This post is the third (and final) in a series on known data security claims made by the Landlord Credit Bureau. See below for the previous entries:
I wanted to examine the last bit of the LCB Security Policy to make sure we covered the whole thing. The policy statement in question is here:
The claims about Amazon are fairly uncontroversial but do contain some points worth raising.
On the surface my main criticism is that Amazon AWS and Amazon RDS Encryption describe a whole host of technologies and capabilities that depend very much on the specific technologies implemented by the user.
Amazon RDS, for example, is Amazon Relational Database Services. It’s a broad category description of a huge toolbox of technologies offered by Amazon. Generally speaking we can say that Amazon has a very robust security infrastructure and they do indeed contract for US Military and Intelligence work. What we don’t know is what kind of technology stack LCB is using. Amazon RDS allows many different database types, each with their own advantages and drawbacks. Some of these technologies are free and open source, some of them are extremely pricey closed source solutions designed for maximum security.
Without this specific knowledge it’s difficult to critique these claims effectively. On the whole its at least encouraging from a data security perspective because Amazon RDP does not allow customers root level access on their systems and manages all patches/upgrades/updates, reducing the probability of some unpatched vulnerability exposing their database to hackers. Other than that and agreeing overall with the physical security advantages of Amazon servers there isn’t much more to intelligently add.
What we did find interesting was when we went to try and verify that Landlord Credit Bureau was indeed using Amazon Web Services. Typically websites and applications using AWS leave a signature you can spot if you do a WHOIS lookup of their web domain.
Users of AWS typically have to change the DNS name servers they use over to Amazon DNS name servers – dubbed Amazon Route 53 by Amazon. Thinking this would be an easy way to verify the LCB was using Amazon AWS we did some digging through their WHOIS records. We found a few matters of interest but we’ll start with the Amazon claims.
First though we need to take a look at how users interact with the LCB websites and the actual LCB web application.
Since we are Canadian users, we are going to start with the Canadian version of the LCB website – landlordcreditbureau.ca
Two things I want to point out about this record:
- The IP address resolves to Canadian servers so we can be fairly comfortable knowing the data being stored and transmitted from this address is at least staying in Canada.
- The domain name registrar they used has made their WHOIS record private, which is standard practice now for most internet domains
The reason I bring up point #2 here and that is because when I registered the domain for Landlord Credit Bureau Facts, my WHOIS information was also kept private by my registrar, DreamHost. Again, this is a standard practice, you don’t have to ask for it, you don’t have to pay extra.
In his lawsuit against us, Zac Killam claims that by having my WHOIS information kept private (a default setting for all new registrations) I was “hiding” my identity:
So I find it very interesting that when I check the WHOIS for his websites and find the records are all private. He accuses me of some kind of plot to hide my identity when his domains are set up the exact same way. Should I assume he is trying to hide his identity? What nefarious plot is he hiding here? Or are we just talking about a standard feature of all new domain registrations in the modern era of the internet? Readers can judge for themselves.
This doesn’t paint the whole picture however, since the actual Landlord Credit Bureau web application doesn’t run off the Canadian .ca domain. Requests to sign in to either the Tenant or Landlord side of the application, regardless of what country the user is logging in from all go through this URL: app.landlordcreditbureau.com
So let’s look at the WHOIS for landlordcreditbureau.com
Some really interesting things happening on this record but let’s start with the Amazon claim. If we focus in on the Name Servers section of the WHOIS record you can see they are the DNS servers for their domain registrar, EasyDNS. What we would expect to see here is Amazon AWS name servers, not the EasyDNS servers.
Based on this evidence one might conclude that Landlord Credit Bureau aren’t using Amazon Web Services because there is no apparent route to Amazon Route 53 in their DNS setup. Case closed, right?
Wrong.
Since at least 2017, EasyDNS has been offering a service called easyroute53:
It took a bit of a deep dive but I think it’s pretty easy now to see that while we can’t explicitly prove they are using AWS and other Amazon technologies they are certainly set up to do so. Given the evidence I’ve been able to assemble so far I see no reason to doubt their Amazon claims at this time.
Moving on from Amazon, let’s focus in on something that really jumped out at me the first time I saw this record: the IP address for the server is located in the United States, in Ashburn Virginia to be precise and under a GoDaddy.com ASN.
GoDaddy leases a major data center in Ashburn Virginia, according to IPO filings from the company.
The data center space is leased from a company called Digital Realty.
It’s a legit data center, well appointed and with physical security features that you would expect from a facility of its kind.
What concerns me about this record is that it reveals that all of the tenant data being generated in Canada is being stored in the United States. Every time a landlord logs in to the service the data is being sent to and recovered from the US. Every time a tenant logs in to the service that data is being sent to and recovered from the US.
Recall that this is highly sensitive information about Canadians – rental payment history, home address, your Equifax credit score, name, date of birth, details of problems you’ve had with the landlord, comments from the landlord about you. All of it hopping across the border to servers in the United States.
Why is this significant?
When your data leaves Canada and gets stored on servers in the US, that data is now subject to US law. There are no US federal laws governing privacy of personal data, only individual state laws. Your data is also subject to search and seizure by US law enforcement as well as monitoring by US intelligence agencies through provisions in the USA PATRIOT Act.
Virginia is only second state in the US to adopt a comprehensive privacy law. They only did so as of March 4 2021, just over a month from this writing, and the law isn’t as robust or tested as the PIPEDA is in Canada. It also includes exceptions if you aren’t storing the personal data of 100,000 people or more, or 25,000 if more than half of your revenue comes from the sale of personal data.
It’s also worth noting that Quebec and Alberta prohibit businesses from storing Canadians personal data outside Canada entirely. LCB doesn’t operate in Quebec, but they do in Alberta. In fact, their legal framework page has a full Alberta section but none of it mentions how its legal for them to store your data in the US.
Here in Ontario, the LCB is governed by the Consumer Reporting Act as they are a licensed Credit Reporting Agency. Does the CRA have anything to say about storing data outside of Canada?
If we look at a comparison of service packages published by the Landlord Credit Bureau on the Landlord portal there’s this entry, which seems to indicate your data isn’t just being shared with Canadian landlords, it’s landlords all over the world potentially. They claim to be the “only international tenant database”.
In conclusion, Landlord Credit Bureau is storing your data in the US, possibly in contravention of Canadian laws. This also means your data is now subject to US laws and to search by US law enforcement and intelligence agencies. To most Canadians this isn’t exactly comforting.