TekSavvy Solutions Inc 800 Richmond Street TELEPHONE +1 519 360-1575 FAX 519.360.1716 Chatham ON N2M 5J5 TOLL FREE 1 877-779-1575 teksavvy.com
Bram Abramson Legal & Regulatory Direct Line +1 647 479-8093 [email protected]
RE: Request to Access Personal Information
Dear TekSavvy User:
Thank you for requesting a copy of records containing information directly associated with your name, phone number, e-mail, or account number. This is TekSavvy’s response. It consists of:
A. background about this response; B. a description of our policies and practices with respect to the management of personal information, including responses addressing each type of specific record you asked about; C. an overview of the attached report, in light of the above; and D. a PDF containing records responsive to your request.
Items A through C are set out below. Item D is provided in a separate document.
A. Background
I would first like to apologize both for this letter’s impersonal nature and for its longer-than- hoped-for response time. The volume of access requests we have received has made it impracticable to prepare a separate cover letter for each one, and has made the timelines under which we must prepare it challenging. I would like to explain why.
We have received two waves of access requests based, like yours, on a template relying on Principle 9 (“Individual Access”) of the Model Code for the Protection of Personal Information which, reproduced at Schedule 1, section 4.9 of the Personal Protection and Electronic Documents Act (“PIPEDA”), is given force by sections 5 and 8 of the same Act.
The first day of the first wave of such requests, which followed online publication of the template you used, saw more requests than TekSavvy had, by all accounts, previously received in its history as a company. The second wave of these requests was enabled by an online web form allowing these templates to be filled in and emailed in a few keystrokes, and in turn dwarfed the first wave. Put simply, we have been swamped.
Principle 9 requires us to inform individuals of the existence, use, and disclosure of their personal information and give them access to that information, attempting to be as specific as possible, within a reasonable time and at minimal or no cost to the individual. Section 8 sets out the procedural rules by which such information is to be provided. In developing our response to templated access requests like yours, we reviewed the Model Code scheduled to PIPEDA, section 8 of PIPEDA, and some of the surrounding case decisions and summaries, and took note of the following. - 2 -
First, organizations which receive access requests under Principle 9 may extend them in certain circumstances. For instance:
where meeting the 30-day time limit would unreasonably interfere with the activities of the organization receiving the request, the organization may extend the time limit for a maximum of 30 days,1 and
if the personal information is to be converted into an alternative format, then the organization may extend the time limit for “the period that is necessary in order to be able” to do so.2
We have revised our organization’s activities in order to work to meet PIPEDA’s deadlines as nearly as possible. A significant portion of our effort has been related to converting the personal information requested into a format that could be outputted within a reasonable timeframe. So, while we have moved as expeditiously as we are able, you should know that both of the above circumstances were in place.
Second, organizations seeking to respond to very broad information requests that could be extremely far-reaching and even prohibitively costly to fulfill are given two options. They can (a) ask the requesting party to be more specific, or (b) conduct a reasonable search of information that is reasonably responsive to the request made, such as by searching the information collected, used, and disclosed in the course of ordinary business operations.3 Given the content and context of the template you used, we came to the conclusion that the second option was the better approach. In particular, we concluded that access requests based on the template were likely intended to obtain better information in view of reports of enormous volumes of information disclosed by certain Canadian telecommunications companies to state agencies.4 We have therefore conducted a reasonable search of information collected, used, and disclosed in the course of our business operations.
Third, adjacent to Principle 9 (“Individual Access”), under which your access request was filed, the Model Code also advances a Principle 8 (“Openness”) stating that “[a]n organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information”, including: a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded; b) the means of gaining access to personal information held by the organization; c) a description of the type of personal information held by the organization, including a general account of its use;
1 S.C. 2000, c. 5, sub-paragraph 8(4)(a)(i). 2 Paragraph 8(4)(b). 3 Johnson v. Bell Canada, 2008 FC 1086. 4 See, e.g., Christopher Parsons, “The Murky State of Canadian Telecommunications Surveillance”, March 6, 2014 (online: https://citizenlab.org/2014/03/murky-state-canadian- telecommunications-surveillance/), and Openmedia.ca, n.d. “Request access to your personal information” (online: https://openmedia.ca/myinfo). - 3 - d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and e) what personal information is made available to related organizations (e.g., subsidiaries).
