The Data Protection Paradox–Are You a Vulnerable Person?

Light Stream

Are you encouraging people to take advantage of vulnerable persons? Maybe, inadvertently, you are. Consider this experience.

The Cold Call

The phone rings and the conversation goes like this:

Me: Hello.

Caller: Is that Mr. J.

Me: Yes. Speaking.

Caller: Hello Mr. J. I’m calling from your mobile phone company. (Who shall remain nameless in order to protect what little reputation they have left!)

Me: What can I do for you?

Caller: Before I continue I must tell you that this call may be recorded for training and quality purposes. (He didn’t mention that it also covers legal aspects, but I knew that.)

Me: That’s fine.

Caller: In order to proceed with the call, Mr. J. please could you confirm your date of birth and your password. (Yeah! Right! Like I’m stupid! At precisely which hour, yesterday do you think I was born?)

Me: No. I don’t give that information out to cold callers.

Caller: But I need that information to confirm your identity.

Me: Why? You called me. You know who I am. I don’t know who you are, so I need to ask you some security questions. Please give me my date of birth and my password.

Caller: No, Mr. J. It doesn’t work like that. I cannot give out that information.

Me: And I have no intention of giving it to you.

Caller: Why not, sir?

Me: Because I don’t know who you are.

Caller: Mr. J. I told you who I am, and I have all your information on the screen in front of me.

Me: So you know who I am, then, and you can answer my security questions.

Caller: But I cannot do that because of data protection. Why will you not give it to me?

Me: Because if (Note: ‘If’.) If you were a criminal that’s exactly what you would say and exactly the sort of information that you would ask me for.

Caller: I find it insulting that you call me a criminal.

Me: I didn’t. I said, if you were a criminal. (So now he’s getting upset with me?)

Caller: Sir, I am not allowed to give out sensitive data. It’s for your protection.

Me: Yes. And I protect myself by not giving my information to cold callers.

Caller: But, sir, I cannot continue the call unless you are prepared to confirm your identity.

(I know. You can’t make this up!)

Me: Then I guess the call is over. Unless . . . I know. I have a solution for you. Why don’t you write me a letter?

(Now, this is where it gets really weird.)

Caller: I’m sorry. I cannot answer that.

Me: Why not?

Caller: (And this is exactly what he said.) If I say that I will write to you, I would be giving out sensitive data.

Analysis

As you can imagine, by this point I’m thinking, why don’t I just hang up, right? And, believe me, this call went on for much longer than it takes to read the above. I even spoke to his manager.

My point is that I’ve had such calls from some big businesses. For example, my bank called to try to sell me loan cover insurance. As it was, I was expecting that call, so I was a bit more flexible. But I still played them at their own game. You see, at the time I lived in a little Welsh village with a fairly difficult name for non-Welsh speakers to pronounce. So I told the guy I would compromise if he was willing to tell me the second line of my address, the village. I know. Cruelty knows no bounds. Fair play to him, he had a go. He managed the first three letters, ‘Pen.’ The rest is almost impossible if you aren’t familiar with Celtic languages. You should hear the computer generated voice version on my maps app. But he did try, so I put him out of his misery and gave him the information that he needed.

However, I’ve had similar calls from HM Revenue and Customs. (I believe they are called the IRS in America. They also get called other names that I don’t use because I’m too polite!) When I was employed in accountancy we would get an average of at least one or two calls every week. And they were usually from the revenue’s debt collectors chasing our clients. Now, let’s be honest and say that, while these people have a very important job to do, some of them have an inordinate sense of their own importance. So they are ripe for the wind up. And, yes, we would take advantage of the Data Protection Acts in just the same way that they would when we called them. (The conversation recorded above will give you an idea.)

The Danger

However, here’s the catch. Let’s say that a criminal were to call a vulnerable person using the details in the phone book. OK. They may have to call a number of people before they got the details right. But, once their hook is in, there’s no escaping. So, this vulnerable person hears words suggesting that their phone is going to be disconnected, or their bank account has been closed, and they are asked for their password, among other details, because this kind person from the bank wants to help them sort it out.

I know. That’s pure fantasy, isn’t it. Well, apparently, some big corporations don’t believe such things could happen. Really. They don’t believe it. They think that by simply name dropping their big corporation‘s name, everyone will trust them. The fact that their firewall is constantly under attack, and that they made the headlines for data breaches is supposed to be immaterial.

Now, ask yourself how many times you have read reports of scammers catching vulnerable people unawares? Why? Maybe it’s because the big corporations misapply the Data Protection Act. And maybe they do that because ordinary people trust them.

Seriously. Ask yourself another question. If your telephone started ringing, right now, and the voice on the other end of the phone was not familiar to you, would you trust that person to be who they say they are? If you do, then you could be perpetuating the abuse of vulnerable people.

The Solution

So, what is the solution?

Well, you could try what I have described above. Do not give out personal information to cold callers, even if they are from a business with which you have regular dealings. If they are genuinely interested in your welfare they will not ask for this information. For example, my bank has a policy that they will never send you a communication requesting your personal data, and certainly never ask you for your full password. In fact, they simply don’t ask unless you call them.

Now, if everyone refused to provide personal information to cold callers, sooner or later the big corporations would have to take notice. Then, we would all be protecting the more vulnerable people.

Another thing that you could do is to complain. I emailed my mobile phone provider to ask if this really is their policy. I included a comment that, if it was, then unless it is changed, they will be losing a customer. The reply was that it is, indeed, their policy, and please could I confirm my date of birth and post code so that they could identify me! (You really cannot make this up!) So I replied saying that the policy is fundamentally flawed and does not protect my data, nor anyone else’s, for that matter.

And, here’s the catch. I copied the email to the company CEO. I am still waiting for the response. It should be interesting.

I’m not one for campaigning. But I wanted to share with you my thoughts on my experience of cold telephone callers and the dangers to vulnerable people. Because the next scam could catch anyone. Even you.