Document Released Under the Access to Information Act

Public Safety Canada
Deputy Minister
Ottawa, Canada K1A 0P8

SECRET w/attachments

DATE:
File No.: NS 6950-01 PS-000483
RDIMS No.: Dragon 25585

MEMORANDUM FOR THE MINISTER

ISSUING GUIDANCE TO TELECOMMUNICATION SERVICE PROVIDERS ON TRANSPARENCY REPORTING
(Decision sought)

ISSUE

telecommunications service providers (TSPs) publishing transparency reports for lawful access requests.

BACKGROUND

Law enforcement and intelligence agencies use lawful access tools to investigate and solve crimes in the digital age. "Lawful access" includes both the use of electronic surveillance tools, such as wiretapping or access to stored email or texts, and requests for basic subscriber information (e.g. discrete identifiers, such as name, phone number, or address). Law enforcement and intelligence agencies require prior judicial authorization to use electronic surveillance tools, except in exigent situations such as a kidnapping. Basic subscriber information may be obtained by court order or voluntarily, depending on the type of identifier requested and other factors. Canadian police estimate that at least one form of lawful access request is made by government agencies to TSPs in about 80-95% of all investigations today.

of growing interest in Canada. There has been a push from the Canadian public, media, civil society, industry, and other groups to be more open on lawful access matters in the wake of the unauthorized disclosures of former National Security Agency contractor Edward Snowden and the release of transparency reports by TSPs in the United States (US), such as Verizon and Microsoft. Several Canadian TSPs have demonstrated an interest in transparency reporting, and Telus met with Government officials in April 2014, seeking guidance on the matter.
In June 2014, two Canadian TSPs, Rogers (TAB 1) and TekSavvy (TAB 2) released transparency reports for the first time. Telus publicly indicated that it had intended to release its own transparency report over the summer months, and has written you to confirm that its report is imminent (TAB 3).

In the wake of these published reports, PS and its partners have now completed their review and determined that there are essentially no legal prohibitions to TSPs publishing transparency reports in the aggregate.

The US Government responded to this issue in January 2014 by issuing guidance to its TSPs recommending that all low figures be represented by a band (e.g. 0-250) (TAB 4).

CONSIDERATIONS

NEXT STEPS

RECOMMENDATION

Should you require additional information, please do not hesitate to contact me or Ms. Lynda Clairmont, Senior Assistant Deputy Minister, National and Cyber Security, at 613-990-4976.

Francois Guimont

Enclosures: (5)

I approve:
I do not approve:

Steven Blaney, P.C., M.P.
Date:

Prepared by: Maciek Hawrylak

Public Safety Canada
Deputy Minister
Ottawa, Canada K1A 0P8

SECRET (with attachments)

DATE:
File No.: NS 6950-01 PS-000483
RDIMS No.: Dragon 25655

MEMORANDUM FOR THE MINISTER

ISSUING GUIDANCE TO TELECOMMUNICATION SERVICE PROVIDERS ON TRANSPARENCY REPORTING
(Decision sought)

ISSUE

telecommunications service providers that publish transparency reports on lawful access requests.

BACKGROUND

Intelligence and law enforcement agencies use lawful access tools to investigate and solve crimes in the digital age. Lawful access includes the use of electronic surveillance tools, such as wiretapping or access to stored emails or texts, as well as requests for basic subscriber information (e.g. specific identifiers, such as name, telephone number, or address). Intelligence and law enforcement agencies must obtain judicial authorization before using electronic surveillance tools, except in an emergency such as a kidnapping. Basic subscriber information may be obtained by court order or voluntarily, depending on the type of identifier requested and other factors. According to estimates by Canadian police forces, government agencies make at least one type of lawful access request to telecommunications service providers in about 80 to 95% of all investigations conducted today.

in the wake of the disclosures by former National Security Agency contractor Edward Snowden and the release in the United States of transparency reports by telecommunications service providers such as Verizon and Microsoft, the public, the media, civil society, industry and other groups have pushed for greater openness on lawful access matters. A number of Canadian telecommunications service providers have shown interest in transparency reporting, and Telus representatives met with government officials in April 2014 to obtain guidance on the matter.

In June 2014, two Canadian providers, Rogers (TAB 1) and TekSavvy (TAB 2), released transparency reports for the first time. Telus publicly indicated that it intended to release its own transparency report during the summer and has written to you to confirm that the publication of its report is imminent (TAB 3).

Following the publication of these reports, PS and its partners have now completed their review and determined that there is essentially no legal prohibition on telecommunications service providers publishing transparency reports in aggregate form.

In January 2014, the United States government responded to this issue by issuing guidance to its telecommunications service providers recommending that all low figures be represented by a range (e.g. 0-250) (TAB 4). Following suit, key stakeholders in Canada have prepared a draft version of similar guidance on transparency

NEXT STEPS

Should you require further information, please do not hesitate to contact me or Ms. Lynda Clairmont, Senior Assistant Deputy Minister, National and Cyber Security Branch, at 613-990-4976.

Francois Guimont

Enclosures: 5

I approve:
I do not approve:

Steven Blaney, M.P.
Date:

Prepared by: Maciek Hawrylak

ROGERS COMMUNICATIONS
REQUESTS FOR CUSTOMER INFORMATION | 2013 TRANSPARENCY REPORT

As a communications company, government and law enforcement agencies approach Rogers looking for information about our customers. This report is designed to provide more details on the number and types of requests we received in 2013.

We fully comply with Canadian privacy law and take active steps to safeguard our customers' information. At the same time we are compelled by law to respond to federal, provincial and municipal government and law enforcement agencies when they have a legally valid request - like a search warrant or court order.

The requests we receive are to respond to warrants and orders from law enforcement agencies. In addition, we receive requests from government departments who are authorized to request information to enforce laws like the Income Tax Act. We also assist police services in emergency life threatening situations.

About half of the requests we receive are to confirm a customer's name and address, which we respond to so police do not issue a warrant to the wrong person. Otherwise, we only provide customer information when forced by law or in emergencies after the request has been thoroughly vetted. If we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request.

