Ash's Ramblings

Translucent Privacy

Just recently there's been a lot of hoo-hah about information privacy. I think it started with the almighty cock-up at ACS:Law - effectively they were hacked and all their company email was leaked onto the internet. The emails contained lists of people accused of online piracy (that's accused, not convicted). Now there are legal challenges left, right and centre from ISPs against legal firms trying to get customer information so they know who to sue. The farcical Digital Economy Act obliges the ISPs to simply hand over all information requested, but then that's what you get for passing a piece of legislation that most MPs clearly didn't bother to read.

DEA rant aside, I've received a lot of privacy-related stuff from lots of companies recently. My ISP has contacted me with a copy of their privacy policy, and my credit card company has done the same. For any company of which I am a customer, I have actually looked for their privacy policy. And although they give lots of information - my credit card company, for example, gives two A4 pages of text about what information they collect and store, how they collect it, how it's used, etc. - none of the privacy policies I've seen so far actually answer the two most important questions I have about my personal data: how it's stored, and who has access to it.

I got a sales call from my phone company the other day; they asked me how much on average I spend a month. I simply answered "if you really are from my phone company then you can tell me", to which I was told that the sales team only have access to names and phone numbers, not to actual customer records. Which actually annoyed me. Firstly, if they had access to this information they could tell I spend very little on my phone bill and am therefore highly unlikely to want to upgrade to a more expensive service. But secondly, and more importantly, this implies that the information the phone company actually owns, i.e. my phone records, is treated with a higher level of security than my personal details. I'd love to know exactly what parts of my personal information are accessible to which parts of the company, but the privacy policy makes no attempt to tell me, and if I perform a freedom of information request I'll only get the data they hold on me, not who has access to it.

Additionally, the ACS:Law cock-up happened because ACS:Law don't encrypt their internal email. Not only that, but BT have since admitted that they've sent customer details across the internet in plain text email without using any encryption or security whatsoever. This genuinely concerns me, and I'll certainly think twice about using BT for anything in the future. But what worries me the most is that BT and ACS:Law clearly both have a very lax attitude to information security - so how many other companies have the same attitude? You can't tell simply with a freedom of information request or a privacy policy whether a company has a competent information security policy... or indeed any security policy at all.

My solution? Simple: along with each privacy policy there should be an information security policy. In the same way that a company is not allowed to store personal information unless they provide a privacy policy outlining what information is collected and how it is used, I believe that no company should be allowed to use, collect or store personal information unless they also provide an up-to-date document describing their information storage systems, what level of security is being used, and who has access to it. Perhaps there should even be a requirement that anyone storing personal info should make their security systems available for independent inspection, although I can see how certain industries (i.e. defence) might have a legitimate problem with that.

I think the biggest problem with storing personal information in the digital age has nothing to do with evil intent; it's ignorance that's the biggest problem.