Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.
Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information is only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities’ requests were granted, the company stated:
“We don’t keep track of it. Our tracking to date has really been for internal management purposes, not for creating a transparency report. So that’s something we’re going to look to expand in the future and hopefully provide more information in the future.“
By contrast, the TekSavvy report provides data on both requests and disclosures as do many other transparency reports (Google, Twitter, Microsoft).
The claim that Rogers only tracks in-bound requests and not out-bound data is hard to believe. The reason may be financial – the “internal management purpose” may be to charge a fee to law enforcement for the process. Further, the company says that if it considers an order too overbroad, it will “push back and, if necessary, go to court to oppose the request.” Is it really possible that the company has no records of when it has gone to court to oppose a request?
[Update 7/6/14: Rogers has provided a private response in which it indicates that it does have records of individual responses to requests for subscriber information, but that it does not track aggregate numbers. Further, it does know the number of times it went to court, but did not include that information in the transparency report.]
Tracking disclosures of subscriber information should not be viewed as optional. Privacy law gives individuals a right of access to their information:
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The statute continues at 4.9.3:
In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
If Rogers is not tracking disclosures, the approach raises privacy compliance concerns. Moreover, this helps explain why it does not notify customers that their information has been disclosed since it does not seem to track the information itself. title
Shocking… Why?
A lot of businesses are really lazy or sloppy at such things.
Gregg,
Businesses are lazy? What exactly are you saying?
I think you are saying that the Rogers executive in charge Privacy may not be fit for the function she/he is tasted with if said privacy officer can’t even comply with Canadian privacy legislation.
There is lazy and then there is negligent in a job. This would fall under negligent and not really caring about your job and people.
Transparency is only good when there’s also credibility
Since most of the big providers routinely lie about everything they do, what possible benefit could we derive from any transparency reports they’re “willing” to produce?
We are in need of new regulations
First it must become a right for the citizen to be informed all the time when and who requested a disclosure of his personal data.
Second a company that doesn’t have any means to track requests (hard to believe in an information driven society) should be not allowed to disclose personal information at all especially when they are charging money for it.
Well, it’s obvious why Rogers didn’t keep track of the number of times it handed over the info. If anyone wants to know if their info was given out, Rogers can say “I don’t know”. Planned incompetence. It’s a fabulous way to easily justify being evil …
Osgoode Hall should be ashamed
I wonder if Ken Engelhart will update his curriculum vitae to state:
As Chief Privacy Officer, I have no clue how much personal info on Canadians I doled out over the years to various entities.
And it appears Osgoode Hall Law School pays this guy to teach kids, http://www.osgoode.yorku.ca/faculty/adjunct/ken-engelhart
That doesn’t say much for Osgoode. They should be equally embarrassed for having this guy.
And like all the other telco’s, after he states he has no clue what privacy is, nor can he quantify anything (because he must be from Osgoode), he says “Our customers’ privacy is important to us”
What a joke.
Is this the kind of people Osgoode pumps out and lets others learn from? Seriously?
This is the “privacy professional” Rogers wants? It also speaks volumes about Rogers.
Ur exaggerating. The Big 3 ISPs Rogers keeps ISP logs for 2 years, Bell stores for 5+ years and Shaw around 2 to 4 years. The logs are for billing purposes and preventing criminal activity and hate crimes.
Nobody is spying on anyone. The tinfoil hat must be too tight.