This post originally appeared on PogoWasRight.org. I am cross-posting it here because I think NullCrew’s hack should inform policy decisions and public debate about a program of Bell’s that involves a lot of sharing of consumers’ personal information with “affiliates.”
Bell (BCE, Bell Canada, Bell Mobility, Bell Aliant and their affiliates) believes it is engaging in lawful conduct by sharing customers’ data with “affiliates” to deliver more “relevant ads” to customers. In and of itself, targeted behavioral advertising is cause for concern. But in light of questions about Bell’s data security raised by a recent hack, Canada’s Privacy Commissioner and the CRTC should exert their authority to protect consumers’ personal information.
Background
In October 2013, Bell posted an announcement on its site that began:
Starting on November 16, 2013, Bell will begin using certain information about your account and network usage for select purposes, such as continuing to improve network performance and product offers through new business and marketing reports, making some of the ads and marketing partner offers you see more relevant to you, and providing increased levels of fraud detection and prevention. We will not share any information that identifies you personally outside of Bell Canada and its affiliates. If you do not want us to use this information for these purposes, you can let us know by visiting bell.ca/relevantads.
The information that Bell started sharing with its affiliates includes customers’ network usage information, such as web pages visited from mobile devices or Internet access at home, including search terms entered in browsers; location information; app and device feature usage; TV viewing; calling patterns; account information including information about use of Bell products and services (such as device type, postal code, payment patterns and language preference); and demographic information, such as gender or age range.
That’s a lot of personal information being shared with an unspecified number of unnamed “affiliates.”
Additionally, Bell indicated it would share information with yet other companies, “in a way that does not personally identify you.” Of course, one can reasonably ask whether individuals’ data could easily be re-identified by combination with other databases or sources of information.
Since Bell’s announcement, the Office of the Privacy Commissioner opened an investigation, acknowledging that they have received over 150 complaints about the “Relevant Ads Program.”
PIAC/CAC File an Application with the CRTC
The Public Interest Advocacy Centre (PIAC) and Consumers’ Association of Canada (CAC) did not look favorably upon Bell’s new “Relevant Ads” program and filed an application (zipped archive of their application) on January 27 with the Canadian Radio-television and Telecommunications Commission (CRTC). In its submission, PIAC/CAC reviewed the application of the Telecommunications Act and other relevant policies and rules, and asked the Commission to exercise its authority and:
(i) Declare that the Bell Relevant Ads Program is contrary to the Telecommunications Act;
(ii) Declare that the Bell Relevant Ads Program violates the Commission’s confidential customer information rules;
(iii) Declare that the Bell Relevant Ads Program is contrary to the ITMP framework; or contrary to the privacy principle reflected in the ITMP framework and in the Telecommunications Act;
(iv) Declare that the Bell Relevant Ads Program violates Section 36 of the Telecommunications Act;
(v) Prohibit Bell from collecting and using customer information for advertising and marketing purposes as set out in the Bell Relevant Ads Program;
(vi) Initiate a larger, follow-up proceeding to examine the data collection, use and disclosure practices of all other telecommunications service providers and BDUs; and
(vii) Grant PIAC/CAC their costs of making this Part 1 application in accordance with Section 56 of the Telecommunications Act.
Although PIAC and CAC focused mainly on the privacy aspects, their complaint also mentions data security issues raised by Bell’s program:
With the rise in smartphone adoption and use and the push toward an all-IP architecture through which more and more Canadians experience more and more of their lives, the risk of a major data breach from a program such as Bell’s is too great to not give Canadians the full benefit of protection from data collection and use by their telecommunications service providers and BDUs.
High-profile data breaches, such as the recent data breach of at least 70 million Target customers’ information (including names, mailing addresses, telephone numbers and email addresses), warrant serious scrutiny by the Commission of the practice of data collection and use by a telecommunications service provider (with broadcasting undertaking, broadcasting distribution undertaking and retail affiliates).
