Monday, 2 June 2008

Why UK Privacy is Dead

I can’t recall who originally coined the expression “Privacy is Dead”, but whoever it was, I have to say that I agree. A couple of months back I was speaking about companies and the UK government protecting personal data on BBC News 24, when in a typical BBC newsreader style I was put on the spot and asked “…but isn’t this information you say needs protecting available in the phone book anyway?” Which is true, even if you made the effort to go ex-directory and de-list from the public phone book, your name and address (given a rough geographic location), can still be easily found online, because Privacy in the UK is Dead, lets be honest it was never really alive in the first place.

Part of the problem is very simple, when it comes to personal privacy; generally the default stance and settings for privacy is to have it “disabled”. Why? Well the online world and the information age is all about sharing information, and these days many companies are making money out of this information sharing. So in today’s information world it is very much up to the individual to ensure their personal privacy is being protected, yet this in itself can be a real trauma, even banks don’t play ball, don’t believe me? Then close your bank account and try ensuring the bank removes all of your personal details from their systems, here's a tip, use the Freedom of Information Act to check what they are still holding about you post closure. And have you ever tried permanently removing your profile from social networking sites like Facebook?

Going back to the BBC Newsreader question, let’s take “going ex-directory” with British Telecom, which basically means BT will remove your name, address and phone number from the publicly printed and distributed phone book, as well as from their online phone book, called “The Phone Book”. Is there any information within BT’s “The Phone Book” web site or even within the BT web site’s privacy statement about how a member of the public can de-list their private detail? No! Even if you search the main BT website for the terms “ex-directory” or “x-directory”, no results are returned. To go ex-directory you have to phone BT through their general enquiry number, and then specifically ask to go ex-directory. Could it be it is not in BT’s interest to encourage private citizens to ensure their private details aren’t placed in the public domain, because BT make so much money out of the advertising on their phone book web site and within the publicly printed edition, which is circulated nationwide. Yet it is generally accepted unless you asked to opted out, your name, address and phone number will be in there. Make no mistake the BT Phone Book is one of a number of “free” online tools which UK and overseas identity thieves make use of today.

It’s not just private companies that are at fault either, take the UK government who are responsible for managing the country’s electoral roll, again the individual has to tick the box to ensure their full personal details aren’t placed online, these details include not only your name and full home address, but your children’s names as well, all are placed into a public accessible and unmonitored database, which is fully searchable online from anywhere on the planet, and is even printed and stored at your local library. Ever wondered how those marketing mail shots and Indian cold calls in the middle of the night are obtaining your details from? The online electoral role, yet another popular “free” tool used by identity thieves. Just in case you forgot or missed that tick box, I’ll provide full details on how to opt out at the bottom of this post. But even if you do tick that “privacy” box, guess what your personal details can still be easily found online for just a small fee.

Then there is the Social networking web sites, most of them have privacy switched off by default when you sign up, well that's how they make their money be exploiting personal information to direct marketing advertisements. Still too many users don't realise the information they are sharing to the world and to marketing groups, shouldn't they be protected from themselves by setting privacy on by default? Hell even Xbox Live has privacy settings now, again switched off by default.

The lack of privacy of personal information makes life so much easier for identity thieves and fraudsters. Lets say you dropped your bank debit card in the street, which often holds your bank account number and sort number as well as your name. A bad guy finds your card in a street in “X Town”; he can search the “X Town” electoral roll using your name as a guide, from which gain your full address and phone number. Then just a few more clicks away the bad guy can build up a frightening profile on you, all based on information which relatively easily to find. We are talking information like your mother’s maiden name, your date of birth, the place of your birth and even the schools you attended as a child. Why this sort of important? Well think about the typical security questions you are asked when accessing sensitive accounts, resetting passwords….”Can you confirm the first line of your address?”…”What’s you post code?”….”What’s the first school you attended?”…”What’s your place of birth?”…”What’s your mother’s maiden name?”…”What’s your date of birth?”…and it’s amazing how many people use their children’s names as a verbal password! Another even more sinister side of the coin is this information is enough to steal your identity, and to go on to obtain all sorts of credit and products in your name.