Our customers' privacy is important to us and that is why we are issuing this report. We believe more transparency is helpful and encourage the Government of Canada to issue its own report on these requests.
Sincerely,
Ken Engelhart
Chief Privacy Officer

Canadian law governs how we protect private customer information and how government and law enforcement agencies can compel us to provide it to them:

The Criminal Code and other laws allow government and law enforcement agencies to require us to provide customer information.

The Personal Information Protection and Electronic Documents Act (PIPEDA) covers both how we protect customers' information and how we disclose it.

The CRTC Confidential Customer Information Rules (CRTC Rules) set out circumstances under which customer information - other than name, address and listed numbers, which can always be provided - may be disclosed to third parties including law enforcement agencies.

Our Privacy Policy and Terms of Service outline how we safeguard customers' information under these laws and rules.

We only give out private customer information when required by law or in emergencies and after the request has been

See Type of Requests below and our Frequently Asked Questions (FAQs) for more information.

The statistics below represent the total number of requests we received last year. If we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request.

Customer name/address checks: 87,856
Court order/warrant: 74,415
Government requirement letter (compelled to provide under a federal/provincial law): 2,556
Emergency requests from police in life threatening situations: 9,339
Child sexual exploitation emergency assistance requests: 711
Court order to comply with an international Mutual Legal Assistance Treaty request: 40
Total: 174,917

Notes:

1. These statistics include the following scenarios: (a) The information requested was provided; (b) Partial information was provided; (c) No information was provided because it doesn't exist or the person is not a Rogers customer; and (d) We rejected the request or successfully fought it in court.

2. These statistics do not include informal requests such as phone calls from law enforcement looking for information they would require a warrant for. These requests are rejected because there is no legal authority and no formal response is provided.

1. Customer name/address checks:
Legal authority: PIPEDA and CRTC Rules permit confirming basic information like name, address and listed phone number.
Details: These requests are to confirm a customer's name and address, which we respond to so police do not issue a warrant to the wrong person.
Examples of info provided: When provided with a name and address we will confirm whether or not the person is a Rogers customer and when provided with a listed phone number we'll provide the name and address of a customer. IP address is not provided.

2. Court order/warrant:
Legal authority: Issued under the Criminal Code or other laws.
Details: A court order or warrant includes production orders, summons, subpoenas and search warrants issued by a judge or other judicial officer. It compels us to provide customer information to police or other authorities or to attend court to provide evidence/testimony about customer information.
Examples of info provided: Customer account information like name and address, payment history, billing records, or call records.

3. Government requirement order:
Legal authority: Issued under laws such as the Customs Act or Income Tax Act.
Details: An order that compels us to provide customer information to the requesting agency.
Examples of info provided: Customer account information like payment history, billing records, or call records.

4. Emergency requests from police in life threatening situations:
Legal authority: The Criminal Code and PIPEDA.
Details: We assist police services in emergency life threatening situations such as missing persons cases and individuals in distress.
Examples of info provided: Helping locate someone with a cell phone and providing contact details for someone who has contacted emergency services and may be unable to communicate.

5. Child sexual exploitation emergency assistance requests:
Legal authority: The Criminal Code and PIPEDA.
Details: We assist police during child exploitation investigations.
Examples of info provided: Confirming a customer's name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.

6. Court order to comply with a Mutual Legal Assistance Treaty request:
Legal authority: Issued under Mutual Legal Assistance in Criminal Matters Act.
Details: We don't respond to requests from foreign agencies, but we do advise them to have their country's justice authority contact the Department of Justice Canada. If that country has a treaty or convention with Canada, the request is processed by Canadian authorities and an order may be issued by a Canadian court to gather evidence. We're compelled to provide customer information to the police or other authority in Canada conducting the investigation.
Examples of info provided: Customer account information like payment history, billing records, or call records.

1. Which agencies have requested information?
We get requests from many different agencies, including:
Federal agencies like the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canada Border Services Agency, and Canada Revenue Agency
Provincial and municipal agencies like police forces and coroners

2. Do you provide metadata or direct access to customer databases?
No, we do not provide metadata without a warrant, or direct access to our customer databases. We only provide the information we are required to provide and this information is retrieved by our staff.

3. How many times did you provide info? Do you ever reject law enforcement requests?
Our statistics represent the total number of requests we received last year. If we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request.

4. How much do you charge for requests?
For most court-ordered responses for customer information, we assume all costs associated with providing a response. In some cases, we charge a minimal fee to recover our costs based on the work required to comply with requests.

5. Do you fight for customers' privacy rights?
Absolutely, if we consider an order to be too broad, we push back and, if necessary, go to court to oppose the request. Our customers' privacy is important to us and that's why we're issuing this report. We believe more transparency is helpful and encourage the Government of Canada to issue its own report on these requests.

6. How long do you keep customer information?
We only keep information for as long as it's required for business purposes or as required by law. For example, we are required by law to keep customer bills for seven years. We don't keep our customers' communications like text messages and emails because our customers' privacy is important and we don't need this information.
Canada's Personal Information Protection and Electronic Documents Act
Rogers' Terms of Service and Privacy Policy
Public Safety Canada's Annual Report on the Use of Electronic Surveillance

TekSavvy Solutions Inc
DIFFERENT. IN A GOOD WAY.
800 Richmond Street
Chatham ON N2M 5J5
TELEPHONE 519.360.1575
TOLL FREE 877.779.1575
FAX 519.360.1716
teksavvy.com

Bram Abramson
Direct Line 647.479.8093
Legal Regulatory
babramson@teksavvy.ca

Professor Lisa Austin, Faculty of Law, Professor Andrew Clement, Faculty of Information, Professor Ron Deibert, Citizen Lab, and Dr. Christopher Parsons, Citizen Lab, University of Toronto; Professor Colin Bennett, Department of Political Science, University of Victoria; Professor Robert Diab, Faculty of Law, Robert Thompson University; Professor Michael Geist, Faculty of Law, and Professor Valerie Steeves, Department of Criminology, University of Ottawa; Dr. Adam Molnar, Surveillance Studies Centre, Queen's University; Professor Andrea Slane, Faculty of Social Sciences & Humanities, University of Ontario Institute of Technology; and Professor Kevin Walby, Department of Criminal Justice, University of Winnipeg.

