Archive for Canada

Home Depot Gave Customer Data To Meta Says Canadian Privacy Commissioner Without Customer Consent

Posted in Commentary on January 26, 2023 by itnerd

Home Depot is my go-to for anything I need to fix around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.

Now I have always been suspicious of getting e-receipts from companies, which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

  • cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
  • implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
  • ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.
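As an added example (not from the OPC report or this post), here is a small Python model of the matching the report describes, with the express opt-in gate the OPC recommends bolted on at the retailer side. The SHA-256 match key, the sample e-receipts and the platform account table are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def normalize_email(email: str) -> str:
    """Lower-case and trim so the same address always hashes the same way."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    # Assumed match key: SHA-256 of the normalized address. The hash hides the
    # address from a human reader, but anyone holding a candidate address can
    # recompute it and match, which is exactly what the platform does below.
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class EReceipt:
    email: str
    category: str     # high-level purchase detail, e.g. "power tools"
    total_cad: float
    opt_in: bool      # express, opt-in consent to share with the ad platform


def build_offline_conversions(receipts, require_opt_in=True):
    """Retailer side: turn e-receipts into records keyed by hashed email.

    With require_opt_in=False this is the practice the OPC described: every
    e-receipt customer is shared. With require_opt_in=True only customers who
    gave express consent are included, as the OPC recommended.
    """
    records = []
    for r in receipts:
        if require_opt_in and not r.opt_in:
            continue
        records.append({
            "hashed_email": hash_email(r.email),
            "category": r.category,
            "total_cad": r.total_cad,
        })
    return records


def match_conversions(records, platform_accounts):
    """Platform side: map hashed emails back to accounts it already holds.

    Hashes with no matching account stay unlinkable, which is why the report
    says addresses without a Facebook account could not be tied to a person.
    """
    index = {hash_email(addr): uid for uid, addr in platform_accounts.items()}
    matched, unmatched = [], []
    for rec in records:
        uid = index.get(rec["hashed_email"])
        if uid is None:
            unmatched.append(rec)
        else:
            matched.append((uid, rec))
    return matched, unmatched


# Constructed sample data (not real customers or accounts).
RECEIPTS = [
    EReceipt("Alice.Smith@example.com", "power tools", 249.99, opt_in=True),
    EReceipt("bob@example.net", "paint", 58.40, opt_in=False),
    EReceipt("carol@example.org", "lumber", 412.00, opt_in=True),
]
PLATFORM_ACCOUNTS = {"u1001": "alice.smith@example.com", "u2002": "bob@example.net"}


def demo(require_opt_in: bool):
    """Return (records shared, matched platform user ids, unmatched count)."""
    records = build_offline_conversions(RECEIPTS, require_opt_in)
    matched, unmatched = match_conversions(records, PLATFORM_ACCOUNTS)
    return len(records), [uid for uid, _ in matched], len(unmatched)


if __name__ == "__main__":
    print("no consent gate :", demo(require_opt_in=False))
    print("opt-in required :", demo(require_opt_in=True))
```

Note that the case and whitespace differences in Alice's address are erased by normalization, so the platform still matches her; the hashing only stops a human from reading the address, not the platform from linking it.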

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.

BREAKING: Federal Court Dismisses Rogers/Shaw Appeal

Posted in Commentary on January 24, 2023 by itnerd

In a blow to consumers, the Federal Court of Appeal has shot down the Competition Bureau’s request to block the merger of Rogers and Shaw. That leaves this whole thing up to federal Innovation Minister François-Philippe Champagne. And he Tweeted this:

At this point, the Federal Government hasn’t shown any interest in shooting what is clearly a merger that harms consumers out of the sky. Thus I do not have high hopes that Champagne will do anything but allow this merger to go through. And consumers will literally pay the price at the end of the day.

It’s truly too bad that Canada doesn’t have a federal government who recognizes that Canada pays far too much money for their telco services and is prepared to address the issue. While I am free to be surprised on that front, I don’t think I will be.

If You’re Canadian, You Should Claim Your $20 (Or More) From The $30 Million Optical Disc Drive Class Action Payout

Posted in Commentary on July 20, 2022 by itnerd

If you’re Canadian, chances are you were not aware of a class action lawsuit regarding optical disc drive (ODD) products purchased in Canada between 2004-2010 in B.C., Ontario and Quebec. In short, a settlement of $29.7 million is available for people in B.C. and Quebec Courts because BenQ, Hitachi-LG, NEC, Panasonic, Philips, Pioneer, Quanta, Sony, TEAC, and Toshiba Samsung are alleged to have “conspired to fix the prices for ODD, with the intention of raising prices for both ODD and ODD Products sold in Canada.”

So if you purchased a computer or a game console with an optical drive, you are eligible for a $20 payment if you don’t have supporting documents. Or, if you do, you can get more than that. Though you have to wonder who would still have the receipt from a computer, a PlayStation or an Xbox that they bought 12 or more years ago. In any case, you can put in a request by going to this website.

Bill C-11 Passes…. Why This Is An Incredibly Dumb Idea From The Canadian Government

Posted in Commentary on June 22, 2022 by itnerd

Last night, Canada’s parliament approved legislation that targets what video and audio-sharing platforms like YouTube and TikTok can broadcast to a Canadian audience via bill C-11. In short, this is what the bill purports to do (via the Wikipedia link):

The bill seeks to amend the Broadcasting Act to account for the increased prominence of internet video and digital media, and to prioritize the “needs and interests” of Canadians, and the inclusion and involvement of Canadians of diverse backgrounds in broadcast programming. It adds undertakings that conduct “broadcasting” over the internet to the regulatory scope of the Canadian Radio-television and Telecommunications Commission (CRTC), which would give the CRTC the power to regulate almost all audiovisual content distributed via online platforms (including monetized content on social media services). This can include compelling them to make use of Canadian talent, mandating that they make contributions to the Canada Media Fund to support the production of Canadian content, and improve the discoverability of Canadian content on their platforms. 

Alongside this, the bill also removes the seven-year term limit for CRTC-issued broadcast licenses (a regulatory process which will not apply to internet broadcasters), adds a mechanism of imposing “conditions” on broadcasters without them being bound to a license term, and introduces monetary fines for violating orders and regulations issued by the CRTC.

That all sounds good. But it isn’t good. If you’re a Canadian YouTuber like Linus Sebastian or Rene Ritchie for example, the YouTube algorithm curates and recommends videos based on feedback from users based on everything from how long a video is viewed to how quickly it is skipped. Thus if their videos are promoted by YouTube to adhere to Bill C-11 and the content isn’t a match for the viewer, the viewer might skip that video, causing the creator’s channel to drop in visibility. The bill would also regulate the types of advertising a Canadian creator’s channel can have. That would significantly limit their sources of revenue.

Creators are going to discover very quickly that the kind of content that has previously been successful on YouTube is no longer successful in a bill C-11 regulated YouTube. As a result, they will have to change the nature of the content that they make in order to make it more overtly Canadian…. Whatever that means. In short, the Canadian Government is killing the people that they’re trying to protect. The thing is that this was feedback provided to the Canadian Government in various hearings on bill C-11, and it was ignored. Which makes me wonder what the true agenda of the Canadian Government is when it comes to this bill.

Here’s another thing to consider. Canadians on platforms like YouTube punch well above their weight. Linus Sebastian has 14.6 million subscribers for example, which makes him one of the top YouTube creators on the planet. There are many other Canadians among the top content creators on YouTube, TikTok, and whatever other platforms are out there. Thus I don’t think that Canadians need the “protection” that this bill supposedly provides.

But there’s really a darker thing that should concern you about bill C-11. This bill gives the CRTC the power to regulate the pictures, podcasts and videos every Canadian posts online as ‘broadcasting’ content. So if you post an Instagram reel, the CRTC could knock on your door. Something that the CRTC admits is true. But they promise that they won’t use that power.

That falls under the category of not believable because if someone gives you power, you’re going to use it at some point.

The reason why this is the case is that this bill sets no revenue threshold on who it will target, meaning every Canadian on every platform could soon be forced to make Canadian content contributions, or potentially get into trouble if the CRTC decides that they didn’t. Which is a #Fail.

The only hope for Canadians who like things the way they are is that the Senate will step in and either shoot this bill out of the sky, or send it back to parliament for major revisions. But even if this doesn’t happen, I would keep this in mind. This bill was passed by the Liberal Party with help from the NDP and Bloc Québécois. Seeing as Canada has a minority government, which introduces the possibility that an election could be called at any time, I would keep that in mind the next time a federal candidate from any of those parties comes knocking at your door asking for your support. Because frankly, based on how broken this bill is, they don’t deserve it.

Huawei & ZTE Punted From Canadian 5G Networks…. What Took Canada So Long To Do This???

Posted in Commentary on May 20, 2022 by itnerd

Late yesterday news filtered out that both Huawei and ZTE have been banned from Canadian 5G networks over national security concerns. And any telco that is using their gear needs to rip it out ASAP. This mirrors similar moves by the US, UK, New Zealand, and Australia, who along with Canada are known as the “Five Eyes”, an alliance of these five countries to share intelligence. The difference is that Canada was late to this decision while the other four made this call years ago. Thus one has to wonder why it took Canada so long to make this move.

In my opinion, one factor had to be the Michael Kovrig and Michael Spavor situation, where those two Canadian citizens were essentially held hostage by the Chinese government in retaliation for the arrest in Vancouver, at the request of the US government, of Meng Wanzhou, the CFO of Huawei. That eventually got sorted when the US cut a deal with Meng Wanzhou which allowed the two Michaels to be released by China, as that’s how “hostage diplomacy” works. But even then, that was over a year ago and they are only banning Huawei and ZTE now. So that can’t be the only reason. Though it’s not clear to me what other reasons exist.

Regardless of what reasons exist, here’s the thing that really bothers me about this rather late decision by the Canadian government to ban Huawei and ZTE. If you accept that both of these companies are arms of Chinese intelligence, which I happen to believe to some degree, then this inaction by the Canadian government has given both these companies an inside look at not only the telecommunications networks in Canada, but how Canadians use those networks. Not to mention that they could have been doing who knows what to gather whatever information that the Chinese government wanted them to gather. All while the Canadian government sat on its hands and did nothing. So even though they’re now banned, Huawei, ZTE, and the Chinese government still win. And that highlights how the Canadian government has failed miserably on this issue.

When it comes to national security, governments have to take it seriously. They have to make decisions that lean towards ensuring security and they have to make those decisions quickly. That didn’t happen here, and I have to wonder if it is going to cost Canada down the road. Because it’s pretty clear that the Canadian government dropped the ball here, and there needs to be some accountability on that front.

Is It Time To Make The Internet An Essential Service And Hold Canadian Telcos Accountable For Providing That Service?

Posted in Commentary on May 18, 2022 by itnerd

Back in 2016, the CRTC said that high speed Internet was “essential”. This is what they meant by that at the time:

As part of declaring broadband a “basic” or essential service, the CRTC has also set new goals for download and upload speeds. For fixed broadband services, all citizens should have the option of unlimited data with speeds of at least 50 megabits per second for downloads and 10 megabits per second for uploads — a tenfold increase of previous targets set in 2011. The goals for mobile coverage are less ambitious, and simply call for “access to the latest mobile wireless technology” in cities and major transport corridors.

The CRTC estimates that some two million Canadian households, or 18 percent of the population, do not currently have access to their desired speeds. The $750 million government fund will help to pay for infrastructure to remedy this. The money will be distributed over five years, with the CRTC expecting 90 percent of Canadians to access the new speeds by 2021. 

The new digital plan also touches on accessibility problems, with CRTC mandating that wireless service providers will have to offer platforms that address the needs of people with hearing or speech disabilities within six months. Blais said this timeline was necessary, as the country “can’t depend on market forces to address these issues.”

Fast forward to 2022 and this really doesn’t go far enough to address what I think “essential” means to Canadians. Given that a lot of us still work from home, and the Internet is the difference between earning a paycheque and not earning one, or learning and not learning, I think that this needs to change. Now Public Safety Canada has a list of what it defines as “Essential Services”, which it describes like this:

Canada’s National Strategy for Critical Infrastructure defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. 

And while this list does list “Information and Communication Technologies” as part of this, I think it needs to go further to include not only the Internet specifically, but it should also include telcos like Rogers, Bell, and Telus so that they are responsible for maintaining and resolving issues to a high standard. As in resolving issues within hours and not days. And having a minimum uptime guarantee that said telcos are held accountable to. Now I know that Rogers, Bell, Telus and others would say that this isn’t required and they go above and beyond for their customers. But while I agree that these telcos do the best that they can to resolve customer issues in what they consider to be a timely manner, I don’t think that’s good enough. When the Internet goes out for a single home or a group of homes, even for a few hours, there are people who aren’t learning or making a living. That affects the economy. That alone makes it worthwhile to explore this idea and to take action to make it reality. And perhaps if something like this came into effect, telcos would spend a lot more time and effort to ensure that their networks were resilient enough so that outages became corner cases. That would be good for all Canadians.

What do you think? Should Canada do more to make the Internet an “essential service” as I’ve described above? Please leave a comment and share your thoughts.

2022 Canadian Federal Budget Includes Spending On Cybersecurity

Posted in Commentary on April 8, 2022 by itnerd

Yesterday’s Federal Budget had a lot in it for people to pick apart. But being an IT Nerd, I am focused on the new spending for cybersecurity:

Announced this afternoon, Budget 2022 also proposes to provide $238.2 million per year after the initial five year period for additional measures to address the rapidly evolving cyber threat landscape. The budget still has to be passed by Parliament.

The spending will include:
–$263.9 million over five years, starting in 2022-23, and $96.5 million annually ongoing to enhance the Communications Security Establishment’s (CSE’s) abilities to launch offensive cyber operations to prevent and defend against cyber attacks. The CSE is a division within the Defence Department that is responsible for protecting federal IT networks;
–$180.3 million over five years, starting in 2022-23, and $40.6 million per year ongoing to enhance CSE’s abilities to prevent and respond to cyberattacks on critical infrastructure;
–$178.7 million over five years, starting in 2022-23, and $39.5 million annually ongoing to expand cyber security protection for small departments, agencies, and Crown corporations; and,
–$252.3 million over five years, starting in 2022-23, and $61.7 million per year ongoing for CSE to make critical government systems more resilient to cyber incidents.

There would also be extra money to help cybersecurity researchers in fields such as quantum computing and artificial intelligence.

Those are big numbers. Thus this must be good. Right? I reached out to an expert to answer this question. Specifically David Masson, Director of Enterprise Security at cybersecurity AI firm, Darktrace:

“The Canadian Centre for Cyber Security, the public-facing arm of the CSE, has issued several cyber threat bulletins and advisories warning Canadian organizations operating critical infrastructure (CI) of the threat of cyber-attacks from Russia and Russian sponsored-proxies. It is no surprise that the Canadian Government underscores this priority with the allotment of $180 million to protect these increasingly vulnerable organizations and an additional $252 million to build government cyber-resilience in the face of incoming cyber-threats.  

In addition to protecting CI and strengthening government defences, the vast majority of the announced budget will support the CSE in boosting its cyber capabilities, including launching offensive cyber operations against malicious actors. This shift to offensive cyber operations to succinctly combat cyber-attacks may indicate troubling intelligence surrounding impending cyber-threats. Overall, the new budget emphasizes cyber “defence,” where the strategic advantage will be with those who can defend most successfully and quickly – not focused on attacking their enemy. This funding is an essential step in ensuring that Canadian organizations do not get left behind in the global cyber war.”

It seems that Mr. Masson thinks this is positive. So I will go with that. Hopefully the Federal Government spends this money wisely so that Canadians are protected from cyber threats of all sorts.

CRTC Takes Out A Dark Web Marketplace Called Canadian HeadQuarters ….. For Now

Posted in Commentary on February 1, 2022 by itnerd

In all the Spotify related news, I forgot to do a post on the CRTC taking out Canadian HeadQuarters. This was a Dark Web marketplace and the four people behind it have been slapped with fines:

Before shutting down, CanadianHQ was one of the largest Dark Web marketplaces in the world and significantly contributed to harmful cyber activity in Canada. It specialized in the sale of goods and services, including spamming services, phishing kits, stolen credentials and access to compromised computers, which were used by purchasers to engage in a variety of malicious activities.

The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials and other sensitive information. The following individuals have been issued penalties for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL):

  • Chris Tyrone Dracos (a.k.a. Poseidon) – $150,000
  • Marc Anthony Younes (a.k.a CASHOUT00 and Masteratm) – $50,000
  • Souial Amarak (a.k.a Wealtyman and Supreme) – $50,000
  • Moustapha Sabir (a.k.a La3sa) – $50,000

As the creator and administrator of the marketplace, a higher penalty is being issued to Mr. Dracos for allegedly aiding in the commission of numerous violations of CASL by the platform’s vendors and customers.

As part of this investigation, a number of other vendors have been identified and enforcement actions will be taken against them in the near future.

That’s great. But experts say that this may be a short term victory:

“Like Silk Road and more recently the White House marketplace takedown, it’s probable that another Canadian-specific marketplace for illicit goods will likely re-appear,” Ryan Westman, manager of threat intelligence team at eSentire, said in an interview.

“Individuals who are harvesting personally identifiable information to sell for the purposes of fraud will have to find a new marketplace to do business … As long as there’s demand there’s going to be individuals who are interested in fulfilling it.”

To get another perspective, I reached out to Darktrace’s David Masson and here’s what he said:

Despite occasional news items about the arrests and, even rarer, the convictions of cyber-attackers, most people would be forgiven for thinking that bad actors almost always get away with it. It can be challenging to find those responsible and hold them accountable, thanks to the anonymity of the internet and a host of sophisticated applications designed to cloak offenders’ identities. 

In terms of getting an arrest and a subsequent legal trial, knowing “who done it” is not the same as being able to prove it in a Court of Law. It is also difficult to prove what was done. While it may be clear that attackers stole money or identities, how it happened and who is to blame can be more challenging to prove with evidence. Nevertheless, legal mitigations can still occur with more creativity and bigger thinking.

With the above in mind, we should congratulate the Canadian Radio-Television and Telecommunications Commission (CRTC) for recently issuing penalties to four individuals in Canada for their involvement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). According to a CRTC statement, “The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands to obtain personal data including credit card numbers, banking credentials and other sensitive information.” 

In actuality, the CRTC issued the penalties “for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL).” We should remember, it was an inability to pay his taxes that took down Al Capone, not his other much more malicious activities. Still a result nonetheless, but both secured via more nuanced means.

It will be interesting to see how long it takes for this operation to reappear on the Dark Web. Because in my view, fines are great. But jail time would have been better. But given how hard these crimes are to prosecute, I’ll take anything that I can get in terms of punishing those behind these operations.

Canada’s Foreign Affairs Ministry Pwned By Hackers…. Russia Suspected

Posted in Commentary on January 25, 2022 by itnerd

Late yesterday it came to light that Foreign Affairs Canada had been hit by some sort of cyberattack with pretty serious consequences according to Reuters:

The incident was detected last Wednesday, a day before Canada’s signals intelligence agency said network operators of critical infrastructure should boost their defenses against Russian state-sponsored threats.

“Critical services … are currently functioning. Some access to internet and internet-based services are currently not working,” said a statement from the Treasury Board, which has overall responsibility for government operations.

As you can tell from that statement, the suspicion is that Russia is behind this. Which isn’t a surprise given their actions against Ukraine and the tensions that has created. Canada doesn’t typically comment on these sorts of things. But I suspect that we’ll hear more about this in the coming days.

UPDATE: Chris Olson, CEO of The Media Trust, had this comment:

“As highlighted by recent events, the ability to disrupt digital channels has become a strategic weapon in today’s geopolitical environment. Shutting off or redirecting websites/mobile apps harms not only consumers looking to access those services but also revenue and communication channels for business and government entities. Avoiding this scenario requires continuous monitoring of client-side experience to detect anomalous activity (domains, vendors) before it propagates and causes extensive damage. Establishing and maintaining digital trust and safety is a priority in 2022.”

UPDATE #2: Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“As Canada’s own intelligence agencies have recommended just prior to the attack, organizations need to upgrade their security capabilities in lieu of potential Russian attacks. Outside of even nation state threats, threat actor groups continue to evolve their campaigns. However, despite existing investments in perimeter and defensive solutions, endpoint, XDR, and SIEM, threat actors are still evading these tools successfully. With stolen credentials and phishing attacks being used to get inside networks easily, upgraded solutions that offer behavioral based threat detection along with adaptable machine learning (ML), not rule-based, and true artificial intelligence models found in a small set of next generation SIEMs are critical to stop these multi-staged attack campaigns.”

BREAKING: Governor General’s Internal Network Pwned

Posted in Commentary on December 2, 2021 by itnerd

For those of you who aren’t in Canada, the Governor General is the representative of Queen Elizabeth II in Canada. If you want to find out what responsibilities this position entails, you can click here. But with that out of the way, news is breaking that the Governor General’s office has had ‘unauthorized access to its internal network’, which is code for saying that their network got pwned. Here’s a snippet from the statement that the Governor General’s office put out:

The Office of the Secretary to the Governor General (OSGG) confirms that there was an unauthorized access to its internal network. The OSGG is working with the Canadian Centre for Cyber Security on the investigation and took immediate action to strengthen its network.

The CSE, which is responsible for providing the Government of Canada with information technology security and foreign signals intelligence, put out a statement on this as well:

CSE and its Canadian Centre for Cyber Security (Cyber Centre) can confirm we are working with the Office of the Secretary of the Governor General (OSGG) in response to a recent cyber incident. We are unable to comment further on any specific details regarding this incident.

Although this investigation is ongoing we can assure you that we are working closely with OSGG to ensure there are robust systems and tools in place to monitor, detect, and investigate potential threats, and to neutralize threats when they occur.

While there’s no word on the extent of the breach, any breach of any government network is not trivial. Thus you can fully expect that there will be a lot of work over the coming days to figure out what happened and what was done. I also expect to see commentary from the Canadian government on this over the coming days, especially since Revenue Canada has been pwned in the past. Thus you should watch this space for more on this story.