Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was police.
A recording is available from Parliament.
11:25 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
They have asked you for more information than you're willing to give out.
11:25 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
They ask for both warranted and warrantless, and we often push back.
11:25 a.m.
NDP
The Chair NDP Pat Martin
I'm afraid your time is up, Mr. Ravignat.
We'll move to the Conservatives, to Mr. Calandra, for five minutes, please.
11:30 a.m.
Conservative
Paul Calandra Conservative Oak Ridges—Markham, ON
Thank you, Mr. Chair.
Thank you very much, witnesses.
Mr. McKay, I have to tell you that I've been on the committee a number of times when Google has had an extraordinarily difficult time of it, but I think that today I'm going to just focus on Rogers for a little bit.
It might be surprising to you, but I want to congratulate you on this report, Mr. Englehart. I'm not sure if Bell or Telus does this, but this is actually very informative. I don't know if we could inquire with Bell or Telus to see if they put something like this together, but I think this really helps us understand what access is.
Mr. Ravignat talked about government accessing or calling you. I think he has left the impression that the Prime Minister's Office is calling you and seeking the information on a subscriber. Is that what we're talking about here? When we talk about government, your statistics seem to suggest that either the revenue department is calling you or a law enforcement agency is calling you. Am I correct that those are the types of requests you're getting?
11:30 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
That is absolutely correct, sir. It's either a department that has a specific statutory power to make that request, or it's a law enforcement agency.
11:30 a.m.
Conservative
Paul Calandra Conservative Oak Ridges—Markham, ON
In the law enforcement agency, we've heard a lot about this and I've done reverse lookups myself. When I got back here in October there was a little bit of an issue going on with the Senate and there were some e-mails and phone calls that were almost troubling, let's put it that way. In the course of that, you do a reverse lookup and you can see, but your number portability is a cause of grief because people do transfer now from Rogers to Bell.
I'm wondering, when the police are contacting you, if you have some examples of emergency situations. Do you have any examples at all of an emergency situation where Rogers was asked by the police to help and what type of information you provided or what the situation was?
11:30 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
Yes. In fact, my colleague Mr. Storr and I flew up on the plane today and he showed me an e-mail that he got this morning, which was an e-mail of thanks. What happened was a police officer on a post-traumatic stress disorder website posted that they were going to commit suicide. Mr. Storr's group got an emergency request, could they give them the name associated with this IP address. He provided the name and address information and this morning the thank you note he got told him that a life had been saved as a result.
Those type of events are very common. We get those type of requests all the time.
11:30 a.m.
Conservative
Paul Calandra Conservative Oak Ridges—Markham, ON
This might be an unfair question to ask. I guess I can ask both of you. What kind of investments are you talking about? I assume protecting identity is a massive...I don't want to say it's a new problem, but the way people are attacking and getting access to identity now is changing, obviously. What kind of resources...I know you say you have 250 engineers, Colin, but what type of financial investment are you talking of making, both of you, to combat this?
Colin, do you want to start?
11:30 a.m.
Head, Public Policy and Government Relations, Google Inc.
I think the answer can only be anecdotal because, obviously, we're in a very well-placed position to make significant investments. The reason you see new companies and new software initiatives frequently being the victims of data breaches and large scale criminal enterprise is they don't have the resources to apply to security. They have the barest skills and investments.
We are talking about significant investments in the technical infrastructure. Also there is a skills war for people that understand this space and understand the latest vulnerabilities and how to resolve them. As well, there's the compliance and legal regime that it takes to build the sort of reporting structure that Rogers has just announced today that we have in order to deal with law enforcement requests in a fair, equitable, and rapid manner. It's a sizeable investment.
For us it's one that we're willing to make because we need to maintain our users' trust and provide them with accountability, but honestly it's a continuing challenge. In many cases it's one where you have to share resources between companies as well.
11:35 a.m.
NDP
The Chair NDP Pat Martin
Thank you, Mr. Calandra. Your time is up.
