
Proceedings of the Standing Senate Committee on
Transport and Communications

Issue 9 - Evidence, December 8, 2009


OTTAWA, Tuesday, December 8, 2009

The Standing Senate Committee on Transport and Communications met this day at 9:31 a.m. to study emerging issues related to its communications mandate and to report on the wireless sector, including issues such as access to high-speed Internet, the supply of bandwidth, the nation-building role of wireless, the pace of the adoption of innovations, the financial aspects associated with possible changes to the sector, and Canada's development of the sector in comparison to the performance in other countries.

Senator Dennis Dawson (Chair) in the chair.

[English]

The Chair: Good morning. This is the Standing Senate Committee on Transport and Communications' sixteenth meeting for our study of the wireless sector.

This morning we have with us, from the Office of the Privacy Commissioner of Canada, Jennifer Stoddart, Privacy Commissioner of Canada; Elizabeth Denham, Assistant Privacy Commissioner of Canada; and Steve Johnston, Senior Security and Technology Adviser.

[Translation]

The Privacy Commissioner of Canada, Jennifer Stoddart, is another officer of Parliament, who reports directly to the House of Commons and the Senate. The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals.

[English]

Welcome to the committee. The floor is yours.

Jennifer Stoddart, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada: Thank you for inviting us here and for the opportunity to speak to a topic that you are investigating of such paramount importance to my office. Indeed, at my office we have identified the impact of emerging information and communications technologies on the privacy of Canadians as one of our four strategic priorities.

In the next few minutes I propose to touch on some key issues, which are explored more fully in a background document that you have before you. That should leave time for questions for myself, for Assistant Commissioner Denham and for our senior security and technology adviser, Steve Johnston, who can answer, I hope, any technical question you might have.

[Translation]

I will start with the context. First, let me say that I applaud this committee for undertaking such a far-reaching and significant study. It takes courage to tackle issues that we know are critical to the social and economic future of Canadians but that seldom suggest a clear or unambiguous way forward.

[English]

That certainly is how my office views the privacy issues related to wireless technologies, universal mobile access, Web 2.0 and the next generation of Internet connectivity: With challenges so complex there can be no pat solutions. Within Canada and across international boundaries, the responses must be thoughtful, measured, collaborative and nuanced.

As Canada's privacy guardian, my approach is to explore the privacy implications of these new technologies and to work within our legislative framework, in concert with partners in Canada and globally, to strengthen the privacy protections enjoyed by Canadians.

One thing we can say for certain is that the future is now. Canadians of all ages have already gone wireless, free to work and play from wherever they may be. For most of us, the Internet is a useful and interesting place to visit, while some people live entire second lives there. Governments and private enterprises are harnessing the astonishing power of this digital universe to enhance their operations and advance their interests. Without a doubt, these are dazzling developments, yet we must not be blinded to the privacy implications.

At a practical level, we must ask whether safeguards are built into the designs of technological innovations — the passwords and encryption software, the privacy settings and the policies that will help keep personal information out of the wrong hands.

More broadly, we need to apply our existing laws to protect the privacy interests of Canadians. My office did that in last summer's Facebook investigation, which was headed by Assistant Commissioner Elizabeth Denham, and we will not shy away from doing it again should the need arise.

At a broader level still, we must accept that data will flow wherever it needs to go without regard for national boundaries.

[Translation]

And yet, nations are not without remedies. As Canada has shown through a series of investigative findings and guidelines, we can make clear our expectations for organizations operating within our borders. And we can work with the global community to set common standards for the inter-territorial protection of personal information.

[English]

Elizabeth Denham, Assistant Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada: The document the Office of the Privacy Commissioner of Canada has tabled with you explores these and many other questions, but permit me now to touch on three issues of primary concern to our office.

The first is behavioural marketing, in which the online activities of consumers are tracked over time and ads are targeted to their inferred interests. Marketers say the data is aggregated and individuals are not identified, but we have seen evidence that identities cannot always be concealed.

The practice also raises issues of consent, because people may not even know that their browsing habits are being monitored, collected, analyzed and used for other purposes.

The second issue is location-based data, particularly with GPS-enabled mobile devices. It is easier than ever to pinpoint people's exact whereabouts. Combining such geospatial information with other data, such as one's shopping or entertainment habits, for example, can yield a whole new class of personal information.

That is of immeasurable value to business and marketers, of course, and it also gives people instant services such as directions to the nearest hotel or coffee shop or bank machine. At the same time, though, it raises sensitive questions about surveillance and, again, consent for the use of their personal information.

The final issue is cloud computing, in which organizations rent computer usage from third-party providers who actually own the remote servers and related infrastructure. Many enterprises are turning to cloud computing providers to store data or for a range of other applications or services. The advantage is that they do not have to invest, maintain, repair, or upgrade their own computers.

[Translation]

The privacy concern for us, however, is that such servers could be anywhere, including in countries with weak privacy laws.

[English]

The data can be disaggregated and scattered among servers in many locations. It can also be copied, mirrored, many times over, which raises questions about unauthorized disclosure, retention and destruction of personal information.

Ms. Stoddart: In the light of the challenges posed by these issues, my office is organizing expert workshops to examine each in detail. The Personal Information Protection and Electronic Documents Act, known as PIPEDA, has been a powerful tool in our efforts to safeguard the privacy of Canadians and flexible enough to cope with these emerging technologies. Still, we look forward to refinements that would further strengthen this law.

We will also continue to carry out our other functions aimed at advancing the privacy rights of Canadians, including investigating complaints, conducting audits, reviewing departmental privacy impact assessments, and reaching out to stakeholders and Canadians at large through our research, public awareness and communications activities.

Under the Privacy Act — that is the other act we administer — we are currently completing an audit of the federal government's use of wireless networks and devices such as the BlackBerry and the iPhone.

[Translation]

We are equally gratified that a dozen of the world's leading data protection authorities agreed in Madrid last month to work toward standards for the protection of data flowing across international borders.

[English]

In conclusion, senators, I doubt anyone can really grasp all the privacy implications presented by emerging technologies. Nor should we be too confident in predicting the future. However, we can face up to the challenges of today by tapping into the best minds, by applying the tools we have and by working in concert towards policies and practices that will better safeguard the privacy of Canadians tomorrow.

[Translation]

I want to thank you very much for inviting us to appear. You are studying an issue of great importance, and we would be happy to try to answer any questions you may have.

[English]

Senator Johnson: I certainly agree with you. How do we predict the future? I do not know how we protect privacy in the future even on my BlackBerry.

One question in our study relates to technology moving so quickly that legislation cannot keep up with it. Can you comment on this in terms of the regulatory side of it?

Ms. Stoddart: That is generally true in Canada. Unlike other countries, we did not adopt a sectoral approach to personal information regulation; we adopted a global approach.

Parliament passed the Personal Information Protection and Electronic Documents Act nine years ago. It links to a set of fair information principles. It can be modulated to adapt to new technologies. However, it needs revision. We have made public our suggestions for revision. Notably, it needs a clause for data breach notification. The extent to which data is leaking, either through carelessness, crime or insider malfeasance, was not foreseen. That is one change that should be made, but generally our law can be adapted to new technologies.

Senator Johnson: Recent technological changes, especially with regard to the Internet, pose threats to privacy. How can your office possibly respond to these threats to privacy on the Internet?

