LWC 24/7

Your Personal Data is Priceless

2009-06-09T12:27:00.008+02:00

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.

The general public fail to see that their personal data is priceless, and what are the consequences for not safeguarding their data. Identity theft has become a rampant crime (it is no longer a matter of "if it happens to you" but "when it happens to you"), and does not take an intelligent hacker to profile a person. The problem lies in the lack of education given to the public about identity theft, and that their personal data is the weapon in this crime. By not protecting our data we are aiding these criminals - can you blame these criminals when your identity is stolen?

The government and the media play an important role in creating awareness in the public on these matters, as well as educating them on the importance of protecting their privacy; how they should do so; and the technologies around that are used to monitor and to gain access to their data. The BBC is to be commended on its new programme called Who's Watching You? that investigates surveillance in the United Kingdom. Programmes such as these raise awareness that we are being watched, and make us value our privacy and the protection of our personal data for sad to say, our personal data is not so private.

So, the key point here is that the public must be educated on the value of their personal data, and organisations such as the Privacy Commission and the media ought to play an active role. Unfortunately, the current situation in Belgium is such that privacy is the last thing on anyone's mind. Try calling your phone company and find out how it protects the personal data it collects from you. Look at a website and see if there is a privacy statement available - it is after all, the first positive step towards upholding your privacy. You will find very few are concerned about the proper handling of personal data. Nevertheless, hopefully, you will enforce your right and put the necessary pressure on those who handle your personal data to take care of it. It begins with you.

Privacy Always

2009-04-29T14:32:00.011+02:00

Economic crisis, downsizing, budget issues, bankruptcy. These seem to be some of the more common issues faced by many companies today - so much so that if one approaches them concerning P-R-I-V-A-C-Y, they would show you the front door!

Who has the time to bother about someone's privacy and personal data when there are more "important" issues at hand? Perhaps at first glance, the protection of privacy seems minute at times like these, and even the data subject is not too concerned about the way his data is being handled - he has more pressing matters to think about such as the possibility of losing his job, going bankrupt and so on.

Nevertheless, do take note that whilst these matters affect your way of living and demand your immediate attention, they are not permanent - and life will go on, even if it is not the way we wish it to be. On the other hand, privacy and personal data IS your life - be it on paper or in an electronic carrier, and once breached, can have a lasting negative effect greater than we can imagine. Remember, the right to privacy is sacred, and should be protected - even in times of difficulty, because when the economic sun is shining again, you'll be glad you did.

Permission is the key

2008-11-18T11:56:00.010+01:00

Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

Companies or organisations continuing to spam after the 1st of July 2009 can be punished with a maximum fine of 450,000€. If spam is still sent, then a complaint is possible on the spamklacht.nl site. The OPTA (Independent Post and Telecoms Authority, the Netherlands) will be supervising compliance to the law. Only upon explicit permission to receive such electronic messages (including SMS and faxes), can these be sent to the receiving party.

And what is the situation in Belgium?

In Belgium, permission is the general rule, with a limited number of exceptions.

With the Belgian E-commerce law, the opt in rule for publicity electronic messages is in effect. One can only send electronic messages for publicity purposes where there is a preceding authorisation. Also, the commercial communication, including its presentation, must be immediately recognisable to the receiving party as being such upon receipt of that communication. If this is followed, then it is technically not spam.

However, the opt-in rule is subject to a few exceptions, making it a soft opt-in approach:

First Exception: Own customers/clients
The rule is exempted where the commercial communication is aimed at the organisation's own customers/clients (natural or legal persons). This exception only applies in the following conditions:

a) The organisation has directly obtained the contact data of the person concerned in the course of a sale of a good/service. [NB: The privacy law concerning the collection of such data must be respected].

b) The electronic contact data are exclusively used for similar products and/or services which the organisation itself provides.

c) The organisation gives the customers (when the electronic data are collected) the possibility of objecting to the use of such data in an easy manner and free of charge.

Second Exception: Legal persons

The opt-in rule is exempted if the following 2 conditions are met:

a) If the contact data is impersonal, and

b) If the product promoted is intended for that legal person.

Hence, by laying down these ground rules, one can surely see that there is no room for spamming.

So get the intended recipient's permission first if you can't resist sending that commercial communication of yours!

