Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Thursday, 20 January 2011 07:51

Privacy protection in telco land is a joke


Vodafone has been seriously embarrassed by the leak of customer details, but there seems little prospect of more serious consequences for the company. That needs to change.

Loss of privacy is a precursor to identity theft, and the problem with identity is that, unlike a stolen credit card number, it is not easily replaced; unless you want to change your name. So it should be incumbent upon telcos, and other companies, to provide the highest levels of security around customer data. And there should be serious consequences if that security is breached.

As the Vodafone incident has amply demonstrated, neither of those applies. All the reports of Vodafone's security breach suggest that it had implemented a minimal level of security on its customer database and lacked any means of identifying, authenticating and tracking individuals' access and usage.

The situation was succinctly summed up by Electronic Frontiers Australia chairman, Colin Jacobs, interviewed on Channel 10's 7pm Project. "These companies have a legal obligation to protect our data. But that requires time, it requires money, and it requires expertise. And often they don't quite get around to doing it until something like this happens, it all blows up, and they've got a horde of angry customers banging on their door demanding to know what happened to their data."

So what about this legal obligation? There is a mandatory consumer protection code for telecommunications services providers. There are privacy laws. There's the ACMA administering and enforcing code compliance and there's the Privacy Commissioner implementing the Privacy Act. Surely these two wield sticks big enough to ensure that telcos give customer data the care and protection it deserves? Sadly the answer is no, on every count.

According to Elissa Freeman, director of policy and campaigns at the Australian Communications Consumers Action Network (ACCAN), "The TCP [Telecommunications Consumer Protection] code does have provisions that require providers to protect the privacy of their customers' billing and personal information so there is a good case that Vodafone has breached the code."

However she says: "This is a great example of how toothless the code is. The ACMA can now investigate Vodafone for a possible breach of the code and can direct Vodafone to comply with the code, but that is about as tough as it gets."



Codes of conduct for the telecoms industry are developed by the industry, through Communications Alliance primarily. Then, if the ACMA decides to register them, compliance becomes mandatory, but this means little, according to Freeman.

"The industry would like to say the code is mandatory because it is enforced by the ACMA but the only enforcement available to the ACMA is to direct service providers to comply and then take action if they fail to comply… The code is voluntary until the service provider is directed by the ACMA. This is a very contentious point."

The code is presently being revised, but Freeman said there was little chance of the new code including any more specific requirements on telcos to protect the privacy of customer data. "Privacy laws operate alongside consumer protection and are much more prescriptive about how consumer information should be treated, so there probably won't be more requirements in the revised code."

However she said the revised code should incorporate much stronger measures for enforcement and punishment of breaches. "The challenge is to beef up compliance and enforcement so that there are serious consequences for any provider that fails to protect consumer information. The code at present has no compliance or enforcement built into it."

These powers could only be applied after the event. Hopefully the threat of serious consequences would ensure that telcos did a far better job of protecting customer data than Vodafone has done, but there would still be no prescription on minimal security levels, methods of protection, etc. So what about the Privacy Act?

According to Freeman, "The privacy law sets out a series of principles to guide the protection of customer information but there is inadequate compliance and inadequate tools available to the Commissioner if a breach is found. There is a big push to enable the Privacy Commissioner to issue a fine and that is expected to happen very soon."



Don't hold your breath. According to privacy expert Graham Greenleaf, professor of law and information systems at the University of NSW, the Privacy Commissioner already has powers akin to fining offenders, but has failed to use them.

"The Privacy Commissioner has had the power to award compensation for breaches since the private sector provisions of the Privacy Act came in 10 years ago, but privacy commissioners have made only one binding determination and have never ordered compensation for any breaches," he told iTWire.

In the Vodafone case, he said that, if the Commissioner found the company to have breached the Privacy Act, "It could order $10,000 compensation to every person whose information has been leaked. That would send a very strong message [to all companies holding personal information]."

This lack of action by successive privacy commissioners, he added, created an additional problem in that there is no indication of what steps companies are required to take to protect personal information.

"National Privacy Principle 4.1 provides that companies must take reasonable steps to protect the security of people's personal information and you could fossick through the few reported complaint summaries that the Privacy Commissioner issues to find what the Commission thinks that means, but you won't find much. This means you don't get any details about what security breaches mean from actual decided cases. So we don't know what the security provisions of the Act actually mean."

Vodafone is presently facing a class action over the quality of its service, to which some 18,000 customers are reported to have signed up. Could those who think their information might have been compromised take similar action? No, says Greenleaf.



"The only thing you can do is make a complaint to the Privacy Commissioner. You cannot go direct to court. However the Commissioner has no shortage of powers to investigate and to make binding determination including compensation."

He added that submissions to the Australian Law Reform Commission on reform of the Privacy Act had recommended that it be amended to allow individuals to initiate court action for alleged breaches, but without success.

So there are no detailed guidelines, voluntary or otherwise, as to what telcos are supposed to do to protect your personal data and, it seems, few consequences other than bad publicity if they fail to do so.

No wonder, then, that with priorities like marketing, new products and customer acquisition/retention all clamouring for management, financial and IT resources in the fast-moving and highly competitive mobile industry, the small matter of keeping customer data safe goes to the back of the queue.
