Telecom txt spam – RTFC

Stuff reports that Telecom has been accused of “probably” breaching the anti-spam law:

Internal Affairs is looking into whether Telecom may have breached spam laws by sending text messages to customers that did not include instructions on how customers could unsubscribe from receiving such messages… Victoria University law student Hamish McConnochie drew attention to the texts, promoting Telecom’s pre-pay top-ups and roaming services …

Here’s a quick tip: look at Telecom’s Terms & Conditions (see below).

The anti-spam law (the Unsolicited Electronic Messages Act 2007) requires certain types of commercial electronic messages to offer an unsubscribe facility. This law is “technology neutral” – it applies to all types of electronic messages, including emails, text messages, instant messages, etc. However, the unsubscribe facility is not needed where there is a “contract, arrangement or understanding” between the sender and receiver not to include an unsubscribe. Telcos are well aware of this law and usually take necessary steps to comply. Telecom argues it has such an arrangement as follows:

Telecom sent customers text messages in November telling recipients that unless they objected then, Telecom would deem they had agreed future text messages from the company need no longer include an opt-out message. Spokeswoman Anna Skerten said those messages created such an arrangement.

A “no response means you accept” text cannot create a contract. However, it is arguable that it could create an “arrangement or understanding” – which are clearly intended to mean something less than a contract or other form of express consent.

But what is unusual is that Telecom’s spokeswoman did not simply refer to Telecom’s mobile service terms and conditions (link is for the prepaid version – others exist). Clause 13(3) states:

From time to time we may send you sales and marketing information about Telecom products and services. You can let us know at any time if you do not want to receive sales and marketing information by contacting Telecom Customer Services

There is no need for messy arguments over whether some text sent last year created an “arrangement”, when there is a contract which clearly applies. Together with Telecom’s “opt-out” text, that would probably suffice (there may be a more specific opt-out in some of the other T&C’s but I’m not going to read them all…). Importantly, Telecom’s T&C’s, like most others, also include a “changes” provision allowing Telecom to modify its terms. So if Telecom decides it needs to change or clarify its T&C’s in response to this reportage, it can do so. It should. Vodafone’s T&C’s are much better, as they clearly state:

You agree that we and our Agents may send you marketing messages, electronic or otherwise, about our special offers, products and Services, and those of our selected Agents and third parties which may be of interest to you. You agree too that the electronic marketing message we, our Agents and third parties send need not include an unsubscribe facility.

Internal Affairs could allege that Telecom’s terms (together with the opt-out text) were insufficient and launch a prosecution. I don’t think it would succeed, and it would probably be a waste of taxpayer money: the worst outcome for Telecom would be a relatively minor fine that would most likely not cover the costs of a defended prosecution. Also it is highly unlikely that any customer will be able to claim compensation (which requires loss to have occurred).

Finally there is room for argument that under clause 11(2)(a), third-party texts would still not be covered by the telco’s terms & conditions, but that is a separate question.

Telecom database update

The Herald reports more details of the alleged privacy breach involving a Telecom database:

The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.

Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.

The Privacy Commissioner’s office has also announced an investigation:

“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.

“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”

A key question is how one login could be used, sometimes more than a thousand times a day, over a multi-year period, without being detected.

A criminal investigation is also likely. Possible charges for improperly accessing a database include:

For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.

The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.

Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulent activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and PIN numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, even if by the marketing company having acted unlawfully (and neither of these facts is yet established), there are obligations on Telecom (and other “agencies” making data available to third parties) to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but do report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) of a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?
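The first three questions above (were logins recorded, were they audited, and why was the misuse not noticed) come down to whether anyone ran even a simple check over the access log. The following is an added example, not code from the original post and not Telecom’s or anyone else’s actual system: it builds a small constructed access log for a hypothetical customer database and runs two checks a defender would want, namely a per-login daily lookup count against a baseline, and a login that authenticates from several different source addresses within a short window (the usual signature of a shared or leaked credential). The log format, login names, addresses, event names and thresholds are all assumptions of the example.

```python
"""
Added example (not from the original post): audit checks over a constructed
access log for a hypothetical customer-lookup database. Everything here,
the log format, the logins, the addresses and the thresholds, is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format (assumed): "<ISO timestamp> <login> <source_ip> <event>"
# Events used: LOGIN_OK, LOGIN_FAIL, LOOKUP.

SOURCES = ["10.1.4.22", "203.0.113.9", "198.51.100.7"]


def make_sample_log():
    """Build a constructed one-day log: dealer042 behaves normally, while the
    dealer017 credential authenticates from three addresses within two
    minutes and then performs 300 lookups over the day."""
    lines = []
    base = datetime(2010, 3, 1, 9, 0, 0)
    for i, ip in enumerate(SOURCES):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} dealer017 {ip} LOGIN_OK")
    for i in range(300):  # one lookup per minute, 09:03 to 14:02
        t = base + timedelta(minutes=3 + i)
        lines.append(f"{t.isoformat()} dealer017 {SOURCES[i % 3]} LOOKUP")
    t = base + timedelta(hours=1)
    lines.append(f"{t.isoformat()} dealer042 10.1.4.30 LOGIN_OK")
    for i in range(12):
        lines.append(f"{(t + timedelta(minutes=i + 1)).isoformat()} dealer042 10.1.4.30 LOOKUP")
    lines.append(f"{(t + timedelta(minutes=20)).isoformat()} dealer042 10.1.4.31 LOGIN_FAIL")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed four-field format into dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, login, ip, event = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "login": login,
                        "ip": ip, "event": event})
    return records


def daily_lookup_counts(records):
    """Number of LOOKUP events per (login, calendar day)."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "LOOKUP":
            counts[(r["login"], r["ts"].date().isoformat())] += 1
    return dict(counts)


def high_volume_logins(records, threshold=100):
    """(login, day, count) triples whose daily lookup count exceeds the baseline."""
    return sorted((login, day, n)
                  for (login, day), n in daily_lookup_counts(records).items()
                  if n > threshold)


def multi_source_logins(records, window=timedelta(minutes=30)):
    """Logins that authenticated successfully from two or more distinct source
    addresses within `window`; returns {login: max distinct addresses seen}."""
    by_login = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_OK":
            by_login[r["login"]].append((r["ts"], r["ip"]))
    flagged = {}
    for login, events in by_login.items():
        events.sort()
        for i, (t_i, ip_i) in enumerate(events):
            ips = {ip_i}
            for t_j, ip_j in events[i + 1:]:
                if t_j - t_i > window:
                    break
                ips.add(ip_j)
            if len(ips) >= 2:
                flagged[login] = max(len(ips), flagged.get(login, 0))
    return flagged


def failed_logins(records):
    """Failed authentication attempts per login, worth reviewing alongside the rest."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            counts[r["login"]] += 1
    return dict(counts)


def audit(text, volume_threshold=100, window=timedelta(minutes=30)):
    """Run all checks over raw log text and return a summary dict."""
    records = parse_log(text)
    return {"high_volume": high_volume_logins(records, volume_threshold),
            "multi_source": multi_source_logins(records, window),
            "failed_logins": failed_logins(records)}


if __name__ == "__main__":
    for name, finding in audit(make_sample_log()).items():
        print(name, finding)
```

The point of the example is that neither check needs anything beyond a timestamp, a login and a source address per event; if those fields were recorded, a daily run of something this simple would have surfaced a single credential used a thousand times a day from multiple places. The thresholds here are illustrative and would in practice be set from each login’s own history.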

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.