1. FOIPOP security failure
This morning both the privacy commissioner and the auditor general released their reports on the FOIPOP website security failure.
I don’t have time right now to give a thorough review of each document, but my quick scan reveals a couple of things of note.
First, privacy commissioner Catherine Tully tells us that the security breach was broader than we have been previously told:
On April 9, 2018, the Department of Internal Services (Department) notified my office of the unauthorized access to and download of thousands of records from its Freedom of Information Access website (FOIA website) by an unknown actor associated with one Internet Protocol (IP) address. This first identified privacy breach appeared to have involved an automated program to download every document stored in the database behind the website.
… the Department eventually identified a total of 12 privacy breaches.
Privacy breach #1 was discovered after an initial review of the website’s activity logs. The Department’s further review of the activity logs subsequently identified an additional 11 instances of unauthorized download activity. The identity of the individuals involved in the 12 instances of unauthorized access is known only by the IP address of the computer used in the activity. Privacy breaches #2 through #10 are IP addresses assigned to the Atlantic School of Theology. Privacy breaches #11 and #12 are two different and private IP addresses hosted by the Bell Aliant network. These IP addresses were later determined to also be associated with the Atlantic School of Theology (AST). The IP addresses are assigned to visitors when AST grants guest access to its wifi. The evidence also suggests that breaches #2 through #12 all involved just one individual.
While the Department was able to identify activity in 12 instances that appeared to be unauthorized, the full extent of the potential breach of personal information will never be known. There may have been other incidents where individuals inadvertently or purposefully accessed third party personal information on the FOIA website that have not been identified. It was only where individuals repeatedly accessed numerous documents that the pattern of inappropriate access could be identified through the review of the website activity logs. There is no practical way of identifying one-off or limited unauthorized accesses. In addition, there are no activity logs available for the first four months that the FOIA website was in operation.
There were 818 documents downloaded at AST, and the people whose personal information was contained in those documents have not been notified.
And then there’s a section about lessons learned:
It is troubling that months after the privacy breaches, erroneous understandings about the nature of the breaches, their root cause and how to prevent them from occurring again persisted within the Department. Department witnesses and documents characterized the cause of the breaches as manipulation of the website address. One employee expressed the view during our investigation that the cause of the breaches was individuals using the website in a way that was not intended and maintained the view that the unauthorized downloads were theft. One employee expressed that her lesson learned was she hoped not to have to work with Unisys again. A management level employee expressed that the Department does not have time to conduct a post-incident review.
I suspect most of the information released was not worrying. For instance, my own information was released, but that contained at best my email address, and certainly nothing that concerns me. But some of the information released could have grave consequences. Tully notes:
The second complainant applied for access to her own personal information held by the Department of Community Services. In this case, the application and decision letter contained sensitive personal identifiers such as dates of birth. The disclosure package contained detailed information about the applicant and several of the applicant’s family members, including Social Insurance Number, details of government involvement with the family, as well as details of occurrences, vulnerabilities and challenges involving family members. The records also contained the community of residence, work and school locations, and detailed contact information. The complainant described a sense of extreme violation provoked by learning that this highly sensitive personal information was not protected and was breached by an unknown individual. Not knowing the status of who had the documents and what was done with them caused severe anxiety. In addition, this applicant informed our office that while she had received notification of the breach, other individuals mentioned in the documents did not.
As I say, I don’t have time to get further into it this morning.
2. SageCrowd, Ogden Pond, and alleged corporate crime
“Innovation” is all the rage, so any company that says it’s developing some whoop-de-doo technology will get financing help from the government. Take, for example, SageCrowd, Inc., which back in 2013 developed something called the SageCrowd Collaborative Learning Platform. As best I can understand it, and I spent far too much time trying to figure this out with little result, SageCrowd is a workplace training tool; the company explains itself with this chart:
Like I said, I have no idea what most of that means. Regardless, innovation! So in May 2013, the Atlantic Canada Opportunities Agency (ACOA) helped out with a $120,000 loan so SageCrowd could “develop an integrated online ‘cloud-based’ software platform to capture learners’ feedback.” Five months later, that amount was increased to a total of $268,625, and then in March 2014 increased again to a cool half-million dollars. The following year, ACOA gave SageCrowd a “Non-Repayable Contribution” of $45,000 to “Engage a Lead Generation Expert.” (I think “engage” means hire, or contract with, as opposed to just hanging out for drinks or whatever.)
