Cybersecurity

Canada's new digital charter: a step in the right direction

Last week, the Government of Canada announced its new “digital charter,” aimed at emphasizing Canadians’ control over their personal data and penalizing big internet companies that break the law, as well as combating online extremism, hate speech and fake news. 

According to a copy of the charter obtained by the Toronto Star, though, the federal government will not immediately impose regulations on huge transnational companies such as Google, Facebook and Amazon — which practically control life as we know it online.

What is the charter?

The charter is being described as a set of principles against which existing or future Canadian laws will be judged, but at present, with no real action being taken, there’s nothing stopping these companies from going about their business as usual. And letting these companies self-regulate is like letting a five-year-old do your grocery shopping — you'll end up with junk that’s not good for anyone.  

These companies have been allowed to run free and create technologies with no regard for consequences — it's always been about the bottom line. Take Amazon, for example: they will deliver any item almost anywhere in the world. No one has stopped to ask whether this is beneficial to society — it’s just assumed that if the business is profitable, it must be a good thing. Amazon’s Alexa feature has been involved in egregious privacy breaches where voice recordings were compromised and sent to the wrong users, but that fact hasn’t dissuaded many people from having an Echo in their homes. 

Facebook may be the worst offender, with multiple privacy violations; as punishment, they’ve been slapped with fines so minimal the company has had no reason to change their data-collecting and privacy-violating behaviours.   

Anti-trust and digital privacy

Anti-trust laws are a broad category of laws that are meant to keep businesses operating honestly and fairly. In the past, these laws in North America have been around protecting profit rather than data. 

Germany has been using anti-trust laws to limit that data gathering, but North America is at least a decade behind Europe’s GDPR (General Data Protection Regulation), which puts privacy at the forefront and imposes strict fines on companies that collect too much data, that use data in undisclosed ways or without users’ full consent.  

What can we do?

It is a good sign that Canada is starting to take digital privacy issues more seriously. We can certainly maintain hope that the government elected this fall will continue to uphold privacy and regulate the online world in a way that protects our data. As citizens, we need to read the party platforms and consider voting in politicians who understand the importance of digital privacy and who demonstrate a commitment to protecting our sensitive data by reining in these big companies. 

To get the right information at the right time, contact the Beauceron Security Team at info@beauceronsecurity.com or 1-877-516-9245.

Protecting your digital identity in the era of mass surveillance – before it’s too late

San Francisco has just become the first U.S. city to ban facial recognition technology, to prevent discrimination and the inevitable curtailing of civil liberties that attends this type of artificial intelligence used by municipal agencies. Other cities are following suit, but despite this progress, the tech’s use is growing.   

If you frequent airports, sports stadiums, malls or grocery stores, facial recognition technology may soon be a big part of your life — whether you like it or not.   

Rather than check individual tickets, some airports are now using A.I. to scan faces as people pass the gates; if you’re paid up and your identity checks out, you’re allowed to board your flight.  Convenient, right?  

However, when the private sector uses our biometric data to discriminate their marketing tactics, we enter dangerous territory when it comes to the protection of your digital identity.  

Malls have been caught using facial recognition cameras to guess your age, gender and even mood to advertise accordingly, luring you to certain stores or kiosks where you’re likely to spend money.   

Even grocery stores can identify you in the aisles by your age and gender, displaying products on screens based on your marketing demographic. 

What is biometric data?

Biometric data — fingerprints, retinal scans, gait recognition (the way you walk), voice recognition, DNA, facial scans — are unique to the person, and aim to quickly confirm your identity.   

For individuals, the main benefits of using biometric data such as facial recognition are speed and convenience. You can avoid rummaging in your pockets for your concert or game tickets at a stadium. You can skip the lines, and just walk past scanning tech that can do the work instantly.   

For corporations, the benefits are more to do with the ability to sway purchasing behaviour. And for governments, they get to monitor and control populations by combining biometric and other surveillance data with artificial intelligence. 

Privacy concerns amid surveillance

The convenience of these technologies comes at a steep cost, especially regarding privacy. The most extreme example is China, where the government is known for abusing biometric data collection: they publicly shame people who jaywalk; they can capture facial scans and recognize citizens’ gaits to prevent those with a low social score from flying or from purchasing real estate; they can track anyone’s location at any time, often unfairly targeting ethnic or religious minorities.   

Closer to home, Toronto has been piloting the Sidewalk Labs project, a data-driven smart city initiative that facilitates things like snow removal and traffic planning, and can curb crime by way of sophisticated security cameras. But because Sidewalk Labs have refused to de-identify people, privacy expert Dr. Ann Cavoukian and others have denounced it as little more than a data mine that could cause harm if that data is leaked or abused.  

Glaring flaws in biometrics

Beyond surveillance, biometric identification has a major flaw: you can replace a compromised credit card, but if there’s a breach of your biometric data, you can’t change your face. Not easily, anyway!   

There’s a big possibility of false positives, too. In London last year, the Metropolitan Police misidentified and fingerprinted a 14-year-old black boy, and figures reveal this kind of mistake is no anomaly; in fact, facial recognition software wrongly identified members of the public as criminals 96% of the time.  

In its current iteration, facial scanning can also be racist and sexist; these technologies are prone to error when it comes to recognizing women and people of colour.  

Yet another issue: It can be used to advertise to you without your permission in malls and grocery stores, even in taxis. And with all facial recognition in the public sphere, the individual can never be sure when or how their sensitive data is being used, or whether or where it’s being stored.

The cost of convenience

While there are obvious pros to facial recognition — such as increasing border security and facilitating police efforts to track down dangerous criminals — as a society we need to ask how much of our personal data we’re willing to sacrifice in the name of safety and convenience. If it’s becoming too much, we need to call on legislators to stand up for citizens’ privacy before we become even more accepting of surveillance tech and all the risks that go along with it.   