What’s worst, you don’t need to be hacker or some kind of fraud expert, it only takes a few minutes, as all this information can be effortlessly gained from the Internet. Furthermore once you have a profile, it’s very easy to obtain fake yet genuine looking documentation to back up the identity theft, from gas bills to fake drivers licenses complete with a picture, even passports and national insurance numbers, all can be purchased online. (Before anyone asks I’m not going to post how or any links). So small wonder Identity Theft is the UK’s fasting growing crime.

So that’s the problem, the answer is to secure all private information, but it’s too late, the horse has well and truly bolted, so privacy is indeed very dead. But surely more can do be done, so how about trying to turn the tide, but it’s down to the Information Commission and UK Government to tighten up in this area and perhaps pass a few laws and actually crack down. Never mind them complaining about the private sector, UK government departments should focus in getting their own house in order first, starting with properly protecting the electoral role information. Another such issue I haven't mentioned yet, is it fairly easy to "con" a full list of an area's electoral role through the proper channels, probably best not to elaborate too much about that one.

What can we do now apart from whinge at the powers that be, well there are some good services out there which can help reduce your "privacy footprint". These include the Mail Preference Service (MPS) to stop junk mail (mail shots) and the TPS (Telephone Preference Service). I have several friends use both these services, give them a month or two to kick in and they will reduce the amount of junk mail and cold calls, however in recent months I've noticed an increasing trend in the number of International (usually of an Indian origin) cold calls despite the TPS service.

To remove your records from all Direct Marketing databases and prevent companies sending unwanted mail or making unwanted telephone calls to you, you can register on with "MPS (Mail Preference Service) and TPS (Telephone Preference Service) database which is maintained by the DMA.

Once registered it is an offence for a company to contact you unsolicited (with a fine of £5,000).

Mailing Preference Service (MPS)

Mailing Preference Service (MPS)
DMA House
70 Margaret Street

MPS Registration line: 0845 703 4599 Tel: 020 7291 3310 Fax: 020 7323 4226
E-mail: Web:
Licence Department: 020 7291 3327
Complaints Department: 020 7291 3321

Telephone Preference Service (TPS)

Telephone Preference Service (TPS)
DMA House
70 Margaret Street
London W1W 8SS

TPS Registration line : 0845 070 0707 Tel: 020 7291 3320 Fax: 020 7323 4226
E-mail: Web:
Licence Department: 020 7291 3326
Complaints Department: 020 7291 3323

Removal from (Online electoral role)
download a CO1 form or write to by post and request removal of your details:

The CO1 Requests Administrator
I-CD Publishing (UK) Limited
8-10 Quayside Lodge

By fax: 0906 34 34 192 (calls cost £1.50/ min)


Stephen Buel said...

I believe the first person to publicly proclaim that privacy is dead was Scott McNealy, then the CEO of Sun Microsystems. He made the comments back in 1999, I believe.

Dave Whitelegg CISSP said...

Many Thanks, it's coming back to me now, it caused a bit of fuss at the time (and still does) when he said "You have zero privacy anyway – get over it”. It just goes to underlines the vision of the man, who also back in 1999 predicted all software will be free, which is clearly the way it is heading today. I must try to read a biography type book on the guy such as High Noon during my next transatlantic crossing, I'll certainly quote Scott McNealy in future when I talk about privacy being dead.

Home Security Guy said...

This is very useul information, thanks. I understood I was not on the public electrol register - but online, it looks like my details are available. I will be rectifing that shortly.
Also didnt realise putting your details on some of these registers expires after 5 years.
Great info, thanks.

Anonymous said...

All the information you provided is very useful. Could you suggest any books or knowledge links with practical advice or examples for a network security beginner - preferably once where you do not have to register or log in. Thanks

gianna said...

Very useful - thank you. Where else can one find more info on the subject preferrably without registering?

Brian said...

Very good information, I wonder if I will find anything else on this topic.

locksmith sw6