Regulators and Telecoms Are Refusing to Release Data About SIM Swapping In Canada

Canada’s federal telecom regulator and a group of telecom companies are refusing to release data about the prevalence of SIM card fraud in the country and any measures proposed to combat the practice, saying that to do so would help fraudsters commit crimes. 

In a letter responding to an information request from the Public Interest Advocacy Centre (PIAC), a non-profit that advocates for consumer rights, the Canadian Radio-television and Telecommunications Commission (CRTC) supported telecom companies' refusal to disclose any details about measures being proposed by mobile phone carriers to prevent SIM card fraud—also known as SIM swapping—or any data about how often SIM fraud is happening across the country. The CRTC also declined to open a public consultation into the issue of SIM swapping. 

SIM swapping, sometimes called SIM hijacking, occurs when a bad actor convinces a telecom carrier to transfer a mobile phone number to a SIM card they control. Once a fraudster associates a victim's phone number with a new SIM card, they can use the number to access bank accounts or other sensitive information associated with it. SIM swapping is on the rise across Canada and around the world. 

In the U.S., SIM swapping has attracted the attention of lawmakers demanding to know what mobile phone carriers are doing to protect consumers. In January, six Democratic members of Congress sent a letter to the Federal Communications Commission (FCC) urging the agency to require wireless carriers to "protect consumers from fraud and the theft of their most sensitive personal data." 

To date, the FCC has not announced if any new protections have been put in place. 

In July, the PIAC filed a request with CRTC asking the regulator to provide information about measures to combat SIM fraud proposed by the Canadian Wireless Telecommunications Association (CWTA), a consortium of Canadian telecom companies. Previously, the Commission had requested this same information from CWTA without receiving a response. After PIAC requested the info under the Telecommunications Act, the telecom consortium sent back "heavily redacted" responses that included no useful information about measures wireless providers were proposing to fight SIM fraud, when they would be implemented, or the scope of the problem in Canada, reads the decision letter from CRTC. 

In defending its decision to keep details about SIM fraud out of the public eye, the CWTA argued that disclosing "technical and procedural steps to be used to enhance the verification process" to protect people from SIM swaps would benefit crooks, as would providing any details about when new safeguards for consumers would be implemented.

"CWTA considers that these specific and direct harms (resulting from disclosure) overwhelmingly outweigh any public interest in disclosure," reads the CRTC letter. 

Canadian telecom companies also argued forcefully in the CRTC letter against releasing any information about SIM fraud and measures being taken to protect victims. Eastlink, Inc. said there is "no benefit to the public disclosure" and that releasing data would "undermine the work that has been done to implement measures to prevent unauthorized mobile telephone number transfers and SIM swapping in Canada." Rogers Communications, SaskTel and Shaw Communications all made similar arguments, with Shaw stating that telling the public how many SIM swaps mobile users in Canada suffer would be "dangerous information to put on the public record."

Fenwick McKelvey, associate professor of Communication Studies at Concordia University, says the CRTC and telecom companies need to provide clearer justifications for the secrecy, which McKelvey says is "undermining democratic oversight" of the telecom sector to the detriment of consumers. 

"The practice of security through obscurity (seems) to have become the default at the CRTC," McKelvey told Motherboard in an email. "I understand the need to protect security matters, but public oversight at the CRTC is difficult at the best of times." McKelvey said regulators and telecoms should focus on increasing public confidence in telecommunications systems through transparency efforts, rather than secrecy. 

When it comes to complex issues of mobile data security and consumer protection, CRTC should "work toward compromises that allow for better public knowledge and trust" in the process between regulators, telecom companies and the public, McKelvey added. 

Follow Nathan on Twitter.