Archive for Canada

Canadian Government Warns Of Data Breach Impacting 25 Years Of Public Service Employee Data

Posted in Commentary on November 20, 2023 by itnerd

In a press release on Friday, the Canadian government warned current and former public service employees and members of the Royal Canadian Mounted Police and Canadian Armed Forces that their personal and financial information may have been accessed in a data breach involving two relocation support companies.

The breach occurred on October 19th and affects federal government data that was held by Brookfield Global Relocation Services and SIRVA Worldwide Relocation & Moving Services. Data may include any personal and financial information provided to the companies from as early as 1999.

“Given the significant volume of data being assessed, we cannot yet identify specific individuals impacted,” said the release.

“The Government of Canada is not waiting for the outcomes of this analysis and is taking a proactive, precautionary approach to support those potentially affected.”

Jason Keirstead, VP Collective Threat Defense, Cyware had this comment:

   “Breaches that involve third-party subcontractors are increasingly one of the most challenging issues to manage on an organization’s risk register. One way an organization can reduce their own risk is by leveraging their capabilities to help protect their suppliers – for example by sharing both threat intelligence and defense information downstream with their supply chain.”

Given that Canada has very robust laws when it comes to this sort of thing, I fully expect that a robust investigation will take place. And I will be looking to see what the Canadian Government does to stop this sort of thing from happening in the future based on said investigation.

WeChat & Kaspersky Have Been Banned On Canadian Government Devices

Posted in Commentary on October 31, 2023 by itnerd

Citing security concerns, the Canadian Government has announced that WeChat and Kaspersky have both been banned on Canadian Government devices:

Effective October 30, 2023, the WeChat and Kaspersky suite of applications will be removed from government-issued mobile devices. Users of these devices will also be blocked from downloading the applications in the future.

The Chief Information Officer of Canada determined that the WeChat and Kaspersky suite of applications present an unacceptable level of risk to privacy and security. On a mobile device, the WeChat and Kaspersky applications’ data collection methods provide considerable access to the device’s contents.

The decision to remove and block the WeChat and the Kaspersky applications was made to ensure that Government of Canada networks and data remain secure and protected and are in line with the approach of our international partners.

While the risks of using these applications are clear, we have no evidence that government information has been compromised.

Kaspersky didn’t waste any time in responding to this:

Kaspersky is disappointed with the decision by the Treasury Board of Canada Secretariat to prohibit the use of Kaspersky applications on government-issued mobile devices. This decision comes as a surprise, was made without any warning or opportunity for engagement by Kaspersky on the Canadian government’s underlying concerns, and is not based on any technical assessment of Kaspersky products – which the company continuously advocates for – but instead seems to be made on political grounds. 

I have not seen any reaction from WeChat. But I would imagine that they aren’t happy either. And I expect that there will be additional reaction coming from Russia as Kaspersky is a Russian company, and from China as WeChat is Chinese.

LockBit Pwns Commission des services electriques de Montréal… But The Victim Isn’t Paying Up

Posted in Commentary on September 1, 2023 by itnerd

On Wednesday, the LockBit ransomware gang took credit for an attack on the Commission des services electriques de Montréal (CSEM) — a 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal.

The LockBit ransomware group has claimed credit (@FalconFeedsio) for an attack on the Montreal electricity supplier Commission des services electriques de Montréal (CSEM).

The company has confirmed the incident, saying it was hit with ransomware on August 3rd but refused to pay the ransom. It contacted authorities and law enforcement in Quebec, began efforts to restore its systems, and claims that its IT infrastructure has been rebuilt.

“The criminal group at work in this case has made public today some of the stolen data. The CSEM denounces this illegal gesture, while specifying that the data disclosed represents a low risk for both the security of the public and for the operations carried out by the CSEM,” they said.

While public utility companies offer ransomware groups a broad target, it does seem that the attackers have not been doing their homework. The company pointed out: “It should be noted that all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction and management – are already publicly available through the official process offices in Quebec.”

Emily Phelps, Director, Cyware had this comment:

   “Public utilities are critical to our day-to-day life, and while this attack acted as more of a warning shot, it reinforces the importance of cyber resilience for business continuity. Ransomware groups leverage their reputations to intimidate targets, and they adapt as security controls mature. Expediting threat intelligence and knowledge sharing can help mitigate the risks for enterprises. The sooner the right people get the right information about a known threat, the sooner they can adapt their defenses accordingly.”

Dave Ratner, CEO, HYAS follows with this:

   “While the risk of data disclosure from this particular attack is low, as the company has pointed out, the attack nevertheless reinforces the need for all critical infrastructure providers to protect themselves.

   “Attackers will continue to develop new ways to infiltrate and evade security systems; the deployment of business and operational resiliency systems, such as Protective DNS and others, is the best way to proactively ensure business continuity.”

I am happy that Commission des services electriques de Montréal didn’t pay the ransom as that only encourages these threat actors. Hopefully they take the money that they saved themselves and invest in better defensive measures so there isn’t a repeat of this.

Teamsters Accuse CN Rail Of Secretly Tracking Their Employees’ Movements Via Company-Issued Tablets

Posted in Commentary on August 24, 2023 by itnerd

This is one of those topics that I always thought would come up more often. CTV News is reporting that the Teamsters union is accusing CN Rail of tracking employees’ movements, even after hours, via the tablets that CN Rail issues to its employees, and of not disclosing that it was doing so:

The Teamsters Canada Rail Conference, which is the union that represents 5,500 Canadian National railway employees, alleges CN has been monitoring the whereabouts of a train operator outside of work hours through a company-issued tablet.

“It’s spying, it’s wrong and it’s illegal in our view” according to Teamsters Canada’s director of public affairs Christopher Monette, who adds “on top of it being creepy, it’s downright dystopian. It’s something that shouldn’t be happening.” 

The union says they have reason to be concerned that a large number of CN Rail employees may have also had their location tracked by the company during their own personal time after work. Speaking to CTV National News, Monette says that CN “didn’t tell us this was going on and they didn’t seek consent from workers to use geolocation data” from their company-issued devices and believes CN was trying to keep their tracking methods secret.

“We only found out about this by accident, through a disclosure process where the company was forced to disclose why they were disciplining a worker,” according to Monette.

Now CN Rail doesn’t want to comment on this. But frankly I am not surprised. Tablets and phones issued by companies are often what are called “managed” devices, meaning they are enrolled in a type of software called Mobile Device Management, or MDM for short. This software allows a company to do a number of things: get the status of the device, push out software updates, remotely control the device for troubleshooting purposes, and, most relevant to this story, track the device’s location. Now a company may decide to use this software to track a device only if it is stolen. But I can see a scenario where a company uses it to track a device at all times. If they disclose that up front, I guess that’s fine. But if they didn’t, you get this situation.

Now if you have a company-issued device and are afraid of being tracked, there are very low-tech solutions to this:

Cyber security analyst and lawyer Ritesh Kotak believes employees who have a work phone, tablet or laptop should try and purchase their own personal devices to use off work hours.

“These high-tech problems have really low-tech solutions,” Kotak says.

He also says that he uses a tab to cover the camera on his work computer when he’s not on a video call. Kotak adds that, if possible, employees should turn their work devices onto airplane mode off work hours.

“It’s important to understand that information (from your devices) is being collected on a continuous basis by the employer, it’s probably being stored and there maybe third parties who have access to it.”

One thing to consider is that if you go this route, your company may complain at some point because the device isn’t on all the time. Another thing to consider is if you “BYOD” or bring your own device, and the company puts their MDM software on it, you could be in the same situation. So you may want to keep that in mind as well.

The bottom line is that if you use company property, or simply have their software installed on your own smartphone or computer, you should have no expectation of privacy. Ever. Unfortunate, but true.

Home Depot Gave Customer Data To Meta Says Canadian Privacy Commissioner Without Customer Consent

Posted in Commentary on January 26, 2023 by itnerd

Home Depot is my go-to for anything I need to fix around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.
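The “encoded” email addresses in the OPC’s description are the kind of hashed identifier that offline-conversion programs exchange so that staff on the receiving side cannot read the address itself. The following is an added illustration, not code from the OPC, Home Depot or Meta. It assumes SHA-256 over a lowercased, trimmed email address (the page says only “encoded”; the hashing scheme, the function names and the sample receipts and accounts are all constructed for this example) and shows the privacy point the finding turns on: a hash that an outsider cannot read back into an address can still be matched, automatically, by any party that already holds that address in plaintext, while addresses that party does not hold stay unlinked.

```python
import hashlib


def normalize_email(addr: str) -> str:
    # Trim whitespace and lowercase so the same mailbox always hashes to the same value
    return addr.strip().lower()


def hash_identifier(addr: str) -> str:
    # Assumed scheme: SHA-256 of the normalized address, hex-encoded.
    # The hash is irreversible on its own, but it is deterministic, which is
    # exactly what lets a party holding the plaintext match it.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


# Constructed sample data: e-receipts on the retailer side
RETAILER_E_RECEIPTS = [
    {"email": "Alice@Example.com", "purchase": "paint, brushes"},
    {"email": "bob@example.org", "purchase": "cordless drill"},
    {"email": "carol@example.net", "purchase": "light bulbs"},
]

# Constructed sample data: accounts known to the advertising platform
PLATFORM_ACCOUNTS = {
    "alice@example.com": "user-1001",
    "bob@example.org": "user-1002",
    "dave@example.com": "user-1003",
}


def export_offline_conversions(receipts):
    """Retailer side: replace each plaintext email with its hash, keep the purchase details."""
    return [
        {"id_hash": hash_identifier(r["email"]), "purchase": r["purchase"]}
        for r in receipts
    ]


def match_conversions(export, accounts):
    """Platform side: hash its own account emails the same way and look each incoming hash up.

    Returns (matched, unmatched): matched pairs a platform user id with the purchase,
    unmatched lists hashes with no corresponding account, which cannot be linked to a person.
    """
    index = {hash_identifier(email): uid for email, uid in accounts.items()}
    matched, unmatched = [], []
    for rec in export:
        uid = index.get(rec["id_hash"])
        if uid is None:
            unmatched.append(rec["id_hash"])
        else:
            matched.append((uid, rec["purchase"]))
    return matched, unmatched


if __name__ == "__main__":
    export = export_offline_conversions(RETAILER_E_RECEIPTS)
    matched, unmatched = match_conversions(export, PLATFORM_ACCOUNTS)
    for uid, purchase in matched:
        print(f"{uid} bought: {purchase}")
    print(f"{len(unmatched)} receipt(s) could not be linked to an account")
```

Alice’s receipt matches even though her address was typed with different capitalization, because both sides normalize before hashing; Carol has no account on the platform, so her hash stays an opaque string. That is why hashing of this kind is pseudonymization rather than anonymization: it hides the address from people who do not already have it, not from the organization whose matching process is built around having it.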

Now I have always been suspect of getting e-receipts from companies which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. Now I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

  • cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
  • implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
  • ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.

BREAKING: Federal Court Dismisses Rogers/Shaw Appeal

Posted in Commentary on January 24, 2023 by itnerd

In a blow to consumers, the Federal Court of Appeal has shot down the Competition Bureau’s request to block the merger of Rogers and Shaw. That leaves this whole thing up to federal Innovation Minister François-Philippe Champagne. And he Tweeted this:

At this point, the Federal Government hasn’t shown any interest in shooting what is clearly a merger that harms consumers out of the sky. Thus I do not have high hopes that Champagne will do anything but allow this merger to go through. And consumers will literally pay the price at the end of the day.

It’s truly too bad that Canada doesn’t have a federal government that recognizes that Canadians pay far too much money for their telco services and is prepared to address the issue. While I am free to be surprised on that front, I don’t think I will be.

If You’re Canadian, You Should Claim Your $20 (Or More) From The $30 Million Optical Disc Drive Class Action Payout

Posted in Commentary on July 20, 2022 by itnerd

If you’re Canadian, chances are you were not aware of a class action lawsuit regarding optical disc drive (ODD) products purchased in Canada between 2004 and 2010 in B.C., Ontario and Quebec. In short, a settlement of $29.7 million is available for people in B.C. and Quebec Courts because BenQ, Hitachi-LG, NEC, Panasonic, Philips, Pioneer, Quanta, Sony, TEAC, and Toshiba Samsung are alleged to have “conspired to fix the prices for ODD, with the intention of raising prices for both ODD and ODD Products sold in Canada.”

So if you purchased a computer or a game console with an optical drive, you are eligible for a $20 payment if you don’t have supporting documents. Or, if you do, you can get more than that. Though you have to wonder who would still have the receipt from a computer or a PlayStation or Xbox that they bought 12 or more years ago. In any case, you can put in a request by going to this website.

Bill C-11 Passes…. Why This Is An Incredibly Dumb Idea From The Canadian Government

Posted in Commentary on June 22, 2022 by itnerd

Last night, Canada’s parliament approved legislation that targets what video and audio-sharing platforms like YouTube and TikTok can broadcast to a Canadian audience via bill C-11. In short, this is what the bill purports to do (via the Wikipedia link):

The bill seeks to amend the Broadcasting Act to account for the increased prominence of internet video and digital media, and to prioritize the “needs and interests” of Canadians, and the inclusion and involvement of Canadians of diverse backgrounds in broadcast programming. It adds undertakings that conduct “broadcasting” over the internet to the regulatory scope of the Canadian Radio-television and Telecommunications Commission (CRTC), which would give the CRTC the power to regulate almost all audiovisual content distributed via online platforms (including monetized content on social media services). This can include compelling them to make use of Canadian talent, mandating that they make contributions to the Canada Media Fund to support the production of Canadian content, and improve the discoverability of Canadian content on their platforms. 

Alongside this, the bill also removes the seven-year term limit for CRTC-issued broadcast licenses (a regulatory process which will not apply to internet broadcasters), adds a mechanism of imposing “conditions” on broadcasters without them being bound to a license term, and introduces monetary fines for violating orders and regulations issued by the CRTC.

That all sounds good. But it isn’t good. If you’re a Canadian YouTuber like Linus Sebastian or Rene Ritchie for example, the YouTube algorithm curates and recommends videos based on feedback from users based on everything from how long a video is viewed to how quickly it is skipped. Thus if their videos are promoted by YouTube to adhere to Bill C-11 and the content isn’t a match for the viewer, the viewer might skip that video, causing the creator’s channel to drop in visibility. The bill would also regulate the types of advertising a Canadian creator’s channel can have. That would significantly limit their sources of revenue.

Creators are going to discover very quickly that the kind of content that has previously been successful on YouTube is no longer successful on a bill C-11 regulated YouTube. As a result, they will have to change the nature of the content that they make in order to make it more overtly Canadian…. Whatever that means. In short, the Canadian Government is killing the people that they’re trying to protect. The thing is that this was feedback provided to the Canadian Government in various hearings on bill C-11, and it was ignored. Which makes me wonder what the true agenda of the Canadian Government is when it comes to this bill.

Here’s another thing to consider. Canadians on platforms like YouTube punch well above their weight. Linus Sebastian has 14.6 million subscribers, for example, which makes him one of the top YouTube creators on the planet. There are many others who are among the top content creators on YouTube, TikTok, and whatever other platforms are out there, doing the same thing. Thus I don’t think that Canadians need the “protection” that this bill supposedly provides.

But there’s really a darker thing that should concern you about bill C-11. This bill gives the CRTC the power to regulate the pictures, podcasts and videos every Canadian posts online as ‘broadcasting’ content. So if you post an Instagram reel, the CRTC could knock on your door. Something that the CRTC admits is true. But they promise that they won’t use that power.

That falls under the category of not believable because if someone gives you power, you’re going to use it at some point.

The reason why this is the case is that this bill sets no revenue threshold on who it will target, meaning every Canadian on every platform could soon be forced to make Canadian content contributions, or potentially get into trouble if the CRTC decides that they didn’t. Which is a #Fail.

The only hope for Canadians who like things the way they are is that the Senate will step in and either shoot this bill out of the sky, or send it back to parliament for major revisions. But even if this doesn’t happen, I would keep this in mind. This bill was passed by the Liberal Party with help from the NDP and Bloc Québécois. Seeing as Canada has a minority government, which introduces the possibility that an election could be called at any time, I would keep that in mind the next time a federal candidate from any of those parties comes knocking at your door asking for your support. Because frankly, based on how broken this bill is, they don’t deserve it.

Huawei & ZTE Punted From Canadian 5G Networks…. What Took Canada So Long To Do This???

Posted in Commentary on May 20, 2022 by itnerd

Late yesterday news filtered out that both Huawei and ZTE have been banned from Canadian 5G networks over national security concerns. And any telco that is using their gear needs to rip it out ASAP. This mirrors similar moves by the US, UK, New Zealand, and Australia, which along with Canada are known as the “Five Eyes,” an alliance of these five countries to share intelligence. The difference is that Canada was late to this decision while the other four made this call years ago. Thus one has to wonder why it took Canada so long to make this move.

In my opinion, one factor had to be the Michael Kovrig and Michael Spavor situation, where those two Canadian citizens were essentially held hostage by the Chinese government in retaliation for the arrest in Vancouver, at the request of the US government, of Meng Wanzhou, who is the CFO of Huawei. That eventually got sorted when the US cut a deal with Wanzhou which allowed the two Michaels to be released by China, as that’s how “hostage diplomacy” works. But even then, that was over a year ago and they are only banning Huawei and ZTE now. So that can’t be the only reason. Though it’s not clear to me what other reasons exist.

Regardless of what reasons exist, here’s the thing that really bothers me about this rather late decision by the Canadian government to ban Huawei and ZTE. If you accept that both of these companies are arms of Chinese intelligence, which I happen to believe to some degree, then this inaction by the Canadian government has given both these companies an inside look at not only the telecommunications networks in Canada, but how Canadians use those networks. Not to mention that they could have been doing who knows what to gather whatever information that the Chinese government wanted them to gather. All while the Canadian government sat on its hands and did nothing. So even though they’re now banned, Huawei, ZTE, and the Chinese government still win. And that highlights how the Canadian government has failed miserably on this issue.

When it comes to national security, governments have to take it seriously. They have to make decisions that lean towards ensuring security and they have to make those decisions quickly. That didn’t happen here, and I have to wonder if it is going to cost Canada down the road. Because it’s pretty clear that the Canadian government dropped the ball here, and there needs to be some accountability on that front.

Is It Time To Make The Internet An Essential Service And Hold Canadian Telcos Accountable For Providing That Service?

Posted in Commentary on May 18, 2022 by itnerd

Back in 2016, the CRTC said that high speed Internet was “essential”. This is what they meant by that at the time:

As part of declaring broadband a “basic” or essential service, the CRTC has also set new goals for download and upload speeds. For fixed broadband services, all citizens should have the option of unlimited data with speeds of at least 50 megabits per second for downloads and 10 megabits per second for uploads — a tenfold increase of previous targets set in 2011. The goals for mobile coverage are less ambitious, and simply call for “access to the latest mobile wireless technology” in cities and major transport corridors.

The CRTC estimates that some two million Canadian households, or 18 percent of the population, do not currently have access to their desired speeds. The $750 million government fund will help to pay for infrastructure to remedy this. The money will be distributed over five years, with the CRTC expecting 90 percent of Canadians to access the new speeds by 2021. 

The new digital plan also touches on accessibility problems, with CRTC mandating that wireless service providers will have to offer platforms that address the needs of people with hearing or speech disabilities within six months. Blais said this timeline was necessary, as the country “can’t depend on market forces to address these issues.”

Fast forward to 2022 and this really doesn’t go far enough to address what I think “essential” means to Canadians. Given that a lot of us still work from home, and the Internet is the difference between earning a paycheque and not earning one, or learning and not learning, I think that this needs to change. Now Public Safety Canada has a list of what it considers “Essential Services,” which it defines like this:

Canada’s National Strategy for Critical Infrastructure defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. 

And while this list does list “Information and Communication Technologies” as part of this, I think it needs to go further to include not only the Internet specifically, but it should also include telcos like Rogers, Bell, and Telus so that they are responsible for maintaining and resolving issues to a high standard. As in resolving issues within hours and not days. And having a minimum uptime guarantee that said telcos are held accountable to. Now I know that Rogers, Bell, Telus and others would say that this isn’t required and they go above and beyond for their customers. But while I agree that these telcos do the best that they can to resolve customer issues in what they consider to be a timely manner, I don’t think that’s good enough. When the Internet goes out for a single home or a group of homes, even for a few hours, there are people who aren’t learning or making a living. That affects the economy. That alone makes it worthwhile to explore this idea and to take action to make it reality. And perhaps if something like this came into effect, telcos would spend a lot more time and effort to ensure that their networks were resilient enough so that outages became corner cases. That would be good for all Canadians.

What do you think? Should Canada do more to make the Internet an “essential service” as I’ve described above? Please leave a comment and share your thoughts.