Lee & White

  • The fine print

    Saturday, March 1, 2008

    Finally something is happening in the Belgian Data Protection World.

    OIVO, the research and information centre of the consumer organisations in Belgium, has filed a complaint against the Belgacom group to the Privacy Commission and the Federal Ministry of Economics.

    OIVO states that the privacy notification clause on the invoices sent out by Belgacom is a violation of the Data Protection law. This notification states that 'customer data is stored in databases of the Belgacom group (Belgacom nv, Belgacom Mobile, Telindus, Skynet) and can be used by any member of that group for customer management and to send commercial information'. It also states that a customer who does not want to receive such commercial information should contact customer service.

    This violates the data protection law on several points:
    1. Belgacom has not given the customer the option to opt in to commercial information.
    2. Belgacom does not mention how to contact customer service (address, email, phone number) and that this would be free of charge.
    3. Belgacom does not state exactly what will be done with the personal data.

    Belgacom is surprised at the complaint from OIVO and states that it complies with the law by providing the opt-out option. A letter was sent to every Belgacom customer to launch the new free 0800 customer service number, which was sufficient information as already 13.592 people have called and noted that they do not want to receive personal data. Belgacom also notes that OIVO's approach is not elegant and that OIVO should have contacted Belgacom directly first.

    Of course OIVO's point of view is correct, and I am not surprised by Belgacom's reaction, as it is one of the most heard excuses used by companies and organisations. Even though Belgacom is making an effort to implement the data protection law, it needs to go the extra mile and do it exactly right.

    Posted by: Lee & White

    Tags Personal Data Organisations IT

  • Our Printers Are Spying On Us!

    Wednesday, February 20, 2008

    If you worry about your DNA and personal information being used to invade your privacy, now you have something else to add to your worries. According to research by the Electronic Frontier Foundation (EFF), documents you print on your colour laser printer can indirectly identify you, because they carry encoded information that is not visible to the naked eye. Tiny dots are scattered on each page of your document. The information encoded includes the time, the date and the serial number of your printer. This is just the information that the EFF has managed to crack at the moment.

    So, who is behind this brilliant system? The U.S. government, of course. They claim the purpose of this tool is to enable them to identify counterfeiters. Is that the only purpose for this tool? It is yet to be discovered.

    According to Mr. Franco Frattini, the EU Commissioner for Justice and Security, there are no laws against tracking mechanisms in colour printers and photocopiers. "... the information based on tracking printed or copied material does not necessarily include data relating to identified or identifiable individual, i.e. personal data.

    To the extent that individuals may be identified through material printed or copied using certain equipment, such processing may give rise to the violation of fundamental human rights, namely the right to privacy and private life. It also might violate the right to protection of personal data."

    The EU acknowledges that this tracking system is a violation of human rights and an invasion of our privacy. We have the laws to protect our privacy, but seeing that this tracking system in printers is part of the U.S. government's policy, how far will the EU go to protect us?

    Posted by: Lee & White

    Tags Personal Data Government Human Rights

  • Toothless lions need more bite

    Thursday, January 17, 2008

    Yesterday, the UK's Information Commissioner's Office (ICO) found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. It has now ordered both these companies to refine their data protection practices or be prosecuted.

    We must applaud the ICO for taking enforcement action on this matter. Without a doubt, the ICO seems to be taking centre stage these days with the heightened number of privacy breaches in the UK (and believe me, with the rest of the world too). It is now asking for several improvements to its powers which are currently too weak to enforce the law effectively.

    According to Privacy Laws and Business, the House of Commons Justice Committee published a "Protection of Personal Data" report on the 3rd of January 2008 which, amongst others, records evidence given on the 4th of December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. The ICO is seeking mandatory audits, a criminal offence and data breach notification.

    In Belgium, the situation is no better. Perhaps it is worse - for many breaches are not publicised, contrary to the UK. Perhaps we need to put it out in the open here. Perhaps we need to complain more, and not just accept it when something goes wrong with our personal data. Perhaps the Belgian public must be better educated. Perhaps Belgian organisations too. Perhaps we need the Belgian press to provide greater publicity on privacy issues.

    And perhaps the Belgian Privacy Commission should follow in its fellow privacy defender's footsteps and demand the same. These privacy promoters are currently toothless lions, sad to say.

    Currently, the Belgian Privacy Commission's powers are merely supervisory - giving advice and recommendations, and whilst being able to send warnings, and denounce violations to the public prosecutor, it is unable to sanction. One must remember though, that with regard to the latter powers, a complaint must first reach the Commission. Yes, so it does have to start with you, the individual who suffers.

    Given the large number of malpractices in organisations with regard to the protection of personal data, and given the attitude of the public in not wanting to prolong their suffering, Privacy Commissions' powers, both in the EU and the rest of the world should be reviewed. It is high time they are given greater control and ability to protect personal data. It is after all, for our well-being.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • The privacy breach of one Dutch company

    Monday, January 14, 2008

    Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55000 people with regard to past applications could be retrieved by other parties. Such information included the date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

    The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

    Whilst there is no proof of abuse of such personal information (or no proof yet), the fact that such a leak is happening should be ringing warning bells for us. How many more of the websites we visit are carelessly giving access to the same? How many more companies are just as negligent? This is just the privacy breach of one Dutch company: its negligence in implementing proper security measures to protect this personal information.

    Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

    What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

    Well, just to let you know that personal information is carelessly handled every day.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet IT

  • Who is abusing my email?

    Tuesday, January 8, 2008

    Summary: This article will show you how to stop people abusing your email address or at least find out who did.

    You start a company, you register a domain and you get yourself a nice email address with your name in it, firstname.lastname@mydomain.com, and everything is great.

    You now have a prestigious address at your own company and as nobody knows the email address, you receive no spam.

    And then you register with a few online websites, known or not, and suddenly the spam starts to trickle in, more and more each day, until it turns into a flood that wastes your time and often contains risks such as phishing mails and viruses.

    So what can you do? You can hardly change your name or company name. Listed below are a few options:

    1. Use another email address

    There are a lot of well-known free email providers such as gmail.com, yahoo.com and hotmail.com, to name only a few, where you can get a free email address to receive your registration information.

    Another option is to use a disposable email address, which saves you the hassle of having to close down your email address once you have received what you needed to receive. A few of these: Mailinator, NoClickEmail, or 10MinuteMail. Just Google for 'temporary email' to find more providers.

    The downside of this method is that once your free or disposable email address is closed down, critical and genuine information can be missed.

    2. Track usage of your email address

    A little known fact is that you can append information before the @ sign in your address by using the + sign.

    An example: you visit a website called spammersite.net and you are asked to register your email address.

    For this, append +spammersite.net to your name, registering firstname.lastname+spammersite.net@mydomain.com. Emails sent to that address will be received on firstname.lastname@mydomain.com, but you will be able to see the extra information in the 'to:' field, showing you who has been messing with your information.

    Note that although most providers support this, it will not work with some. Send a test mail to yourself (with the + suffix) to test if it works.

    The downside of this method is that you are not stopping spam, but at least you can learn where it came from and take legal steps to stop them.
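The check described in option 2, as an added example that is not part of the original article: it reads the recipient headers of received mail, extracts the + tag, and lists senders that used a tagged address although they are not the site it was given to. The mailbox name is the article's example; the sample messages, the sender domains and the use of `Delivered-To`/`X-Original-To` (headers many mail servers add on delivery) are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the mailbox you own (the article's example address).
BASE_LOCAL, DOMAIN = "firstname.lastname", "mydomain.com"

def tags_in(raw_message):
    """Return the +tags under which one message reached our mailbox."""
    msg = message_from_string(raw_message)
    # Delivered-To / X-Original-To carry the envelope recipient, so the tag
    # is still visible when we were in Bcc and To: names someone else.
    values = []
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(msg.get_all(name, []))
    found = set()
    for _display, addr in getaddresses(values):
        local, _, domain = addr.rpartition("@")
        base, _, tag = local.partition("+")
        if domain.lower() == DOMAIN and base.lower() == BASE_LOCAL:
            found.add(tag.lower() if tag else "(untagged)")
    return found

def leak_report(raw_messages):
    """Map each tag to sender domains other than the site the tag names.

    From: is forgeable and a sender can strip the tag, so a hit is a lead
    to follow up, and an untagged message proves nothing either way.
    """
    report = {}
    for raw in raw_messages:
        _name, sender = parseaddr(message_from_string(raw).get("From", ""))
        sender_domain = sender.rpartition("@")[2].lower()
        for tag in tags_in(raw) - {"(untagged)"}:
            # Mail from the tagged site itself, or a subdomain, is expected.
            if sender_domain == tag or sender_domain.endswith("." + tag):
                continue
            report.setdefault(tag, set()).add(sender_domain)
    return report

# Constructed sample messages (not real mail).
SAMPLES = [
    # 1. The site writes to the address it was given: expected.
    "From: News <news@spammersite.net>\n"
    "To: firstname.lastname+spammersite.net@mydomain.com\n\nWelcome\n",
    # 2. A third party uses the same tagged address (case differs).
    "From: Deals <promo@bulk-offers.example>\n"
    "To: Firstname.Lastname+SpammerSite.net@MyDomain.com\n\nOffer\n",
    # 3. Bcc delivery: only Delivered-To shows the tag.
    "From: shop@pills.example\nTo: undisclosed@pills.example\n"
    "Delivered-To: firstname.lastname+forum.example@mydomain.com\n\nBuy\n",
    # 4. Ordinary mail to the plain address.
    "From: friend@example.org\nTo: firstname.lastname@mydomain.com\n\nLunch?\n",
]

if __name__ == "__main__":
    for tag, senders in sorted(leak_report(SAMPLES).items()):
        print(f"address given to {tag} was used by: {', '.join(sorted(senders))}")
```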

    If you have any questions regarding this or other articles in this blog, send an email to comments@leeandwhite.com after reviewing our Privacy Policy.

    Posted by: Lee & White

    Tags Personal Data Internet IT

  • Jeremy Clarkson - wise guy humbled.

    Tuesday, January 8, 2008

    How many of you know Jeremy Clarkson? The wise guy host of Top Gear?

    Well, like many people who do not seem to grasp the importance of keeping their personal data secure and ensuring that those who handle their personal data do the same, he has also thrown caution to the wind.

    But that is quite alright. According to the BBC, he has been superbly proven wrong. The man recently revealed his account numbers in the Sun newspaper after ridiculing the commotion over the loss of 25 million people's personal details on two computer discs in the UK. He wanted to prove that it was all a big fuss over nothing, but thanks to a reader, he has been put in his place! The details have been used to create a £500 direct debit to the charity Diabetes UK!

    "I was wrong and I have been punished for my mistake," says Clarkson.

    Indeed you have.

    Now the question is, have we all learnt our lesson or do we have to be proven wrong through a loss to understand the consequences of disregarding the importance of privacy?

    Posted by: Lee & White

    Tags Private Persons Personal Data

  • The secret of a good password

    Wednesday, January 2, 2008

    Numerous incidents of data loss or theft have occurred all through 2007 and before. A recurring cause of these incidents is the human factor. Information Technology these days is quite secure, and scam artists are turning more and more to the human factor as it is much easier to crack than those highly protected IT systems.

    If you look at the incidents that happened in 2007, you will notice that most were due to human error: a junior sending CDs with unauthorized copies of databases, mail getting lost, laptops and thumb drives getting stolen, gullible and greedy people getting scammed, user accounts being compromised.

    The latter is usually quite easy, as most people choose an easy to remember password such as the name of their child, spouse, dog or their date or city of birth. You would be surprised how many people still keep a post-it note with their password stuck to their screen or in their top desk drawer. Some even store it on their mobile phone.

    Some of the rules for a good password:
    • You need to be able to remember it without writing it down.
    • Do not reuse a password and use a different password for every user account or site.
    • Make it sufficiently long and complex so it cannot easily be 'guessed' or 'cracked'.

    To avoid making passwords easy to guess or crack:

    • Use a password at least 10 characters long.
    • Use a mix of upper- and lowercase letters, numbers and punctuation characters.
    • Do not use dictionary words, in your own or a foreign language, forward or reversed.
    • Do not repeat characters.
    • Do not use personal information such as your name, your spouse's name, phone numbers, memorable dates, your car registration or house number.
    • Do not encode dictionary words, substituting letters by numbers ('l' by '1' and 'e' by '3' in 'letter' to '13tt3r').

    The secret to making a password memorable and unique is to use a mix of the above techniques with a few memorable and/or imaginary words.

    For example, I need a password for my Facebook account. To create this, I will interleave the following ingredients:

    • an imaginary word with mixed case: 'sLopAry',
    • a memorable number, part of my phone number, namely the middle 4 digits: 1234,
    • some punctuation marks: * and ",
    • the name 'Facebook'

    Then the password would be: sLop12*Fcbk"34Ary, composed of:
    • The first 4 letters of my memorable word,
    • 2 digits of my memorable number,
    • the first punctuation mark,
    • the consonants of 'Facebook',
    • the second punctuation mark,
    • the last 2 digits of my memorable number
    • and finally the last 3 letters of my memorable word.

    If you applied the same method to your LinkedIn account, you would obtain the following password: sLop12*Lnkdn"34Ary

    Devise a variation of the above algorithm, using the principles outlined, and you will have your own algorithm that allows you to create a unique password for every site you visit.

    It is important to keep a record of all sites where you used this method (not the passwords themselves), as it is imperative that you change all passwords created using this algorithm if one of the sites gets compromised, for whatever reason.
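The interleaving recipe above, written out as an added example that is not part of the original article. It rebuilds the two passwords from the article's ingredients, checks them against the article's rules, and shows how much of each password is identical across sites, which is why the record of sites matters. Reading "do not repeat characters" as "no character twice in a row" is an assumption, and the function names are hypothetical.

```python
import string
from os.path import commonprefix

VOWELS = set("aeiouAEIOU")

def site_password(site, word="sLopAry", number="1234", marks=("*", '"')):
    """Interleave the article's ingredients with the consonants of the site name."""
    consonants = "".join(c for c in site if c.isalpha() and c not in VOWELS)
    return (word[:4]        # first 4 letters of the memorable word
            + number[:2]    # first 2 digits of the memorable number
            + marks[0]      # first punctuation mark
            + consonants    # the only site-specific part
            + marks[1]      # second punctuation mark
            + number[2:]    # last 2 digits of the memorable number
            + word[-3:])    # last 3 letters of the memorable word

def rule_check(password):
    """Evaluate a password against the mechanical rules listed in the article."""
    return {
        "at least 10 characters": len(password) >= 10,
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
        # Assumption: "do not repeat characters" means no adjacent repeats.
        "no adjacent repeat": all(a != b for a, b in zip(password, password[1:])),
    }

def shared_skeleton(a, b):
    """Return the (prefix, suffix) two derived passwords have in common.

    Everything in this skeleton is the same for every site, so once one
    password is exposed, every other password built this way needs changing.
    """
    prefix = commonprefix([a, b])
    rest_a, rest_b = a[len(prefix):], b[len(prefix):]
    suffix = commonprefix([rest_a[::-1], rest_b[::-1]])[::-1]
    return prefix, suffix

if __name__ == "__main__":
    fb, li = site_password("Facebook"), site_password("LinkedIn")
    print(fb, li)
    failed = [rule for rule, ok in rule_check(fb).items() if not ok]
    print("rules failed:", failed or "none")
    prefix, suffix = shared_skeleton(fb, li)
    fixed = len(prefix) + len(suffix)
    print(f"{fixed} of {len(fb)} characters are identical on every site")
```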

    Posted by: Lee & White

    Tags IT

  • Personal data goes missing again!

    Wednesday, December 26, 2007

    Will it not end? Will we have to keep reading (almost on a daily basis now) about security breaches concerning personal data?

    Where is the fire this time? NHS Trusts in the UK, it would seem.

    According to Reuters, nine National Health Service trusts have lost the records of hundreds of thousands of adults and children, in the latest embarrassing loss of data by official bodies.

    Ever since concern for data protection was heightened not too long ago, when the UK government acknowledged it had lost CDs with the names and bank account details of 25 million people, exposing nearly half the population to possible fraud and identity theft, more and more news of failures by official bodies to protect personal data has been pouring in.

    Yes, the government announced last week that one of its contractors had lost the details of 3 million learner drivers! Now, how is this possible? How can it just be lost? What has happened to compliance with strict procedures for protecting personal data? If this is happening within official bodies, how much more within companies and other organisations where almost no form of security procedure is adhered to concerning the protection of personal data? And whilst this is reported in the UK, where, mind you, they are much more strict about such matters, what is the situation like in other countries?

    I shudder to think what is happening in Belgium, for instance, where about 97% of the companies (according to research in 2005) are not compliant with the Belgian Data Protection Law. To top it off, according to research in 2006, none of the non-profit organisations, including the political parties, were compliant either. And in Belgium, many cases do not make it to the headlines for some reason.

    So, what do we do? Make more noise? Let this continue? If only those in power would start enforcing the sanctions and make examples of these organisations.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • Where did Microsoft go wrong with Vista?

    Wednesday, December 26, 2007

    Microsoft has some serious thinking to do about its latest operating system - Vista. I'm sure we were all very excited when the eagerly awaited, glossy Vista was released early this year.

    There is no doubt that Microsoft did an excellent job with the graphics and animations for Vista. However, is that all there is to Vista? A pretty image on your screen? It certainly does not do much if it is slow and hangs every few minutes. It would seem that Microsoft concentrated fully on visuals to make Vista trendy-looking, with its cool sidebar and the animated switching between windows. However, they should have paid an equal amount of attention to performance and efficiency.

    With 30% of businesses (according to InformationWeek) having no plans to switch to Vista in the near future, will Microsoft re-engineer Vista? We hope so and soon too.

    Posted by: Lee & White

    Tags Organisations IT

  • 'Tis the season to be spamming - Not!

    Wednesday, December 19, 2007

    It is remarkable how far Christmas and New Year celebrations have been utilised for commercial gain. From selling ridiculous products under the pretext of Christmas gifts to spamming, Christmas has become nothing more than a time for advertising and marketing.

    So what is Christmas spamming? Well, under the guise of sending you a Christmas and New Year wish through an email, these companies are actually trying to lure you into some new product or service. Yes, it is a commercial email and in many cases, there is no opportunity to unsubscribe from such emails and you might find yourself receiving it again in the following years if you don't put a stop to it instantly. A typical message would be something like:

    "We at XABCX wish you a very Merry Christmas and a prosperous 2008!

    By the way, do check our website http://www.xabcx.com as we are having some great promotions on VVVVV..."

    Now, note that it is spam if you never asked or subscribed for such commercial emails. It is spam if you are not a customer of theirs and if you are a company, it is also spam if such goods/services offered are not similar to the ones in your company - meaning they are not intended for you. Oh and one more spam point. If the email is sent to your company at your personal email address, then that is spam too.

    So, do look out for such emails and please, do your bit and get them to stop spamming! Happy Christmas and a great 2008 everyone!

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet


Copyright © 2003-2025 Lee & White®. All rights reserved.
