News

Response from the independent counsel for the Canadian Wireless Telecommunications Association regarding information requests from government authorities

The independent counsel for the Canadian Wireless Telecommunications Association provided the following response to a letter from Privacy Commissioner of Canada Jennifer Stoddart asking for some general information related to requests for information from government authorities.

December 11, 2011

Karen E. Hennessey
Direct 613-783-8804
Direct Fax 613-788-3581
karen.hennessey@gowlings.com
File No. 02379950

December 14, 2011

PRIVATE AND CONFIDENTIAL

Office of the Privacy Commissioner of Canada
112 Kent Street
Place de Ville
Tower B, 3rd Floor
Ottawa, Ontario
KIA IH3

ATTN: Jennifer Stoddard

Dear Ms. Stoddard:

Re: Response to Request for General Information From Canadian Wireless Telecommunications Association (the "CWTA") Members

We are acting for the CWTA.

We write further to the Office of the Privacy Commissioner of Canada's ("OPC") request, which we understand was sent to twelve Canadian service providers asking for specific information about lawful access service in Canada.

A number of the service providers solicited by OPC are members of the CWTA. The CWTA members have expressed concern with providing the requested information on a company by company basis. After confirming with the OPC that they would accept information submitted on an aggregate basis, on September 14, 2011, the chair of the CWTA/ITAC Lawful Access Policy Committee, Bill Abbott, wrote to certain telecommunication service providers and requested that they submit their responses directly to Gowling Lafleur Henderson LLP for the assembly of a confidential aggregate report.

We have therefore agreed, as independent counsel for CWTA, to aggregate the responses received and provide a report in a format where quantitative and qualitative responses cannot be attributed to any one provider. We are bound to keep all company responses confidential.

We have received a response from nine providers. These providers provide wireline and wireless telephone service as well as retail and wholesale internet access service. As a group they represent a substantial proportion of Canada's telecommunications customer connections.

Please find attached as Appendix A hereto, the aggregated response to the OPC's general questions concerning lawful access. We note that this Appendix A only provides a subset of the actual lawful requests and is based on nine Canadian providers.

Yours very truly,

Gowling Lafleur Henderson LLP

Original signed by

Karen E. Hennessey

cc: Canadian Wireless Telecommunications Association


Appendix A:
Aggregated Response to the Office of the Privacy Commissioner Questions
Concerning Lawful Access

These responses have been aggregated and are being provided to the OPC, in accordance with the letter from Gowling Lafleur Henderson LLP dated December 14, 2011.

 

No. Question Company Response
1a Approximately how many data requests from government authorities does your organization receive annually, on average? Aggregate Average Annual Requests: 1,193,630 1, 2
1. This number includes an aggregation of responses from nine providers.

2. One provider provided the number of responses rather than the number of requests.
1b Similarly, approximately how many users or accounts are subject to disclosure to authorities in response to a valid request?

Explanatory Note
(This question
is difficult to answer. CNA requests usually correspond one request to one account/customer whereas Non-CNA requests may cover many accounts/customers.)
Aggregate users and accounts subject to disclosure: 784,756 1, 2, 3, 4
1. This total only includes three providers as five providers were unable to provide this information.

2. One provider replied that the average number of subscribers per request was 1.74.

3. One provider noted that all accounts are subject to disclosure with a valid request.

4. One provider replied that it cannot accurately determine the number of users and accounts subject to disclosure. Customer name and address requests usually correspond one request to one account/customer. Non-customer name and address requests may cover many accounts/customers.
2 Like some organizations, do you make these figures available to the  public in any form? No. 1
1. One provider noted that it was recently required to provide a list of dates, times and information to a customer related to information released to the LEA in response to a privacy complaint from the customer.
3a Do you keep internal, aggregate statistics on the types of requests you receive (such as production orders and emergency requests) and the kinds of information requested (e.g. subscriber records, non-content or transactional data, communications content, location information customer look-ups, location data, emergency requests, wiretap requests, production orders)? Yes. 1, 2, 3, 4, 5, 6
1. One provider noted that the numbers represent approximate numbers of requests received by law enforcement and government agencies of all levels nationally. In some cases, duplication and overlap may occur. For example, if a request is received to provide a name and address on a single account from 5 different law enforcement and government agencies, this is treated as five separate requests. Should the same request be submitted several times over the course of the year by the same law enforcement agency this is treated as an individual request. Such duplications are not tracked by the provider. Statistics pertaining to search warrants, production orders, government agency requirement letters and customer authorized third party disclosures (to government agencies or law enforcement) are tracked according to the number of customer files created in response to these disclosures, and not the number of actual authorizations received. For example, a single production order can require the production of records associated with 10 Individual telephone numbers. This production order would be tracked as 10 requests.

