Canada's Tax Revenue Agency Tries To ToS Itself Out of Hacking Liability (substack.com)
schwit1 shares an excerpt from a Substack article, written by former cybersecurity reporter Catalin Cimpanu: The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal -- which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site."
Excerpt from the CRA terms statement: "10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."
Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.
The terms of use also state that users are not allowed to use "any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services." Looking at the HTTP response headers using web browser developer tools doesn't breach the terms of services, but the CRA must be well aware that internet users perform scans like this all the time. And it's not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don't read terms of use pages. A statement like this doesn't protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens' personal data.
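The summary's technical claim is that the login page's cookies lack the standard protective attributes and that recommended response headers are absent. The following is an added example, not code from the Substack article or from the CRA: a small audit function a site operator can run over a saved raw HTTP response (for example, one copied from a browser's developer tools for a site they administer) to list exactly those gaps. The two responses embedded below are constructed for illustration and are not captures of any real site; the header checklist follows the OWASP Secure Headers recommendations.

```python
"""Audit an HTTP response for recommended security headers and cookie attributes.

Added example; the sample responses are constructed, not captured from any site.
"""

# Browser-facing login pages are expected to send these headers (defender's checklist).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may downgrade to plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script sources",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing not disabled",
    "x-frame-options": "X-Frame-Options missing: page may be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
}

# Every session cookie should carry all three of these attributes.
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


def parse_response(raw: str) -> tuple[dict[str, str], list[str]]:
    """Split a raw HTTP/1.1 response into a lower-cased header map plus every Set-Cookie value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    cookies: list[str] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)  # may repeat, so keep a list
        else:
            headers[name] = value
    return headers, cookies


def audit_cookie(set_cookie: str) -> list[str]:
    """Report which protective attributes a single Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [
        f"cookie {cookie_name}: {attr} attribute missing"
        for attr in REQUIRED_COOKIE_ATTRS
        if attr.lower() not in attrs
    ]


def audit_response(raw: str) -> list[str]:
    """Return a list of findings; an empty list means all checks passed."""
    headers, cookies = parse_response(raw)
    findings: list[str] = []
    csp = headers.get("content-security-policy", "")
    for name, message in REQUIRED_HEADERS.items():
        # X-Frame-Options is redundant once CSP sets frame-ancestors.
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        if name not in headers:
            findings.append(message)
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    for cookie in cookies:
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed sample: a login page that sets cookies with no protective attributes
# and sends none of the recommended headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same page with the headers and cookie attributes in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_response(raw) or ["no findings"]:
            print(" -", finding)
```

The weak sample yields eleven findings (five missing headers, three missing attributes on each of the two cookies); the hardened sample yields none. The checker treats a CSP `frame-ancestors` directive as satisfying the framing check, since modern browsers prefer it over `X-Frame-Options`.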
Re: (Score:1)
French-speaking Canadians call him Troud'eau, which means a hole in the ground filled with water or "water hole".
My tax submission ToS (Score:5, Funny)
In order to accept my tax payment/filing, the government must accept my terms of service which include the following ridiculous things....
I wish I had the same ability of government idiots to pull shit like that.
Re:My tax submission ToS (Score:5, Interesting)
It all went to hell when they had the bright idea to change the status of the Department of National Revenue to become the Canada Revenue Agency. A department is a direct branch of the government, thus having to conform to stricter regulations for all kinds of stuff, including citizen respect and protection. The "Agency" it has become is more like a private enterprise doing the job for the government; it is not responsible for its wrongdoings as much and has much fewer responsibilities in that regard.
Things have only gotten worse since then. The legal status change was especially made so the "Agency" wouldn't have to report as much to the government and wouldn't be liable to the citizen as much. It's basically as if the government hired a private company to collect taxes while protecting it from doing anything wrong.
See here:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
I don't follow most Canadian internal events but wow that sucks. Look carefully whenever anyone outsources a key function to separate themselves from the actions of their new entity be it a contracting firm or in this case an "agency".
Re: (Score:2)
Would this stand up in court though?
I don't know much about Canada's laws, but typically unfair terms like this are void if you try to sue them for negligent handling of your data.
Re: (Score:2)
I have no idea how a Canadian court would handle it. In a U.S. court, it's 50/50 how the court would rule but what would the winning plaintiff get anyway? Once your data is stolen, it's over. No getting it back. No court is going to give you a few million bucks for that.
My data was one of a few million people stolen from the Office of Personnel Management. The OPM handles Federal government employee data. I got a nice letter acknowledging it happened and the option to sign up for free credit watch for
Oh really? (Score:2, Troll)
..which, ironically, all Canadians must use when doing their taxes and/or running their business
You only need an online account to do your taxes online. You can file them by paper and mail just the same as ever [canada.ca].
Re:Oh really? (Score:5, Informative)
only need an online account to do your taxes online
This is only true for personal income tax. Business owners at all sizes are required to use the online system. It's also not true for students, who must use the online system for student loans. I'm sure I could come up with a few dozen other exceptions to your "oh, just do it on paper same as ever".
Re:Oh really? (Score:5, Insightful)
This is only true for personal income tax.
Which means the summary is incorrect.
Re: (Score:1)
Which means [I'm being pedantic]
Yes, yes you are.
Re:Oh really? (Score:4, Informative)
Business owners at all sizes are required to use the online system.
Only a few are required to file online as you can see [canada.ca]
Re: (Score:2)
Your link refers to GST/HST, not income tax. Most businesses with an annual gross revenue over $1 million must file corporate income tax returns electronically.
Re: (Score:3)
The link is here [canada.ca]. Search in that page for "Beginning with tax years ending after 2009, corporations with gross revenues in excess of $1 million are required to Internet file their T2 Corporation Income Tax Return using CRA approved commercial software."
Re:Oh really? (Score:5, Informative)
I came here to say this: "My Account" is absolutely NOT required. Jesus, when you sign up for it, they make you very well aware of the risks, as well as the fact that they take no liability. They even tell you that if you lose your password they will make your life hell to recover it. It is however the most convenient way to file if you expect a return; you can have a return auto-deposited into your bank account in less than 2 weeks this way.
But this is certainly not something Canadians must "ironically use"; in fact I would say my parents' generation is still generally very untrusting of anything online, and they wouldn't imagine filing taxes unless it was old school with the family accountant....
Happily, if you don't mind the manual paperwork, you can pick up a free kit, enter your numbers, and mail via snail mail, and have no part of this!
Re:Oh really? (Score:4, Insightful)
That's like saying a computer is not required just because books exist, or cars are not required because we have legs. For most governments (honestly I don't know about Canada but I've lived in a few places now and have experience filing taxes for several countries) the process of filing taxes online is orders of magnitude simplified, and in some cases even done for you.
Where I live currently, if I have no deductions or complicated investments, I could spend about a day gathering all relevant data and calculating how to fill it in to the summarised boxes on our paper form. Or I could log in, click "review", and click "submit", as the online system literally pre-fills everything it knows about your tax situation for you.
So sure you *can* do it offline. But that doesn't make it a really viable alternative.
Re:Oh really? (Score:5, Insightful)
Unfortunately, Canada's online tax system does not simplify filing taxes online. In fact, there is no way to actually file your taxes online unless you use commercial software or you get your accountant to do it.
The Canada Revenue Agency is really terrible at technology. And I suspect there's pressure from Turbotax and other software companies, as well as tax preparers, for CRA not to make it easy to file taxes. It would kill a large part of their market.
Re: (Score:2)
Oh really? I thought Canada was America without the bad government policy :-)
Well there's really no point in having an account then. I stand corrected (well I'm sitting corrected, but point is the same).
Re: (Score:2)
Canada is America without the bad government policy in many ways, but our government is (even) less transparent than the US federal government. And the CRA is a behemoth that does whatever it wants and doesn't care about taxpayers.
Re: Oh really? (Score:2)
You can file your taxes online for free unless your taxes are more complicated than average.
I've done mine for free for the past several years using TurboTax free tier. (Not hidden as well as it was in the US)
Re: (Score:2)
Yes, you can file online if you use proprietary software that doesn't run on Linux. There are even third-party services that let you fill in your tax forms in a Web browser and that then file them for you.
Which raises the question... if third-parties can implement a Web-based filing system, then why the f*** can't CRA implement a standard way to file your taxes using a web browser???
Re: (Score:2)
Sounds to me like the real problem is that the paper forms are too damn complicated.
Here in the USA, state tax forms (at least in my state) are MUCH more complicated than the federal forms. Back when Massachusetts had free online filing, it took me about 10 minutes to file. They eventually killed that, and now you either pay massive fees to have commercial companies do the forms for you, or spend hour filling out paper forms which are way, way more complicated than necessary, regardless of what income you
Doesn't mean what they think it means (Score:4, Interesting)
Declaring themselves "not liable" doesn't actually make them "not liable" otherwise I'd be the ruler of all the known universe.
Re: (Score:2)
Finally, someone who does think. And it's an AC, of all people :)
Joke aside, one could put whatever they want in ToS, but it holds no water in case of problems, because it can't be stronger than the law.
Re: (Score:2)
It's true that just saying it doesn't make it so. But taking on the CRA is not for the faint of heart. They can outspend most people on lawyers 100 to 1 without even blinking.
Re: (Score:3)
If they say so, they're not liable. Since they have become an "Agency", they can basically do whatever they want. See my other post:
https://news.slashdot.org/comm... [slashdot.org]
Re: (Score:2)
Well, you see, natural laws are binding no matter what. But human laws can be bent or broken, and twice so by those making them.
Now ponder what category tax laws belong to. Hint: Natural laws generally follow a logic and are universally applicable anywhere, on anything and anyone.
Re: (Score:1)
It's getting to the point where I'm embarrassed to be called human. Just kidding, I've been there for a long time now....
Welp (Score:2)
It's a government agency (Score:2)
Aren't they already practically immune from any meaningful lawsuit on this?
Sweet, we can do that now? (Score:2)
We're no longer liable for blunders that we could avoid or that we deliberately do because it's easier?
Hope you remember that when processing my taxes, because I couldn't be assed to do it right either.
Not versed in Canadian law, but sounds invalid. (Score:2)
Re: (Score:2)
Nobody is required to use the My Account portal, at least not for personal income taxes.
Re: (Score:2)
Yes, the article is incorrect.
Don't worry, Canadians are nice (Score:2)
Canada (Score:2)
...it's becoming more Soviet every single week?
Control, is Everything. (Score:5, Insightful)
"Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications."
When it's that easy to prove the "all reasonable steps" is bullshit, then it becomes rather obvious as to the actual power and control citizens have against the Canadian government.
I've spoken about Corporate Arrogance before. Government Arrogance is no different, and there's no question anymore as to how much of an arrogant fuck Trudeau is. They don't have to give you any more explanation other than "all reasonable steps" because they already know you don't actually have the power or control to do a fucking thing about it no matter what happens to your data. Legal statement is nothing more than feel-good window dressing.
Re: (Score:3)
Generally, from what I've seen, once a corporation gets sufficiently large, it's not that different from a government department/agency. Same bureaucracy, same politics, same asscovering. And yes, same arrogance.
Re: (Score:2)
Generally, from what I've seen, once a corporation gets sufficiently large, it's not that different from a government department/agency. Same bureaucracy, same politics, same asscovering. And yes, same arrogance.
From what I'm seeing, unless we get a real leash on anti-monopoly laws, Greed N. Corruption is going to be running the 100 mega-corps left on the planet within 30 years.
You won't be able to escape the arrogance then. You'll be enslaved by it instead.
it's not a government thing (Score:2)
They shirk all responsibility while claiming worldwide copyrights to all data on their networks. Note: Apple is the same, and actually all carriers too.
So if you press this button my minions will come and gun down your whole family.
--> _ACCEPT_ <--
This is totally legal. Press the button. You want the software don't you?
Like, really, EVERYONE's doing it these day, why is anyone surprised?