[GTALUG] [OT] Phishing is no mirage...

Russell Reiter rreiter91 at gmail.com
Wed Dec 18 12:32:07 EST 2019


On Wed, Dec 18, 2019, 11:16 AM Alvin Starr <alvin at netvel.net> wrote:

> On 12/18/19 7:48 AM, Russell Reiter wrote:
>
> On Tue, Dec 17, 2019, 2:57 PM Alvin Starr via talk <talk at gtalug.org>
> wrote:
>
>> On 12/17/19 2:27 PM, Russell Reiter via talk wrote:
>> [snip]
>>
>>
>>
>>> | I wonder why, especially in this data stealing age, the practice is
>>> not firmly
>>> | against the law?
>>>
>>> Yes.  And the boundaries clearly marked.
>>>
>>
>> The problem is that it's a matter of private law. The government would
>> essentially fetter itself if it actually made it illegal for you to give
>> out your SIN voluntarily. This might be the case in settlement if someone
>> has sued you, won and now has the right to a full accounting of your income
>> and assets.
>>
>> Enforcing laws is expensive and there is a threshold which is bounded by
>> economy of scale. As a general matter of private law, caveat emptor (let
>> the buyer beware) is the rule.
>>
>> It's kind of like the government is a national park with a grand canyon
>> running through it. They can put up signs which say don't get too close to
>> the edge or you may fall in but they can't really stop you from jumping off
>> the edge.
>>
>>
>> It's not that I was giving out my SIN voluntarily. It was a requirement of
>> getting service from a telecom provider.
>> Yes I could have refused to fill out the application and walked out
>> of the store.
>> But then I would not have had the telecom service that I needed at the
>> time.
>>
>
> Yes you did volunteer the information when they asked for it. The law
> presumed you have a choice in the matter. There are enough providers who
> don't collect SIN numbers that you could have used one of them. You jumped
> into the canyon by wanting services immediately. There is an old saw that
> says decide in haste, repent at leisure.
>
> The law of contracts is offer and acceptance. Getting a cell phone
> contract is not the same as applying for a loan. The business may do a
> credit check and withdraw the offer if you don't meet a credit threshold,
> but they don't need a SIN number to do that. However, having the SIN
> makes it easier for them to get access to your funds through the court
> system if you owe them a significant debt.
>
> Here is a bit of a thought experiment.
>
> Let's say I am interviewing to hire someone.
> I ask the person for sexual favors to get the job.
>

If you are a corporate employee that is grounds for sanction. You expose
them to a lawsuit for sexual harassment. If you are a sole or small
business proprietor, that's just plain creepy.

> If they say yes then they have accepted my offer and we have a contract.
>

This kind of agreement is not supported under contract law and the courts
are enjoined to respect that fact and they cannot enforce its terms.

> So it's a lawful transaction and the person providing the favors has little
> right to suffer buyer's remorse following your logic.
> As distasteful as the above example may be, it may still be legal.
>
>
> Contracts are funny things.
>

> Clearly if you beat someone to force them to sign a contract, the
> agreement is unenforceable.
> If I gently say "Oh come on it's a good deal" then likely the contract
> would stand.
> Where is the line between force and gentle coercion, then add into that a
> power imbalance.
>

>
>
>
>> So now the Telecom provider has my SIN.
>> Are they free to use as they wish?
>>
>
> No, they have a fiduciary duty to you to protect that sensitive
> information. It was collected as a kind of trust article.
>
> The only fiduciary responsibility is to the shareholders.
> Short of committing premeditated murder there is little that can pierce
> the corporation other than doing something that deliberately dis-advantages
> the shareholders.
>
>

A corporation has a fiscal responsibility to shareholders, they have
fiduciary obligations to all the persons they contract with.


>
> Could they use it as my client ID and paste it on the front of the bills they
>> send out to me?
>>
>
> I think if they did that you could sue for injunctive relief, assuming
> that they didn't reveal that was their contractual policy at the outset. It
> would be on your copy of the contract if they did.
>
> It was a bit of an extreme example but the point to be made is what are
> the limits of the business's use of that personal information.
>
> Yes there is always the remedy of legal action but that in general only
> happens long after the damage is done.
>
>
>> Part of my concern was that enough personal information for someone to
>> completely steal my identity was provided to a call center in a third world
>> country with little or no oversight.
>>
>
> You don't have to live in a marginalized area of the world to suffer from
> a lack of oversight in your own actions. Just saying ...
>
> I never actually said that I was hard done by or that I was taken
> advantage of.
> My point is that the personal information gleaned is being badly handled.
> Just saying ...
>
>
> How did that happen? You purchased the service from a brick and mortar
> location, in Canada I presume. Accounting and financial data are different
> than technical and service information. It would be highly unlikely that a
> service technician or even a first tier collection representative would
> have access to your complete data file.
>
> This was a first tier support person who was asking for my SIN as a proof of
> who I was.
> The information he had included my address, account information, past
> bills and my SIN.
> The first questions were about my invoice/account and since I was on a
> train I had no access to that information at which point I was asked for
> my SIN.
> The conversation stopped quickly at that point because there was no way I
> was reading out my SIN in a crowded public location over a phone.
>

> This event occurred several (5-10) years after the initial purchase through
> a bricks and mortar reseller.
>
> So if you believe that the first person you speak to on the phone at
> Bell, Rogers et al does not have ALL your personal details on the screen in
> front of them you are sadly mistaken.
>

I would hope, for billing and service inquiries, they would have all the
personal information I provided to them. I wouldn't give my SIN to a phone
provider tho. I don't ever remember giving it out to get a landline or
cable service and the agents I use now never have asked me for a SIN in
order to start services.


>
>
>> The carrier should have an obligation of care with my information.
>>
> But the only obligation that the carrier has is to maximize the
>> shareholder value.
>>
>
> Cybercare of personal information starts with the individual,
> unfortunately it's all downhill from there.
>
> That is true and this was something like 30 years ago I was much more
> naive then.
>
> The environment has changed in the intervening time.
> When I was a child access to personal information was controlled by
> physical access to paper and security was a matter of locks and keys.
> The rules around information protection are woefully inadequate in today's
> hyper connected environment.
>

> For example I later this morning will need to start looking at what of my
> information LifeLabs has leaked.
>

As you say times have changed. I only recently found out, in the recent
past, that they don't even issue replacement SIN cards anymore.

>
> --
> Alvin Starr                   ||   land:  (647)478-6285
> Netvel Inc.                   ||   Cell:  (416)806-0133
> alvin at netvel.net           ||
>
> --
Russell

>