Ms. Stoddart: We can respond in many ways. This is a major issue in our office. We investigate complaints. We audit questionable practices on the Internet. We are in the midst of assembling a specialized unit to investigate privacy issues on the Internet. We issue guidance and fact sheets. We are holding a series of seminars this winter on Internet issues like behavioural advertising. We approach it from many angles.

Senator Johnson: Who goes to these seminars, and where are they held? Are you talking about seminars for government people?

Ms. Stoddart: No. They are for Canadians generally. The assistant commissioner is organizing them. I suggest that she respond.

Ms. Denham: We will hold three workshops focused on the three areas that we think are the biggest threat to Canadians on the Internet: behavioural advertising, cloud computing and location-based services. These are expert workshops to bring academics, industry representatives, consumer groups and other privacy commissioners together around the table to examine the issues, what needs to be done and how much guidance needs to be issued on these important topics. We will also look at whether our law — PIPEDA — is up to the job of regulating the Internet in the face of these new technological threats.

Senator Johnson: The Internet to some extent has made national borders less of a barrier to transaction with foreigners outside of our country. Do you feel there is a greater need for international cooperation in a world where borders are less effective to limit or shape transactions with other countries?

Ms. Stoddart: Yes, international cooperation is essential. You cannot enforce your own law if what you are trying to enforce is happening outside the country without active cooperation of other data protection authorities.

Senator Johnson: Have many countries managed this in a different way that you admire or would use?

Ms. Stoddart: Yes. The United States does not have an overarching privacy law, but it does a good job regarding consumer protection. We look to the American Federal Trade Commission that is now over 100 years old. It has a huge amount of experience, particularly in relation to Internet investigations.

Senator Johnson: The United States is a good example.

Ms. Stoddart: Yes, the United States and the U.K.

Senator Johnson: What about Estonia?

Ms. Stoddart: Well, they are struggling. Steve Johnston has an active work relationship with France's Commission nationale de l'informatique et des libertés, CNIL. He is also Canada's representative on the International Organization for Standardization because it is important that countries agree on common standards for personal information protection and definitions of component parts of those standards.

Senator Johnson: Have you anything further to add on the international front?

Steve Johnston, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada: I belong to the International Working Group on Data Protection in Telecommunications as Commissioner Stoddart's representative. Other countries are doing excellent work. They include Germany and Norway, particularly in terms of protection of children online and social network services. Spain has recently completed a major study on online protection of children. A number of countries are doing very good work.

Senator Johnson: Online protection of children is a huge issue now. There are hundreds of sites.

Mr. Johnston: The common understanding is that because children are much younger and do not have the life experience, they do not have the framework to make appropriate risk assessments in what they post and how they interact online. Part of what we are trying to do through our education process is to give them those tools.

Senator Johnson: Thank you.

Senator Cochrane: Would you elaborate on the term "leaking" that you used in regards to carelessness?

Ms. Stoddart: Do you mean the leaking of data?

Senator Cochrane: Yes.

Ms. Stoddart: I will ask Mr. Johnston to go into the detail of how data leaks and how personal information is lost.

Mr. Johnston: In reviewing breaches we have been notified of in our office and following breaches in industry generally, we have found that most are due to human error — a failure to follow appropriate policy or practice. For example, we have seen medical records put out for recycling as opposed to being shredded.

The other major contributor to data leakage is insider malfeasance. Someone deliberately exceeds the authorities they have or presumes authorities they do not have to access information. An excellent example is the people in the U.S. Department of State who were fired for sneaking looks at passport applications. They simply exceeded the authority they had.

The challenge is creating a balance between giving people the access they need to do their job and ensuring they cannot exceed those authorities to do something inappropriate with the information.

Senator Cochrane: Have hospitals been notified that they must shred hospital records that are being thrown out?

Mr. Johnston: Yes. The Personal Information Protection and Electronic Documents Act requires the secure disposal of information when it is no longer required. The Ontario office, in conjunction with the National Association for Information Destruction, has issued specific guidance on what secure destruction means. For example, they should use crosscut shredders to chop paper into very fine pieces, use burning, et cetera.

Ms. Denham: I would like to add a comment relevant to the committee about the wireless world.

Our office investigated a breach that involved the compromise of 98 million credit and debit cards worldwide. The wireless system was hacked in 2006-07 at a company called TJX, based in the U.S. The company owns Winners and HomeSense stores in Canada.

Our office investigated and found that TJX was using inadequate encryption, and that allowed the thieves, over a long period of time, to break into the system and compromise the numbers. There is an extreme vulnerability when it comes to wireless technology, and this is an example of the need to keep the encryption standard refreshed and up to par.

Senator Cochrane: That is one. Are there others you have been made aware of?

Ms. Denham: Other investigations of wireless vulnerabilities?

Senator Cochrane: Or any other.

Ms. Denham: We have investigated many breaches. As my colleague, Mr. Johnston, outlined, many times they are insider issues, employees or contractors who are using the information for fraud or identity theft. Many of the breaches are just down to human error or employees not being trained properly. The really significant breaches like TJX point out the vulnerabilities of wireless technology.

Senator Cochrane: How do you deal with that? Do you go back to the companies? Could you go through the process for us?

Ms. Denham: In this case, we investigated the breach, and we issued a public report that named the company, with our recommendations on how they need to fix the problem. The commissioner is an ombudsman. She does not have order-making power and cannot issue fines. Really, it is working with the company to get them to agree to our findings and recommendations. If a company does not agree, then we have the ability to take the company to Federal Court for enforcement of our action. We rarely have to do that. In this case with TJX, they complied with all of our recommendations, including no longer collecting and maintaining a database of driver's license information, which is fodder for identity theft.

Ms. Stoddart: This is why this particular amendment to PIPEDA would be important in its obligatory data breach notification to our office and to the affected people, let us say the potential victims, when a certain threshold of significance is reached. We suspect there are far more data breaches happening than we can imagine. We have had a program running for about two and a half years. We have now, in the second year, twice as many voluntary notifications to our office. We suspect this is just the tip of the iceberg in terms of the data breaches that happen.

Making companies report data breaches to our office allows us to analyze the phenomenon better. We hope it makes them more aware that this is something serious and that some regulatory action will follow from their carelessness or their unwillingness to invest in new technology to go to a higher encryption level or things like that.

Senator Cochrane: Where is this amendment now?

Ms. Stoddart: I believe the amendment is somewhere in Industry Canada. It is not a bill yet. These are amendments to PIPEDA that we hope will be coming through very soon.

Senator Cochrane: After Christmas?

Ms. Stoddart: Hopefully after Christmas, but only the Minister of Industry knows at the moment.

Senator Cochrane: My concern is about the children. It is so very difficult for parents who are working. When their children come home from school, the first thing they do is go on the computer. Is there a safety net for that? Children are vulnerable. It is not that they do not understand, but they are not always aware of the dangers of someone else getting their information and things like that.

Ms. Stoddart: It is a concern of many people. In fact, it has been a priority for our office for the last few years. We have established a separate but connected website. If you go onto our websites, you can link through to youthprivacy.ca. We work with provincial commissioners across Canada on youth-related activities. We borrow things from as far away as our partners in Hong Kong. We have a video that was made in Hong Kong to try to attract young people to look at these messages. You have to tailor the message in a way that is attractive to them.

We funded research through our contributions program on youth privacy. Canada was the writer and the sponsor of an international resolution on youth privacy that was adopted by the data protection commissioners of the world in Madrid last month. This is a huge part of our ongoing activities.

Senator Cochrane: Do you feel it is working? Do you have any measurement?

