Tuesday 24 May 2011

Information Leakage

One of the confounding things about calling up a supplier whether that be an insurance, telecom or TV company is that there is always the series of silly security questions at the start which are supposedly there to prove your identity, protect your data and comply with certain laws about data protection. We should, in the face of such questions, laud our suppliers for their diligence.

So I was sitting at a client's desk yesterday in an office some distance from my designated home office with a very different postcode. As a background to this, I had recently updated my mobile phone with my small business supplier, Vodafone. While I am working away, my mobile phone rings with an 'Unknown Number' which is not unusual so I answer it.

Amidst a great deal of background noise that sounds like a busy call centre, a young lady with a foreign accent says, 'Hi, I am calling from Vodafone. Have you upgraded your mobile handset in the last 12 months?'

Thinking that this is indeed Vodafone calling, I answer, 'Yes'.

'And are you at RG2X XXX?' she asks. This is a full and specific postcode she has mentioned. Spookily, this postcode is not the one coinciding with my business or even home address. This happens to be the exact postal code of the specific building I am sitting in at the very instant I am taking the phone call.

Thinking she is asking about my contract, I answer, 'No.' Before I could qualify that as I thought she meant my business address, she rang off. Alarm bells rang. How on earth would this person know my mobile number and my exact location at that specific instant?

The reality is that it would be easy to know my exact location at that time. She already somehow knew my mobile phone number and my provider. She must then have had access to one or two or possibly both feeds of my cellular signal and/or my GPS location - at that time. The cellular location is likely to be reasonably accurate but may not get me down to the exact postcode. But GPS would.

I called Vodafone immediately and they confirmed that as a company they had not called me. When I explained what had happened, they investigated further by looking on their network systems. From these they could actually recognise the number which had called me. They even dialled it while I waited. They told me that it was a mobile number, not on the Vodafone network, and that it went immediately to a nondescript answerphone message.

Another example of the same issue is that my wife and I get texts continually from either single or multiple companies telling us that we could be liable for compensation of very specific amounts from an accident either one of us is meant to have had. As it happens, we made a claim over a year ago on an insurance policy. However, since we initiated that claim we have changed insurers.

So the party texting must have pretty current access to real data on not just accident data, but insurance holders and their personal data like mobile phone numbers.

The point I am making here, in the wake of, at one end of the spectrum, Sony's embarrassing XBOX network hacking and, at the other, the 'outing' of Ryan Giggs as the holder of the Super Injunction to protect his privacy, is that our data is at the mercy of both able thieves who want our data and the companies who would claim legal access to our information.

To some extent, our data is always at risk from malicious hackers and the like and there is only so much protection we and our suppliers can take. For the most part, data protection systems are reasonably robust. But what is more worrying is what our suppliers are doing with our data willingly.

You see, we often, when buying services online or otherwise, tick boxes accepting either the terms and conditions of a company or even some extra agreement on the use of our data. Because of the positioning of that tick box, most of us would believe that we must accept those terms in order to buy the service. In fact, most supplier systems would stop the transaction at that point and you would end up without the product or service. In other words, you are compelled to tick the box and accept the terms if you want that item. What we don't know is whether we have just waived our rights to certain aspects of the law, particularly Consumer Law but usually Data protection.

If you read such conditions avidly, you may find prominently or otherwise that the firm is inviting you to allow them to share the data with other parties who may either have a legal requirement to access the data or not. The fact is, you tick the box and you have given free rein. What companies are doing here is forcing you to waive your rights.

In practice, they have no right to force you to waive your rights to proper use of the law and that should not be a condition of trading with them as they too are under legal obligation to trade within the confines of the law.

How else does my insurance data end up in the hands of companies who want to sell me an extra service? How else can someone have my mobile number and know my exact location at a given time when calling? How else can maintenance companies know exactly when my Sky Digibox has come off its 3 warranty and call me up the week before it ends purporting to be from Sky? I don't remember being asked if this data could be shared but you can bet your bottom dollar it will be imbedded in the conditions you and I don't bother to read.

The fact is that the rarity is the XBOX network getting hacked. The norm is for companies like Vodafone to allow pretty free access to paying third parties to our data. While they make life improbably and unnecessarily hard for us to access our own accounts, it's easy for third parties to legitimately buy access to our information and plenty of it.

Before we tackle the absurdity of Super Injunctions which, let's face it, are a low number and involve only the rich and are no more than titillation value, why don't we get down to the mundane, everyday misuse of our data from the very companies we contract to, pay through the nose to, for mundane everyday services?

This is the real problem we face about invasion of our privacy.