Data Handling Procedures

2008-10-27T09:38:00.006+01:00

So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

Inadequately defined procedures for data handling can, and will lead to improper and careless handling of personal data. We've seen this occur countless of times. For example, not too long ago, 25 million records were lost by the HM Revenue and Customs and according to the investigation, the problem was not with individual workers, but due to the lack of processes for data handling.

All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

Unfortunately, in most companies, not only are such manuals non-existent, but where there is such a manual, it is usually collecting dust in some shelf and most employees and contractors are not even aware of or do not adhere to the manual. The other problem is the fact that lack of adherence is usually not noted or if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and becomes the headlines of major newspapers.

It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White Consultants.

Protecting People's Data

2008-08-29T13:04:00.007+02:00

One of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

When Friends Sell You Out for a Date

2008-08-27T13:03:00.006+02:00

A Belgian dating website known as nicepeople.be has been sued by its competitor, toietmoi.be for requiring anyone who registers with them to give e-mail addresses of 5 friends. These people are then spammed with invitations to join nicepeople.be. It is nice to know that your friends can sell out your e-mail addresses in exchange for a bit of fun on a dating site - NOT.

Nevertheless, applause goes to the Belgian court for convicting nicepeople.be of sending unsolicited e-mails and spamming these third parties' inboxes. Punishing them with a 10,000 EUR fine is a good start and indeed, it is high time precedence is set for these privacy law-breaking websites and the people behind them.

The only question is, is there any way of stopping your friends from throwing in your e-mail addresses and any other personal information to the wolves? We know that the data protection law does not cover handling of personal data in the course of household activities, but what can we truly consider as being a strictly household activity and where do we draw the line? If it were up to me, the law should apply to these friends as well.

When selling a computer is more than selling a machine

2008-08-27T12:00:00.008+02:00

The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

So what is the current horror report on personal data floating around?

"Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.

Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

The Early Bird

2008-08-19T13:33:00.008+02:00

We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

Sometimes we get called in to audit a company to check existing processes and applications for compliance to data processing laws. We then need to inventorise what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, a thorough in-depth audit that involves and affects all levels of the business.

When we are involved from the very start, we can, even already on a requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTE to perform this role. Most companies can hire external consultants to do this on a part time or time and material basis.

Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

Specialized legal consultants have the experience and know-how through different projects to handle these kind of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

So, in conclusion

Hire a professional to get a professional job done.
Fix problems before they arise.
Do not ignore laws and best practices.

How your personal data is collected on a website.

2008-07-30T18:17:00.006+02:00

When you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

Well, there are several ways:

Personal data visibly collected on the website
If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

Some ways in which personal data can be visibly collected include:

Forms
Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

Email forms however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.

Hence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite negating to disclose it initially.

Email
Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send. Postal address, phone and fax, phone calls made, faxes sent, or letters written to the organization, will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

Personal data invisibly collected on the website
This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

Technology per se is advantageous, but it can unfortunately, prove to be a menace as
well - sometimes by design, at other times by surreptitious use.

Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such act is a breach of privacy.

Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

Basic understanding of your duty as the data controller

2008-06-30T10:54:00.004+02:00

A person's privacy is a fundamental right which requires recognition and protection. Whilst it is incapable of precise definition, the concept has been linked with data protection, which interprets privacy in terms of management and handling of personal data.

With this right, we are able to strengthen essential values such as the freedom of thought, conscience and religion and the freedom of expression.

And alongside this right is a duty to protect it. This fundamental duty affects everyone as employers/persons processing personal data. Basically, if you determine the purposes and means of processing personal data, whether or not you are a natural person, you become the data controller and you are imposed with the duty to protect the right to privacy. Of course, failure to uphold your duty would give rise to illegal intrusions to the personal data and privacy of those whom you are supposed to protect and consequentially, you will be held responsible.

So whose personal data are you responsible for? You are responsible for all personal data that you collect apart from those you collect in the course of exclusively personal or household activities, for the processing of personal data carried out exclusively for journalistic, artistic or
literary expression purposes, or for public security.

Hence, your responsibility encompasses the protection of personal data belonging to your employees, potential and actual customers and suppliers, visitors, consultants and job applicants.
Of course, your duty to protect personal data does not imply a prevention of processing that personal data. To do so would paralyse businesses. It is indeed unavoidable that a data controller will process personal data.

