Commonplace

This commonplace is an archive of articles, notes and quotes from books, writing and other things.

Browse by section:

Subscribe via RSS

  • 15th Jan, 2022

    Changing 186 email addresses

    As part of my ongoing de-Googling, I recently finished removing my old personal Gmail account from as many accounts as I can. Along with switching email provider, I’ve switched to using masked emails instead of an actual inbox.

    My password manager revealed 186 accounts that needed updating. For each, I’d either update the email address or delete the account if no longer needed.

    The flows and user experience varied greatly, but I hadn’t anticipated the number of issues that would come up.

    Some of these were down to poor design. In once case, the email verification link failed if I wasn’t logged in, with no indication that I had to be logged in for it to work.

    More concerning were the security and data protection issues that were revealed.

    Security theatre

    As you might expect, many of the password requirements limitations were horrendously weak: numbers/letters only, must be no longer than 10 characters. In one example the password had to ‘start with a letter’!

    For reasons entirely unknown, a surprisingly large number of services forced me to contact support to change my email or delete my account. In many cases, I wasn’t able to change the email address at all.

    This could be because the company/organisation wouldn’t permit it, or the reset flow was entirely broken (e.g. email not sent, the verification link didn’t work, etc). Tough luck if you lose access to your email account!

    A surprisingly large number of services forced me to contact support to change my email or delete my account.

    In one case, the company wouldn’t let me change email address without providing a screenshot of the inbox – impossible with a forwarding address! They only relented when I asked them to show me the requirement in their T&Cs for the account email address to have an associated inbox...

    Many websites still don’t verify email addresses, too. This perpetuates entirely preventable unintended privacy and data breaches for people mistyping their email address.

    Extraordinary data retention

    It was concerning to discover that several sites I hadn’t interacted with in over a decade retained lots of personal data: name, phone number, history of delivery addresses, payment details, etc. This was true even in situations where a membership/subscription had lapsed many years ago or where I hadn’t purchased anything at all (e.g. abandoned checkout).

    Are these places really “not keeping data longer than they need to” as their privacy policies so often claim? At what point would they delete this?

    Many accounts also force individuals to keep unnecessary information on file. Why do we have to keep an address in our accounts? Or a phone number? Or our names?

    In some cases, I wasn’t allowed to update a single piece of information – such as my email address – without also supplying additional information the company didn’t have: address, phone number, address, etc.

    Several sites I hadn’t interacted with in over a decade retained lots of personal data

    To combat this, I took a leaf out of Terence Eden’s book, entering ‘alternative information’ for required fields.

    Lots of contact forms don’t practice data protection by design, requiring entirely superfluous fields: surname, address, phone number, date of birth. Some companies required me to enter credit card and transaction information just to change my email address.

    Account deletion

    I deleted a lot of accounts. In most cases this was because I was unlikely to need the account in future. But sometimes this was necessary as the company made it difficult/impossible to update information.

    Very few sites make account deletion easy. Even fewer made it crystal clear that they delete your account and data. Account deletion is often framed as ‘deactivation’, which sounds suspiciously like they hold onto your data after deleting the account.

    In most cases, deleting an account required searching through help pages, an internet search or contacting support. This led to a new personal policy: if a company doesn’t make account deletion easy or clear, I do a quick search of their privacy policy for their data protection officer’s email address and ask them to delete my data. This usually resulted in quick action.

    NB: I wouldn’t do, or recommend doing, this to a microbusiness.

    All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

    This might seem over-the-top, but account deletion should be clear and quick. Users shouldn’t be forced to spend 10–15 minutes, longer if it involves contacting support, trying to work out how to delete their account.

    All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

    A permanent record for convenience

    I’m glad I did this but it was work. It also revealed just how much of our personal data is peppered through the databases of companies we no longer have a relationship with.

    Yes, this information is necessary to perform transactions. But it was surprising and concerning to see how many sites retain this data for many years after my last transaction or interaction. In more than a couple of cases, over a decade had passed since I’d last logged in.

    There are clear and obvious benefits both to users and companies for data to be held for a period of time. But going back through so many accounts, it was startling to see so many pieces of still-accurate data (e.g. phone number) retained in accounts I hadn’t touched in many years. This digital trail also revealed many old addresses and the contact details/addresses of people I might have sent things to.

    Where does the responsibility lie? Is it down to individuals to keep tabs on every single account they create or purchase they make? Should we all be making diary notes to check in and delete our details? Or should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

    It seems the default position is to hold user data indefinitely, despite privacy policies frequently saying “we don’t hold data any longer than they need to”. Generally speaking, this statement seems worthless.

