Lee & White

  • Toothless lions need more bite

    Thursday, January 17, 2008

    Yesterday, the UK's Information Commissioner's Office (ICO) found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. It has now ordered both these companies to refine their data protection practices or be prosecuted.

    We must applaud the ICO for taking enforcement action on this matter. Without a doubt, the ICO seems to be taking centre stage these days with the heightened number of privacy breaches in the UK (and believe me, with the rest of the world too). It is now asking for several improvements to its powers which are currently too weak to enforce the law effectively.

    According to Privacy Laws and Business, the House of Commons Justice Committee published a "Protection of Personal Data" report on the 3rd of January 2008 amongst others, recording evidence given on the 4th of December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. The ICO is seeking mandatory audits, criminal offence and data breach notification.

    In Belgium, the situation is no better. Perhaps it is worse - for many breaches are not publicised, contrary to the UK. Perhaps we need to put it out in the open here. Perhaps we need to complain more, and not just accept it when something goes wrong with our personal data. Perhaps the Belgian public must be better educated. Perhaps Belgian organisations too. Perhaps we need the Belgian press to provide greater publicity on privacy issues.

    And perhaps the Belgian Privacy Commission should follow in its fellow privacy defender's footsteps and demand the same. These privacy promoters are currently toothless lions, sad to say.

    Currently, the Belgian Privacy Commission's powers are merely supervisory - giving advice and recommendations, and whilst being able to send warnings, and denounce violations to the public prosecutor, it is unable to sanction. One must remember though, that with regard to the latter powers, a complaint must first reach the Commission. Yes, so it does have to start with you, the individual who suffers.

    Given the large number of malpractices in organisations with regard to the protection of personal data, and given the attitude of the public in not wanting to prolong their suffering, Privacy Commissions' powers, both in the EU and the rest of the world, should be reviewed. It is high time they were given greater control and ability to protect personal data. It is, after all, for our well-being.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • The privacy breach of one Dutch company

    Monday, January 14, 2008

    Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55000 people with regard to past applications could be retrieved by other parties. Such information included the date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

    The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

    Whilst there is no proof of abuse of such personal information - or no proof yet, the fact that such a leak is happening should be sending warning bells to us. How many more websites visited are carelessly giving access to the same? How many more companies are just as negligent? This is just the privacy breach of one Dutch company - its negligence in implementing proper security measures to protect this personal information.

    Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

    What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

    Well, just to let you know that personal information is carelessly handled every day.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet IT

  • Who is abusing my email?

    Tuesday, January 8, 2008

    Summary: This article will show you how to stop people abusing your email address or at least find out who did.

    You start a company, you register a domain and you get yourself a nice email address with your name in it, firstname.lastname@mydomain.com, and everything is great.

    You now have a prestigious address at your own company and as nobody knows the email address, you receive no spam.

    And then you register with a few online websites, known or not, and suddenly the spam starts to trickle in, more and more each day, until it turns into a flood that wastes your time and often contains risks such as phishing mails and viruses.

    So what can you do? You can hardly change your name or company name. Listed below are a few options:

    1. Use another email address

    There are a lot of well-known free email providers such as gmail.com, yahoo.com and hotmail.com, to name only a few, where you can get a free email address to receive your registration information.

    Another option is to use a disposable email address, which saves you the hassle of having to close down your email address once you have received what you needed to receive. A few of these: Mailinator, NoClickEmail, or 10MinuteMail. Just Google for 'temporary email' to find more providers.

    The downside of this method is that once your free or disposable email address is closed down, critical and genuine information can be missed.

    2. Track usage of your email address

    A little known fact is that you can append information before the @ sign in your address by using the + sign.

    An example: you visit a website called spammersite.net and you are asked to register your email address.

    For this, append +spammersite.net to your name, registering firstname.lastname+spammersite.net@mydomain.com. Emails sent to that address will be received on firstname.lastname@mydomain.com, but you will be able to see the extra information in the 'to:' field, showing you who has been messing with your information.

    Note that although most providers support this, it will not work with some. Send a test mail to yourself (with the + suffix) to test if it works.

    The downside of this method is that you are not stopping spam, but at least you can learn where it came from and take legal steps to stop them.
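
The tracking method above, as an added example that is not part of the original post: it reads recipient headers, extracts the text after the + sign, and lists tags that received mail from a domain other than the site the tag was given to. The sample messages are constructed, and the header set, function names and `.example` domains are assumptions.

```python
import email
from collections import defaultdict
from email.utils import getaddresses

MAILBOX, DOMAIN = "firstname.lastname", "mydomain.com"  # the page's example address
RCPT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")  # assumed header set

# Constructed sample messages (not real mail).
SAMPLE = [
    "From: News <news@spammersite.net>\n"
    "To: firstname.lastname+spammersite.net@mydomain.com\n\nwelcome",
    "From: Deals <offers@bulkmail.example>\n"
    "To: firstname.lastname+spammersite.net@mydomain.com\n\ncheap pills",
    "From: Shop <orders@mail.goodshop.example>\n"
    'To: "F L" <Firstname.Lastname+goodshop.example@mydomain.com>\n\nyour order',
    "From: x@unknown.example\nTo: firstname.lastname@mydomain.com\n\nuntagged",
]

def plus_tag(address):
    """Tag after '+' for our mailbox; '' if untagged; None if not our mailbox."""
    local, _, domain = address.rpartition("@")
    base, _, tag = local.partition("+")
    if domain.lower() != DOMAIN or base.lower() != MAILBOX:
        return None
    return tag.lower()

def senders_by_tag(raw_messages):
    """Map each +tag to the set of From: domains that wrote to it."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        rcpts = [v for h in RCPT_HEADERS for v in msg.get_all(h, [])]
        from_addrs = getaddresses(msg.get_all("From", []))
        from_domain = from_addrs[0][1].rpartition("@")[2].lower() if from_addrs else ""
        for _, addr in getaddresses(rcpts):
            tag = plus_tag(addr)
            if tag:  # skip untagged and foreign addresses
                seen[tag].add(from_domain)
    return dict(seen)

def passed_on(seen):
    """Tags that got mail from a domain other than the site they were given to."""
    out = {}
    for tag, domains in seen.items():
        others = sorted(d for d in domains if d != tag and not d.endswith("." + tag))
        if others:
            out[tag] = others
    return out

if __name__ == "__main__":
    print(passed_on(senders_by_tag(SAMPLE)))
```

The From: domain is easy to forge, so the tag in the recipient address, not the sender, is the reliable evidence of where the address was obtained.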

    If you have any questions regarding this or other articles in this blog, send an email to comments@leeandwhite.com after reviewing our Privacy Policy.

    Posted by: Lee & White

    Tags Personal Data Internet IT

  • Jeremy Clarkson - wise guy humbled.

    Tuesday, January 8, 2008

    How many of you know Jeremy Clarkson? The wise guy host of Top Gear?

    Well, like many people who do not seem to grasp the importance of keeping their personal data secure and ensuring that those who handle their personal data do the same, he has also thrown caution to the wind.

    But that is quite alright. According to the BBC, he has been superbly proven wrong. The man recently revealed his account numbers in the Sun newspaper after ridiculing the commotion over the loss of 25 million people's personal details on two computer discs in the UK. He wanted to prove that it was all a big fuss over nothing, but thanks to a reader, he has been put in his place! The details have been used to create a £500 direct debit to the charity Diabetes UK!

    "I was wrong and I have been punished for my mistake," says Clarkson.

    Indeed you have.

    Now the question is, have we all learnt our lesson or do we have to be proven wrong through a loss to understand the consequences of disregarding the importance of privacy?

    Posted by: Lee & White

    Tags Private Persons Personal Data

  • The secret of a good password

    Wednesday, January 2, 2008

    Numerous incidents of data loss or theft have occurred all through 2007 and before. A recurring cause of these incidents is the human factor. Information Technology these days is quite secure, and scam artists are turning more and more to the human factor as it is much easier to crack than those highly protected IT systems.

    If you look at the incidents that happened in 2007, you will notice that most were due to human error: a junior sending CDs with unauthorized copies of databases, mail getting lost, laptops and thumb drives getting stolen, gullible and greedy people getting scammed, user accounts being compromised.

    The latter is usually quite easy, as most people choose an easy to remember password such as the name of their child, spouse, dog or their date or city of birth. You would be surprised how many people still keep a post-it note with their password stuck to their screen or in their top desk drawer. Some even store it on their mobile phone.

    Some of the rules for a good password:
    • You need to be able to remember it without writing it down.
    • Do not reuse a password and use a different password for every user account or site.
    • Make it sufficiently long and complex so it cannot easily be 'guessed' or 'cracked'.

    To avoid making passwords easy to guess or crack:

    • Use a password at least 10 characters long.
    • Use a mix of upper- and lowercase letters, numbers and punctuation characters.
    • Do not use dictionary words, in your own or a foreign language, forward or reversed.
    • Do not repeat characters.
    • Do not use personal information such as your name, your spouse's name, phone numbers, memorable dates, your car registration or house number.
    • Do not encode dictionary words, substituting letters by numbers ('l' by '1' and 'e' by '3' in 'letter' to '13tt3r').

    The secret to making a password memorable and unique is to use a mix of the above techniques with a few memorable and/or imaginary words.

    For example, I need a password for my Facebook account. To create this, I will interleave the following ingredients:

    • an imaginary word with mixed case: 'sLopAry',
    • a memorable number, part of my phone number, namely the middle 4 digits: 1234,
    • some punctuation marks: * and ",
    • the name 'Facebook'.

    Then the password would be: sLop12*Fcbk"34Ary, composed of:

    • the first 4 letters of my memorable word,
    • 2 digits of my memorable number,
    • the first punctuation mark,
    • the consonants of 'Facebook',
    • the second punctuation mark,
    • the last 2 digits of my memorable number
    • and finally the last 3 letters of my memorable word.

    If you applied the same method to your LinkedIn account, you would obtain the following password: sLop12*Lnkdn"34Ary

    Devise a variation of the above algorithm, using the principles outlined, and you will have your own algorithm that allows you to create a unique password for every site you visit.

    It is important to keep a record of all sites where you used this method (not the passwords themselves), as it is imperative that you change all passwords created using this algorithm if one of the sites gets compromised, for whatever reason.
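
The recipe above written out as an added example (not code from the original post; the function names are hypothetical). It reproduces both passwords from the post, checks them against the length and character-mix rules, and shows which characters are identical across sites, which is why one compromised site means changing every password built this way.

```python
import string

def consonants(name):
    """Letters of the site name that are not vowels, original case kept."""
    return "".join(c for c in name if c.isalpha() and c.lower() not in "aeiou")

def site_password(word, digits, marks, site):
    """The post's recipe: first 4 letters of the word, 2 digits, first mark,
    consonants of the site name, second mark, remaining digits, rest of the word."""
    return (word[:4] + digits[:2] + marks[0] + consonants(site)
            + marks[1] + digits[2:] + word[4:])

def meets_page_rules(pw):
    """At least 10 characters and a mix of upper case, lower case, digits, punctuation."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

def shared_parts(pw_a, pw_b):
    """Prefix and suffix that two passwords from the same recipe have in common."""
    prefix = common_prefix(pw_a, pw_b)
    suffix = common_prefix(pw_a[::-1], pw_b[::-1])[::-1]
    return prefix, suffix

if __name__ == "__main__":
    # Ingredients taken from the post's own example.
    fb = site_password("sLopAry", "1234", '*"', "Facebook")
    li = site_password("sLopAry", "1234", '*"', "LinkedIn")
    prefix, suffix = shared_parts(fb, li)
    print(fb, li)
    # Everything outside the shared parts is derived from the public site name.
    print("reused on every site:", prefix, suffix,
          f"({len(prefix) + len(suffix)} of {len(fb)} characters)")
```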

    Posted by: Lee & White

    Tags IT

Copyright © 2003-2025 Lee & White®. All rights reserved.