Note:this grump was originally published in July 2018, and updated in December 2018
I know that in money7 click here to read it and other linked grumps I have been quite vociferous in decrying the habits of many mail order companies. Recently, there was a new data protection law enacted, but like many of these legislative documents it is not really clear what it does or even if it does a complete job. Grumpy has his doubts believing that big business has influenced not only the structure, but also content of the document. As usual like many terms and conditions that one comes across on web purchase sites, the document is terribly wordy and if one is looking to see if it protects the consumer on a particular topic, it is not always easy to find. But then, what's new? (click here bigbro 3 to read more)
Grumpy has become increasingly concerned at the high-handed way in which many mail order companies, (Amazon being a good example) ride roughshod over the legal position storing whatever data they like, for as long as they like. In an ideal world this data would be rocksolid secure, Grumpy may be able to live with that, however he believes that is not the case. Time and time again we keep hearing of ‘data breaches’ and it is now becoming more and more prevalent for it to be some months after the event that the end user (you and I) become aware of the problem, if ever.
I am sure that many of you have noticed that most mail-order sites will store your credit card access details (card number, expiry date, security code). The storage of this data on the majority of sites is the default situation. Grumpy believes this is wrong and every time his card is used he should get a specific request asking ‘do we have your permission to retain and continue to retain this card information for future use?’. To give that permission a positive response should be required. (An already clicked box does not, in Grumpy's view constitute that permission, as the default gives the shop permission to retain the data.)
No doubt the vendor will claim that they wish to store the information to enhance the ‘shoppers experience’. What bull shit, in Grumpy's view, all it does is to lay open the shoppers credit/banking and many other details to any competent hacker. Within this context, should the shopper give retention permission then he should automatically receive a warning that this information will be computer stored and potentially available to data theft. Note also, once computer stored, it is very difficult to erase. In most cases it is still stored and never physically removed from memory. (See ....business4 to read more.... )
I am sure that many online shopping sites fail to keep their security software fully up-to-date as to reduce the ease with which some hackers seem to freely avail themselves of the stored data. Remember the motto "if it's in the computer, some bugger, who shouldn't, will find a way to read it ".
Grumpy actually remembers years ago going to a shop with a bundle of what are called ‘used one-cers’ (to the uninitiated, cash) and actually exchanging this for goods. The shop concerned was more than happy to do business on this basis and did not ask the Customer to fill out a form including data on his address, date of birth, sexual preferences, what you had for breakfast last Thursday and if you have a birthmark on your right buttock! It seems these days online shops feel at liberty to ask whatever questions they like. What is of great concern is that they don't tell you the purpose for which this information is required. I know for a fact, that this and other information collected from website shops is used for vendor's marketing. In other words he is collecting, without permission or payment, personal data about his customers which is then used for commercial purposes. It would seem reasonable that the collection of personal private data for use in marketing purposes counts as ‘market research ’, ergo has value. The vendor is collecting information and not offering to pay for it and into the bargain is f requently so incompetent as to be unable to keep it secure. Furthermore, this data is stored for a totally undefined length of time. Is that what you really want with your personal data? Grumpy says ‘no way Josť’ . The retention of personal data should only be by positive permission i.e. an empty ‘tick box’ to tick if you give the vendor permission to retain, at his risk, your private personal data. There should be no default or small print giving him the right to retain anything.
There is another trick the big online vendors such as Amazon UK use. The trick is that they are not a UK company. They are a subsidiary of Amazon SARL registered in Luxembourg and as such trade under Luxembourg law. Grumpy believes this is not only wrong, but immoral, sharp and opportunistic. As an example, Grumpy lives in Republic of Ireland, items purchased from Amazon UK are delivered to the Republic of Ireland, frequently paid for in sterling. The goods are dispatched from a warehouse in Scotland, or even sometimes Ireland, Germany or Spain and the goods delivered in Ireland. Note nothing has been anywhere near Luxembourg probably not even the order. To add insult to injury VAT is charged at the Irish rate! In querying their retention of credit card data, Amazon UK hide behind the excuse that they are a subsidiary of Amazon SARL in Luxembourg and therefore subject to Luxembourg law. Personally I think that's a copout and wonder what will happen with Brexit!
Huge numbers of us use shop loyalty cards for which we will be paid, nominally, one percent of the money we spend in the shop. But are you aware that our purchase details are actually retained in the shops computer and accessed for marketing purposes? You can actually see this at work, if you shop online. The shop's computer will tell you what you regularly purchase. As this information is stored by the shop, you can't tell me they won't be making use of it, with or without your permission.
Another aspect of this retention of computer data is the large online shops even store information on what you have just been looking at or browsing over. I find this obvious when in my email account I frequently get pop-up adverts from shops suggesting offers on items I have been looking at. This can vary from food mixers to books to hotel room reservations! What is annoying is that these adverts are very persistent, and awkward to get rid of, particularly when all one wanted in the first place was a rough order of cost for the particular item, not to be pestered, ad nauseam for months afterwards, even after you have purchased the item.