Ms. Stoddart: I do not think we have a direct measurement for the moment, but we see encouraging signs. We are invited into schools. We make material for schools that schools can use. We have quite a few visits to the youthprivacy.ca site. Whether it is the young people themselves or their parents who are scrambling to keep up with the kids, we find there is a lot of take-up for our activities.

Senator Cochrane: Thank you.

Senator Plett: I was watching the news yesterday, and they were talking about a site called Nickelodeon, which is apparently a children's site, but if you follow the site along, you get to some adult site. What laws are there to kill a site if something like that happens? Obviously there is a limited amount of what you can do with adult sites. They are legal and so forth.

Ms. Stoddart: We can look into it. I did not catch that part of the news. There are laws that apply. We could look to see whether parts of PIPEDA apply in terms of transparency and consent. If you go to that site, a children's site, is it clear that what you are getting into is in fact an adult site? The Competition Bureau could have a role in this, because this sounds like it might be misleading advertising. There are also parts of the Criminal Code. We would have to look at it to see just how it is set up and what demographic it is aimed at and so on.

Mr. Johnston: I would have to look into the specific details, but this sounds very much like other incidents I am aware of where a legitimate website is compromised by malicious individuals. By going to the site, several possible consequences occur. One is malicious code, so a Trojan horse or worm or something could be downloaded to your computer. In a number of cases, we are finding that links on the legitimate website, when clicked, actually redirect you to other sites. The other possibility is that there is something known as domain name squatting, cyber squatting, where someone will register a domain name that is very similar to a legitimate website. For example, whitehouse.gov takes you to the legitimate White House site; whitehouse.com does not. It takes you to an adult site. There are a number of possible explanations for why this particular event occurred. It comes down to the legitimate website ensuring that its security practices are up to date and the software is patched, and so on. I can certainly have a closer look and double-check that.

Senator Plett: Thank you. I certainly would appreciate it, and I hope that the owner of the legitimate site is doing something about it as well.

Senator Mercer: I thank the witnesses for being here. This is a fascinating topic. The possible compromise of 98 million transactions at Winners and HomeSense, which is T.J. Maxx in the U.S. — and it also operates in Britain, Ireland and a number of other countries — is a great number.

Another fascinating thing, which you touched on but did not spend much time talking about, maybe because it is slightly off topic, is the proper destruction of medical records, which does need to happen. We do not spend much time educating Canadians about the destruction of our personal data. For years I would read my mail, whether it was junk mail or legitimate mail, and then throw it out. I am not allowed to do that anymore at my house. My wife insists that everything be ripped up. I take anything that has details of my bills and shred it in a personal shredder. This is a whole education thing that we probably need to address.

I want to talk about a term you used that I was not familiar with and perhaps have you explain it in detail. That is "cloud computing." Perhaps you could tell me a little more about cloud computing. I thought I caught the essence of it, but perhaps you could explain it to me in more detail and give an example or two. You may not be able to name the individuals or companies involved, but could you give us a couple of examples?

Ms. Stoddart: I certainly know companies involved. Google is very open about setting up cloud computing facilities and so on, but the best explanation would be from Mr. Johnston about what cloud computing is and what it involves.

Mr. Johnston: If you ever recall seeing network diagrams that showed the Internet, they rendered it as a cloud because for most people the details were hidden. You did not really need to know how that operated. However, there are three basic types of service that are considered to be part of cloud computing. The first is known as infrastructure as a service. That is basically where you can rent space on servers to host your own software application. For example, I could go to someone like RackForce and basically just rent hardware, and on that I would then host my own software and use that as my computing capacity.

Senator Mercer: Who is responsible for the content and the policing of that content?

Mr. Johnston: The organizations that rent the space are typically considered to be responsible for the content that is on those servers. It is similar to owning your own computing, your own data centre, except that someone provides the hardware, the cooling, the power, et cetera, for you. It is probably the closest thing to a traditional outsourcing of computing capability.

The second type of service is known as platform as a service. That is where you go to a site like salesforce.com, which has the infrastructure, the hardware and the software. They have provided you with raw database applications, et cetera, and then you can develop and run your own software on top of that service.

The last is software as a service, where you are basically renting everything. You are renting the infrastructure and the software applications. Again, using salesforce.com as an example, you would use their infrastructure and software to provide services to your employees.

Ms. Denham: I will add some comments about the privacy implications of cloud computing. This is a new form of distributed computing. What happens is that a company in a sense outsources someone else to take care of the data. The data is distributed, not at one set of servers; it could be in servers across the world, and doing a data flow diagram where this data follows the sun, let us say, in a 24-7 service, you cannot actually pinpoint where the data is at a particular point in time. You can see from a jurisdiction point of view that data protection commissioners would share jurisdiction over what happens if that data is breached, where the data was when it happened and who is responsible. A single company could outsource to a cloud provider who then outsources again and again and again to other providers, so this business model is complex when it comes to privacy oversight.

Senator Mercer: I want to move on to PIPEDA. I come from the third sector. I have been involved in not-for-profit and charity work all of my life. This piece of legislation has had a tremendous impact on that sector, and I have to say that we have had terrific cooperation in trying to figure out how we get this done without impeding the activities of some very important charities.

Ms. Stoddart, I would like your opinion overall on PIPEDA, what you see is working well and what you see is not working, and then specifically how do you see it working in the field of charities and not-for-profits? Do you see any major problems that need to be addressed, either from a legislative point of view, a regulation point of view, or from just an implementation point of view, either by the charities themselves or by government agencies that may regulate charities?

Ms. Stoddart: I am just looking for my notes to remind me. Overall, PIPEDA is working quite well, and in fact it is increasingly looked at by other countries as a model of an effective and flexible piece of legislation that can apply to Canadians' data in a very adaptive way. It can apply to new technologies and situations. It will apply to cloud computing with collaboration from other enforcement agencies. That is the good news.

Some of the challenges that have come up with PIPEDA are the subject, hopefully, of the forthcoming amendments. There is a certain amount of consensus on them. I mentioned breach notification, which is important and being adopted everywhere. There are also a few practical things. For instance, when PIPEDA was drafted, for some reason in business contact information, business emails are technically personal information. That seems to have been a slip-up. That should be changed so it is not subject to privacy strictures. Business doing due diligence when transferring or selling businesses, and so on, are more in the way of housekeeping affairs.

Senator Mercer: That would be a natural evolution of legislation in a new field, would it not? It would be a natural evolution since we have had legislation in effect for a while and we now sit back and say what works and what does not work.

Ms. Stoddart: Exactly, yes. Major changes, no; I am not asking for any major changes at this stage except for data breach notification. I believe a bill will come before you this winter, called ECPA, an electric commerce protection act, basically an anti-spam act, and tacked on to that are some small changes to PIPEDA to make it specific that I can cooperate with other enforcement authorities in Canada and abroad. An example would be in the case of investigating a personal information breach that has crossed any provincial boundary or in fact any national boundary, when that can bring relief to the situation.

Also, it would give added discretion not to investigate certain kinds of cases. We are a bit overwhelmed by people who have persistent problems with financial institutions, for example, and given a limited budget, it would be better if we went after the systemic issues that will affect all Canadians. We would like not to have to deal with every single complaint, especially if the solution is known, but simply give information to the person, send him or her back to the financial institution, for example, and work on the big, new, technological, systemic issues. The U.K. commissioner now has this power.

As for the charitable sector, I believe there were some challenges in the beginning in working out where PIPEDA did and did not exist, but as far as I know, the boundaries are clear now, and I have not heard about any recent problems with that.