However, whilst you, as the data controller, can establish that processing personal data is a necessary course of business, you must not be allowed to abuse the personal data received. It's a balancing act of right and duty. The only way to resolve the conflict of interests between
the company and the individual is by building trust into the individual who is about to divulge his personal data.

And transparency in processing personal data is the source of that trust relationship. Offer this from the very instant personal data is about to be collected and this attitude of yours towards upholding a person's privacy (both online and offline) will measure your failure or success in building a relationship with your customers, gaining their trust and developing that essential viable edge in the marketplace.

Believe it or not, you stand to gain a lot when you comply with your duty. It is a chain reaction - so get the ball rolling.

Spam Not

2008-05-20T06:46:00.010+02:00

About 75% of mail in Belgium is spam, usually associated with shady products or dodgy deals. But spam is just another word for unsolicited publicity mail - an email which you didn't ask for and which is completely useless to you or your business.

If you are sending out emails, be it just one email or in bulk, then consider very carefully if your email is going to be useful to the recipient. The best - and only legal - way is to actually have that recipient ask for the email in the first place - the opt-in. At any time the recipient must be able to revoke his request, and stop receiving further emails - the opt-out.

The law governing this is quite clear, the repercussions of not complying with that law aren't. In Belgium, BIPT - The Belgian Institute of Postal Services and Telecommunications - is concentrating on forcing ISPs - Internet Service Providers - to filter out unsolicited mail. BIPT confirms that they are unable to punish non-compliant ISP's. In any case, it is a useless exercise, as it only protects those companies or individuals who use the ISP's own email service. Those who use external email providers such as Gmail, Live or have their own email server are not benefiting from this.

Companies which send out unsolicited mail are neither targeted nor punished. In practice, the best that Belgium can do is to reprimand non-complying companies.

In the Netherlands, in a landmark case, Opta, the Dutch Independent Post and Telecoms Authority, reprimanded two companies and imposed a total of 510,000 euro fine for sending out unsolicited mail. This seems to be the highest fine ever imposed by Opta for spamming.

Belgium can certainly learn a lesson from its fellow EU member state.

What's the big deal anyway?

2008-05-01T12:48:00.011+02:00

"What's the big deal anyway?". A remark we hear very often when discussing personal data issues. "Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen on another location.

Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

How much is your personal data worth?

2008-04-18T18:43:00.004+02:00

How much or should I say, what would it take for you to give out your personal data? A trip to Paris? A brand new car? Or perhaps, a bar of chocolate would do? Apparently, based on a survey conducted by Infosecurity Europe on 576 office workers outside Liverpool Street Station in London, a free bar of chocolate is good enough for 45% of women and 10% of men to give out their passwords. Only 21% surveyed were unwilling to give their password of which 60% later provided personal data such as date of birth. 60% of men and 62% of women happily provided their names and telephone numbers to enter a draw to go to Paris.

People are not aware of the extensive possibilities in which their personal data can be utilised. A mere name and telephone number is substantial information for a social engineer to gain further information about you which could then lead to your life being turned upside down. Call me dramatic or far fetched - remember Kevin Mitnick?

As a bid to prove just how easily people do give out their personal data, the Belgian consumer organisation - OIVO, set up a website called CelBel which asks youths between 13 to 21 years of age to register with them in exchange for free mobile phone subscription until they reach the age of 21. Sounds too good to be true? Once the user has entered their information and clicked on the submit button, they are taken to a page which informs that the site is fake and then takes you to a website which explains the abuses of personal data.

Well, good thing OIVO is legit, but do you see how easily the art of deception and manipulation can be practised on the Internet to get you to give out your personal data? And better still, do you see how easy it is for you to fall into that trap?

The fine print

2008-03-01T12:03:00.004+01:00

Finally something is happening in the Belgian Data Protection World.

OIVO, the research and information centre of the consumer organisations in Belgium, has filed a complaint against the Belgacom group to the Privacy Commission and the Federal Ministry of Economics.

OIVO states that the privacy notification on the invoices sent out by Belgacom clause is a violation of the Data Protection law. This notification states that 'customer data is stored in databases of the Belgacom group (Belgacom nv, Belgacom Mobile, Telindus, Skynet) and can be used by any member of that group for customer management and to send commercial information'. It also states that if a customer does not want to receive such commercial information, it should contact customer service.

