Telecom - Staff Letter addressed to the Distribution List

Ottawa, 22 February 2023

Reference(s): 8000-C12-202203868

BY EMAIL

Distribution List

Subject:  Rogers Canada-wide service outage of July 2022 – Disclosure of information designated as confidential

Dear recipients:

This letter addresses requests for disclosure of certain information designated as confidential by Rogers Communications Inc. (Rogers) in its responses to requests for information (RFI) addressed to Rogers by Commission staff on 17 July and 5 August 2022 regarding Rogers’ service outage that began on 8 July 2022.

First RFI

On 22 July 2022, Rogers filed its confidential responses to the first RFI along with an abridged version, as well as six appendices filed entirely in confidence.

By letter dated 28 July 2022, Commission staff set out a process to request disclosure of information that Rogers designated as confidential.

The Commission received requests for disclosure from Matt Malone on 4 August 2022, and from the Canada Deaf Grassroots Movement and Deaf and Hard of Hearing Coalition (who filed jointly, hereafter referred to as the “Accessibility Groups”), the Competitive Network Operators of Canada (CNOC), PIAC, and Vaxination Informatique on 5 August 2022.

In its 12 August 2022 reply to the disclosure requests, Rogers disclosed additional information previously designated as confidential as well as one of the six appendices.

Additionally on 12 August 2022, the Deaf Wireless Canada Consultative Committee (DWCC) filed a document commenting on Rogers’ response to the first RFI, which included questions to Rogers from anaccessibility lens. By letters dated 15 August 2002, PIAC and CNOC each supported DWCC’s submission.

Second RFI

On 5 August 2022, Commission staff addressed a second RFI to Rogers, noting that any confidentiality determinations made in respect of the first RFI would be applied to Rogers’ response to this second RFI. Commission staff also noted that the procedure for further requests for disclosure for the second RFI would be addressed after the first RFI. The original deadline set for the second RFI was 15 August 2022, but this was subsequently extended to 22 August 2022.

On 22 August 2022, Rogers filed its confidential response to the second RFI along with an abridged version.

On 26 August 2022, Vaxination Informatique and PIAC requested disclosure of information contained in Rogers’ second RFI, and on 31 August 2022, CNOC requested the same. Rogers’ did not file a reply to these requests for disclosure. Commission staff notes that these requests for disclosure were submitted outside of the process established in the second RFI, which explicitly noted that the disclosure process for this information would be set out at a later date once disclosure of the first RFI had been addressed. These requests will therefore not be considered here. Vaxination Informatique, PIAC and CNOC may file new requests for disclosure in compliance with scope and timeframes of the process set out at the end of this letter.

General principles

Requests for disclosure of information designated as confidential are addressed in light of sections 38 and 39 of the Telecommunications Act (the Act) as well as sections 30 to 34 of the Canadian Radio-television and Telecommunications Commission Rules of Practice and Procedure (the Rules of Procedure).

Commission staff notes that the information filed confidentially by Rogers in response to the two RFIs was not submitted in the course of a proceeding. Rather, the RFIs were addressed to Rogers by Commission staff in order to provide the Commission with a better understanding of the circumstances of Rogers’ 8 July 2022 outage and its future plans. Moreover, the Commission declined to open an inquiry into the Rogers’ 8 July 2022 outage and also declined to issue a Notice of Consultation on the matter^Footnote1 . Instead, the Commission has adopted a more comprehensive approach of addressing the current and future challenges to telecommunications service reliability and improving the network resilience of all Carriers. The Commission has issued a Notice of Consultation CRTC 2023-39^Footnote2 , as its first step in considering network resiliency across all Carriers.  

Since the information subject to the requests for disclosure considered in this letter was not submitted to the Commission in the course of a proceeding, the Commission’s power to disclose the information is governed by section 39(5) of the Act.  Pursuant to this provision, disclosure may be required, after considering representations by interested parties, if it is determined that the information is relevant to the determination of a matter before the Commission and disclosure is in the public interest.

The determination as to whether information should be disclosed is based on the specific circumstances of any particular case.  Regard is generally had to whether the disclosure would result in specific direct harm and whether that harm outweighs the public interest in disclosure. Harm may be more likely to outweigh the public interest where the information is more disaggregated or where the degree of competition is greater. Further, in weighing the specific direct harm against the public interest in disclosure, it is relevant to consider that there is no public proceeding in connection with the specific information in question. That is, disclosure is not required for parties to prepare submissions for consideration by the Commission in rendering a decision.