VIA E-MAIL:

June 4, 2014

RE: January 20 Data Request (items 1-10); May 1 Personal Information Template

Dear Professors and Drs. Austin, Bennett, Clement, Deibert, Diab, Geist, Molnar, Parsons, Slane, Steeves, Walby, and Winseck:

As you know, TekSavvy Solutions Inc. ("TekSavvy") is a provider of Internet access, voice telephony, and related telecommunication services. On 20 January 2014, you forwarded an email setting out ten sets of questions and sub-questions about TekSavvy's information disclosure practices.
Part of the mission that TekSavvy has set for itself is to innovate in the protection of consumer rights online. Thus far, our focus has been on ensuring that we do so by providing an open, network-neutral, consumer-oriented service. However, the Edward Snowden leaks based in the U.S. and the multi-national investigative activity following them have helped underline a key commitment that is required to achieve this mission, which is strong data privacy and transparency.

In part to better address challenges such as those raised by your letter, by Dr. Parsons' January 22 and March 6 Citizen Lab blog posts relating to it,[1] and a number of public disclosures that have come to light since then, TekSavvy has taken steps to strengthen our internal team dedicated to legal and regulatory matters. In particular, we in April initiated a review of our privacy policy, consumer terms and conditions, and internal practices with respect to information that we treat as personal. This includes all of the information available to us that is about identifiable individuals, including unique device identifiers and metadata that are able to be correlated with an individual's or household's subscription.

Our review involves a full audit of the systems that we have developed as our company has grown from a small access provider to its current size. The purpose of the review is to evaluate how our formal and informal collection, storage, and disclosure practices reflect our commitment and, where appropriate, to formalize our policies and practices in this regard, strengthen them, or both, including the issuance of regular transparency reports. The review is ongoing. Your questions and suggestions have been an important tool in focusing that review.
Because you asked that we respond by 3 March 2014, I would like first to apologise that we have not been able to do so until now.

In view of overlap both in content and in audience, our answers are also responsive to a template published and publicized beginning May 1, when Citizen Lab advocated that Canadian telecommunications subscribers forward it to their providers in order to seek the personal information that their providers collect, retain, manage, and disclose about them. As you can imagine, a not-insignificant portion of our legal and regulatory resources have been devoted to processing and responding to those template requests. General information about our policies and practices as they relate to that template is set out beginning on page 14 below, after the answers to your January 20 questions and sub-questions.

Q1. In 2012 and in 2013, how many total requests did your company receive from government agencies to provide information about your customers' usage of communications devices and services:

A1. In 2012, and 2013, we received 52 requests from government agencies about our customers' usage of communications devices and services. All of these requests were restricted to correlating Internet Protocol addresses with subscriber name and information. All of them were received from law enforcement agencies.
Q1a) Within that total, please list the amount of requests your company received for each type of usage, including but not limited to:
1) Geolocation of device (please distinguish between real-time and historical);
2) Call detail records (as obtained by number recorders or by disclosure of stored data);
3) Text message content;
4) Voicemail;
5) Cell tower logs;
6) Real-time interception of communications (i.e. wiretapping);
7) Subscriber information;
8) Transmission data (e.g. duration of interaction, port numbers, communications routing data, etc.);
9) Data requests (e.g. web sites visited, IP address logs);
10) Any other kinds of data requests pertaining to the operation of your network and business.

A1a) All of those requests were received for 7) subscriber information. None of these requests were received for 1) geolocation, 2) call detail records, 3) text message content, 4) voicemail, 5) cell tower logs, 6) real-time interception, 8) transmission data, including duration of interaction, port numbers, and communications routing data, 9) data requests, including web sites visited, IP address logs, or 10) other kinds of data requests not covered by the categories you have indicated.

Q1b) For each of the request types, please detail all of the data fields that are disclosed as part of responding to a request.

A1b) For request type 7 (subscriber information), the data fields we disclosed were: subscriber name, postal address, telephone number, and e-mail address. All of these disclosures were made to government institutions acting with lawful authority in the context of a criminal investigation.

Q1c) Within the aforementioned total, how many of the requests were made for real-time disclosures, and how many were made retroactively for stored data?

A1c) Within the aforementioned total, all of the requests were made retroactively for stored data (subscriber name and contact details). None of them were made for real-time disclosures, nor related to information to which real-time disclosures would be relevant.

Q1d) Within the aforementioned total, how many of the requests were made in exigent circumstances, and how many were made in non-exigent circumstances?

A1d) The aforementioned total is for 2012 and 2013. During that period, we did not store information as to which requests were made in exigent, and which in non-exigent, circumstances. Rather, during that period it was our practice, consistent with sub-paragraph of to produce information where pursuant to a lawful authority, in the context of a law enforcement investigation, and restricted to basic subscriber information. Since that time, we have further restricted our practice as a result of the aforementioned review of all of our privacy policies and practices. It is now our policy to make such disclosures only in response to a warrant, production order, or instances in which the conditions for such a warrant or order were present but exigent circumstances[3] prevented one from being obtained.

In relation to the above, we understand that draft legislation is currently before the Senate (Bill S-4) which, among other things, would revise subsection 7(3) of PIPEDA. These revisions would, irrespective of any findings the Supreme Court of Canada may make in the interim,[4] broaden the circumstances in which organizations may disclose personal information on their own initiative to third parties, and without a judicial order.

[1] Christopher Parsons, "Towards Transparency in Canadian Telecommunications", 22 January 2014, online: and "The Murky State of Canadian Telecommunications Surveillance", March 6, 2014, online:

[2] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
The revisions would allow organizations to make such disclosures to government institutions or other organizations in relation to a contravention of laws that has been, is being, or about to be committed.[5]

It has been suggested that, had such legislation been introduced earlier, TekSavvy could have responded to the Voltage request[6] differently, such as by choosing to disclose the subscriber information that Voltage requested. To be clear, the policy described above was arrived at despite the draft legislation before the Senate. Should Bill S-4 be passed in its current format, it will not affect TekSavvy's approach to copyright matters.[7]

Q1e) Within the total, how many of the requests were made subject to a court order?

A1e) Within the total, one of the requests was made subject to a court order.

Q1f) Within the total, how many of the requests did your company fulfill and how many did it deny? If your company denied requests, for what reasons did it do so?

