Indian Call Centers Selling Private Data

A year ago, Britons learned that Indian call centers were selling their private identity information. It sems there's nothing new. SC Magazine reports that Indian call centers are still selling private credit card data on the black market. According to the article:

The Payment Card Industry Data Security Standard (PCI DSS) – adopted by the major credit card brands – requires organisations to monitor outsourcing service providers and states they are liable for fines if that provider compromises their data.

Good job, guys.

Another Laptop Stolen – More Personal Data At Risk

I checked the mail after getting home from work and found an envelope from th Harley Owner's Group (HOG). That got my attention, since Biketoberfest is around the corner in Daytona. Could it be an interesting offer coming to town during that event?

No, it was a Personal Information Advisery. It seems that a Harley-Davidson employee reported a missing laptop on Monday, August 14, 2006. The laptop contained HOG member data to facilitate registration at HOG events.

The letter claims that Harley-Davidson conducted an extensive investigation, notified law enforcement, and still want to retrieve the laptop. I'm sure that's true, though the word “extensive” means different things to different people. There are no circumstances provided regarding how the laptop disappeared, whether it was stolen or misplaced.

Harley-Davidson sent a letter to 60,000 people (including me) because the file contained either a credit card number and/or driver's license number. I know that HOG has both pieces of information from me, since I had to provide that information for a Fly & Ride rental during a trip to Salt Lake City in April this year.

Additionally, Harley-Davidson provided me with a free one-year account with to provide credit monitoring. There's a forum on the HOG members web site, and a promise to mail any pertinent information to me about the case.

This is a case where I understand why an employee had customer data on a laptop. Event registrations happen in the field without network access to a corporate database. Also, you never know who may attend an event. Harley owners frequently travel to HOG events out of their own state, so it makes sense to keep information on hand to accommodate those travelers.

However, I do not see any mention of security measures taken to protect data on the laptop. Theft or loss in the field is a reasonably high probability risk. Is the information password protected? Was the disk encrypted? I tend to doubt it, or the letter would probably try to assure me that my identity information was reasonably secure. How can a major corporation allow sensitive customer information outside of its walls without taking these reasonable precautions to protect it? These days, it's inexcusable to let a laptop with sensitive information go without disk encryption.

I appreciate the notification and apology from Mike Keefe, Vice President and Director of Harley Owner's Group. To Mike, I strongly recommend that you take my advice. Encrypt the hard drive on all of your remaining laptops. Customers like me depend upon your precautions.

Spies in the Valley

Thanks to HP, another catch phrase enters the public consciousness. Pretexting. It's a technique of social engineering, or gaining access to systems by manipulating people into divulging information that should remain confidential. Many people never heard of the phrase “pretexting” before private investigators, hired by HP's top manageent, collected the private phone records of its directors and a CNet reporter. Why? Someone on the board of directors leaked information to the reporter and, damn it, HP was going to find out who did it. I won't go into further details here because you can read about the story elsewhere.

The part that interests me is how easily the investigators collected private information. Pretexting is a means of deceiving someone with an untruth. In this case, the investigators pretended to be the people whose records they wanted to retrieve from the phone company. In short, they lied. They also broke the law.

Under federal law — the Gramm-Leach-Bliley Act — it’s illegal for anyone to:

  • Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.

The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.

According to that third bullet, the HP management who ordered this theft of information may also be at fault under the law. I'm sure they'll claim they never knew the investigators would use illegal means, but I wouldn't buy that if I were sitting in a jury.

Think of the confidential information companies collect about you. They know your name and where you live. Some have your credit card data, and part or all of your Social Security Number. Stores know what you're buying, and when you're likely to buy a product again. Think of your medical records or credit card transactions getting into the wrong hands. Your search engine queries may reveal things that you have a right, and a wish, to keep private.

The problem with raw data is that it provides no context. The records don't say why you purchased a banana and a jar of vaseline at the grocery store last Tuesday. If you were running for election this year, imagine the uncomfortable suggestions that an opposing political rival could make those that tidbit.

We hear about invasions of other people's privacy almost daily, but how often do we make changes to protect ourselves? For example, do you have a GMail or Yahoo Mail account? If so, all of your searches while logged into those accounts trace back to your identity. Even if you don't login with an account, the search engine records the IP address you use for your query. In real world encounters, how much information do you give to an unknown source when you register to win that “free” car sitting in the mall, or answer a telephone survey?

