honestlyreal

About that Data Protection myth

If you follow me on Twitter you might have spotted a recent exchange of views over the last few days with Vodafone. They do a fair job, it has to be said, of engaging in that channel. I’m not sure how joined-up or consistent it is with their other channels, but at least it’s nice to be able to ask a question and get a sort-of-answer.

My question stemmed from a curious experience when trying to contact the Vodafons via their website. They’ve taken the “use our webform, not an email address” approach. And to use the webform, I have to be logged in to the Vodasite using what I consider to be fairly strong credentials: i.e. to register on the site in the first place I had to have the physical phone to hand so that an SMS could be received and a time-limited security code typed in (as well as account details and so on). You get the picture: nice use of a reasonably secure channel to confirm who I am. [See update below: the same web form is available even if you're not logged in, going some way to explaining the subsequent requests for further information by email.]

I’m also required, during registration, to supply an email address. In this case, the same one as I then supplied on their webform for further contact.

So having duly completed and sent off my webform, I was surprised to receive the following email two days later [extract, verbatim]:

At Vodafone, we are very particular about the security of every customer’s account to ensure that account specific information is not being shared with a non-account holder.

For me to access your phone account and provide you the account information, please provide me below mentioned security details:

- First Line of Address with Postcode
- Date of Birth
- Payment method
- Account number

Now this seems like an awful lot of personal data to be supplying simply to “prove” that the email address which sits in my securely-registered account is actually mine. Doesn’t it? Is it just me?

And being a bit twitchy about personal data exchange, especially via a channel as insecure as unencrypted email, I take it up with them. And via Twitter, I get that old favourite answer for this odd request: “…because of Data Protection” — and later “…in order to pass Data Protection”.

It’s worth reminding ourselves at this point what the Data Protection Act actually says and does. It’s built around eight fundamental principles which are all fair and reasonable provisions like “you must have consent from someone for the purpose for which you want to hold and process their data”. That sort of thing.

Principle number seven is an interesting one: it requires the company holding personal information to have adequate measures in place to protect it.

And here’s where this particular Data Protection myth arises. A company will often say “Data Protection makes us…” when what they mean is: “in order to mitigate the risk of bad things happening with your data, we’ve decided to implement some internal procedures which we think do the job”.

See the difference?

Let’s just scrutinise what’s happening here: I am being asked to provide personal information via an insecure channel to validate identical information that’s held within an account already held by them, which was created in a more secure channel.

And the company have the brass neck to tell me that “Data Protection” is making them do this?

Frankly, how well or badly they choose to implement their own processes is up to them. Up until the point at which their customers think they’re just so awful that they move to another service provider. That’s the free market; and perhaps this sort of oddness isn’t so whingeworthy.

But what’s made this into a blog post, and something I will be following up with the Information Commissioner’s Office, is this lazy use of tired, old mythspeak to try and present a poorly-designed, internal attempt at risk mitigation as something that the nasty old government has forced them to do.

(I’ve asked for a contact in Vodafone’s Data Protection team to explore this further, but haven’t received one at the time of writing.)

UPDATE: 2100, 17 Oct

Well, Vodafone certainly got engaged (at an accelerated pace once I’d posted this, and it had had a bit of RT love). Tweets, the address for the Data Protection team, and finally a very friendly phone call. Nice work. So it turns out I made an inaccurate assumption in the post above, which puts a different cast on some of the story, but raises other questions. You don’t have to be logged in to the site to use the “contact us” web form. In fact, whether you’re logged in or not (I happened to be), the web form simply has the function of sending an email to Vodafone, to which they will then respond via “standard” email. One might ask why they don’t just provide an email address: I suppose they avoid some spam this way, but you also lose the benefit of being able to see what you reported in your sent items… Swings and roundabouts.

More serious though is that much is made of the web form being secure (https). A level of comfort which is then utterly undermined by the subsequent request for that personal information to be sent back to them in clear email. I offered some alternative approaches, including taking advantage of the ability to log in securely in order to establish a much smoother, and less risky, communication channel. And a few pointers on copywriting to ensure that users don’t get the sort of surprise I did at being asked to email a bunch of personal data back at them.

It makes a certain, convoluted sense that they then have to ask these personal information questions in order to satisfy their Principle Seven obligations, but only because they’ve paid insufficient attention to contact design in the first place. I noted that in all the online transactions I’ve used (and that’s quite a lot), some of them involving rather bigger lumps of money, or data of greater sensitivity, than a phone account, I’d never been asked to provide information in clear like this. And that by itself should be a clue that all was not as it should be. The combination of address, date of birth, and an account number provides a malefactor with a heck of a headstart in further social engineering, and there’s really no excuse for asking it to be passed over like that.

We’ll see what changes.

Category: Other

8 Responses

  1. Haha, I feel more sorry for the poor developers, designers and product managers that were no doubt involved in many endless and soul destroying meetings necessary to put this kind of ridiculously broken process in place.

    Anyway, don’t waste too much time on Vodafone. Big companies doing things really badly is actually a good thing because it means there’s an opportunity for smaller startups to come along and do it in a better way – and hopefully one day take their customers too :-)

  2. Dan Knowlson says:

    Great blog and so very true. Probably too many people involved in making the decisions along the way.

  3. Phil says:

    Good afternoon Paul,

    I’ve taken a read of your blog around Data Protection and can understand that you have questions around the Data Protection system along with supplying information on an email.

    I’ve responded to your tweets on Twitter and given you the contact details for the team who will be able to answer your queries around this.

    I appreciate that this has been going on for some time and hasn’t been resolved as quickly as it could have. I’m keen to help resolve the issue that led you to our ‘contact us’ page, so if you could get in touch with us on Twitter I’ll be happy to contact you to discuss further.

    Many thanks,

    Phil
    Web Relations Team
    Vodafone UK

  4. Ken Davidson says:

    …and it’s all well and good if your personal data matches what they have on file. Carphone Warehouse (let that name forever be tarnished!) advised me that I couldn’t get a refund on an amount they’d taken in error via Direct Debit because my d.o.b. didn’t match what they had on file. What they had on file was wrong, but they couldn’t tell me (obviously) what it was. I was given two options: firstly I could guess another 364 times (seriously, wtf?!), or visit one of their shops with all my ID. When asked if they’d pick up the tab for loss of time and travel costs they said no. At the time I tweeted and blogged about it until I was blue in the face. I wrote letters. Next step was Mr Ombudsman. In the end they won £6 from me because I value my time more than the £6 they blagged. Hmmm. A conspiracy theorist would have a field day.

  5. Failing to supply an email address (rather than a web contact form) might well be a breach of the e-commerce directive. Certainly if they were providing an information society service it would be. You are not allowed to restrict contact to a webform. You can suck up the spam. I run a small (niche tech. law) business and publish my email address (see above) and that’s how I do it.

  6. Ali Granger says:

    I have had exactly the same issue with Virgin Media. I have raised issues from a secure webform, logged in, but am emailed back to ask for my password before we proceed.

    I like the service I receive from them, but this seems like an incredible fail on their part. So far I have not had any response from them when I’ve queried the workings of their systems, but I suspect it will be similar to the reasoning Vodafone have given you.

  7. Dave W says:

    Oh please, someone look into if there’s a breach of code by them not supplying a contact email address!! :)

  8. Dan Knowlson says:

    An email address is required under the legislation, which clearly states that a contact form only is not sufficient.

    Take a look at http://www.out-law.com/page-431 and the “Minimum information to be provided” section, second bullet point.
