Support for Ukraine



Blog Archive



Canada's Tax Revenue Agency Tries To ToS Itself Out of Hacking Liability

Full Story Blog Post Friday, March 10, 2023 in Internet   View No Comments No Comments
Internet
The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal—which, ironically, all Canadians must use when doing their taxes and/or running their business.

The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site".

Excerpt from the CRA terms statement:
"10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."
Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used.

Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.

riskybiznews.substack.com



No Comments