Senator Mercer: Where does the indirect and what might appear to be hidden collection of data fall into the privacy realm?

Air Miles is a good example of a reward program. I purchase something at a retail store and use my Air Miles card to obtain rewards. Someone is recording what I bought. Is there protection for how that data is managed when I use my Air Miles card or any other similar card? The data says I tend to buy a particular product. I do not want to be exposed to marketing particular to that.

Ms. Stoddart: PIPEDA generally applies to the collection of personal information. We have investigated cases where the consent to use your personal information in return for getting Air Miles is not clear enough, and the collection of personal information has not had valid consent under the law. However, if there is valid consent, you agree that all transactions go to Air Miles or Aeroplan to get all these goodies. That is legal under the law as long as you consent to it.

We are concerned about the behavioural advertising that Assistant Commissioner Denham discussed where consent is much less clear. From surveys we have done, most people do not realize that their online behaviour is being tracked. Our studies also show that most Canadians are concerned about having their web browsing tracked and identified to companies that will flash the right advertisements not to them personally but to their computer.

This will be a focus for us in the coming months. We will possibly develop guidelines and perhaps investigate some of the sites where this kind of tracking is occurring.

The Chair: Ms. Stoddart, beyond your appearance here today, if you have suggestions that you think we could incorporate into our report, including emphasis on potential amendments, feel free to correspond with the clerk to give us those amendments. One objective of these committees is making Canadians aware of these issues and putting as much light as possible on the issue. It is not only the report.

Ms. Stoddart: We would be happy to.

Senator Fox: I have one less question after the chair's intervention.

I would like to go back to the concept of encryption and the possibility of the state's intervening into private life. The former Information Highway Advisory Council was under Industry Canada and chaired by David Johnston, now president of the University of Waterloo. One of its concerns either has been solved or has disappeared from the radar. Incipient state practice at the time was to require that the key to encryption software be divulged to state authorities if you wanted encrypted messages to go through your territory. I would like to hear your comments on this.

Ms. Stoddart: I believe these are discussions that took place in the mid-1990s.

Senator Fox: Yes.

Ms. Stoddart: This was referred to as the crypto wars. I was not in this field at that time and cannot tell you much about it. I believe the issue has been solved to the extent that states will not allow encryption by private individuals of a type that the state could not deal with for security purposes.

Mr. Johnston is a specialist in this, so I will not venture any further.

Mr. Johnston: I believe you are referring to the notion of key escrow. The idea is that encryption keys are held in safe hands for possible use by law enforcement to decrypt communications subject to lawful warrants.

For the most part, the notion of key escrow has gone away simply because the parties involved in the communication could never agree who the escrow agent would be. Private individuals and corporations did not trust government; government did not trust corporations; private citizens did not trust corporations, et cetera.

As far as I am aware, there is not a general key escrow scheme currently in use. The state of the art for encryption continues to advance simply because computing power now available to attack encrypted communications is much more significant than it was 5, 10 or 20 years ago. The strength of an encryption system is based on how good the algorithm is, which is the basic mathematics behind how the information is transformed from plain to encrypted text, and the length of the key used to drive information through the algorithm. The standard is now 128 bit encryption. Basically, it is theoretically unfeasible to break anything encrypted with that kind of cryptosystem.

Having said that, with the advent of quantum computing and so on, those standards may fall. The new international standard, known as the advanced encryption standard, allows for longer key lengths, which basically compounds the problem of trying to guess the right key. For example, if you have a 128 bit key, you have to guess 2^128 possible combinations. Even guessing one million possible keys per second, it would take a very long time.

Senator Fox: The problem at the time was associated with the United States. It was a question of the United States not allowing encrypted messages to go through their territory unless they had the encryption key.

Mr. Johnston: The U.S., at least until recently, considered cryptographic technology to be equivalent to arms subject to regulation under the International Traffic in Arms Regulations, ITAR. They were limiting export of cryptographic technology to key lengths small enough that the computing power of the National Security Agency, for example, was sufficient to try all possible combinations and guess the right key. Those restrictions were lifted a few years ago. Basically, anyone can now use any available encryption system.

For example, until not long ago, France would not allow business people to bring in laptops that had encryption software on them. They wanted to be able to monitor the communications that went back and forth.

Senator Fox: Did anything happen after 9/11 to strengthen this?

Mr. Johnston: Not that I am aware of.

Senator Fox: I would assume that if a Canadian agency wanted to try to decode an encryption it would need the authorization of a judge.

Ms. Stoddart: It depends on which agency, under which law, doing what. Are these personal emails and so on?

Senator Fox: Let us assume it is CSIS, the Canadian Security Intelligence Service, for example. It would need an authority somewhere to print a message.

Ms. Stoddart: I am not sufficiently familiar with how the law works. I would presume CSIS can, but I do not know in what cases it has to get legal authorization.

Senator Fox: In a federation like Canada, we have federal and provincial jurisdiction. I assume your agency can operate only under federal jurisdiction. We have a range of agencies across Canada. Is there any weak link in Canada in privacy protection? I think the provinces were ahead of the federal government for a while. They had privacy commissioners before us. With this federal-provincial aspect involved, are there any holes in our legislation that would make it easier to operate out of one area rather than another?

Ms. Stoddart: No, I do not think there are holes. Between us, the provincial and the federal legislations overlap and come together, and they sometimes repeat each other in the case of the substantially similar provinces, Quebec, Alberta and B.C. Where there is a gap, it is in the employment practices of organizations that are federally regulated for their business activities under PIPEDA but whose province does not then regulate the use of personal information of employees. That is one gap, but the federal government cannot fill that gap. It is up to the provinces to move ahead. None of them have, outside those three provinces that I mentioned.

Senator Fox: Are there any frictions, federally or provincially, amongst the agencies?

Ms. Stoddart: No, there are not. We cooperate intensively. You can refer to our recent work on Google Street View and its deployment across Canada. We do joint letters to Google Street View stating our position, with the Quebec, Alberta and B.C. commissioners, because we have joint jurisdiction over all of Canada in that case.

Senator Fox: You said you are currently completing an audit of the federal government's use of wireless networks and devices such as the BlackBerry and the iPhone. What is at the origin of the inquiry? Why are you doing this, and what are you looking at?

Ms. Stoddart: We are doing this because we think we should use our audit powers to look at things that are new and relevant to possibly prevent privacy threats. As the federal government, like everyone else, moved to the BlackBerry, it seemed to us a good audit topic to see how personal information was being treated in that context.

Senator Fox: Thank you.

Senator Plett: This question is somewhat personal in nature. A friend of mine used to be a business partner with another individual, and they separated their partnership, not in any bad manner. I sent her an email last week, and I got an automatic out-of-office reply from the individual that she used to be in business with. When we followed that up, we found out that he in fact was reading all of her emails, because when they were partners, he was senior partner and managed to talk to whoever the servers were and was getting her emails. This was the first time he had been out of office or was not getting the emails, so we got an automatic bounce back. We followed it up and found that he had been reading all of my friend's emails over a lengthy period of time. What laws are there in this regard? I know you are not lawyers, so I do not expect legal counsel here, but tell me a little bit about that.

Ms. Stoddart: In fact, I am a lawyer, but, as a matter of ethics, I probably should not give you individual legal advice in this particular setting, given my job.

