In the wake of the Maclean’s report, there’s a scramble to plug the breaches


The Canadian Radio-television and Telecommunications Commission is calling the country’s phone companies onto the carpet over revelations in Maclean’s that U.S. databrokers are selling the home and cellphone call records of Canadian consumers. In a terse letter dated Nov. 18, the telecommunications regulator demands that Bell Canada, Telus Mobility and Rogers Wireless immediately launch internal investigations into how the magazine was able to obtain the phone records of Jennifer Stoddart, Canada’s privacy commissioner, and another customer, via a Tennessee-based online service. “The article raises concerns with respect to the protection of confidential customer information,” writes the CRTC, calling the Maclean’s findings, which included details of incoming and outgoing calls on Stoddart’s government-issued BlackBerry phone, “a very serious matter.” The companies have been given a strict 10-day deadline to report back to the commission with a host of information. Among the specifics requested: descriptions of the safeguards that were in place when the privacy breaches occurred, explanations of how the companies verify customers’ identity, and a list of the new measures being taken to improve security.

The tough talk comes on the heels of amendments to the Telecommunications Act, introduced in Parliament last week, that will give the CRTC the power to impose huge fines—a maximum of $10 million for a first offence, $15 million for a second —on communications companies that fail

to play by government rules.

In Ottawa, the opposition is also calling for closer examination of the threat U.S. data brokers pose to the privacy of Canadians and the security of government communications. “I find it all absolutely shocking,” says Peter MacKay, the Conservative’s deputy leader and public safety critic. “This wide open, almost Wild West ability to access other people’s information is very unsettling.” With the government currently seeking parliamentary approval for even greater access to phone records as part of its new anti-terrorism legislation, MacKay argues that now is

It now appears that both the telecom industry and government regulators have known about U.S. companies inappropriately accessing Canadian phone records for more than seven years

the time to take action against those who are already abusing the system. “It has to be possible to clamp down, but I don’t think it’s a priority for this government,” he says. “These are basic, fundamental rights, and people have to know their government is striving to protect their privacy.”

Stoddart’s office has already launched its own investigation of how the data brokers accessed her Telus Mobility and Bell Canada records, a clear violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Although the phone carriers are co-operating with the privacy commissioner’s probe, they have had little to say publicly about what steps are being taken


Upon his return to Ottawa, long-ailing cabinet minister John Efford complained about all the media attention. “I don’t know why the press continually, day after day, wanted to talk about my health. I mean, I’m not the only person who has a sickness.” That’s for sure: an Efford special assistant, Rodney Mercer, has lodged a federal human rights complaint after losing his job, allegedly because he suffers from epilepsy.

to tighten internal security. But in response to the Maclean’s cover story, Bell Canada did issue a press release labelling itself a “victim” of “fraudulent and unethical activity.”

That shoot-the-messenger attitude typifies the industry response to security breaches, charges one of Canada’s top privacy advocates. “Clearly the phone companies don’t take this seriously,” says Pippa Lawson, executive director of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. “They seem eager to try and shift the

blame. But the leak is from their ship and they’re responsible for it.” What’s needed is better training for employees, stricter procedures for confirming customer identity, and more assertive government oversight. Lawson points to a complaint that she lodged with Stoddart’s office in 2004 about another American data broker that still hasn’t been resolved. “The problem is enforcement, not jurisdiction,” she says.

In fact, it now appears that both the telecom industry and the government regulatory bodies have known about U.S. companies inappropriately accessing Canadian phone records for more than seven years, but have done little to combat the problem. The Ontario privacy commissioner warned the CRTC about the trade in confidential information in the spring of 1998. The CRTC in turn brought it to the attention of the telecom carriers, but no action was taken. (The Ontario privacy commissioner’s office declined to provide copies of the 1998 complaint, citing Stoddart’s ongoing investigation.) Peter Hope-Tindall, a former special adviser to the Ontario

commissioner who worked on the file, recalls being mystified by the phone companies’ response. “They basically shrugged it off, saying that most of these companies were in the U.S.,” he says. Hope-Tindall, who now runs a Toronto-based privacy and security consulting firm, says the ease with which Maclean ’s obtained the call records for Stoddart’s government-issued cellphone is even more troubling. “There are people in the government, police services and national security agencies who could be in great danger if this type of information is freely available,” he says.

Plugging the holes in the system will not be easy. As fast as the telecom companies close one breach, the data brokers and snoops seem to open another. Marek Roy, an IT security consultant from Quebec City, says he recently brought two new problems to the attention of Canadian phone carriers. The first—a weakness in Rogers’ automated customer service systems that made it possible to obtain a faxed copy of someone else’s call records if you simply knew their postal code—has been corrected. “What we’ve done now, across the whole Rogers group of companies, is no more faxed phone records, period,” says Ken Englehart, the company’s chief privacy officer. “We’ll

A shoot-the-messenger attitude typifies the industry’s response to the problems

only mail them to your billing address.” Rogers is also now demanding additional information to verify its customers’ identity. Roy contends that he was also able to similarly obtain confidential customer information from Bell Canada with only a postal code, something the company flatly denies. “That was never possible,” says spokesman Mohammed Nakhooda. “Our customer service centres don’t even have fax capability.” While not providing specifics, Nakhooda says Bell continues to upgrade its internal security to prevent unauthorized people from obtaining customer information. “Privacy is an absolute No. 1 priority for us,” he says.

The second problem that Roy detailedcomputer software that enables hackers to assume another person’s identity by making their number appear on call displays, regardless of where the call is really coming from— ^ cannot yet be stopped. “The phone companies rW really can’t fix it,” says Roy, who demonstrated the technology by calling a reporter from what appeared to be an internal Maclean’s phone number. Given that many of the phone companies use call display to help confirm the identity of their customers, the potential for abuse is huge, Roy says. “It’s all pretty alarming. I’ve called Bell and added all new passwords to my accounts.” M

jonathon.gatehouse@macleans. rogers. com