A1f) Within the total, we made 17 disclosures (33 percent) pursuant to lawful authority related to criminal investigations, and denied the remaining 35 (67 percent).

While we did not, for 2012 and 2013, store information as to the reasons for denial, please refer to A1d above with respect to our general practice. Non-exigent requests by a government institution that were not made (i) pursuant to a lawful authority, (ii) in the context of a law enforcement investigation, and (iii) restricted to basic subscriber information, would generally have been denied without a warrant or production order.

Q1g) Within the total, please identify how many requests were made by Federal, by provincial, and by municipal government agencies?

A1g) Within the total, 19 requests were by federal government agencies (37 percent). The remainder were made by provincial agencies, of which five were non-municipal (10 percent) and 28 were municipal (54 percent). These agencies were police forces.

Q1h) Do you notify your customers when government agencies request their personal information? If so, how many customers per year have you notified?

A1h) All government agency requests we have received for personal information have related to criminal investigations. Warrants and production orders generally prohibit notification of customers or disclosure of the warrant's or production order's existence to anyone. We have taken the position that the mere aggregation of warrants, production orders, and other requests received in order to enumerate them by relevant category would not in any way inform any third party of the content specific to, or specific existence of, any such judicial order.

We would note that in a non-criminal context, in response to a 2012 request by a third party for disclosure of subscriber information in a civil copyright matter,[8] we notified 2,114 subscribers that the subscriber name and contact details corresponding to their IP address had been requested by a that had apparently tied those IP addresses to unauthorized peer-to-peer transfers of a particular film. To date we have not released any subscriber information to that third party. The judicial order under which we are to do so, which followed court proceedings and ongoing follow-ups, limited the request to name and address information, and maintained strong court oversight as to how this information could be used and when it was required to be disclosed. We believe that this created an important protective framework for consumers.

Q2. For each type of usage in how long does your company retain those records and the data fields associated with them?

A2. Q1a) asked about ten types of usage:

Q2.01) Geolocation of device (please distinguish between real-time and historical).

A2.01) We do not undertake geolocation of devices, such as through third-party IP address geolocation.

[3] Criminal Code, R.S.C. 1985, c. C-46, section 487.11 ("A peace officer, or a public officer who has been appointed or designated to administer or enforce any federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament, may, in the course of his or her duties, exercise any of the powers described in subsection 487(1) or 492.1(1) without a warrant if the conditions for obtaining a warrant exist but by reason of exigent circumstances it would be impracticable to obtain a warrant").

[4] Spencer v. the Queen, Case 34644, Supreme Court of Canada, appealing R. v. Spencer, 2011 SKCA 144.

[5] Digital Privacy Act, Bill S-4 (41st Parl., 2nd Sess.), second reading (8 May 2014), subsections

[6] Voltage Pictures LLC v. John Doe, 2014 FC 161.

[7] However, in the event Bill S-4 continues to move forward, TekSavvy intends to review whether Bill S-4's disclosure powers would affect our practice in the following scenario: we are approached directly by a non-Canadian police force in exigent circumstances, such as a U.S. police force acting on a live hostage or bomb threat traced back by an application provider to a TekSavvy IP address. As currently drafted, it is not clear that PIPEDA allows a telecommunications service provider to respond to such a situation without informing that individual in writing without delay of the disclosure, notwithstanding such disclosure's possible effect on the ongoing response to the live situation. Refer to PIPEDA, paragraph since a non-Canadian law enforcement agency is not a "government institution" as contemplated by sub-paragraph Outsourcing of canada.com email services to U.S.-based firm raises questions for subscribers, PIPEDA Case Summary 2008-394.

[8] Please refer to note 6 above.
We do undertake the following chain of activity: (i) collect modem identifiers (Media Access Control addresses) in order to authenticate their subscription; (ii) associate IP addresses with those MAC addresses, in order to provide Internet access to them; and (iii) insert those IP addresses into routing tables organized geographically, in order to route Internet traffic to and from those Internet access points. Taken together, these data tables would permit geolocation of devices down to the community level.

It is our policy, which we are now implementing, to maintain information that is in the correlation table outlined in (ii) for 30 days. This has been reduced from our previous retention policy, which is 90 days, as a result of the aforementioned review, and we are currently in the process of auditing our systems to ensure the universal deployment of this approach.

Q2.02) Call detail records (as obtained by number recorders or by disclosure of stored data).

A2.02) Call Detail Records are call-level metadata records maintained in respect of voice telephony services. We currently provide two voice telephony services, both of them interconnected with the Public Switched Telephone System: TekTalk, a managed voice-over-Internet service; and Home Phone, a dedicated primary exchange service. We do not have number record records for either service, but do have some stored data, as follows.

TekTalk generates CDRs only for long-distance calls, since local calls are not tolled, and our operational requirement for CDRs is billing-related. At present, those CDRs are archived indefinitely in order to support subsequent billing disputes and analysis and, more broadly, tax and anti-fraud requirements. Our policy review is currently engaged with determining the extent to which we can meet these requirements through aggregation that would allow the deletion of individual CDRs.

TekSavvy Home Phone is based on an incumbent Local Exchange Carrier wholesale service.
Any CDR connected with a TekSavvy customer's use of TekSavvy Home Phone is generated and retained by the ILEC which, in turn, provides billing records to TekSavvy. Like TekTalk toll CDRs, these billing records have thus far been archived indefinitely, which policy is subject to current review.

Q2.03) Text message content.

A2.03) We do not have text message records.

Q2.04) Voicemail.

A2.04) Deleted TekTalk voicemail messages can be retrieved by users for up to 14 days. We have not enabled functionality that would allow the onward storage or retrieval of voicemail messages deleted by the user. We do not store TekSavvy Home Phone voicemail messages, in respect of which we direct users to the third-party providers of these services.

Q2.05) Cell tower logs.

A2.05) We do not have cell tower logs.

Q2.06) Real-time interception of communications (wiretapping).

A2.06) We do not have real-time interception records.

Q2.07) Subscriber information.

