Data hoarders leave customers in danger, so why do we play along? | David Penberthy

One of the big outstanding questions stemming from the Optus and Medibank scandals is why these firms stash so much of our data anyway, writes David Penberthy.

A couple of months back I headed into one of our major department stores and bought my wife some perfume for her birthday. As I paid, the lady behind the counter asked me for my email address. Sure, I said, and she typed it into the system.

I have reflected on the totally unnecessary nature of that information exchange during the past few weeks as two of our biggest companies have been rocked by hacking scandals.

There was another more curious moment involving the provision of a much more important piece of personal information that now strikes me as even more bizarre.

I got an email not long ago from a financial planner who I have used for years. He is a lovely, reputable bloke who I check in with once a year about my mortgage and superannuation, and his office emailed a few weeks ago asking for my driver’s licence details.

Not out of any sense of paranoia, but journalistic curiosity, I asked why they needed it. He replied saying that under federal laws, all financial planners must keep personal information including driver’s licence details of their clients to comply with AUSTRAC’s anti-money laundering and anti-terrorism laws.

The weird thing is that if I turn my driver’s licence around and read the back of it, it bears the following warning, made on behalf of its issuer which in my case is the South Australian government.

People walk past a shop front for Australia's largest health insurance company Medibank. Picture: Muhammad Farooq/AFP

“Use of this permit/licence for identification purposes, other than policing road traffic laws, is not intended or authorised, and is solely at the risk of the user.”

So we have a situation where one tier of government is telling us to keep our licence details secret while another tier is telling them we have to hand them over to comply with the law.

Be it your local department store perfume counter or the vagaries of our driver’s licences, one of the key problems we are facing now in terms of protecting our privacy is the willy-nilly distribution of private information.

Clearly there is no reason why buying a bottle of J’Adore necessitates the exchange of an email address. It’s not like I am going to take it back to the shop, or start some chain of correspondence with the store about how well the perfume has been working, or not working.

The reason, obviously, that businesses such as this one seek our information is twofold – to pester us in future to achieve further sales, and in many cases, to on-sell or use that information to frame advertising and marketing campaigns.

The nature of information that was compromised in the Optus hack and now in the Medibank extortion attempt is obviously far more serious than a simple email address.

Australia’s privacy laws are now under review and not a moment too soon, as they were crafted in what was really still an analogue era when the digital world was just starting to take shape. They are completely antiquated and have not kept pace with a world where some new encryption app appears every week, and a shady new group emerges trying to break down its defences.

With the Optus case, I suspect many people would have some much simpler questions. The first of these is why did Optus need so much personal data in the first place? The second is why did they need to hold on to it for so long?

It is baffling that the simple act of buying a mobile phone and data plan – or in my case some years ago a month-long subscription to watch the soccer World Cup on my iPad – should require the provision of a Medicare and passport number as well as a driver’s licence.

More bizarre was the fact it involved thousands of lapsed customers who had not had any dealings with Optus for more than a decade, yet the telco giant sloppily hung on to all that data anyway, possibly out of nothing more than laziness.

As far as I can tell Optus has done a pretty poor job explaining any of the above questions.

AFP Commissioner Reece Kershaw makes a statement on the Medibank data breach Picture: Martin Ollman

One big fear with all this is what would happen if hackers got into your bank accounts and started erasing mortgage payments and savings. None of us have printed passbooks any more, most people cannot readily recall how much they have paid off their house, so how on earth would anyone be able to prove where they were at financially?

Clearly, both Optus and Medibank are reputable companies that have found themselves in the unfortunate position of being targeted by people who have no moral compass and a desire only to extort cash by preying on the natural desire of business to defend its reputation and protect its customers.

The problem is whether the customers were being properly protected in the first place, not just through the conduct of the companies in terms of the collection and storage of data, but in the protection offered by the law itself.

As I understand it, not one Australian company has ever been fined for a breach of the privacy laws, which truly beggars belief given the frequency with which they seem to happen.

There might be a bigger headache for businesses soon, namely a wilful level of non co-operation from us punters, the next time we are trying to buy a bottle of perfume, or talking to our financial planner about how best to pay the mortgage down.

The use of licences that are meant to permit you to drive, and passports that are meant to let you clear customs, should really have nothing to do with a basic commercial purchase.

David Penberthy

David Penberthy is a columnist with The Advertiser and Sunday Mail, and also co-hosts the FIVEaa Breakfast show. He's a former editor of the Daily Telegraph, Sunday Mail and news.com.au.

Original URL: https://www.adelaidenow.com.au/news/opinion/data-hoarders-leave-customers-in-danger-so-why-do-we-play-along-david-penberthy/news-story/2fb6cbf7b6783d3b09fbe82bbff515b1