Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Kenneth Engelhart  Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.
Colin McKay  Head, Public Policy and Government Relations, Google Inc.

11:10 a.m.

The Chair NDP Pat Martin

Good morning, ladies and gentlemen. We'll convene our meeting.

We apologize to our witnesses that we're late due to unavoidable circumstances.

Welcome to the Standing Committee on Access to Information, Privacy and Ethics. We're here today to continue our study on the growing problem of identity theft and its economic impact.

We are very pleased today to welcome representatives from Rogers Communications Inc., Mr. Kenneth Engelhart, senior vice-president of regulatory and chief privacy officer, and Mr. Aaron Storr, director of law enforcement support.

From Google, we are pleased to see again and to welcome back Mr. Colin McKay, head, public policy and government relations.

To both witnesses today, we have to apologize. We understand that the bells may ring again within about 25 minutes. What we're going to ask you to do is to enter your presentations into testimony. If there is any time at all, we'll divide it up evenly between the three parties, if that's agreeable. It may amount to one or two questions per party, and then we'll have to go when the bells begin to ring.

Having said that, I understand there is one matter of committee business to deal with before we invite the witnesses to speak.

Mr. Calandra.

11:10 a.m.

Paul Calandra Conservative Oak Ridges—Markham, ON

Briefly, I seek unanimous consent to call Mary Dawson before the committee next Tuesday for 90 minutes and perhaps have committee business afterwards.

11:10 a.m.

The Chair NDP Pat Martin

Does Mr. Calandra have the unanimous consent of the committee?

Mr. Ravignat.

11:10 a.m.

Mathieu Ravignat NDP Pontiac, QC

He does, indeed, and I think that's a very reasonable amount of time. We look forward to it.

11:10 a.m.

The Chair NDP Pat Martin

Mr. Andrews of the Liberal Party.

11:10 a.m.

Scott Andrews Liberal Avalon, NL

Yes, that's fine.

11:10 a.m.

The Chair NDP Pat Martin

All right, it's agreed then. We'll advise the clerk to invite the Ethics Commissioner, Mary Dawson, to be our witness on Tuesday for a 90-minute presentation.

That's excellent.

Okay, gentlemen, in the order that we have you on our witness list, from Rogers Communications, Mr. Kenneth Engelhart, would you like to make your presentation, sir.

11:10 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

Thank you for inviting Rogers Communications to appear before this committee.

You have broadened the scope of your hearings to include an examination of the disclosures that telecommunications carriers make to law enforcement agencies, and it is that topic that I will address in my remarks.

There has been considerable interest in this topic among members of the public and the media, and we are grateful for your committee's work and its allowing us to come forward to explain our procedures on the record.

Rogers is a diversified Canadian media and communications company, and the needs of our customers come first. We want to provide them with the best communications services possible and make sure they know that their personal information is safe and secure. However, as good corporate citizens, we also have to comply with law enforcement agencies who request Rogers' assistance in their efforts to keep our country safe.

I am pleased to share Rogers' “2013 Transparency Report” with the committee. It was just released this morning. This report is designed to provide more details on the number and types of requests we received from government and law enforcement agencies in 2013. We are proud to be the first telecommunications company in Canada to share this information publicly.

As you'll read in the report, Rogers received 174,917 requests for customer information in 2013. These requests fall into six categories, which I will detail for you now.

First, police and similar agencies provide us with court orders or warrants requiring us to release customer information to them.

Second, some government agencies have statutory authority to request information. For example, Revenue Canada has such authority under the Income Tax Act.

Third, we receive emergency requests from 911, public safety answering points, or police in life-threatening situations. These could include missing persons cases or cases of individuals in distress. We help them to locate someone with a cellphone and provide contact details for people who have called 911 and who may be unable to communicate.

Fourth, police sometimes send us a letter stating that they are investigating child exploitation and may need information so quickly that they do not have time to get a court order or warrant.

Fifth, we sometimes get an order from the courts pursuant to the Mutual Legal Assistance in Criminal Matters Act. These are requests from foreign jurisdictions that have contacted our Department of Justice. Because we have a treaty or convention with these countries, our courts process their requests. Note that we do not answer all requests that we receive. If we consider an order to be too broad, we push back and if necessary go to court to oppose the request.

The final area is the one which I believe has attracted the most attention. These are customer name and address checks. Very often the police are not sure which carrier they need to seek a warrant for. For example, they will come to us to ask whether a person who lives at a certain address or who has a certain phone number is a Rogers customer. We say either yes or no. There are other similar types of requests made under this category.

We believe this information is useful for the police so that they do not seek a warrant against the wrong carrier or regarding the wrong person. There has been a great deal of interest in the press about these warrantless searches, but they are a means by which the police can identify whom they should be getting a warrant or order against.

There has also been a great interest in the acquisition by some American agencies of metadata without search warrants. I can assure this committee that Rogers has not released and does not and will not release metadata to any law enforcement agency in Canada without a search warrant.

