Canada's tax revenue agency tries to ToS itself out of hacking liability

The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal—which, ironically, all Canadians must use when doing their taxes and/or running their business.

The CRA’s terms of use assert the agency is not liable because they have “taken all reasonable steps to ensure the security of this Web site”.

Excerpt from the CRA terms statement:

“10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result.”

Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it’s clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used.

Not only is that not “all reasonable steps,” but the CRA is missing the very basics for securing online web applications.

The terms of use also state that users are not allowed to use “any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services.”

Looking at the HTTP response headers using web browser developer tools doesn’t breach the terms of service, but the CRA must be well aware that internet users perform scans like this all the time.
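The kind of check described above (cookie attributes and recommended response headers) is easy to automate for your own applications. The following is an added example, not code from the original article and not the CRA's configuration: it parses the raw header text you would copy from the browser's developer tools Network panel and reports missing cookie attributes and headers. The two responses embedded in it are constructed samples, not captured from any real site, and the header list follows common hardening guidance (an assumption, not something the article specifies).

```python
"""Audit HTTP response headers for cookie attributes and security headers.

Added example. WEAK_RESPONSE and HARDENED_RESPONSE are CONSTRUCTED samples;
they are not responses captured from the CRA or any other real site.
"""
from typing import Dict, List

# Response headers a login page is commonly expected to send
# (assumption: based on widely published hardening guidance such as the
# OWASP Secure Headers Project, not on anything stated in the article).
RECOMMENDED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Attributes a session cookie should carry.
REQUIRED_COOKIE_ATTRS = ("secure", "httponly", "samesite")

# Constructed sample: a session cookie with no protective attributes and
# none of the recommended headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same page with the cookie and headers hardened.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of an HTTP response into a lower-cased map.

    Repeated headers (several Set-Cookie lines, for example) are kept as a
    list. The status line and anything after the blank line are ignored.
    """
    separator = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(separator, 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_cookies(headers: Dict[str, List[str]]) -> List[str]:
    """Report every Set-Cookie header lacking Secure, HttpOnly or SameSite."""
    findings: List[str] = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (e.g. SameSite=Strict)
        # are dropped because only presence is checked here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in REQUIRED_COOKIE_ATTRS:
            if required not in attrs:
                findings.append(f"cookie {name!r} is missing {required}")
    return findings


def audit_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Report each recommended header that is absent from the response."""
    return [f"missing header {h}" for h in RECOMMENDED_HEADERS if h not in headers]


def audit_response(raw: str) -> List[str]:
    """Full audit of one raw response: cookie findings, then header findings."""
    headers = parse_headers(raw)
    return audit_cookies(headers) + audit_security_headers(headers)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = audit_response(sample)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the weak sample it lists eight findings (three missing cookie attributes and five missing headers); the hardened sample produces none. To audit a real page you administer, paste the response headers from the developer tools Network panel into a string and pass it to `audit_response`.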

And it’s not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don’t read terms of use pages.

A statement like this doesn’t protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens’ personal data.

The changes to the terms of service may be the result of numerous data breaches that have already occurred at the CRA (see below), as well as the result of a class action lawsuit filed against the agency last August.

The CRA offloading its responsibility for securing citizens’ data via a benign ToS update is a worrisome development from the government agency that should be safeguarding their data in the first place.

The data that CRA holds on every single Canadian is more than enough to help threat actors steal their identity or decide who might be worth robbing or blackmailing.

If threat actors identify particular vulnerabilities in the CRA website, they could also erase or modify taxpayers’ data, creating infinitely more terrifying scenarios.

Nation states, criminal organizations, and even political rivals would be very interested in obtaining the data that the CRA is entrusted with holding on behalf of the citizens of Canada.

You can view the CRA’s new terms of use here.

Attempts to get the CRA to address its web security posture have been met with silence (Twitter).


This is so irresponsible.

Given that their argument for not being liable is leaning on the claim that they use advanced security to ensure hackers won't get their way, and you can prove it's false.

Can't you sue them for this?

The cost incurred to do your taxes with the IRS is tax deductible. If you're required to have an account then that is an additional cost. I wonder what all you could claim as an expense just to have an account!