Last month, media reports covered a recently released Ontario court decision involving a Peel Regional Police warrant application for subscriber data from Telus and Rogers. The two telecom companies challenged the order, arguing that it was overbroad. The police withdrew the order in favour of a more limited request, but the court decided that the Charter issues raised by the request should still be examined.

The money quote from the judge – “the privacy rights of the tens of thousands of cell phone users is of obvious importance” – captured the attention, but the case is more interesting for the data it provides on police warrant applications for subscriber data. The case reveals that Telus received approximately 2,500 production orders and general warrants in 2013, while Rogers produced 13,800 files in response to production orders and search warrants that year.

Even more interesting is how the police were seeking access to a huge amount of subscriber information by asking for all records involving dozens of cell phone towers, including subscriber data, billing information, bank data, and credit card information. The specifics as described by the court:

The production orders against Rogers and Telus are in similar form. The orders require cell phone records for all phones activated, transmitting and receiving data through 21 specified Telus towers and 16 Rogers towers. The orders require the name and address of every subscriber making or attempting a communication and the particular cell tower being utilized. The orders are framed such that if both the person initiating and receiving the communication are Rogers (or Telus) subscribers, then information regarding the recipient must also be provided and the cell tower the recipient used must also be provided. The orders also require billing information which may include bank and credit card information.

Telus estimated that this would involve at least 9,000 subscribers, while Rogers anticipated retrieving 200,000 records on 34,000 subscribers. Note that the scope includes bank and credit card information as well as potentially data on hundreds of other cell phone tower where recipients were part of the same network. The case provides an important reminder of how disclosure demands can quickly spiral in a manner that affects the privacy of thousands of people with information that extends far beyond basic subscriber data.