Privacy protection in telco land is a joke

  • 20 January 2011
  • Published in Cornered!

Vodafone has been seriously embarrassed by the leak of customer details, but there seems little prospect of more serious consequences for the company. That needs to change.

Loss of privacy is a precursor to identity theft, and the problem with identity is that, unlike a stolen credit card number, it is not easily replaced; unless you want to change your name. So it should be incumbent upon telcos, and other companies, to provide the highest levels of security around customer data. And there should be serious consequences if that security is breached.

As the Vodafone incident has amply demonstrated, neither of those applies. All the reports of Vodafone's security breach suggest that it had implemented a minimal level of security on its customer database and lacked any means of identifying, authenticating and tracking individuals' access and usage.

The situation was succinctly summed up by Electronic Frontiers Australia chairman, Colin Jacobs, interviewed on Channel 10's 7pm Project. "These companies have a legal obligation to protect our data. But that requires time, it requires money, and it requires expertise. And often they don't quite get around to doing it until something like this happens, it all blows up, and they've got a horde of angry customers banging on their door demanding to know what happened to their data."

So what about this legal obligation? There is a mandatory consumer protection code for telecommunications services providers. There are privacy laws. There's the ACMA administering and enforcing code compliance and there's the Privacy Commissioner implementing the Privacy Act. Surely these two wield sticks big enough to ensure that telcos give customer data the care and protection it deserves? Sadly the answer is no, on every count.

According to Elissa Freeman, director of policy and campaigns at the Australian Communications Consumers Action Network (ACCAN), "The TCP [Telecommunications Consumer Protection] code does have provisions that require providers to protect the privacy of their customers' billing and personal information so there is a good case that Vodafone has breached the code."

However, she says: "This is a great example of how toothless the code is. The ACMA can now investigate Vodafone for a possible breach of the code and can direct Vodafone to comply with the code, but that is about as tough as it gets."


Codes of conduct for the telecoms industry are developed by the industry, through Communications Alliance primarily. Then, if the ACMA decides to register them, compliance becomes mandatory, but this means little, according to Freeman.

"The industry would like to say the code is mandatory because it is enforced by the ACMA but the only enforcement available to the ACMA is to direct service providers to comply and then take action if they fail to comply… The code is voluntary until the service provider is directed by the ACMA. This is a very contentious point."

The code is presently being revised, but Freeman said there was little chance of the new code including any more specific requirements on telcos to protect the privacy of customer data. "Privacy laws operate alongside consumer protection and are much more prescriptive about how consumer information should be treated, so there probably won't be more requirements in the revised code."

However, she said the revised code should incorporate much stronger measures for enforcement and punishment of breaches. "The challenge is to beef up compliance and enforcement so that there are serious consequences for any provider that fails to protect consumer information. The code at present has no compliance or enforcement built into it."

These powers could only be applied after the event. Hopefully the threat of serious consequences would ensure that telcos did a far better job of protecting customer data than Vodafone has done, but there would still be no prescription on minimal security levels, methods of protection, etc. So what about the Privacy Act?

According to Freeman, "The privacy law sets out a series of principles to guide the protection of customer information but there is inadequate compliance and inadequate tools available to the Commissioner if a breach is found. There is a big push to enable the Privacy Commissioner to issue a fine and that is expected to happen very soon."


Don't hold your breath. According to privacy expert Graham Greenleaf, professor of law and information systems at the University of NSW, the Privacy Commissioner already has powers akin to fining offenders, but has failed to use them.

"The Privacy Commissioner has had the power to award compensation for breaches since the private sector provisions of the Privacy Act came in 10 years ago, but privacy commissioners have made only one binding determination and have never ordered compensation for any breaches," he told iTWire.

In the Vodafone case, he said that, if the Commissioner found the company to have breached the Privacy Act, "It could order $10,000 compensation to every person whose information has been leaked. That would send a very strong message [to all companies holding personal information]."

This lack of action by successive privacy commissioners, he added, created an additional problem in that there is no indication of what steps companies are required to take to protect personal information.

"National Privacy Principle 4.1 provides that companies must take reasonable steps to protect the security of people's personal information and you could fossick through the few reported complaint summaries that the Privacy Commissioner issues to find what the Commission thinks that means, but you won't find much. This means you don't get any details about what security breaches mean from actual decided cases. So we don't know what the security provisions of the Act actually mean."

Vodafone is presently facing a class action over the quality of its service, to which some 18,000 customers are reported to have signed up. Could those who think their information might have been compromised take similar action? No, says Greenleaf.


"The only thing you can do is make a complaint to the Privacy Commissioner. You cannot go direct to court. However, the Commissioner has no shortage of powers to investigate and to make binding determinations including compensation."

He added that submissions to the Australian Law Reform Commission on reform of the Privacy Act had recommended that it be amended to allow individuals to initiate court action for alleged breaches, but without success.

So there are no detailed guidelines, voluntary or otherwise, as to what telcos are supposed to do to protect your personal data and, it seems, few consequences other than bad publicity if they fail to do so.

No wonder, then, that with priorities like marketing, new products and customer acquisition/retention in the fast-moving and highly competitive mobile industry all clamouring for management, financial and IT resources, the small matter of keeping customer data safe goes to the back of the queue.