This violates the data protection law on several points

Belgacom has not given the customer the option to opt-in to commercial information.
Belgacom does not mention how to contact customer service (address, email, phone number) and that this would be free of charge.
Belgacom does not inform exactly what will be done with the personal data.

Belgacom is surprised at the complaint from OIVO and state that they comply with the law by providing the opt-out option. A letter was sent to every Belgacom customer to launch the new free 0800 customer service number, which was sufficient information as already 13.592 people have called and noted that they do not want to receive personal data. They also note that OIVO's approach is not elegant and that they should have contacted Belgacom directly first.

Of course OIVO's point of view is correct, and I am not surprised by Belgacom's reaction, as it is one of the most heard excuses used by companies and organisations. Even though Belgacom is making an effort to implement the data protection law, it needs to go the extra mile and do it exactly right.

Our Printers Are Spying On Us!

2008-02-20T13:30:00.008+01:00

If you worry about your DNA and personal information being used to invade your privacy, now you have something else to add to your worries. According to a research by the Electronic Frontier Foundation (EFF) documents you print on your colour laser printer are able to indirectly identify you by encoding information that is not visible to the naked eye. Tiny dots are scattered on each page of your document. The information encoded includes time, date and the serial number of your printer. These are just the information that the EFF has managed to crack at the moment.

So, who is behind this brilliant system? The U.S. government, of course. They claim the purpose of this tool is to enable them to identify counterfeiters. Is that the only purpose for this tool? It is yet to be discovered.

According to Mr. Franco Frattini, the EU Commissioner for Justice and Security, there are no laws against tracking mechanisms in colour printers and photocopiers. "... the information based on tracking printed or copied material does not necessarily include data relating to identified or identifiable individual, i.e. personal data.

To the extent that individuals may be identified through material printed or copied using certain equipment, such processing may give rise to the violation of fundamental human rights, namely the right to privacy and private life. It also might violate the right to protection of personal data."

The EU acknowledges that this tracking system is a violation to human rights and is an invasion of our privacy. We have the laws to protect our privacy but seeing this tracking system in printers is part of the U.S. government's policy how far will the EU go to protect us?

Toothless lions need more bite

2008-01-17T12:08:00.000+01:00

Yesterday, the UK's Information Commissioner's Office (ICO) found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. It has now ordered both these companies to refine their data protection practices or be prosecuted.

We must applaud the ICO for taking enforcement action on this matter. Without a doubt, the ICO seems to be taking centre stage these days with the heightened number of privacy breaches in the UK (and believe me, with the rest of the world too). It is now asking for several improvements to its powers which are currently too weak to enforce the law effectively.

According to Privacy Laws and Business, the House of Commons Justice Committee published a "Protection of Personal Data" report on the 3rd of January 2008 amongst others, recording evidence given on the 4th of December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. The ICO is seeking for mandatory audits, criminal offence and data breach notification.

In Belgium, the situation is no better. Perhaps it is worse - for many breaches are not publicised, contrary to the UK. Perhaps we need to put it out in the open here. Perhaps we need to complain more, and not just accept it when something goes wrong with our personal data. Perhaps the Belgian public must be better educated. Perhaps Belgian organisations too. Perhaps we need the Belgian press to provide greater publicity on privacy issues.

And perhaps the Belgian Privacy Commission should follow in its fellow privacy defender's footsteps and demand the same. These privacy promoters are currently toothless lions, sad to say.

Currently, the Belgian Privacy Commission's powers are merely supervisory - giving advice and recommendations, and whilst being able to send warnings, and denounce violations to the public prosecutor, it is unable to sanction. One must remember though, that with regard to the latter powers, a complaint must first reach the Commission. Yes, so it does have to start with you, the individual who suffers.

Given the large number of malpractices in organisations with regard to the protection of personal data, and given the attitude of the public in not wanting to prolong their suffering, Privacy Commissions' powers, both in the EU and the rest of the world should be reviewed. It is high time they are given greater control and ability to protect personal data. It is after all, for our well-being.

The privacy breach of one Dutch company

2008-01-14T12:20:00.000+01:00

Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55000 people with regard to past applications could be retrieved by other parties. Such information included the
date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

Whilst there is no proof of abuse of such personal information - or no proof yet, the fact that such a leak is happening should be sending warning bells to us. How many more websites visited are carelessly giving access to the same? How many more companies are just as negligent? This is just the privacy breach of one Dutch company - its negligence in implementing proper security measures to protect these personal information.

Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

Well, just to let you know that personal information is carelessly handled everyday.

Jeremy Clarkson - wise guy humbled.

2008-01-08T12:16:00.000+01:00

How many of you know Jeremy Clarkson? The wise guy host of Top Gear?

Well, like many people who do not seem to grasp the importance of keeping their personal data secure and ensuring that those who handle their personal data do the same, he has also thrown caution to the wind.

But that is quite alright. According to the BBC, he has been superbly proven wrong. The man recently revealed his account numbers in the Sun newspaper after ridiculing the commotion over the loss of 25 million people's personal details on two computer discs in the UK. He wanted to prove that it was all a big fuss over nothing, but thanks to a reader, he has been put in his place! The details have been used to create a £500 direct debit to the charity Diabetes UK!

"I was wrong and I have been punished for my mistake," says Clarkson.

Indeed you have.

Now the question is, have we all learnt our lesson or do we have to be proven wrong through a loss to understand the consequences of disregarding the importance of privacy?

Who is abusing my email?

2008-01-08T11:58:00.000+01:00

Summary: This article will show you how to stop people abusing your email address or at least find out who did.

You start a company, you register a domain and you get yourself a nice email address with your name in it, firstname.lastname@mydomain.com, and everything is great.

You now have a prestigious address at your own company and as nobody knows the email address, you receive no spam.

And then you register with a few online websites, known or not, and suddenly the spam starts to trickle in, more and more each day, until it turns into a flood that wastes your time and often contains risks such as phishing mails and viruses.

So what can you do? You can hardly change your name or company name. Listed below are a few options:

1. Use another email address

There are a lot of well known free email providers such as gmail.com, yahoo.com, hotmail.com, only to name a few, where you can get a free email address to receive your registration information.

Another option is to use a disposable email address, which saves you the hassle of having to close down your email address once you received what you needed to receive. A few of these: Mailinator, NoClickEmail, or 10MinuteMail. Just Google for 'temporary email' to find more providers.

The downside of this method is that once your free or disposable email address is closed down, critical and genuine information can be missed.

2. Track usage of your email address

A little known fact is that you can append information before the @ sign in your address by using the + sign.

An example: you visit a website called spammersite.net and you are asked to register your email address.

For this, append +spammersite.net to your name, registering firstname.lastname+spammersite.net@mydomain.com. Emails sent to that address will be received on firstname.lastname@mydomain.com, but you will be able to see the extra information in the 'to:' field, showing you who has been messing with your information.

Note that although most providers support this, it will not work with some. Send a test mail to yourself (with the + suffix) to test if it works.

The downside of this method is that you are not stopping spam, but at least you can learn where it came from, taking legal steps to stop them.

If you have any questions regarding this or other articles in this blog, send an email to comments@leewhiteconsultants.com after reviewing our Privacy Policy.

The secret of a good password

2008-01-02T08:24:00.000+01:00

Numerous incidents of data loss or theft have occurred all through 2007 and before. A recurring cause of these incidents is the human factor. Information Technology these days is quite secure, and scam artists are turning more and more to the human factor as it is much easier to crack than those highly protected IT systems.

If you look at the incidents that happened in 2007, you will notice that most were due to human error: a junior sending CDs with unauthorized copies of databases, mail getting lost, laptops and thumb drives getting stolen, gullible and greedy people getting scammed, user accounts being compromised.

The latter is usually quite easy, as most people choose an easy to remember password such as the name of their child, spouse, dog or their date or city of birth. You would be surprised how many people still keep a post-it note with their password stuck to their screen or in their top desk drawer. Some even store it on their mobile phone.

Some of the rules for a good password:

You need to be able to remember it without writing it down.
Do not reuse a password and use a different password for every user account or site.
Make it sufficiently long and complex so it cannot be easily be 'guessed' or 'cracked'.

To avoid making passwords easy to guess or crack:

Use a password of at least 10 characters long.
Use a mix of upper- and lowercase letters, numbers and punctuation characters.
Do not use dictionary words, in your own or a foreign language, forward or reversed.
Do not repeat characters.
Do not use personal information such as your name, your spouse's name, phone numbers, memorable dates, your car registration or house number.
Do not encode dictionary words, substituting letters by numbers ('l' by '1' and 'e' by '3' in 'letter' to '13tt3r').