A2.07) We retain subscriber information (subscriber name, street address, telephone number, email address where available, social media handles where available) and related billing information even after a subscription ends, in part in order to support the tax, anti-fraud, and related audit functions described earlier. We are currently reviewing our ability to shorten this period to two years after a subscription ends, based on the CASL9 definition of an "existing business relationship", through techniques such as data de-identification and depersonalization. We retain correlation tables linking subscriber information to device identifier, as described elsewhere in this response. It is now our policy to overwrite records in these correlation tables after 30 days.

Q2.08) Transmission data (duration of interaction, port numbers, communications routing data, etc.).
A2.08) With respect to Internet access, we avoid logging transmission data that is personal information, such as IP-address-specific transmission data. The transmission data that we do retain in respect of IP addresses is the time and date on which the IP address began to be used (or "leased") and on which the lease expired due to prolonged inactivity. Apart from this information, and except where operational reasons require it such as for troubleshooting, we do not have further relevant transmission data outside the short window during which it is being read and written by our routing and switching equipment. Any such records retained for operational reasons are used only for that purpose and deleted as soon as is practicable.

Q2.09) Data requests (web sites visited, IP address logs).

9 An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, paragraph 10(10)(a).

A2.09) We avoid logging user data request records that are personal information, such as IP-address-specific web sites or other activity logs. Except where operational reasons require it, such as for troubleshooting, we therefore do not have relevant data request records outside the short window during which it is being read and written by our routing and switching equipment. Any such records retained for operational reasons are used only for that purpose and deleted as soon as is practicable.

Q2.10) Any other kinds of data requests pertaining to the operation of your network and business.
A2.10) The wholesale access services that are an input into our retail Internet access services are billed to us partly on the basis of capacity ("Capacity-Based Billing", or We therefore monitor our users' Internet data usage, which may be reflected on a given bill depending on the package and options they have chosen for that month. This monitoring generates capacity usage records at regular intervals. The capacity usage records do not include port numbers, communications routing data, web sites visited, or other transmission data or metadata. They are aggregated for billing purposes, following which the individual records that have been aggregated are discarded as soon as is practicable.

Our Internet access service is bundled with domain name and email services. DNS requests are anonymized and are not logged. Our email services consist of Internet Message Access Protocol inbound Post Office Protocol and outbound Simple Mail Transfer Protocol services:

- Deleted IMAP and POP3 email messages that can no longer be retrieved by the accountholder are deleted, and no further metadata is stored in their regard - we have not enabled functionality that would allow the onward storage or retrieval of the email messages they have deleted.
- However, use of SMTP to send email generates metadata that is maintained for operational purposes, including spam filtering. At present, those SMTP logs are archived to support subsequent billing disputes and operations analysis, especially trouble-shooting. We are currently reviewing our ability to impose a rolling deletion window for these logs in respect of personal information without hampering operational purposes, such as through aggregation and de-personalization.

We maintain Web pages in order to provide information about our services and, in addition, are active on a range of social media platforms.
We are currently reviewing our privacy practices in respect of these activities, particularly with regard to the log files that relate to IP addresses that visit our sites and with regard to our use of third-party marketing-related analysis tools like Google Analytics. Outside our use of third-party analysis tools, our correlation of IP addresses to subscribers is limited by the rolling 30-day window policy described above.

Q3. What is the average amount of time law enforcement requests for each of the information requests in 1(a) (3-5 days of records)? What is the average amount of time that your company is typically provided to fulfill each of the information requests in

A3. Law enforcement requests that we receive typically relate to subscriber information, for which average time is not a relevant measure. We are typically provided 30 days to respond to a production order. We are asked to respond as soon as possible in exigent circumstances such as a hostage or bomb threat.

Q4. How many times were you asked to disclose information noted in 1(a) based specifically on:
Q4a) child exploitation grounds?
Q4b) terrorism grounds?
Q4c) national security grounds?
Q4d) foreign intelligence grounds?

A4. For 2012 and 2013, we did not store information as to which requests were made according to the classification set out above. It is our intent to do so going forward.

Q5. What protocol or policies does your company use to respond to requests for data that are noted in

A5. To respond to requests for data that are noted in Q1a, we first determine whether the requester is a government institution or not. If they are not a government institution, we generally ask them to address themselves to one. If they are a government institution, we follow the legal standard set out in A5a.
Q5a) What legal standard do you require government agencies to meet for each type of data request noted in

A5a) Our general legal standard is to require that government agencies provide a warrant, provide a production order, or demonstrate that obtaining one is justified but unfeasible due to exigent circumstances, such as a live bomb threat.

You have asked how the legal standard that we require applies to each type of data request noted in Q1a, which asked about ten types of usage:

Q5a.01) Geolocation of device (please distinguish between real-time and historical).

A5a.01) We do not undertake geolocation of devices, such as through third-party IP address geolocation. We would apply the above-noted general legal standard in response to data requests for disclosure of the information set out in A2.01.

Q5a.02) Call detail records (as obtained by number recorders or by disclosure of stored data).

A5a.02) We would apply the above-noted general legal standard to disclosure of stored CDRs that are in our possession. We do not have number recorder records.

Q5a.03) Text message content.

A5a.03) We do not have text message records.

Q5a.04) Voicemail.

A5a.04) We would apply the above-noted general legal standard to disclosure of stored voicemails that are in our possession.

Q5a.05) Cell tower logs.

A5a.05) We do not have cell tower logs.

Q5a.06) Real-time interception of communications (wiretapping).

A5a.06) We do not have real-time interception records.

Q5a.07) Subscriber information.

A5a.07) We would apply the above-noted general legal standard to subscriber information and IP-to-subscriber correlation disclosure.

Q5a.08) Transmission data (duration of interaction, port numbers, communications routing data, etc.).

A5a.08) We do not generally have such transmission data.
In the unlikely event that we do have it, as a result of trouble-shooting or other operational needs, we would apply our general legal standard to its disclosure.

Q5a.09) Data requests (web sites visited, IP address logs).

A5a.09) We do not generally have such data request records. In the unlikely event that we did have it, we would apply the above-noted general legal standard to its disclosure.

Q5a.10) Any other kinds of data requests pertaining to the operation of your network and business.

A5a.10) We would apply the above-noted general legal standard to data requests pertaining to the operation of our network and business.

