Archive for the ‘Identity Theft’ Category

28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?

On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – and

24 Dec 2009

Give your loved ones a little Privacy this holiday

Do your loved ones have toys on their wish lists this holiday? A stuffed animal for a little one… a cell phone or a camera for a teen? These days, these toys and gadgets are more than they used to be. Just a few years ago a stuffed animal was something to cuddle with and a phone was, well, just a phone! Now, many stuffed animals come with codes that allow kids to register them online so that they can play games, feed and care for them, and even chat and play with other kids. And many cellphones are phones, computers and cameras, all in one.

And while such toys and gadgets can be fun, we want people to enjoy them without putting their privacy and personal information at risk.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For parents especially:

Understand new toys and their capabilities – It is important to understand the capabilities of new toys and how your children will use them. Speak with your kids about how they will use the toy and, where appropriate, agree on guidelines and limits.

Pay attention to privacy settings and parental controls – Privacy settings on social networking sites control what people see about you. Only allow your friends to see your page, your posts, your photos and your applications. Parents, if you depend on parental control software that is installed on your desktop, remember that. Those controls won’t be in place on new mobile devices.

Remember, with Wi-Fi, children can access the Internet from anywhere in the house – And if their new toy/gadget has Internet capabilities they can also use it to access the Internet from locations and networks outside your supervision and control.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For everyone:

Think before you click – The Internet is a public arena, and photos and comments you post are permanent. Even if you delete them from a web page, they could continue to exist in archived pages, in your computer’s cache or on the computers of other Internet users who may have copied them. If you don’t want certain people to see something, now or in the future, don’t post it!

Pick and protect the perfect password – Your information is only as safe as your passwords. Use different passwords for different systems; make sure they are strong (eight characters or more and a variety of letters or numbers); never share them with anybody; and change them regularly.

Know your friends – Online, you can’t be 100 per cent sure who you are talking to. Don’t accept friend requests from people you don’t know in real life.

Protect your identity – Identity theft is a growing problem and the Internet is the least private of spaces. Don’t post or e-mail personal details such as your social insurance number, phone number, home address or birth date.

Be careful on online gaming sites – Online gaming sites are hotbeds of people accessing personal information. Be aware that ill-intentioned people can use information from your profile to establish accounts in your name, or use your stolen identity to access your existing accounts.

Be wary of e-mail or instant messages from unknown people – Don’t open online messages that seem odd or are from someone you don’t know. They could contain a virus or let a hacker gain access to your computer.

Have a happy holiday and enjoy all your new toys!


8 Sep 2009

Protecting personal information online – do young people get it?

Our Commissioner, Jennifer Stoddart is worried that maybe they don’t. After conducting an investigation into Facebook’s privacy policies, we’re now turning our attention to youth as the school year gets underway. Because while they may be savvy about using social media, many of them still may not know how to create a secure online identity.

If you’re listening to the radio today you may hear a message from our office that we created especially for young Canadians. In case you miss it, we’ve provided clips from it for you here . The gist of it is that many young people are still jeopardizing their safety, and possibly compromising their futures, by sharing photos and information – some of it inappropriate – with people they don’t know… people who may not be who they say they are.

Young people – everyone, really –  need to always be aware that the personal information that they post online could be used in a variety of shady ways, from embarrassing them, to stealing their identities – even for finding out where they live, go to school, or their plans for the weekend. Our radio message urges young people (and their parents and teachers) to regularly visit for information on safely using the Internet and social networking sites.

The message also reminds everyone that we’re inviting all young people, between the ages of 12 and 18, to participate in our second annual video contest. All they have to do is create a one- to two-minute public service announcement on the importance of privacy by Friday, December 11th and they could win some really cool prizes!

30 Jun 2009

Who are these identity thieves?

Many of you have serious reservations about conducting on-line transactions, and often associate identity theft with IT geniuses hacking into computer networks. We really can’t turn a blind eye to technological development and its close connection to the emergence of new techniques for exploiting personal information. However, identity theft transcends the virtual world, and it often hits much closer to home.  

A survey conducted by the Office of the Privacy Commissioner shows that one Canadian out of six has been the victim of some form of identity theft. More than 90% of Canadians report that they are concerned about identity theft.

Benoît Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis have published a report which offers a profile of identity thieves and examines the way they work. The resulting highlights are alarming. “Identity thieves: a common delinquency profile” reports that 1.7 million Canadians were affected by identity theft in 2008, and that 340,000 Quebeckers fell victim to this type of crime the previous year. A report released by the McMaster eBusiness Research Centre in 2008 confirmed these  figures and showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes (Sproule and Archer, 2008).

