I was a Messenger spoof victim

A few days ago I returned to my office after a meeting to find emails and voicemails telling me that someone was sending facebook messenger messages pretending they were from me.  The first message sent was an innocuous “Hello, how are you doing?” But if the recipient engaged it quickly turned into how I got a $300,000 government grant to pay off my bills, and tried to convince the recipient to send an email to “the agent in charge” to see if they were eligible.   I suspect if followed through it would either ask for payment of a loan application fee, or ask for credit card or other personal details.

Fortunately, it didn’t take long for my followers to realize it was a scam and not me.

This government grant scam is a known scam approach.  Typically one of two things has happened.  Either the malfeasant has hacked into my facebook account, or they took info from my public facebook presence and set up a spoof.

Some digging into my facebook profile, history, and security settings showed it was more likely a spoof than a hack.  I use strong passwords generated by a password manager for each account I have.  So it is unlikely that my password was compromised, unless there was some weakness in an app I have allowed to access facebook.  (For that very reason I allow very few apps to connect with facebook.)

But just in case, I changed my password, set up 2 factor authentication, and an email alert to notify me of questionable login attempts.  I have that set up on other platforms, but had not on facebook.  I hadn’t bothered before because I have very little personal info on facebook.  The mistake I made that allowed the spoofer to send messages to my friend list was to have my friend list open for everyone to see.  Too late for this scam, but I changed that anyway.

I also posted a message on facebook letting people know it was not me.

It is frustrating how difficult it is to report this to facebook in case they can stop (or at least make life difficult for) the spoofer.  Facebook has lots of ways to report various things – but they are all set up for very specific things – none of which worked in my situation.  Recipients can report it (there is a “report spam or abuse” option on the gear icon beside the sender’s name) – but I can’t.  There used to be a basic way to report things when they didn’t fit the methods provided – but that seems to be gone.  And it’s not just facebook that does that.  The thread one of my friends sent includes a gmail address for the “agent in charge”.  But reporting that to gmail to try and disable the address isn’t easy.  Their spoof/scam reporting method works only if you have received an email from the address – as the email header is a required field.

So how do you tell when you get a fake message, and what do you do about it?

Typical scam/phishing warnings apply. The messages are often out of character for the sender.  Or they are grammatically strange.  Or a gmail or similar generic email address is given rather than a corporate one.  Another flag is if it tries to get info or money.  If in doubt, contact the sender in another way to find out.  Facebook and other messaging platforms often have ways to report malicious communication attempts.  The victim will appreciate it if you can take a minute to let them know and report it.

Cross-posted to Slaw

CRTC Compufinder decision lowers CASL spam penalty

The CRTC recently released 2 CASL decisions on Compufinder.  If this sounds familiar, it is because this is an appeal from an initial finding in 2015 that levied a $1.1 million penalty.

Compufinder took the position that CASL is unconstitutional.  Many legal experts have questioned the ability of the Federal Government to pass this legislation.  The CRTC decided that CASL is constitutional.  But this is not the last word. Inevitably this will be argued in court.  This decision is required reading for anyone who finds themselves in a position to challenge the act in the courts.  Ironically, the delay of the private right of action may have delayed getting the constitutionality issue to the appeal level.

In the substantive decision the penalty was reduced to $200,000.  This decision is required reading for anyone facing sanctions under CASL.

Topics covered include:

  • what the business to business exemption means (Compufinder failed to convince them that the exemption applied)
  • the conspicuously published implied consent, including who published it and message relevance
  • what is needed to show a diligence defence (it’s not easy)
  • factors in determining the size of the penalty

The decision shows that the CRTC will examine the CEMs sent in individual detail, and that the business has a high onus of proof to show that it has done everything necessary to comply with the act for each and every one of them.

IMHO most small businesses simply don’t have the resources to meet the requirements.  And no matter how hard they try, larger businesses will have a difficult time attaining them.  To me CASL is like using a sledgehammer to kill a fly in a china shop.  You may or may not kill the fly, but the collateral damage simply isn’t worth it.

Hopefully changes will be made to CASL as a result of the current review of the statute.

Cross-posted to Slaw

Will quantum computing cause encryption’s Y2K?