ACOA appears not to have issued any press releases about this financing. However, of course Peter Moreira was all over the company, announcing in January 2014 that SageCrowd had secured $850,000 in investment:
In a statement, the company said the investors were the Ogden Pond Group, the Halifax-based First Angel Network, and various angel investors. The Ogden Pond Group is a Halifax incubator and merchant bank in which SageCrowd Co-Founder and Chair Sean Sears is involved.
Moreira also took a stab at explaining just what it is that SageCrowd does:
SageCrowd is an online learning network that will deepen the relationship between some of the world’s leading personal improvement authors and their legions of followers. The company believes that personal improvement writers often fail to alter their readers’ lives because reading a book doesn’t change your personal habits and behavior. SageCrowd transforms each author’s work into a series of monthly online lessons so followers can develop habits that improve their performance, brings them success and make them happier.
The company launched last year with the works of Marshall Goldsmith, the author of What Got You Here Won’t Get You There and other books whose sales have totaled millions of copies. SageCrowd started off with only one channel dealing with Goldsmith’s works and wanted to nail down that channel before including other authors.
It has since added: Gloria Feldt, cofounder of Take The Lead and author of No Excuses: 9 Ways Woman Can Change the Way We Think About Power; Jim Smith Jr, co-author of Masters of Success; and Justin Gittelman, author of Whole Mind Thinking.
So, if you force your employees to take SageCrowd’s courses, maybe they’ll turn into these happy people:
Anyway, with ACOA and First Angel Network money under its belt, SageCrowd went searching for some tax breaks, too.
According to a lawsuit filed at the Nova Scotia Supreme Court yesterday, SageCrowd hired BeneFACT Consulting Group, a Mississauga, Ontario firm, to help secure federal tax credits through the Scientific Research and Experimental Development Program (SR&ED), which “provides tax incentives to encourage Canadian companies of all sizes and in all industry sectors to conduct scientific research and experimental development (SR&ED). These tax incentives come in three forms: an income tax deduction, an investment tax credit (ITC), and, in certain circumstances, a refund.”
“Our government makes $4B in tax credits available to catalyze technical innovation,” explains BeneFACT on its website. “Naturally, claiming is a comprehensive process. It benefits from due diligence, technical expertise, and experience. So we build an organization with precisely those components. We hold your hand through the whole process…” [The ellipse is BeneFACT’s, not mine.]
Someone should chart the use of buzzwords against successful consulting. And it’s oh so meta that BeneFACT’s purpose is to coach the people who coach others about how to use still other life coaches.
As an aside, the history of federal tax incentives for firms conducting scientific research reads like a chronology of a bureaucracy dealing with constant fraud. Take, for example, these phrases plucked out of the CRA’s “Evolution of the SR&ED Program – a historical perspective” webpage:
As a result of reported abuses, the federal government abolished the 50% incremental deduction in 1983 and introduced new tax provisions.
In an effort to broaden Canada’s tax base and to limit abuses of the tax system related to scientific research, the May 1985 budget…
The legislation was also amended to ensure that the beneficiary of SR&ED tax incentives was directly associated with the research activities. Companies could no longer qualify for tax incentives unless the expenditures incurred were directly related or directly attributable to SR&ED activities. The government also moved to exclude expenses incurred for the purchase of buildings from the definition of SR&ED expenditures.
Also in 1994, a time limit was set for identifying SR&ED expenditures incurred in previous years. This change resulted from concerns expressed by the Auditor General of Canada. He had noted that some corporations were using the carry-forward provision to claim tax credits for SR&ED performed as far back as ten years, making the verification of claimed work increasingly difficult.
The 1995 changes ensured that expenditures eligible for the tax incentives under contracts with related parties would be limited to the actual costs incurred by the performers in carrying out the SR&ED.
In 1999, in order to prevent unintended benefits under the regime of SR&ED tax incentives, a mechanism was implemented…
In 2013, the Income Tax Act was modified to introduce a penalty of $1,000 per SR&ED claim if tax preparer information requested on the SR&ED claim form is missing, incomplete, or inaccurate.