Q5b) What are the average number of subscribers who typically have their information disclosed in government agencies requests, for each type of request noted in

A5b) The answers to Q1a noted that all of the requests we received in 2012 and 2013 from government agencies, to provide information about our customers' usage of communications devices and services, pertained to 7) subscriber information. None of these requests were received for 1) geolocation, 2) call detail records, 3) text message content, 4) voicemail, 5) cell tower logs, 6) real-time interception, 8) transmission data, including duration of interaction, port numbers, and communications routing data, 9) data requests, including web sites visited, IP address logs, or 10) other kinds of data requests not covered by the categories indicated.

Such requests from law enforcement agencies typically covered single subscribers. In response to your question as to the average number of subscribers who typically have their information disclosed in law enforcement agencies requests, the number therefore varies between zero and one.
While Q1a and Q5b do not relate to government agencies requests for 2014, we have received one such request in 2014 that relates to more than one subscriber. It is the Federal Court order in respect of a copyright claim noted in A1d and A1h (Voltage), in respect of which no subscribers have had their information disclosed to date.

Q5c) Does your company have distinct policies to respond to exigent and non-exigent requests? If yes, what are these policies or how do they differ?

A5c) Yes. In non-exigent circumstances, it is our policy to require a warrant or production order. In exigent circumstances, it is our policy to (i) require that the government institution, generally a law enforcement agency, demonstrate that obtaining one is justified but unfeasible due to the circumstances; and to (ii) confirm the veracity of such demonstrations.

Q5d) Is your company required to design your networks and services so government agencies can more readily access customer data in a real time or in a retroactive manner? If yes, please detail those requirements.

A5d) TekSavvy does not provide mobile PSTN services subject to the Solicitor General's Enforcement Standards for Lawful Interception of Telecommunications. We are aware of Criminal Code provisions under which law enforcement requests could result in an order to provide for real-time interception or install tracking devices or number recorders,10 CSIS Act provisions under which CSIS requests could result in a real-time interception order,11 National Defence Act provisions under which CSEC requests could result in a real-time foreign-communications interception order,12 and Child Pornography Reporting Act provisions under which we could be required to preserve data at a secure offline location.13 In the event we become subject to such orders, we may not have an avenue to be compensated for the costs of compliance unless "the financial consequences [are] so burdensome that it would be unreasonable in the circumstances to expect compliance."14 We also anticipate the coming into force of Copyright Act paragraph 41 requiring us to retain records for six months - and, if a claimant commences proceedings during that period, one year after proceedings have been commenced - in respect of which regulatory provisions may provide a way to recover our compliance costs. All of these provisions could create an incentive for TekSavvy to design its networks and services so that the cost of any mandatory orders can reasonably be absorbed. However, to date we have not acted on that incentive with respect to our network and services design.

10 Criminal Code, sections 184.1, 194.2, 194.3, 185, 186 (telewarrant), 492.1 and 492.2.
11 CSIS Act, R.S.C. 1985, c. C-23, section 21.
12 National Defence Act, R.S.C. 1985, c. N-5, section 273.65.

Q5e) Does your company have a dedicated group for responding to data requests from government agents? Are members of this group required to have special clearances in order to process such requests? What is the highest level company official that has direct and detailed knowledge of the activities of this group?

A5e) Our company does not have a dedicated group for responding to data requests from government agents. We do not require employees to have special clearances in order to be available for processing such requests. Company officials at our company's highest levels have direct and detailed knowledge of our responses to data requests from government agents.

Q6. What is the maximum number of subscribers that the government requires you to be able to monitor for government agencies' purposes, for each of the information types identified in Have you ever received an official order (ministerial authorization, court order, etc.) to expand one of those maximum numbers?

A6. Government agencies have not sought
to require TekSavvy to undertake real-time monitoring of subscribers. Please see also A5b (above).

Q7. Has your company received inappropriate requests for information identified in If yes, why were such requests identified as inappropriate and who makes a decision that a request is inappropriate? And if yes, how did your company respond?

A7. TekSavvy denied 67 percent of requests received in 2012 and 2013 for the reasons set out in A1d and A1f (above). Although we did not, for 2012 and 2013, store information as to the reasons for denial, we did not generally receive requests from government institutions that had the appearance of being frivolous, for an improper purpose, or anything other than professional.

13 Child Pornography Reporting Act, S.C. 2011, c. 4, section 4.
14 Tele-Mobile Co. v. Ontario, [2008] 1 S.C.R. 305, paragraph 67.

Q8. Does your company have any knowledge of government agencies using their own:
Q8a) tracking products (Catchers)?
Q8b) infiltration software (zero day exploits, malware, such as FinFisher, etc.)?
Q8c) interception hardware (placed within or integrated with your company's network)?
Q8d) If yes to or please explain.

A8. We do not have any experience of government agency tracking products, infiltration software, or interception hardware on our network.

Q9. Does your company cooperate with government agencies that use their own tracking equipment or provide information on how to interoperate with your company's network and associated information and subscriber information? If yes, how does it cooperate, how many requests does it receive for such cooperation, and how many of your subscribers have been affected by such equipment or interoperation?

A9. No, we do not cooperate or provide the kind of information referred to.
Q10. In 2012 and 2013, did your company receive money or other forms of compensation in exchange for providing information to government agencies? If yes, how much money did your company receive? And if yes, how much does your company typically charge for specific services (please refer to the list in 1(a) above)?

A10. No, we did not receive compensation in 2012 and 2013 for providing information to government agencies.

Q10a) Does your company charge different amounts depending on whether the request is exigent or non-exigent? Does your company charge fees for exigent cell phone tracking requests from law enforcement authorities?

A10a) Please refer to A10.

Q10b) Please include any written schedule of fees that your company charges law enforcement for these services?

A10b) We are aware of ILEC Law Enforcement Agency Services Service") tariffs establishing charges for Customer Name and Address and for Service Provider Identification Service requests relating to telephone numbers.15 TekSavvy, whose services are not tariffed, has not created any similar schedule of fees. In any case, our current policy of requiring a warrant, production order, or exigent circumstances, which is described in A1d and A5c above, limits the circumstances in which imposition of a fee schedule is likely possible.