Further information regarding the general procedures and the factors considered may be found in Procedures for filing confidential information and requesting its disclosure in Commission proceedings, Broadcasting and Telecom Information Bulletin CRTC 2010-961 (Information Bulletin 2010-961), 23 December 2010, as amended by Broadcasting and Telecom Information Bulletin CRTC 2010-961-1, 26 October 2012.

Commission staff determinations

Network and outage information: Q1.A.i, Q1.A.ii, Q1.A.iii, Q1.A.ix, Q1.A.x, Q1.A.xiii, Q1.A.xiv, and Q3

Concerning Q1.A.i, and Q1.A.ii PIAC requested disclosure of all information filed in confidence by Rogers, providing a full timeline of the outage and recovery, as well the detailed root cause analysis of the outage. PIAC noted that it sought this information to ensure that the public could understand what happened, seek compensation, and to hold Rogers’ accountable to ensure such outages do not happen in the future.

Similarly concerning Q1.A.ix, Q1.A.x, and Q1.A.xiv, PIAC submitted that more detailed information on Rogers’ response to the outage and planned improvements should be available for public scrutiny and investigation. PIAC did recognize that much of this information would be commercially sensitive and security adjacent, but reasoned that customers that rely on Rogers for connectivity need the information to ensure Rogers’ current and future procedures are sufficient to ensure network resiliency.

Concerning Q3, PIAC requested disclosure of Rogers’ filings concerning three previous outages that impacted its network. PIAC commented that the public interest in evaluating whether the outages were linked overrides the specific direct harm to Rogers’ competitive position or the security of its network. PIAC also noted that, because Rogers’ stated the root causes of these outages were different, it had also waived confidentiality over its responses.

PIAC also requested that information in Q1.A.iii and Q1.A.xiii be disclosed on the grounds that it is unclear what information was designated as confidential.

With respect to specific direct harm, Rogers indicated that disclosure of this information would provide granular technical information that could jeopardize its network security and would not provide the public greater understanding of how the outage occurred or the recovery in light of its already extensive disclosures. Rogers went further noting that its customers were already aware of how they were impacted by the outage.

Commission staff considers this information eligible for confidentiality, as it falls within the categories under section 39(1) of the Act.

Commission staff considers that the information filed confidentially in response to Q1.A.i, Q1.A.ii, the first part of Q1.A.iii, Q1.A.ix, Q1.A.x, Q1.A.xiii, Q1.A.xiv, and Q3 concerns network design, assets, as well as security process and that public disclosure of this information would jeopardize Rogers’ telecommunications network integrity. Commission staff also considers that the specific direct harm likely to result from public disclosure significantly outweighs the public interest in disclosure of this information. Specifically, the direct harm in this instance would be incurred not only by Rogers whose network could be damaged or otherwise compromised by bad actors seeking unauthorized access, but potentially all those that rely on Rogers’ network for access or transit across the wider internet.

Commission staff considers that the information filed confidentially in response to the latter part of Q1.A.iii concerns the back end of Rogers’ broadcasting services and how certain services rely on Rogers’ telecommunications networks for ultimate distribution. Commission staff also considers that the specific direct harm likely to result from public disclosure outweighs the public interest in disclosure of this information. Specifically, the direct harm in this instance involves the risk of bad actors targeting Rogers’ media broadcasting services while not providing any additional meaningful information that would help the public’s understanding of the outage.

No further disclosure of information is required.

Network and outage information filed in response to the second RFI: Q5, Q6, Q7, Q8, Q9, Q10 and Q11

Building upon Rogers’ responses to the first RFI, Commission staff addressed a second RFI to obtain additional details related to network design, cause of the outage, service restoration process, and notification to public-safety answering points (PSAPs) of the outage.

As noted above, Commission staff stated in its 5 August 2022 letter that determinations made regarding requests for disclosure of information designated as confidential in response to the first RFI would be applied to Rogers’ responses to the second RFI.  Commission staff has reviewed the information designated as confidential in response to Q5, Q6, Q7, Q8, Q9, Q10 and Q11 of the second RFI in light of it determinations set out above concerning Q1.A.i, Q1.A.ii, Q1.A.iii, Q1.A.ix, Q1.A.x, Q1.A.xiii, Q1.A.xiv, and Q3. Staff considers that its analysis and determinations that no further disclosure is required apply to similar information filed in response to the second set of RFIs. Accordingly, no further process is required for disclosure requests of the information filed in confidence in response to Q5, Q6, Q7, Q8, Q9, Q10 and Q11, subject to the following.  Commission staff note that, in its amended abridged response, Rogers disclosed the confidential information upon which Commission staff issued Q10 and marked as confidential. Reflecting this disclosure, Q10 reads as follows:

Q10.  With respect to the immediate actions Rogers is taking in examining its "change, planning and implementation" in response to the 8 July 2022 outage as detailed in the response to Rogers (CRTC)11July 2022 - 1(x):, #the steps include approval of high-risk changes by the CTIO.# How was this change classified? Was it high-risk?

