About that Data Protection myth

If you follow me on Twitter you might have spotted a recent exchange of views over the last few days with Vodafone. They do a fair job, it has to be said, of engaging in that channel. I’m not sure how joined-up or consistent it is with their other channels, but at least it’s nice to be able to ask a question and get a sort-of-answer.

My question stemmed from a curious experience when trying to contact the Vodafons via their website. They’ve taken the “use our webform, not an email address” approach. And to use the webform, I have to be logged in to the Vodasite using what I consider to be fairly strong credentials: i.e. to register on the site in the first place I had to have the physical phone to hand so that an SMS could be received and a time-limited security code typed in (as well as account details and so on) – you get the picture, nice use of a reasonably secure channel to confirm who I am. [See update below: the same web form is available even if you’re not logged in, going some way to explaining the subsequent requests for further information by email.]

I’m also required, during registration, to supply an email address. In this case, the same one as I then supplied on their webform for further contact.

So having duly completed and sent off my webform, I was surprised to receive the following email two days later [extract, verbatim]:

At Vodafone, we are very particular about the security of every customer’s account to ensure that account specific information is not being shared with a non-account holder.

For me to access your phone account and provide you the account information, please provide me below mentioned security details:

– First Line of Address with Postcode
– Date of Birth
– Payment method
– Account number

Now this seems like an awful lot of personal data to be supplying simply to “prove” that the email address which sits in my securely-registered account is actually mine. Doesn’t it? Is it just me?

And being a bit twitchy about personal data exchange, especially via a channel as insecure as unencrypted email, I take it up with them. And via Twitter, I get that old favourite answer for this odd request: “…because of Data Protection” — and later “…in order to pass Data Protection”.

It’s worth reminding ourselves at this point what the Data Protection Act actually says and does. It’s built around eight fundamental principles which are all fair and reasonable provisions like “you must have consent from someone for the purpose for which you want to hold and process their data”. That sort of thing.

Principle number seven is an interesting one: it requires the company holding personal information to have adequate measures in place to protect it.

And here’s where this particular Data Protection myth arises. A company will often say “Data Protection makes us…” when what they mean is: “in order to mitigate the risk of bad things happening with your data, we’ve decided to implement some internal procedures which we think do the job”.

See the difference?

Let’s just scrutinise what’s happening here: I am being asked to provide personal information via an insecure channel to validate identical information that’s held within an account already held by them, which was created in a more secure channel.

And the company have the brass neck to tell me that “Data Protection” is making them do this?

Frankly, how well or badly they choose to implement their own processes is up to them. Up until the point at which their customers think they’re just so awful that they move to another service provider. That’s the free market; and perhaps this sort of oddness isn’t so whingeworthy.

But what’s made this into a blog post, and something I will be following up with the Information Commissioner’s Office, is this lazy use of tired, old mythspeak to try and present a poorly-designed, internal attempt at risk mitigation as something that the nasty old government has forced them to do.

(I’ve asked for a contact in Vodafone’s Data Protection team to explore this further, but haven’t received one at the time of writing.)

UPDATE: 2100, 17 Oct

Well, Vodafone certainly got engaged (at an accelerated pace once I’d posted this, and it had had a bit of RT love). Tweets, the address for the Data Protection team, and finally a very friendly phone call. Nice work. So it turns out I made an inaccurate assumption in the post above, which puts a different cast on some of the story, but raises other questions. You don’t have to be logged in to the site to use the “contact us” web form. In fact, whether you’re logged in or not (I happened to be), the web form simply has the function of sending an email to Vodafone, to which they will then respond via “standard” email. One might ask why they don’t just provide an email address: I suppose they avoid some spam this way, but you also lose the benefit of being able to see what you reported in your sent items… Swings and roundabouts.

More serious though is that much is made of the web form being secure (https). A level of comfort which is then utterly undermined by the subsequent request for that personal information to be sent back to them in clear email. I offered some alternative approaches, including taking advantage of the ability to log in securely in order to establish a much smoother, and less risky, communication channel. And a few pointers on copywriting to ensure that users don’t get the sort of surprise I did at being asked to email a bunch of personal data back at them.

It makes a certain, convoluted sense that they then have to ask these personal information questions in order to satisfy their Principle Seven obligations, but only because they’ve paid insufficient attention to contact design in the first place. I noted that in all the online transactions I’ve used (and that’s quite a lot), some of them involving rather bigger lumps of money, or data of greater sensitivity, than a phone account, I’d never been asked to provide information in clear like this. And that by itself should be a clue that all was not as it should be. The combination of address, date of birth, and an account number provides a malefactor with a heck of a headstart in further social engineering, and there’s really no excuse for asking it to be passed over like that.

We’ll see what changes.

Vodafone fan mail…

Dear Arun

Would you mind confirming the first line of your address, your postcode and your date of birth?

Thought so. It’s not much of a way to begin a conversation, is it? So imagine how things went last Thursday when Vodafone called up and asked me precisely that. Or go and dig out the recording – around 5pm on 9 April 2009, to 07*** *84100. You may find it enlightening.

“Is it important that I answer these questions?” I said. “Surely as you’ve called me, shouldn’t I be trying to prove you are who you say you are rather than the other way around?” “What exactly is the purpose of this call anyway?”

And so on. But to each request, the same stonewall: “I can’t say anything more to you until you confirm your personal details to me.” “Not even to let me know if this is a sales call: yes, or no?” “I can’t tell you that until…”

“Sounds like phishing,” I said, “cold calling and asking me for information. This really must be important…”

Deadlocked, I gave in, concerned that not doing so might result in continuation of a fraud, or loss of future service on that number. Because those are the real and only reasons I want to hear from you like that. If I’m the villain with the stolen phone then I need to be rumbled, so you can shut the line down. That protects my interests. That’s your job as my service provider.

Instead your happy call-centre employee says: “I am pleased to tell you that you’ve been pre-selected for…”

When you play the call back, Arun, you’ll hear that things go a little downhill at this point. Mainly because I’m bellowing along the lines of: “How dare you…”

I cannot quite believe any company could be so stupid as to treat its customers like this. Before the cold calls are made do you pay the faintest attention to the actual relationship you have with the person you’re calling? If you had, you’d realise that my Vodafone number is a £20/month deal, with a one month’s notice termination option. It’s a commodity, for heaven’s sake. I can (and will) go to any other service provider to replace it.

And stupid enough to think that someone needs to be securely authenticated in order to sell them things. Let’s imagine I had been Mr Burglar, heading away from my house with that phone. Would you have cut the line off if the right answers hadn’t been forthcoming? Actually, I’m slightly scared that the answer might even be yes to that one…

What a total waste of my time. And a great way to embed in customers’ heads that it’s perfectly normal to get calls out of the blue requiring ‘essential’ personal information.

Big round of applause to Vodafone for this particular stroke of brilliance. You’re doing the phishers a nice big favour with that one!

I’d love to hear your side of this one, by the way. Doesn’t it seem just ever so slightly crass to you?

Yours sincerely,