Certainly PIPEDA, our act, would cover that. This is someone reading someone else's personal email without their consent. Your friend could make a complaint. Some of the new amendments to the Criminal Code about misusing other people's personal information may also apply in that case. Your friend might want to seek damages from the person who has done this, depending on what province they are situated in and where the tort of infringement of privacy is developing. It is gradually developing at common law in many provinces. Some provinces have legislated it. She could also look at what the consequences were. Presumably there is a reason, as there is business information there, I guess, so I would think that would be very fertile ground for some kind of action against this person in order to claim the damages that must have occurred. I presume this other person is taking business from your friend?

Senator Plett: No, I do not think he is. He is not in a business that is now in competition, so I do not think it is business. It is more of a personal nature.

Ms. Stoddart: There are remedies for loss of privacy.

Senator Plett: Let me take that one step further. If my friend's partner had been the chair of a board and this board shared an email server, or she was the chair and left, and they were using a common server, would they be able to continue taking her emails if she was still on the server? Would that be legal if she had remained on the same server?

Ms. Stoddart: There may be technical issues here, but I think the issue is of consent. It is unusual to have people reading other people's emails. They are generally considered to be personal information. The exception is when you are at work, supposedly doing the work of the organization, whether it is a company or the Government of Canada. You expect the employer, the head of the organization, to have a policy that tells you when your emails can be read. Generally, employers and heads of organizations have to have some kind of policy where, from time to time, they drop in and see that people are working, not visiting sites, for example, and the Government of Canada has a rule against visiting pornographic sites. If there is some kind of problem in the system that is being traced to one particular computer, they have to be able to go in and review the emails. It depends on the framework around this, but it is highly unusual to have one person having total access to someone else's emails.

Senator Plett: Would you then go to that individual and say, "We need to look at your computer?"

Ms. Stoddart: Yes.

Senator Plett: You would not be stealing the emails as you are going along. You would say, "We need to look at your computer to see what you have been doing?"

Ms. Stoddart: Exactly, but people know that ahead of time. For example, with my own employees, we certainly do not monitor all their emails, but if there is a problem or we suspect a problem for a reason, we do have the right to go and look at that employee's computer and see what he or she is doing with it.

[Translation]

The Chair: When we went to Paris and London, we had the opportunity to meet with people from ACMIL. At France Digital and at Digital Britain, we saw that there was a high degree of political involvement. That is the case for those two countries specifically, but we observed the same thing in a few other countries.

Do you think it is necessary to appoint a minister who is responsible for the digital economy? Do you think there is a way to close the time gap in terms of technology outpacing legislation?

You mentioned some amendments that you wish to put forward. We discussed the anti-spam bill, which is slow in coming, and we know that we are a few years behind in terms of copyright royalty legislation. What are your recommendations for speeding up the process and bringing legislation more in line with technological advances in order to control those advances?

Ms. Stoddart: Those are very good questions, Mr. Chair. I am not sure whether appointing a specific minister would be a solution. I think you are in a better position than us to consider that possibility. But what is clear is that everyone agrees that Canada was at the forefront of the developing digital economy in 1997, and we have lost that edge.

According to Industry Canada data, we have lost that edge. I do not think that the government has made a concerted effort to focus on these issues since 1997. We adopted PIPEDA and have not done much since. We are the last country in the G8 to adopt anti-spam legislation.

I am not exactly sure which structures could help. I think it is less a matter of structures than the level of importance placed on this issue by the government of the day, and we have been lagging well behind for the past few years. The Criminal Code amendments on identity theft have just been adopted. PIPEDA is supposed to be reviewed every five years, and we assume that changes will follow, but we are three years behind our reasonable schedule. Indeed, we need to pay greater attention to digital data issues, but I leave it to you to examine the matter and determine which structure is appropriate.

The Chair: Thank you, Commissioner. Our next group of witnesses is waiting. We greatly appreciate you being here today, and as I mentioned earlier, if you have any written recommendations for us, which you can submit to the clerk, we would be happy to receive your feedback. Thank you again for appearing before the committee.

Ms. Stoddart: Thank you for inviting me.

(The sitting is suspended.)

(The sitting resumed.)

[English]

The Chair: This is our second panel of the morning. With us, from the Office of the Complaints for Telecommunications Services Inc. is Howard Maker, Commissioner, and Josée Thibault, Director of Complaints and Inquiries.

[Translation]

The Office of the Commissioner for Complaints for Telecommunications Services, an agency created by telecommunications service providers and approved by the Canadian Radio-television and Telecommunications Commission, began operating in July 2007.

[English]

Welcome to the committee. The floor is yours.

[Translation]

Howard Maker, Commissioner for Complaints for Telecommunications Services, Office of the Complaints for Telecommunications Services Inc.: Mr. Chair, I would like to thank you, on behalf of the Office of the Complaints for Telecommunications Services Inc. and its board of directors, for inviting us to appear before the committee today. Rest assured that we appreciate the opportunity to assist the committee with its work in regard to the wireless communications sector, and we hope that our contribution will be helpful.

[English]

We have provided the committee with a couple of documents. One is our recently released annual report for 2008-09, released this past October, as well as a slide deck that provides some useful information, we hope. I propose to arrange my remarks based on the slide deck that hopefully you have before you.

By way of background, the Commissioner for Complaints for Telecommunications Services, CCTS, is a creature of an order-in-council from April 2007. The order directed the creation of an independent and industry-funded consumer agency to resolve complaints from individual and small business retail telecom customers. The organization was put together by industry and in July 2007 was incorporated and began operations.

Later that year, in December, the Canadian Radio-television and Telecommunications Commission, CRTC, held hearings and public proceedings to determine the mandate, structure and so forth for CCTS, and following a second hearing in May, it formally approved the structure. Following that, in June of 2008, governance was passed over to an independent board of directors, and the real CCTS life took root.

We are a not-for-profit corporation. The telecommunications service providers are our members, and they fund the organization. However, our organization essentially is an industry ombudsman service, and for that reason we are required to be independent of both industry and consumers.

We are governed by a seven-person board of directors, four of whom are independent of the telecommunications industry — in fact two are nominees of consumer groups — and we have three directors representing three segments of the industry — the cable companies, the incumbent local exchange carriers, or ILECs, and other telecommunications service provider members.

By a decision of the CRTC, every telecommunications service provider in Canada whose annual Canadian telecom revenues exceed $10 million is required to be a member of CCTS and to take part in funding the organization and in having our office eligible to review complaints of its customers.

We operate with a procedural code that sets out all the processes that we follow in connection with assessing whether complaints are eligible for us to review, how we will attempt to resolve them and how we will investigate them when necessary. Our watch words are impartiality, timeliness, efficiency and informality.

There will be a review by the CRTC in 2010 of all of the mandate, structure and operations of CCTS. This will include the mandatory membership requirement for telecom providers. Currently we have about 50 members, including all wireless carriers currently conducting business in Canada.

It is important to spend a couple of minutes describing our mandate. That will inform the rest of the information that we will provide to you this morning.

Our mandate is to facilitate and to attempt to resolve complaints about deregulated telecommunications services between customers and providers. We do this impartially without being an advocate for either side. As I indicated previously, we are essentially an industry ombudsman, although we have some additional powers that most ombudsmen do not have. In particular, we can bind the provider to an outcome if the complaint goes that far in our process.

We try to resolve complaints. That is job number 1 at CCTS. If we are unable to resolve them, we investigate them in a more formal way and make written recommendation for the parties based on the merits. We tell them how we believe they ought to resolve the dispute. We do this in the context of our standard of review described in our procedural code. We look at whether the provider has reasonably performed its obligations under the contract in place with the consumer. As you know, nearly all telecom services in the retail market are contract-driven.