Awareness training is the first step towards protecting your digital identity. Reach out to the Beauceron team to get informed on how our learning content can support your organization, info@beauceronsecurity.com

Verified.Me app makes proving your identity easy

Last week, banks in Canada announced the launch of Verified.Me, a free app that helps you prove your identity online.   

Because practically every online service requires a different username and password, it can be tough to prove who you are when you’re logging into your various accounts. Not only do you need to remember dozens of these credentials, but you often need to answer security questions, show physical identification — and it’s all getting too complicated.

Security AND speed

The goal of the app is to speed up the process of authentication while maintaining security and privacy. Logging into accounts and juggling passwords and identities is a pain, and people tend to sacrifice security in favour of convenience. Verified.Me aims to provide both. 

sign-in partner.PNG

This kind of service is already used by federal agencies like Canada Revenue Agency where you can log into your personal or business tax account through your bank, also known as a “sign-in partner.”  

How does Verified.Me work?

Think of any online service that requires you to create a username and password; instead, you log into your bank account only, through the Verified.Me app. If the bank deems that particular service to be trustworthy, you can log in automatically.  

You’ve already proven your identity at the bank; it’s the most important — and most tedious — step when opening your account. There are strict regulations in place, you need to show government-issued I.D. and open a real account as the real you. Of all the online entities, banks truly know who you are as a person. 

One identity to rule them all

The idea of a “federated identity” — a way of linking your identity and attributes, stored across multiple identity management systems — is coming up more and more these days, as identity becomes increasingly complex.   

“Single sign-on" (SSO) lets users log in to one service with a single ID and password to gain access to several sites and accounts. SSO is a good idea that has been mismanaged in the past by Google and Facebook and others — companies that have shown they can’t be trusted to manage and secure our digital identities. 

Facebook’s SSO was hacked in 2018, when it was revealed that it had fallen victim to an attack that breached 50 million user accounts. Google’s SSO has issues, too — if someone breaches your Google account, for example, they then have access to your passport information in Expedia, private messages on Tinder, location data on Uber — literally any site or service you access through the Google single sign-on.   

Why trust the banks?

Banks spend more on cybersecurity than any other organization in the country. They’re dealing with huge amounts of money so it makes sense that they have a vested interest in verifying their customers' identity and protecting against fraud.  

Unlike Facebook or Google, their entire business relies on being secure. 

How to get started

Download the Verified.Me app on your phone, open it and choose your bank from the list of options (Scotiabank, RBC, CIBC, TD or Desjardins). You’ll then be redirected to your bank’s app or website, where you can log in using your username or card number and password. Once you’re in, you can add “Connections” to your personal list and use the app to log into all those services.   

You’re in control of how and when your personal information is used, and no personal info is stored in the app — it's a win from all angles!  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245.  

Seven reasons to start using a password manager today

1) You aren’t alone

If you’re not sure what a password manager is, you’re not alone. And if you’re familiar with password managers but haven’t gotten around to using one, unfortunately you’re in the majority there, too.  

Good news — The Pack Has Your Back. Here’s the rundown! 

2) It’s easier than you think

Think of it as a diary where you’ve written all your secrets. But unlike any diary you kept as a kid, this one has a nearly impenetrable lock, and only you hold the key. In this case, the key is a strong, secure “master password.”  

Most people have weak passwords and use the same passwords on multiple sites and services. (And no, using the same password with a “1” after it does NOT count as a new password!) A password manager does the dirty work for you by generating random, strong passwords for all your logins, and storing them in one place that’s easy for you to access.

3) Less stuff to remember

With a password manager, you only have to remember that one master password. Period. Without a password manager, you have to remember dozens for all of your online accounts and services: phone and internet services, social media pages, banking sites, work and personal email accounts — everything these days requires a password!   

4) We’ve narrowed down the choices

LastPass is widely trusted and offers its best features — like a secure and searchable password “vault” where you can store all passwords, access on all devices, multi-factor authentication, and secure “notes” for files and information beyond just your passwords — for free.  

Other good options include 1Password, Dashlane or Keeper.

Some are free, some come with a small fee. Do your research and see which one best suits your needs. 

5) It’s safer than what you’re doing now

The obvious question people have about password managers is: what if that one master password gets hacked? Then the hacker would have access to all my online services and life as I know it would come to an end!   

Of course no security measure online or in real life is 100% infallible, but your “last password ever” is highly secure. It’s long, it’s complex, it’s got letters, numbers, and other characters that would be almost impossible to crack.   

It’s a lot safer than writing them down on a piece of paper or logging them away in a Google Doc, right? A password manager offers the best combination of security and convenience.

6) Who doesn’t like a good story?

What if I forget my master password? How to beat it: make your password into a story — a memorable phrase or a catchy song lyric.   

Many people don’t realize that a longer password is tougher to crack than a random one. So, for example (don’t use this one!) the password “afd%#T”, though complex and involving symbols as well as upper- and lower-case characters, would be easier to hack than something that tells a story, like “mydog8theblackcat@midnighT.” There are recognizable words in the second one, but it’s longer and therefore harder to crack.   

Make it personal to you.  

7) It’s free and quick

Go to LastPass.com (if that’s the one you choose), click the “Get LastPass Free” button, and enter your email, the master password, and an optional reminder. That’s the basic version. You can add services such as a GB of encrypted file storage and priority tech support if you pay a minor monthly fee.   

Then you just install the extension in your browser — it'll walk you through it, don’t worry — in order to capture and store passwords into its vault as you go about life online.   

It takes seconds. Okay, maybe a minute. But that’s really it!
   

If you want to learn more about how you can reduce your cyber risk at home and at work, contact Beauceron Security to learn more! info@beauceronsecurity.com