The secret to making a password memorable and unique is to use a mix of the above techniques with a few memorable and/or imaginary words.

For example, I need a password for my Facebook account. To create this, I will interleave the following ingredients:

an imaginary word with mixed case: 'sLopAry',
a memorable number, part of my phone number, namely the middle 4 digits: 1234,
some punctuation marks: * and ",
the name 'Facebook'

Then the password would be: sLop12*Fcbk"34Ary composed of

The first 4 letters of my memorable word,
2 digits of my memorable number,
the first punctuation mark,
the consonants of 'Facebook',
the second punctuation mark,
the last 2 digits of my memorable number
and finally the last 3 letters of my memorable word.

If you would apply the same method for your LinkedIn account, you would obtain the following password: sLop12*Lnkdn"34Ary

Devise a variation of the above algorithm, using the principles outlined, and you will have your own algorithm that allows you to create a unique password for every site you visit.

It is important to keep a record of all sites where you used this method (not the passwords themselves), as it is imperative that you change all passwords created using this algorithm if one of the sites gets compromised, through whatever reason.

Where did Microsoft go wrong with Vista?

2007-12-26T22:49:00.000+01:00

Microsoft has some serious thinking to do about its latest operating system - Vista. I'm sure we were all very excited when the eagerly awaited, glossy Vista was released early this year.

There is no doubt that Microsoft did an excellent job with the graphics and animations for Vista. However, is that all there is to Vista? A pretty image on your screen? It certainly does not do much if it is slow and hangs every few minutes. It would seem like Microsoft paid full concentration on visuals to make Vista trendy looking with its cool sidebar, and the animated switching between windows. However, they should have paid equal amount of attention to performance and efficiency.

With 30% of businesses (according to InformationWeek) having no plans to switch to Vista in the near future, will Microsoft re-engineer Vista? We hope so and soon too.

Personal data goes missing again!

2007-12-26T11:55:00.000+01:00

Will it not end? Will we have to keep reading (almost on a daily basis now) about the security breaches involved concerning personal data?

Where is the fire this time? NHS Trusts in the UK, it would seem.

According to Reuters, nine National Health Service trusts have lost the records of hundreds of thousands of adults and children, in the latest embarrassing loss of data by official bodies.

Ever since the concern for data protection was augmented not too long ago by the UK government when it acknowledged it had lost CDs with the names and bank account details of 25 million people and exposing nearly half the population to possible fraud and identity theft, more and more news of failures to protect personal data by official bodies have been pouring in.

Yes, the government informed last week that one of its contractors had lost the detail of 3 million learner drivers! Now, how is this possible? How can it just be lost? What has happened to the compliance of strict procedures in protecting personal data? If this is happening within official bodies, how much more within companies and other organisations where almost no form of security procedure is adhered to concerning the protection of personal data? And whilst this is reported in the UK, where, mind you, they are much more strict about such matters, what is the situation like in other countries?

I shudder to think what is happening in Belgium, for instance - whereby about 97% of the companies (in a research in 2005) are not compliant to the Belgian Data Protection Law. To top it off, in a research in 2006, none of the non-profit organisations including the political parties were compliant either. And in Belgium, many cases do not make it to the headlines for some reason.

So, what do we do? Make more noise? Let this continue? If only those in power would start enforcing the sanctions and make examples of these organisations.

'Tis the season to be spamming - Not!

2007-12-19T12:35:00.000+01:00

It is remarkable how far Christmas and New Year celebrations have been utilised for commercial gain. From selling ridiculous products under the pretext of Christmas gifts to spamming, Christmas has become nothing more than a time for advertising and marketing.

So what is Christmas spamming? Well, under the guise of sending you a Christmas and New Year wish through an email, these companies are actually trying to lure you into some new product or service. Yes, it is a commercial email and in many cases, there is no opportunity to unsubscribe from such emails and you might find yourself receiving it again in the following years if you don't put a stop to it instantly. A typical message would be something like:

"We at XABCX wish you a very Merry Christmas and a prosperous 2008!

By the way, do check our website http://www.xabcx.com as we are having some great promotions on VVVVV..."