There is always someone who can use your private infomation to their benefit. Only you control how much information you give. Once that information is out of your hands, you have no control over it. We trust certain organizations – banks, insurance companies, phone companies, utilities, blood banks, schools, employers, physicians and hospitals – to keep our information safe and confidential. Some succeed. Some fail. It's up to you to understand the privacy policies of an organization when you provide your information. There are laws to protect us, but laws won't stop criminals.

I believe that the inherent weaknesses of organizations that are vulnerable to pretexting are exactly why we need secure credentials. When you vote or conduct some financial transactions in person, you have to show a photo identification to authorize your access. Why do we not demand authentication for more transactions to retrieve confidential data? It's time for greater use of fully proofed and vetted identification systems to become the standard for personal and electronic interactions. It's too easy to fake your way through an informal interrogation or compromise a password. Identity requires something you know and something you have.

How much does EA Games need to know about you?

It's almost automatic. When you install software, there's a point where you have to accept the user license agreement before you can continue. If you don't click a button to agree, the installation ceases. Have you ever tried to return opened software or a game with the excuse “I don't agree to the license?” Chances are that it won't work. Once you break the shrinkwrap, you're chances of a refund decreased almost 100%.

Do we even look at the user license agreement anymore, even on video games? Fortunately, someone did. That's why there's a buzz now about EA Games license agreement for XBox Live games.

[box type=”info”]If you sign up to play EA games through Microsoft’s Xbox Live Service, Microsoft will provide your Xbox Live user account information to EA so that we can establish an EA Online account for you. You need an EA Online account to play EA’s Xbox Live titles. By signing up to play EA's Xbox Live titles, you agree that Microsoft can transfer your user account information to EA. Information collected will vary depending upon the activity and may include your name, e-mail address, phone number, mobile number, home address, birth date and credit card information. In addition, we may collect demographic information such as gender, zip code, information about your computer, hardware, software, platform, media, Internet IP address and connection, information about online activity such as feature usage, game play statistics and scores, user rankings and click paths and other data that you may provide in surveys or online profiles, for instance. We may combine demographic information with personal information.[/box]

That content comes from EA's Privacy Policy web site. For its part, Microsoft has two privacy policy sites. The first one mentions the following about Personal Information:

  • When you register for certain Microsoft services, we will ask you to provide personal information.
  • The information we collect may be combined with information obtained from other Microsoft services and other companies.
  • We use cookies and other technologies to keep track of your interactions with our sites and services to offer a personalized experience.

The second bullet states that information may be combined with infomation obtained from other sources. What does that mean? Combining information from multiple sources does not indicate distribution, as I understand the statement. Now let's look at the next set of bullets about Uses of User Information:

  • We use the information we collect to provide the services you request. Our services may include the display of personalized content and advertising.
  • We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services.
  • We do not sell, rent, or lease our customer lists to third parties. In order to help provide our services, we occasionally provide information to other companies that work on our behalf.

The third bullet states that Microsoft does not sell, rent, or lease customer lists to third parties. That would seem to indicate that they do not distrubute (although there's no mention of freely giving away your private information). However, the second sentence in the third bullet does seem to indicate that Microsoft does distribute your private information to companies that work on Microsoft's behalf.

Does EA Games work on behalf of Microsoft? If you buy a copy of Madden NFL '07, does EA work for Microsoft? I doubt it. Maybe I'll have to ask some of the guys at my gym who work for EA – they make Madden right across the street.

Of course, I mentioned that Microsoft has another privacy policy statement. This is Microsoft's full disclosure for online privacy. I think the pertinent statement in the full disclosure is this line:

[box type=”info”]Except as described in this statement, we will not disclose your personal information outside of Microsoft and its controlled subsidiaries and affiliates without your consent.[/box]

So what exception described in this statement is the one that allows Microsoft and EA Games to pass your private data around like a beach ball at an outdoor concert? Why, I think it's this one:

[box type=”info”]Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.[/box]

EA Games and Microsoft's XBox Live must come under the “co-branded” loophole. That means neither of them will make it obviously clear where your information is going. Once EA Games has your information how does it protect you?

[box type=”info”]We will only collect and use personal information in accordance with this privacy policy to the extent deemed reasonably necessary to serve our legitimate business purposes, and we will maintain appropriate safeguards to ensure the security, integrity, accuracy and privacy of the information you have provided. In addition, we will take reasonable steps to assure that third parties to whom we transfer any personal information will provide sufficient protection of that information.[/box]

In other words, “Trust us. We know what's best for you.” Who knows where your information will end up? Congratulations to the co-branded offerings from Microsoft and EA Games. You've developed identity transivity. If only your customers knew.
SlashDot article