Data breaches and leaks have grown so large, entire countries have now started getting hit. Yet, privacy reform continues to be elusive.
If an entire city burns to the ground, the media has little hesitation in covering the story and lawmakers get involved. What’s more, there are endless followups where questions are raised over what measures are going to be put in place to prevent such a tragedy from happening again. Additionally, those endless followups are filled with questions on whether or not enough is being done to rebuild because so many lives were turned upside down with homes being burned to the ground.
Now, imagine, if you would, how people would react if, say, lawmakers just didn’t care in such a scenario. Imagine if lawmakers were responding to such a tragedy by saying, “well, things happen. These sorts of tragedies happen all the time. Fire is a natural part of the environment anyway and it’s not like there’s anything government can do. Besides, is it really that big of a deal if a whole city burned down when there’s millions of other homes throughout the rest of the country that haven’t been impacted? The numbers really are quite small, so it’s no big deal.”
Any sensible person would be stunned and infuriated by such a response. People would demand better and if the politician insists on a do-nothing approach, there would be considerable pressure to get that politician to resign. Such a scenario would be kind of unimaginable, wouldn’t it?
Now, let’s take things a step further. What if multiple towns were burning to the ground? What if these tragedies were happening on a regular basis and even the media had grown numb to such a thing? Sure, some people might complain, but it gets relegated to, at best, a footnote in the evening broadcast. The logic behind such a decision is that towns burning down to the ground has become so commonplace that it’s questionable if it’s even news at that point. What’s more, politicians of all stripes continue to react by saying nothing can be done about this and refuse to enact any legislation for years on end to prevent towns burning to the ground. You might argue that such a scenario would be both exasperatingly stupid and well beyond the realm of possibility, because society, as a whole, couldn’t be that ridiculously negligent.
Well, what if I told you a similar situation is happening right now, today? Ridiculous, right? You might argue that if that kind of thing were happening, you’d hear about it easily. Well, it is true that such a thing is happening in the world of personal privacy and personal information. If your personal information gets leaked or hacked, the level of damage a malicious actor can do depends on the nature of the information. For instance, if a picture of your cat happens to leak online, chances are low a malicious third party from halfway around the world could do much. Conversely, if your Social Security Number (SSN)/Social Insurance Number (SIN), date of birth, credit card numbers, bank accounts, and PINs get leaked, a malicious third party basically has your life and can do darn well anything at that point. Your life can easily turn upside down because of that situation.
For those who are saying there is no comparison between personal information getting looted and a house burning down, well, the comparison is not that different. For instance, a malicious third party can use your personal information to take out a massive new mortgage on your house, rack up your credit cards, clean out your bank accounts, and skip the country. In both scenarios, you’re basically losing your house. As far as you’re concerned, the house might as well have burned down to the ground since you went from having a decent life to living on the streets almost overnight. For those thinking that systems are in place to prevent that, I’ve seen way too many stories where the banks’ response boils down to “not our problem” in such a scenario – even when the fraud is ridiculously obvious.
It’s for reasons like these that I have long advocated for federal privacy reform in both Canada and the United States. I’ve seen countless stories that brought hope that both countries would finally get that wakeup call that things need to change, whether it was Europe passing the GDPR in 2018, the shocking Equifax data breach, the Ticketmaster hack, the Desjardins data breach, the Newfoundland hack, the Tim Hortons privacy scandal, the Home Depot scandal, the RCMP Stingray controversy, the RCMP Clearview AI scandal, or even the Global Affairs data breach. This is far from a comprehensive list of stories, but you get the idea. You would think that lawmakers would finally get the hint and start working towards privacy reform so we have a good foundation for how to respond to such incidents.
At most, Canada tabled Bill C-27, a piece of legislation that continues to be stalled and slow-walked with lawmakers continuing to be reluctant to move it forward by much. The US, meanwhile, currently has patchwork enforcement with certain government agencies bending over backwards to try and offer something somewhat resembling enforcement of personal privacy even though there isn’t a whole lot currently in the law books properly enforcing people’s personal privacy.
