit, will provide guidance to the police and telecommunications industry in the future.” (R v Rogers Communications Partnership, 2014 ONSC 3853 at paragraph 24).
  • Cell towers record whenever a user makes or attempts a communication (including a call, text, or email). Towers in cities cover 1-2 kilometres, and in the country 10-25 kilometres.
  • The information provided under the orders would include, for all users making or attempting a communication:
    • Which tower they were using,
    • Their name and address, and
    • Their billing information, possibly including banking and credit card information.
  • Where the recipient of a communication was also a TELUS or Rogers subscriber, that person’s information, including the tower they were using, would also need to be provided.
  • The orders did not include:
    • How the information would be safeguarded.
    • Restrictions on the use of the information (i.e. it could be kept and used in other investigations).
  • The Peel Regional Police successfully applied to revoke the original order saying they would be satisfied with a more limited order. (Whether their application for this second order was successful is not clear.)
  • However, the Charter challenge to the original orders will proceed.
– Information from R v Rogers Communications Partnership, 2014 ONSC 3853 (available on CanLII). “A Rogers’ emailed statement said: “We thought the request we received was too broad, so in order to protect our customers’ privacy, we went to court to seek clarification on what constitutes a reasonable request.” – David Paddon (The Canadian Press), “Ontario judge to examine Telus-Rogers’ Charter of Rights challenge” The Toronto Star (25 July 2014), online: The Toronto Star <http://www.thestar.com/>.[7] Regarding Rogers’ Tightened Requirements for Disclosure: “Update: July 16, 2014: After hearing your concerns and reviewing the Supreme Court ruling from last month, we’ve decided that from now on we will require a court order/warrant to provide basic customer information to law enforcement agencies, except in life threatening emergencies. We believe this move is better for our customers and that law enforcement agencies will still be able to protect the public.” – “How Rogers handles government requests for information” Rogers RedBoard (5 June 2014), online: Rogers RedBoard <http://redboard.rogers.com>.[8] “A Rogers spokesperson has clarified that the new warrant requirement will apply to all government agencies, not just law enforcement bodies, which will cover the likes of Communications Security Establishment Canada.” – Peter Nowak, “Rogers scores points with warrant requirement” AlphaBeatic (17 July 2014), online: AlphaBeatic <http://alphabeatic.com>.[9]
“The new policy of requiring a warrant even for basic requests will be better for customers, and law enforcement will still be able to protect the public, Rogers says. It stresses that, in keeping with the [Spencer] ruling, police would not need a warrant to get basic subscriber information in life-threatening emergencies. In addition, if police have an Internet Protocol, or IP, address of interest and want to obtain a warrant to investigate further, Rogers will tell them which city the relevant customer lives in so they know which judge to approach, [Rogers chief privacy officer Ken Engelhart] said. "But we won't give them any personal information — no name, no address."”
– The Canadian Press, “Rogers will no longer hand customer info to police without a warrant” CBC News (16 July 2014), online: CBC <http://www.cbc.ca>.[10]
“Apart from situations involving life-threatening emergencies, Rogers said it now requires “lawful authority” – a court order, warrant or equivalent production order – to provide basic customer details to law-enforcement agencies or government agencies with the power to request information under legislation (for example, the Canada Revenue Agency). … Mr. Engelhart said the company decided to stop responding to [customer information requests relating to child exploitation cases] except in emergency situations immediately after the Supreme Court ruling [in R v Spencer]. He added that the change in policy announced Wednesday applies to a much broader category of “customer name/address checks,” under which Rogers received about 88,000 requests in 2013. He said the company will no longer confirm basic name, address and phone information without an order.”
Christine Dobby, “Rogers to require warrants for police requests”, The Globe and Mail (16 July 2014), online: The Globe and Mail <http://www.theglobeandmail.com>[11] Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
  • Rogers privacy (January 18, 2015).
  • Rogers transparency (January 18, 2015).
  • Rogers personal information (January 18, 2015).
  • Rogers “personal information” (January 18, 2015).
  • Rogers “customer information” (January 18, 2015).
  • Rogers “subscriber information” (January 18, 2015).
  • Rogers disclosure (January 18, 2015).
  • Rogers “lawful access” (January 18, 2015).
  • Rogers “warrant” (January 18, 2015).
  • Rogers “legal authority” (January 18, 2015).
  • Rogers bill c-13 (January 18, 2015).
  • Rogers “Bill C-13” (January 18, 2015).
  • Rogers user rights (January 18, 2015).
  • Rogers user privacy (January 18, 2015).
  • Rogers user rights (January 18, 2015).
  • Canada user privacy rights rogers (January 18, 2015).
  • Rogers privacy advocacy (January 18, 2015).
  • Rogers privacy lawsuit (January 18, 2015).
  • Rogers privacy litigation (January 18, 2015).
In addition, searches were also run specifically seeking news articles. (All searches are as of January 18, 2015) ProQuest:
  • Rogers AND Privacy policy.
  • Rogers AND privacy challenges.
  • Rogers Communication AND privacy issues.
Google News:
  • Rogers Privacy Case.
Searches used in seeking case law where Rogers defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.) Westlaw Canada:
  • “Rogers Communications” back to 01/01/2010 (January 18, 2015).
  • “Rogers Wireless” back to 01/01/2010 (January 18, 2015).
  • intervener & “Rogers Communications” back to 01/01/2010 (January 18, 2015).
Quicklaw:
  • Rogers Communications in Case Name, limited to previous 5 years (January 18, 2015).
  • rogers wireless in Case Name, limited to previous 5 years (January 18, 2015).
  • “rogers communications” & intervener limited to previous 5 years (January 23, 2015).
CanLii:
  • “Rogers Communications” (January 18, 2015).
  • “Rogers Wireless” (January 18, 2015).

