Lee & White

  • The privacy breach of one Dutch company

    Monday, January 14, 2008

    Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55,000 people with regard to past applications could be retrieved by other parties. Such information included the date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

    The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

    Whilst there is no proof of abuse of this personal information, or no proof yet, the fact that such a leak can happen should set alarm bells ringing. How many more of the websites we visit are carelessly giving access to the same kind of data? How many more companies are just as negligent? This is just the privacy breach of one Dutch company: its negligence in implementing proper security measures to protect this personal information.

    Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

    What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

    Well, just to let you know that personal information is carelessly handled every day.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet IT

  • Who is abusing my email?

    Tuesday, January 8, 2008

    Summary: This article will show you how to stop people abusing your email address or at least find out who did.

    You start a company, you register a domain and you get yourself a nice email address with your name in it, firstname.lastname@mydomain.com, and everything is great.

    You now have a prestigious address at your own company and as nobody knows the email address, you receive no spam.

    And then you register with a few online websites, known or not, and suddenly the spam starts to trickle in, more and more each day, until it turns into a flood that wastes your time and often contains risks such as phishing mails and viruses.

    So what can you do? You can hardly change your name or company name. Listed below are a few options:

    1. Use another email address

    There are a lot of well-known free email providers such as gmail.com, yahoo.com and hotmail.com, to name only a few, where you can get a free email address to receive your registration information.

    Another option is to use a disposable email address, which saves you the hassle of having to close down your email address once you have received what you needed to receive. A few of these: Mailinator, NoClickEmail, or 10MinuteMail. Just Google for 'temporary email' to find more providers.

    The downside of this method is that once your free or disposable email address is closed down, critical and genuine information can be missed.

    2. Track usage of your email address

    A little known fact is that you can append information before the @ sign in your address by using the + sign.

    An example: you visit a website called spammersite.net and you are asked to register your email address.

    For this, append +spammersite.net to your name, registering firstname.lastname+spammersite.net@mydomain.com. Emails sent to that address will be received on firstname.lastname@mydomain.com, but you will be able to see the extra information in the 'to:' field, showing you who has been messing with your information.

    Note that although most providers support this, it will not work with some. Send a test mail to yourself (with the + suffix) to test if it works.

    The downside of this method is that you are not stopping spam, but at least you can learn where it came from and take legal steps to stop the senders.
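The tracking method in option 2 can be automated. The sketch below is an added example, not code from the original article: it reads the recipient headers of received mail, extracts the + suffix, and reports every tag that was used by a sender other than the site it was registered with. The sample messages, the `.example` sender domains and the function names are constructed for illustration; the address and `spammersite.net` come from the article.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

BASE_LOCAL = "firstname.lastname"   # mailbox name used in the article
DOMAIN = "mydomain.com"             # domain used in the article

def extract_tags(msg):
    """Return the set of +tags found on our own address in recipient headers."""
    headers = []
    for name in ("To", "Cc", "Delivered-To", "X-Original-To"):
        headers.extend(msg.get_all(name, []))
    tags = set()
    for _, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        if domain.lower() != DOMAIN:
            continue                      # someone else's address
        base, _, tag = local.partition("+")
        if base.lower() == BASE_LOCAL and tag:
            tags.add(tag.lower())
    return tags

def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def audit(raw_messages):
    """Map each tag to the sender domains that used it without matching it.

    A tag counts as legitimately used when the sender domain equals the tag
    or is a subdomain of it; any other sender means the tagged address was
    passed on or harvested.
    """
    leaks = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = sender_domain(msg)
        for tag in extract_tags(msg):
            if sender != tag and not sender.endswith("." + tag):
                leaks[tag].add(sender)
    return {tag: sorted(domains) for tag, domains in leaks.items()}

# Constructed sample mailbox (headers only matter here).
SAMPLE = [
    # The site we registered with writes to the tagged address: expected.
    "From: news@spammersite.net\n"
    "To: firstname.lastname+spammersite.net@mydomain.com\n"
    "Subject: Welcome\n\nhello\n",
    # A different sender uses the same tagged address: the address leaked.
    "From: deals@cheap-pills.example\n"
    "To: firstname.lastname+spammersite.net@mydomain.com\n"
    "Subject: Offer\n\nbuy\n",
    # Mail from a subdomain of the tagged site: still the same party.
    "From: promo@mail.shop.example\n"
    'To: "F L" <firstname.lastname+shop.example@mydomain.com>\n'
    "Subject: Sale\n\nsale\n",
    # Untagged address: nothing to trace.
    "From: x@bulk.example\n"
    "To: firstname.lastname@mydomain.com\n"
    "Subject: Hi\n\nspam\n",
]

if __name__ == "__main__":
    for tag, senders in audit(SAMPLE).items():
        print(f"address given to {tag} was used by: {', '.join(senders)}")
```

A From: header can be forged, so a mismatch shows that the tagged address reached another party, not necessarily who that party is.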

    If you have any questions regarding this or other articles in this blog, send an email to comments@leeandwhite.com after reviewing our Privacy Policy.

    Posted by: Lee & White

    Tags Personal Data Internet IT

  • Jeremy Clarkson - wise guy humbled.

    Tuesday, January 8, 2008

    How many of you know Jeremy Clarkson? The wise guy host of Top Gear?

    Well, like many people who do not seem to grasp the importance of keeping their personal data secure and ensuring that those who handle their personal data do the same, he has also thrown caution to the wind.

    But that is quite alright. According to the BBC, he has been superbly proven wrong. The man recently revealed his account numbers in the Sun newspaper after ridiculing the commotion over the loss of 25 million people's personal details on two computer discs in the UK. He wanted to prove that it was all a big fuss over nothing, but thanks to a reader, he has been put in his place! The details have been used to create a £500 direct debit to the charity Diabetes UK!

    "I was wrong and I have been punished for my mistake," says Clarkson.

    Indeed you have.

    Now the question is, have we all learnt our lesson or do we have to be proven wrong through a loss to understand the consequences of disregarding the importance of privacy?

    Posted by: Lee & White

    Tags Private Persons Personal Data

  • Personal data goes missing again!

    Wednesday, December 26, 2007

    Will it not end? Will we have to keep reading (almost on a daily basis now) about security breaches involving personal data?

    Where is the fire this time? NHS Trusts in the UK, it would seem.

    According to Reuters, nine National Health Service trusts have lost the records of hundreds of thousands of adults and children, in the latest embarrassing loss of data by official bodies.

    Ever since the UK government heightened concern for data protection not too long ago, when it acknowledged it had lost CDs with the names and bank account details of 25 million people, exposing nearly half the population to possible fraud and identity theft, more and more news of failures by official bodies to protect personal data has been pouring in.

    Yes, the government announced last week that one of its contractors had lost the details of 3 million learner drivers! Now, how is this possible? How can it just be lost? What has happened to compliance with strict procedures for protecting personal data? If this is happening within official bodies, how much more within companies and other organisations where almost no form of security procedure is adhered to concerning the protection of personal data? And whilst this is reported in the UK, where, mind you, they are much more strict about such matters, what is the situation like in other countries?

    I shudder to think what is happening in Belgium, for instance, where about 97% of the companies (according to research in 2005) are not compliant with the Belgian Data Protection Law. To top it off, according to research in 2006, none of the non-profit organisations, including the political parties, were compliant either. And in Belgium, many cases do not make it to the headlines for some reason.

    So, what do we do? Make more noise? Let this continue? If only those in power would start enforcing the sanctions and make examples of these organisations.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • 'Tis the season to be spamming - Not!

    Wednesday, December 19, 2007

    It is remarkable how far Christmas and New Year celebrations have been utilised for commercial gain. From selling ridiculous products under the pretext of Christmas gifts to spamming, Christmas has become nothing more than a time for advertising and marketing.

    So what is Christmas spamming? Well, under the guise of sending you a Christmas and New Year wish through an email, these companies are actually trying to lure you into some new product or service. Yes, it is a commercial email and in many cases, there is no opportunity to unsubscribe from such emails and you might find yourself receiving it again in the following years if you don't put a stop to it instantly. A typical message would be something like:

    "We at XABCX wish you a very Merry Christmas and a prosperous 2008!

    By the way, do check our website http://www.xabcx.com as we are having some great promotions on VVVVV..."

    Now, note that it is spam if you never asked or subscribed for such commercial emails. It is spam if you are not a customer of theirs and if you are a company, it is also spam if such goods/services offered are not similar to the ones in your company - meaning they are not intended for you. Oh and one more spam point. If the email is sent to your company at your personal email address, then that is spam too.

    So, do look out for such emails and please, do your bit and get them to stop spamming! Happy Christmas and a great 2008 everyone!

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet

  • Toyota Brussels botches up on privacy

    Thursday, December 13, 2007

    It has happened again. It seems to be getting more and more frequent these days for organisations to lose or mishandle personal data belonging to employees, clients and/or suppliers. Proper security measures and procedures are not instituted or even if they are, these procedures are not complied with in the daily operations of the organisations.

    It is a great shame that these companies cannot grasp the simple concept of privacy and its extreme importance. I cannot emphasize how vital the protection of personal data is. How many times must those advocating for privacy and the protection of personal data repeat the recurring problems that the world is facing with regard to such loose dissemination of personal information? Why can people not see the harm it is causing or likely to cause? Do you think it only happens to someone else and it is far-fetched to think it could happen to you?

    Toyota Brussels is no exception. It has joined the ever-growing pool of misfit companies with regard to the manner in which they handle personal data. The personal data of 2000 employees has gone missing: highly confidential information such as name, address, national number, date of birth and the names of partners and children of these 2000 members of staff.

    According to spokesperson Etienne Plas, one of its employees took the CD with him and it was claimed to be stolen while using public transport on November 19. 'Of course, the disc should never have left our premises, but the employee was still young and inexperienced. We are taking the whole responsibility upon ourselves as a company, the man has hence not been fired.'

    So, the mishap occurred on November 19. But when was this actually discovered by Toyota Brussels, seeing that it is only out in the papers today, December 13? In the meantime, what has been happening to this personal data? Toyota Brussels says that the police and insurance companies have reassured the company that the chance of criminal abuse of the data is very small. It is confounding that they minimise the risk of abuse to make things seem less bad than they are. Every day, personal data up for grabs is used by criminals for their benefit in every possible way, ranging from identity theft to kidnapping.

    It is always the same sad story with these companies in Belgium. Never realising the risk, never understanding the consequences of failing to protect privacy. When such things happen in other EU member states such as the UK, the risk is not downplayed. It is emphasized repeatedly because the worst is possible. Yes, just take a look at one example from the UK's recent data loss which put 25 million people at risk of identity theft. At least they admit there is such a risk.

    Toyota finds the fact that the data is now up for grabs in the streets very regrettable and apologises. But do you know what is truly regrettable, Toyota? That you did not establish proper security measures and make sure they were followed through in the first place.

    Posted by: Lee & White

    Tags Personal Data Organisations

  • On the persistence of the Internet

    Friday, November 23, 2007

    When we talk to people about the risks of publishing their own personal data on personal websites or social networking sites, their first reaction would usually be that they enjoy the fact that their friends or family members can see how they are and keep contact with them. They usually do not understand the implications of publishing on a world wide web without boundaries.

    1. Search Engines

    Search engines such as Google index and cache the information you publish on the web and keep this for an undetermined time on their servers. This can happen within seconds, so even accidentally publishing information and then -relatively- immediately removing it can already be too late, as the information can already be copied.

    Any Internet-savvy user can use Google and other search engines to draw up a complete personal file of any person, including date of birth, address, mobile number, email address, work history, relatives and friends.

    2. Aggregation

    Blogging is very popular these days, and you can pen down your thoughts and feelings and share them with your friends.

    What most people do not realise is that the standard settings of these blog sites (such as Blogger) are set in such a way that any posting is immediately sent (pinged) to aggregation sites (such as Feedburner), which aggregate part or complete articles and present them on their site. Some of these sites are also owned by or affiliated with search engine sites (resulting in the action above).

    Furthermore, the aggregation is made using the initial post, so if you write a harsh article and then after consideration mellow it down, chances are great that the original article is not updated in the aggregation or search engine sites.

    Most sites include a feature called RSS, which allows users to keep an eye on your site and get an alert when information is updated. For example, our site also publishes an RSS feed here.

    This means that the lag time between publishing and reading is shortened even more, reducing your chance to correct mistakes.

    3. Archiving

    Certain websites keep a cache or archive of many sites on the Internet. Google is one example, another one is www.archive.org. Have a look at what Microsoft's website looked like in October 1996, or Google in January 1999, or even November 1998.

    Then have a look at your own information, and think what people in 2018 will think of this.

    Posted by: Lee & White

    Tags Personal Data Internet

  • When parents should think more than feel

    Wednesday, November 21, 2007

    When it comes to children, which parent does not want to announce to the world all about theirs?

    And let me add, what better way to "boast" (for lack of a better word) than by setting up a website displaying all possible information about your child/children?

    Indeed, from the start of the child's life to his/her daily development, many uninformed parents today seem to be putting up websites with all kinds of personal information regarding themselves and their children. Some soon-to-be parents even set up websites counting the days to their child's birth.

    You will usually and easily find the following information about a child in the order below:
    1. at birth - name of child, name of parents, weight and height of child, time of birth, contact details of the family for well wishes, and not to forget, pictures! Yes, and these pictures sometimes include pictures of their little ones in the nude - which in my opinion should not be published. You may think it is simply innocent and your child may look absolutely adorable, but in today's society where paedophiles roam and child pornography is rampant, I think it is better to keep your precious moment locked in your cupboard rather than displaying it on a global communications network!
    2. after birth - daily/monthly development of the child, pictures, likes/dislikes of the child, hobbies, etc, and again, contact details including the home address and phone number. Basically, you will know all about the child just by browsing through the website and never needing to have met him/her. And if a stalker or a kidnapper happens to be on the hunt for your child, how much easier can it get for them? The parent has given them all they need to know.

    What is wrong in wanting to share all about your child? Everything.

    Let us look at it from the perspective of the Belgian law of 8 December 1992 on the protection of privacy.

    We know that the Internet is a communication means that, in comparison to other communication means, promotes the distribution of and access to information freely and on a world scale. Such a distribution can easily bring with it a loss of control of the individual over his data which he has communicated online.

    There are many who cannot imagine that, when they disseminate personal information online, this data will be able to be used numerous times. This observation is even more apparent when children are surfing the Internet. Why?

    Well, a child is himself in a weak position when he comes into contact with third parties via the Internet: he/she is more impressionable than an adult, less suspicious and probably does not know all his rights. Given the fact that a child is innocent, impressionable and vulnerable, the law seeks to protect him/her by ensuring that his/her personal information is not freely available both on and off the Internet and that whatever information available is kept secure and only obtained by outsiders with the permission of his/her parents.

    Now take note. The law assumes that parents (who have supposedly reached the understanding capacity age) will take care and exercise their parental responsibility to protect and guard their children against harm. The law in fact entrusts parents with this duty. It goes without saying then that parents should only give permission to third parties to handle their children's personal information in necessary circumstances. All this is said on the acceptance of a child's vulnerability.

    Further on, whilst the granting of permission usually requires it to be an expressed permission, a parent who sets up a website for himself and divulges his child's personal information is actually impliedly giving the world (an uncountable number of third parties) permission to make use of and sometimes abuse such personal information.

    Can we stop to imagine the worst that could happen given the availability of such information concerning the child?

    For example, there is nothing stopping outsiders from profiling the family and saving the pictures of the child/children made available by his/her parents on the website by simply right-clicking with the mouse. Only God knows the potential abuse of innocent children's pictures that could take place.

    If we look at the Belgian Privacy Commission's recommendation concerning the protection of the privacy of minors on the Internet, when it concerns the distribution of pictures of minors, not only must their preceding permission be obtained, but also that of their parents in the case of a minor who has not yet reached the understanding capacity age. Just as it is with the case of sensitive data, so also is a picture the object of a specific protection, framed with the theory of the right to image. By virtue of these provisions, in principle, the permission of the person concerned must be obtained for every use of his picture.

    Thus, those who wish to handle personal information including pictures, must obtain the expressed permission of the data subject, and in the case of children, the permission of their parents.

    But if parents themselves seem to shirk their responsibility in this matter and make such personal information including pictures of their children so readily available for abuse, then what more can the law do to protect these young ones? Who is to blame when something does go wrong? Do stop to ponder on what I have just said. Is what I am saying so far-fetched? I do not think so. Not in today's world at least. We are certainly not living in the age of well-manicured gardens, dutiful housewives and newspaper-pipe-slippers husbands.

    So, the next time you want to set up a website with your little child's pictures and personal details on because you are bursting with pride, think. Don't just feel. Then think again.

    Posted by: Lee & White

    Tags Private Persons Personal Data


Copyright © 2003-2025 Lee & White®. All rights reserved.