Monday, May 6, 2013

Bell Canada and the Privacy Fiasco

My battle with Bell Canada over privacy questions is still continuing.  We're now into the third month.

You may remember that I recently I found a breached customer of Bell's and took the initiative to substitute their personal details and turned it into the Bell Canada account ID before reporting it on Twitter, because obviously nobody can tell who a person is by their account ID.  

As you can guess, given Bell's propensity to make a bad situation worse, they cautioned me against taking that initiative again.

Now, I'm quite happy to follow their request that I not go through the holes that Bell Canada's security presents, but I equally don't think Bell (or any customer at issue) would like it more if I just reported people's names and phone numbers when I find them.  Bell seems to have forgotten that I'm actually going out of my way to protect their customer - and that's something that I didn't have to do, but chose to do because I think it was the correct course of action in the circumstances, even if I did put Bell in a corporate spin over regulations and rules.  

Additionally, Bell hasn't any other way to report this stuff in private. So, the lesson here is don't report breaches to Bell Canada? 

I've also been informed that Bell now has their security team looking into these issues (this is a good thing), and apparently they are going to be contacting me for help.  However, if demonstrating a hole that they have to fix means I'm going to get slapped for accessing such holes, then I'm effectively not going to be of much help.

Bell likes to quote this paragraph of the rule book to me:

Unauthorized use of computer
42.1 (1) Everyone who, fraudulently and without colour of right, (a) obtains, directly or indirectly, any computer service, (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.


What the above translates into is this:  When you spot a security hole because they've let Google's bot slurp it their code into Google's cache, you're still on the hook for "indirectly" having unauthorised access to it.  

Bell appears to be using it's own rulebook to paint itself into a very unsecure corner by disallowing people to demonstrate failures to Bell.  

What I have discovered in this exercise so far though, can be outlined as follows:

  • Bell has a lot of customers, and it appears that there are regular breaches.  Whilst I've reported one to Bell, I am already aware of three others.
  • Bell doesn't have a solid way to allow the public to report breaches in confidence.  When you let them know via twitter that there's a breach, it's not dealt with quickly enough.  When you escalate it and demonstrate that the breach was reported (by showing the Twitter Feed) and then prove that it's still wide open and Bell is still failing to close it, they caution you for unauthorised access.
  • Their application of arcane rules are contradictory to the public's own interests, and Bell's own security.  
  • Requests to remove your information from third parties doesn't work:  Three months after pulling details from Canada411 (run by Yellow Pages), 411.ca (also run by Yellow Pages) still has the same details.  Ergo, Bell's requests to YPG to remove information is toothless and ineffective.
  • Bell will not answer the question of who they have given customer details to if you ask them repeatedly.  At this point in time, I'm aware of two sites - and Bell has yet to name either in it's response.
  • Bell doesn't appear to be proactively protecting customer data.  If I can find holes that have been sitting there for 2 years, then what was Bell doing for the rest of the time?

So, that's where things lie currently.  I'll keep you posted if my question ever gets answered.