Yet, while lawmakers continue to show reluctance to really do anything about this immense problem, issues continue to crop up. More recently, a massive hack saw the Social Security Numbers of, well, pretty much every American (not to mention people’s personal information from other countries) stolen. From BleepingComputer:
Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.
The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.
National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.
In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of people in the US, UK, and Canada that was stolen from National Public Data.
Skeptics might look at this and say something along the lines of, “well, you can’t protect from every possible threat.” While that may be true, it turns out that breaking into these huge silos of information may be a heck of a lot easier than you think. According to an article published on KrebsOnSecurity, a hack on the same service was as easy as looking up the password in a public place:
New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).
NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.
Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.
A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.
Yeah, they basically had the same level of security as leaving the door key under the doormat. So much for the bravado of having the highest standards of security to safeguard that information. How’s that “industry standard” catchphrase working out for you now?
This is why I get infuriated about a complete lack of privacy reform in North America these days. Politicians prove time and time again that they don’t give a flip about these shoddy business practices that the free market has zero shot at fixing. For corporations, even if fines are handed out or lawsuits are filed, it’s just the cost of doing business to them. They haven’t changed in the last decade and they don’t intend on changing any time soon.
What really should grind your gears in all of this (on top of everything you are already seeing in this article) is the likely motivation for all of this slow-walking or lack of concern for privacy reform. It may have less to do with bureaucracy, negligence, and laziness and more to do with corporate greed and looking out for their own political interests.
As we noted last year, Canadian politicians did pass privacy reform through the budget bill. It was a small tweak that allows political parties to collect and use targeted surveillance for political purposes. This is especially the case when Canada is in a federal election. Today, there is an entire industry devoted to collecting and using your personal information for political purposes. This is what an investigation by OpenMedia and Tactical Tech found:
Today, OpenMedia is releasing a new report that takes a deep dive into all these questions, and more. Inspired by the groundbreaking investigative work into the global Political Influence Industry carried out by our friends at Tactical Tech, our report sheds light on the extent and nature of the Political Influence Industry right here in Canada. Accompanying our report, we’re also publishing a Canadian Political Influence Industry Database of the companies, large and small, who are employed by Canadian political parties to leverage their data for election campaigns.
This work is funded through two research grants from the Social Sciences and Humanities Research Council of Canada, administered through the University of Victoria by Professor Colin Bennett, one of Canada’s top privacy experts. We hope our report helps to better inform Canadians about the Political Influence Industry, and stimulate a wider debate about its role in our democracy.
So is there something wrong with how parties are handling your data? Of course, interactions between voters and those who seek to represent them are at the heart of any healthy democracy. And there’s nothing inherently wrong with political parties seeking a better understanding of their voters’ concerns. But, as our report outlines, Canada stands almost alone amongst advanced democracies in having next to no safeguards to ensure political parties handle your data responsibly.
That’s not acceptable and it needs to change. Here at OpenMedia, we know that the right to privacy is fundamental to our democratic process. That’s why our community has, for many years, been fighting for stronger privacy safeguards — exposing the inadequacies of the political parties’ privacy policies, fighting back against their self-serving political and legal attempts to permanently exclude themselves from privacy rules, and urging lawmakers to take action. Tens of thousands of you have already spoken out, and the report we’re publishing today would never have been possible without your help — our small team here couldn’t be more thankful.
In short, politicians and political parties in general are part of the problem as things currently stand today. When their political advantages depend on a lack of privacy reform, it becomes extremely easy to see why politicians are so reluctant to do anything about all of these problems. They’re financially and politically motivated to do as little about these problems as humanly possible. That means you, as a citizen, pay the price of all of this over and over and over again.
It’s a situation that is beyond frustrating, yet this important issue continues to get relegated to the list of “minor side issues” or “niche topics” even though the impacts on everyone are ridiculously obvious. It is insanely frustrating to see all of this happening. As a result, the only question I’m left with is “how can you not be angry at this situation?”