At the Can-Tech (formerly known as IT.Can) conference this week Mike Brown of Isara Corporation spoke about quantum computing and security.  Within a few short years quantum computing will become commercially viable.  Quantum computing works differently than the binary computing we have today.  It will be able to do things that even today’s supercomputers can’t.

For the most part that is a good thing.  The downside is that quantum computers will be able to break many current forms of encryption.  So it will be necessary to update current encryption models with something different.

That may not be a simple or quick exercise, given the layers and complexity of encryption.  His message was that we need to start planning for this now, and it may take an effort greater and more challenging than the one that fixed the Y2K problem.

For the record, Isara sells security solutions that are designed to be quantum computer safe.  For some validation that this really is a thing, take a look at this Wikipedia article on Post-quantum cryptography.  

Cross-posted to Slaw

Cars and the data they share

Anyone interested in cars and the data they will increasingly collect should read the article in the November Automobile magazine titled The Big Data Boom – How the race to monetize the connected car will drive change in the auto industry.

It talks about how much data might be generated (4,000 GB per day), how that sheer volume will be handled, and how it might be monetized. And the challenges of cybersecurity and privacy.

Auto makers are well aware of the privacy issues.  Challenges will include how to deal with privacy laws that vary dramatically around the world.  Will they default to the highest standard? Or will the data be valuable enough to make it worth their while to deal with information differently in different countries?

How will auto makers give drivers comfort that their information will be secure and won’t be misused?  How will they explain what info will be anonymized, and what will remain identified with the driver?

How many drivers will not be eager to share driving info with insurers and others either for privacy reasons or skepticism about what arbitrary decisions about them will be made based on that info?

For more about this topic, see this post I wrote a few months ago.  It is also on the agenda for the upcoming Canadian IT Law Association conference.

Cross-posted to Slaw

Canadian IT Law Association annual conference

I just signed up to attend the fall IT-Can conference, and thought the conference was worth mentioning.  It is a consistently high quality conference for lawyers practicing in the IT/IP fields, and for others such as CIOs.

Topics this year include fintech, quantum computing, blockchain and smart contracts, connected vehicles, big data, health care tech, cybersecurity, and control over online content.

Perhaps I’ll see you there in Toronto on Oct 23.

Cross-posted to Slaw

PIPEDA privacy breach notification regulations published for comment

The draft privacy breach regulations under PIPEDA have just been published.  They are open for comment for 30 days.

These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach.   PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in “real risk of significant harm”.  Those provisions will come into force after the regulations are passed.

The draft regulations are about what were expected.  They are similar to those under Alberta privacy legislation.

I agree with David Fraser’s view that section 4(a) that says notification to individuals can be sent “by email or any other secure form of communication if the affected individual has consented to receiving information from the organization in that manner” is uncalled for.  A notice of this nature is not spam, and it does not make sense to require that an individual has given consent for communication in that manner to notify of a privacy breach.  These notifications are for the benefit of the individual, so why make it harder for organizations to send it?

The amendments and regulations have provisions requiring organizations to keep records of all privacy breaches, including information that allows the Privacy Commissioner to determine if the organization properly considered the notice threshold tests.  In other words, organizations must be able to prove that any decision not to notify was justified.

Cross-posted to Slaw

Artificial Intelligence and the Legal Profession

Artificial Intelligence is going to have a disruptive effect on the legal profession.  The question is how soon, how much, and what areas of law come first.  This kind of disruptive change builds up slowly, but once it hits a tipping point, it happens quickly.

Futurist Richard Worzel wrote an article titled Three Things You Need to Know About Artificial Intelligence that is worth a read.  Here are some excerpts:

Every once in a while, something happens that tosses a huge rock into the pond of human affairs. Such rocks include things like the discovery of fire, the invention of the wheel, written language, movable type, the telegraph, computers, and the Internet. These kinds of massive disturbances produce pronounced, remarkable, unexpected changes, and radically alter human life.

Artificial Intelligence is just such a rock, and will produce exactly those kinds of disturbances. We’re not prepared for the tsunami that AI is going to throw at us.

But now AI is becoming a reality, and it is going to hit us far faster than we now expect. This will lead to an avalanche of effects that will reach into all aspects of our lives, society, the economy, business, and the job market. It will lead to perhaps the most dramatic technological revolution we have yet experienced – even greater than the advent of computers, smartphones, or the Internet.

