Rogers, Bell and Public Safety refused interviews on phone hack - but talked about it in private
Federal government, private sector have a lot of work ahead to protect Canadians' privacy, says NDP MP
After a CBC News/Radio-Canada investigation in November showed how relatively easy it was to hack phones on the Bell and Rogers mobile networks, the telecom companies and Public Safety Canada refused to grant interviews.
Instead, they chose to talk about the issue among themselves and in private, according to the federal lobbying registry.
The November investigation showed that, using only the number of his mobile phone, it was possible to intercept the calls and track the movements of Quebec NDP MP Matthew Dubé.
The NDP's public safety and emergency preparedness critic had agreed to let his telephone be hacked as part of the investigation.
The phone was connected to the Rogers mobile network, but CBC News/Radio-Canada journalists were also able to successfully hack Bell Canada's network.
The hack was done with the help of cybersecurity experts in Germany who exploited a weakness in the global telecommunications networks' Signalling System No. 7, or SS7. Any network that fails to adopt adequate security measures is vulnerable to hacking through SS7.
In November, CBC/Radio-Canada requested interviews with both Bell and Rogers to discuss a vulnerability in the SS7 system that puts the privacy of their subscribers at risk. The two companies refused to speak publicly and limited their responses to brief emails.
Public Safety Minister Ralph Goodale also refused an interview, claiming that SS7's flaws are not among his ministry's responsibilities.
Protecting Canadians' privacy
But Goodale's office did meet with Bell and Rogers to discuss the issue. According to the lobbying registry, David Hurl, Goodale's director of policy and parliamentary affairs, sat down with the telecommunications firms in December. Hurl has confirmed that both meetings were at the request of the companies.
"We discussed measures they have been taking on the SS7 issue and then discussed the work we are doing on the government's new cyber strategy," said Hurl.
Dubé said both companies called him the day of the CBC News/Radio-Canada report asking to meet, but due to his busy schedule the meetings did not take place until December.
He said the meetings did not reassure him.
"They talked about what they are doing to improve on this issue and that they take their customers' privacy very seriously," he said. "While I don't doubt their good intentions, at the end of the day there's a lot of work that needs to be done by the private sector and by government to ensure that we're doing all we can to protect Canadians' privacy."
Still no interviews
Bell and Rogers also held several meetings with the Ministry of Innovation, Science and Economic Development in December and January, but the office of Minister Navdeep Bains would not say if they discussed SS7's vulnerabilities.
CBC/Radio-Canada asked Bell and Rogers for interviews while researching this article. They again refused.
In an email, a spokesperson for Bell Canada said that "Bell's networks are protected by state of the art technology ... We wouldn't comment on any specific measures we take to ensure the security of our networks."
Rogers took a similar line.
"We have already introduced and continue to implement the most advanced technologies to address threats related to SS7," wrote a spokesperson in an email. "For security reasons we are unable to publicly share specific details on our ongoing investments in cybersecurity."