When a connection is made

Today I was having problems with the home internet connection. Not only am I a member of the over-privileged web generation, I’m also a freelancer who works from home a lot. So this was a big deal. I rang O2 to find out what was going on.

I’m impressed with how quickly I got through to their British-based call centre. Yes, there was the usual automated phone-answering system, but this one wasn’t too bad, and I got through to the correct human within minutes.

But one thing struck me as odd, and it’s something that strikes me as odd over and over again when I deal with call centres. The friendly, Scottish-accented employee asked me for the name of the account holder (my husband), then paused and asked for my own name. Presumably he’d already worked out that the male-looking name on the account didn’t tally with the female-sounding voice on the phone, but when I said my own name he sounded flummoxed and said he wasn’t sure how to proceed, given that I’m not the account holder. He brought up the Data Protection Act and said I would have to answer a security question before he could give me any details about the account.

“Would you be able to answer the security question?” he asked. I told him I wouldn’t know until he asked it. If it’s “What is your husband’s date of birth?” I’m pretty confident I could get an A-grade on that, but if it’s “What 20-digit alphanumeric code did we give your husband when he opened the account?” I probably wouldn’t do so well.

He decided not to test me by asking the question. He found a way to sort out the connection from their end which didn’t require giving me any account information. I was happy, but he warned me that in future, if the problem involved account information, I would have to know the answer to that security question or they wouldn’t be able to help, because of the Data Protection Act.

“But you can see I’m ringing you from the landline we’re talking about, right?” “No. We don’t have caller recognition here.”

I’m not a lawyer, but I can’t see anything in the Data Protection Act that prevents a broadband company from giving out information to a third party when that information will be used solely for the purposes of fixing the customer’s broken broadband connection. Information about someone’s broadband connection surely doesn’t carry the same duty of confidence as information about something sensitive (such as their medical records, for example).

There are two things I find really interesting about this corporate citing of the DPA: the security theatre and the irony surrounding the concept of consent.

Security theatre

If I had a male (or plausibly male-sounding) voice and phoned up claiming to actually be my husband, there would probably have been no security checks. Call centres are more likely to bust out the “data protection” routine when you’re honest about not being the person named on the account. My dad was once refused help by a call centre because the account was in my mum’s name, and he asked “What would you do if I just pretended to be her?” They said they would proceed with the call as if it was her – yes, even if his impression was really unconvincing.

The key thing is that the caller says they are the account holder. If that’s not security theatre, I don’t know what is. It doesn’t make the account any more secure; it just means that if anything does go wrong, companies can blame the caller for masquerading as the account holder. It penalises honest callers.

The irony of “implicit consent”

The Data Protection Act covers the concept of “implicit consent” or “passive consent”, which basically means “The absence of a ‘no’ must be a ‘yes’.” In the data protection world, it means “If you haven’t bothered to tell us otherwise, we’ll send you lots of marketing crap and pretend you said you wanted it.” Implicit consent is what spawned the ticky-boxes saying “If you do NOT wish to receive further marketing communications from us, please tick the box”.

Implicit consent is what allowed Travelodge to store my personal information, because I once booked a stay in a Travelodge hotel and I didn’t afterwards inform them in writing that I objected to their keeping my details on file. (That information is now in the hands of spammers, since Travelodge’s database was hacked, but hey, I took that risk when I gave my “implicit consent”, right?)

What’s interesting here is that “implicit consent” in the Data Protection Act is about organisational use of data. There’s no presumption in the DPA of implicit consent for your life-partner to handle routine customer service queries on your behalf. There’s also little organisational understanding that a human being will often share their life with another human being, no grasp of the idea that two or more adults could share a house, share the bills and make joint decisions. This lack of understanding can lead to some ridiculous situations, especially when combined with “implicit consent” in the “let our company spam you” sense. I’ll give an example in my next post.

Maybe corporate culture needs the equivalent of the birds-and-the-bees talk. “When two people love each other very much, sometimes they don’t care whose name goes on the water bill.”


Andrew (not verified)

Wed, 2011-07-27 15:04

What frustrates me is that they often bring this up when the flow of information is solely one-way, FROM you TO O2. Whether consent is implied or not, if they are not providing any information to you, that consent is irrelevant.

If you are saying "the broadband link at 01234 567483 is broken, please fix it", then it's difficult to see how any data protection issues arise. The only possible complaint is that you may be phoning every broadband provider pretending to have a fault until you hit on one who admits that, yes, they are the provider of the service on that line, but even then, I think it would take a ridiculously pedantic data protection compliance officer to get too fussed about this.

And don't get me started on people who phone ME and then ask me to prove MY identity to THEM!

- Andrew

I gave a very nice man a very hard time for ringing me about my insurance claim and expecting me to give him my personal details. The problem was he was from the loss adjuster, not my insurance company, and I wasn't expecting the call, so he had to answer my questions first. He had to tell me exactly what the claim was for and then exactly what the quote to repair the problem was; only then did I give him any details to confirm he was talking to me. I would have thought by that point any security questions to me were irrelevant.

Thanks for your comment, Carole. I agree: if they ring you, why do they ask so many security questions? If a stranger has stolen my mobile phone or got into my house to answer my landline, I already have bigger security problems than they can handle!

"What frustrates me is that they often bring this up when the flow of information is solely one-way, FROM you TO O2. Whether consent is implied or not, if they are not providing any information to you, that consent is irrelevant."

Bang on. Thank you for this comment.

Implicit consent is a bit of a joke, isn't it? Like Andrew suggests, it's basically a weapon of customer control and responsibility avoidance, only when the information flow is going in a particular direction.

I'm Kate's husband. I've just started getting spam SMSes from 65655, claiming that they're from O2. As I can't ask the sender a security question, I obviously can't verify their identity, but I'm happy to assume it's O2 for the sake of this comment. So that means that: Kate rang them to get our jointly owned and jointly used broadband fixed; they gave her a bit of a hard time for not being me, or at any rate for not sounding a bit like me; but now they're sending me unsolicited texts to ask how it went, and I have to answer on a scale of 1 to 4 (no option to say "your attitude to the Data Protection Act is completely screwed").

The implication, as I've just mentioned on Twitter, is that I can implicitly consent to O2 spamming me with feedback requests via SMS, but I can't implicitly consent to my wife ringing regarding problems with our shared broadband resource.