Three Cautionary Tales

Kathleen Hyde
The title of this blog post doesn’t really capture the essence of it. I feel like the title should be something along the lines of “and now for something completely different” because what I planned to write and what I’m posting are two different things. Sometimes life gets in the way and sometimes it shows you the way. This week, the latter is true.
Three times in two days I’ve been reminded about the roles consumers and businesses have in safeguarding data and how the choices we make impact not only ourselves but others. I’ve also been reminded that one of my favorite sayings – just because you can doesn’t mean you should – is just as true now as it was ten years ago (or thereabouts) when I started using it to describe information technology, security, data and privacy. Also, policies and practices aren’t one and the same.
Cautionary Tale #1
I’ll call this cautionary tale The Opt In. On Monday I received a call about an account that, because I pay the bill, I am authorized to access. The caller needed to confirm information about an asset because the company he works with – and that bills me – was conducting an audit of sorts. If the asset didn’t meet certain criteria, it was going to be reclassified and the bill would increase. To avoid reclassification, I needed to confirm a few details and seal the deal with a photo of the asset.
I know what you’re thinking at this point. The call was a scam. No, it was a legitimate request (though I can’t say that I agree with a company changing the rules after more than 15 years).
I took the picture and I sent it. Two minutes later my phone started sounding off. One notification: thank you for requesting to receive text messages about the account. Second notification: say yes to receive additional messages about the account. Plus an email notification: thank you for updating your preference to receive electronic communications. From this point on, you can log into an online account to receive updates and notices.
Consumers should be able to easily opt out. Image licensed through Adobe Stock.
Wait. Hold on. I didn’t opt in. Long story short, after three phone calls over the course of two days I was finally able to opt out.
Observations – The system the caller used to receive my message required him to opt me in without my consent. We need to do a better job designing information systems so that we maintain consumer choice when it comes to electronic communications. We also need to streamline the process for opting out.
Cautionary Tale #2
Let’s call this cautionary tale The App. Late last week I decided it was time for me to get my second “pandemic” haircut. After I researched salons, I contacted one, only to find out the salon was closed due to COVID-19. I contacted another a few days later, and after a brief online chat – I received an automated reply followed up with a reply by a live person – I booked an appointment by phone. Then, a few minutes later I received a text message to say I’d scheduled an appointment.
But then yesterday, I received another text message. I was asked to click a link to confirm my appointment. While it was a bit of a nuisance, and something like this might be a concern if I didn’t think the message was legitimate, I understand that time is money and cancellations hurt small businesses, especially now. I clicked on the link to confirm, but instead of being able to confirm the appointment, I was directed to a web page that just said “Install app”.
Fast forward. I checked the app’s permissions before deciding to contact the salon via chat and confirm the appointment. Here’s the quick rundown for the Android version:
  • Identity – accounts, including add/remove
  • Calendar – read, including confidential information, and add/modify
  • Contacts – find accounts and read contacts
  • Location – precise (GPS and network-based)
  • Photos/Media/Files – read, modify, or delete contents of USB storage
  • Camera – take pictures and videos
  • Other – full network, control Near Field Communication, run at startup, use accounts, prevent device from sleeping, read Google service configuration
Do you check permissions before you download and install apps? Image licensed through Adobe Stock.
Observations – Businesses shouldn’t assume that customers will want to download and install apps, nor should vendors, who provide online booking services and more to retailers and service providers, make installing apps a requirement for engagement. Apps should be created for specific audiences, i.e., an app for salon owners and an app for salon customers. App developers should limit the access they need to our data and device functionality. (On a side note, we should also consider the costs associated with storing this data, especially if it’s not used, and whether it increases the likelihood that an organization will be a target or, worse, a victim.)
Cautionary Tale #3
Actions Speak Louder is an appropriate title for this cautionary tale. About seven months ago I set up an account that required me to submit documentation so that I wouldn’t be charged sales tax on certain purchases. A couple of weeks into the relationship, I received an email confirmation that my new account was “all set”. After something like twenty emails, four faxes, several phone calls, and seven months, I was still being asked to provide documentation and, on Monday, I was charged sales tax on an invoice. As of this morning, after faxing the documentation again yesterday, I was informed the account is now good to go.
Observations – How organizations onboard new accounts and handle “paperwork” can be an indication of how an organization will view your business (and possibly your customers), and by extension, your data, privacy, and security. Even if an organization has outstanding policies for data collection, usage, and retention – and not all do – that doesn’t mean that internal processes and systems support those policies.