[GTALUG] [OT] Phishing is no mirage...

D. Hugh Redelmeier hugh at mimosa.com
Wed Dec 18 09:36:19 EST 2019


| From: Russell Reiter via talk <talk at gtalug.org>

| Yes you did volunteer the information when they asked for it.

"ask" isn't quite accurate.  "demand" is closer.

I'm sure that no negotiation was possible.

| The law
| presumed you have a choice in the matter. There are enough providers who
| don't collect SIN numbers that you could have used one of them.

Do you know this?  Or are you guessing?

I do think that you are probably right: I don't remember being asked for 
my SIN for phone contracts.

| However, having the SIN makes it easier for
| them to get access to your funds through the court system if you owe them a
| significant debt.

Really?  How would that work?

| > So now the Telecom provider has my SIN.
| > Are they free to use as they wish?
| >
| 
| No, they have a fiduciary duty to you to protect that sensitive
| information. It was collected as a kind of trust article.

Really?  "Fiduciary duty" is a very strong standard.  Can you point to
anything that says they have such a duty?

| > Could they use it as my client ID and paste it on the front the bills they
| > send out to me?
| 
| I think if they did that you could sue for injunctive relief, assuming that
| they didn't reveal that was their contractual policy at the outset. It
| would be on your copy of the contract if they did.

I don't know the limits of "injunctive relief", but my guess is that it 
just means a court order to "stop doing that".  No penalty.  No undoing of 
damage.  If so, that's not very satisfactory.

| > Part of my concern was that enough personal information for someone to
| > completely steal my identity was provided to a call center in a third world
| > country with little or no oversight.

Or: transfer your data to a datacenter in the US where the laws are
different and nasty.  That's completely normal in Canada.

| How did that happen? You purchased the service from a brick and mortar
| location, in Canada I presume. Accounting and financial data are different
| than technical and service information. It would be highly unlikely that a
| service technician or even a first tier collection representative would
| have access to your complete data file.

Strangers have access to poorly stored corporate data.  Just look at
the LifeLabs case revealed yesterday.

| > The carrier should have an obligation of care with my information.
| > But the only obligation that the carrier has is to maximize the shareholder
| > value.

Not a "fiduciary responsibility" to the customer that you claimed
earlier?

| Cybercare of personal information starts with the individual; unfortunately,
| it's all downhill from there.

There are many components to this.

We need to push back on unreasonable requests.
We need to have better privacy legislation.
We need better consumer education.
We need consumers to demand better privacy.
We need real competition, so bad actors suffer in the market.
And so on.

Right now, the power imbalance between a customer and a corporation
limits the effectiveness of your statement.

Some aspects of privacy are like vaccination.  Privacy is easier to
defend if we all have it.  If we each stand alone, we will lose.

You are essentially "blaming the victim".  That's not completely wrong
but it seems like this is mostly a systemic failure.

A friend of mine probably died due to standing on such principles.
(In the US, he could not afford health care.  He had wealth that he
could not access due to these principles.)
