Mobile phone hacking and the e-Privacy Regulations

Given the recent furore about the News of the World and other tabloids engaging in unauthorised access to voicemails, I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.

The law

There are a few pieces of legislation in Ireland that would come into play here:

  1. The Data Protection Acts 1988 and 2003
  2. The Criminal Damage Act 1991
  3. The Criminal Justice (Theft and Fraud Offences) Act 2001
  4. The Postal and Telecommunications Services Act 1983
  5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
  6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

The Data Protection Acts

The Data Protection Acts require that personal data be obtained and processed fairly.

Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F, when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The right to Freedom of Expression is only protected where there is an intent to actually express something, and where the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

Criminal Damage Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damage Act 1991. This Act makes it an offence to access information without authorisation and to modify that information, whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”). The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However, the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

So… accessing a voicemail box (which is itself stored on a device operating automatically in response to instructions, i.e. a computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big questions to answer here are:

  • What’s a computer?
  • What’s dishonest?

It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

The 1983 and 1993 Acts

Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

“listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting on a mail host somewhere) may not be covered.

Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted, and that this probably left the State falling short of its obligations under the ePrivacy Directive.

The European Commission rejected DRI’s submission at the time.

Electronic Privacy Regulations

The new ePrivacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile voicemail services and, for that matter, in fixed line services which provide a voice mailbox.

For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the messages recorded in the mailbox insecure, since a published default is the first thing anyone attempting unauthorised access will try.

The complication in Irish law for the telcos is that section 4 of the ePrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to

  1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, having regard to the state of the art and the cost of implementation (section 4(1))
  2. Ensure that the security measures protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

Section 4(4) is the doozy I feel.

“In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electronic communications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved.”

My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally, implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.
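The mitigation just described (issue each customer a random PIN rather than a shared default) is easy to get wrong if the random PIN is itself drawn badly or if mailboxes already provisioned are never revisited. The Python below is an added example, not code from the post or from any operator’s voicemail platform: it draws PINs from the operating system’s cryptographic random source, rejects known defaults and keypad runs, and audits a constructed mailbox table for accounts still on a weak PIN. The default list (0000 and 1234, taken from the post), the mailbox sample and the idea that the reissued PIN then goes to an SMS or postal notification step are all assumptions.

```python
"""Voicemail PIN hygiene at provisioning time: refuse default or trivially guessable PINs
and issue a random one instead. Added illustration; not any operator's platform code."""
import secrets

# Assumed defaults, taken from the post: 0000 on mobile platforms, 1234 on many fixed-line ones.
KNOWN_DEFAULTS = {"0000", "1234"}


def is_weak_pin(pin):
    """True for a known default, a repeated digit (7777) or a keypad run (3456, 9876)."""
    if not (isinstance(pin, str) and pin.isdigit() and len(pin) >= 4):
        return True                      # wrong shape is treated as unacceptable
    if pin in KNOWN_DEFAULTS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})          # strictly ascending or descending run


def generate_pin(length=4):
    """Draw digits from the OS CSPRNG (secrets, not random) and retry until the PIN passes."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not is_weak_pin(pin):
            return pin


def audit_mailboxes(mailboxes):
    """Return the mailbox ids whose stored PIN is still weak. `mailboxes` is an {id: pin}
    mapping; the sample in __main__ is constructed and stands in for the subscriber store."""
    return sorted(mid for mid, pin in mailboxes.items() if is_weak_pin(pin))


def reissue_weak_pins(mailboxes):
    """Provisioning pass: replace every weak PIN with a fresh random one and return the
    {id: new_pin} map that would feed the (assumed) SMS or postal notification step."""
    return {mid: generate_pin() for mid in audit_mailboxes(mailboxes)}


if __name__ == "__main__":
    sample = {"mbx-001": "0000", "mbx-002": "4917", "mbx-003": "1234", "mbx-004": "9876"}
    print("still on weak PINs:", audit_mailboxes(sample))   # ['mbx-001', 'mbx-003', 'mbx-004']
    print("reissued:", reissue_weak_pins(sample))
```

A platform that stores PIN hashes rather than plaintext can still run the default check by hashing the default list and comparing, but the pattern checks only work at the moment the customer chooses a PIN, so they belong in the set-PIN flow as well as in provisioning.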

And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

Conclusion

The world of telecommunications and person-to-person linking using tools like VOIP, SMS, instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall that when I started working with a large telco in the summer of 1997 digital voice mail was a massively new-fangled thing; had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone, I’d probably have laughed.

But that is what we do every day now.

The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

I invite any comments or corrections from more learned colleagues.


New Rules, Old Principles

This was first posted on the Irish Computer Society Data Protection Blog. I am republishing it here as it is my original work and I am putting all my Data Protection musings in one place.

So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new stuff is merely an incremental evolution of the underlying principles of Data Protection to address the privacy concerns presented by new technologies, the maturing of existing technologies, and the emergence of new ways of processing personal data.

The key to ensuring compliance with these revised rules is to ensure that you have a solid understanding of the underlying principles of Data Protection and the role of information in your organisation (its meaning and purpose) so that you can better understand how the actions of your staff and the systems you use to interact with your customers might affect your ability to work within the regulations.

An earlier post discussed the likely impact on Cookies from the regulations. In short, you need to understand when, where, how, and why your websites and mobile device apps are writing data to your customer’s “subscriber equipment” [aka the device that is at the end of the telecommunications service connection, be that a physical phone line, wifi, 3G, GPRS, HSDPA etc.]. Once you know that information you can figure out what data storage requires consent and what data storage is essential to the delivery of the information age service.

Another interesting and subtle change is that the Commissioner has removed the ‘grey area’ around collecting email addresses in business networking or similar activities. Before there was an assumption of “one bite free” where you could contact people once but give them the option to opt out of future contact. This is now very categorically an opt-in thing where you are sending emails to an identifiable natural person, particularly where that person is not party to a customer relationship.

You can still avail of the “free bite of the apple” when dealing with non-individually identifiable business entities, and with individuals in organisations who might reasonably be interested in the product, service, or subject matter of the message.

A worked example might help explain this better.

  • Frank is a sales man for BloggoTech. At a trade fair he meets Jerry, who is a purchasing manager from ClientCo, who BloggoTech have an existing relationship with.
  • Frank also meets Mary, a marketing manager from ProspectCo. Neither Mary nor ProspectCo are clients of BloggoTech.
  • Jerry gives Frank an email address to contact him at: Jerry.Client@ClientCo.ie
  • Frank also has ClientCo’s general contact email address: info@clientco.ie
  • Mary gives Frank her business card with email, phone, SMS etc.
  • The business card also has “info@prospectco.com” as a general contact email address.

Frank can contact Jerry by any contact point he has for him (subject to Jerry making his preferences known) because ClientCo are an existing client who have purchased within the last 12 months. As soon as Jerry asks Frank to stop contacting him by whatever contact mechanisms or for whatever purposes, Frank must do so.

Mary, however, poses a problem in light of the revised guidance. If Frank has not gotten her permission to do a follow up contact with her then the only email address he can use is the “info@prospectco.com” email, unless he is communicating with Mary about something that he knows will be of interest to her. Of course, he has the option of sending a fax for her attention (which the company can opt out of), or posting her materials by snail mail (which she can opt out of).

This relates to the fundamental principle that personal data must be obtained fairly, for a specified and lawful purpose.

Many people might protest that requiring people at conferences to get consent before doing a follow up contact is unduly burdensome, but it is actually quite simple. When handing over your business cards, simply ask “Is it OK if I drop you an email later in the week with some information about [insert subject matter here] and a link to our newsletter sign up?”. This simple conversation point clarifies that you will be contacting the person, and clarifies the context in which you will be communicating with them.

There.. consent obtained.

The real challenge is presented to event organisers who might share lists of delegates at an event with other attendees. Care must be taken to remove any means of electronic contact. But most large data management events I attend provide heavily redacted delegate lists that identify the person and the company, and perhaps their country, but not enough that you could contact them directly from it. So, event organisers need to start thinking about contact information as valuable data which should not be shared.

I’ve had experience with a business networking event sharing my details willy-nilly in an attachment sent to the other 100+ people who had registered for the event (which would be a notifiable disclosure under the Data Breach Code of Practice). The problem could have been prevented by simply having an opt-in box telling me that my details could be shared if I wanted them to be.

In short… designing privacy into the process, not inspecting breaches out.

Companies exhibiting at events need to up their game away from the “business card fishbowl” with a spurious raffle to collate contact details. Again, a little thought can help design a safer and more compliant process (a tick box for consent to further contact for purposes not related to the raffle for example, or clarification that anyone entering the raffle will receive one marketing email). After all, if the guidance from the DPC is that the communication needs to be relevant to the interests of the Data Subject, I might only want to receive communications from the company about the iPad I’ve won.

The new rules are built on old principles. If you understand the principles and take them to heart you can begin to develop strategies for using the new rules to your advantage.

Three strikes – you’re out(?)

I’ve recently been pondering the 3-strikes process which is used by eircom to police illegal content uploaders and the Data Protection implications of same. [By way of full disclosure, I used to work there in a role that involved me analysing processes and finding out where they were broken and potentially non-compliant with a host of regulations. That said, given that when employed there a big part of my job was to call b*llshit on defective processes and get them fixed or killed, I would not consider myself an apologist for eircom].

The process (as I understand it) is this.

  1. A person goes onto a torrent site and seeds a torrent with copyright protected material.
  2. As part of seeding the torrent, their IP address is published in the torrent service.
  3. A 3rd party company monitors torrents and flags to eircom IP addresses and details of copyrighted materials that are being seeded.
  4. eircom checks the IP addresses provided against the IP addresses in use by customers at the time of the seeding and a letter is produced informing the customer that copyright protected content was being distributed illegally via their account. They are given three chances to prevent this distribution before their account is suspended.

So. What is happening here? An illegal act is being committed in a public place (IP addresses are published in the torrent service). This public data is passed to an ISP who seeks to associate the IP address with a named ‘controller’ of the service, who is then advised that an illegal act was committed using their service and advising them to ensure that the activity ceases.  Music labels are not told of the offenders. Personal data of eircom customers is not transferred to music labels.

No data is passed about individual customers to any 3rd party by eircom. eircom acts on public data compiled and processed by a 3rd party on their behalf. Eircom processes this information in order to enforce sections 5.5 and 5.6 of the Terms and Conditions which govern their Broadband service.

The analogy I would draw is with the system for enforcing speed limits using traffic cameras. If your car is on the motorway doing 135kmh and you are snapped by a traffic camera in a GATSO van operated by a private company working on behalf of the authorities, your car registration number and the record of the speed you were doing when snapped is sent for processing against the vehicle licensing database which associates the registration number with a named person (the registered owner of the car). A few weeks after you are snapped you receive a letter in the post with a copy of the photograph, details of the speed, and details of the fine you will have to pay.

An illegal act, in a public place, where a publicly visible identifier can be recorded, which can then be associated with other information to identify the nominated responsible person for the conduct of that vehicle. The parallel is, at least to me, very clear.

It is also very clear that in both the Broadband case and the Traffic camera case there are certain evidentiary controls that need to be in place to ensure that data is being processed fairly and accurately, and appropriate safeguards need to be in place to ensure that data is not processed or disclosed unlawfully.

For example, eircom recently had an issue where a number of customers received warning letters about downloading which did not relate to them. The root cause was a server which failed to apply the clock change to Summer Time, meaning the timestamps associated with IP addresses were out by an hour and the addresses were matched against the wrong customers’ sessions. Accurate timestamping and recording of location data of traffic cameras is also important, as the Australian State of New South Wales and the US city of Long View discovered recently.

Of course, it is important to point out that eircom did not send personal data about Customer A to Customer B. They simply attributed, erroneously, the actions of Customer A to Customer B.
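The attribution step (steps 3 and 4 of the process above) and the clock-change failure just described can be shown in a few lines. The Python below is an added example with constructed data; it is not eircom’s process or code, and the session log, the addresses and the report time are assumptions. It compares the reported time against the session log in UTC, and then shows how the same report, read on a server that missed the switch to Summer Time, lands an hour later and inside a different customer’s session.

```python
"""Match a seeding report (IP address + time seen) to the subscriber session that held
the address, and show how a missed clock change shifts the match to the wrong customer.
Added illustration with constructed data; not eircom's process or code."""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    DUBLIN = ZoneInfo("Europe/Dublin")
except Exception:
    # No tz database on this host: fall back to the fixed summer offset (UTC+1) that
    # applies on the constructed date below. A fixed offset would be wrong in winter.
    DUBLIN = timezone(timedelta(hours=1), "IST")

# Constructed session log (assumption): dynamic address 10.1.2.3 was held by customer A
# until 10:30 UTC on 10 April 2011, then reassigned to customer B. A real source would be
# RADIUS accounting or DHCP lease records, and every row would be stored in UTC.
SESSIONS = [
    {"ip": "10.1.2.3", "customer": "A",
     "start": datetime(2011, 4, 10, 2, 0, tzinfo=timezone.utc),
     "end": datetime(2011, 4, 10, 10, 30, tzinfo=timezone.utc)},
    {"ip": "10.1.2.3", "customer": "B",
     "start": datetime(2011, 4, 10, 10, 30, tzinfo=timezone.utc),
     "end": datetime(2011, 4, 10, 20, 0, tzinfo=timezone.utc)},
]


def attribute(ip, seen_at):
    """Return the customer holding `ip` at the timezone-aware instant `seen_at`, or None.
    The comparison is always done in UTC, whatever zone the report arrived in."""
    if seen_at.tzinfo is None:
        raise ValueError("report time must be timezone-aware")
    t = seen_at.astimezone(timezone.utc)
    for s in SESSIONS:
        if s["ip"] == ip and s["start"] <= t < s["end"]:
            return s["customer"]
    return None


def parse_report(stamp, tz):
    """Parse a monitoring firm's wall-clock stamp 'YYYY-MM-DD HH:MM' in the zone it was written in."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz)


def attribute_utc(ip, stamp):
    """Convenience wrapper for reports already expressed in UTC."""
    return attribute(ip, parse_report(stamp, timezone.utc))


# Constructed report: the address was seen seeding at 11:15 Irish Summer Time,
# which is 10:15 UTC and therefore inside customer A's session.
REPORT_IP, REPORT_TIME = "10.1.2.3", "2011-04-10 11:15"


def correct_attribution():
    """Read the stamp in the zone it was written in: customer A."""
    return attribute(REPORT_IP, parse_report(REPORT_TIME, DUBLIN))


def broken_attribution():
    """Failure mode from the post: the server missed the switch to Summer Time, so the
    stamp is taken as 11:15 UTC, an hour late, and falls in customer B's session."""
    return attribute(REPORT_IP, parse_report(REPORT_TIME, timezone.utc))


if __name__ == "__main__":
    print("correct:", correct_attribution())   # A
    print("broken: ", broken_attribution())    # B
```

The evidentiary control here is simple but easy to skip: every timestamp that crosses a system boundary carries its zone, and the comparison happens in UTC. Note also that even the correct match only identifies the account holder for the session, not the person at the keyboard, which is the point the post makes about “lack of domestic control”.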

The Data Protection Acts do not provide a shield behind which people who commit offences can hide. The right to Privacy is not an absolute one and must be balanced. So long as the processing of the data is done in a manner which does not infringe privacy or result in unwarranted disclosure of personal data, companies have a legitimate interest in ensuring that they can enforce the terms and conditions of contracts that are entered into.

Where people choose to commit an illegal act in a public manner, or where through neglect or lack of domestic control they allow such acts to be committed, then a polite but firm reminder of their duties as parties to the contract is to be expected. Where that reminder is provided without personal data being disclosed to 3rd parties (as was the case previously) then this is a half-way house that balances competing rights, but one which must be kept under constant scrutiny to ensure that there is no scope creep, function spread, leakage or abuse.

The Cookie Monster Cometh

First published on the Irish Computer Society Data Protection Blog. Republished here as it is my original work and I’m putting all my Data Protection musings in one place.

So, this day next week (26th May) will see the introduction into Irish Law of Directive 2009/136/EC. It’s a tweak to the existing electronic privacy regulations. The ones that relate to spamming by fax, email and SMS and carry penalties of up to €5000 per breach.

[update: Well the deadline came and went without the Irish Government enacting the legislation. We await further developments]

[Update 2: Legislation in effect from 1st July 2011. See Data Protection Commissioner website for Guidance Note]

These new regulations relate to Cookies, those little text files which are written to your computer by websites. Of course, it’s not just text files. Flash also has a version of ‘cookies’ to help track your interactions with flash movies or activities (so if you go away you can restart where you left off rather than having to go back to the beginning – for example in an e-learning package). The intention of the Directive is (amongst other things) to improve the personal privacy of internet users by controlling the use of cookies.

While the intent of the Directive (to come into effect in a Statutory Instrument next Thursday) is relatively straightforward, the practicalities of implementing it may be challenging for organisations. Added to that there is a level of unawareness about the issue in Ireland, particularly on the business side of organisations. This will actually be the biggest challenge to Compliance.

Organisations now need to step back and stop thinking of cookies and web development as a techie issue. Cookies are a data asset of the organisation which you use to achieve certain goals and purposes. The key issues that need to be considered are:

  • What are your processes and their objectives?
  • How do cookies help you achieve those goals?
  • What information do you need to be writing to cookies to achieve your goals?
  • What things/services that people want to use on your site won’t work without cookies?

The Regulations set out two sets of conditions where the use of the cookies is permitted. Either:

  1. You have gotten informed consent from the Data Subject by way of providing prominent and accessible information about your use of cookies and providing some means of recording the consent to those purposes (fyi: this cannot be a ‘passive’ process) OR
  2. Being able to identify that the use of the Cookies is strictly necessary for the delivery of services explicitly requested by the subscriber

Being a little bit blunt about this, the first condition is only slightly more onerous than the existing requirements on websites which process personal data about individuals, which already have to provide a coherent statement of what they are going to use the personal data for (most don’t, in my experience; the standard of some that I have looked at over the past few years often leaves a lot to be desired and is indicative of a ‘tick the box’ approach to Compliance).

The second condition, however, gives a conditional pass, similar to the Lawful Processing condition of ‘necessary to complete a contract’ under section 2 of the Data Protection Acts 1988 and 2003. Basically, it applies if you can demonstrate that the thing the customer wants to do (and has asked to do) can’t be done without having a cookie to temporarily store some data on the subscriber’s ‘terminal equipment’.

So. How do you do that? And how do you identify which of the cookies your site and processes are writing fall into the camp of needing to be flagged and consented to and which ones fall into the ‘doable because we can’t deliver without it’?

By stepping back and looking at the MEANING and PURPOSE of the information you are writing to the devices of people who are visiting your site you can start to make informed business driven choices about what needs to be changed and why in terms of how your websites work. This means having to look at the process flow and information flow underpinning your website and informing yourself about what is being done where, why, how, and by whom.

I can’t upload graphics to this blog, but over the next few weeks I’ll post some articles over on my company website that will examine some of the approaches to doing that kind of analysis as part of an Information Governance framework that will support Data Protection goals. However, it is important to note that this is not a job (just) for techies because you need to be very clear on the “Just because you can doesn’t mean you should” aspects of Data Protection. This must be led by the Business leadership of the organisation because, ultimately, they are the people who will have to explain to the Data Protection Commissioner, the Courts, and Joe Duffy what the cookies on the website were doing.

When you write a cookie to someone’s device (pc, phone etc.) you are essentially renting space from them to store information about them or their behaviour or what their interactions might be. Individuals can limit your ability to rent that space using browser settings to block cookies, but at the current state of the art these are somewhat crude tools and, in the case of Flash, are not actually a complete set of tools (you need to do different things to block Flash Cookies).

The forthcoming regulations seek to introduce a rebalancing of the rights and duties relating to the information stored by and represented in cookies in line with the spirit and practice of Data Protection law and Privacy rights. It will take time for that balance to settle, but those who take the time now to understand the meaning and purpose of cookies they are using and their role in the processes running on their websites will be in a much stronger position to meet future Compliance standards under these regulations.

Bank of Ireland Customers – check your balances

As the May Bank Holiday draws to a close, I’d like to remind customers of Bank of Ireland that they should take a careful look at their account balances this week if they have been using laser (debit card) or ATM services over the weekend. If you do find you’ve been ‘double-dipped’, please let me know via this blog.

[Image: Double Dip confectionery. Caption: Double Dip - nice confectionery, but it leaves a bitter taste if it happens to your bank account]

Laser-like accuracy

Word reaches me this morning of yet another incident of Bank Of Ireland double-dipping laser card transactions on or around a Bank Holiday.

BOI will, doubtless, claim that this is a once off and hasn’t happened before. That’s what they said the last time (when it had actually happened before). Furthermore, I hope that BOI are more certain this time as to the root cause (last time out it was variously “retailer error” or “a software upgrade glitch”).

And hopefully their process for catching “shadow transactions” which lead to the double-dipping will kick into play and actually refund the customers affected (which, if this glitch is on the scale of their 2009 one, could be up to 200,000 card holders).

For reference the relevant blog posts are:

http://obriend.info/2009/09/09/bank-of-ireland-double-charging/

http://obriend.info/2009/09/09/bank-of-ireland-double-charging-a-clarifying-post/

http://obriend.info/2009/09/10/bank-of-ireland-overcharging-another-follow-up/

http://obriend.info/2009/10/28/bank-of-ireland-again/

The issue also featured over on IQTrainwrecks.com.

My €0.02: This issue appears to manifest itself around Bank Holidays. This suggests a batch load process or some human triggered action doesn’t work correctly when there is a Bank Holiday. Having a process to detect the double-dipped transactions is not a fix, as if it doesn’t work (as seems might be the case here) then the incorrect data gets through.

BOI might want to pay attention to Ferguson v British Gas, which while a UK case, could be arguable precedent for the view that Irish Courts won’t care how complex your IT systems are if a customer is impacted through a failure of your systems to process information correctly.

BOI need to identify the precipitating root cause of this problem, based on the data they have available… I’d start with looking at the dates of incidents (BOI should have more data than newspaper headlines to go on) and seeking to confirm or disprove the ‘Bank Holiday hypothesis’.

Relying on a ‘scrap and rework’ kludge that might itself fail is not a sustainable approach to ensuring information quality or quality of customer service.

Doing the right thing

So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.

How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?

What if it turned out that:

  1. The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
  2. Was relatively easily circumvented using free or low cost tools
  3. Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).

That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found to be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked stories).

A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:

  • Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
  • Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.

So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.

Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.

So the cost of web filtering would likely have to be borne by the ISP. That would mean either higher bills or reduced investment in other areas, as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92 million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?

The other price to pay is the privacy cost.

The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, it amounts to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individual’s browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual, there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error, given the text of the “stop page” message.

  • Whatever happened to “Adequate, Relevant, and Not Excessive”?
  • And how bulletproof are you against malicious uploading of content to your website anyway?

It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context. Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:

“It seems to me as if just about anything can potentially get on the list”

Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.

An analogy to the Garda proposal is this: anyone entering certain areas of the country (“black-zones”) would be overtly tagged as a probable criminal by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’, the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or the result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.

Would that be acceptable in Irish society?

Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive”) are being blatantly ignored to implement an ineffective solution.

Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.

Data Breach Code of Practice

A while back I had the privilege of being part of a group who formulated submissions to the Data Protection Commissioner regarding the Data Security Breach Code of Practice.

That Code of Practice was presented to the Minister for Justice in July 2010, long before the dissolution of the Dáil in January 2011. There was one administrative step required to give it full legal effect. That step has not yet been taken.

Apparently, carelessness with Personal Data (and, in the case of the Security Breach Code of Practice, financial data as well) is not a ‘real crime’ in the eyes of the Dept of Justice, despite the fact that it costs the UK economy £27bn per annum.

Given that Fine Gael spearheaded moves to improve the protection of personal data privacy through a Private Members’ bill proposed by Simon Coveney TD, and that during their election campaign they trumpeted the policy of “getting tough on white-collar crime”, perhaps they should start with a holistic view of the culture of business and begin with one element common to all businesses, whether Financial Services, Healthcare, Telecommunications, or plumbing: the fact that every business, at some level, processes personal data about individuals in order to conduct business.

What would I like to see from the new Govt which will take the reins of power in the coming week or so?

  1. Tie up the loose ends. Put the Code of Practice on a fully formed legal footing (and perhaps bump up the penalties that can be levied)
  2. Begin the process of renewing the Data Protection Acts. Even in advance of the new EU Directives in May and further down the road there are a number of things which can and should be done:
    1. Consolidate and simplify the legislation.
    2. Implement clear penalties for infringement of the Acts and penalise non-compliance
    3. Provide clear statutory frameworks to encourage compliance (e.g. Voluntary disclosure, whistleblower protections)
    4. Make clear the alignment between Data Protection regulation and other areas of good corporate governance.
  3. Require Enterprise Ireland and the various business development incubators that are promoting entrepreneurship to include some information/training/guidance on Data Protection principles and practice in their supports for start-ups (I’ve been through a Business Development programme and, despite the importance of personal data to the business models of 90% of the participants, it was not even mentioned as a topic).
  4. Make the Office of the Commissioner revenue generating to a greater extent by having higher potential penalties and ensuring that prosecutions are taken to the fullest extent of the available penalties. In the UK the maximum penalty for a breach is £500k. Here it is, on a good day, only a fraction of that.

Finally, the Government should ensure that the Data Protection Commissioner has adequate funding, resources, and supports to properly conduct and execute their responsibilities under the legislation. Whether that is achieved through the absorption of other agencies into the Commissioner’s remit is a matter for the Government (and the Commissioner) to decide on.

CRM Insanity (another update)

So, I have the phone now. I’m still with Vodafone. I’m no longer an irately angry customer. I’m not a happy one. It will be some time before I am that. I may still move my landline business just to make a point.

But my experience in getting the phone sums up the difference between the CRM success of the Vodafone retail store and the CRM insanity of the Vodafone Retail policy.

No Sims at the Inn

It turned out that though they had a phone in stock they didn’t have microsims in stock in the shop. Not a show stopper. The manager went to Carphone Warehouse and got one from them for me while his team sorted the phone out and upsold me a case.

What a clever win. Very little effort for him to do so. Kept me in store longer. I will buy from them again soon (I need a bluetooth kit for the baby-carrier car). I will tell the story of how they didn’t let a stock issue prevent them from satisfying a customer.

A1 service. It counterbalances my experience on Friday when they told me they had no phones (now I know they were acting under orders).

Tweet happens

Having had no satisfaction over the last few weeks with Vodafone on the phone (or for that matter in store), it took posts on twitter to get the issue resolved. And it was resolved fast. Less than 3 hours later I have the phone that 4 hours ago I believed I was not going to be able to get.

So, Tweet happens.

But it shouldn’t. It shouldn’t take an angry customer writing an analytical breakdown of their customer value and posting it to twitter (and Facebook) to get action. That is just wrong as it requires the customer to push for what they are entitled to, and it means that the loudest shoutiest customer gets things done.

A better way?

As I stood in the Vodafone store today I noticed how they are doing lots of product pricing offers for customers of both their mobile and fixed line business. They should perhaps consider using that as a criterion for rationing phones where supply issues exist. If you are a customer of both, you get preferential treatment for stock. Because you are WORTH more. A customer of the mid-tier Perfect Choice Access package for mobile and a moderate broadband package is worth the better part of €2000 a year to Vodafone just in line rental and connection. They should take preference over virtual customers with an unquantified value.

That’s just a thought.

CRM Insanity (An Update)

I’ve elected to switch to 3 and have shortlisted some options for the home phone. I made comments to that effect on Twitter this morning.

At 12:32 today Vodafone Ireland contacted me on Twitter (after I’d posted a few tweets linking back to this post) and Daz on that team is looking into the situation. As of 13:09, apparently they have managed to secure stock in a local Vodafone store for me. (Why they couldn’t do this on FRIDAY, or any other time I’ve rung them over the past few weeks, or when I went into that shop on Friday, baffles me.)

I’ve indicated I’m holding off on switching until 13:30 today.

But it appears that to get Vodafone to actually give a shit you have to be either a non-customer who they wish to woo or a high “cost-to-service” complainer who goes very public with problems. That too is just plain insane CRM, which results in people like Steven (who I spoke to on Friday) and Daz having to bear the brunt of customer issues that COULD BE AVOIDED with a bit of sanity.

I fully accept that Vodafone have supply issues with the iPhone4 (which no other network seems to have, BTW). It makes sense to ration the supply and impose some restrictions. But to completely block existing customers from the upgrade makes no strategic sense (unless Voda want to lose existing iPhone customers to other networks). This is particularly the case for Voda, who will soon have a lot of customers who took the 3Gs when it came out on Vodafone looking to upgrade after 12 months on an 18-month contract (thereby locking them in to another contract).

A better approach might be to:

  • Require new customers to enter into a longer contract (“Hey, you can have it. But it is in short supply so you’ll need to give us your soul for 6 months longer to get it”).
  • Allow customers who have been with you less than 24 months to get it but only if they go for certain tariffs.
  • Allow existing customers who are over 24 months on contract to upgrade as normal.

Supply is rationed. Everyone can GET the phone, but existing customers in good standing have a reward for not churning out to a competitor.

Of course, Vodafone now have the issue that I’m pissed off. And publicly so.

Just getting me the iphone isn’t going to be enough now (I know I can get it with 3). So there will now be an additional retention cost to be built into the deal (which would be on top of the 1 month credit I’d already been offered due to other screw ups on my account).

THIS IS AN AVOIDABLE COST, or would have been if they hadn’t had such crappy customer service up to this point. Now it is pretty much required, as I can get the same phone at a cheaper cost and a similar cost per month on the other network, with whom I have no current frustration (Vodafone, on the other hand, have

  • left me with the wrong SIM card type for the phone I have
  • failed to properly activate my mobile broadband dongle when I upgraded it late last year
  • failed to keep my personal data accurate and up to date as per the Data Protection Acts
  • failed the attitude test about the iPhone upgrade
  • sent me direct marketing pieces addressed to “Ms Daragh O Brien”)

By having a screwed up CRM strategy for existing customers, Vodafone have put themselves in the position where they are now negotiating with me to stay, not simply handing me some forms and taking my money.