Customer information: Q1.A.iv, Q1.A.v, Q.1.A.vi, Q1.A.vii, and Q1.A.xxii

PIAC requested disclosure of Rogers’ responses to all five of these questions. CNOC specifically requested disclosure of Q1.A.iv concerning third party internet access (TPIA) customers, and Vaxination Informatique requested disclosure of Q1.A.vii related to Interac and other critical infrastructure.

With regard to Q1.A.iv, CNOC submitted that TPIA customers should know what Rogers communicated to the Commission concerning the impact they experienced, so that those customers can provide their own submissions on the outage as well as potentially seek compensation for the adverse consequences they have experienced.  PIAC submitted that many of the relationships between Rogers and its customers, including the names of those customers, had been disclosed in one form or another and would not prejudice Rogers’ competitive position. PIAC provided examples of partner networks and TPIA customers that proactively disclosed through their own communications channels that they were experiencing their service issues due to the Rogers’ outage.

PIAC provided similar reasoning in relation to its request to disclose impacted services that were listed in Rogers’ response to Q1.A.vi and Q1.A.vii. Vaxination Informatique also commented on the public interest in understanding how critical infrastructure was impacted by the outage.

Rogers replied that it could not disclose its customer information due to customer contracts as well as Commission rules. The fact that some customers have disclosed publicly they were impacted by the outage, does not alter Rogers’ regulatory and contractual obligations to protect customer information that is not already in the public domain. Business and TPIA customers are free to disclose how they were impacted by the outage on their own initiative. Rogers further submitted that it had a particular duty to protect the confidentiality of important operations such as Interac or public agencies, as their experience during the outage could be exploited in the future. Finally, Rogers noted that the public’s understanding of the outage would not be helped by disclosure of this information but competitors would gain access to sensitive information that could harm Rogers’ business.

Commission staff considers confidential customer information falls within the categories under section 39(1) of the Act.

In cases where the identity of a customer affected by the Rogers’ outage was made public by the customer and has been included on this record, Commission staff considers that subsequent disclosure of that specific information by Rogers on the public record could not result in any material specific direct harm given that it is already known to the public.

Staff therefore concludes that disclosure of certain customers names contained in Rogers response to Q1.A.iv, Q1.A.vi, and Q1.A.vii is appropriate. Accordingly, Rogers is requested to disclose the names of customers identified in its RFI responses that: a) self-identified they were experiencing their own service interruptions due to the outage and b) in respect of which the party requesting disclosure has provided on the record evidence of that self-identification.  Disclosure of any additional customer information, including specific services provided to these customers, that has not been placed in the public domain and was not identified on the record is likely to result in specific harm to Rogers that outweighs the public interest in disclosure and, therefore, disclosure is not required.

Concerning Q1.A.v, PIAC requested disclosure of the total number of impacted customers, broken down by province, by TSP, and where possible, by type of end-customer, as submitted in the redacted table on page 7.

In response, Rogers noted that this information at the level provided in its response is never made publicly available, and that its disclosure would not assist the public in better understanding the outage but would cause Rogers competitive harm from the disclosure of disaggregated customer information.  However, Rogers disclosed the totals in its amended abridged response.

Concerning Q1.A.xxii, PIAC noted that it was also unclear what type of information was designated as confidential. Rogers responded that this information relates to its enterprise customers and that it is protected by the contracts with the customers in question, and therefore cannot be disclosed.

Commission staff considers this information is also eligible for confidentiality, as it falls within the categories under section 39(1) of the Act.

Commission staff considers that the information filed confidentially in response to Q1.A.v is disaggregated customer information that is competitively sensitive and is consistently treated as confidential by both the Commission as well as industry participants. Commission staff concludes that public disclosure of this information is likely to result in specific direct harm to Rogers that outweighs the public interest in disclosure.

Commission staff considers that the information subject to a claim of confidence filed in response to Q1.A.xxii constitutes enterprise customer information that is consistently treated as confidential by Rogers as well as the Commission. Further, the benefit, if any, to the public in disclosing such information in the circumstances of this case is minimal. Therefore, Commission staff concludes that the public interest in disclosure is outweighed by the specific direct harm to Rogers likely to result from public disclosure.

No further disclosure of information is required.

