Thursday, April 26, 2018

Fail of the week: Quebec Revenu Agency... but don't worry, they won an award!



I was especially unimpressed by the response to a news investigation performed for an event hosted by the Quebec revenu agency.   

You see, they seem to think it is a good idea to use public, group live chat sessions to interact with their clients that are hosted on Facebook.

It is understandable for them to wish to have a Facebook presence.  No issues with that.

It is understandable to want to do cool and modern things.  Almost no issues with that.

Why almost.  They are tax collectors.  I fail to see the business need to be cool.

That is like when Hydro Quebec says that their image is the most important thing.  Calm down.  Your the only source of electricity we have, no one is getting a dozen hamsters and telling you to F-Off.

As for this genius Facebook idea, I was misquoted (well... partially quoted) in the paper this morning as saying "Why?", my statement was actually two parts and a little bit deeper: 

- "What is the actual business need being addressed?".

- "Why, do they not host the actual group chat session on a private system that they control instead of Facebook?".  You see, the entire public chat session on Facebook remains available for review long after the event.  On a private system, you can clean the information or simply remove all of it.  Not so on Facebook.  You have no control and anything anyone typed is not just accessible to the attendees at the moment of the event, but remain accessible afterwards.

So what motivated me to blog about this is the response from the revenu agencies PR person, which in my view should take an early retirement.

She stated at least two things that are dead wrong.

Stupid rebuttal #1  "We ensure that no private or sensitive information is disclosed"

WRONG:  The journalists that contacted you told you that the group chat session contained numerous private details such as "I'm going bankrupt.  My revenu this year is $x.  I declared $x in RRSP's.  I just had my bank account seized.

So how exactly do you ENSURE that NO PRIVATE INFORMATION IS EXPOSED ?

Stupid rebuttal #2 We even won an award for our excellent public relations.

WHO CARES:  I love any rebuttal that starts with "we even won an award".  Sensitive information is being exposed.  It is a bad idea, and I challenge you to find a security expert that says it isn't.  The fact you won an award just pisses me off because you are using my taxes to boost your ego with bad ideas.  



If a kid in school hands out free Redbull to all his friends, he might win the award for best public relations.... doesn't mean what he is doing is a good idea.  How can you say something this stupid as your rebuttal....

Baffling.

And she goes on to say "you know. we have a code of ethics and we asked our lawyers....".  Another pointless piece of bullshit.

The lawyers protect your interest first.  They told you to advise everyone participating that "we will not answer personal questions".  That certainly doesn't stop someone from asking one, as is proven in the group chat logs. And how exactly do you prevent personal questions on a group chat designed to ask questions with regards to the Quebec Revenu agency !!!!

Are the participants only there to ask what your mailing address is ?????

What kind of crack cocaine are these people smoking.

Your code of ethics is a failure.  You should include a portion that talks about your duty as a higher power to preach good cyber security practices you single celled amoeba inbreed idiots.

In light of all the bad press around Facebook this month, you certainly picked the right time to continue using Facebook as a group chat system, after all, it is not like we know that Facebook uses ALL available data as their business model since the service is free.

Now here is a tip.  If you want to actually have good customer experiences, try answering the phone when someone calls and needs to talk to you.   

I know it is a lot cooler on Facebook, but I hear a lot of people bitching that they can never get any assistance when they need it.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com



No comments:

Post a Comment

Imagine a Vulnerability Testing tool that defaults to showing you partial results

Well, to my surprise, Tenable.IO has added a new setting that defaults to NOT showing you everything. So when creating a new scan, you are f...