There’s no suggestion that SageCrowd did anything improper in going after the SR&ED tax credits. It’s mind-boggling inane that we give tax breaks to companies shilling the work of “life coaches” preaching mumbo jumbo — Marshall Goldsmith invented something he calls “Stakeholder Centered Coaching“; Gloria Felt has a supposed feminist take on life coaching called “Take the Lead” — but this is the world we live in, alas. Bullshit rises to the top.
In its lawsuit, BeneFACT doesn’t say whether SageCrowd was successful in pursuit of SR&ED tax credits, or how much the company received in SR&ED credits. However, BeneFACT does say it was hired for two contracts, one dated December 10, 2014, the second dated April 22, 2015.
“SageCrowd, Inc. was required to pay for the services rendered under the Consulting Contracts by May 2016,” claims the lawsuit. “BeneFACT provided the services contemplated in the Consulting Contracts. SageCrowd failed to pay.”
Then, claims BeneFACT, “SageCrowd, Inc. was insolvent as of, at the latest, October 1, 2015. As of at least then, it was unable to meet its liabilities as they became due.”
BeneFACT sued SageCrowd for the debt in an Ontario court, and in June 2017, got a judgment of $148,558.20, plus post-judgment interest.
But this is not just the familiar story of a business gone bust. There’s more.
Let’s take a side trip through a Labour Board decision regarding SageCrowd and a fellow named Peter Bidgood, who was for a while SageCrowd’s president. After he was fired, Bigood successfully got a Labour Board ruling in his favour for $79,999.92 as pay in lieu of notice. The Chair of SageCrowd’s board, Sean Sears, appealed the ruling, to no avail, but the published decision explains the complex corporate relationships between Sears’ companies:
The Complainant [Bigood] began employment in August 2000 as Product Manager with Abridean Inc., a software company. Sean Sears was Director and President at the time.
In January 2008 the Complainant was promoted to Vice-President of Service Provisioning Solutions, and then to President. In June 2011 his employment contract was transferred to Abridean International Inc. (hereafter referred to as ‘AI’) as a result of receivership. Ogden Pond Technology Group Inc. (hereafter referred to as ‘OPTG’) paid the receiver to acquire the assets of Abridean Inc. These assets were then placed into AI. In 2012 Sean Sears (President and Director of AI) created SageCrowd Inc. (hereafter referred to as ‘SCI’) and the Complainant was asked to assist with certain SCI projects. The Complainant was named President of SCI in July 2013, while still being paid by AI. In 2014 the Complainant began to be paid by SCI instead of AI.
On January 2, 2015 the Complainant’s employment was terminated. The letter of termination states as follows:
Re: Notice of end of employment Friday Feb 27th
Peter this is notice that your employment with SageCrowd and Abridean will both end on February 27th. This is working notice and your presence and continued work effort are anticipated for the entire period. You are to continue to report to the office for regular hours, but will be provided flexibility in order that you might have the opportunity to find replacement employment. Should you find alternative employment we shall provide an earlier release date at your request.
Earlier this year, I provided a formal performance review of your role as President of SageCrowd. Specifically, we outlined four areas we felt were significantly deficient as to affect your role and on-going employment. President of SageCrowd includes managing all personnel and back-end operations of the Company. We feel you have not made significant enough progress on these improvements and that the company efforts to achieve its objectives are being thwarted. Effective immediately, you are no longer the President and until your employment lapses you will be assigned special projects and not work on the management team of SageCrowd.
Specifically your assignments are to complete the Company’s SHRD claim and all the necessary source documentation for such a claim and to complete the demo environment and to train a designated SageCrowd staff member in its execution.
We look forward to an ongoing positive work environment.
Maybe Bidgood could’ve used a life coach, eh?
The decision continues:
Mr. Sears explained the relationship between the three companies. OPTG invests and incubates software companies. It has 185 shareholders, and its own Board. SCI was incubated in OPTG, which had investments in both AI and SCI. OPTG is not involved in the running of SCI’s business. Mr. Sears agreed that while the Complainant was working at AI, he was assigned to projects at SCI, for which AI was paid. According to Mr. Sears, the Complainant’s involvement with AI ended when he became President of SCI in 2013, as they felt the project required his full attention, and that it would be difficult to manage both positions.
Mr. Sears described the difference in the work of AI and SCI. In his view, AI is an infrastructure company and sells product. SCI is a service being run using “the cloud.” They have different business models, customers and focus. They are in the same office space, but he indicated that it is not unusual in the industry to co-locate. Here, OPTG incubated SCI, gave support including co-location, but does not control SCI. AI sends all its revenues to OPTG. Each entity has its own Board.