Further, as I said earlier, we would not process a request that amounted to a fishing expedition. Our customers' privacy is important to us. We believe more transparency is helpful and we encourage the Government of Canada to issue its own report to shed more light on these requests.

I would be most pleased to answer your questions.

11:15 a.m.

The Chair NDP Pat Martin

Thank you very much, Mr. Engelhart. We appreciate your remarks.

Next, we will invite Google Incorporated to present to us.

Mr. Colin McKay.

11:15 a.m.

Colin McKay Head, Public Policy and Government Relations, Google Inc.

Thank you very much, Mr. Chair.

I'm pleased to appear before the committee again, the first time this session, to speak about such an important subject, information security and identity theft.

My comments don't reflect this, but I'll just make a note right now that I'm glad that Rogers has come out with this transparency report. Much of what Ken has just described is contained in a similar report we issue every six months that can be found at www.google.com/transparencyreport.

Let me start off my comments with a short list. I have two, but I'll cut one to save time. It's just a series of phrases: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess, and qwerty. That's right, those are passwords from a recent breach. The second list I have is quite similar.

Unfortunately, when it comes to information security, experience has shown that the weakest link in the chain is often the user.

Let's face it. None of us likes memorizing complex passwords made of strings of letters, numbers, and special characters, especially in a world where every website asks us to log in. Unfortunately, we're all possible targets. Not a month goes by without another effort to break into networks, steal passwords, and gain access to our accounts.

You've heard from previous speakers at this committee about the groups that try to hack payment systems, collect social insurance numbers, surreptitiously swipe financial data, and social engineer their way into offices and networks. These could be concerted criminal attacks or just the ham-handed attempts of relatively young script kiddies.

Many of their strategies rely on exploiting our habits, a willingness to believe a Facebook friend is truly stranded abroad, replying to a fake security warning from an e-mail provider, or believing network support is actually calling us at our desk but just needs our password to provide us with the support to make our work so much easier.

At Google we build systems and tools that alert our users to possible attempts to access their accounts and information. We give them information about sites that may try to inject malware and take over their computer and we work very hard to make the most secure networks in the world.

In a previous meeting, I asked this committee who uses Gmail, and so has my colleague and there's a consensus around the table.

Gmail processes billions of messages every day. It has an outstanding track record when it comes to protecting users from spam. Gmail users have become used to not seeing spam in their inbox for years and years. In fact, when a spammer tries a new type of junk mail, our systems often identify and block it from Google accounts within minutes, and if it does happen to land in your inbox, you could press one button, sending our systems a signal that we should consider similar messages as spam.

What about search results? Our technology examines billions of URLs across the web, looking for dangerous websites.

What do I mean by dangerous? It could be a site that injects malicious code. It could try to trick you into downloading a software package containing a virus. It could be a phishing site masquerading as a legitimate financial site.

We try to provide users with visual cues, like warning notes or even huge and obvious red interstitial images to prompt them not to click on dangerous links. The results? Every day we find more than 7,500 unsafe sites and show warnings on up to six million Google search results and one million downloads.

More than one billion people receive protection against phishing and malware every day because of the warnings we show users about unsafe websites through our safe browsing effort. We share this data with the other browsers Safari and Firefox, so their users are protected as well.

After all, the goal is to protect the Internet from illicit behaviour and extremely poor user experience, extremely poor being identity theft in its most horrible outcome.

At Google, we're continuously investing in network and data security. Security is a core part of our engineering culture. At our offices in California, New York, Munich, Zurich, and Montreal, we have a team of more than 250 full-time security engineering experts whose job is to help the company remain at the forefront of innovation in information security.

Let's return to passwords. We can agree that passwords are a compromise between security and convenience. We as users often abandon security in order to maximize convenience.

Just as a thought, do people around the room recognize why qwerty is a popular password? It's the sequence of five letters on the upper left-hand corner of the keyboard. It's the same combination in Russia on the Cyrillic keyboard.

The challenge is to create a verification process that is sufficiently complex to slow or halt attempts to access your accounts, but still convenient for the average user. Often this means innovation.

In 2011, we launched two-step verification for your Google account. Two-step verification demands that you verify your identity with a password and another passcode delivered to a separate device, whether a phone, a separate USB device on your computer, something specific. This provides a stronger layer of sign-in security. Even if a thief or hacker manages to steal your password, that's not enough to access your account. We offer this protection free to any account holder.

What about networks? Over the past year we've expanded session-wide secure sockets layer encryption to be the default when you're signed into Gmail, Google Search, Google Docs, and many other services. This protection stops others from snooping on your activity when you're on an open network, such as when you use your laptop at a coffee shop.

We've encrypted the data that flows between our data centres, and our security experts are continually working to extend and strengthen this protection across more services and links. This week we provided a tool to help our users identify how much e-mail sent between Gmail and external e-mail providers is encrypted in transit. After all, you can have the strongest encryption on your desktop, but if you're sending e-mails to someone with an unsecured system, that end of the system is insecure. This is important because e-mails are not encrypted in transit unless e-mail providers on both ends support it.

