Every time I have ever come up against this world and reached for the feature of civilization that was supposed to protect me or help me it turned to ash in my grasp. These were phantom things.
This is the grim reality of living in a period where the institutions we depend on are hollow shells, impotent and fearful. These things you spend your life thinking will protect you end up being toothless parodies of the ideals you believe they represent. Once mighty, they are now just cruel energy sinks sapping our will and our strength screaming into their emptiness.
What won me these fights were never these institutions but my demand they live up to the ideals that used to reside in their hearts. I shamed them. I was cruel to them. I mocked their false piety. Their platitudes. I demanded results. I gave no quarter. I accepted no substitute but what was mine by rights as a human being living in a society of human beings that care for each other and recognize they have rights that transcend all status, even as wretched a soul as mine.
You cannot help but be radicalized by it. The system itself pushes you to its fringes. You don’t want to be there, but you cannot escape the cruel reality that if there is to be any hope in fighting this it will require radical action in order to succeed. Doing less invites failure, permits our leaders to compromise and capitulate and tell us that’s the best they can do.
As a young man I bristled at authority as a certain kind of young man must. I rejected the world they wanted to sell me, the lifestyle. It never felt like the life I wanted to live, there never felt like a true place for me in all these careers and status objects. The experience of becoming a father softened my edges, like so many men before me.
So I did what the culture wanted me to do. I got a job and tried to build a career out of it. I bought the car. I saw myself maybe climbing up out of the poverty I was rising up from. I spent within my means. We never got a big mortgage we couldn’t afford, instead we made the place we rented home and worked to at least get the biggest apartment we could afford.
The things I did to try and have a career. The awful, humiliating compromises of my values as a human being. The pathetic self-rationalization I would wrap myself up in to justify why I was doing these things that contribute to the net misery of the world.
What did I do these things for if here I am 20 years older and still facing an ejection from society? Still staring down the prospect of where my family would go if we lost our grip on the tiny piece of security and dignity we have. Still grappling with the annihilation of myself. What did these compromises do for me? What did the people on whose behalf I made them really give me in exchange?
It is only after they make you betray yourself to fit into the world they created that they too betray you and leave you a hull of a human being.
In the 2003 film Oldboy, director Park Chan-Wook weaves a dizzying revenge story that turns into a wrenching Greek tragedy. Dae-su Oh is one day kidnapped and imprisoned for years by an unknown jailer for an unknown crime. Upon his release his search for justice tears on a bloody path of revenge to learn the name of his jailer and the nature of his imprisonment. It is a path that stops dead when he learns the truth and that perhaps he deserved his punishment, turning his revenge sour. Tortured now by his own existence, torn between two moral poles he sees clearly for the first time and pleads:
“Even though I’m worse than a beast, don’t I deserve to live?”
Though I may not be the ideal worker, do I not deserve to live?
Though I may not be the most upstanding citizen, do I not deserve to live?
Though I may not pay the most in rent, do I not deserve to live?
These are the questions that sit with me as I take my own path to justice and what choice have I but to answer in the affirmative? To do otherwise is to accept that some people just aren’t worth a bare minimum of existence. Who am I to judge what is worthy other than to see a human face and recognize a common cause? Who are you?
Where should I go if I no longer fit into what my society considers someone deserving of humanity? Set up a tent in a park somewhere? Perhaps find some peace in that kind of community?
Until the state shows up and takes that little piece of life from me as well. Smashes it with batons and poisons the air with pepper spray.
Where then, if every door, every possible place of refuge is closed to me or ready to be denied the moment someone decides I don’t deserve to live anymore? That I should be discarded like trash?
We are in the midst of an unprecedented economic crisis and our political leadership is failing us. It's deciding that there are those among us – beast or angel – who don't deserve the same protections and dignity as the rest of so-called "decent" society. Systems of control like Landlord Credit Bureau and their private enforcement arm Canadian Tenant Inspection Services are helping drive this insult to the sanctity of human lives and homes.
The only hope for those of us now deemed unworthy of continued humanity is to come together with those still entrenched in society and those still clinging to its bottom rungs who are willing to stand with us. People must recognize that the machines of dehumanization that come for my family today will only be coming for theirs tomorrow, that the need for profit will transcend all social classes, all barriers. The escape is rejection of these perverse values of profit over human beings and reckoning with the machinery we built to perpetuate it.
Remember this: “Be it a rock or a grain of sand, in water they sink as the same”.
On Monday July 12 I woke up to the following notice in my email, that Canadian Tenant Inspection Services would be coming to inspect my apartment:
Here is the notice:
In the four years Livewell have owned/run this building we’ve had people in to do repairs twice despite multiple requests over the years. We’ve never had a fire drill, nobody has ever come to check on the smoke detectors and I can’t remember the last time they tested the fire alarm. Possibly never. Other tenants report the same thing – no response to requests for repairs for years, now suddenly they were doing “inspections”. It struck a nerve.
In fact, we only had a response to a repair request this same week when we reported water leaking from the apartment upstairs from us. After years of asking for repairs, a plumber showed up Tuesday morning and fixed the issue. They didn’t do anything about the black mould that is still forming in our bathroom, nor did they put locks on our mailbox, nor did they fix the locks to our apartment.
What we do know is that at the same time we asked for them to check on this water leak again another tenant in another building of theirs made posts to Reddit about the total lack of responsiveness from Livewell since they moved in. The post was quickly removed from the site, citing a rule about “personal attacks and witch hunts”.
We think the sudden responsiveness was due to this posting and their concerns over more negative media attention over it.
What were they inspecting for? They didn’t seem to care about the building or the condition of the units therein so why “inspect” now?
The answer, it seems, was right in the name of the company they hired – Canadian Tenant Inspection Services. Emphasis on ‘tenant’.
Essentially you have law enforcement teaming up with landlords in order to secure evictions of tenants once charged with crimes. Not convicted of crimes, just charged. In fact, the article includes examples of tenants charged with crimes who lost their homes only to have the charges dropped or be exonerated. It’s a tool used to great effect in terrorizing low income renters.
There is no statutory provision in the Residential Tenancies Act which would enable inspections for “criminal activity”.
Here is the Crime Free Lease addendum CTI suggests:
Again, lease compliance inspections are not enabled by the Residential Tenancies Act.
So who is Canadian Tenant Inspection services?
Jim Garnett is listed online as their President. He boasts of being a retired RCMP drug enforcement agent and former Vancouver Transit Police investigator on his LinkedIn profile (ARCHIVE LINK). He is based out of Surrey BC.
Garnett has been conducting these kinds of inspections for years in the Surrey BC area under the trade name GV Inspections. You can find a web archive of their website here as the domain has changed hands and is being used by a different company today.
It’s interesting to note here that back in 2016 when this archive capture was taken, Garnett required landlords to include language in their lease agreements enabling quarterly inspections by former police. They seem aware that they need some kind of additional consent from tenants to do this work. Again, such provisions would likely not be enforceable under the Ontario Standard Lease.
Testimonials include work performed for the City of Surrey, indicating they had been contracting his services for “the last 5 years or so”.
GV Inspections was listed as a vendor in the Fall 2016 issue of The Key, a trade publication for BC Landlords. On page 28 you can see them listed under Inspections and then under the category of Narcotics Detection and Security.
On page 27 of the same issue you can find this vendor listing as well:
Note the promotion for Landlord Credit Bureau on the right panel.
But wait, there’s more!
Here is CTI being promoted in the Marketplace section of the current Landlord Credit Bureau website. This is in the Landlords member section:
So just to be clear here – Livewell and the Landlord Credit Bureau have been harvesting data from tenants in this building. Those tenants resist, make a website and file complaints with regulatory agencies which result in 2 current federal investigations and 1 current Provincial investigation into their business conduct. They have also sued us for making this website and trying to inform our neighbours.
In response, the Landlord Credit Bureau and Livewell send in “inspectors” who are ex-RCMP associates of their founder to conduct “inspections” of our units. These inspectors admittedly aren’t building inspectors or otherwise qualified to evaluate the engineering safety, fire safety or even just general maintenance issues. They are ex-cops who specialize in “narcotics detection”, investigations and “neutralizing volatile situations”.
CTI Services' website was registered in 2016 according to domain registration records. Their web host is Netfirms, once considered to be among the best web hosts for small business. After acquisition in 2011 by Endurance International Group, that reputation rapidly dropped off. They are now among the worst-reviewed web hosts.
It's also notable that their servers geolocate to Burlington, Massachusetts (IP geolocation reflects where the network operator registered the address block, which is usually but not always where the hardware actually sits), making all data stored on their site or on their email servers subject to US laws of search and seizure and exposed to NSA intelligence gathering.
For the sake of it let’s also note that most of their domain info is redacted for privacy, a standard feature of modern domain registration. The Landlord Credit Bureau argues in their lawsuit against us that this basic privacy feature is an attempt to hide our identities.
With all of this information in hand shortly after receiving the email notice I knew we had an obligation to warn other tenants about the true nature of these “inspections” and try to ensure they had access to some kind of legal counsel. For the first time we went knocking on doors attempting to warn and organize people in our building.
There are several long term residents in this building, some of them here for 30 plus years. We knew they would be targets for eviction.
Through this process we also learned that they had sent notices to other neighbours that the building was up for sale and being shown to potential buyers. We did not receive any communication about this.
For the next few days we worked to get in touch with tenants and worked with the amazing staff at the Hamilton Community Legal Clinic. They were very concerned about the situation and offered to provide over the phone legal support to any resident who felt they needed it so we distributed their number amongst our neighbours.
Not satisfied, we sought out legal observers to attend and witness what might happen on inspection day. We received responses from Hamilton Ward 3 Councillor Nrinder Nann who could not attend herself due to a family occasion but sent representatives from the Hamilton chapter of the Acorn tenants union.
In a bit of a last-ditch move to try and make sure everyone in the building knew what was happening we posted these signs on our balcony:
The morning of the inspections we were not sure who or what to expect. Could these possibly end up being innocuous inspections? Was it possible the connections to Landlord Credit Bureau were incidental and they weren’t targeting us?
First we were heartened when we saw supporters show up in the park across the street. What incredible people, showing up to support total strangers facing this bizarre situation. I still get emotional thinking about it.
Bobby Hristova showed up as promised and that was extremely encouraging as well.
Then CTI showed up. We weren’t sure who would actually attend. Jim Garnett had signed the Notice of Entry but it would be very strange for our landlords to have flown someone in all the way from Surrey BC for this task.
Imagine our surprise then when Jim Garnett himself arrived on the scene with our property manager and another “inspector”. They saw the assembled supporters and immediately called the Hamilton Police.
You can see the police leaving as neighbours approach Garnett and the property manager.
Here is Jim Garnett himself – President of Canadian Tenant Inspection Services, former federal drug enforcement agent and associate of Marv Steier – live and in the flesh in Hamilton all the way from Surrey BC. It was pretty shocking and was the first confirmation that my worst fears about the purposes of these “inspections” were likely true.
He was joined by Livewell property manager Jardena Goldshtein.
Speaking with my wife Joey and another resident and in front of supporters Jardena stated there would be drones flying over the building.
A third inspector was on the scene as well.
This man was with them. He refused to identify himself. When asked if he was a licensed Private Investigator he was forced to acknowledge that he was. When asked to show me his PI license he refused to do so.
Even more disturbing were reports from supporters and neighbours that they had seen this man flying drones around the building earlier.
According to the Private Security and Investigative Services Act, private investigators are required to show their licence. Why did this man refuse? What legitimate purpose was he there for that he was unwilling to risk his professional licence for?
Clearly these were not going to be ordinary inspections.
Here is CBC reporter Bobby Hristova interviewing Garnett:
There are stories from this day that aren't ours to tell but we can summarize a bit here. Like the story of the 30-year-plus tenant renting well below market rent, who was the only black resident in the building, and how Garnett used the stick pictured here to try and force his door open after he had already said no to the inspectors entering.
Or the story of a neighbour who said she was uncomfortable having a strange man in her unit because she had recently been assaulted. Garnett responded by mocking her before offering to get a female inspector here in “20 minutes”. The tenant also refused to let Jim or any of his inspectors into their home.
Here is video of Jim Garnett at our door. He acts as if he doesn't know who I am at first but right as I close the door on him he uses my first name. We denied him entry on the advice of our legal counsel and Garnett immediately asks who our lawyer is, again something Jim's buddies at the Landlord Credit Bureau would certainly love to know since we are tied up in litigation right now.
If you look at his tablet you can see file folders. What is in those file folders? Information about residents here?
Property managers called the police again to complain we were harassing them. Which ended up resulting in easily the nicest police interaction I’ve ever had in Hamilton, which was a pleasant surprise. They asked if everything was okay, we explained the situation and they left after saying they had no problem with our protest in the park or our signs.
It wasn’t long after that Jim and his merry band of inspectors packed up and headed out for the day. All in all it was an emotional and exhausting day for everyone but we were so grateful for our supporters from Hamilton Tenant Unity, ACORN Hamilton and of course the Hamilton Encampment Support Network. Also special thanks to the Hamilton Community Legal Clinic for their interest in what is happening here and the generous legal support they offered residents. If you can find a way to support these organizations please do.
It’s beyond clear to us that our landlord is attempting to use this service to intimidate, harass and evict residents here at our building. They also own 21 other properties in the city. How many got inspections last Thursday?
I think it’s important to point out one final thing before closing out this post. Let’s assume the inspections were innocuous routine checks and all of our worry is just paranoia. I’d have to wonder then why they will fly in CTI and their “tenant” inspectors to target us as renters while at the same time failing to perform key life safety inspections in compliance with the fire code?
This is the fire extinguisher right outside my door. No inspection since February of 2018. Livewell took over the property in 2017.
If Livewell was so worried about the safety of their property, wouldn’t they be doing the mandatory fire inspections before sending in ex-RCMP cops and unidentified private investigators to police tenant behaviour?
We are attempting to compile a list of all the known corporate landlords and property managers who use Landlord Credit Bureau.
We will not be publishing the details of small landlords and don’t feel there is a public interest in having their individual names made public.
Corporate landlords and property management firms we feel are fair to comment on. If you feel you have been listed here improperly please let us know at email@example.com and we will work with you to ensure the record is correct.
Landlord Credit Bureau CEO Zac Killam is a partner in LiveWell Property Management.
They are believed to own 21+ properties in the Hamilton area.
LiveWell partners Zac Killam and Matt Christie own the building I live in through a numbered Ontario corporation:
Since being exposed by the media and becoming the subject of a Federal privacy investigation, LiveWell Properties have been scrubbing their already slim online presence. More to come on this but for now here is LiveWell abandoning its online portal and rental listings:
They appear to be rebranding to LWPM as all their old URLs redirect to a new Buildium portal:
They no longer list any of their available properties for rent on their website.
Vionell Holdings Partnership is a licensed multi-family, condominium property management firm that has operations in Brandon, Portage la Prairie, and Thompson, Manitoba. Our team of professionals manage the properties by providing excellent service in the areas of leasing, maintenance, budgeting and financial reporting.
In a major reversal of policy the company says it will be revealing the “secret” database field to tenants. The field was previously only viewable by other landlords, raising serious concerns about potential abuse. This represents a major victory for tenants rights across the country but it is a change that isn’t without its own controversies.
Previously, the Tenant Record generated by Landlord Credit Bureau had a field called “Landlords Experience Regarding This Tenancy” which consisted of six yes or no questions. It was made clear that this field was not shared with tenants, only other landlords.
Once the existence of the secret field was made public, Landlord Credit Bureau made a series of alterations to the tenant record which we documented here:
On Friday April 16th, this message was posted to the Landlord section of the LCB website:
There is some cause for celebration here because this secret field was potentially truly insidious. Imagine being a tenant on LCB and your record looks clean on your end, yet you keep getting denied apartments. You might never know the reason was a past landlord decided to answer “Yes” to one or more of the six questions. If you can’t see what you are being accused of, how can you correct it?
Making this field transparent to all users is a major victory for tenants who were being exploited by this field hidden to the advantage of landlords. What remains are serious concerns about how they are going about this process of “transparency”.
Note that the landlord is asked if they want to keep their responses as is or to reset the whole field in bulk for all their tenants. If the landlord doesn’t respond to this question by April 30th, LCB says they will reset the questions in the field.
We believe tenants have a right to see what their landlords reported about them in that field when they thought it was going to be a secret. Allowing landlords to reset their answers or resetting by default if landlords don’t respond in time denies tenants access to information that never should have been hidden from them in the first place and permits landlords to conceal potential abuse of this formerly landlords-only field.
If a landlord wrongly reported a tenant on one of the six questions and the reporting may have harmed the rental prospects of that tenant they have a right to know. They have a right to pursue their landlord for damages if they feel like this field was unfairly used against them. By wiping out the entries in this field before tenants get a chance to see them, Landlord Credit Bureau is essentially wiping out the evidence tenants would need in order to prove abuse or malfeasance on the part of their landlord.
It also demonstrates a shocking lack of confidence in the integrity of their data. Landlord Credit Bureau is so concerned about how landlords have been using this secret field that it would prefer to wipe the whole record clean rather than risk letting tenants see what was recorded in there.
Take note of the timing. They make the announcement on the website on the 16th of April. The landlord is told if they don’t answer by April 30th their answers in that field for all tenants will be reset. May 3rd they are going to let tenants see the field. Most landlords won’t be logging in to the site between April 16th and the 30th – by the 15th most reporting is finished for the month. It’s safe to assume many landlords won’t be logging in until May 1st and finding their records reset.
No proactive email communication went out to landlords or tenants about this major change. Nothing that would prompt the landlord to go log in and check their answers for accuracy. Nothing that would alert the tenant to the fact that there has been a secret field this whole time that is about to be revealed to them.
When we became aware of this change and the potential loss of crucial evidence it represented we immediately reported it to investigators from the Office of the Privacy Commissioner and the Ministry of Government and Consumer Affairs. We also provided the information to several elected officials who are working on the LCB file as well as journalists we have been working with.
In our letter to the Ministry of Government and Consumer Affairs we asked them to invoke their investigatory powers under the Consumer Reporting Act and obtain a warrant to search for and seize the Landlord Credit Bureau database and all backups. We are not made privy to details of the investigation so we do not know if anything like this was done, all we can confirm is that both agencies received our letter. At this point we can only assume they took whatever appropriate action is within their power.
The end of the LCB's secret field is a big win for tenants in Canada but now we need to know what was documented about us in that field. If the LCB want to be truly transparent they could release the unedited contents of the secret field to each tenant so they can review and verify. Until there is real transparency, where we get to hear what landlords will say about us when they think we can't hear them, this is little more than a coverup operation to protect landlords who LCB is clearly also concerned have abused the hidden field.
This post is the third (and final) in a series on known data security claims made by the Landlord Credit Bureau. See below for the previous entries:
I wanted to examine the last bit of the LCB Security Policy to make sure we covered the whole thing. The policy statement in question is here:
The claims about Amazon are fairly uncontroversial but do contain some points worth raising.
On the surface my main criticism is that Amazon AWS and Amazon RDS Encryption describe a whole host of technologies and capabilities that depend very much on the specific technologies implemented by the user.
Amazon RDS, for example, is Amazon Relational Database Service. It's a broad category description of a huge toolbox of technologies offered by Amazon. Generally speaking we can say that Amazon has a very robust security infrastructure and they do indeed contract for US military and intelligence work. What we don't know is what kind of technology stack LCB is using. Amazon RDS offers several database engines, each with their own advantages and drawbacks: some are free and open source (PostgreSQL, MySQL, MariaDB), some are expensive commercial products (Oracle, SQL Server). Encryption at rest is likewise a per-instance option the customer has to turn on, not something every RDS database has.
Without this specific knowledge it's difficult to critique these claims effectively. On the whole it's at least encouraging from a data security perspective because Amazon RDS does not give customers root-level access to the underlying systems and manages OS patching and engine upgrades, reducing the probability of some unpatched vulnerability exposing their database to hackers. That only covers the managed layer, though: whether the instance is encrypted at rest, whether it is reachable from the public internet, which region it lives in and whether the web application in front of it can be tricked into leaking data all remain the customer's choices, and a line reading "Amazon RDS Encryption" says nothing about how those choices were made. Other than that and agreeing overall with the physical security advantages of Amazon's data centres there isn't much more to intelligently add.
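To make that concrete, here is an added example (not code from this page or from LCB) of what an "RDS encryption" claim actually depends on: a small audit over the output of boto3's describe_db_instances call, run against a constructed response rather than a live account so it works offline. It checks the settings the customer, not Amazon, is responsible for: encryption at rest, public accessibility, the region the data sits in, automatic patching and backups. The instance names, account number and key ID are made up.

```python
"""Audit the RDS instance settings an 'Amazon RDS Encryption' claim depends on."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of boto3 rds.describe_db_instances() output.
# For a real account: boto3.client("rds", region_name=...).describe_db_instances()
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "tenant-records",
            "DBInstanceArn": "arn:aws:rds:ca-central-1:123456789012:db:tenant-records",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:ca-central-1:123456789012:key/00000000-0000-0000-0000-000000000000",
            "PubliclyAccessible": False,
            "AutoMinorVersionUpgrade": True,
            "BackupRetentionPeriod": 7,
            "DeletionProtection": True,
        },
        {
            "DBInstanceIdentifier": "reporting-copy",
            "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:reporting-copy",
            "Engine": "mysql",
            "StorageEncrypted": False,
            "PubliclyAccessible": True,
            "AutoMinorVersionUpgrade": False,
            "BackupRetentionPeriod": 0,
            "DeletionProtection": False,
        },
    ]
}


def region_from_arn(arn: str) -> str:
    """ARN layout is arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def audit_instance(db: Dict, allowed_regions: Tuple[str, ...] = ("ca-central-1",)) -> List[str]:
    """Return a list of findings for one instance; an empty list means clean."""
    findings = []
    region = region_from_arn(db["DBInstanceArn"])
    if region not in allowed_regions:
        findings.append(f"stored outside allowed regions ({region})")
    # Encryption at rest is chosen at creation time; it is not on by default.
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted at rest (StorageEncrypted is off)")
    # A public endpoint exposes the database to the whole internet, subject only
    # to security-group rules and the database password.
    if db.get("PubliclyAccessible", False):
        findings.append("publicly accessible endpoint")
    # Amazon patches the OS, but engine minor-version upgrades are opt-in.
    if not db.get("AutoMinorVersionUpgrade", False):
        findings.append("automatic minor version upgrades disabled")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append("automated backups disabled")
    if not db.get("DeletionProtection", False):
        findings.append("deletion protection off")
    return findings


def audit_rds_instances(response: Dict, allowed_regions: Tuple[str, ...] = ("ca-central-1",)) -> Dict[str, List[str]]:
    """Map every instance identifier in a describe_db_instances response to its findings."""
    return {
        db["DBInstanceIdentifier"]: audit_instance(db, allowed_regions)
        for db in response["DBInstances"]
    }


if __name__ == "__main__":
    for name, findings in audit_rds_instances(SAMPLE_RESPONSE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The constructed "tenant-records" instance passes every check and "reporting-copy" fails all six, which is the point: two databases can both sit behind the same "we use Amazon RDS" sentence and have completely different exposure.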
What we did find interesting was when we went to try and verify that Landlord Credit Bureau was indeed using Amazon Web Services. One signature to look for is in the domain's DNS: sites that host their DNS on Amazon's service, Route 53, delegate the domain to name servers of the form ns-NNN.awsdns-NN.com (or .net, .org, .co.uk), and those show up in a WHOIS lookup.
Note that this only tells you where the DNS is hosted. AWS does not require customers to use Route 53, so a domain can sit on any registrar's name servers and still point at Amazon servers; the stronger test is to resolve the host name to an IP address and check it against the list of address ranges Amazon publishes. Thinking the name servers would at least be an easy first check we did some digging through their WHOIS records. We found a few matters of interest but we'll start with the Amazon claims.
First though we need to take a look at how users interact with the LCB websites and the actual LCB web application.
Since we are Canadian users, we are going to start with the Canadian version of the LCB website – landlordcreditbureau.ca
1. The IP address geolocates to Canadian servers, so we can be fairly comfortable knowing the data being stored and transmitted from this address is at least staying in Canada (geolocation is based on the network operator's registration data, so treat it as a strong hint rather than proof).
2. The domain name registrar they used has made their WHOIS record private, which is standard practice now for most internet domains.
The reason I bring up point #2 is that when I registered the domain for Landlord Credit Bureau Facts, my WHOIS information was also kept private by my registrar, DreamHost. Again, this is a standard practice: you don't have to ask for it, you don't have to pay extra.
In his lawsuit against us, Zac Killam claims that by having my WHOIS information kept private (a default setting for all new registrations) I was “hiding” my identity:
So I find it very interesting that when I check the WHOIS for his websites, the records are all private. He accuses me of some kind of plot to hide my identity when his domains are set up the exact same way. Should I assume he is trying to hide his identity? What nefarious plot is he hiding here? Or are we just talking about a standard feature of all new domain registrations in the modern era of the internet? Readers can judge for themselves.
This doesn’t paint the whole picture however, since the actual Landlord Credit Bureau web application doesn’t run off the Canadian .ca domain. Requests to sign in to either the Tenant or Landlord side of the application, regardless of what country the user is logging in from all go through this URL: app.landlordcreditbureau.com
So let’s look at the WHOIS for landlordcreditbureau.com
Some really interesting things happening on this record but let's start with the Amazon claim. If we focus in on the Name Servers section of the WHOIS record you can see they are the DNS servers of their domain registrar, EasyDNS. If their DNS were hosted on Route 53 we would expect to see Amazon name servers here, not the EasyDNS servers.
Based on this evidence alone one might conclude that Landlord Credit Bureau aren't using Amazon Web Services because there is no sign of Route 53 in their DNS setup. Case closed, right?
It took a bit of a deep dive but I think it’s pretty easy now to see that while we can’t explicitly prove they are using AWS and other Amazon technologies they are certainly set up to do so. Given the evidence I’ve been able to assemble so far I see no reason to doubt their Amazon claims at this time.
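As an added example (not code from the original post), the following script keeps the two signals discussed above apart. The name-server check recognises Route 53 hosted zones by their ns-NNN.awsdns-NN pattern; the address check looks the server's IP up in the prefix list Amazon publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, of which a constructed excerpt is embedded so the script runs offline. The host name, name servers and addresses in the usage example are made up; in practice the inputs come from a WHOIS lookup or from `dig NS` and `dig A` against the host.

```python
"""Is this host on AWS? Check DNS delegation and the server IP separately."""
import ipaddress
import json
import re
from typing import Dict, List, Optional

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# For a live check, download that file and pass json.load(...) as `ranges`.
SAMPLE_IP_RANGES = json.loads("""{
  "prefixes": [
    {"ip_prefix": "52.60.0.0/16",     "region": "ca-central-1", "service": "EC2"},
    {"ip_prefix": "3.96.0.0/15",      "region": "ca-central-1", "service": "EC2"},
    {"ip_prefix": "3.208.0.0/12",     "region": "us-east-1",    "service": "EC2"},
    {"ip_prefix": "205.251.192.0/21", "region": "GLOBAL",       "service": "ROUTE53"}
  ]
}""")

# Route 53 hosted-zone name servers look like ns-1234.awsdns-56.org
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.IGNORECASE)


def is_route53_ns(nameserver: str) -> bool:
    """True if a WHOIS/NS entry is an Amazon Route 53 name server."""
    return bool(ROUTE53_NS.match(nameserver.strip()))


def aws_region_for_ip(ip: str, ranges: Dict = SAMPLE_IP_RANGES) -> Optional[str]:
    """Return the AWS region that owns `ip` according to the published prefix
    list, or None if the address is in no AWS range. When prefixes overlap,
    the most specific (longest) one wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in ranges["prefixes"]:
        net = ipaddress.ip_network(entry["ip_prefix"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry["region"])
    return best[1] if best else None


def assess_hosting(host: str, nameservers: List[str], ip: str,
                   ranges: Dict = SAMPLE_IP_RANGES) -> Dict:
    """Combine both signals. DNS hosting and web hosting are independent
    decisions, so only the IP result says anything about where the site runs."""
    region = aws_region_for_ip(ip, ranges)
    return {
        "host": host,
        "dns_on_route53": any(is_route53_ns(ns) for ns in nameservers),
        "server_on_aws": region is not None,
        "aws_region": region,
    }


if __name__ == "__main__":
    # Constructed inputs: registrar-hosted DNS plus an address in a ca-central-1 range.
    print(assess_hosting(
        "app.example.com",
        ["dns1.example-registrar.com", "dns2.example-registrar.net"],
        "52.60.10.10",
    ))
```

With those made-up inputs the result is dns_on_route53 False but server_on_aws True in ca-central-1: a domain parked on a registrar's name servers that nonetheless fronts an Amazon-hosted server. The reverse also happens, so neither signal should be read alone.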
Moving on from Amazon, let’s focus in on something that really jumped out at me the first time I saw this record: the IP address for the server is located in the United States, in Ashburn Virginia to be precise and under a GoDaddy.com ASN.
It’s a legit data center, well appointed and with physical security features that you would expect from a facility of its kind.
What concerns me about this record is that it reveals that all of the tenant data being generated in Canada is being stored in the United States. Every time a landlord logs in to the service the data is being sent to and recovered from the US. Every time a tenant logs in to the service that data is being sent to and recovered from the US.
Recall that this is highly sensitive information about Canadians – rental payment history, home address, your Equifax credit score, name, date of birth, details of problems you’ve had with the landlord, comments from the landlord about you. All of it hopping across the border to servers in the United States.
Why is this significant?
When your data leaves Canada and gets stored on servers in the US, that data is now subject to US law. There is no comprehensive US federal privacy law; only sector-specific statutes (the Fair Credit Reporting Act for consumer reports, for example) and individual state laws apply. Your data is also subject to search and seizure by US law enforcement and to access by US intelligence agencies under provisions such as the USA PATRIOT Act, and the CLOUD Act lets US authorities compel US-based providers to hand over data regardless of the country it is stored in.
Virginia is only the second state in the US, after California, to adopt a comprehensive privacy law. It only did so on March 4 2021, just over a month before this writing; the law does not take effect until January 1, 2023, and it isn't as robust or tested as PIPEDA is in Canada. It also applies only to businesses that handle the personal data of 100,000 or more consumers, or 25,000 if more than half of their revenue comes from the sale of personal data.
It’s also worth noting that Quebec and Alberta prohibit businesses from storing Canadians personal data outside Canada entirely. LCB doesn’t operate in Quebec, but they do in Alberta. In fact, their legal framework page has a full Alberta section but none of it mentions how its legal for them to store your data in the US.
Here in Ontario, the LCB is governed by the Consumer Reporting Act as they are a licensed Credit Reporting Agency. Does the CRA have anything to say about storing data outside of Canada?
If we look at a comparison of service packages published by Landlord Credit Bureau on the landlord portal there’s this entry, which seems to indicate your data isn’t just being shared with Canadian landlords but potentially with landlords all over the world. They claim to be the “only international tenant database”.
In conclusion, Landlord Credit Bureau is storing your data in the US, possibly in contravention of Canadian laws. This also means your data is now subject to US laws and to search by US law enforcement and intelligence agencies. To most Canadians this isn’t exactly comforting.
Last week we took a look at Landlord Credit Bureau’s claims about EI3PA data security compliance and found they left us with more questions than answers. You can check out that coverage here:
NOTE: Since publishing the above post last week, Landlord Credit Bureau has removed all references to being EI3PA compliant from its website without noting the change.
Here is how their FAQ looked last week:
Here is what it looks like this week:
So were they mistaken about being EI3PA compliant or did they deliberately mislead the public about their practices? If they can’t be honest or accurate about their data security claims, how secure do you think your data is?
Today we are going to examine the first half of their published Security Policy. You can view their policy here.
The first paragraph is notable only for the fact that the writer chooses to highlight the site’s use of SSL encryption. That’s fine as far as it goes: TLS (what “SSL” means in practice today) keeps data confidential while it travels between their site and your device, but it is commonplace, table-stakes technology. Browsers now flag plain HTTP pages as “Not secure” and Google treats HTTPS as a ranking signal, so practically every site has it. It also says nothing about how your data is protected once it reaches their servers, which is where the sensitive part of this story lives. It’s not the first technology I’d be invoking to assure users of my system that their highly sensitive personal information was safe.
The second paragraph is where things get interesting because specific technology and methodology are addressed a bit. First they claim that unique usernames allow them to track and audit user activity, which again is fair enough and what you’d expect. It would be good to know what kinds of events are logged (logins, views of a tenant’s file, edits to a record), how long those logs are kept and who reviews them, but otherwise I take no issue with this part.
Hashing passwords is the practice of not storing a user’s actual password in a database table but instead storing a one-way hash of it: a fixed-length value computed from the password that cannot be reversed back into the password, only recomputed and compared when the user logs in. It is often loosely described as “encrypting” the password, but there is no key and nothing to decrypt, and that is exactly the point: an attacker who steals the table still has to guess. The ins and outs of it are complex if you aren’t well versed in cryptography (and I’m no expert in it) but if you want a primer on basic crypto jargon and how some of it works The Guardian has a pretty informative piece here. Let me stand on the shoulders of giants a bit and offer their explanation:
The password hashing function deployed by Landlord Credit Bureau is called bcrypt. The Guardian piece helpfully has a section on the technology so once again I will defer to them:
As I understand it, bcrypt is a deliberately slow hashing function: it has a tunable cost setting that makes each hash take a long time to compute, so that guessing passwords one at a time becomes expensive. This is what people mean when they call cracking it “computationally infeasible”, and against a long, random password it genuinely can mean millions of years of guessing. The catch is that the figure depends entirely on how many guesses the attacker needs to make, not just on bcrypt.
This sounds like a highly secure system and it is, in theory. It’s deployed all over the place protecting your passwords for all kinds of things. In practice, how much protection bcrypt gives depends on how the site configures it (the Work Factor, which we’ll get to), on the passwords users actually choose, and on what kind of hardware and software tools the attacker has at their disposal.
Let’s look at two example cases.
Workplace-focused team chat app Slack was hacked in March of 2015. They used bcrypt to hash user passwords, as reported by TechCrunch:
In the case of the Slack hack, attackers who got into the infrastructure were able to plant code that captured passwords in plain text as users entered them, before hashing ever happened. bcrypt did its job, but the infrastructure around it failed. The impact could still be felt at Slack four years later, when they had to force password resets on 100,000 more accounts they confirmed had been compromised in 2015.
So it’s clear that even when bcrypt works, it depends on the rest of the application’s infrastructure also being secure. A slow hash protects stolen hashes; it does nothing for a password captured before it is hashed.
A more concerning example is the infamous Ashley Madison breach of July 2015 (the data was dumped publicly that August). This time hackers were able to obtain the database for the popular adult “affair seekers” website and directly attack the user passwords, which were protected by bcrypt.
Once again, what we are seeing is not a vulnerability in bcrypt being exploited but rather attackers taking advantage of errors in the site’s programming. Researchers noticed that, alongside the bcrypt hashes, the site stored a separate login token computed with fast, unsalted MD5 from the lowercased username and password. Cracking that token and then trying the handful of case variations against bcrypt recovered over 11 million passwords without ever brute-forcing bcrypt itself. So far, bcrypt hasn’t been the point of failure in these examples.
So what about directly attacking a bcrypt hash? How long would it take?
To understand that we need to understand something called the Work Factor, also called the cost. It isn’t a general measure of how hard a code is to break; it is a setting baked into every bcrypt hash that controls how many internal rounds the function runs. bcrypt performs 2 to the power of the cost rounds of key setup, so each time the cost goes up by one, every hash takes twice as long to compute, for the site and for the attacker alike.
Going by the above benchmark from 2016, a Work Factor (cost) of 5 allows a pretty standard desktop server to compute 384.04 hashes per second, and a specialized rig of 8 high-end GPUs to compute 115,642 hashes per second. As you raise the cost, the number of hashes per second halves with each step, which is why sites don’t simply crank it to the maximum: every login has to compute one hash, so too high a cost becomes a bottleneck for the performance of your site or application.
So how long to crack these different Work Factors?
This chart assumes you are using the same kind of high-end GPU rig. The main factor after Work is what kind of password scheme you are implementing. Ironically, we can see that passwords which would be considered PCI DSS compliant are the most vulnerable. A Work Factor 5, PCI compliant password could be cracked in a mere 5 days.
So what kind of password is the Good kind that’s taking 29 million years to crack?
The US Department of Commerce National Institute of Standards and Technology published its Digital Identity Guidelines (Special Publication 800-63B) in 2017. You can read the full paper here.
Here are their findings about passwords (referred to there as Memorized Secrets):
These guidelines are a long way from being widely adopted. Most sites still enforce the old composition rules and skip the blocklist of commonly used and previously breached passwords, so in practice bcrypt is often being asked to protect exactly the kind of passwords it cannot save.
Technology deployed by attackers has come a long way since these 2015 breaches as well. GPUs still dominate cracking for most hash types, but bcrypt is an awkward fit for them: its inner loop hammers a 4 KB table with data-dependent lookups that GPUs handle poorly. Specialist crackers have therefore moved bcrypt onto clusters of Field Programmable Gate Arrays, or FPGAs, and the performance gains are large.
Here are Scattered Secrets’ benchmarking numbers for CPU and GPU based hashing:
Now here is a comparison between a single GPU and a single FPGA:
FPGAs can run 4x the hashing operations of a normal GPU. When clustered in an array of 18 FPGAs:
So that’s 2.1 million bcrypt attempts per second, all in one neat little 4U rack mountable package. Keep in mind that any such figure is tied to a particular Work Factor: halve it for every step up in cost.
Scattered Secrets began using a cluster of 4 of these arrays to achieve over 8 million attempts per second.
These devices dramatically alter the time considerations for brute force cracking bcrypt and other hash functions. But how effective is FPGA-based bcrypt cracking in real world scenarios?
Scattered Secrets were able to put it to the test in 2019 when the database of Dutch adult web forum Hookers.nl was leaked to the web. The site used a mix of older MD5 hashed passwords and newer bcrypt hashed passwords. In just 3 days the group was able to crack 57% of the total user passwords on the site using very basic dictionary attacks.
How did they perform against bcrypt? In 3 days they were able to crack 11,675 of the passwords protected by bcrypt – 24% of the total.
The vulnerability? Weak passwords that are easily recognized by dictionary-based cracking software. You use dictionaries to help you make educated guesses about passwords, dramatically reducing the amount of time needed to crack them. Here are the top 35 passwords used by users of Hookers.nl:
What we are seeing is that whether bcrypt is “secure” depends on factors that have little to do with bcrypt itself. What really counts are the Work Factor and how guessable the passwords are; a hash that costs the attacker a tenth of a second per guess is no obstacle when the right guess is in the first thousand. Since we know Landlord Credit Bureau doesn’t enforce any password rules resembling the type recommended by groups like NIST, it’s safe to assume there are plenty of accounts which would be vulnerable to this kind of attack.
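To make the “it depends on the password, not on bcrypt” point concrete, here is an added example of my own for this post; it is not code from Landlord Credit Bureau, Scattered Secrets or The Guardian. bcrypt isn’t in Python’s standard library, so a salted PBKDF2-HMAC-SHA256 with a low iteration count stands in for bcrypt and its Work Factor; the mechanics are the same. It hashes a handful of constructed accounts, runs the same kind of dictionary attack that was used against Hookers.nl with a constructed common-password list (the real top-35 list is not reproduced here), and then applies a check in the spirit of the NIST guidance above to show that the passwords that fall are exactly the ones a blocklist would have rejected, including ones that satisfy a typical “upper, lower, digit, 8 characters” composition rule.

```python
"""Dictionary attack against salted slow hashes, beside the blocklist check
that would have rejected the passwords that fall.

Added example for this post; not code from Landlord Credit Bureau, Scattered
Secrets or The Guardian. PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not
in the Python standard library); its iteration count plays the role of the
Work Factor. Every account, password and word-list entry here is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Stand-in for bcrypt's Work Factor. Deliberately low so the demo runs in
# about a second; real deployments use far more.
ITERATIONS = 10_000

# Constructed stand-in for a leaked "top passwords" list such as the one
# recovered from Hookers.nl (the real list is not reproduced here).
COMMON_PASSWORDS: List[str] = [
    "123456", "password", "12345678", "qwerty", "welkom", "wachtwoord",
    "Password1", "letmein", "111111", "abc123", "hockey", "Toronto1!",
    "Hamilton2021", "Summer2020", "iloveyou", "monkey", "dragon", "baseball",
]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per password means two
    users with the same password get different digests, so one cracked
    digest cannot be matched against the rest of the table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Verification recomputes the hash and compares in constant time.
    Nothing is decrypted: a hash is one-way, it can only be recomputed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(store: Dict[str, Tuple[bytes, bytes]],
                      wordlist: List[str]) -> Dict[str, str]:
    """Try every word against every account; return {user: password} for
    those that fall. The attacker pays one slow hash per (account, word)
    pair, so a small word list finishes fast no matter how slow the hash,
    and an uncracked account costs exactly len(wordlist) hashes."""
    cracked: Dict[str, str] = {}
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked


def nist_style_check(password: str, blocklist: Set[str]) -> List[str]:
    """Checks in the spirit of NIST SP 800-63B section 5.1.1.2: a minimum
    length of 8, rejection of values on a list of commonly used passwords
    (compared case-insensitively), and no composition rules. Returns the
    reasons for rejection; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in {word.lower() for word in blocklist}:
        problems.append("appears on the common-password blocklist")
    return problems


# Constructed accounts. "Hamilton2021" and "Password1" would pass a typical
# "8 characters, upper, lower and digit" composition rule, yet both sit on
# the list an attacker tries first.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "landlord_a": "Hamilton2021",
    "landlord_b": "Password1",
    "tenant_c": "123456",
    "tenant_d": "correct-horse-battery-staple",   # long passphrase, not on the list
    "tenant_e": "9f!Qz#v2Lp$w8",                  # random, not on the list
}


def build_store() -> Dict[str, Tuple[bytes, bytes]]:
    """What a breached password table looks like: one (salt, digest) per user."""
    return {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def run_demo() -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Attack the constructed table, and show which of those same passwords a
    NIST-style check would have refused at registration time."""
    store = build_store()
    cracked = dictionary_attack(store, COMMON_PASSWORDS)
    rejected = {user: nist_style_check(pw, set(COMMON_PASSWORDS))
                for user, pw in SAMPLE_PASSWORDS.items()}
    return cracked, rejected


if __name__ == "__main__":
    cracked, rejected = run_demo()
    print("cracked by dictionary attack:", cracked)
    print("would have been rejected by a NIST-style check:",
          {user: why for user, why in rejected.items() if why})
```

Run it and the three accounts using list passwords fall within a second, while the passphrase and the random string cost the attacker the whole word list for nothing. Raising ITERATIONS (the Work Factor) slows both the attacker and every legitimate login by the same factor; it changes how long the weak accounts take to fall, not whether they do. The blocklist check flags the same three accounts before a hash is ever stored.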
Let’s assume a fairly robust Work Factor for LCB though. Ashley Madison used a Work Factor of 12 back in 2015 and its bcrypt hashes were never brute-forced directly; the passwords fell through other programming mistakes. How would a Work Factor 12 site stand up, even with ordinary PCI compliant passwords?
Back in 2016 the benchmark was 641 days to break a Work Factor 12 password using an 8-GPU cluster, which managed just over 900 hashes per second. Scattered Secrets’ figures put one FPGA at about 4x one GPU, so a single FPGA is roughly half of that 8-GPU rig and would need about 1,280 days on its own. One 18-FPGA array is the equivalent of 72 GPUs, nine times the 2016 rig, which brings the 641 days down to about 71; the four-array cluster is 36 times the rig, or about 18 days. Those figures are for grinding through the whole “PCI” guess space; a password that appears in a leaked list falls in seconds at any cost factor. Given current technology I’d consider even Work Factor 12 to be within reach of brute force for ordinary passwords, and that capability will only increase as the technology improves.
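Here is the arithmetic above as a small model, an added example that is not from the original post, from LCB or from Scattered Secrets. It uses only the figures quoted in the post: the 2016 benchmark of 641 days at roughly 900 hashes per second for 8 GPUs at Work Factor 12, the 4x FPGA-to-GPU ratio, and the 18-FPGA array and 4-array cluster. It assumes the 641-day chart was measured at cost 12 and that crack time scales inversely with total hash rate. It also works out the guess space the benchmark implies (641 days at 900 per second is about 5 x 10^10 guesses) and what cost factor it would take to push the 72-FPGA cluster back to the 2016 timescale.

```python
"""Scaling bcrypt crack times across Work Factors and hardware.

Added example for this post; not code from the original, from Landlord Credit
Bureau or from Scattered Secrets. Inputs are the figures quoted in the post:
the 2016 benchmark (an 8-GPU rig, about 900 cost-12 hashes/s, 641 days for
the 'PCI' password scheme), the claim that one FPGA does about 4x the work of
one GPU, and the 18-FPGA array and 4-array cluster. Assumed here: the 641-day
figure was measured at cost 12, and crack time scales inversely with total
hash rate.
"""
from typing import Dict

SECONDS_PER_DAY = 86_400

# Figures quoted in the post (2016 GPU benchmark and Scattered Secrets' ratio).
GPU_RIG_SIZE = 8                 # GPUs in the 2016 rig
GPU_RIG_RATE_COST12 = 900.0      # bcrypt hashes/s for the whole rig at cost 12
GPU_RIG_DAYS_PCI = 641.0         # days that rig needed for the 'PCI' scheme
FPGA_TO_GPU_SPEEDUP = 4.0        # one FPGA ~ 4x one GPU (post's figure)
FPGAS_PER_ARRAY = 18             # one 4U array
ARRAYS = 4                       # the 2019 cluster


def rate_at_cost(rate_at_reference: float, reference_cost: int, target_cost: int) -> float:
    """bcrypt runs 2**cost rounds of key setup, so every +1 on the cost halves
    the hash rate and every -1 doubles it."""
    return rate_at_reference / 2.0 ** (target_cost - reference_cost)


def implied_guess_space(days: float, hashes_per_second: float) -> float:
    """How many candidates a benchmark must have tried to take `days` at that rate."""
    return days * SECONDS_PER_DAY * hashes_per_second


def days_to_crack(guesses: float, gpu_equivalents: float, cost: int) -> float:
    """Days to run `guesses` candidates on a rig of `gpu_equivalents` at `cost`,
    scaled from the 2016 per-GPU rate at cost 12."""
    per_gpu = rate_at_cost(GPU_RIG_RATE_COST12, 12, cost) / GPU_RIG_SIZE
    return guesses / (per_gpu * gpu_equivalents) / SECONDS_PER_DAY


def pci_scheme_days(gpu_equivalents: float, cost: int) -> float:
    """The post's 'PCI' benchmark re-run on other hardware and cost settings."""
    guesses = implied_guess_space(GPU_RIG_DAYS_PCI, GPU_RIG_RATE_COST12)
    return days_to_crack(guesses, gpu_equivalents, cost)


def fpga_days(fpgas: int, cost: int) -> float:
    """Same, for a rig of `fpgas` FPGAs at the post's 4x-a-GPU ratio."""
    return pci_scheme_days(fpgas * FPGA_TO_GPU_SPEEDUP, cost)


def cost_to_restore(target_days: float, gpu_equivalents: float) -> int:
    """Smallest bcrypt cost at which the given rig needs at least `target_days`
    for the 'PCI' scheme. bcrypt allows costs 4..31."""
    for cost in range(4, 32):
        if pci_scheme_days(gpu_equivalents, cost) >= target_days:
            return cost
    return 31


def comparison_table() -> Dict[str, float]:
    """Crack time in days for the post's 'PCI' scheme on each rig discussed."""
    cluster = FPGAS_PER_ARRAY * ARRAYS
    return {
        "8 GPUs, cost 12 (2016 benchmark)": pci_scheme_days(GPU_RIG_SIZE, 12),
        "1 FPGA, cost 12": fpga_days(1, 12),
        "18 FPGAs (one array), cost 12": fpga_days(FPGAS_PER_ARRAY, 12),
        "72 FPGAs (four arrays), cost 12": fpga_days(cluster, 12),
        "72 FPGAs, cost 10": fpga_days(cluster, 10),
        "72 FPGAs, cost 14": fpga_days(cluster, 14),
    }


if __name__ == "__main__":
    guesses = implied_guess_space(GPU_RIG_DAYS_PCI, GPU_RIG_RATE_COST12)
    print(f"guesses implied by the 2016 benchmark: {guesses:.3g}")
    for label, days in comparison_table().items():
        print(f"{label:36s} {days:8.1f} days")
    needed = cost_to_restore(GPU_RIG_DAYS_PCI, FPGAS_PER_ARRAY * ARRAYS * FPGA_TO_GPU_SPEEDUP)
    print(f"cost needed for 72 FPGAs to take 641+ days again: {needed}")
```

The table reproduces the 641 days for the 2016 rig, then 1,282 days for one FPGA, about 71 for one array and about 18 for the four-array cluster; dropping to cost 10 cuts that to under five days, and it takes cost 18 before the 72-FPGA cluster is back to needing 641 days. Each step of cost is a factor of two for defender and attacker alike, so the defender buys time only in doublings while the attacker buys it in racks.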
In the case of the Landlord Credit Bureau, let’s highlight some risk factors:
Cryptographically strong passwords not enforced on the site
Unknown bcrypt Work Factor (anything less than 12 with their password schema should be considered easily crackable)
No two-factor authentication
Potential vulnerabilities in other aspects of the LCB infrastructure that could be exploited in order to reveal passwords and other data
The currently published Security Policy of the Landlord Credit Bureau doesn’t do anything to address these risk factors, nor does it reveal any kind of corporate quality system that would address things like routine vulnerability testing. Adoption of standards like PCI DSS and ISO 27001 would be very welcome first steps towards a more robust and open model for data security but as we have seen, even these standards have been found to be lacking when it comes to meeting the challenges of the modern Internet.
Next time we will take a look at the rest of the Security Policy and examine the claims being made.
This evening we received an amended notice of civil claim from Blakes law firm on behalf of Zac Killam and the Landlord Credit Bureau. Note that it is from Iris Fischer, the new lawyer leading the case, and not Laura Cundari who originally launched the suit. Why the change? Never did get an answer on that.
All the copyright infringement claims have been dropped.
They have dramatically decided to label our website, blog and Twitter account the “Unlawful Blog” and “Unlawful Twitter Account”.
They added the Twitter account, which was not active prior to the first lawsuit.
They’ve added a whole bunch of “defamatory statements” to the list of issues they take with the blog. Literally every single one of the things they take issue with is demonstrably true or well within fair commentary.
They now claim that we have a “vendetta” against Landlord Credit Bureau and Zac Killam. Why? What prompted such a vendetta? They don’t even bother to speculate, they just assert it and run with it.
It’s also notable that Mr. Killam has not opted to sue QP Briefing or The Hamilton Spectator. I have a feeling he’s not going to sue Canadaland either.
NOTE: Since publishing this post last week, Landlord Credit Bureau has removed all references to being EI3PA compliant from its website without noting the change. So were they mistaken about being EI3PA compliant or did they deliberately mislead the public about their practices?
Here is what the FAQ section looks like now:
While reviewing a copy of the Frequently Asked Questions section of the Landlord Credit Bureau site for tenants something jumped out at me immediately when they began talking about data security.
A longtime concern of mine has been how LCB stores its data and to what extent it is compliant with existing standards for Information Technology security in general and sensitive payment data in particular. To date I’ve only seen vague claims of compliance with “regulatory bodies”.
With the discovery of the FAQ that LCB publishes on the tenant member section of its website we’ve found new claims they’ve made about data security that are extremely troubling. Let’s take a look.
Experian is a competitor to Equifax and TransUnion. Notably they have not operated in Canada since April of 2009.
So why is Landlord Credit Bureau saying they are EI3PA compliant when this certification is only for doing business with Experian and they don’t do business with Experian? When it’s impossible for them to be doing business with Experian in Canada? Great questions. Presumably only Zac Killam knows how they are making this very specific claim of data security certification which is obviously not correct.
LCB is in business with Equifax in both its Canadian and US operations so they can’t even claim it’s for the US side of the business. It’s truly baffling.
Since we know they are doing business with Equifax, let’s just examine the data security standards that we know Equifax claims compliance with. We know a lot about the data protection standards Equifax has implemented because of an investigation into their security practices by the Privacy Commissioner of Canada following the 2017 data breach that exposed the personal data of some 143 million Equifax customers (a figure Equifax later revised upward to about 147 million).
Here is a summary of the oversight mechanisms Equifax reported to the Privacy Commissioner:
The two main data security compliance models used by Equifax are ISO 27001, which is an Information Security Management certification and PCI DSS which is a certification system for payment card data security. No mention of EI3PA because it’s not a standard used by anyone but Experian.
What is true is that the EI3PA is basically the same program as PCI DSS, just tweaked for credit reporting and exclusive to Experian data aggregators. What is also true is that the Privacy Commissioner found that ISO 27001 compliance and PCI DSS compliance was insufficient in the case of Equifax for protecting customer data.
If we are expecting Landlord Credit Bureau to be at least as secure as Equifax – and we should considering they are handling the same kind of sensitive personal information and credit data – then at a minimum we’d expect to see ISO 27001 and PCI DSS certifications. So when LCB claims to be compliant in a security standard that is vendor-specific for a vendor that doesn’t even operate in this country I start to get very worried about the actual integrity of their data because it sounds an awful lot like they are just making it up. If they are willing to make up their data security compliance regime, what do you think their actual security practices are like?
Unfortunately the concerns don’t end here. Recall that their statement in the FAQ said that they “won’t go into detail here because we don’t want to share with hackers”. Not only is this a really weird thing for a company tasked with storing credit information about you to say, it also runs against the way open information security standards work, including the EI3PA program they claim to be compliant with.
Compliance regimes like ISO 27001 or PCI DSS rely on openly published standards that anyone with the time and inclination can go look up and evaluate for themselves, and an organization that has actually been assessed can say so plainly: which standard, which version, which assessor and what scope. Obscurity is not security, and thinking you are protecting yourself by refusing to describe your security standards is not an industry best practice, it’s a naive delusion.
The fact is, what security professionals the world over rely on is openly published and vetted standards and practices that are frequently presented as challenges to hackers. There are no big secrets in this world, just people who are diligent in their tradecraft and people who aren’t.
Worse in this case though is that LCB claims this EI3PA certification, and part of getting that certification is maintaining a formal, documented information security policy (PCI DSS Requirement 12, which EI3PA mirrors). The policy itself needn’t be posted on the web, but a company that has one has no trouble stating what it covers, and the only thing LCB will say publicly is that it won’t say.
Here is what Landlord Credit Bureau has published in public about their data security policies:
None of this even mentions EI3PA or any other kind of data security certification.
Looking for more evidence of this EI3PA compliance, I take note of the following from the RSI Security website’s breakdown of the standard:
The Landlord Credit Bureau tenant and landlord portals do not support multi-factor authentication. To be fair about what the standard demands: PCI DSS, and EI3PA after it, require MFA for administrative and remote access into the environment that holds the data, not necessarily for every customer login. But an administrative login reachable from anywhere on the internet without MFA (see the WordPress login page below) is squarely the case the requirement is aimed at, and for a database this sensitive, MFA for landlords who can pull tenant files is the least one would expect. So once again, even if EI3PA certification were relevant to LCB operations in Canada, they would still not be compliant with the standard.
Another red flag that comes up is the EI3PA standard for avoiding vendor-supplied defaults. This is a common information security practice as many hardware and software vendors provide their wares with a bunch of default settings already enabled. Part of the discipline of information security is keeping these defaults from being exploited. This often involves disabling or otherwise altering the default setting so it cannot be easily exploited.
If you visit the following URL on the Landlord Credit Bureau website you will be taken to a login page that allows administrator access to the site (https://landlordcreditbureau.ca/wp-login.php). The LCB site runs on the popular content management software WordPress, and /wp-login.php (along with /wp-admin/) is the default administrative login location WordPress ships with. Leaving it reachable from anywhere is not itself a breach, but it is exactly the kind of vendor default the standard tells you to change: it hands attackers a known address to throw leaked credentials and brute-force guesses at. The usual fixes are to restrict the login URL to known IP addresses, rate-limit failed attempts and require MFA on every administrator account.
Once again we can see that Landlord Credit Bureau is not compliant with the EI3PA certification standard. Nor would any of these issues see them in compliance with PCI DSS or ISO 27001. These observations should raise serious concerns in the minds of anyone who has their data being stored and used by Landlord Credit Bureau at this point. The Ministry of Government and Consumer Affairs needs to demand an audit into LCBs data security practices in order to restore public confidence.
As reported in The Hamilton Spectator as well as this blog, Landlord Credit Bureau had set up a secret field in their tenancy records that only other landlords can see, posing some obvious questions about how tenants can even dispute reports they aren’t able to see.
Originally, the tenant record contained a field that looked like this:
In response to the Hamilton Spectator piece, Zac Killam took to Outline.com, using the annotation feature to defend himself and his business.
In those annotations, Zac Killam addresses the question of the secret field, something he didn’t do when given the opportunity by the Spectator.
In it he defends the practice, comparing it to a landlord phoning references. This comment was made on March 25 2021.
By March 30th however, the language on the tenancy record changed:
Suddenly, the information IS shared with the tenants. Funny there’s no announcement of this big change.
Now by April 7th things have changed again and we have not one but two variant tenancy records with very different language. The first reads as follows:
Now it’s kind of difficult to tell if this field is shared between all parties or not. The language is very unclear and seems to leave things up to the landlord to ask the tenant about things reported in this field to “verify” them. Which really sounds like what LCB should be doing in the first place – sharing this field with tenants so they can see it and dispute it. Putting the onus on the landlord allows them to keep collecting and hiding this data.
Confusing the matter further is the existence of another sample tenancy record with much different language once again:
This version tells us that by May 3rd 2021 the field once shown only to other landlords will be visible to tenants as well. Is there a reason to delay this until May 3rd? Difficult to say without knowing more but presumably it’s to give landlords some time to verify their records and ensure what they are reporting is accurate so when tenants finally see the field there should be no disputes.
It’s interesting to note the part about tenants providing consent for future landlords to pull their record. The current mechanism for ensuring a tenant has given consent to have their record pulled constitutes a checkbox where the landlord affirms they have consent. No uploading a signed consent form, just a checkbox. Scouts honour.
It should be deeply concerning that a company which is supposed to be trusted with extremely sensitive personal data that can have a huge impact on our daily lives can’t seem to settle on a major piece of corporate policy like this. It’s almost as if they’re just making it up as they go along.