[GTALUG] [OT] Phishing is no mirage...

Alvin Starr alvin at netvel.net
Wed Dec 18 11:16:25 EST 2019


On 12/18/19 7:48 AM, Russell Reiter wrote:
> On Tue, Dec 17, 2019, 2:57 PM Alvin Starr via talk <talk at gtalug.org> wrote:
>
>     On 12/17/19 2:27 PM, Russell Reiter via talk wrote:
>     [snip]
>>
>>
>>         | I wonder why, especially in this data stealing age, the
>>         practice is not firmly
>>         | against the law?
>>
>>         Yes.  And the boundaries clearly marked.
>>
>>
>>     The problem is that it's a matter of private law. The government
>>     would essentially fetter itself if it actually made it illegal
>>     for you to give out your SIN voluntarily. This might be the case
>>     in settlement if someone has sued you, won and now has the right
>>     to a full accounting of your income and assets.
>>
>>     Enforcing laws is expensive and there is a threshold which is
>>     bounded by economy of scale. As a general matter of private law,
>>     caveat emptor (let the buyer beware) is the rule.
>>
>>     It's kind of like the government is a national park with a grand
>>     canyon running through it. They can put up signs which say don't
>>     get too close to the edge or you may fall in but they can't
>>     really stop you from jumping off the edge.
>>
>>
>     It's not that I was giving out my SIN voluntarily. It was a
>     requirement of getting service from a telecom provider.
>     Yes I could have refused to fill out the application and
>     walked out of the store.
>     But then I would not have had the telecom service that I needed at
>     the time.
>
>
> Yes you did volunteer the information when they asked for it. The law 
> presumed you have a choice in the matter. There are enough providers 
> who don't collect SIN numbers that you could have used one of them. 
> You jumped into the canyon by wanting services immediately. There is 
> an old saw that says decide in haste, repent at leisure.
>
> The law of contracts is offer and acceptance. Getting a cell phone 
> contract is not the same as applying for a loan. The business may do a 
> credit check and withdraw the offer if you don't meet a credit 
> threshold, but they don't need a SIN number to do that. However having 
> the SIN makes it easier for them to get access to your funds 
> through the court system if you owe them a significant debt.
Here is a bit of a thought experiment.

Let's say I am interviewing to hire someone.
I ask the person for sexual favors to get the job.
If they say yes then they have accepted my offer and we have a contract.
So it's a lawful transaction and the person providing the favors has 
little right to suffer buyer's remorse following your logic.
As distasteful as the above example may be, it may still be legal.


Contracts are funny things.

Clearly if you beat someone to force them to sign a contract, the 
agreement is unenforceable.
If I gently say "Oh come on, it's a good deal" then likely the contract 
would stand.
Where is the line between force and gentle coercion, then add into that 
a power imbalance.



>
>     So now the Telecom provider has my SIN.
>     Are they free to use as they wish?
>
>
> No, they have a fiduciary duty to you to protect that sensitive 
> information. It was collected as a kind of trust article.
The only fiduciary responsibility is to the shareholders.
Short of committing premeditated murder there is little that can pierce 
the corporation other than doing something that deliberately 
disadvantages the shareholders.


>
>     Could they use it as my client ID and paste it on the front the
>     bills they send out to me?
>
>
> I think if they did that you could sue for injunctive relief, assuming 
> that they didn't reveal that was their contractual policy at the 
> outset. It would be on your copy of the contract if they did.
It was a bit of an extreme example but the point to be made is what 
are the limits of the business's use of that personal information.

Yes there is always the remedy of legal action but that in general only 
happens long after the damage is done.

>
>     Part of my concern was that enough personal information for
>     someone to completely steal my identity was provided to a call
>     center in a third world country with little or no oversight.
>
>
> You don't have to live in a marginalized area of the world to suffer 
> from a lack of oversight in your own actions. Just saying ...
I never actually said that I was hard done by or that I was taken 
advantage of.
My point is that the personal information gleaned is being badly handled.
Just saying ...
>
> How did that happen? You purchased the service from a brick and mortar 
> location, in Canada I presume. Accounting and financial data are 
> different than technical and service information. It would be highly 
> unlikely that a service technician or even a first tier collection 
> representative would have access to your complete data file.
This was a first tier support person who was asking for my SIN as a proof 
of who I was.
The information he had included my address, account information, past 
bills and my SIN.
The first questions were about my invoice/account and since I was on a 
train I had no access to that information, at which point I was asked 
for my SIN.
The conversation stopped quickly at that point because there was no way 
I was reading out my SIN in a crowded public location over a phone.

This event occurred several (5-10) years after the initial purchase 
through a bricks and mortar reseller.

So if you believe that the first person you speak to on the phone at 
Bell, Rogers et al. does not have ALL your personal details on the screen 
in front of them you are sadly mistaken.


>
>     The carrier should have an obligation of care with my information.
>
>     But the only obligation that the carrier has is to maximize the
>     shareholder value.
>
>
> Cybercare of personal information starts with the individual, 
> unfortunately it's all downhill from there.
>
That is true, and this was something like 30 years ago; I was much more 
naive then.

The environment has changed in the intervening time.
When I was a child access to personal information was controlled by 
physical access to paper and security was a matter of locks and keys.
The rules around information protection are woefully inadequate in 
today's hyper-connected environment.

For example I later this morning will need to start looking at what of 
my information LifeLabs has leaked.

-- 
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||
