A security researcher is crying foul after discovering that the Canada Revenue Agency appears to force users into accepting questionable terms and conditions that put their data at risk when they visit the government website.
We Hack Purple Founder Tanya Janca detailed her concerns in a recent Twitter post. Upon logging into the CRA website, she was asked to accept terms and conditions. Janca decries the policies that suggest: “If there's a cyberattack and… tax data is stolen, it's not [CRA’s] fault.”
The reason for the agency’s assertion is that “CRA has taken all responsible steps to ensure the security of the website,” including the use of sophisticated encryption and implementation of “other procedures” to protect personal data “at all times.”
“The internet is a public network, and there is the remote possibility of data security violations,” according to the policy. “In the event of such occurrences, CRA is not responsible for any damages experienced as a result.”
However, it appears CRA is lacking some standard security measures on its website. Janca found that the site doesn’t send any of the recommended security headers and doesn’t set secure attributes on its cookies. In short, “those are security basics.”
What’s more, these issues were found with just a brief “public passive scan,” which suggests there could be other, more severe security lapses. The discovery comes just two months before the country’s official tax date, April 30.
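The two findings above (missing security headers and cookies without secure attributes) are exactly what a passive scan observes: it reads the response headers a site already sends and compares them against a baseline. The following is an added example, not code from the article or from CRA, showing how a site operator can run that same check against their own application's response headers. The list of "recommended" headers and the HSTS minimum are assumptions drawn from common OWASP-style guidance, not values taken from the article, and both sample responses are constructed inline.

```python
"""Passive security-header and cookie-attribute audit over HTTP response headers.

Added example; runs entirely on the constructed sample responses below and
fetches nothing over the network. The header list and thresholds are assumed
baselines, not requirements stated in the article.
"""
from __future__ import annotations

# Headers a public web application is generally expected to send (assumed list).
RECOMMENDED_HEADERS: dict[str, str] = {
    "strict-transport-security": "keeps browsers on HTTPS even if a user types http://",
    "content-security-policy": "limits which scripts and resources a page may load",
    "x-content-type-options": "stops browsers from sniffing a response into another MIME type",
    "x-frame-options": "prevents the page from being framed by other sites (clickjacking)",
    "referrer-policy": "limits how much URL information leaks to third parties",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days (assumed threshold); a tiny max-age protects little


def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie header value into its name and security-relevant attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag attrs carry no value
    samesite = attrs.get("samesite")
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": samesite if isinstance(samesite, str) else None,
    }


def audit_cookie(value: str) -> list[str]:
    """Return the attribute problems for one Set-Cookie header (empty list if none)."""
    c = parse_set_cookie(value)
    issues = []
    if not c["secure"]:
        issues.append("missing Secure: cookie would also be sent over plain HTTP")
    if not c["httponly"]:
        issues.append("missing HttpOnly: readable by any script running in the page")
    if c["samesite"] is None or c["samesite"].lower() == "none":
        issues.append("SameSite absent or None: sent on cross-site requests (CSRF exposure)")
    return issues


def audit_headers(headers: list[tuple[str, str]]) -> dict:
    """Report missing recommended headers, weak HSTS, and per-cookie attribute issues."""
    present = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    missing = [h for h in RECOMMENDED_HEADERS if h not in present]

    hsts_issues: list[str] = []
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val.strip())
        if max_age < MIN_HSTS_MAX_AGE:
            hsts_issues.append(f"max-age {max_age} is below the assumed minimum {MIN_HSTS_MAX_AGE}")

    cookies: dict[str, list[str]] = {}
    for n, v in headers:
        if n.lower() == "set-cookie":
            issues = audit_cookie(v)
            if issues:
                cookies[parse_set_cookie(v)["name"]] = issues

    return {"missing_headers": missing, "hsts_issues": hsts_issues, "cookies": cookies}


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit_headers(resp)
        print(f"[{label}] missing headers: {report['missing_headers']}")
        print(f"[{label}] HSTS issues: {report['hsts_issues']}")
        for cookie, problems in report["cookies"].items():
            print(f"[{label}] cookie {cookie}: {'; '.join(problems)}")
```

Feed `audit_headers` the header list from your own application's response (for instance from `response.headers.items()` in a test client) and treat any non-empty `missing_headers` or `cookies` entry as a finding to fix at the web server or framework level. The check is deliberately passive: it only inspects what the server already sends, which is why the same basics are visible to anyone looking at the response.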
“Forcing Canadians to accept the risk in terms and conditions is grotesque,” Janca wrote. “CRA should not be able to shirk its responsibility of securing” the data of its citizens. “If we must give it to you, you must be responsible for it.”
In an emailed statement to SC Media, Janca added further context: “Potential harm that could come from CRA’s stance that they are not responsible for any data that is lost from using their website include Canadians not being able to sue or otherwise hold CRA accountable for their actions. We are forced to give them our data, and then if they lose it there is zero recourse.”
Fallout from the August 2020 hack of the Canada Revenue Agency?
The recent policy changes appear to come in response to an ongoing legal battle over a massive security breach reported in August 2020. The government agency shut down its online services temporarily after confirming two cyberattacks compromised 48,500 user accounts.
The compromised user accounts led to nearly 13,000 potential fraud incidents where hackers changed the direct deposit information of taxpayers to fraudulently apply for Canada Emergency Response Benefits (CERB). The victims soon filed a lawsuit, which was certified as a class action in August 2022. The legal filing is still in mediation.
Given the ongoing legal issues and the previous hack, it’s reasonable to be concerned by the new CRA policy. For Janca, “if some or all of CRA’s collected data were to be made public or otherwise be breached,” every Canadian could be at risk of identity theft and blackmail (depending upon the data stolen and the individual’s situation).
There are potential physical harms, as well, such as stalking, injury, and/or death, “if addresses are of Canadians whose home addresses are revealed who are in hiding for various reasons,” she explained. Nation-state actors could use the type of information provided to CRA to even “manipulate Canadian democracy or other political manipulation, embarrassment or other uncomfortable social implications for some Canadians.”
“It would also likely lead to a lot of people being robbed, when people realized just how much money various people bring in,” Janca added.
For now, researchers like Janca are bringing attention to these real concerns in hopes the government will rectify the risks to protect its citizens.