Our mandate includes most of these services: wireless, which will be of most interest to you; local and long distance telephone; Internet access; white pages; directory assistance; and operator services. For statistical purposes, we have broadly categorized the issue as indicated at the bottom of slide 6. We seek compliance with contract terms, billing, service delivery, credit management and — less in the wireless world — unauthorized transfer of service or slamming.

Some types of complaints are not within our mandate. They are indicated on slide 7. For example, we do not look at the specifics of contract terms. We determine whether providers have complied with the contract terms in place, but we do not have a mandate to assist a customer whose complaint is that the contract should not say what it does.

We also do not review operating policies and procedures of the providers. We do not tell them what their policy should be, but if we find one of their policies or procedures has disadvantaged a customer, we will require them to make it right.

We do not look at Internet content, only access. We do not do broadcasting. We do not do emergency services, because they remain regulated.

For a variety of other things, we prefer to defer in cases where more expert bodies exist. Telemarketing has the availability of the National Do Not Call List. The Privacy Commissioner is in place to deal with privacy issues. The Competition Tribunal deals with cases of false or misleading advertising.

During our last fiscal year, ending July 31, 2009, we were contacted by Canadians over 17,500 times as shown on slide 8. We opened 3,200 formal complaints. As in the previous year, more consumers complained about wireless services than anything else; 38 per cent of our complaints related to wireless service.

Slide 9 shows statistics related to the issues that wireless customers have complained about based on our standard categorization. People are primarily concerned about their bills and the contract terms under which they do business. Service delivery is of a significantly lesser scope at 12 per cent of our complaints. The three categories total over 90 per cent of our wireless complaints.

We want to provide you with information about what we are seeing and hearing from consumers related to those three main categories since they are clearly our big business in wireless complaints.

First, people complain about a number of things in regard to their wireless billing. For example, they generally complain — as do other telecom customers — about the difficulty providers have in providing accurate billing. This is probably more complex in the wireless world than in other telecom services given the complexity of the service. There are complicated rate plans: what is included; what is not included; how to bill for voice, text and data; and how roaming works is different for data, text and voice. Needless to say, there is confusion in the minds of many consumers, which affects how they think their bills should look.

We also see general billing difficulties in the way payments are attributed. When there is a problem with the bill and payments are not made or they are made but not recorded, we wind up with consumers subjected to collections treatment and potential derogatory comments on their credit ratings. This is typically more important to people than they realize at the time they file a complaint. This will also typically lead to suspension or cancellation of their service.

We have also heard many complaints about premium text messages that people receive on their wireless devices. As an organization, CCTS has received relatively few formal complaints about this. However, we have heard much disquiet in the consumer community about it. These are concerns about not knowing why one received these messages; not having been aware of subscribing for something; not being able to make them stop; and not necessarily being able to get help from the provider in taking those measures. Those are a challenge for us, because the program is administered through the Canadian Wireless Telecommunications Association, CWTA — the industry association. It deals with third-party providers over whom we have no authority.

We also anecdotally identified prepaid service. We do not get many complaints about prepaid service. In most situations, the prepaid model has an absence of billing and usage information to tell you how much you have used, what your balance is and whether it is being debited correctly. In the worst case scenario, consumers run out of credit. We have heard of situations where consumers do not activate their service in a timely way and wind up losing their phone number.

These are the typical billing complaints we are hearing from consumers today.

The second category of complaints is contract disputes. Complaints in this category are equal in number and equally challenging in many ways. Consumers complain about lengthy contract terms and technicality. We will talk about this later, but the specific terms or business models are not in our mandate.

Consumers complain a lot about early termination charges. Most contracts provide that if you do not serve out your committed contract term with your carrier, you will be subject to early termination charges. They tend to be costly, are calculated differently by different carriers and sometimes not as clearly disclosed as one might expect to see.

We see complaints generally about terms of service. Leaving apart those who think terms are unfair or unbalanced, we also hear about how long, complicated and legalistic they are. We also get particular concerns about a provision we frequently see in contracts that allows a provider to change materially the contract terms in the middle of a term. Historically, the only recourse customers would have in such a situation is to cancel if they found the change to the terms too severe or not in keeping with their needs, but that would result in the charging of an early termination fee.

The wireless code of conduct that you heard about from Bernard Lord some weeks ago is designed, as I understand it, to give consumers an option in the case of material changes to their contracts. It requires that they be given 30 days notice and be provided with an option of staying on the old contract or terminating without termination fees. The future will show us how that will work out.

There is a lot of confusion in consumers' minds about plans versus features. Typically, in the wireless world, most providers will guarantee not to change your plan for the committed term that you have signed up for, but they do feel at liberty to change features, which are things for which you have not subscribed for a set period of time. You want to have unlimited texts today, and tomorrow you can phone up and remove the text messaging package, so they feel at liberty, because there is no fixed commitment, to change those whenever they deem it appropriate for their business model. Customers find that confusing, and some determine their purchasing choices based on features that were in place when they signed up and bought a device, but suddenly those got changed.

We also hear about consumers who did not understand their rate plan, found it confusing, complained it was not fully disclosed when they signed up, and the contract documentation maybe does not describe it clearly. The invoice may be ambiguous or not describe it at all. That leads to additional confusion, which we see repeatedly.

There is also what I call phantom contracts. We see this a bit less so in the wireless industry than we do in other telecom services. People call up to tell their provider they are no longer going to retain their service and are told that they have a contract. The customers find that surprising because they did not believe they had a contract. From my personal experience, as well as the complaints we are seeing in the wireless world, the providers are pretty good about providing documentation at point of sale to ensure that customers understand what the commitment is and when it expires. Some other services are often over the phone or through online purchases. Typically, consumers are in a wireless store getting a device, so we see less of this in the wireless world, but it is certainly a concern for all telecom subscribers.

We also see service delivery complaints in the wireless world, often concerns about network coverage and situations in which a provider cannot provide service at a particular location. As a consumer, I experienced that myself when I bought a cell phone. It worked delightfully until I got home and found out the one place it did not work was in my house. I hear some chuckling, but this is the reality sometimes. We hear about this not infrequently. Our providers generally try to resolve those concerns for customers, because they want to retain their business, but sometimes the network just is not capable of getting that signal where you need it.

Senator Fox: What do they do then? They will not build a tower just for one person. Do they end the contract with no cancellation fees in those circumstances?

Mr. Maker: It varies from carrier to carrier. They will typically try a different device or a series of devices to see whether there is better access to the signal that way. If that does not work, most providers are pretty good about letting customers out of that situation. Some wireless providers have a 14- or 15-day trial period with the device, so the customer does have an opportunity to return it in that situation.

We heard some concerns recently about a provider in B.C. that made some changes to its local calling area. If you live in a big city, the local calling area is clear, but sometimes, in smaller, more rural areas, the local calling area for your device might include a number of different communities. Providers usually reserve to themselves for all sorts of reasons the right to make changes to that. We heard some complaints recently about one provider on the West Coast that made such a change.

These are anecdotal, I am afraid, because we do not have specific statistics on each of these specific kinds of concerns. These are the complaints we are hearing that do fall within our mandate. We also get complaints that unfortunately are not within our mandate. We had about 800 or so last year.

People complain generally about the cost of service in Canada and read about foreign studies that talk about the cost and quality of service. There are particular concerns about network access fees and incoming text message charges. We have seen recently that some providers have moved to do away with the network access fees and the 911 charges and so forth.