As I said, Bidgood prevailed, and he’s now a project manager at IBM. You can read the Labour Board’s decision here. But let’s return to BeneFACT’s lawsuit, which names not SageCrowd, but Ogden Pond Technology Group Inc., Sean Sears, David Gough, Ying Tam, and Gerard Wadden. All four men are described as directors of Ogden Pond, and Sears and Wadden are additionally described as officers of Ogden Pond.
The lawsuit has a section headlined “The Defendants’ Scheme to Defeat BeneFACT’s Rights.” It reads:
Beginning in or about October 2016, the Defendants began enacting a scheme to deprive BeneFACT of the ability to recover judgment debt from SageCrowd Inc. The Defendants acted in concert, by agreement or with common design to unlawfully defeat BeneFACT’s rights as SageCrowd Inc.’s creditor. They knew or ought to have known that their conduct would cause BeneFACT commercial harm, which in fact occurred. The relevant known details, which BeneFACT began to discover in 2018, include:
a) In October 2016, without consideration, SageCrowd Inc. gave to Ogden a purported perpetual licence for the SageCrowd Technology, which was SageCrowd’s chief asset. Each Defendant was involved in orchestrating and carrying out this arrangement.
b) In May 2017, the Defendants similarly participated together in facilitating SageCrowd Inc.’s grant to Ogden of a General Security Agreement (“GSA”) securing all the assets and undertakings of SageCrowd Inc. The GSA was registered in the Personal Property Security Registry on May 4, 2017.
c) On June 16, 2017, BeneFACT obtained the Ontario Judgment.
d) On November 21, 2017, the Ontario Judgment was made a judgment of the Supreme Court of Nova Scotia.
e) On November 30, 2017, Sears, with the knowledge and involvement of the other Defendants, caused SageCrowd Inc.’s registered name to be changed to 3263287 Nova Scotia Limited.
f) On March 6, 2018, the Defendants arranged for Ogden to register the name “SageCrowd” as a business name of Ogden.
g) Ogden has operated the same business as SageCrowd Inc., using the SageCrowd business name and the SageCrowd Technology.
h) Ogden received SageCrowd’s business name and has used the SageCrowd Technology without consideration.
i) The Defendants’ goal was to strip SageCrowd Inc. of everything but its debts, and move its assets out of creditor reach, so that Ogden could benefit from those assets. Their conduct deprived BeneFACT of assets that would have allowed it to recover on the Ontario Judgment. SageCrowd Inc.’s judgment debt remains outstanding.
The lawsuit calls the defendants’ actions “an unlawful conduct conspiracy,” and makes one other noteworthy claim:
In addition to participating in this scheme, Sears unjustifiably transferred funds from SageCrowd Inc. to himself before and after SageCrowd Inc.’s insolvency. These payments constituted fraudulent preferences and fraudulent conveyances.
BeneFACT wants the court to find the defendants responsible individually for the SageCrowd debt, to declare the transfer of technology rights to Ogden void, and to order the payments made from SageCrowd to Sears void because they constitute fraud.
BeneFACT is represented by Joseph Herschorn of Cox & Palmer. The allegations in the lawsuit have not been tested in court, and none of the defendants have yet to respond to the lawsuit.
But let’s step back and consider what would happen if BeneFACT prevails. If so, a judge will have found that Sears and company essentially robbed their own company in order to avoid a $148,558.20 debt, so in effect robbed BeneFACT of $148,558.20. What could we expect would happen to Sears and the other three personally? Maybe they’d get a lien on their houses until the debt is paid?
Now consider any of the defendants who will show up at provincial court today. The people shoplifting $20 steaks from Sobeys, or using a stolen credit card to buy gas. What do you suppose will happen to them?
I went on at length about this case because I want to make a point about class and crime. We seem to box corporate crime off into some other realm, where the offenders never face criminal prosecution, never have to deal with potential jail time or be regarded as anything other than fine upstanding business people; certainly (with the exception of the Halifax Examiner), news media won’t name and shame them.
But some poor kid from the ‘hood lifting from the grocery store? Hey man, rev up the vilification engines.
