On April 29, 2014, University of Ottawa law professor Michael Geist revealed that in 2011, nine of Canada’s major telecom providers and social media sites received 1.2 million data requests from government agencies. The companies complied in 784,756 cases. The total number of requests and disclosures from all telecom companies is likely higher. Read PEN Canada’s statement here.

Postdoctoral Fellow Christopher Parsons put together a guide for customers to request their personal information directly from telecom providers. In this blog, originally published by the Citizen Lab, Parsons argues that “Canadians are not powerless,” and outlines how individuals can take action.



Responding to the Crisis in Canadian Telecommunications

Why You Can Request Your Personal Information

Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimizes such requests and compels organizations to respond to requests when those companies have significant connections with Canada. Obviously, Canadian telecommunications companies that have their headquarters in Canada and that primarily service Canadians meet this requirement.

Using PIPEDA it is possible for Canadians to learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, it can empower Canadians to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship. Significantly, based on the disclosures from the Privacy Commissioner of Canada, it was only after a telecommunications subscriber complained about how their information might be shared that they learned their information had been disclosed to government state agencies.

A Template to Request Access

The following template can be used to compel information your telecommunications provider to disclose the personal information it collects, retains, manages, and discloses about you. The text is written without an assumption of you sending it by email or letter mail, nor is is written for specific services (i.e. for just wireless or just internet services information). As a result, you should be able to send the letter to whatever companies that are providing you with telecommunications service.

Feel free to modify the text as you deem necessary. Sections that are bolded require you to insert information, such as the company, the mailing address, your personal information, or your account information.

[Subscriber mailing address]

[Date]

[Mailing information for company]

To: [Company] Privacy Officer,

Re: [Name of Account Subscriber]

Dear Privacy Officer:

I am a subscriber to your telecommunications service, and am interested in understanding the kinds of personal information that you maintain and retain about me. This is a request to access my personal data under Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of all information that [name of company] may hold about me, including the following:

All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)

Listing of “subscriber information” that you store about me, my devices, and/or my account

Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)

Text messages or multimedia messages (sent and received, including date, time, and recipient information)

Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)

Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications

Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services

Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies

If your organization has other information in addition to these items, I formally request access to that as well. Please ensure that you include all information that is directly associated with my name, phone number, email, or account number, as well as any other account identifiers that your company may associate with my personal information.

You are obligated to provide copies at a free or minimal cost within thirty (30) days in receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.

Please let me know if your organization requires additional information from me before proceeding with my request.

Here is information that may help you identify my records:

Full Name: [Name]

Account Number: [Number]

Email Associated With Account: [Email address]

Phone Number Associated with Account: [Phone number]

Sincerely,

[Name]

Contact Information

The following includes contact information for many of Canada’s telecommunications companies. It parallels the list of companies that Citizen Lab previously asked to voluntarily disclose how, how often, and why they share information with government agencies.

Bell

The Office of the Bell Privacy Ombudsman

160 Elgin St.

Ottawa ON K2P 2C4 Bell Aliant

Attn: Privacy Manager

1st Floor, Fort William Building

P.O. Box 2110

St. John’s, NL A1C 5H6

email: PrivacyManager@bellaliant.ca Bragg Communications

Eastlink

Attn: Privacy Officer

P.O. Box 8660, Station A

6080 Young Street, 8th Floor

Halifax, NS, B3K 5M3

email: privacy@corp.eastlink.ca Cogeco

COGECO CABLE INC.

Attn: Caroline Dignard, Chief Privacy Officer

5 Place Ville-Marie, Suite 1700

Montréal, Québec, H3B 0B3

email: privacy@cogeco.com Distributel

Distributel Communications Limited. c/o Privacy Officer

177 Nepean St. Suite 300,

Ottawa, ON, K2P 0B4

email: privacy.officer@distributel.ca Fido

Chief Privacy Officer

Fido Solutions

800 De La Gauchetière Street West

Suite 4000

Montréal, Quebec, H5A 1K3 MTS Allstream

Allstream Privacy Officer

200 Wellington Street West, Suite 1200

Toronto, Ontario M5V 3G2

email: privacyoffice@mtsallstream.com Primus

Primus Telecommunications Canada Inc.

