
What Can We Learn From Canada Revenue Agency’s Privacy Practices?
When opening a new account on the Canada Revenue Agency’s site, a newly-streamlined process made it easy for me to open an account and even allowed me to choose an adequately obscure username, not to mention password.
The fact that the CRA considers not only passwords but also usernames as being user-selected secrets is a sign of maturity that bodes well for an agency that has historically been plagued by data breaches and security snafus.

“Agency admits it vastly underreported cyberattacks against Canadian taxpayers to Parliament” — A quick search seems to point to some serious recent security incidents.
Upon visiting the CRA site, I am reassured by what appears to be an acknowledgment of past breaches, but also an excuse for underreporting them:
Since 2020, there has been an increase in the number of identity theft cases and unauthorized use of taxpayer information by a third party (UUTP). This appears to be driven by data breaches at third-party organizations enabling threat actors to obtain user credentials, the introduction of new or revised benefits administered by the CRA, and increased risks from social media, e-commerce, digital services, and cryptocurrencies, which offer new avenues for exploitation. Since the CRA began tracking cases of UUTP affecting individuals from May 11, 2020, to August 26, 2024, there have been more than 31,000 confirmed privacy breaches.
It is important to note that as soon as the CRA becomes aware of an alleged incident of identity theft, or suspects an account could be the target of a threat actor, it takes swift and immediate precautionary measures on the client’s account, such as locking it to prevent transactions, and conducting an in-depth review. The volume and complex nature of these cases limits our ability to report these breaches to the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS) immediately upon confirmation. The CRA is working closely with the OPC and TBS on a way forward.
Okay, let’s move forward.
The next screen is encouraging: it’s an offer to set up multi-factor authentication using a preferred method, such as SMS messaging or the superior alternative, an authenticator app on my phone. I scan the QR code and we’re off to the races.
Or so I thought.
Alas, I’m presented with a screen demanding the answers to — gasp — Security Questions. This so-called authentication method has been my pet peeve for years as it does little more than serve as an aggregator of personal information, which criminals can use to bypass account security and gain access to user accounts.
The CRA asks for the answer to not one or three, but five such personal questions.
And they’re all quite personal.

In fact, they’re so personal the CRA anticipates questions about privacy and volunteers their privacy policy as a way to defuse user concerns.
But seriously, we’re over a quarter of a century into the new millennium and we are still using security questions to create the vague aura of being ‘protected’ with even more shared secrets?
Haven’t we learned from numerous data breaches including BMO and LifeLabs? One company that is no stranger to data breaches says it plainly:

A quick search shows that aside from forgotten answers to security questions and various types of user error, security questions unnecessarily plague society by offering a false sense of security while effectively increasing the risk of personal information compromises.

This type of Knowledge-Based Authentication (KBA) has long been flagged by industry standards and data protection legislation as a weak and risky form of user identification.
Most industry guidance like PCI-DSS or ISO27001 abstains from passing judgment specific to security questions in favour of discouraging weak authentication and emphasizing strong access control measures.
But my favourite such guidance comes from the National Institute of Standards and Technology (NIST 63B) where it’s unambiguously indicated in ALL CAPS:
<web sites> SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
Since this is a privacy blog after all, it should be mentioned that personal information protection goes beyond the site you’re on. Organizations should consider the risk associated with aggregating such data, which cybercriminals clearly specialize in, over time and across a variety of sites entrusted with user data. As such, privacy legislation makes a point of alluding to such accountability on the part of sites that insist on collecting it:

Logging into the account the first time, the site offers a feature that would be useful, if it were more complete. It indicates the date of last login. Not the last two or three logins, but the last one.

Consider for a moment that many account take-overs take place on the same date and at the same time as the last legitimate account access. This makes it less than useful to know whether I was the user who accessed it. Helpfully, clicking the “Manage CRA Security Options” offers a view of the sign-in history, listing the most recent visits to the account.
However, adding a bit more information about those last few accesses, such as the originating IP, web browser, operating system, device used, time spent on the site and even some of the actions performed while on the site would be immensely more useful than: “if this is not correct, contact us”. This sounds a lot like “if you’re not sharp enough to flag an unauthorized access based on this timestamp alone, it’s on you.”
Not ideal, but better than nothing.
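To make the point concrete, here is an added example (my own illustration, not CRA code or anything from its sign-in page) of the kind of sign-in history a site could keep and show: each event carries the originating IP, the device, and the actions taken, and a small check flags the pattern described above, a sign-in from an unfamiliar IP or device shortly after the last legitimate one. The events, IP addresses and device labels are constructed for the example.

```python
"""Sign-in history with simple takeover flags.

Added illustration for this post, not CRA code. All sample events below are
constructed; the IP ranges are documentation addresses, not real clients.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    ip: str
    device: str          # label derived from the user agent (assumed, e.g. "Windows desktop")
    actions: tuple       # actions performed during the session


# Constructed sample history for one account (oldest first).
HISTORY = [
    SignIn(datetime(2025, 3, 1, 9, 0), "203.0.113.10", "Windows desktop",
           ("viewed notice of assessment",)),
    SignIn(datetime(2025, 3, 5, 18, 30), "203.0.113.10", "Windows desktop",
           ("viewed mail",)),
    SignIn(datetime(2025, 3, 12, 8, 15), "203.0.113.10", "Windows desktop",
           ("viewed benefit status",)),
    # Same morning, different network and device: the pattern the post describes.
    SignIn(datetime(2025, 3, 12, 8, 40), "198.51.100.77", "Android phone",
           ("changed direct deposit", "changed mailing address")),
]


def recent_signins(history, n=5):
    """Return the n most recent sign-ins, newest first (more than just 'last login')."""
    return sorted(history, key=lambda e: e.when, reverse=True)[:n]


def flag_suspicious(history, window=timedelta(hours=1)):
    """Flag sign-ins whose IP or device was never seen earlier in the history,
    and sign-ins from a different IP within `window` of the previous sign-in.

    Returns a list of (event, reasons) pairs; an empty list means nothing to review.
    """
    events = sorted(history, key=lambda e: e.when)
    seen_ips, seen_devices = set(), set()
    flags = []
    for i, e in enumerate(events):
        reasons = []
        if seen_ips and e.ip not in seen_ips:
            reasons.append("new IP")
        if seen_devices and e.device not in seen_devices:
            reasons.append("new device")
        if i > 0:
            prev = events[i - 1]
            if e.when - prev.when <= window and e.ip != prev.ip:
                reasons.append("different IP shortly after previous sign-in")
        if reasons:
            flags.append((e, reasons))
        seen_ips.add(e.ip)
        seen_devices.add(e.device)
    return flags


def render(history, n=5):
    """Format the recent sign-ins as the lines a user would see on the site."""
    return [
        f"{e.when:%Y-%m-%d %H:%M}  {e.ip:<15}  {e.device:<16}  {', '.join(e.actions)}"
        for e in recent_signins(history, n)
    ]


if __name__ == "__main__":
    print("Recent sign-ins:")
    for line in render(HISTORY):
        print("  " + line)
    for event, reasons in flag_suspicious(HISTORY):
        print(f"REVIEW {event.when:%Y-%m-%d %H:%M} from {event.ip}: {'; '.join(reasons)}")
```

The point of showing actions alongside the timestamp is that a user can recognise “changed direct deposit” as something they did not do, even when the date alone looks plausible; the automated flag is what the site itself could act on before the user ever looks.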
Moving on to the identity verification stage, where the CRA sends a code to my phone to help me snap a selfie to go with my passport picture.

This smooth process detected my face and rewarded me with a green checkmark. Upon checking the URL, I see that a company called Onfido was selected by the CRA to carry out this task, but one aspect of the process catches my eye.

The cynic in me asks: is AI just being used as a buzzword to give the tool a flair of modernity, or is it merely a synonym for data collection overreach, previously known as big data?
A quick search curiously fails to show any press release or mention of Onfido in association with the CRA. The privacy commissioner says that the CRA contravened the section 8 disclosure provisions of the Privacy Act, which specifies that a department must not disclose personal information under its control except in exceptional circumstances. Is it possible that it’s simply trying to reduce privacy salience?
Let’s have a quick look: Is Onfido a Canadian company? Apparently not, but its Wikipedia page appears to indicate that it is the brainchild of 3 young entrepreneurs:

They seem to have done well, as on April 9, 2024, Entrust Corporation announced its acquisition of Onfido for $650m in an all-cash deal.
Who is Entrust? — I ask Google.

For its part, the company’s Wikipedia page cheekily includes a heading called “Distrust”:
Distrust
In June 2024, Google announced that due to long-standing issues with compliance, Entrust would be removed as a trusted Certificate Authority in the Chrome browser, and PKI certificates issued by Entrust would no longer be trusted in the browser after October 2024.[32] In July 2024, Mozilla announced that, due to the long-standing issues, it will also remove Entrust as a trusted Certificate Authority in its Firefox browser. This will affect all certificates granted after 30 November 2024.[33]
That’s a pretty big slap-down for a company that was proudly established back in 1994 as it built and sold the first commercially available public key infrastructure. In 1997, Nortel (formerly Northern Telecom) spun off Entrust. In April 2002, Entrust’s public key infrastructure technology served as the foundation for the prototype of what is now the United States Federal Bridge Certification Authority. The authority is an element of the trust infrastructure that provides the basis for intergovernmental and cross-governmental secure communications.
All that to say, the Internet no longer appears to trust Entrust.
So who owns Entrust now? Its Crunchbase profile modestly states that “Entrust is a privately-owned software and credential company with over 2,000 employees”.
Way back in 2009, Entrust was acquired for $124 million by Thoma Bravo, a controversial U.S.-based private equity firm recently involved in antitrust allegations filed by the US Department of Justice and separately sued for promoting fraudulent investments as part of the FTX crypto scam.
But anyone who can fat-finger a Google search knows that private equity doesn’t hold on to companies for very long. And indeed, back in 2013 Entrust was acquired by Datacard.

Datacard who? Datacard is apparently a Canadian company (yay for CRA due diligence) based in Kanata, Ontario.

But wait, who are the private owners behind Datacard/Entrust/Onfido today?

The venerable Quandt family, billed as “one of Germany’s wealthiest and most influential industrial dynasties” is known to the Western world as one of the major owners of luxury automobile brand BMW, but there’s so much more to this organization than that.
Wikipedia says: “The award-winning documentary film The Silence of the Quandts[5][6] by the German public broadcaster ARD described in October 2007 the role of the Quandt family businesses during the Second World War. The family’s Nazi past was not well known, but the documentary film revealed this to a wide audience and confronted the Quandts about the use of slave labourers in the family’s factories during World War II.
As a result, five days after the showing,[1] four family members announced, on behalf of the entire Quandt family, their intention to fund a research project in which a historian would examine the family’s activities during Adolf Hitler’s dictatorship.[7] The independent 1,200-page study that was released in 2011 concluded: “The Quandts were linked inseparably with the crimes of the Nazis.”
It goes on to describe Herbert Quandt (whose mother married the infamous Joseph Goebbels) and his personal Nazi activities:
During his time as director he personally oversaw the deaths of 40 to 80 people each month through the use of slave labor with each slave staying alive approximately 6 months.[8] This turnover was due in large part to the concentration of acid gas in the air of the factory in which the slave labor was forced to work. Slave labor was used extensively throughout the Quandt factories and as early as 1938.
Quandt’s businesses supplied ammunition, rifles, artillery and batteries, using slave labourers from concentration camps in at least three factories. 80% of these labourers, numbering in the tens of thousands, died. An execution area was set up in the grounds of AFA’s Hanover factory.
Fascinating. So who runs the company today?

Wikipedia unambiguously states: “<Stefan> Quandt was born in Bad Homburg to Herbert Quandt, a German industrialist and prominent Nazi”.
So this is the private company that the CRA decided should collect all our private passport data, facial biometrics and is currently busy crunching all that personal information using artificial intelligence?

Now scroll back up to the top and re-read the CRA’s helpful defense of its poor record of data breaches and see if it doesn’t come across entirely differently:
Since 2020, there has been an increase in the number of identity theft cases and unauthorized use of taxpayer information by a third party (UUTP). This appears to be driven by data breaches at third-party organizations enabling threat actors to obtain user credentials, the introduction of new or revised benefits administered by the CRA, and increased risks from social media, e-commerce, digital services, and cryptocurrencies, which offer new avenues for exploitation.
Does it though? What if some of those data breaches at third-party organizations were due to poor judgment about the tools used by the CRA, the security practices being promoted and the service providers trusted with the personal information of Canadians?
Whether the data loss occurs as a result of an account compromise or a “third party”, the CRA places the onus squarely on users:

The second suggestion is particularly interesting as it creates password churn and increases the chance of errors and of forgetting the answers to security questions. Oh, and industry standards have officially discouraged the practice since 2016 (as per NIST SP 800-63B Section 5.1.1.2 paragraph 9 if you insist on looking it up).
In conclusion, I have a long memory, and I recall that the CRA has long been involved in annual data breaches, many of which are still listed on the Privacy Commissioner’s website. I’m certain that all of these have been unintentional and entirely accidental, but should the CRA have known better, and does the Agency demonstrate a track record of learning over time?
Way back in 2012 — when Onfido was just being incorporated by those ambitious youngsters who would come to boost their net worth by inventing a creative mechanism to collect the valuable data of strangers — the Privacy Commissioner’s investigators wrote:
Only once in the last 10 years has the Canada Revenue Agency not featured in the Top Five list of institutions about which our Office has received complaints under the Privacy Act.
Since our first Annual Report in 1983–1984, we have investigated approximately 4,000 such complaints against the agency.
And, again, the reasons for the consistently high number of complaints are not difficult to imagine.
Again: should the CRA have known better, or are knowledge acquisition and transfer a pervasive challenge at the agency? The availability of public information on the ownership structure of the CRA’s new AI-powered data collection tools has been widely documented, not only in books such as investigative journalist David de Jong’s “Nazi Billionaires: The Dark History of Germany’s Wealthiest Dynasties”, but also in the courageous work of researchers who had toiled for years before releasing their explosive documentary with no prior announcement, ostensibly for fear of retribution.
The murky details of Onfido’s use of AI on Canadians raise serious questions about the sufficiency of the agency’s due diligence to assure Canadian taxpayers that their personal information will not be stored outside the country, used or shared by other organizations, or kept indefinitely, among other, even more basic notions of informed consent and openness.
Today, based on the fact that Canada’s Privacy Commissioner again has an open and ongoing investigation into more than 31,000 breached taxpayer CRA accounts and some $8 billion in fraudulent payments related to Covid-19 aid, it’s clear that the embattled agency continues to experience significant challenges with some of the most fundamental aspects of information security and data protection, not the least of which arise from simple failures to conduct due diligence into the partners and vendors that make up their supply chain.
As for my account opening process, it eventually went off the rails and upon calling a helpful CRA representative to ask about the details of my own file, I was told that they were ‘unable to give me that information due to privacy and security concerns’.
It’s good to know that at least in spirit, those words still have a practical purpose.