Finally, we react quickly to identified security threats. We have Chromium and web vulnerability reward programs and pay hackers and security researchers significant amounts of money to identify security exploits and weaknesses in our programs and services. Over the past four years, we've paid out nearly $3 million to researchers.

Importantly, when a security exploit is identified, we have it patched and rolled out to hundreds of millions of users within hours. The sequence goes like this: A security researcher, who's worked on a particular weakness in our system and identified a way to win control of our system over a matter of months, comes to a contest and tells us about it. We tell them we're going to give them a large chunk of money, and by the end of the day, that's no longer a weakness because our engineers jump on it and solve that problem.

Google goes above and beyond to make sure our users' information is safe, secure, and always available. Our commitment to the security of our users' data is absolute, and we will keep fighting against anyone and everyone who tries to compromise it.

Thank you very much.

11:20 a.m.

The Chair NDP Pat Martin

Thank you, as always, for a very good and useful presentation.

Happily, we have about 20 minutes remaining. We understand the bells will begin at about 11:45. That leaves us, I would say, enough time for one round of five minutes for each party. If that's agreeable to committee members, we'll go ahead with that.

First up is the official opposition, the NDP, Mr. Mathieu Ravignat.

You have five minutes, please, Mathieu.

11:20 a.m.

Mathieu Ravignat NDP Pontiac, QC

Thank you, witnesses, for being here. It's a pleasure to see you in committee.

I think it's fair to say that Canadians are more worried about their privacy than they have ever been, that in a way, we're not keeping up with technological changes, and maybe the education of the public is not keeping up. I think, to a certain extent, telecom businesses in this transitional period have a social and corporate responsibility to inform their clientele.

I'm also concerned about privacy breaches that go on in government, and the relationship between government and telecom companies. It would seem that this government has requested personal information from you at an alarming rate. I was wondering whether or not you could speak to why you don't inform your clients when that information is asked from you by government.

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

Thank you very much for that question.

I think the report we've circulated this morning is the first step in at least giving our customers and this committee and the government and interested parties an understanding of the extent to which law enforcement agencies request the information. I think, as other companies provide this information, it will start to provide some data so that informed debate can take place.

In terms of the specifics—

11:25 a.m.

Mathieu Ravignat NDP Pontiac, QC

Sorry, you've made me think of something. In the absence of a warrant, you're not obligated to give that information to law enforcement, right?

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

That's correct.

11:25 a.m.

Mathieu Ravignat NDP Pontiac, QC

But you choose to do so?

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

That's only in very limited circumstances, and it's really name-and-address type information, or in an emergency situation.

In an emergency, of course we're going to do it, because someone's life is at risk and they don't have time to get a warrant. For the name-and-address information, for example, whether Colin McKay is a Rogers customer, yes or no, we'll answer “yes” or “no”; otherwise, they get a warrant against us. If it turns out he's not our customer, then they will go to Telus. If it turns out he's not their customer, then they will go to Bell. It saves the police time. We don't think it's an infringement of our customers' rights, because it's just a way to save the police the difficulty of knowing whom to get the warrant against. That's why we do it.

11:25 a.m.

Mathieu Ravignat NDP Pontiac, QC

But this information is available elsewhere.

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

In many cases it is. They could do a reverse lookup for some of it on the Internet. That's another reason we don't think it's terribly significant.

11:25 a.m.

Mathieu Ravignat NDP Pontiac, QC

My cynicism steps in and asks why, then, they are coming to you. It doesn't seem to make any sense to come to you for information they could get elsewhere, or that they're used to getting elsewhere, unless they're getting other types of information.

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

Let me give you an example of why they might.

We have something in the telecommunications system called number portability. Say you were a Rogers customer and you made the terrible decision to become a Bell customer. Then you could port your number or move your number from Rogers to Bell. It could happen that the number you looked up on the Internet was yours, but it's not the number of a Rogers customer anymore. That's one reason they might want to come to us.

It can also happen that the number was returned to the number pool and is now held by another customer and the Internet is still showing it as customer A but it's now customer B.

There are all those different reasons why, to save time, they come to us.

I can assure you that we would rather just provide telephone service. If we had our druthers, we would rather not respond to these police requests at all, but we're good corporate citizens and we try to do a balancing act between doing everything we can—

11:25 a.m.

Mathieu Ravignat NDP Pontiac, QC

Internally, do you have criteria or standards in place or a review process in place whereby you deal with these demands and sometimes say, “No, I'm sorry, but I can't give you that information”?

As well, does the government ask for information that you don't give out? Can you confirm that they've asked you for information that you don't give out?

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

Oh, of course.

11:25 a.m.

The Chair NDP Pat Martin

It will have to be a very brief answer, please, Mr. Engelhart.

11:25 a.m.

Kenneth Engelhart Senior Vice-President, Regulatory and Chief Privacy Officer, Rogers Communications Inc.

Yes, indeed.