People complain about having to sign up to a three-year contract. Unfortunately, it is not within our mandate to deal with that, but they do compare that to the situation in other jurisdictions where shorter contracts may be the rule.

People feel that the contract terms are unbalanced or drafted in favour of the providers and that there is no legal or regulatory requirement that they be fair. They feel that competition in the marketplace to date has not impacted on that at all. As we said, they talk about network coverage or problems with equipment. Again, that is not within our mandate because we do not have any sway over the equipment providers.

They complain about lousy customer service, which is something we have all experienced, being on hold for a long time trying to get through to an agent, or, because of the complexity of the environment, receiving conflicting information or sometimes contradictory advice from different representatives of the same company in consecutive phone calls. Unfortunately, there is not much we can do about how well companies train their representatives, but if we feel a customer was misled as a result of something he or she was told, we will require the provider to make it right.

The last slide talks about the future. We wonder about the impact on CCTS that will come from the 2010 review by the CRTC. We believe we provide a useful and helpful service for consumers and industry. We wonder about the impact that the wireless code will have. There have been a number of commitments, and we will see whether providers are prepared to stand up to the minimum commitment they made.

As you all know, we are supposed to be seeing the advent of more competition in wireless very soon, although I do not know how soon, but it remains to be seen what effect that will have, what kind of contracts we will see, how much consumers will pay and how good the service will turn out to be. Other technologies out there, like Google Voice and other things, may affect providers and how they do business. I do not know how friendly the future is, but we look forward to seeing how it unfolds.

The Chair: Thank you.

Senator Johnson: This area is certainly critical for the future, with the increasing use of technology. You said in your 2008-09 report, according to my notes, that it is important for customers to be fully informed about what they are contracting for with telecommunications service providers, as generally we will expect all parties to respect the rights and obligations detailed in the terms. Given how complicated wireless plans and services can be, is it reasonable for a consumer to understand all the terms of a contract?

Mr. Maker: It is definitely a challenge for consumers to understand all of the ins and outs of contracts. The fundamental provisions are within the ambit of the traditional consumer. There are tools out there, I should say as well, to assist consumers. I know that Industry Canada's Office of Consumer Affairs has a very good glossary on its website to assist consumers with terminology and to assist them with a buying decision regarding what they do or do not need.

It is reasonable for consumers to come into a wireless dealer knowing essentially what they are looking for in a device and the service, such as what model, prepaid or post-paid, voice, text, data, how many minutes they need, day time or night time. Those are fundamental things. There are lots of choices, as you know.

Senator Johnson: Are people getting savvier? There are a few complaints, but not that many. Is it a reasonable number, do you think, or do you know? You have only been there for two years.

Mr. Maker: That is it, senator. We are the new kid on the block. We are not as well-known in the public domain as we would like to be. We have a public awareness plan that we are in the process of unfolding. Therefore it is hard for me to answer with any certainty whether our novelty in the marketplace is limiting the number of complaints. I think it is.

Although things are more complex, the fact of more complaints does not necessarily indicate more problems. Perhaps it indicates that consumers are more aware.

Senator Johnson: You are funded by the wireless service providers. Where did the initiative come from to set up your order-in-council? How did you get that?

Mr. Maker: The Telecommunications Policy Review Panel was struck and made a variety of recommendations about Canadian telecom policy. One of its recommendations was the creation of this consumer agency, so the order-in-council followed the recommendations of the panel.

Senator Johnson: Is there something comparable in other countries? Do you have counterparts?

Mr. Maker: Yes, we do. In Australia, the telecom industry ombudsman has been in place since the mid-1990s. They have a very developed infrastructure that, as a provider of this kind of service, I envy. They are way ahead of us, but we are hoping to get there.

Senator Johnson: Are you using them as a model in any way for the work you do? Is that the only country you can talk about in this respect?

Mr. Maker: The U.K. also has two telecom ombudsman services. In those countries, the ombudsman service is a function of the regulators. There is a connection between the regulator and the ombudsman service. In Canada, both in telecom and in other sectors, the ombudsman services tend to be free-standing. For example, CCTS is a not-for-profit private corporation, so clearly we have a lot to learn from those who have come before us; it is nice to not have to reinvent the wheel.

The Australians document extremely well. They document their policy and their procedures, and they document and publish material on how they look at particular issues and particular aspects of complaints. Although our marketplace and our services are different in many ways from theirs, it is certainly a great model for us to be working with.

Senator Johnson: You talked about the impact on consumers and industry of the 2010 CRTC review of CCTS. Do you have any further comment on that at this time?

Mr. Maker: Yes. Prior to the creation of CCTS, telecom consumers and particularly wireless consumers did not really have anywhere to go. The only recourse consumers had was that consumers of regulated services, typically local phone service, could go to the CRTC and make a complaint. As a regulator, the CRTC would deal with the provider and make sure that the provider was not breaching any regulatory requirements, but the CRTC has no authority, as I understand it, to offer any recourse to customers. We are a novel creation in the sense of having the ability to, if needed, require providers to provide recourse to customers who have not been treated in accordance with the contract terms.

In my respectful view, that is a huge gain for consumers, and the degree of gain will increase as we become better known and more effective.

Senator Johnson: Good luck.

Senator Fox: Going through your document — I must have missed a page somewhere — I see all sorts of statistics on overview of wireless complaints and wireless issues. Did I miss the page that says how many of these consumer complaints were solved to the consumers' satisfaction?

Mr. Maker: No, you did not. Actually we do not record the wins and losses, if you will, because we find them a bit ephemeral. The fact that we make a recommendation that is in favour of a customer, or a formal decision that is in favour of a customer, might be described as a win for the customer, but often even what we recommend does not satisfy the customer. Therefore we have, at least for now, decided that we will not have a score card. We do not have any formal statistics about customer satisfaction other than in our decisions. When we do issue a decision, it is a matter of public record, and we record how many of those are accepted by the customer.

Senator Fox: Did you say that the CRTC will evaluate the effectiveness of your organization at some point?

Mr. Maker: That is correct.

Senator Fox: If you do not have a score card, how will the CRTC measure the success or failure of the organization?

Mr. Maker: With respect, I think that is a question they might be better suited to answer than I. I think they will have a public proceeding and will ask for submissions from providers, from consumers and from other stakeholders, including consumer groups. They will take the temperature of the stakeholder community and make decisions on that basis. Certainly we will attempt to inform those discussions with whatever information we can provide.

Senator Fox: I find that unsatisfactory, but that is your problem, I guess. You will have to explain.

[Translation]

You should explain that to the CRTC instead of me, but it seems like a bit of a vague answer and is a rather disappointing approach. An agency such as this should aim to surpass the previous year's success rate or, at least, to reduce the number of complaints.

You mentioned consumer practices. I am more of the opinion that a consumer, who walks into a store to buy a cell phone, especially if it is for the first time, really does not know what they need.

Take, for example, a consumer who signs a three-year contract that includes a certain number of minutes and then discovers that that number of minutes is not what they actually need; it is either too much or too little. Can that consumer change plans?

Josée Thibault, Director of Complaints and Inquiries, Office of the Complaints for Telecommunications Services Inc.: Consumers can change plans, but it depends on the service provider. Sometimes, changing plans results in a new contract. If the consumer signed a three-year contract and, two years later, decides to change it, the service provider may require the customer to commit to another three years. There are options, but basically, they are not always good for the consumer.

Senator Fox: Can penalties be imposed for changing plans?