Appendix A: Provisions related to Transparency about conditions for third party data disclosures

(Criterion #4)

  “1. Customer name/address checks:
  • Legal authority: PIPEDA and CRTC Rules permit confirming basic information like name, address and listed phone number.
  • Details: These requests are to confirm a customer’s name and address, which we respond to so police do not issue a warrant to the wrong person.
  • Examples of info provided: When provided with a name and address we will confirm whether or not the person is a Rogers customer and when provided with a listed phone number we’ll provide the name and address of a customer. IP address is not provided.
2. Court order/warrant:
  • Legal authority: Issued under the Criminal Code or other laws.
  • Details: A court order or warrant includes production orders, summons, subpoenas and search warrants issued by a judge or other judicial officer. It compels us to provide customer information to police or other authorities or to attend court to provide evidence/testimony about customer information.
  • Examples of info provided: Customer account information like name and address, payment history, billing records, or call records.
3. Government requirement order:
  • Legal authority: Issued under laws such as the Customs Act or Income Tax Act.
  • Details: An order that compels us to provide customer information to the requesting agency.
  • Examples of info provided: Customer account information like payment history, billing records, or call records.
4. Emergency requests from police in life threatening situations:
  • Legal authority: The Criminal Code and PIPEDA.
  • Details: We assist police services in emergency life threatening situations such as missing persons cases and individuals in distress.
  • Examples of info provided: Helping locate someone with a cell phone and providing contact details for someone who has contacted emergency services and may be unable to communicate.
5. Child sexual exploitation emergency assistance requests:
  • Legal authority: The Criminal Code and PIPEDA.
  • Details: We assist police during child exploitation investigations.
  • Examples of info provided: Confirming a customer’s name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.
6. Court order to comply with a Mutual Legal Assistance Treaty request:
  • Legal authority: Issued under Mutual Legal Assistance in Criminal Matters Act.
  • Details: We don’t respond to requests from foreign agencies, but we do advise them to have their country’s justice authority contact the Department of Justice Canada. If that country has a treaty or convention with Canada, the request is processed by Canadian authorities and an order may be issued by a Canadian court to gather evidence. We’re compelled to provide customer information to the police or other authority in Canada conducting the investigation.
  • Examples of info provided: Customer account information like payment history, billing records, or call records.”
– Rogers 2013 Transparency Report (“We Received Six Types of Requests”). See the discussion at Criterion #4 (Transparency about conditions for third party data disclosures) and Criterion #10 (Open advocacy for user privacy rights) for updates Rogers has made to its disclosure policy since its report was published. (Note that this information has been reformatted into bullets for ease of reading but the content has not been otherwise altered.) “Unless you provide express consent, or disclosure is required pursuant to a legal power, all information regarding you kept by us, other than your name, address and listed telephone number, is confidential and may not be disclosed by us to anyone other than:
  • you;
  • a person who, in our reasonable judgment, is seeking the information as your agent;
  • another telephone company, provided the information is required for the efficient and cost-effective provision of telephone service and disclosure is made on a confidential basis, with the information to be used only for that purpose;
  • a company involved in supplying you with telephone or telephone directory-related services, provided the information is required for that purpose and disclosure is made on a confidential basis, with the information to be used only for that purpose;
  • an agent retained by us in the collection of your account or to perform other administrative functions for us, provided the information is required for and used only for that purpose;
  • an agent retained by us to evaluate your creditworthiness, provided the information is required for and is to be used only for that purpose;
  • a law enforcement agency whenever we have reasonable grounds to believe that you have knowingly supplied us with false or misleading information or are otherwise involved in unlawful activities;
  • a public authority or agent of a public authority if, in our reasonable judgment, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information; or
  • a public authority or agent of a public authority, for emergency public alerting purposes, if a public authority has determined that there is an imminent or unfolding danger that threatens the life, health or security of an individual and that the danger could be avoided or minimized by disclosure of the information.
Express consent to disclosure may be obtained as follows:
  • by written consent;
  • by oral confirmation verified by an independent third party;
  • by electronic confirmation through the use of a toll-free number;
  • by electronic confirmation via the Internet;
  • by oral consent, where an audio recording of the consent is retained by us; or by consent through other methods, as long as an objective documented record of your consent is created by you or by an independent third party.”
– Rogers Terms of Service (“Privacy and Confidentiality of Your Information”/Provision #32). (Note that the Rogers Terms of Service and this provision were not formally a part of Rogers’ evaluation.)