Primus Legal Department c/o Privacy Officer

5343 Dundas Street West

Toronto, ON, M9B 6K5 Rogers

Chief Privacy Officer

Rogers Group of Companies

333 Bloor Street East

Toronto, Ontario, M4W 1G9 Sasktel

Chief Privacy Officer

SaskTel

13th Floor, 2121 Saskatchewan Drive

Regina , SK. S4P 3Y2

email: privacy.matters@sasktel.sk.ca Shaw

Shaw Privacy Officer

630–3rd Ave. S.W.

Calgary, AB, T3P 4L4

email: privacy@shaw.ca TekSavvy

Privacy Ombudsman

TekSavvy Solutions Inc.

800 Richmond Street

Chatham, Ontario N7M 5J5

Fax: 519–360–1716

email: privacy@teksavvy.com TELUS

TELUS Communications Company Privacy Request Centre

PO Box 2590, Station M

Calgary, Alberta

Canada T2P 5J6

email: privacy@telus.com Videotron

Videotron

Attn: Alain Charlebois, Vice-President, Human Resources

612 St-Jacques Street West, 4th floor, North Tower

Montreal (Quebec) H3C 4M8

Wind Mobile

Globalive Wireless Management Corp.

Chief Privacy Officer

207 Queen’s Quay West

Suite 710, PO Box 114

Toronto, ON M5J 1A7

Canada

email: privacyofficer@windmobile.ca Xplornet

Xplornet Communications Inc.

Attn: Chief Privacy Officer

300 Lockhart Mill Road

P.O. Box 9060

Woodstock, NB, E7M 6B5

Dealing with Non-Responses

Most Canadian companies, and their associated privacy officers, should be familiar with receiving, processing, and responding to these requests for personal information. However, you may find that companies ignore you, or actively resist disclosing information, or attempt to mislead you. Here are a few tips to try to get your personal information if you think the company that you’re working with is failing to comply with your request.

A Reminder

Many of Canada’s ISPs have significant bureaucracies and not all of them are equally resourced or staffed. As a result, sometimes things just get lost. The first thing you can do if you don’t receive a response (including an acknowledgement of receiving your request) is to send a polite note or reminder. This will, ideally, (re)initiate’s the company’s policies and bureaucratic structures to respond to your request. If 30 days go by and you don’t hear anything, then send a polite note asking why they have failed to provide you with your personal information. If you still haven’t heard from them after this reminder, then you can complain to the federal privacy commissioner.

Complaint to the Privacy Commissioner of Canada

The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has/is collecting further information about you) then you have the option of filing a written request to the Office. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Importantly, you don’t need to be a lawyer or privacy specialist to file a complaint!

Note that the OPC does not accept complains by email so you’ll need to file by letter mail to the below address or submit via their website:

Office of the Privacy Commissioner of Canada

Place de Ville, Tower B

112 Kent Street, 3rd Floor

Ottawa, Ontario K1A 1H3

Telephone: 613–947–1698 or 1–800–282–1376

Fax: 613–947–6850

Web complaint address: https://complaint-plainte.priv.gc.ca/en/

The OPC can act as a mediator between you and the telecommunications company in question, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.

Why Your Requests Matter

Beyond simply exercising your legal rights, these requests matter on both the personal and the national level. Personally, by filing these requests you will be empowered to think about whether you’re OK with the amount(s) of information that your telecommunications companies collect or record about you, the duration of time they record that information, and their willingness to explain who they share information with. In effect, you won’t be at the mercy of pundits and talking heads to explain whether the collection of data matters to your life, in the abstract, because you’ll have the data in hand to make your own decisions and reach your own conclusions.

Beyond self-empowerment, it’s important for Canadians generally to file these requests to telecommunications companies because the companies have so steadfastly refused to communicate with the experts, with government bodies, and with interested members of the press. Almost all of the “polite” ways of figuring out what these companies are up to have been exhausted: it’s time, unfortunately, to compel these companies to explain why they collect data, how much of it they collect, and explain why they disclose the information. To be clear, telecommunications companies in the United States and Europe have already begun releasing “transparency reports”, or documents explaining how and why the companies share information with state agencies. Those reports are the result of American and European publics supporting their civil advocates and privacy officers, lending their incredibly powerful voices to the policy and legal efforts that had been ongoing for years. Canadians are amongst the most digitally connected populations on earth: now it’s time for us all to figure out who’s been monitoring, and disclosing, who we’ve been connecting to and whether existing practices need to be reined in.

Christopher Parsons is a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. His research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. He is currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. He is interested in how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.

Photo credit: Headshot from christopher-parsons.com. Slider photo by credit Lord Bullgod via Flickr.