The broad-ranging nature of the requests we received may also have reflected the potential perception that information about our own policies and practices relating to the management of personal information were difficult to find so that, rather than ask for further information about those policies, you chose instead to ask about the specific information that pertains to you that arises from those policies and practices. We have therefore included, in Part B of this cover letter, information responsive to Principle 8 (“Openness”) about TekSavvy’s policies and practices relating to the management of personal information. But we also invite you to consult our privacy policy as it currently stands,5 and the more detailed information which we provided in early June6 and which is the initial portion of an update we will complete later this year to that policy.
Based in part on our approach to the three items described above, we began responding to the first wave of templated access requests manually, based on the records to which we have access by searching the information collected, used, and disclosed in the course of ordinary business operations. I estimate that fulfilling each such response took at least six hours..
The second wave of templated access requests made it clear that we would no longer be able to respond to them manually, as it would not have been possible to meet these requests within 30 nor, likely, within 60 days. Ironically, our systems are simply not set up to provide the ease of access to your personal information that fulfilling these requests quickly requires. We therefore instead reallocated software development resources to automating as much of this process as possible within a month. The attached records reflect the results of reports which we now have the ability to generate automatically, although not instantly.
We have not yet been able to automate the conversion of certain information into a format that can be detached from our internal systems. In particular:
We continue to work towards automating the correlation of IP addresses to subscriber name and account, which is challenging, particularly in view of the range of access networks with which we interact and there heterogeneous systems in place for enabling access on them. That automation is not complete. As a result, if you are an Internet access subscriber then, unless you have purchased the use of a static IP address that does not change, the attached report does not include IP address logs which are generated and stored for a limited time by our systems. We have therefore set out below our policy, which we hope will address your general concerns. Should you require your IP address correlation records, please let us know, and we will task a team member with generating them as soon as we can.
5 Online:
Our marketing systems, including our CASL tracking information, are maintained separately, and their setup is such that automating the production of records that can be detached from our internal systems, which is very challenging, was well beyond the scope of what we were able to accomplish in 30 days. Here, too, we have therefore set out our policy and, in addition, provided screen shots in order to show you the type of information we collect, but also invite you to inform us should you require your specific information.
However, we hope you will first review the information below, and attached report attached, to assess whether it satisfies your requirements.
B. Policies, Practices, and Records
Our approach to the management of personal information is bound, as well as by PIPEDA, by our network management policies and by the CRTC’s confidentiality provisions.
Our policy for network management is to not use technical Internet Traffic Management Practices (“ITMPs”) to discriminate against any application, any protocol, or any class of application or protocol. We therefore do not have a business purpose for detailed information about your behaviour, such as traffic destinations or types, and so we do not collect it and would be unable to disclose it. We do have a business purpose for (a) data based on correlating the subscriber name and address information that we pair with your modem’s unique identifier (MAC address) and the Internet Protocol address you lease, which it is our policy to delete that information within 30 days, and (b) aggregate data volumes downloaded and uploaded each day, which we require in order to enable our non-unlimited Internet plans that involve a non- overnight download cap plus overage. If you are an Internet access customer, then this data is included in the attached report.
We are also bound by, and adhere to, the CRTC’s confidentiality provisions. They are rules that prohibit, unless pursuant to the customer’s express consent or to “a legal power”, disclosure of information other than a customer’s name, address, and listed telephone number to anyone but (a) customers themselves or (b) their agents; another (c) telephone company or (d) service provider, for operational purposes and provided it is on a confidential basis; or (e) a collections agent, again on a limited basis.7
By “a legal power” TekSavvy has understood the CRTC, and related provisions in PIPEDA, to mean a situation in which the service provider is legally compelled to disclose personal information, not simply one in which we are permitted to. We therefore have not, since we came to this view earlier this year, disclosed customer name and address information, which is the only personal information we have ever disclosed, except in response to: a legally binding obligation, which thus far has always been either a warrant or a production order; or instances in which the conditions for such an obligation were present but emergency “exigent circumstances”8 prevented a warrant or production order from being obtained.9 As a result,
7 Confidentiality provisions of Canadian carriers, Telecom Decision CRTC 2003-33, 30 May 2003, paragraph 49, as extended by the follow-up in Telecom Decision CRTC 2004-27, 22 April 2004, paragraph 22. 8 See, e.g., Criminal Code, R.S.C. 1985, c. C-4, section 487.11 (“A peace officer, or a public officer who has been appointed or designated to administer or enforce any federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament, may, in the course of his or her duties, exercise any of the powers described in subsection 487(1) or 492.1(1) without a - 5 -
TekSavvy has disclosed few records to Canadian state agencies without consent, and to my knowledge has not done so in any context other than a criminal investigation, which we are typically not allowed to tell anyone about, or exigent circumstances. If you have not been informed that your information was disclosed to a state agency, and have not been involved in a criminal investigation, then your information has not been disclosed to a state agency.