    Should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

    This causes problems for users, who seem solely responsible for cleansing their data from every single company they interact with, even if it’s not be clear or obvious their data is being held (i.e. when retained after an abandoned checkout).

    And it could cause problems for companies, too: it increases the risk of unnecessary data being exposed in data breaches, which could lead to uncomfortable questions about their data retention practices.

    If data was regularly purged when users become ‘inactive’, it would help users and companies alike. Individual’s personal data would be held in fewer places, their digital footprint would be minimised and companies would reduce their exposure in the event of a breach.

    Ultimately, buying from or creating an account with a website doesn’t mean we give the company permission to hold our data forever. But in many cases, it seems that is exactly what’s happening.

  • 10th Jan, 2022
  • 9th Jan, 2022

    The barrier between the physical and digital worlds is wearing thin. “Everything can be intercepted” is right, and most everything important already has: our personal data, our intellectual property, our chemical factories, our nuclear plants, even our own cyber weapons. Our infrastructure is now virtualised, and only becoming more so as the pandemic thrusts us online with a scope and speed we could never have imagined only weeks ago. As a result, our attack surface – and potential for sabotage – has never been greater.

    One decade ago, the primary threats to our national security were still, for the most part, in the physical domain: hijackers flying planes into buildings, rogue nations getting a hold of nukes, drug mules tunneling in through the southern border, the improvised explosive devices tormeting our troops in the Middle East, and the homegrown terrorists detonating them in the middle of America. Developing the means to track those threats and stave off the next attack has always been in the NSA’s job description.

    If the next 9/11 struck tomorrow, the first question we would ask ourselves is the same question we would ask some two decades ago: how did we miss this? But in the two decades since 9/11, the threat landscape has been dramatically overhauled.

    It is now arguably easier for a rogue actor or nation state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings.

    Threats that were only hypotheticals a decade ago are now very real. Russia proved it can turn off power in the dead of winter. The same Russian hackers who switched off the safety locks at the Saudi petrochemical plant are now doing digital drive-bys of American targets.

    A rudimentary phishing attack arguable changed the course of the American Presidential election. We’ve seen patients turned away from hospital because of a North Korean cyber attack. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities and, more recently, our gas pipelines have been held hostage with ransomware.

    We’ve caught foreign allies repeatedly using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus pandemic, the usual suspects, like China and Iran and newer players, like Vietnam and South Korea, are targeting the institutions leading our response.

    For years, intelligence agencies rationalised the consealment of digital vulnerabilities as critical to monitoring America’s adversaries, to war-planning, to our national security. But those rationalisations are buckling. They ignore the fact that the internet, like so much we are now witnessing in a global pandemic, has left us inextricably connected. Digital vulnerabilities that affect one, affect us all.

  • 8th Jan, 2022
  • 7th Jan, 2022
  • 6th Jan, 2022
  • 2nd Jan, 2022
  • 29th Dec, 2021

    Trace + Search

    My wife and I have been dealing with the fallout of a service companies use to try and identify people liable for unpaid bills. A few months ago, we were forward a bill from Ovo Energy, sent to our old address.

    We were in a strong position to deal with this: there was no conceivable way we were liable and the due amount was small. But extracting information from Ovo about the trace and search process was tricky, and internet searches didn’t reveal much.

    This account is to help others who might find themselves in a similar position and provide some transparency on what I’ve been able to discover about trace and search.

    The episode also unveiled some data protection concerns: it shows how data is shared between third parties and the actions they might take. All without a subject’s knowledge or consent.


    The invoice we received showed a billing period that started roughly nine months after we’d moved out: we weren’t Ovo customers when we left.

    Our initial suspicion was identity theft. We knew that some mail hadn’t been redirected to our new address and wondered if a someone had tried to get away with dodging some bills.

    We did a credit check to see if anything had changed on my wife’s account and called Ovo to ask about the bill. I was told my wife would be removed from the account and I should hear from someone within a few days...

    Trace and search

    Two weeks later, the only communication we’d received was a debt collection email sent to the address I’d provided in the initial phone call. Following up with Ovo, I was eventually told this wasn’t identity theft but a process called trace and search.

    Ovo said trace and search had identified my wife as financially responsible for this address. Their debt collection department said this involved a credit check and someone visiting the address to verify this.

    This wasn’t identity theft but a process called trace and search.

    I was told my wife would have to prove she no longer lived at the address by providing a tenancy agreement for the previous address or a council tax bill at the new address.

    This seemed odd, not least as a tenancy agreement would do nothing to prove we no longer lived at the property. Our agreement only stated the months of our initial year, after which we moved to a rolling tenancy.