15 Provision of subscribers' telecommunications service provider identification information to law enforcement agencies, Order CRTC 2001-279, 30 March 2001; Provision of subscribers' telecommunications service provider identification to law enforcement agencies, Telecom Decision CRTC 2002-21, 12 April 2002.

Q10c) Does your company operate purely on a cost recovery basis for providing information to government agencies?

A10c) Please refer to A10.
In the past the combined volume of private information requests, from government agencies seeking third-party information and from individuals requesting records containing their own information, has not required in-depth review of costs incurred. We are now reviewing these costs in the context of the aforementioned policy review.

The above-noted questions were posed, and our answers to them provided, in part in order to tell you about our data retention and sharing policies. On 1 May 2014 Citizen Lab published a blog posting entitled "Responding to the Crisis in Canadian Telecommunications". The blog posting argued that Canadians ought to fill in a provided template and issue it to the telecommunications companies providing them with service. The blog posting suggested that doing so would help Canadians improve their ability to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship.16

As a telecommunications company providing Canadians with service, we have received many such template requests, whose content relates to the above-noted questions and answers. In view of the overlap between your 20 January 2014 letter and Citizen Lab's 1 May 2014 blog posting, we are therefore providing further information that is responsive to the Citizen Lab template, relating the information it seeks to the answers set out above. It is our intent that the review we have initiated of our privacy policy, consumer terms and conditions, and internal practices result in the making available of this information to our users in a readily-accessible format. It is our hope that, in the interim, including it in this published letter will be of assistance.

T1. All logs of IP addresses associated with me, my devices, and/or my account (IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers).

T1 (R).
We log the IP addresses associated with the MAC addresses that correspond to particular devices, and log which of those devices are associated with particular customers, in the manner described in A2.01. It is our policy to retain the IP-to-MAC-address correlation information for 30 days. As described in A2.08 and A2.09, we do not store information as to the IP addresses or domain names of sites that subscribers visit or their times, dates, or port numbers.

T2. Listing of "subscriber information" that you store about me, my devices, and/or my account

16 Christopher Parsons, "Responding to the Crisis in Canadian Telecommunications", 22 January 2014, online:

Our subscribers can access much of the information that we store about them online through TekSavvy's My Account portal, including name, address, service address, phone number, email address, usage information, and past bills. The subscriber information that we store that cannot yet be accessed through the My Account portal consists generally of: modem type, firmware, and MAC address; current-billing-cycle usage information; communications opt-ins; and internal notes on file, including call logs. Please also refer to the answers provided above, particularly A2.07, A2.10, and A5a.07.

T3. Any geolocational information that you may have collected about me, my devices, and/or associated with my account (GPS information, cell tower information).

As we do not provide mobile services, we do not have GPS or cell tower information, nor undertake targeted geolocation of devices. However, please refer to A2.01 above with respect to routing table information that could geolocate a subscriber's device down to the neighbourhood.

T4. Text messages or multi-media messages (sent and received, including date, time, and recipient information).
As we do not provide mobile services, we do not have text or multimedia messages. We do provide voicemail and email services, which are addressed above at A2.02 and A5a.04 (voicemail) and A2.10 (email), respectively.

T5. Call logs (numbers dialed, times and dates of calls, call durations, routing information, and any geolocation or cellular tower information associated with the calls).

We maintain logs for operational purposes whose information is deleted after one week. We also maintain last-ten call information (last ten calls missed, answered, and dialed, respectively) that is available, if applicable, in the My Account portal. However, most call logs and the related data fields described in parentheses are stored either in Call Detail Records that we retain, and in billing records. Our treatment of CDRs is set out above in A2.02. Our treatment of bills is set out above in

T6. Information collected about me, or persons/devices associated with my account, using one of your company's mobile device applications.

Our company does not have mobile device applications.

T7. Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company's services.

All of the kinds of information that we routinely collect, retain, or derive are described in the answers included in this letter. Please refer, in particular, to A2.01 through A2.10, which address related issues.

T8. Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.

Our approach to such disclosures is addressed above at A1h.

We trust that the information we have provided in this letter responds to your questions.
As noted, this information is part of an ongoing process at TekSavvy. We work to ensure that all of our practices comply with our PIPEDA17 and CRTC18 obligations. However, we have come to believe that it is also TekSavvy's responsibility, as part of its understanding with its subscribers and as part of the value it delivers to Canadian telecommunications markets, to lead with respect to going beyond those obligations. While that process is ongoing, we are glad to have embarked upon it, and would be pleased to continue this dialogue with you as we further refine our policies and practices in this area.

Yours sincerely,
[transmitted electronically]
Bram Abramson
Chief Legal and Regulatory Officer

17 Cited above, at note 2.
18 We note, in particular, the confidentiality provisions requiring that, unless a customer provides express consent or disclosure pursuant to a legal power, information other than the customer's name, address, and listed telephone number is not to be disclosed to anyone but: the customer or their agent; another telephone company or service provider, for operational purposes and provided it is on a confidential basis; or a collections agent, again on a limited basis. Confidentiality provisions of Canadian carriers, Telecom Decision CRTC 2003-33, 30 May 2003, paragraph 49, as extended by Follow-up to Telecom Decision CRTC 2003-33 Confidentiality provisions of Canadian carriers, Telecom Decision CRTC 2004-27, 22 April 2004, paragraph 22.

Darren Entwistle
Member of the TELUS team

29 August 2014

The Honourable Steven Blaney
Minister of Public Safety and Emergency Preparedness
House of Commons
Ottawa 0A6

Subject: TELUS transparency report

Dear Minister,

I wish to inform you of TELUS's intention to publish its first transparency report in about ten days.
This report supports our commitment to maintaining open and transparent communications with our customers and, of course, with all citizens regarding the number and variety of information requests that we receive each year from law enforcement agencies and other government bodies. In addition, our transparency report will provide an overview of the approach and practices we adopt in acceding to these requests or challenging them after a rigorous assessment of their merits.

As you are no doubt already aware, TELUS met with Deputy Minister Francois Guimont last April to seek his opinion and obtain his advice on the best approach to take in producing our transparency report. Organized at TELUS's initiative, in the face of growing pressure for such information to be made public, this meeting was also motivated by our desire to make our practices in this regard transparent.