However Grumpy finds the recent furore over Facebook to have all the examples of things to avoid in ‘ social media ’and ‘sales’ websites. Grumpy admits that in the early days of his website he considered Facebook as an area for possible promotion for the website. When registering for a Facebook account I was horrified by the amount of detail and personal information not only requested but labelled as ‘mandatory’ in order to open the account. Grumpy remembers thinking at the time ‘for what in the world do they require all of this information ?’. As the problems at Facebook were uncovered it became apparent for what purpose this information was being used. Much of it pointless trivialities and details not only of personal life, but personal views, likes and dislikes. It was clear to Grumpy that all this information was being used to automatically match up ‘partners’ or in Facebook parlance ‘Friends’ with each other and their activities.
Taking a step back, this information must have given many a marketing man the proverbial wet dream. As, here in one place, was in the ‘marketing target's ’ own language was what the target liked, did, what he didn't like and probably what he had for tea last Thursday! To say nothing of the thought of a hackers dream, Facebook staff proceeded to bundle all of this data up (without a ‘by your leave’ of the people concerned) and sell it for their own financial gain to a company that by any other name can only be described as a ‘market research’ operation. To them this must have been manna from heaven.
The action by Facebook shows the vulnerability of allowing third parties to store private data about yourself. You never know who is accessing it, why or when. In the case of Facebook, it appears to Grumpy that the founder of the company is either a very naive juvenile or very astute Business whiz kid. Only time will tell. The original concept of promoting contact with like-minded and thinking people is great but I intuitively believe it was never intended to go worldwide. Neither was it ever intended to be the marketing man's goldmine. Perhaps, it should have stayed local but that is perhaps a vain hope as the original participants maintained its use after graduation to maintain contact with their friends from University, now living around the world.
It appears that certain Data Regulators are fining Facebook for their action. From current news reports the fine would appear to be of the order of £500.000, which is absolute peanuts compared with the turnover reputed to be generated by Facebook. (As an aside, it is appalling that this is the maximum amount the legislation allows the regulator to fine the company.) The cavalier manner in which the company tried to capitalise on the stupidity of its clients by selling their personal data beggars belief. Grumpy believes that the company should be fined 50% of their annual turnover, which would have actually brought many other companies up short and made them think twice about their use of their clients private personal data.
Finally it is high time that the law caught up with this new technology and began to establish a framework around which it can operate. The basic tenets of that philosophy must be that the user to which the data relates must be given the opportunity to positively allow its use outside the company, the default situation of inferred permission is just not acceptable. If said user gives permission, then he should receive an immediate notification that the company will store the data and is unable to guarantee its security. It is Grumpy's view that this permission is far too important to be buried in standard contractual terms and conditions. Additionally every time customers use the site they should be asked to reaffirm his position on the retention of such data. Again, the default position must be positive rather than inferred affirmation. Within that context I believe that the recently introduced data protection law requires much enhancement.
The bottom line of all this is to ask all users of such websites ‘have you given this company specific permission to use your personal data for ‘third party’ applications?’ What is perhaps also important is that this permission must be reaffirmed at each visit to the site. The default position must always be data deletion.
And now here is a very recent case example of how just about everything can go wrong. I refer to a recent incident with the Police Service of Northern Ireland.
As part of a legitimate investigation the police service had confiscated (for forensic examination) a laptop computer owned by ‘suspected Loyalist terrorists’. As would be expected on completion of that examination, the computer was returned to the suspect. It appears however, when the equipment was returned it had a small addition in the shape of a memory stick that wasn't there when the machine was confiscated. Reports suggest the memory stick had been generated by the ‘Paramilitary Crime Task Force’ during an investigation of a third party. The memory stick reputedly contained files, some encrypted, some openly accessible. They included details of personal internet traffic, emails, server addresses and passwords together with private addresses of thousands of members of the general public and commercial businesses.
If the police force cannot keep collected data secure, what right have they to be collecting the information in the first place? After all, they have a greater than normal duty of care to properly protect data collected, during the course of their normal business, from falling into the wrong hands.
Although the data given away is currently thought to have no obvious use, it demonstrates just how lax this particular police service's security procedures are. This is extremely disturbing given the permanent highly charged political situation in the province where the most seemingly innocuous spark can soon ignite a full-blown forest fire.
One hopes that other arms of the security and intelligence community operate far more stringent and watertight security procedures.
At the end of the day, the individuals and businesses whose information has been compromised always have a right to know what information is held, what the police service are doing with the information and what steps are being taken to retrieve it. Being on a memory stick however, it is unfortunate that there will never be a way of knowing if information on the returned memory stick (if it ever does turn up) has been accessed. An extremely disturbing situation within the realms of an organisation that should know better. Again it raises the simple questions, were the people concerned aware of the information storage, were they asked, perhaps not, and was the security of the information to an adequate standard? The answer to the latter question seems to be an abysmal no and quite frankly it appears that nobody cares, which is perhaps even more worrying.
