In all the Spotify-related news, I forgot to do a post on the CRTC taking out Canadian HeadQuarters. This was a Dark Web marketplace, and the four people behind it have been slapped with fines:
Before shutting down, CanadianHQ was one of the largest Dark Web marketplaces in the world and significantly contributed to harmful cyber activity in Canada. It specialized in the sale of goods and services, including spamming services, phishing kits, stolen credentials and access to compromised computers, which were used by purchasers to engage in a variety of malicious activities.
The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials and other sensitive information. The following individuals have been issued penalties for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL):
- Chris Tyrone Dracos (a.k.a. Poseidon) – $150,000
- Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) – $50,000
- Souial Amarak (a.k.a. Wealtyman and Supreme) – $50,000
- Moustapha Sabir (a.k.a. La3sa) – $50,000
As the creator and administrator of the marketplace, a higher penalty is being issued to Mr. Dracos for allegedly aiding in the commission of numerous violations of CASL by the platform’s vendors and customers.
As part of this investigation, a number of other vendors have been identified and enforcement actions will be taken against them in the near future.
That’s great. But experts say that this may be a short-term victory:
“Like Silk Road and more recently the White House marketplace takedown, it’s probable that another Canadian-specific marketplace for illicit goods will likely re-appear,” Ryan Westman, manager of threat intelligence team at eSentire, said in an interview.
“Individuals who are harvesting personally identifiable information to sell for the purposes of fraud will have to find new marketplaces to do business … As long as there’s demand there’s going to be individuals who are interested in fulfilling it.”
To get another perspective, I reached out to Darktrace’s David Masson and here’s what he said:
Despite occasional news items about the arrests and, even rarer, the convictions of cyber-attackers, most people would be forgiven for thinking that bad actors almost always get away with it. It can be challenging to find those responsible and hold them accountable, thanks to the anonymity of the internet and a host of sophisticated applications designed to cloak offenders’ identities.
In terms of getting an arrest and a subsequent legal trial, knowing “who done it” is not the same as being able to prove it in a Court of Law. It is also difficult to prove what was done. While it may be clear that attackers stole money or identities, how it happened and who is to blame can be more challenging to prove with evidence. Nevertheless, legal mitigations can still occur with more creativity and bigger thinking.
With the above in mind, we should congratulate the Canadian Radio-Television and Telecommunications Commission (CRTC) for recently issuing penalties to four individuals in Canada for their involvement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). According to a CRTC statement, “The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands to obtain personal data including credit card numbers, banking credentials and other sensitive information.”
In actuality, the CRTC issued the penalties “for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL).” We should remember, it was an inability to pay his taxes that took down Al Capone, not his other much more malicious activities. Still a result nonetheless, but both secured via more nuanced means.
It will be interesting to see how long it takes for this operation to reappear on the Dark Web. In my view, fines are great, but jail time would have been better. Given how hard these crimes are to prosecute, though, I’ll take anything I can get in terms of punishing those behind these operations.
Home Depot Gave Customer Data To Meta Without Customer Consent, Says Canadian Privacy Commissioner
Posted in Commentary with tags Canada, Privacy on January 26, 2023 by itnerd
Home Depot is my go-to for anything I need to fix around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:
It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.
And:
The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.
Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.
Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.
While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.
During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.
The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.
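The OPC’s description of addresses that were “encoded so that it could not be read by individuals” yet could be matched by “an automated process” is the behaviour of a one-way hash. The following is an added example, not code from the OPC, Home Depot or Meta; the normalization rule (trim and lowercase), the use of SHA-256 and every sample address and purchase are assumptions constructed here. It shows why hashing an e-mail address does not de-identify it against a party that already holds a list of addresses: the receiving platform hashes its own account list and looks the values up, and only addresses it does not already know stay unmatched, which is exactly the outcome the report describes.

```python
"""Why a hashed ("encoded") e-mail address is not anonymous to a party that
already holds the plaintext addresses.

Added example; not code from the OPC, Home Depot or Meta.  The hashing scheme
(trim + lowercase, then SHA-256 hex) and all sample data below are assumptions
constructed for this demonstration.
"""
import hashlib


def normalize_email(addr: str) -> str:
    """Canonicalize so that the same mailbox always hashes to the same value.
    Assumed rule: strip surrounding whitespace and lowercase."""
    return addr.strip().lower()


def encode_email(addr: str) -> str:
    """The 'encoding': a one-way hash.  Nobody can read the address back out of
    the digest, but anyone holding a candidate address can recompute it."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


# --- Retailer side: e-receipt records (constructed sample data) -------------
RECEIPTS = [
    {"email": "Alice@Example.com ", "purchase": "power drill", "amount": 129.99},
    {"email": "bob@example.org", "purchase": "paint", "amount": 42.50},
    {"email": "carol@example.net", "purchase": "lumber", "amount": 310.00},
]


def build_offline_events(receipts):
    """What leaves the store: the hashed address plus a purchase summary.
    The plaintext address itself is never transmitted."""
    return [
        {
            "hashed_email": encode_email(r["email"]),
            "purchase": r["purchase"],
            "amount": r["amount"],
        }
        for r in receipts
    ]


# --- Platform side: accounts the platform already knows (constructed) -------
PLATFORM_ACCOUNTS = {
    "alice@example.com": "user-1001",
    "carol@example.net": "user-1002",
    "dave@example.com": "user-1003",
}


def match_events(events, accounts):
    """Re-identify hashed events by hashing every known account address and
    looking the digest up.  Returns (matched, unmatched); unmatched events are
    those whose address the platform does not already hold."""
    index = {encode_email(addr): uid for addr, uid in accounts.items()}
    matched, unmatched = [], []
    for ev in events:
        uid = index.get(ev["hashed_email"])
        if uid is None:
            unmatched.append(ev)
        else:
            matched.append({"user_id": uid, **ev})
    return matched, unmatched


def demo():
    """Run the retailer -> platform flow on the sample data."""
    events = build_offline_events(RECEIPTS)
    return match_events(events, PLATFORM_ACCOUNTS)


if __name__ == "__main__":
    matched, unmatched = demo()
    print("Re-identified by the platform:")
    for m in matched:
        print(f"  {m['user_id']}: {m['purchase']} ({m['amount']:.2f})")
    print("Could not be linked (address unknown to the platform):")
    for u in unmatched:
        print(f"  {u['hashed_email'][:16]}...: {u['purchase']}")
```

The hash buys nothing against the recipient: the platform never needs to reverse it, only to recompute it for the addresses it already holds. Hashing does protect against an outsider who intercepts the events without a candidate list, which is why “encoded” is an accurate description of the transport but a poor basis for calling the data de-identified.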
Now I have always been suspicious of e-receipts from companies, which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. I tried to find a comment from Home Depot or Meta but couldn’t find one, which in itself says something. But in the meantime, here’s what the Privacy Commissioner says Home Depot has to do:
As a result of the investigation, the OPC recommended that Home Depot:
It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.