Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulent activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and PINs and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, and even if any breach was solely the result of the marketing company acting unlawfully (neither fact is yet established), Telecom, like any other “agency” making data available to third parties, is obliged to take reasonable measures to safeguard personal information. That obligation is not limited to preventing unauthorised disclosure; it includes preventing unauthorised access and use, and it extends to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but they do report that it was “common practice” by multiple staff (now former staff), which suggests a lengthy period. They also indicate that the access was via a single login (since deactivated) belonging to a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?
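Several of these questions (were logins recorded, were they audited, was one login used from several places at once) can be answered from an access log if one exists. The following is an added example, not Telecom’s or Wireline’s code: it runs over a handful of constructed log lines in an assumed format and flags an account whose sessions overlap in time from different source addresses, which is the signature of a shared credential, along with a count of failed logins per account.

```python
"""Spot a shared login in an access log: one account with overlapping sessions
from different source addresses. Added example; the log format and the lines
below are constructed for illustration, not taken from any real system."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: jsmith's single login is used concurrently from an
# internal address and an external one, which no single person can do.
SAMPLE_LOG = """\
2010-03-01T09:00:12 LOGIN  user=jsmith src=10.1.4.22   session=s1 result=ok
2010-03-01T09:03:40 LOGIN  user=jsmith src=203.0.113.9 session=s2 result=ok
2010-03-01T09:05:02 LOGIN  user=mlee   src=10.1.4.30   session=s3 result=ok
2010-03-01T09:10:55 LOGIN  user=jsmith src=203.0.113.9 session=-  result=fail
2010-03-01T10:15:00 LOGOUT user=jsmith src=10.1.4.22   session=s1 result=ok
2010-03-01T11:00:00 LOGOUT user=mlee   src=10.1.4.30   session=s3 result=ok
2010-03-01T17:30:00 LOGOUT user=jsmith src=203.0.113.9 session=s2 result=ok
"""


def parse(line):
    """Split one 'timestamp EVENT key=value ...' line into a dict."""
    ts, event, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = event
    return rec


def sessions(log_text):
    """Return {user: [(start, end, src), ...]} built from LOGIN/LOGOUT pairs.
    A session with no LOGOUT is treated as still open at the end of the log."""
    open_sessions = {}
    closed = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] != "ok":
            continue  # failed attempts never open a session
        key = (rec["user"], rec["session"])
        if rec["event"] == "LOGIN":
            open_sessions[key] = (rec["ts"], rec["src"])
        elif rec["event"] == "LOGOUT" and key in open_sessions:
            start, src = open_sessions.pop(key)
            closed[rec["user"]].append((start, rec["ts"], src))
    for (user, _), (start, src) in open_sessions.items():
        closed[user].append((start, datetime.max, src))
    return closed


def concurrent_logins(log_text):
    """Users with two sessions that overlap in time and come from different
    source addresses; returns {user: {src, ...}}."""
    flagged = {}
    for user, sess in sessions(log_text).items():
        for i, (s1, e1, src1) in enumerate(sess):
            for s2, e2, src2 in sess[i + 1:]:
                if src1 != src2 and s1 < e2 and s2 < e1:
                    flagged.setdefault(user, set()).update({src1, src2})
    return flagged


def failed_logins(log_text):
    """Count failed LOGIN events per user."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["event"] == "LOGIN" and rec["result"] != "ok":
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(concurrent_logins(SAMPLE_LOG))
    print(failed_logins(SAMPLE_LOG))
```

The check only works if LOGIN and LOGOUT events are recorded with a source address and a session identifier in the first place; a system that allows unlimited simultaneous sessions per account and logs nothing cannot be audited this way after the fact, which is precisely why the questions above matter.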

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.

Website security privacy complaint

A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is not only a programming and credit-card issue; it can also give rise to privacy complaints. No credit card information was involved in this particular incident. What was exposed was personal travel booking details:

A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.

The flaw here is a well-known one. The booking number in the URL was the only thing controlling access, and because booking numbers are sequential and predictable, anyone holding one link could view every other customer’s booking simply by altering the number. Insecure URLs, or more specifically unvalidated query string values used as the sole access check, are a prime cause of this type of disclosure. They are also fundamental and, for a competent web developer, straightforward to avoid: either require the customer to log in and verify that the requested booking belongs to them, or make the emailed link carry an unguessable token rather than (or in addition to) a guessable number. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, it may be able to seek compensation from the designer; this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.
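To make the flaw and the fix concrete, here is an added example (not the travel company’s or its designer’s code, and the booking data, domain and secret key are constructed for illustration). The insecure lookup returns whatever booking number appears in the URL. The hardened version issues each emailed link with an HMAC token bound to the booking number and the customer it was issued to, so changing the number in the link no longer yields another customer’s details.

```python
"""Booking lookup by predictable URL parameter vs. an unguessable signed link.
Added example, not code from the case note; bookings, domain and LINK_KEY are
constructed for illustration."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data: booking number -> (customer, details).
# Sequential numbers are exactly what makes the insecure version enumerable.
BOOKINGS = {
    1041: ("alice@example.com", "WLG-AKL 12 Mar, seat 14C"),
    1042: ("bob@example.com", "AKL-SYD 15 Mar, seat 3A"),
}
LINK_KEY = b"server-side secret: keep out of source control and rotate"


def booking_insecure(booking_no):
    """The flaw in the case note: the booking number in the URL is the only
    check, so ?booking=1041 edited to 1042 returns someone else's details."""
    return BOOKINGS.get(booking_no)


def link_token(booking_no, customer):
    """Per-booking token: HMAC-SHA256 over the booking number and the customer
    it was issued to. Only a party holding LINK_KEY can mint a valid one."""
    msg = f"{booking_no}:{customer}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_link(booking_no):
    """Build the link to put in the confirmation email."""
    customer, _ = BOOKINGS[booking_no]
    return (f"https://example.com/booking?no={booking_no}"
            f"&t={link_token(booking_no, customer)}")


def booking_secure(booking_no, token):
    """Return details only if the token matches the booking it was issued for.
    An altered number or token yields None. compare_digest keeps the comparison
    constant-time so the token cannot be guessed byte by byte."""
    entry = BOOKINGS.get(booking_no)
    if entry is None:
        return None
    customer, details = entry
    if not hmac.compare_digest(token, link_token(booking_no, customer)):
        return None
    return details


def open_link(url):
    """What the server does with an incoming link: parse the query string and
    refuse anything without both a booking number and a matching token."""
    q = parse_qs(urlparse(url).query)
    try:
        return booking_secure(int(q["no"][0]), q["t"][0])
    except (KeyError, ValueError, TypeError):
        return None


if __name__ == "__main__":
    link = make_link(1041)
    print(open_link(link))                                   # Alice's booking
    print(open_link(link.replace("no=1041", "no=1042")))     # None
    print(booking_insecure(1042))                            # Bob's, no check
```

A signed link like this suits the emailed-confirmation case where the customer is not logged in; where there is a customer account, checking that the requested booking belongs to the authenticated user is the simpler control. Either way the token or session, not the booking number, is what grants access. A production version would also give the token an expiry, which an HMAC over the booking number alone does not provide.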

Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.

E-dealing: get over it

The Herald recently reported on a lawyer’s “negligent or incompetent” use of the Landonline e-dealing system that was said to “imperil the electronic system” of land titles. The incident prompted another lawyer to warn that the e-dealing system was insecure.

While any improper or irregular dealing with something as important as land titles is a serious matter, is the integrity of the Landonline system, or the concept of e-dealing for land titles generally, called into question on the basis of one, or even several, such incidents? No, at least not until a proper comparison has been made with the rate of mistakes, problems and fraud under the old system.

There were of course occasional issues with the old, paper-based land title system. It is too early to tell whether the new system (which was only fully phased in in 2009) is, statistically, more or less secure than the old one. In the meantime, the Registrar-General of Land, Robbie Muir, has defended the new system, making the point that an electronic register is more secure than the old paper-based one:

[The old system had] the potential for forgery and the land registry did not have reliable means of verifying the authenticity of land owners’ signatures or establishing that proper identity checks had been undertaken.

Muir is right. The reality is that modern technology is usually far superior to an “ink and paper” equivalent. Technology can use cryptographic signatures and tamper-evident audit trails to verify that particular transactions and events occurred, and who caused them. The idea that mashed-up pieces of wood stained with ink provide superior integrity and efficiency to a well-designed electronic system is quaint, but plainly wrong. Of course, the key requirement in the previous sentence is “well-designed”. A system with crucial flaws may be completely insecure. Replacing a good paper-based system with a poor electronic one is a recipe for disaster.

Technology is, and for a long time yet will be, subjected to a double standard when compared with a non-technical equivalent. For example, there are thousands of instances of mail stolen from letterboxes, mail-rooms and post offices each year. Generally, none of this is particularly newsworthy. However, if an ISP has some emails “stolen” by a hacker or staff member, it would likely be reported. In the same vein, credit card fraud is common in the physical world, yet often reported with alarm if the same thing happens online.

The recent incident with the e-dealing system highlights this. As Robbie Muir points out:

Given the large volume of land transactions registered each year, there will inevitably be isolated cases where things go wrong. The same was true of the paper-based system. However, under the Landonline system it is possible to quickly establish what has occurred and who is responsible.

Some lawyers I know or have dealt with – young and old – remain curiously uncomfortable, and even suspicious, of email, electronic data, online dealings, and the like. On several occasions I have had lawyers refuse to correspond by email supposedly because of “problems previously encountered” with this new-fangled technology. So I send them emails, and they reply with snail-mail and faxes (yes, in 2010).

A particular hang-up is the occasional insistence on “originals”. Back in the days when important documents were drawn up by hand (really important documents were on goatskin parchment), it was fairly obvious what was the original document, and what was a copy. The need for requiring an original was clearer. And when there is a piece of paper, it is usually easy to tell whether it has been physically signed, photocopied, or had a computer printed signature applied. But with electronic files, concepts such as the “original document” quickly lose meaning, as does the need for an “original” and signing at all. However, a suitable “original” (if insisted upon) can usually be made by printing off a file and signing it. Whether this is necessary at all – other than for “ceremonial” purposes – is questionable.

It comes down to the perceived comfort of having a piece of paper, something physical that can be put into a folder and filed in a filing cabinet. But the reality is that digital documents and digital signatures are capable of achieving a much higher level of security than a handwritten signature.