In addition to the general information on our policies and practices set out above, the template on which your inquiry was based identified certain specific kinds of record.
Q1. All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers).
A1. We do not log any information, such as IP addresses, domain names, or port numbers, of sites that you visit, so we do not have such logs.
We do log IP addresses associated with your devices and account. For DSL-based access, we log IP addresses assigned directly to user accounts. For cable-based access, we log IP addresses assigned to devices’ MAC addresses through which we, in turn, link the IP address to the associated user account.
It is our policy to retain this correlation information for up to 30 days following the end of each IP address lease. We have continued to propagate this policy through our systems. We diverge from this policy if this policy has not yet been implemented on a particular subsystem, a process from which the automation of these access reports has drawn away resources; or when the correlation information is the object of a litigation or law enforcement hold, in which case we safeguard the information for a limited period subject to the production of a judicial order.
On the latter, please note that with the recent proclamation into force of sections 41.25 and 41.26 of the Copyright Act effective January 1, 2015, we—and all providers of “the means” for “electronic locations” such as an IP address to be “connected to the Internet or another digital network”—will be required to place such a hold for six months on the records linking any “electronic location” in respect of which we receive a conforming notice of claimed infringement, to an account. Anyone whose account information becomes subject to such a hold, which we will limit to what is legally compelled to be disclosed and will not release to any third party without a warrant or production order, will be notified immediately upon the start of that six-month period and, if a court orders an extension of it, any such extension.
Q2. Listing of ‘subscriber information’ that you store about me, my devices, and/or my account.
A2. Our subscribers can access much of the information that we store about them online through TekSavvy’s My Account portal. This includes name, address, billing email, service and billing addresses, and phone number. It also includes usage information,
warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant.” [emphasis added]) 9 The Supreme Court’s decision in R. v. Spencer, 2014 SCC 43, confirms this view. - 6 -
billing summary and next bill date, Internet bandwidth usage (typically for the current and previous two months), modem type, and MAC address.
Please, therefore, refer to your MyAccount information and to the attached records. Certain third-party personal information pertaining either to our employees, or to other parties identified on your account but who are not signatories to your access request, may have been redacted. With respect to our employees, all redactions consist of some combination of the employee’s first initial, first name, and last name. With respect to other parties, redactions consist of individual names or identifiers.
Q3. Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information).
A3. As we do not provide mobile services, we do not have GPS or cell tower information, nor undertake targeted geolocation of devices. We lease out IP addresses internally by neighbourhood, so someone with access to our routing tables could collate information in order to identify the neighbourhood likely associated with such an IP address. However, that would not provide for the style of specific geolocation referred to in the question.
Q4. Text messages or multi-media messages sent and received, including date, time, and recipient information.
A4. As we do not provide mobile services, we do not have text (“SMS”) or multimedia (“MMS”) messages.
Q5. Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocation or cellular tower information associated with the calls).
A5. We currently provide two voice calling services. Both of them are interconnected with the Public Switched Telephone Network. The first, TekTalk, is a managed voice-over- Internet service. The second, Home Phone, is a dedicated primary exchange service.
For TekTalk, we maintain last-ten call information (last ten calls missed answered, and dialed, respectively) and long-distance call detail records. These detailed long-distance records are used for billing, and are archived for tax and dispute resolution purposes.
Home Phone is based on an Incumbent Local Exchange Carrier (“ILEC”) service. Any log or detail record connected with a TekSavvy customer’s use of Home Phone is generated and retained by the ILEC which, in turn, provides monthly billing records to TekSavvy.
Q6. Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications.
A6. Our company does not have mobile device applications.
Q7. Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services. - 7 -
A7. Your transmission and receipt of data using our services does not generate significant records. The attached records contain virtually all of these records to the extent we collect and use them in the course of our business operations. We have excluded the records which you have already received, like billing statements, or to which you have direct access through your My Account customer portal; and have not been able to include dynamic IP address correlation or marketing database information at this time. Further information about them is provided in Item C of this letter. With respect to marketing, please also note that we are reviewing our practices with regard to the log files that relate to IP addresses that visit our sites and with regard to our use of third- party marketing-related analysis tools like Google Analytics.