I do apologize to everybody for this truncated version of what is otherwise really interesting and important information.
To the Liberals now, Scott Andrews, for five minutes, please.
11:35 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
Thank you very much, Mr. Chair.
Mr. Engelhart, the 87,000 yes or no requests obviously take a lot of time. Is there a centralized port for these requests in your organization? If it goes beyond a yes or no and it gets to an emergency level, how do you process these internally?
11:35 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
There's a group of professionals that Mr. Storr manages that is staffed 24-7. They do those type of requests and also 911 requests.
11:35 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
You talked about no IP addresses are given. Could you give an example of where an IP address would be given? Under what conditions would an IP address be given?
11:35 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
It's only with a warrant, or if you notice from the numbers, there are 711 child exploitation requests. We will give an IP address with a child exploitation request. The third category is an emergency. Those are the three categories.
11:35 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
The emergency number is 9,000. Do you think that's high or is that reasonable? I did some quick math on it and it's some 25 a day. Is that a reasonable number?
11:35 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
Yes, but you have to realize that these are for the most part from the police. There's another probably five times that number that come from 911 operators which are sometimes police and sometimes not, so it's even bigger than that number, but because those are 911 operators, we don't consider that to be a law enforcement request, but a telephone request. That's why they're not included in that number.
11:35 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
When we hear about identity theft, we hear about people building identities. Quite often, commonly, that's around obtaining an address, a phone number, and all that. Could you shed some light on that, on people trying to gain someone's identity, getting a phone number, and building up this type of identity? Could you then tie that into burner phones and people who are reselling phones? Is that a big issue for identity thieves?
11:35 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
Yes, I would agree with everything that Colin said. There are high-tech breaches or high-tech attacks, and there are also low-tech attacks. We have a huge bunch of engineers and computer scientists who are constantly protecting our networks from attack, but there's also low tech. For example, the Target breach in the U.S., when the information of 40 million customers was stolen, started with someone getting a job as a caretaker at a Target store so that he could attach some devices at night when no one was looking.
That's a real problem, too, when organized crime is infiltrating call centres and infiltrating stores to try to steal identities. You have to be very vigilant about the high-tech stuff and also very vigilant about the low-tech stuff. Then there are the good old-fashioned con artists, who will call the call centre and pretend to be you or pretend to be me. We have to be vigilant with all that too.
Those are the kinds of areas where we're fighting identity theft every day.
11:35 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
Colin, in regard to fictitious e-mail accounts and people setting up fictitious e-mail accounts to establish identity, do you see a lot of this? Do you have a lot of interaction with law enforcement in terms of people setting up these types of accounts to build identities for individuals?
11:35 a.m.
Head, Public Policy and Government Relations, Google Inc.
I can't speak specifically to whether we've had a relationship with law enforcement about that, but certainly, any open e-mail system provides some level of anonymity or pseudonymity, and you can create an e-mail account under whatever name and specific identity you'd like. There are certain safety measures as you try to build out that relationship with us as a company, because then you start to provide more information about you as an individual, which is harder to fake. It needs more of an element of verification, but it's certainly still quite an easy process to follow through on.
On the tail end, as law enforcement is looking for information about that account, I have to echo what Ken has been saying about the processes Rogers follows. We don't hand over information without a warrant, without a court order, except in a situation where there are exigent circumstances, where there's going to be harm, or specifically in the case of child sexual imagery, where we take as many steps as we can with partners that we have worked with over the long term to shut down that activity and provide information so that the case can be followed up.
11:40 a.m.
Liberal
Scott Andrews Liberal Avalon, NL
Kenneth, on Rogers helping with victim support for people whose identities have been stolen, does Rogers have any mechanisms to support victims of identity theft?
11:40 a.m.
Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
If we have a breach that has happened to one of our customers, we of course inform them right away. Then we will give them free access to credit-limit monitoring so they can monitor their credit score and make sure no one is impersonating them.