The 90% of Canadians who report that they are concerned with identity theft have reason to worry! Dupont and Louis recently produced a profile of what they call “ordinary” offenders. This profile is more frightening than organized crime or the virtual profiles we tend to associate with “identity thieves.”

Not saying that we should underestimate cyberspace in light of this finding; it plays a considerable role nonetheless. More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the World Wide Web is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud. However, at issue here is understanding, first and foremost, how identity thieves acquire information, if not on-line. Who are these identity thieves?

The Université de Montréal research team based its work on 574 news articles collected from January to June 2008, containing 195 instances of identity theft involving 422 offenders. It identified ordinary individuals who use strategies that vary widely in terms of sophistication. The following highlights complete the profile of these ordinary individuals:

Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.
Identity thieves are relatively older than other offenders; the average age is  33 years. The oldest offender identified in our database was 67 years old. 
Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.

The approach to committing theft is as ordinary as the thief’s profile. It’s a far cry from hacking into computer networks: 53.4% of incidents involve the theft of wallets and purses, and fraud. The proportion of professionals who use the personal information they collect about their clients, patients, or beneficiaries for their own benefit accounts for 28.3% of identity theft.

But why steal identities? Simply because it’s easy! According to Dupont, identity theft is attractive because of the low risk involved and the ease of carrying on this activity. Fears of increased popularity are fuelled by the economic crisis and the direct profits that can be made (US$26,000 on average). Identity theft has one of the fastest growing crime rates seen in recent years (Finklea, 2009).

An increasing number of measures are taken to give Canadians the tools they need to prevent identity theft and to encourage businesses and government organizations to properly protect the personal information they store.

Nonetheless, in reality, day-to-day vigilance is necessary above all else.


1) Susan Sproule and Norm Archer, McMaster University, McMaster eBusiness Research Centre, “Measuring Identity Theft in Canada: 2008 Consumer Survey – Working Paper #23” July 2008. Online at:

2) Finklea, Kristin M. (2009). Identity theft: Trends and Issues. Congressional Research Service: Washington DC.

12 May 2009

It’s all fun and games until someone brings up FiFi

As we mentioned earlier, Twitter is where everyone seems to be these days.

Until recently, identity theft on the popular microblogging site seemed to be limited to pranksters impersonating celebrities, the most famous being a fake Tina Fey who, according to rumour, even got a laugh out of Tina Fey herself.

Today, though, it appears the non-famous among us are the targets of the latest identity theft scam — and the consequences are not exactly funny. (here, and here)

Because many of us run out of things to tweet about, even in 140 characters or less, we sometimes take part in games and trends. Among the latest were several variants on the “porn star name game,” where you form a fictional, adult-movie screen name for yourself by combining different names from your past, such as your mother’s maiden name, the name of your first pet, the name of the street where you grew up …

Wait a minute. Each of those names is often used as a security question when accessing online email services, using online banking sites, or even when speaking to your bank on the phone. Is it any wonder that phishers encouraged everyone on Twitter to take part in the fun?

Maybe the hilarity of introducing yourself as “Sasha Johnson Mount Royal” to the entire online world isn’t worth the chuckle after all.

4 May 2009

Do your young people “think before they upload”?

Did you know it’s Privacy Awareness Week in the Asia Pacific Region? If you’ve got young people in your life, who you’re trying to impart the privacy-awareness message to, have them check out the three-minute video, featured on our YouTube channel, that the Asia Pacific Privacy Authorities (APPA) launched to mark the week.

The video features a series of animated scenarios that highlight the potential consequences of posting personal information online. Would your child, niece, nephew or student want their grandma, coach or teacher to see what they’re posting online? If the answer is “no” they need to watch this video – and learn to think before they upload!

18 Dec 2008

Your information – what’s it worth?

South of the border, Sony Music recently settled with the U.S. Federal Trade Commission (FTC) after the FTC filed a suit against Sony claiming the company had violated children’s privacy rights.

Last Wednesday, the FTC accused Sony of being in violation of the Children’s Online Privacy Protection Act, or COPPA, by collecting, maintaining and disclosing personal information of children under the age of 13 without parental consent.

The FTC estimates that Sony collected the personal information of about 30,000 children on 196 websites operated by Sony Music. That includes names, addresses, mobile phone numbers, e-mail addresses, dates of birth, ZIP codes, usernames and gender. But that’s not all:

“Many of these sites also enable children to create personal fan pages, review artists’ albums, upload photos or videos, post comments on message boards and in online forums, and engage in private messaging.”

The following day, Sony and the FTC announced the suit had been settled, with the company agreeing to pay a fine of $1 million, put in place a screening process that complies with the FTC rules and hire a Web compliance officer to monitor the issue. The fine is reportedly the largest settlement for a case involving COPPA, which came into effect in 2000.

