The Grumpy Old Man

Online Vendors Storage of Data

Are you fully aware of what "online shops" do with the payment details you submit with your order?

Do you use a computer? Of course you do, you're using one to read this.

Do you use your computer for online shopping? Of course you do, after all it is one of the fastest-growing marketplaces around.

Do you use online banking? Of course you do, most of us do nowadays.

Are you concerned about computer hacking? Grumpy believes you'd have to be an idiot not to be!

Are you concerned about the security of your payment details used for purchases from various institutions?

In Grumpy's opinion, you damn well should be.

I won't give a full list of all the data breaches involving financial information, but here are a few examples: Vodafone (about a thousand records), Talk Talk (hit three times), the US government personnel data files (reported to be between one and two million records), Loyalty Build (reputed to be in the millions) and, if you really want to be worried, JP Morgan Chase, the American commercial bank (reputed to be hundreds of millions of people over an eight-year period).

We are always being warned against sending banking data by email or answering spam email purporting to come from our bank, but we quite happily fill in credit and debit card details when shopping online to pay for goods or services.

Grumpy recently decided that the time had come to tighten up this procedure. This was based on the premise that if the information is not stored in the computer then it can't be hacked. I started to work round my regular online shops checking on their security arrangements regarding payments to them.

Being a fairly regular user of Amazon, I decided to start with them. I found that although I could remove all card details from "my account", the information still remained within the Amazon computer. I was so concerned that I contacted them on the basis that once an order had been fulfilled and their returns period had passed, I could see no reason for them to retain the card information. After all, when we shop in the High Street, we pay cash and the shopkeeper has no idea who we are.

The letter I received in response went into great detail as to how secure Amazon considered their retention of card information. From my experiences as an Engineer, I know that no matter how small the likelihood of an event (i.e. hackers breaking Amazon security) taking place, sooner or later it will happen. No matter how deep and encrypted Amazon have made that data, if it is stored in their computer and they can read it, then some other bugger from outside will find a way to get in and also crack the code. Thus, the most secure route is not to have the information there in the first place.

Amazon informed me that it is a legal requirement for them to retain this information! No timescale for that retention was given. The letter also stated that they were not in a position to discuss the matter any further.

As an aside, a recent order with Amazon was placed with "Amazon UK", paid for in Sterling, dispatched from Dunfermline in Scotland and delivered to the Irish Republic (within the Eurozone).

A quick investigation of Amazon UK showed that they are a subsidiary of Amazon SARL, which is a company incorporated in Luxembourg. Consequently it seems they are subject to Luxembourg law (even if my last order went nowhere near Luxembourg).

Gordon Bennett, what a tangled web we weave!

Grumpy has queried all of this, particularly the retention of credit card data, with Data Commissioners in Ireland and Luxembourg. Ireland said "not them"; I await a reply from Luxembourg.

The retention of this data is not only a gross infringement of my privacy and civil liberties but is also putting personal financial data at unnecessary risk. To add insult to injury, I am now being told it's a legal requirement.

Gordon Bennett!

So what can we do? Grumpy is contacting firms with whom he has done Internet business. He is requesting that they remove all payment data from their computer and if they are unable to do so, he should be notified as to why they are unable to comply with his request.

This survey, together with even more observations, is now as complete as I believe it will ever get and can be seen by following this read more.....

You can do likewise and if some companies say they are unable to do this, query it with the company. If you are fobbed off with some legal gobbledygook, then make a complaint to your National Data Commissioner. We regularly read in the papers of people being defrauded of, in some cases, considerable sums of money. It is high time the little man, you and I, stood up for ourselves and were counted by making our concerns, complaints and voices known.

I would add that my experience of National Data Commissioners is that they can be contacted through their website. So do it now before it's too late and some hacking criminal empties your bank account.

Need I say it, but this particular grump will be updated just as soon as I have more information from the Luxembourg Data Commissioner.