Appendix B: Sources

The Rogers Group of Companies (Rogers) Commitment to Privacy
  • Applies to: Rogers Communications, Rogers Cable, Rogers Wireless and Rogers Media (per its first provision).
  • Last consulted January 18, 2015.
Rogers 2013 Transparency Report
  • This report does not specify its application.
    • However, it was issued by “Rogers Communications.” Rogers Communications’ annual report begins: “Rogers Communications is a diversified Canadian telecommunications and media company. Rogers Wireless is Canada’s largest wireless voice and data telecommunications services provider…”
    • In addition, the report includes examples of disclosure that clearly relate to wireless services, such as: “Helping locate someone with a cell phone and providing contact details for someone who has contacted emergency services and may be unable to communicate.”
    • It is therefore assumed that this report covers Rogers Wireless.
  • Last consulted January 18, 2015.
FAQs about Rogers Commitment to Privacy
  • FAQs about Rogers Commitment to Privacy does not specify its application. However, it refers throughout to “The Rogers Group of Companies” which it states includes “Rogers Cable, Rogers Wireless and Rogers Media” (per “Do the Rogers Group of Companies ask for personal information?”).
  • Last consulted January 18, 2015.
Privacy, CCTS & CRTC
  • This document is a landing page that links to Rogers’ privacy materials. It does not specify what is included in “Rogers” as it uses the term. As the policies it links to all appear to apply to Rogers’ wireless services, however, it is assumed this page does as well.
  • Last consulted January 17, 2015.
News archive back to May 1, 2010 (earliest date available on the Rogers website): http://about.rogers.com/About/Media_Relations/News.aspx
  • Last consulted January 17, 2015.
News articles (see Criterion #10 [Open advocacy for user privacy rights]).

 

[1] Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.pdf>.

[2] http://redboard.rogers.com/?s=transparency+report

[3] http://alphabeatic.com/rogers-warrants/

[4] http://www.cbc.ca/news/politics/rogers-will-no-longer-hand-customer-info-to-police-without-a-warrant-1.2709155

[5] http://www.thestar.com/news/canada/2014/09/17/supreme_court_ruling_hasnt_stopped_police_from_warrantless_requests_for_data.html

[6] http://www.theglobeandmail.com/report-on-business/rogers-now-requires-warrants-for-all-police-inquiries/article19634702/

[7] http://www.thestar.com/news/canada/2014/07/25/ontario_judge_to_examine_TELUSrogers_charter_of_rights_challenge.html

[8] http://redboard.rogers.com/?s=transparency+report

[9] http://alphabeatic.com/rogers-warrants/

[10] http://www.cbc.ca/news/politics/rogers-will-no-longer-hand-customer-info-to-police-without-a-warrant-1.2709155

[11] http://www.theglobeandmail.com/report-on-business/rogers-now-requires-warrants-for-all-police-inquiries/article19634702/