    The most concerning aspect of this was it revealed Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.

    On top of this, Ovo had acquired details about my wife and wanted further details to cancel this account. Without the slightest hint of irony, Ovo used these details – name, date of birth, supply address – for ‘data protection’ each time I called.

    Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.

    When I pressed for details about the trace and search process – particularly who they had spoken to at the address – none were forthcoming. Customer services stuck to a script and reiterated that it was my wife’s responsibility to demonstrate she was not financially responsible.

    Resolution

    It took several weeks before we were contacted by an Advanced Resolution Specialist. In the meantime, we’d checked my wife’s credit report again.

    The report showed she had a couple of accounts associated with our old address. One was a bank account she didn’t use and another was a credit agreement for a phone – the bank was easily changed, the other not so much.

    It can’t be unusual for people to forget to update an address or two – the house we’ve moved to still receives plenty of mail for the previous occupant. Yet it seems any active credit linked to an address is enough for a trace and search to:

    1. Determine a person currently lives at an address
    2. Arbitrarily assign the financial responsibility to that person
    3. Create an account in their name
    4. Require that person to prove they don’t live there

    The Advanced Resolution Specialist spoke openly about how this situation had occured. But there was no satisfactory explanation of why the account had been assigned to my wife. Our previous address comprised of several flats: any of the other occupants could have been deemed responsible for the bill.

    They also explained that this was an entirely automated process – no-one had been to the address – and the active credit was the sole link between my wife and address. This confirmed my assumptions about trace and search.

    In the six weeks between initially contacting Ovo and speaking to the Advanced Resolution Specialist, we received debt collection emails from Ovo’s attack dogs. These emails were punctuated with the following threat:

    Please know, we share data with credit reference agencies, which might affect your credit rating. So the sooner we sort this, the better.

    Nice.

    Ultimately, Ovo sent us £50 as a resolution and the following apology:

    On behalf of OVO Energy I would like to apologise for the recent trace and search that identified [your wife] as still updating credit at the address. This led to OVO Energy assigning charges in her name.

    And that was the end of it, or it should have been...

    Data concerns

    As part of the resolution, I submitted an erasure request to remove my wife’s details from Ovo’s systems. A few weeks earlier, we’d also submitted a subject access request to find out what data Ovo held about her.

    A couple of days later, I received an email from another Advanced Resolution Specialist to say the erasure request had been “rejected as it technically needs to be requested by the person who's details need to be erased”.

    Throughout this entire debacle, I’d wondered what the the legal basis for collecting, storing and processing my wife’s data was. Ovo had created the account without her knowledge or consent and made no effort to contact her apart from the initial bill.

    Ovo’s pushback on the erasure request raised further questions:

    1. What was the legal basis for continuing to store and process her data now Ovo acknowledge the account was incorrectly associated with her?
    2. In the case of an incorrectly created account, is an erasure request necessary?
    3. If my wife decided to submit erasure request herself, how would Ovo expect her to prove her identity?

    Ovo don’t have our address or my wife’s email address. As far as I can tell, they only have her name, date or birth and supply address: all information I was able to provide to get her case this far.

    Would Ovo seriously be looking for her to provide more information: data they can’t verify?

    One month on and Ovo haven’t responded to these questions. The 30-day deadline for the subject access request has passed, too.

    I’ll update this article when I have answers regarding their basis for processing my wife’s data.


    Summary

    The last time I spoke to Ovo, I was told the Advanced Resolution Specialist I originally spoke to has left the company and the second has taken a different role. Apparently, our complaint is in a queue waiting to be reassigned: you couldn’t make it up.

    Trace and search is an aggressive and opaque practice for companies to recover funds. With next-to-zero effort or evidence, companies are able to:

    1. Create accounts for people
    2. Issue bills for whatever they feel they are owed
    3. Threaten their credit rating

    We only received Ovo’s invoice because of our mail redirection. If that hadn’t been in place, Ovo’s actions could easily have affected my wife’s credit rating and we would have no knowledge about the incident.

    The worst part about this was how long Ovo took to remove my wife from the account. Matters like this should not take months to resolve: the company has unilaterally created her account.

    Ovo made no effort to contact my wife before sending the invoice, nor did they verify the data they received. But as Ovo deem the onus is on her, there’s no incentive for them to move quickly.

    Ovo told me that someone has subsequently taken over the energy supply for address. One would think that might be a good place to start making enquiries, but why bother when you can outsource the work to an automated credit check with no accountability?

  • 27th Dec, 2021
  • 24th Dec, 2021
The start!

1 / 5 pages

Next →