The Privacy Commissioner and CRTC should take an even harder look at data security concerns in light of revelations this past weekend that Bell customers’ data – including, in some cases, unencrypted passwords and credit card information – were dumped on the Internet by the hacking collective NullCrew.
In response to the breach, Bell issued a statement denying that its server was compromised and stated that the breach was at a third-party supplier in Ottawa. They did acknowledge, however, that it was Bell’s problem, as it was their customers’ data. Indeed, customers who wished to avail themselves of the services offered by the third-party supplier would be sent to a URL that is a subdomain of bell.ca, and may have erroneously believed that Bell would protect any data they entered into an order form on that subdomain, including name, address, and credit card number.
While, at first blush, it might sound reassuring to hear that servers under Bell’s direct control weren’t breached, the hack raises crucial questions about Bell’s protection of customer data for the Privacy Commissioner and CRTC to consider. I reached out to Bell twice with a series of questions, but received no response, so I am posting some questions here for the benefit of those who may be more successful in getting answers from them:
1. Did Bell have a contract in place with the supplier that required the supplier to encrypt or otherwise protect Bell customers’ data? If so, did the supplier adhere to the terms of the contract with respect to data security? If not, what steps is Bell taking to ensure that they do going forward?
2. Does Bell audit its suppliers, vendors, associates and/or affiliates to ensure that they adequately secure customer data? If so, how does it do that and how frequently does it do it?
3. From inspection of the records in the data dump, it appears that the supplier had retained data from “closed” accounts. I’m not an expert on PIPEDA or Canadian law, but it’s my understanding that data should not be retained past the purpose for which they were collected. Did Bell know that data from “closed” accounts was being retained by its third-party supplier? If this is what happened, what does Bell do – and what will it do going forward – to ensure that personally identifiable information is not retained past its intended use by its suppliers, vendors, and affiliates?
4. As the hackers (NullCrew) demonstrated to me with a screenshot that I published [on DataBreaches.net], the hackers attempted to alert Bell customer support that there was a security problem with the site but got nowhere. In an interview conducted by chat, NullCrew informed me:
I informed them they didn’t have much time, and the world would soon see their failure… Their response was exactly what you see in their article, bullshit. “Bell Internet is a secure service.” They did not even say they would look into it, they did not try and assess the exploit… it was up, for two weeks. And only taken down after we released our data.
Did that support person ever forward the alert up the chain? Did Bell have an escalation policy in place that all employees were trained in, and if not, what steps is Bell taking to ensure that should this type of situation arise again, the alert will get transmitted to its IT security team? Related to this, do Bell’s contracts with its “affiliates” require prompt breach notification to Bell in the event of a security breach at the affiliates involving customer data?
Some commenters have noted that the breach could have been much worse as it “only” contained five credit card numbers. From tweets made yesterday by one of the hackers, it seems that the data we saw in the data dump may not be all the data the hackers acquired:
@fairyocarina @NullCrew_FTS Not sure I follow. If we wanted to upset people we’d have released the entire dump…
— siph0n – #NullCrew (@siph0n_NC) February 5, 2014
and:
@fairyocarina @NullCrew_FTS QQ? We could’ve released EVERY credit card captured, prefer that?
— siph0n – #NullCrew (@siph0n_NC) February 5, 2014
So what else did NullCrew get – and, as importantly – do Bell and/or their third-party supplier even know, from their forensic investigation, what was acquired? They only acknowledged 5 credit card numbers, but if @siph0n_NC is being truthful, there may have been many more. And if Bell hasn’t figured that out, what does that say about the security of Bell customer data?
In this privacy advocate’s opinion, the CRTC should heed the concerns of PIAC/CAC. Maybe some customers would prefer “relevant ads” to “random ads,” but I doubt they’d prefer them if they came at the price of an increased risk of having their data stolen, leaked, or breached. Bell’s increased data sharing has multiplied the risk of privacy and security breaches exponentially and needs to be halted.