privacy and confidentiality - yours or mine?

WARNING: Mild rant ahead.

I’m writing this post to out a particular behavior that I am seeing more and more often lately.

Example 1:

Whilst activating a prepaid SIM I was asked to provide my driver’s license number. Already knowing the answer, I asked the operator why they needed this information.

Their response?

It’s for your safety.

Ultimately this is sort of true. The ACMA passed an act in 2008 which meant that sufficient ID was required to purchase a prepaid SIM or phone. This act was designed to help government authorities or mobile operators to eliminate ‘anonymous’ users. For supporters of mandatory registration, anonymity is a condition that threatens public safety and security. Without opening up the debate of whether or not this is ethical/effective/true, it should be pointed out that prepaid anonymous “burner” phones are a communication tool of choice for everything from drug dealing to remote-controlled explosives. Making it difficult to access these phones anonymously is meant to provide a level of deterrence for these sorts of uses, or at a bare minimum provide investigators with a place to start should something bad ever happen.

So, regardless of your/my position on the legislation, you can understand why it’s there.

But that’s not my point.

The response “It’s for your safety” is meant to evoke a reaction of “Oh, OK. The phone company knows better, I trust decisions about my safety to them because they are a large corporate with my best interests at heart”. The idea of the nice telco man “looking after my safety” is more palatable than the idea of my phone company making sure that I’m not a terrorist or a drug dealer.

This type of response has been specifically designed to leverage the general public’s trust and willingness to outsource their privacy and personal security to whichever big business will volunteer to look after it for them. The operator could have just as easily used a higher authority close and said “it’s required by law” – no further explanation required.

Example 2:

I had a recruiter contact me recently. She’d found me through LinkedIn, or Twitter, or something like that – I’m hardly anonymous on the interwebs. In the field I work in this is very common. After the pitch of her available roles she asked that I send her my CV in Word format. Already knowing the answer, I asked why she wanted it in Word format.

Her response?

It’s so I can redact your details for your confidentiality.

Again, sort of true – but bollocks at the same time.

I am perfectly capable of redacting my own CV…. The real reason was for HER confidentiality. If a recruiter puts forward a candidate CV with their details still on it, their client can simply say “we know the candidate already and will deal with them directly”. They don’t even need to actually know the candidate… At this point, the recruiter has lost the ability to “sell” the candidate to that client. Worse still, the client is now aware that the candidate is willing to give their CV to a recruiter and is quite likely approachable about a role.

Bad business for the recruiter…

But, again, that’s not the point.

Rather than being transparent about how she was planning to use my information, this particular recruiter opted to use the idea of “looking after my best interests” as a path of least resistance to get the information she wanted. The idea of her making sure my “confidentiality is protected” is much more palatable than the idea of her getting her cut should I change jobs.

Do you see what I mean? It’s not a whole lie… but it ain’t a whole truth either.

The odd part about all of this is that in both cases I’d give over the required information if the occasion called for it. I accept that the telco is bound by the rules of the ACMA. I understand that recruiters need to commercially protect themselves from the threat of direct selling.

Whilst the motives were fairly benign, the two examples above are stories of people who purposefully used a misplaced trust to obtain confidential information. In the security industry, we call it “social engineering”, more specifically “pretexting”. Perhaps these two examples, and the countless others I’m sure are out there, are a contributor to why the easiest way to break into a company is through its people.

I realize that I may be over-reacting and more than a tad bit idealistic here – I understand that it’s “good business” to choose the path of least resistance wherever possible – but at the core of this little rant is a belief that, if not an ethical duty, it’s at least basic courtesy to be upfront and honest about matters that affect privacy and confidentiality.

The alternative only serves to foster the warm fluffy cloud of permissiveness and apathy that causes so many of the issues I see day-to-day.

Very interested to hear any thoughts or feedback on this.