We also note that a growing number of telecommunications companies and Internet service providers are publishing transparency reports, although some of these reports are published without [...] in the nature of the information disclosed. Conversely, at TELUS, we have declined to publish such a report unilaterally because we have shown a willingness to work with the government. Indeed, we intend to approach all matters of common interest in the same way in the future.

We attach great importance to our relationship with the Government of Canada, and while we recognize the importance of private interests to Canadians, we are fully aware that disclosing information in appropriate circumstances greatly helps to ensure public safety.
Our report highlights in particular the fact that more than half of the disclosure requests we received in 2013 related to an emergency in which a person's life, health or safety was threatened.

TELUS intends to publish its transparency report annually as part of its corporate social responsibility report. In keeping with our established practice, we will continue to inform you in advance of its publication in the years to come.

If you have any comments or concerns, please do not hesitate to contact me or to have a member of your staff contact our Chief Security Officer, Ken Haertling, at (604) 290-3020 or at kenneth.haertling@telus.com. Our team looks forward to working with you and your government again on the publication of future transparency reports and to continuing to strengthen our cooperation.

Sincerely,
Darren Entwistle
Executive Chair of the Board of Directors
Member of the TELUS team

cc. Deputy Minister Francois Guimont

Office of the Deputy Attorney General
Washington, D.C.

January 27, 2014

Sent via Email

Colin Stretch, Esquire
Vice President and General Counsel
Facebook Corporate Office
1601 Willow Road
Menlo Park, CA 94025

Kent Walker, Esquire
Senior Vice President and General Counsel
Google Corporate Office Headquarters
1600 Amphitheater Parkway
Mountain View, CA 94043

Erika Rottenberg, Esquire
Vice President, General Counsel/Secretary
LinkedIn Corporation
2029 Stierlin Court
Mountain View, CA 94043

Brad Smith, Esquire
Executive Vice President and General Counsel
Microsoft Corporate Office Headquarters
One Microsoft Way
Redmond, WA 98052-7329

Ronald Bell, Esquire
General Counsel
Yahoo Inc. Corporate Office and Headquarters
701 First Avenue
Sunnyvale, CA 94089

Dear General Counsels:
Pursuant to my discussions with you over the last month, this letter memorializes the new and additional ways in which the government will permit your company to report data concerning requests for customer information. We are sending this in connection with the Notice we filed with the Foreign Intelligence Surveillance Court today.

In the summer of 2013, the government agreed that providers could report in aggregate the total number of all requests received for customer data, including all criminal process, NSLs, and FISA orders, and the total number of accounts targeted by those requests, in bands of 1000. In the alternative, the provider could separately report precise numbers of criminal process received and number of accounts affected thereby, as well as the number of NSLs received and the number of accounts affected thereby in bands of 1000. Under this latter option, however, a provider could not include in its reporting any data about FISA process received.

The government is now providing two alternative ways in which companies may inform their customers about requests for data. Consistent with the President's direction in his speech on January 17, 2014, these new reporting methods enable communications providers to make public more information than ever before about the orders that they have received to provide data to the government.

Option One.

A provider may report aggregate data in the following separate categories:

1. Criminal process, subject to no restrictions.
2. The number of NSLs received, reported in bands of 1000 starting with 0-999.
3. The number of customer accounts affected by NSLs, reported in bands of 1000 starting with 0-999.
4. The number of FISA orders for content, reported in bands of 1000 starting with 0-999.
5. The number of customer selectors targeted under FISA content orders, in bands of 1000 starting with 0-999.
6. The number of FISA orders for non-content, reported in bands of 1000 starting with 0-999.
7. The number of customer selectors targeted under FISA non-content orders, in bands of 1000 starting with 0-999.

A provider may publish the FISA and NSL numbers every six months. For FISA information, there will be a six-month delay between the publication date and the period covered by the report. For example, a report published on July 1, 2015, will reflect the FISA data for the period ending December 31, 2014. In addition, there will be a delay of two years for data relating to the first order that is served on a company for a platform, product, or service (whether developed or acquired) for which the company has not previously received such an order, and that is designated by the government as a "New Capability Order" because disclosing it would reveal that the platform, product, or service is subject to previously undisclosed collection through FISA orders. For example, a report published on July 1, 2015, will not reflect data relating to any New Capability Order received during the period ending December 31, 2014. Such data will be reflected in a report published on January 1, 2017. After data about a New Capability Order has been published, that type of order will no longer be considered a New Capability Order, and the ordinary six-month delay will apply.

The two-year delay described above does not apply to a FISA order directed at an enhancement to or iteration of an existing, already publicly available platform, product, or service when the company has received previously disclosed FISA orders of the same type for that platform, product, or service.

A provider may include in its transparency report general qualifying language regarding the existence of this additional delay mechanism to ensure the accuracy of its reported data, to the effect that the transparency report may or may not include orders subject to such additional delay (but without specifically confirming or denying that it has received such new capability orders).

1 As the Director of National Intelligence stated on November 18, 2013, the Government several years ago discontinued a program under which it collected bulk Internet metadata, and no longer issues FISA orders for such information in bulk. See intelligence. With regard to the bulk collection of telephone metadata, the President has ordered a transition that will end the Section 215 bulk metadata program as it currently exists and has requested recommendations about how the program should be restructured. The result of that transition will determine the manner in which data about any continued collection of that kind is most appropriately reported.

Option Two.

In the alternative, a provider may report aggregate data in the following separate categories:

1. Criminal process, subject to no restrictions.
2. The total number of all national security process received, including all NSLs and orders, reported as a single number in the following bands: 0-249 and thereafter in bands of 250.
3. The total number of customer selectors targeted under all national security process, including all NSLs and FISA orders, reported as a single number in the following bands, 0-249, and thereafter in bands of 250.

I have appreciated the opportunity to discuss these issues with you, and I am grateful for the time, effort, and input of your companies in reaching a result that we believe strikes an appropriate balance between the competing interests of protecting national security and furthering transparency. We look forward to continuing to discuss with you ways in which the government and industry can similarly find common ground on other issues raised by the surveillance debates of recent months.

Sincerely,

James M. Cole
Deputy Attorney General

Pages 32 to 35 are withheld pursuant to section 21(1)(a) of the Access to Information Act.