2. One provider noted that statistics relating to requests for customer information, emergency requests, wiretap requests, and court orders received are kept at a high levelof security for internal use only.

3. One provider noted that statistics relating to requests for customer information, emergency requests, wiretap requests, and Court Orders are kept at a high security level for internal use only.

4. One provider noted that it tracks the type of request, but not the kind of information requested.

5. One provider tracks the types of orders (production warrants, court orders, registered owner etc.) in its database system. The system records what is required from each order, such as CDR, text, tower, subscriber and information. This provider also keeps records of all lawful Intercept warrants and orders in its database system. However, while certain statistics can be extracted from this database, it would require considerable manual effort as there are no existing reports. In addition, this data is classified as restricted information and cannot be disclosed without proper authorization.

6. One provider only tracks court orders on a monthly basis by province.
3b If so, would you be willing to provide a copy of this information? No.
4 If your enterprise uses Deep Packet Inspection equipment or software, have you used it in response to a request from federal authorities? Two providers responded "Yes". 1

Five providers replied 'No". 2, 3

Two providers did not provide a response to the question asked.
1. One provider noted that it uses Deep Packet Inspection equipment for the limited use of decoding packets for source and destination routing Information to facilitate delivery of Part 6 data delivery on Internet target interception. There is no packet inspection and analysis done.

2. One provider noted that it does not use Deep Packet Inspection equipment or software for the purposes of responding to requests from federal authorities. Interception of communications over data networks is accomplished by sending what is essentially a mirror image of the packet data as it transits the network of data nodes. This packet data is then sent directly to the agency who has obtained lawful access to the information. Deep packet inspection is then performed by the law enforcement agency for their purposes.

3. One provider noted that it commenced using Deep Packet Inspection equipment, in a lab environment in the beginning of Sept 2011, set to launch in its production environments in mid-October. It is intended to be used for traffic management purposes only.
5 Like some organizations, do you notify your customers, when the law allows, that their information has been requested, thus giving them an opportunity to contest the request in court? No.
6a Like some organizations, do you currently seek reimbursement for the cost of complying with these requests? (a) Eight providers replied "Yes". 1, 2, 3, 4, 5, 6, 7

(b) One provider replied "No".
1. One provider replied that it seeks reimbursement for the costs of complying with certain types of requests. Those include disclosure of customer name and address where judicial authorization does not exist and interception of communications.

2. One provider noted that its charges depend on the type of information requested. It provides assistance on a best efforts basis with cost recovery billing for lawful intercepts and technical assistance. It notes that some LEA's have refused to pay where the request is authorized by a court. There is no charge to LEA for emergency support, other than applicable levies for E911 tariffs.

3. One provider replied that LEA's are billed.

4. One provider replied that they seek reimbursement only for lawful intercepts at this time.

5. One provider bills agencies for establishing connections and their usage of telecommunication services on part 6 authorizations. These charges are based on cost recovery estimates.

6. One provider charges for CNAs and warrants which LEAs do not typical pay for. This provider also charges labour and facilities used for intercepts and notes that LEA's typical pay these charges.

7. One provider replied that they seek reimbursement only where costs are significant.
6b If so, do federal authorities pay their bills in a prompt manner? (a) Eight providers replied generally yes, with exceptions. 1

(b) This question is not applicable to the provider who replied "No" in Section 6 above.
1. The general consensus was that the providers do not usually have any problems getting reimbursed but most providers also noted that there have been some difficulties with certain municipal police forces which refuse to reimburse the provider for their costs of complying with the requests.
6c If not, what steps if any have you taken in order to obtain payment (such as terminating wiretaps and withholding data)? (a) Six providers provided their payment process. 1, 2, 3, 4

(b) Three providers responded "Not Applicable."
1. One provider noted that it has been provided with an explanation that they are awaiting Legislation compelling them to pay for warranted information, so this provider (at this time) takes no action to collect.

2. One provider replied that it still responds within a reasonable timeframe and at a minimum, as required by law.

3. One provider noted that it proceeds to take informal steps.

4. Three providers replied that at this time they do not take any of the measures as described in order to obtain recuperation of such costs in the event a law enforcement agency refuses to reimburse it for its costs.
7 Like some organizations, do you make a schedule of these tariffs or fees available to the public? (a) Seven providers provided a reply with an explanation. 1, 2, 3, 4, 5

(b) Two providers replied "Not Applicable".
1. One provider noted that they make available only to the extent there is a CRTC approved tariff.

2. Two providers noted that it complies with its general tariff on this issue.

3. Two providers noted that it does not make available to the general public, schedules of tariffs and fees associated with recoverable costs related to disclosures to law enforcement and government agencies.

4. One provider noted that this does not currently apply to its exchange of services.

5. One provider replied that it does not make its schedule of tariffs or fees available to the public, but does provide to Enforcement and Government Agencies.