The legal profession seems to be particularly susceptible to early occupation by AIs:

“At JPMorgan Chase & Co., a learning machine is parsing financial deals that once kept legal teams busy for thousands of hours. The program, called COIN, for Contract Intelligence, does the mind-numbing job of interpreting commercial-loan agreements that, until the project went online in June, consumed 360,000 hours of work each year by lawyers and loan officers.”

So, before June of 2017, lawyers and loan officers spent 360,000 hours a year interpreting commercial loan agreements for JPMorgan Chase. Since June, that specific kind of work has vanished.

Cross-posted to Slaw

Transport Canada publishes draft drone rules – still not hobbyist friendly

In March I wrote about Transport Canada’s overly restrictive drone rules.  A few weeks ago they lightened those rules a bit.

Transport Canada just released draft permanent rules for comment.  They propose a complex set of rules that vary among 5 different categories of drone.  While the proposed rules will make commercial use a bit easier, they are not friendly to personal use.

MobileSyrup details the proposed rules and comments that: “The new rules, if approved, would dramatically reduce the paperwork burden on both Transport Canada and commercial drone operators, but they would also increase the costs for all pilots while their impact on air safety remains uncertain.”

Unless the drone is 250 grams or less, even hobbyists must have insurance, and must pass a written test.  Drones must also be compliant with a yet to be named standard.

This is being done in the name of safety, but strikes me as being overly complex and burdensome.  The rules are open for comment until mid October.

Cross-posted to Slaw

Feds crack down on use of word “banking” by non-banks

OSFI just issued an advisory threatening to bring criminal sanctions against non-banks that use the words “bank”, “banker”, or “banking”.  Their cover note gives specific dates by which use must stop.  This derives from section 983 of the Bank Act, which says in part that a non-bank can’t use: “… the word “bank”, “banker” or “banking” to indicate or describe a business in Canada or any part of a business in Canada…”.  Examples given of improper use include: “Come do your banking with us”, “Automated Banking Machine”, “Bank Accounts”, “Better Banking”, and “Mobile Banking”.  It also says they can’t advertise under a “banks” heading of a directory.

The Canadian Credit Union Association was quick to respond with a press release saying:  “Ottawa is telling credit unions to stop using the words Canadians use to describe the work we do … This rule will prevent credit unions from advertising their ‘business banking’ services or even having an ‘on-line banking’ button on a website.”  And that: “OSFI has taken a position that is inconsistent with its past practices and with common sense.”

What do readers think?

Is this crackdown needed to stop confusion in the marketplace and to preserve the rights of banks?

Have terms like “banking” become a generic and acceptable way for credit unions and other non-banks to describe their services?

Cross-posted to Slaw

Supreme Court of Canada overrides forum clause in Facebook agreement

The Supreme Court of Canada has decided that a British Columbia privacy class action may proceed against Facebook in the courts of BC, despite the contract naming California as the forum for legal actions.

My personal view is that in business to consumer contracts, if a court decides that a local law is important enough, or if the actions of the business offend local sensibilities, it will find a way to apply local laws and hear the case. This Douez v Facebook decision will be relevant for any future actions in Canada that question the applicability of portions of online or other business to consumer agreements.

Here are some points to take away from the case.

  • The decision only decided that the class action may proceed in BC. The substantive privacy claim has yet to be litigated.
  • The decision shows how difficult this issue is to decide. Of the 7 SCC judges, there were 2 different majority opinions, and a dissent by 3 judges. They were fairly consistent about the test, but came to different conclusions based on the facts and legal philosophy.
  • The case was decided based on the BC Privacy Act that includes a statutory privacy breach tort. It remains to be seen how it would apply to other provinces that may only have a common law privacy tort. Or how it would apply to other issues.
  • It does not render choice of law clauses irrelevant. Nor does it render click-wrap agreements unenforceable. It is still important for vendors to include clear choice of law and forum clauses.
  • It has created uncertainty, and vendors need to know that courts may choose to override forum clauses and perhaps others. The fairer a court perceives the document to be in general (especially in the context of local laws), the more likely it will be followed.
  • Getting privacy right is crucial. If vendors offer services to those in countries with strong privacy laws, they must pay close attention to those laws when designing their products and new features. That includes developing Canadian laws, and for those providing services to European customers, the pending GDPR.

Cross-posted to Slaw