Have you ever come across a site that takes great pains to tell you exactly the kind of password you should be using, with what seems to be a pot-pourri of creative ideas for arriving at a string of characters guaranteed to be impossible to memorize?
While acknowledging that the line between memorable and guessable is a thin one, so that it theoretically makes sense to force users through violent contortions designed to build a 'strong password', we should nevertheless not deprive ourselves of the opportunity to exercise critical thinking when registering for new accounts.
Koodo Mobile is a Canadian telco owned by Telus Corporation, whose focus is a younger demographic looking for fixed prices on smartphone plans. As such, the brand has been carefully crafted to balance a trendy vibe with a budget flair. That vibe manifests itself in the header of every web page, starting with the slogan "Choose Happy".

Ostensibly, that happiness ends when you try to request support, or get service from a human being, because its telephone hotline literally hangs up on you as soon as you request help with a prepaid plan. Before doing so, however, it sends you to a cryptic URL that looks like a badly planned weekend vibe coding project: https://widget.telus.tiia.ai/koodoprepaid/koodoprepaid.html

The jarring experience of an experimental widget that assumes we're in a relationship is just starting. By going to its home page, we can see that tiia.ai is, well, a bit rough around the edges, as it claims to still be under construction and shows no signs of any privacy policy to help us understand where our discussions go.

That said, scrolling to the bottom of the page rewards the visitor with all the assurance a nonclickable image can offer: a lock icon and the words 'safe and secure'. What more can you ask for?

In case you're looking to delve deeper into your budding relationship with Koodo's AI assistant, the parent site does offer an FAQ, or what they call "As to your Qs":

This page proudly extols the virtues of a chatbot installed two years ago, in the early days of generative AI, so it comes as a surprise to discover that this tool is still in BETA.
The word salad continues with a somewhat strained description of the recipe used by Telus to concoct this AI helper using "a blend of open-source and proprietary technologies". The cognitive dissonance continues as it is said to have been trained by OpenAI (makers of ChatGPT) and yet is 'proprietary'. By that, we assume that neither Telus nor Koodo own any of it, since the proprietary bit belongs to OpenAI and the non-proprietary aspect is open source code with no guarantees whatsoever.

This is why when the page touts its "commitment to protecting your privacy", it's followed by the stern warning "You must never share any personal information with the tool". That certainly got serious fast. But rest assured: "It’s made to be helpful, safe, and respectful of your privacy."
And in case you thought that relationship was in any way meaningful to "the tool", the FAQ is quick to dispel the claim of the voice mail that hung up on you earlier: "It cannot answer account-specific questions and cannot access information about your Koodo account."

If it is indeed the case that Koodo does respect user privacy, then let's ask its own LLM, by querying ChatGPT itself about the veracity of the claims made in the privacy policy. The response was swift:
My assessment: partially true, but overstated. The policies contain several real privacy-rights commitments that align with Canadian privacy principles, but the claim that they “respect Canadians’ privacy rights” is too broad if read as a guarantee of privacy-protective practices in every case.
It went on:
The weaknesses are significant. Canadian privacy regulators say meaningful consent requires clear explanation of what is collected, who it is shared with, why, and what risks or consequences exist; they also warn that vague purposes such as “service improvement” are not enough. TELUS/Koodo use very broad purposes such as “understand your needs and preferences,” “develop, enhance, market or provide products and services,” and “manage and develop our business and operations.” TELUS’ own examples include device identifiers, usage patterns, Optik TV viewing preferences, inferred lifestyle/product preferences, location data, call/SMS metadata, IP addresses and port numbers, recorded customer interactions, real-time analytics, chatbots, and AI-supported offers. That is a lot of behavioural data for a budget telco customer to be deemed to understand through a layered policy.
In other words, the claims overstate reality, but as with many other companies, the hope is that no one will ever peruse or challenge the privacy policy. ChatGPT states:
The biggest red flag is implied consent by continued use. TELUS’ Privacy Code says that, in general, using products and services constitutes implied consent for TELUS to collect, use and disclose personal information for all identified purposes.
Koodo’s provided page similarly says that unless the customer says otherwise, Koodo will assume consent for the identified purposes. That may be legally common in telecom privacy notices, but it is not the most privacy-respecting posture, especially where the “identified purposes” include analytics, marketing, inferred preferences, location-derived insights, third-party cookies, and AI-driven offer targeting.
There are also cross-border and third-party concerns. TELUS says personal information may be stored or processed outside Canada, including in the cloud, and may be available to foreign government agencies under applicable law.
Ouch. It seems that claims of 'trendy' and 'cheap' eventually lead to implied statements such as 'What do you expect from a budget telco, anyway'? Once you lower your expectations of privacy, everything is fine. As ChatGPT says:
As a privacy-rights claim, it is incomplete and promotional. A more accurate claim would be: “Koodo/TELUS publish privacy commitments aligned with Canadian privacy law and provide some rights and opt-outs, but they also rely on broad purposes, implied consent, analytics, AI-driven personalization, cross-border processing, and third-party advertising technologies.”
Some of those carefully worded claims can be said to be loosely related to the concept of Dark Patterns, particularly as they're used throughout the site to placate users and lower privacy salience.
The fact that ChatGPT insisted on using bold text should not be lost on us, but let's move on, because this is not the Bad Privacy Blog, so we do, eventually, have to get to the security aspects of this messy affair.
What about the security?
Ah yes, the security! Well, let's have a look, shall we? A good place to start is a password form, such as the password reset mechanism for user accounts:

Right off the bat, I tried to use a passphrase - one of the best ways to create a secret that's both easy to remember and difficult to guess - and it told me that I broke one of its numerous cardinal rules, by using a space character.

No space? Why not? That's literally my favourite thing to include in a long passphrase. How can it be a passphrase without being a phrase? Are phrases less secure than passwords?
In the interest of full disclosure, this is an old trick I use to determine whether a site can be trusted with my password or not. What most sites would like us to forget is that websites are not supposed to "know" users' passwords at all.
They're supposed to turn them into mush as soon as they're typed in. In effect, behind those asterisks you see on-screen is a one-way 'digest' of scrambled letters that can't be turned back into the original. So when users return to the site and attempt to log in, the site must only be able to compare the new "mush" with the stored digest.
Your password is never meant to be stored in the clear. Besides the promise of confidentiality, the historical reason for such character rules is that arbitrary characters such as spaces, slashes and other punctuation often used in coding could inadvertently allow malicious users to literally inject nefarious code that breaches security and causes havoc. So as far back as the 90s, registration forms made it clear that such characters were unwelcome.
Since then, and with the advent of simple, effective password-hashing methods available to coders both novice and advanced, the practice has become a kind of canary, hinting at the potential for improper password handling on the part of the website.
So if the Koodo site can't be trusted to hash passwords, can we at least trust it to manage them?
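To make the "mush" argument concrete, here is an added example (not code from the original post, and nothing to do with Koodo's or Telus's actual systems) of how a site can accept any passphrase at all, spaces and punctuation included, and still never store or "know" it. It uses Python's standard library only: hashlib.scrypt as the one-way digest, a random salt per user, hmac.compare_digest for the comparison, and an in-memory SQLite table with placeholder binding so that a passphrase shaped like an injection attempt is treated as plain data. The three sample passphrases and the scrypt cost parameters are constructed for the example and are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample passphrases (not taken from any real site). They deliberately
# contain the characters that old registration forms reject: spaces, slashes,
# quotes, even a string shaped like an SQL injection attempt.
SAMPLE_PASSPHRASES = [
    "correct horse battery staple",
    "it's a trap / or is it?",
    "'; DROP TABLE users; --",
]

# scrypt cost parameters: assumed example values, tune for production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def digest_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Turn the passphrase into a one-way, salted digest.

    Any Unicode string is accepted: a space is just another byte to the KDF,
    so there is no hashing reason to forbid it.
    """
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def open_store() -> sqlite3.Connection:
    """In-memory table holding only usernames, salts and digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, passphrase: str) -> None:
    """Store salt + digest only. The (?) placeholder binding, not a character
    blacklist, is what keeps passphrase contents out of the SQL grammar."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest_passphrase(passphrase, salt)),
    )
    conn.commit()


def verify(conn: sqlite3.Connection, username: str, attempt: str) -> bool:
    """Recompute the digest of the attempt and compare it in constant time."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        digest_passphrase(attempt, bytes(16))
        return False
    salt, stored = row
    return hmac.compare_digest(stored, digest_passphrase(attempt, salt))


def plaintext_stored(conn: sqlite3.Connection, passphrase: str) -> bool:
    """True only if the raw passphrase bytes appear inside any stored digest."""
    needle = passphrase.encode("utf-8")
    rows = conn.execute("SELECT digest FROM users")
    return any(needle in digest for (digest,) in rows)


def demo() -> dict:
    """Register each sample passphrase and report how the store behaves."""
    conn = open_store()
    report = {}
    for i, pw in enumerate(SAMPLE_PASSPHRASES):
        user = f"user{i}"
        register(conn, user, pw)
        report[pw] = {
            "accepted_as_typed": verify(conn, user, pw),
            # Stripping the spaces must fail: the space was part of the secret.
            "without_spaces": verify(conn, user, pw.replace(" ", "")),
            "wrong_passphrase": verify(conn, user, pw + "x"),
            "stored_in_clear": plaintext_stored(conn, pw),
        }
    # The users table must still exist: the injection-shaped passphrase was
    # just data, never SQL.
    report["rows_in_table"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it and every passphrase verifies exactly as typed, the space-stripped and altered variants are rejected, none of the passphrases can be found in the stored digests, and the table still holds three rows after the injection-shaped entry. The point for the reader is the one the post makes: once a site hashes and parameterizes properly, a space in a passphrase costs it nothing, so a rule banning one says something about the site, not about the passphrase.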

After a few attempts at finding a suitably complex password, I settled on one that checked all the boxes and hit 'Reset', confident that I had run the gauntlet and gotten the minor dopamine hit of this convoluted process.
Alas, it was not to be.

In what appeared to be a decidedly rude about-face, the site dismissed its previous assertion and decided that I didn't belong after all.
What's more, as if to goad me into giving it yet another shot after having tried at least a dozen times, it offered an image of a friendly and colourful piñata. I eventually gave up after a few more valiant attempts. After all, there's an actual Koodo office presumably staffed by humans in the middle of town, and I intend to give them a chance to prove that they will not be easily replaced by digital twins.

Not to be outdone, Gemini wanted to make itself useful and remind users that this year's breach of Koodo's parent company, Telus, continues to be one of the largest in history, at over a thousand terabytes of stolen sensitive corporate and personal customer data. Ironically, it allegedly happened because of mishandled passwords.

Some four months after extortionists demanded $65 million from Telus under threat of going public with the data, the company's "Cybersecurity Update" site continues to indicate that the investigation continues, and really... there's no reason to believe that any of your sensitive personal information has been accessed.


A petabyte of data.
No reason.
In conclusion, keep questioning security claims and always take another shot at the piñata when you're told that certain characters should be excluded for your protection.