Note:this grump was originally published in July 2018, and updated in December 2018
I'm not totally familiar with all the ins and outs of GDPR but as far as I can see it seems to do little to address the problems identified above. When it came out most selling websites put out new terms and conditions that were, again, so long that, very few people would read them see bigbro3. However before any purchase was made, you had to tick that you agreed to them. I'm sure that within those new terms and conditions, all rights regarding data protection, collection and retention were abrogated in favour of the " site ". In other words, there was no effective change. Certainly this year, there have been some prime examples of why change is necessary, or the misuse of data needs to be far more customer rather than site holder controlled. Apart from problems identified elsewhere on this website, major problems have been reported by Ticketmaster , British Airways and Marriot Hotels. Little detailed information was given in the popular press on the level of illegal data access but, as a result of the hacks of Ticket Master data files, a number of banks were faced with no option but to freeze accounts and reissue credit and debit cards, it must, therefore, have been quite significant. This of course all takes time and while it was going on, the account holders were unable to access their bank accounts. One does wonder therefore if the banks data protection measures were also compromised, a most worrying situation.
To return to the Marriot Hotels hack, it was stated that the illegal access was aimed at the Marriot Hotels booking service which also dealt with a number of other hotels, trading under different names, with connections to or partially or wholly owned by Marriot Hotels. Rumour had it that many millions of clients within this group had their personal details accessed, including names, addresses, banking, debit and credit card information. What concerned Grumpy about this was that it was openly admitted that the data accessed went back many years. These three hacks demonstrate a number of problems that really should have been addressed by GDPR and either weren't or data collection users have ignored the requirements due to lack of oversight by data controller/regulators.
The first question raised refers particularly to the Marriot Hotels debacle in which Grumpy would ask why in the world are they retaining data that was so old? Grumpy does not travel much nowadays but even he can't remember whether he stayed in a Marriot, or Marriot associated hotel four years ago and with the number of accounts accessed he doubts the hotel concerned will be contacting him to warn him of possible illegal access of his personal data. Again Grumpy must ask why does the company feel the need to retain the data? The only reason that immediately springs to mind is that the company is using the data for marketing purposes. Is this right, is it fair and very much to the point is it legal? After all, if the retained data is being used for marketing purposes of any sort, it is being utilised for a purpose above and beyond that for which it was collected. Furthermore its collection and ongoing use for marketing purposes was certainly not authorised by the subject.
Grumpy actually finds the level at which this goes on as being rather insidious. Living some way from major conurbation, mail-order is frequently used in the grumpy household. I find it very concerning that an organisation like Amazon not only store your orders but also retain information on things for which you have searched, pestering you for months afterwards with "pop-up" adverts. And they are not very good at doing that either. Grumpy still gets advertisements from Amazon for items that were purchased (from them) over twelve months ago.
Grumpy is a strong believer that the amount of data a vendor is legally allowed to retain should be very limited in quantity and time lapsed and restricted solely to a particular purchase. Not only should it be restricted to only basic data referring to the purchase but once the transaction is complete then the data should be removed from the vendors computer. Grumpy has recently come across instances where the vendor will claim is that is not possible. A major online vendor told Grumpy that "it is a legal requirement". I'm afraid Grumpy believes that to be so much bulls**t, but if true should be changed.
Again, I have come across vendors claiming they need to retain credit/debit card data in case a refund is required. They claim that legally they can only make such refund to the card originally used when making the purchase. That also is not true. Grumpy has particular experience of receiving a refund for the cost of repair of damaged goods and the agency making the repair asked for a card number to which the refund could be credited. They were at great pains to say that this need not be the card that was used to make the original purchase!
It seems that, nowadays, it is impossible to make a purchase of any sort without having to "register" or "open an account" both frequently requiring reams of most obtuse and personal data. (Grumpy has even had to do this for receipt of a freebie!). What has happened to the days when one could use cash to buy something and all one had from the vendors was "thank you very much Sir please call again". You walk out of his door with your new goodies on your arm and he hasn't a clue who you are, where you live and certainly not what colour knickers you're wearing!
Vendor's websites invariably have a tick box which says "I agree to vendor's terms and conditions". This box you must tick every time you purchase from the site. I see no reason whatsoever why similar facilities should not be available for the retention of payment data along the lines that "can we store your payment details to facilitate our market research and your next purchase?" And perhaps even a second box that reads "the purchaser gives the vendors the right to use collected personal information for marketing and market assessment purposes" Once again these should both be an open option where the purchaser has to tick the particular box, at each purchase, to give that authority. The default must be no permission. I must emphasise that under no circumstances should this sort of authority be buried in sixty-three pages of standard terms and conditions of purchase. (As asked earlier, have you ever read all of these terms and conditions, no of course you haven't?)
GDPR legislation is a step in the right direction. It is however, only a step and still leaves far too much leeway for the vendor. Control of payment and personal data must be returned to its rightful place, in this case the purchaser.
Grumpy will shortly be writing to data protection Commissioners in UK, Ireland and EU on the matter as he believes that the "vendor" have a vested interest in the data and is thus are not in a position to decide whether to retain or not.
Retention must be a positive decision by the purchaser made during every purchase, never a default decision imposed by the vendor. Curently held data should be made inacessible by "multiple overwriting", yes, a costly process but the nearest you will get to full deletion. At the end of the day, I believe that the website holder is actually stored personal data without the subjects express permission. This who regards as an infringement of the subjects personal and civil liberties. This must be changed.