Sunday, January 15, 2006

I'm not losing a housemate, I'm gaining a Privacy Activist

Kudos to Dave T for noticing a big privacy breach on the Rogers website and drawing it to the attention of ace reporter Jim Bronskill. Dave's been on a real high this weekend, but as Phil G says, "he gets that way when he's going after 'the man'". Here's the whole story as it appeared in one of the papers. (If this copyright violation bothers anyone, I'll take it down.)

January 13, 2006

Privacy glitch allows easy access to cable-TV subscribers' info

By JIM BRONSKILL

OTTAWA (CP) - Viewers with cable-television services like the Hustler channel or Red Light District TV might be a little sheepish about their neighbours knowing. But the Rogers Cable website has long allowed anyone with Internet access to find out which packages and specialty channels - including several adult services - the company's customers enjoy.

The ready access to such personal information is "completely appalling and unacceptable," said Anne-Marie Hayden, a spokeswoman for federal Privacy Commissioner Jennifer Stoddart.

The commissioner's office is looking at initiating a complaint into the matter, which would trigger an investigation under the national privacy law governing businesses, Hayden said.

"Because it does potentially reveal very personal information, the choices that people make - these are personal."

A Rogers executive acknowledged Friday the site could be abused. "And so we have asked our website team to shut down this feature," said Taanta Gupta, vice-president of communications.

With a few computer keystrokes, The Canadian Press easily found details about the cable packages of NDP Leader Jack Layton, current and former cabinet ministers, the head of Canada's spy agency, a big-city mayor, the chief of a metropolitan police force, a former Supreme Court chief justice and the editor of a major newspaper.

The Rogers website was designed to help customers order additional services by first checking their existing packages. But it also allowed anyone with a subscriber's name, phone number and postal code - often readily available from other online databases - to check up on that person's cable services.

"I just couldn't believe it," said David Taylor, an Ottawa business analyst who moved recently and noticed the easy access to personal information while looking up cable packages on the Rogers site. "It is really wild how, right now, anybody can go to that site and find out about their neighbours or noted people if they just know a few basics that are all in the public domain."

Rogers Cable serves almost 2.3 million homes in Ontario, New Brunswick and Newfoundland. In addition to basic cable channels, Rogers offers the majority of its customers an array of specialty and digital services.

A privacy policy note on the Rogers website says it has "reasonable security measures in place to protect against loss, misuse and interception by third parties." Under the Personal Information Protection and Electronic Documents Act, businesses must ensure individuals' personal data is protected by security safeguards.

Hayden said the privacy commissioner had not received any complaints about the Rogers site. "But when we heard about it, it's something we found completely appalling and unacceptable," she said. "The situation is something we're extremely troubled by. And we have brought the matter to the attention of Rogers."

The website feature was meant as a "customer-friendly exercise" that enabled people to quickly change their service package, said Gupta. "And I guess nobody thought at the time of what the risks might be," she said, adding the page on the site has existed "for a couple of years." Gupta said Rogers was unaware of the privacy implications of the feature until the issue was pointed out to the company Friday. "I'm just thinking of an opportunity for somebody to find out about somebody else's account. So that's why we'll shut it down."

Hayden said the privacy watchdog's office is generally concerned about whether Internet sites that allow customers to conduct transactions require adequate proof of identity. "We know that this is an issue - the issue of online authentication, so it's something we're studying more broadly as far as industry standards go."

The cable privacy episode comes just weeks after word that associates of terrorist group Hezbollah had cloned the cell phone of Ted Rogers, chief executive of Rogers Communications, parent of the cable company. Cloning involves replication of a phone's number and special security code, allowing a person to make unauthorized calls.

Further kudos to Jim for working terrorism and "cloning" into a story in which the most dangerous thing would have been somebody famous with a porn channel. Not that they did find anybody with the Playboy or Hustler channel, but they might have.
