What Can We Learn From Canada Revenue Agency’s Privacy Practices? [Preview]
Claudiu Popa
Certified Cybersecurity Expert & Privacy Advocate | Public Speaker & Media Analyst | Author, Educator & Podcaster | Opinions are my own, but happily shared.
When I opened a new account on the Canada Revenue Agency’s site, a newly streamlined process made it easy and even let me choose an adequately obscure username, not just a password.
The fact that the CRA considers not only passwords but also usernames as being user-selected secrets is a sign of maturity that bodes well for an agency that has historically been plagued by data breaches and security snafus.
“Agency admits it vastly underreported cyberattacks against Canadian taxpayers to Parliament” — A quick search seems to point to some serious recent security incidents.
Upon visiting the CRA site, I am reassured by what appears to be an acknowledgment of past breaches, but also an excuse for underreporting them:
Since 2020, there has been an increase in the number of identity theft cases and unauthorized use of taxpayer information by a third party (UUTP). This appears to be driven by data breaches at third-party organizations enabling threat actors to obtain user credentials, the introduction of new or revised benefits administered by the CRA, and increased risks from social media, e-commerce, digital services, and cryptocurrencies, which offer new avenues for exploitation. Since the CRA began tracking cases of UUTP affecting individuals from May 11, 2020, to August 26, 2024, there have been more than 31,000 confirmed privacy breaches.
Okay, let’s move forward.
The next screen is encouraging: it’s an offer to set up multi-factor authentication using a preferred method, such as SMS messaging or the superior alternative, an authenticator app on my phone. I scan the QR code and we’re off to the races.
Or so I thought.
Alas, I’m presented with a screen demanding the answers to — gasp — Security Questions. This so-called authentication method has been my pet peeve for years, as it does little more than aggregate personal information, which criminals can use to bypass account security and gain access to user accounts.
The CRA asks for the answer to not one or three, but five such personal questions.
And they’re all quite personal.
In fact, they’re so personal the CRA anticipates questions about privacy and volunteers their privacy policy as a way to defuse user concerns.
But seriously, we’re over a quarter of a century into the new millennium and we are still using security questions to create the vague aura of being ‘protected’ with even more shared secrets?
...
Read the rest of my article on the Bad Privacy Blog at www.BadPrivacy.com
Writer/Broadcaster/Host, AI Coach, Board Member, Zoom Fanatic, Speaker
6 days ago
LinkedIn needs this emoji for stories like this...???? Thanks for sharing, Claudiu.
MD at DR.M.M.
6 days ago
Love this Claudiu
With websites like Ancestry.com, birth names, dates, and locations of relatives are useless data points for security. Facebook has rendered previous schools, friends, "best friends" and other social data points useless. Google Timeline stores your historical location data "for you", rendering any travel references useless. Zoom, TikTok and other Chinese visual data mining apps have compromised our facial data as a "personal asset". What's left...my smartphone telephone number for 2nd factor authentication....seriously?