One way (and a fairly simplistic way at that) to view this settlement is that it works out to about $33 for each child’s information.

But these kids – and the rest of Sony’s website visitors – may see the value of their information in another way. A recent study by IBM found that people – and especially younger people – were willing to trade away their information for incentives like free high quality music or videos, discounts to favourite stores and air travel or hotel points:

“Close to 60 percent of total respondents were willing to provide information about themselves — such as age, gender, lifestyle or communications preferences — in exchange for something of value. Younger respondents had fewer concerns about revealing personal preferences, and a sizeable portion of participants over the age of 45 were also willing to share information about themselves. However, all respondents indicated the need for perceived value and incentives as a trade-off to provide personal information.”

And finally – what’s your information worth on the black market?

Cybercrime is big business – now reportedly even bigger than the international drug trade. In this world, credit card information can be bought and sold for as little as $1, and entire identities can be purchased for $5.

So how much is your information worth? As much as you care to protect it.

4 Dec 2008

Remember Mafiaboy?

In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.

Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.

Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.

And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.

5 Nov 2008

How your handheld handles your data

The popularity of mobile computing is skyrocketing – from teenagers to business travelers, hand held devices such as Blackberrys, iPhones and smart phones allow users to surf their favourite sites, manage their relationships within a social network, review work documents or download music.

Using traditional privacy protections such as passwords on your handheld device is a step in the right direction, but there are a number of other privacy concerns that are worth considering.

According to a CTV news report, personal information is turning up in refurbished handheld devices being purchased by Canadian consumers.

Reselling refurbished devices, whether by a large company or an individual on EBay, is a common practice. Many people also donate or recycle their unwanted electronic equipment, but never really know where those old handhelds may end up.

Sensitive files stored on handhelds can provide a wealth of personal information or valuable company data.

Despite their widespread use, the full privacy implications of losing a device are still largely unknown. A lost or stolen handheld can expose personal data to unintended parties, and this could be used for illicit or simply mischievous purposes.

As well, some devices appear to be susceptible to unauthorized access – whether through the carrier’s network, the phone’s built-in WiFi capabilities or with the intervention of a nearby Bluetooth device.

So how can we protect privacy while using mobile devices?

  • First off, always use the built-in password protection. Use a strong password, with a combination of lower case and capital letters as well as numbers.
  • Remove sensitive files from handhelds once you are finished using them.
  • If you have to keep sensitive files on a mobile device, encrypt the file, install a correctly configured firewall and/or password protect the file.
  • If your device is Bluetooth enabled and you do not use it, disable the feature.
  • When you upgrade your device, take the time to wipe it of personal information. A quick search will provide resources that will show how to clean a device such as a Blackberry or an iPhone. Installing anti-theft software on a device can allow a user to erase personal data remotely and even render the device unusable if it is ever lost or stolen.

There’s a further risk involved in mobile computing, a risk that we are in the process of evaluating: the privacy protections found (or absent) in the third party applications (apps) now common on handheld devices.

By their very design, apps installed on or downloaded to mobile devices may put personal data at risk.

It appears that apps are being built by a range of developers – from students to multi-national companies. As you would expect, these developers can have very different standards when it comes to accessing and protecting your personal information.

  • Before installing an app, check out the developer. You may need to make a personal judgment about whether you trust them with access to your device and your information.
  • Check your favourite apps for safeguards like password protection.
  • When you change your password on a non-mobile application (the web site), make sure the app reflects that change.
  • Make it a habit to log out of apps on a regular basis.

Mobile computing offers the opportunity to carry more of your life around in your pocket. Taking a bit of time to secure your device and personal information can help safeguard your privacy.

7 May 2008

Privacy in Facebook apps – the risk of the SuperPoke

The social networking site Facebook has been under scrutiny lately for lax security with its applications feature. Applications in Facebook are created by third-party software developers and are run on third-party servers. These applications can take many forms – a quiz, a game, or just another way to reach out to friends – but the common feature in all is that they allow software developers to access Facebook users’ personal data.

And while Facebook says it advises its users to “employ…precautions” when downloading applications, any Facebook user will tell you that most applications simply won’t work if you don’t agree to give the developer access to your information.

BBC’s technology program Click decided to test out this security flaw by creating its own Facebook application meant solely to “steal the personal details of you and all your Facebook friends without you knowing”. The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well.

Click’s experiment suggests that the concerns of privacy advocates (including those of us at the Office of the Privacy Commissioner) that the applications feature on Facebook exposes users to significant privacy risks, are warranted.  As well, the collection and use of this data by third-party developers could mean that some developers aren’t complying with PIPEDA, Canada’s private sector privacy legislation.

Something to think about the next time you feel like throwing a sheep.