City Council (Tuesday, 10am, City Hall) — agenda
Budget Committee (Wednesday, 9:30am, City Hall) — agenda
Community Services (Tuesday, 10am, One Government Place) — a per diem meeting.
Veterans Affairs (Tuesday, 2pm, One Government Place) — ditto
Health (Tuesday, 3:30pm, location tba: One Government Place OR Province House) — this is the first meeting of the newly created Standing Committee on Health. See Stephen Kimber’s comments about the uselessness of the committee (link above).
Public Accounts (Wednesday, 9am, Province House) — Auditor General Michael Pickup will be asked about his report (released this morning) on the FOIPOP website privacy failure.
Architecture Lecture (Tuesday, 9am, Cineplex Theatre 7, Park Lane Mall) — philosopher Letitia Meynell from Dalhousie University will speak. More info here.
A Conversation on Conducting (Tuesday, 10am, Room 121, Dalhousie Arts Centre) — Q&A with Judith Yan.
Developing and Retaining Talent in Canada (Tuesday, 11am, 2nd Floor Atrium, Ocean Sciences Building) — a panel discussion “focusing on talent retention and development in our region, and the importance of collaboration between academia and industry.” Panelists include George Palikaras, Metamaterial Technologies Inc.; Ian Hill, Dalhousie University; Simon Jacques, Airbus Canada; Eric Bosco, Mitacs. Moderator: Alice Aiken, Vice President Research and Newfangling, Dalhousie University.
Seafloor habitat mapping in an ocean of big data: Development of data analysis approaches for map production (Tuesday, 11:30am, Room 127, Goldberg Computer Science Building) — Craig J. Brown from the Nova Scotia Community College will speak.
Architecture Lecture (Tuesday, 6pm, Auditorium, Design Building, 5257 Morris Street) — Marianne McKenna from KPMB Architects will speak. More info here.)
Architecture Lecture (Wednesday, 9am, Cineplex Theatre 7, Park Lane Mall) — Manon Asselin from the University of Montreal School of Architecture will speak. More info here.
USMCeh? Is the New Deal Merely the Old NAFTA, But Less? (Wednesday, 12pm, Lord Dalhousie Room, Henry Hicks Building) — Robert Wolfe, Professor Emeritus from Queen’s University will speak. From the listing:
The United States-Mexico-Canada Agreement (USMCA, or CUSMA) is a little less than the North American Free Trade Agreement (NAFTA), but in some areas a little more since it incorporates some updates introduced in the Trans-Pacific Partnership. The deal avoids the worst of what the US wanted and reduces uncertainty for investors and traders about the rules for North American trade. On balance, the deal is not bad — which is a considerable Canadian achievement, if it gets through Congress….
Two aspects of cholesterol homeostasis: Cholesterol in mitochondria and neuronal cholesterol turnover (Wednesday, 4pm, Theatre A, Tupper Medical Building) — Barbara Karten will speak.
Architecture Lecture (Wednesday, 6pm, Auditorium, Design Building, 5257 Morris Street) — Annmarie Adams from McGill University will speak. More info here.)
Mount Saint Vincent
Stanley’s Dream: The Canadian Medical Expedition to Easter Island (Wednesday, 7pm, Alumni Hall) — Jacalyn Duffin from Queens’ University will speak on her new book project. Info here.
In the harbour
01:00: Horizon Star, offshore supply ship, sails from Pier 9 for sea
03:00: CSL Tacoma, bulker, arrives at National Gypsum from Norfolk
05:30: Glorious Leader, car carrier, arrives at Autoport from Southampton, England
18:00: Atlantic Enterprise, tug, sails from Pier 9 for sea
20:30: Glorious Leader sails for sea
I’m going on radio silence for a few days. That means we’ll have guest writers for Morning File the next three days, and I won’t be responding to email or be in the comments or on social media. Check for new posts either at the Halifax Examiner Facebook page or on the Examiner’s Twitter account. If you have some truly pressing need, email iris “at” halifaxexaminer.ca, and she can get in touch with me if it’s absolutely necessary. Otherwise, the Examiner is in the extremely capable hands of Iris; she’s in charge for a while.
The Halifax Examiner is an advertising-free, subscriber-supported news site. Your subscription makes this work possible; please subscribe.
Great reporting here. What scares me is that there is probably so much going on that never gets covered at all.
This is amazing reporting. The innovation industry is such crap – I know, I’ve worked in it.