Q8. Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.
A8. With respect to state agencies: TekSavvy does not disclose personal information, including information about your account or devices, to law enforcement or other state agencies, without either being legally compelled to do so by a court order, or in instances in which the conditions for such an obligation were present but emergency exigent circumstances prevented a warrant or production order from being obtained.
When we are required to disclose information in the context of a criminal investigation, the court order usually contains an order along the lines of the following:
TekSavvy Solutions Inc. and any employee, servant or agent shall not directly or indirectly disclose or permit disclosure of the content, existence or operation of this order, in any matter, or to any person except as may be necessary for the purposes of compliance with its terms or obtaining the advice or assistance of legal counsel unless otherwise ordered by a Court of competent jurisdiction.
If you have not been informed that your information was disclosed to a state agency, and have not been involved in a criminal investigation, then your information has not been disclosed to a state agency.
With respect to non-state third parties: first, please refer to our discussion of the CRTC’s confidentiality provisions above. If we do not have your express consent and have not been legally compelled to do so by a court order, we do not disclose your information other than for limited, operational purposes, and on a confidential basis, to other service providers or to collections agents.
If you purchase cable- or DSL-based Internet access from TekSavvy then, as you know, we have shared your name and address information with one of the following incumbent cable or local exchange carriers in order to provision the underlying access connection that we connect to TekSavvy’s servers and, from there, to the Internet:
Cogeco Cable Canada LP and Cogeco Cable Quebec GP, Rogers Communications LP, Shaw Cablesystems GP, and Vidéotron GP, for cable-based connections; and
Bell Aliant Regional Communications LP, Bell Canada, and TELUS Communications Inc., for DSL-based connections. - 8 -
In the same manner, our Home Phone service is purchased from a third party, Bell Canada, which generates its own billing records and provides them to TekSavvy, as described in A5.
The above general information and specific responses is a description of the type of personal information that TekSavvy holds and uses. As noted, you can access much of the personal information we hold about you by logging onto your My Account portal, including name, address, service address, phone number, email address, usage information, and past bills; and can access the remainder by contacting us directly.
Finally, should you have further questions, complaints, or inquiries about TekSavvy’s policies and practices for the management of personal information, please contact [email protected], or please contact me personally at the coordinates set out on the first page of this letter.
C. Report Overview
TekSavvy adopts an expansive view of what may constitute your personal information, which we believe to be a pro-privacy stance. The attached records therefore pull records from as many data sources as we were able to automate access that are part of our ordinary business operations and that may include personal information collected, used, and disclosed about you. This letter has provided detailed information, above, about these records. Should you require your IP address correlation records to the extent that the attached report does not provide them, or your specific marketing database screenshots, please let us know. We will task a team member with converting them into text files or screenshot formats, as appropriate, that are able to be provided to you as extracted records.
The following screenshots set out my own information in respect of responses to our marketing e-mails, which we track, followed by the marketing data fields we have defined in order to store information—generally, no more than a handful of these fields are actually populated. - 9 - - 10 -
The attached report attempts to include at least the following information, if available:
customer information (name, address, city, postal code, province, phone, fax, language, status), payment method, and email address; hardware, login, and IP address information for static IP address subscriptions; long distance usage and charges; order details and charges, including charges generated through our AccPac system; ticket details, including our notes and communications with you; and specific details for each of the services we provide, a number of which may overlap with the above, and several of which pertain to services that we no longer provide. Most of these fields will be blank.
We do not collect personal information unless we have a business purpose for it, including operations, tax compliance and accountability, and billing disputes. Therefore, should you wish to correct any of the attached information or come to the view that TekSavvy ought not have a business purpose for any of it, please let me know. The bulk of our privacy work in the recent past has been devoted to preparing these access reports. We are anxious to resume auditing our systems for privacy impact and gaps, resulting in the review of what changes to make to our policies and practices with respect to the management of personal information. As an informed user who has already reached out to express your interest and concern on privacy issues, in the form of your access request, we very much welcome your input into that process.
Yours sincerely,
[transmitted electronically]
Bram Abramson Chief Legal and Regulatory Officer
Encl.