9-1-1 and Emergency Alerting Information: Q2.A.i, Q2.A.iii, Q2.A.ix, Q2.A.xi, Q2.A.xii

PIAC, Matt Malone, and Vaxination Informatique requested disclosure of Rogers confidential filings related to how the outage impacted 9-1-1 calling, including 9-1-1 calling statistics, and emergency alerting services.

These parties noted that, due to the lifesaving importance of 9-1-1 and emergency alerts, the public interest in disclosing how these services were disrupted as well as Rogers future plans significantly outweigh any specific direct harm to Rogers. Further, not providing a full accounting of the disruptions minimizes how Rogers’ actions harmed public safety, specifically for those families that were unable to dial 9-1-1. That harm to public safety also significantly outweighs any specific direct harm Rogers may experience through disclosure.

PIAC also requested that information in Q2.A.ix on pages 5 of 10 be disclosed on the grounds it is unclear what information was designated as confidential.

In response, Rogers commented that disclosure of 9-1-1 calling statistics and third-party information contained in Q2.A.i, Q2.A.ix, and Q2.A.xi would not advance the public’s understanding of Rogers’ initiatives to ensure network resiliency moving forward. Rogers further noted that it had considered disclosing this information but did not on the grounds that it could assist bad actors seeking to compromise Rogers’ networks. Rogers applied the same reasoning to the information it submitted in confidence in Q2.A.ii and Q2.A.xii.

Commission staff considers this information eligible for confidentiality, as it falls within the categories under section 39(1) of the Act.

Commission staff notes that Rogers has publicly filed aggregate 9-1-1 calling statistics in response to Commission staff’s second RFI. As a result, the public now has substantive information concerning how the outage impacted 9-1-1 services than was known when Rogers’ filed its first response.

Commission staff considers that bad actors could potentially use the specific 9-1-1 calling statistics, third-party information, and network information in question to interfere with 9-1-1 calling and emergency alerting services.  Commission staff acknowledges the public’s strong interest in knowing the granular details of how 9-1-1 and emergency services are disrupted through outages and Rogers’ 8 July 2022 outage in particular; however, it is the Commission’s consistent practice to maintain the confidentiality of this information for all Carriers. Further, it is Commission staff’s view that this level of detail would not advance the public’s understanding of the steps Rogers has taken and will be taking to ensure the reliability of 9-1-1 dialing and emergency services. Commission staff concludes that the specific direct harm to all those that rely on its network for 9-1-1 calling and emergency alerting services as well as to Rogers likely to result from disclosure of this information outweighs the public interest in disclosure.

No further disclosure of information is required.

Procedural matters

Appendices filed entirely in confidence

Five of the six appendices filed by Rogers remain entirely confidential. PIAC submitted that it is inappropriate to claim confidentiality over entire documents, noting that at least some of the information contained in these appendices had been disclosed publicly in the body of the responses, albeit in an abridged form. PIAC further requested that the Commission disclose each appendix and redact only where necessary and, at the very least, disclose the information upon which the main responses were based.

Rogers noted that, in light of its extensive responses to the RFI, disclosure of these appendices – including in an abridged manner – would not improve the public’s understanding of the network outages and how Rogers seeks to ensure they do not happen in the future. Rogers submitted that disclosing the information contained in the appendices could jeopardize Rogers’ network security due to the technical, granular, and highly sensitive nature of the information or would otherwise reveal confidential customer information, leading to significant direct harm that outweighs the public interest in disclosure.

Commission staff addressed a similar issue in its procedural letter dated 18 February 2022^Footnote3   in response to Roger’s request that a party be required to file an abridged version of certain RFI responses filed completely in confidence.  As noted in that letter, section 32(2) of the Rules of Procedure requires that a party filing information designated as confidential must provide an abridged version of the document that contains the confidential information or provide reasons, as well as any supporting documents, to explain why an abridged version cannot be filed.

As also noted in that letter, Information Bulletin 2010-961 explains that the abridged version of a document must omit only that information which is designated confidential. Information that is not itself inherently sensitive, such as tables of contents, headings and sentences that do not themselves contain information designated confidential, should not be omitted from the document. Essentially, the abridged version should not be edited in a manner that makes it difficult or impossible to determine the places where, and the extent to which, information has been omitted.

In line with the Commission’s Rules of Procedure and the Information Bulletin 2010-961, Rogers is requested to file abridged versions of the five appendices filed on 22 July 2022. Rogers is reminded that it is expected to disclose information on the public record to the maximum extent possible, given the immense public interest in understanding the facts surrounding the outage.