Ms. Thibault: If the consumer decides to cancel the contract before it ends, most of the time, a cancellation fee is charged. If we receive a complaint, we investigate. Then, most of the time, we talk with the providers. That is what Mr. Maker is talking about. We cannot talk about losses or gains for the consumer, but we can negotiate, which makes it easier to resolve the complaint. The policy may be to apply the cancellation fee, but in this case, the service providers decided not to charge the fee.

Senator Fox: Lawmakers often get involved because they find that companies follow practices that are unfair to their customers. Do you think Quebec's new legislation, which seems to go a lot further than yours, reflects the dissatisfaction of provincial lawmakers with the work being done in this sector, including yours?

Ms. Thibault: No doubt. It seems that consumers in Quebec have more effective ways of seeking recourse. Mr. Maker would also agree on the issue of our mandate with respect to terms of service.

As we discussed, the organization was not mandated to make decisions as to the meaning of terms of service. It is simply required to determine whether the provider's actions were appropriate under the terms of service. At that point, we cannot start telling providers that they should change their terms of service.

[English]

Senator Fox: Quite clearly, yours is an industry-type response, and usually an industry-type response is to try to solve issues within the industry rather than inviting, in this case, a provincial legislation, because it is mostly consumer matters, to intervene. I suggest that the Quebec government's new legislation in this area is an indication of the legislature's unhappiness with the type of proceedings that you people have and that you are inviting other provincial legislators to intervene.

I suggest that you should be much more aggressive in what you do. It boggles my imagination that you cannot even come up with a model for early termination fee plan. That an industry organization cannot say this is what we should be doing in the area of early termination fee, which is a major area of complaint, I find very surprising. It is not your fault, but your people should be much more aggressive in the mandate they give you to solve these problems.

Mr. Maker: A committee of our board is currently reviewing many of these issues, including the standard of review. To go back briefly, all of the constating documents, including our procedural code, were drafted by industry in preparation for proceedings before the CRTC. The CRTC ordered that there be some changes to add some balance to those, and we opened our doors on the basis of that order. Part of the order, if not explicitly, certainly implicitly required that the board and the organization look at all those documents afresh with an independent board in place. We are in the process of doing that now.

Senator Fox: Thank you.

Senator Cochrane: You mentioned wireless complaints. Have you received complaints about exorbitant user fees when outside the country?

Mr. Maker: I am complaining about them to my own provider.

Yes, we do hear complaints about that. In the industry it is called a roaming charge. It is a charge paid to your provider's partner that provides the network service wherever you are that your provider does not have access to service. I generally agree with you. We do hear people say it is very expensive.

Senator Cochrane: When you get a complaint like that, do you go to the company and follow up to see if anything has been done or will be done?

Mr. Maker: The actual price of the service is not within our mandate. As I understand the policy of the government, the goal is to increase competition in the marketplace in order to provide consumers with more options, including pricing structures. We do not have a mandate to resolve complaints that the service costs too much. We cannot tell the provider what to charge.

Senator Cochrane: But it is within your mandate to let the company know that you are getting these complaints, is it not?

Mr. Maker: Certainly, and we do.

Senator Cochrane: And that maybe they should do something about it.

Mr. Maker: When we receive a complaint, our first action is to send it to the provider, and we do that for a couple of reasons. The first is that we want the providers to know what their customers are complaining about. The second is that we find that we are able to get the complaints to a more senior level in the provider's organization. We find that about 60 per cent of complaints are resolved at that stage, so we ensure that they understand exactly what their customers are concerned about.

Senator Cochrane: You do some kind of an evaluation of results if you know that 60 per cent are being resolved.

Mr. Maker: Absolutely. We track the number of complaints that are within our mandate. We send them to the provider, and we learn from the providers and the consumers how many are resolved at that level, and we publish those statistics.

Senator Cochrane: Do you operate right across the country?

Mr. Maker: Yes, we do. Consumers from all across Canada are eligible to complain to CCTS, although our head office is here in Ottawa.

Senator Cochrane: What remedies are available to complainants? Give us a typical example.

Mr. Maker: The remedies available to us are fairly broad. If a customer complains about something to do with his or her bill, for example, which is a pretty common situation, we will send the complaint to the provider with a copy of the customer's concerns and ask the provider to talk to the customer and see whether they can sort it out. They have 20 business days to do that, failing which we take it on ourselves. We collect whatever material the provider has related to the complaint and whatever material the customer wishes to provide, and we try to resolve it. We try to educate ourselves about what happened, what the obligations of the providers were, and what evidence there is to support either side of the case. We try to bring the parties together to come to a mutually agreeable resolution of the complaint. A significant number of complaints are resolved at that stage.

For those that are not, we have a formal investigative process that culminates in the writing of a formal recommendation. For example, in the case of a billing complaint, we might say that the billing was appropriate, based on what we understood the customer had signed up for. In that case, we would recommend no action.

Alternatively, we might determine that the customer had been improperly billed and that some money should be returned to the customer, and we could make a recommendation to that effect.

We sometimes see in billing complaints that the input is what is wrong. It is not just that the calculation is wrong, but they have the wrong plan on the bill, or they have the wrong termination date, or they have not given the customer the number of minutes they are supposed to have, so the charges are too high. There could be any number of issues. We have the authority to recommend to the provider at the first stage that they fix those inputs as well as correct bills.

At a subsequent stage, if the provider is unwilling to do that, we can require them to do it. It is a stage of our process called a decision. We can also require providers to compensate customers in an amount up to $5,000 related to direct losses that have been suffered as a result of issues that have gone wrong for them in the service that was provided to them. Typically that does not happen frequently in billing cases, but we do have the authority to provide financial redress for consumers as well.

Senator Cochrane: Have some done it?

Mr. Maker: Indeed, many have done it, often related to inconvenience incurred as a result of a service outage and various other issues that come up in the course of day-to-day affairs.

Senator Plett: My question was similar to that of Senator Cochrane, and Mr. Maker just gave a great explanation of the authority of his organization. Therefore, my question has been answered.

The Chair: I have two short questions.

Is your relationship with the CWTA or with the members of the CWTA?

Mr. Maker: All the telecommunications service providers are members of our organization. The wireless carriers have their own industry association. I believe that most of them are members of CWTA, and there is also membership in CCTS, so there is common membership. They are an industry association, and we are the dispute resolution provider.

The Chair: However, your relationship is more with the members than with the associations?

Mr. Maker: Yes. We have had interaction with the association on issues in common, such as premium text messages and the code of conduct related to that issue, as well as the wireless code of conduct, but they are an independent organization and we are completely independent from them.

The Chair: We have seen and have heard of many countries that have a user-friendly website that makes clearly accessible comparisons of costs related to services. Belgium is a prime example. Many of the European Union countries have either common or shared websites in which you can get user-friendly comparisons on costs. Would it not reduce the number of complaints if we had that same type of information available here?

Mr. Maker: Anything that provides more information, better disclosure and more clarity in language that consumers can understand and absorb would assist. The opportunity to compare certainly would be advantageous. There is no question about that.

The Chair: Would it reduce the number of complaints?

Mr. Maker: That is hard to say. I would like to think that it would, but I do not have any empirical data to rely on to support that answer.

Senator Plett: How are the three directors that represent the industry nominated or put on it?

Mr. Maker: The providers are grouped into three categories. Each category has a number of different providers — cable companies, ILECs and others, Internet providers, resellers and so forth. Each group nominates its own representative.

The Chair: Thank you very much.

(The committee adjourned.)

