Businesses in Québec Should Prepare to Deal with “Assistants” to the Elderly

Further to the adoption of Bill 18, Québec individuals, including the elderly, who may wish to do so will soon be allowed to appoint one or two “assistants” to help them, a role that will be legally recognized through an amendment being made to the Civil Code of Québec.

Many feel the various protection regimes currently available for vulnerable individuals in Québec leave a gap, especially for family members wishing to help parents and the like with their everyday lives. This sort of situation often includes helping parents understand situations they may find themselves in, asking questions (of government officials or businesses, for example) and interacting with third parties with which the elderly may be required to deal day-to-day. A good example may be calling a bank on behalf of a parent who is a client of the institution but unwilling or unable to call him/herself.

The new role of assistants is being created to help fill that gap and avoid often-seen situations where an organization may refuse to talk to a person who is not the citizen or the client at issue him/herself, unless the caller can show he/she has legal authority. To avoid this problem, assistants will be provided with a special status under Québec law, it being understood that their role will NOT be to decide or make decisions for protected individuals, but rather to assist and speak for them, whenever it may be required.

After November 1, Quebecers who regularly require help will thus be allowed to designate a loved one (who is willing to take on this role) to assist them. After going through the formal process of appointing this person, the name of the assistant will be entered into an online database to be hosted and made available by the Québec Curateur public (pursuant to the new C.c.Q. Article 297.10). Thereafter, anyone who needs to confirm whether a person who contacts them has been duly authorized (as somebody else’s “assistant”) will be allowed to check the database.

One should note that this possibility will be available not only for the elderly but also for other individuals who would benefit from the help of a loved one day-to-day, including those with physical or intellectual limitations, etc.

This change to Québec law will require that businesses and organizations update their protocols to take into account the possibility that users and customers may soon be contacting them through duly appointed intermediaries. Whenever this happens, assuming the proper verifications are made, businesses and organizations will be legally prohibited from refusing to interact with a customer’s assistant. Indeed, assuming the identity of the assistant is ascertained adequately, one will then be obligated by the Civil Code of Québec to deal with the assistant as the assisted person’s representative and intermediary.

Businesses and organizations operating in Québec should start training their staff and update their internal protocols, rules and procedures to allow for this change as to “assistants”.

2FA Codes by SMS: the Illusion of Better Security?

Even though two-factor authentication (“2FA”) is great to secure apps and online accounts, it’s not perfect and hacks do remain possible, even when it is available and turned on by a user. That said, by and large, the odds of getting hacked once you turn on 2FA (for an app or a service) drop dramatically. In today’s world, given the ever-increasing number of computer intrusions, anyone not turning on 2FA for all their accounts is playing with fire, even more so for professionals and businesses.

Though users have a role to play, as you generally need to turn this feature on (at least your organization must), a recent article in TechRepublic pointed to the fact that 2FA is often not as strong as users may think, in particular for apps and services for which 2FA allows transmission of 2FA codes by text message (SMS).

By now, most experts agree that allowing users to get their 2FA codes by SMS, as opposed to generating and receiving them through a dedicated utility such as Google Authenticator, is a bad idea. In fact, it seems allowing this greatly reduces the level of security you get when turning on 2FA. Using 2FA with an authenticator app: great! Using 2FA and getting your codes through SMS: not so much.

The issue here lies in certain businesses (including banks!) electing to still allow 2FA by SMS, presumably to avoid annoying certain customers that may find using an authenticator app bothersome. To appease these users, the feature is allowed to endure to this day, thereby potentially endangering the data of all users.

Basically, we should all turn on 2FA on all apps and online services that allow it (most do in today’s age) AND check whether each app/service allows sending codes by SMS. Often, you (or your organization) may be able to deactivate that functionality, thereby requiring codes to be issued by an authenticator app. If an app/service insists on allowing the issuance of 2FA codes by SMS, you may want to look for an alternate product/service. This is especially important if the data accessed through this tool is sensitive or, God forbid, a third party’s, such as client data or personal information of your customers, etc.

Given the ever-increasing legal requirements to adequately protect data hosted by organizations, implementing adequate (I mean really adequate) cybersecurity is becoming everyone’s business. Don’t be content with activating 2FA; make sure it is actually secure and not just “technically” considered 2FA.

Remember: not all 2FA is good enough. If you get your codes by SMS (or can), you may be getting the poor man’s 2FA, thereby putting your data (or that of your clients) at risk.

And Just Who Really Controls that New Shiny Connected Device of Yours?

With a little help from a friend, I happened on 3 different stories in the news this week that all relate, to some degree or another, to connected devices, including IoT devices and vehicles. If you ask me, it’s hard not to conclude that these 3 stories are symptomatic of a trend. See for yourself:

The first story from this article relates to BMW, in South Korea, that now offers drivers access to certain functionalities installed in their new cars subject to the payment of subscription fees. The article mentions as an example heated seats which may only be used once the user agrees to fork over monthly fees. Failing this, BMW deactivates (or does not activate) the functionality remotely, so that, even though the vehicle technically includes it, it is inoperable. You read this right: you buy the car but not everything works off the bat, until you agree to pay monthly fees, in addition to your purchase price. After all, you just paid $80,000 for that car, what’s $20 per month?

The second story on that theme comes from this article and relates to JOHN DEERE tractors. As you may have read recently, with the war in Ukraine, Russian forces are not only destroying things but also looting, including production and property found on farms. This happened to a bunch of tractors (a couple of million dollars’ worth, apparently) which the Russians “confiscated” and quickly sent back to Russia as spoils of war. Unfortunately for them, once the tractors made it to their new home, Russian forces realized the machines had been (remotely) deactivated by the manufacturer, after they were reported stolen. As Russia just learned, in today’s world, yup, even farm equipment is connected, big time.

I happened on the third story through this article, which deals with one of Amazon’s subsidiaries admitting, this week, that it sometimes provides police with images from RING cameras (installed at customers’), without either consent from those owners or any warrants. Given this is done to help maintain order and ensure safety in our communities, why bother with such trivialities, right?

All three cases are symptoms of the control that manufacturers of connected devices and equipment do retain nowadays. This may be used for good or ill, but the bottom line is that we, as buyers of technology, can no longer assume we will retain control over OUR things, not total control anyway. In the age of the Internet of Things, the truth of the matter is that control will often rest elsewhere, something that can be so even though we may have bought a thing outright.

Next time you buy something that is connected, do ask yourself (and whoever’s selling it to you) to what extent the manufacturer may interact with it remotely, not only to update its firmware but also to disable it or do other things. The answer may surprise you.