Pirate Party of Canada Evidence Based Policy Making

Bell Customer Data Leak Highlights Need For More Attention On Cyber Security and Data Privacy

Bell, one of Canada’s largest internet providing monopolies, was hacked and had their client information stolen and posted to the Internet on Monday. I have obtained a preliminary list of customers who are affected (which contains over 1.5 million email addresses) and verified a few to ensure the data is real (Bell has since released an apology to the affected customers, also confirming the data).

At a not-small cost to the Pirate Party, we have decided to send an email to each person affected by this breach and let them know their email address and data are now publicly available. Furthermore, there is no telling what additional data was taken by the hackers (bandwidth usage records are already available, as are internal usernames and passwords). Credit card information, Pay Per View, customer notes, address information, phone numbers, and account passwords are all items that attackers may (and likely do) have access to and could post publicly.

We always advise people to use different passwords for different services. If the password you use for any other service is the same as your Bell password, you should change it. If your security question for your banking is the same as your Bell security question, you should change it. If you have a credit card on file with Bell, you should consider having it reissued with a new number.

This is a great highlight of why corporations should limit the data they store on their users. When I worked at Shaw, there was a case where a coworker once showed me the account of an ex-premier of BC who had adult movies in their Pay-Per-View list, something Shaw keeps indefinitely on their servers. Over the course of my job I encountered a popular Vancouver MP who had their bank information written down in the comments of their account. Their account was closed at that point but Shaw kept the records and that information would be publicly visible if they were ever hacked.

Canada needs stronger data privacy laws to ensure your data, like the information listed above, isn’t inadvertently made public. We also need a stronger emphasis on cyber security. It’s a point of pride in our country to defend our relatively safe Northern borders, but what our money should be going into is protecting and bolstering our internet infrastructure that every Canadian relies on every day.

– Travis McCrea

Elections Canada Acts Outside Elections Act Making Things Difficult For Smaller Parties

We need your help, be sure to just skip to the bottom if you don’t care about the background.

The Elections Act is very specific: every three years a political party must show that it has 250 electors who support it. We would provide 300 just in case some members were not on the registry or had not updated their information on the registry.

This year, however, Elections Canada is doing things differently. Instead of validating our forms using the information provided (information that would be hard to obtain fraudulently), they are now validating all parties’ membership by mailing members forms to validate their membership. This provides multiple levels at which our members can fail verification:

  • They can have an address that hasn’t been updated with Elections Canada
  • They can’t be in any transient living situation where they move within 3 months of filling out the form or won’t know where they will be in 3 months.
  • They must mail us a form with all the details properly filled out, including putting their birthday on the form where many people sign with the current date (because in other forms that’s where you would put the current date, making the form confusing)
  • The form must make it to us by mail (no digital copies) and then make it from us to Elections Canada by mail, and then the validation form must make it from Elections Canada to them by mail, then they must get it back to Elections Canada by mail again.

These are just a few of the issues with the new audit procedure by Elections Canada and it’s no wonder that of our 275 signatures that we turned in initially this year only 90 of them passed all these levels of validation.

The problem, however, is with this additional level of validation Elections Canada is essentially asking us for 750 members to sign the forms. Instead of the old system which required us to get a 25% buffer, the new system requires that we achieve a 250% buffer. This is acting well outside of a reasonable view of the Elections Act.

We have sent a more detailed complaint to the Elections Commissioner, who oversees violations of the Elections Act and we anticipate they will rule in our favour.

We Need Your Help

If you have not already filled out a form (or never got a verification letter from Elections Canada), please Download This Form and mail it to:

Pirate Party of Canada ICO Travis McCrea
1601-788 Jervis St
Vancouver, BC V6E0B5

While we fully anticipate a judgement in our favour regarding these abusive new audit procedures by Elections Canada we also need to be prepared for the worst and that means trying to get up to 750 signatures. If you have already filled out the form, make sure you print another and get someone else to fill it out too.

I appreciate all your effort and we will overcome any obstacle that is given to us because we are the Pirate Party and ingenuity is our greatest strength. We succeed together.

– Travis McCrea

Time To Get Serious

Over the past month as leader, I have been attempting to bring our party back from the ashes and really turn it into a meaningful part of the Canadian political discussion. This isn’t an effort made alone, but through the hard work and dedication of our members and now it’s time to ramp it up.

Our platforms are currently in need of review. I am doing an in-depth look into our platforms and will be working within the rules of the party to ensure they are updated as quickly as possible to meet my standards. I have already started working with a team of francophone volunteers to ensure our website and platforms are properly translated into French.

It will now be an emphasis by the leadership of the party to focus at least a bit of energy into fundraising. This doesn’t mean harassing you with emails begging for money every day, that isn’t us. It does mean reminding our members when possible that it costs money to run a party, and it costs even more money to make sure other people hear about us.

Finally, no more passive Pirate Party, we are a legitimate option for Canadians looking for a party with real solutions for the 21st century. Basic Income is the solution to job automation, homelessness, and other issues Canadians face today and will face in the near future. We are the only party talking about that, and we need to remind people of this. We also need to call out other parties when they do wrong, or when they show their ignorance to technology and the future of Canada.

It’s the 21st century, it’s time for 21st century politics. The Pirate Party is here, and we are ready to serve you. Let’s do this!

– Travis McCrea

Pirate Party Privacy Mishap Notice

This is a notice to all old members of the Pirate Party who have used crm.pirateparty.ca / my.pirateparty.ca but have never signed into sso.pirateparty.ca.

At 0200 PSDT (actually due to time paradox of DST I am not sure if this is 0200 PST or PDST), an email was sent to all older members of our party who had not yet signed into our new SSO system. An email was written to inform them of the new system and to request they update their information in our backend. Sadly, due to a bug in the script which emails out the members, it iterated the list to each member who came after them in the database.

I.e., Member 1 got their email, then Member 1 got Member 2’s email, and Member 1 AND Member 2 then got Member 3’s email.

We tried to stop the emails from completing, as our email partner SendGrid has failsafes against this. Sadly, by the time we got ahold of SendGrid the emails had already cleared the queue and we have no way of knowing how many of the 315 people who were on this list actually received the emails. What we do know is 4,072 were sent, and the code has already been updated so this problem never happens again. The damage, however, has been done and for a party that prides itself on personal privacy this mishap is even worse.

Technical Details

Our codebase is PHP. The code which caused the problem was a loop where the array wasn’t reset between iterations. This means for each additional member, instead of replacing the previous email, it added to it:

$sql = "SELECT email, name FROM users WHERE password = ''";
//$sql = "SELECT * FROM `users` WHERE `email` LIKE 'travis.mccrea@pirateparty.ca' ORDER BY `activateemail` DESC";

$result = mysqli_query($conn, $sql);
$json_string['category'] = 'welcomeemail';
if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        // The bug: 'to' is appended to on every pass and never reset,
        // so each send also goes to every address collected so far.
        $json_string['to'][] = $row["email"];
        $emailto = $row["email"];
        if($row['name'] == '') {
        } else {
            $name = ' '.$row['name'];
        }
        $textbody = "

I try to keep emails to members a minimum but I wanted to ask that you come sign into our new member management system. As your account was rolled over from our old system you will need to create a new password. You can do that by using the password reset link below. Keeping an active account with the Pirate Party is just a tiny thing you can do to help us better organize and understand who our members are.

This may be the first time you are hearing from us in a long time, so let me just say we are rallying back after a few years of slacking. No more long meetings on insignificant internal bureaucratic policies, no more half baked projects that are not maintained, none of that. Just a simple website that tells you what we are about and better communication with the people who matter most (our members).  Welcome back to the Pirate Party! 

Reset your password: https://sso.pirateparty.ca/reset/$emailto

Thank you,

Travis McCrea - @TravisVancouver
Party Leader
604.500.4524 ";

        //I have removed the CURL  as it didn't provide any help
    }
} else {
    echo "0 results";
}

This was purely sloppy coding, and it was my own fault. I had tested it, of course, but as you can see from my commented out test call it wasn’t enough to show this problem. It was a problem that could only show in a test of multiple emails.

How To Prevent This

There are many ways this can be prevented in the future, the most obvious one is sleeping and coming back to things in the morning just to double check it. It seems like a lousy excuse and maybe a pointless step, but at least for me this is the hour where many of these issues start popping up so I am going to stick to it more closely.

On the technical side, I have added multiple accounts under a dummy name that no one else will have and emails will be tested against this list before others.

Also, the proper code was put into place to reset the array.

I am truly sorry to anyone who was affected by this, there is no action you need to take… no password information was shared (and our passwords are encrypted using B_CRYPT with 12 rounds of strength anyway). This information is here because I screwed up, and one of the things we do in the Pirate Party is admit our failures, we try not to spin them, and we move forward. So far the people who were up at this hour and have responded have seemed fairly understanding, I appreciate that and all I can do is promise to do better next time.

EDIT: A previous version of this post referred to this as a “breach”; to avoid confusion between malicious intrusion and stupidity we are using the term “mishap”. Further, we would like to remind everyone that we at no time have credit card data either in our servers or in our database. We use a secure payment gateway and your information is securely kept in their fully PCI compliant system.

– Travis McCrea
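The two technical fixes described in the mishap notice above (resetting the recipient array, and testing against dummy accounts first) can be sketched as follows. This is an added example, not the party's code: the function names, the dummy rows, the greeting line and the use of rawurlencode() are assumptions made for illustration.

```php
<?php
// Constructed dummy members standing in for the mysqli result set.
$rows = [
    ['email' => 'dummy1@example.invalid', 'name' => 'Dummy One'],
    ['email' => 'dummy2@example.invalid', 'name' => ''],
    ['email' => 'dummy3@example.invalid', 'name' => 'Dummy Three'],
];

// Build one payload per member. The payload array is created fresh on
// every call, so no recipient from a previous member can carry over.
function build_payload(array $row): array
{
    $name = $row['name'] === '' ? '' : ' ' . $row['name'];
    $link = 'https://sso.pirateparty.ca/reset/' . rawurlencode($row['email']);
    return [
        'category' => 'welcomeemail',
        'to'       => [$row['email']],
        // Placeholder greeting; the real message body is on the page above.
        'text'     => "Hello$name,\n\nReset your password: $link\n",
    ];
}

// Pre-send check: every payload has exactly one recipient, and that
// recipient is the member the reset link was generated for.
function check_payloads(array $rows, array $payloads): array
{
    $errors = [];
    foreach ($payloads as $i => $p) {
        $expected = $rows[$i]['email'];
        if ($p['to'] !== [$expected]) {
            $errors[] = "payload $i: recipients are " . implode(',', $p['to']);
        }
        if (strpos($p['text'], rawurlencode($expected)) === false) {
            $errors[] = "payload $i: reset link is not for $expected";
        }
    }
    return $errors;
}

$payloads = array_map('build_payload', $rows);
$errors   = check_payloads($rows, $payloads);

if ($errors) {
    // Refuse to send anything if a single payload fails the check.
    fwrite(STDERR, implode("\n", $errors) . "\n");
    exit(1);
}
echo count($payloads) . " payloads, one recipient each\n";
```

Run against payloads built the original way, with one shared `to` list that keeps growing, check_payloads() reports every payload after the first, which is the multi-recipient case a single-address test cannot show.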

Welcome New People!

Welcome New Supporters and Media (lots and lots of media),

Many of you (especially the media, apparently) might have never known that our party exists. While we have been around since 2009, we haven’t done the best at letting Canadians know that we are here and ready to work for them. So let’s do a brief introduction to The Pirate Party of Canada and why we are a real political party with real good ideas:

  • We have existed since 2009 and have run in both major elections since then, as well as some by-elections.
  • We are a civil liberties party focusing on protection of the Internet, copyright reform, and evidence based policy making. Our flagship platform is Universal Basic Income, something we have been talking about since 2011.
  • We are currently the only party with a plan that addresses job automation and job losses associated with it. Basic Income being the cornerstone of that plan.
  • We call ourselves Pirates because it’s a great introduction in conversation, we could be the Purple Party or the Humanist Party but no one wants to be stopped on the street by someone who calls themselves “Purples” but everyone always wants to know why we are called Pirates. We were given this name by the copyright industry, our counterculture movement has always been called pirates and instead of trying to shy away from it, we have decided to embrace it and take empowerment from it.
  • We have caught members of Parliament, the RCMP, and Industry Canada all having IP addresses which were downloading torrent files.
  • We are free to join, and voting membership can be as little as $1 per year.

We are ramping this party up, no more sitting in the shadows and waiting for people to come to us. We are hopeful that Justin Trudeau passes meaningful and democratic election reform, but we are not waiting around for others to tell us how relevant we are in Canadian Politics, it’s time we make ourselves relevant.

People who are interested in evidence based policy making, progressive values, and a party whose leadership all know how to use technology… you should check out our platforms and then sign up for free