Now, note that it is spam if you never asked or subscribed for such commercial emails. It is spam if you are not a customer of theirs and if you are a company, it is also spam if such goods/services offered are not similar to the ones in your company - meaning they are not intended for you. Oh and one more spam point. If the email is sent to your company at your personal email address, then that is spam too.

So, do look out for such emails and please, do your bit and get them to stop spamming! Happy Christmas and a great 2008 everyone!

Toyota Brussels botches up on privacy

2007-12-13T12:16:00.000+01:00

It has happened again. It seems to be getting more and more frequent these days for organisations to lose or mishandle personal data belonging to employees, clients and/or suppliers. Proper security measures and procedures are not instituted or even if they are, these procedures are not complied with in the daily operations of the organisations.

It is a great shame that these companies cannot grasp the simple concept of privacy and its extreme importance. I cannot emphasize how vital the protection of personal data is. How many times must those advocating for privacy and the protection of personal data repeat the recurring problems that the world is facing with regard to such loose dissemination of personal information? Why can people not see the harm it is causing or likely to cause? Do you think it only happens to someone else and it is far-fetched to think it could happen to you?

Toyota Brussels is of no exception. It has joined the ever-growing pool of misfit companies with regard to the manner in which they handle personal data. The personal data of 2000 employees has gone missing. Great confidential information such as name, address, national number, date of birth and the names of partners and children of these 2000 members of staff.

According to spokesperson Etienne Plas, one of its employees took the CD with him and it was claimed to be stolen while using public transport on November 19. 'Of course, the disc should never have left our premises, but the employee was still young and inexperienced. We are taking the whole responsibility upon ourselves as a company, the man has hence not been fired.'

So, the mishap occurred on November 19. But when was this actually discovered by Toyota Brussels seeing that it is only out in the papers today, December 13? In the meantime, what has been happening to these personal data? Toyota Brussels says that the police and insurance companies have reassured the company that the chance of criminal abuse of the data is very small. It is confounding that they minimise the risk of abuse to make things not as bad as they seem. Everyday, personal data up for grabs are used by criminals for their benefit in every possible way - ranging from identity theft to kidnapping.

It is always the same sad story with these companies in Belgium. Never realising the risk, never understanding the consequences of failing to protect privacy. When such things happen in other EU member states such as the UK, the risk is not downplayed. It is emphasized repeatedly because the worst is possible. Yes, just take a look at one example from the UK's recent data loss which put 25 million people at risk of identity theft. At least they admit there is such a risk.

Toyota finds that the fact that the data is now up for grabs in the streets is very regrettable and apologises. But do you know what is truly regrettable Toyota? That you did not establish proper security measures and made sure they were followed through in the first place.

On the persistence of the Internet

2007-11-23T12:30:00.000+01:00

When we talk to people about the risks of publishing their own personal data on personal websites or social networking sites, their first reaction would usually be that they enjoy the fact that their friends or family members can see how they are and keep contact with them. They usually do not understand the implications of publishing on a world wide web without boundaries.

1. Search Engines

Search engines such as Google index and cache the information you publish on the web and keep this for an undetermined time on their servers. This can happen within seconds, so even accidentally publishing information and then -relatively- immediately removing it can already be too late, as the information can already be copied.

Any Internet-savvy user can use Google and other search engines to draw up a complete personal file of any person, including date of birth, address, mobile number, email address, work history, relatives and friends.

2. Aggregation

Blogging is very popular these days, and you can pen down your thoughts and feelings and share them with your friends.

What most people do not realise is that the standard settings of these blog sites (such as Blogger) are set in such a way that any posting is immediately sent (pinged) to aggregation sites (such as Feedburner), which aggregate part or complete articles and present them on their site. Some of these sites are also owned by or affiliated with search engine sites (resulting in the action above).

Furthermore, the aggregation is made using the initial post, so if you write a harsh article and then after consideration mellow it down, chances are great that the original article is not updated in the aggregation or search engine sites.

Most sites include a feature called RSS, which allows users to keep an eye on your site and get an alert when information is updated. For example, our site also publishes an RSS feed here.

This means that the lag time between publishing and reading is shortened even more, reducing your chance to correct mistakes.

3. Archiving

Certain websites keep a cache or archive of many sites on the Internet. Google is one example, another one is www.archive.org. Have a look at what Microsoft's website looked like in October 1996, or Google in January 1999, or even November 1998.

Then have a look at your own information, and think what people in 2018 will think of this.