Second RFI: Further process concerning requests for disclosure of Rogers’ 22 August 2022 responses

When Commission staff issued the second RFI, staff noted that further process would be established in light of the determinations made concerning Rogers’ response to the first RFI. Commission staff also noted that determinations made concerning responses to the first RFI would be automatically applied to Rogers’ responses to the second RFI. Commission staff is of the view that the only information contained in the second RFI that has not already been addressed through staff’s determinations in this letter, is the information subject to a claim of confidence filed in Rogers’ responses to Question 2 and Question 18.  

Process

To provide interested persons with sufficient time to comment on these documents, Commission staff establish the following additional process:

• Rogers is to file abridged versions of its five appendices, as well as another amended abridged response including the information requested in this letter, serving a copy on all parties that have already requested additional disclosure, by 1 March 2023.
• Any interested person may request additional disclosure of information designated by Rogers as confidential in its abridged appendices or its response to Questions 2 and 18 of the second RFI, serving a copy on Rogers, by 8 March 2023.  A person requesting disclosure must provide reasons as well as any supporting documents for why the disclosure would be in the public interest, including how the information is relevant to the Commission’s regulatory responsibilities.
• Rogers may respond to any requests for additional disclosure, serving a copy to all who have requested additional disclosures thus far, by 15 March 2023. 

Accessibility Groups and DWCC Requests for New Information

In Commission staff’s view, the request made by the Accessibility Groups, as well as the late request made by the DWCC, should be considered as requests for new information rather than disclosure requests of information already filed in confidence.

As Rogers noted in both its reply to the disclosure requests as well as in its response to the second RFI, the information these parties have requested disclosure of was not included in Rogers’ response to the first^Footnote4 or second RFI.  Rogers also stated that its separation of wireless and wireline networks will ensure that Deaf, Deaf-Blind, and Hard of Heading (DDBHH) customers will continue to have access to 9-1-1 and data services during an outage either through Rogers’ wireless network or WiFi.

Commission staff does not intend to issue additional RFIs to Rogers at this time concerning information specific to the impact on the DDBHH of Rogers’ outage. As noted, the Commission is in the process of retaining an independent expert to support the Commission’s review of Rogers’ wireline and wireless networks and to evaluate Rogers’ future investment plan to improve network resiliency^Footnote5 . The Commission may issue RFIs to Rogers in future in relation to this review process.

Nevertheless, Commission staff notes that the Commission has directed, as an interim measure pending the outcome of Notice of Consultation CRTC 2023-39, that following the occurrence of a major service outage, Canadian carriers must provide information about how customers with accessibility needs are impacted as a part of a mandatory 14 day post-outage report. The Commission also announced in that Notice that it is considering imposing this requirement as a condition of service pursuant to section 24 of the Act and will make its determination based on the record of that proceeding.  Finally, the Commission indicated that Notice of Consultation CRTC 2023-39 is part of a multistage consultation process regarding improving resilience and reliability of the telecommunications networks of all Carriers. In that Notice, the Commissions stated that as a part of its general process to consider issues related to resiliency and reliability, it could examine issues related to accessibility among others.

Reminders

All documents filed and served must be received, not merely sent, by the date provided. Parties are to send an electronic copy of all documents to Commission staff copied on this letter.

The Commission requires the response or other documents to be submitted electronically by using the secured service “My CRTC Account” (Partner Log In or GCKey).

A copy of this letter and all related correspondence will be added to the public record of the proceeding.

Yours Sincerely,

Original signed by

Fiona Gilfillan
Executive Director
Telecommunications Sector

Distribution List

Ted Woodhead, Rogers Communications Canada Inc., regulatory@rci.rogers.com
Jean-François Mezei, Vaxination Informatique, jfmezei@vaxination.ca
Lisa Anderson, Deaf Wireless Canada Consultative Committee, regulatory@deafwireless.ca
Geoff White, Competitive Network Operators of Canada, geoff.white@cnoc.ca
Kimberly Wood, Canada Deaf Grassroots Movement, canadadeafgrassrootsmovement@gmail.com
Elliott Richman, Myles Murphy, Donald Prong, Deaf and Hard of Hearing Coalition, daans1976@gmail.com; ;myles.murphy@nf.sympatico.ca ; dprong@deafontario.ca
John Lawford, Public Interest Advocacy Centre, jlawford@piac.ca
Noah Moser, CRTC, noah.moser@crtc.gc.ca
Michel Murray, CRTC, michel.murray@crtc.gc.ca
Salahuddin Rafiquddin, CRTC, salahuddin.rafiquddin@crtc.gc.ca

Date modified:

2023-02-22