Personal data at stake
Flaws in the prepaid registration may spawn new security problems
January 16, 2006
There are several execution flaws to the Government’s directive to register all prepaid phone account clients, irrespective of new or existing ones, starting January 1. This is a follow-through of a 3-month pilot project in Penang and Malacca launched in the last quarter of 2005. At the nationwide level, a 6-month timeline is tied to the exercise, whereby the respective service providers must terminate the phone numbers if the users did not comply with the requirement.
There are three major issues involved. One: There is no legal framework pertaining to the guarantee of security and confidentiality of personal data, and the attorney power of the data custodian is not clearly defined. Two: Registration of user data is relegated to the retail/dealers level and there is no guarantee of quality of custodians of data in transit before the data is transmitted to the mobile operators. Three: Mobile operators are non-committal to a professional workflow while industry regulator, the MCMC, does not provide a clear guideline for operators to adhere.
Let’s take a look at the registration procedure. Recently, media reports said that the government and cellular operators were very satisfied with the cooperation of the public to the registration exercise. But the claim has been challenged, the validity of the statistics and information severely questioned.
The cellular operators have been accused of not being serious about carrying out the directive as they feared losing customers. This is evident in the loose registration procedure. It has been pointed out that prepaid card buyers only have to fill the registration form without having to give a copy of their identity card. Most cellular dealers do not to ask for the identity card for reference. Without verification, anyone can give false information.
According to Bernama, the operators admitted of receiving many enquiries about the matter from the public. They, however, said they were waiting for further instructions from the MCMC. What we heard from MCMC thus far is that this was not supposed to happen as it would frustrate the overall purpose of the registration exercise. How convenient in buck-passing. Didn’t the operators consult the MCMC on the registration procedure before the directive was announced?
Now, let’s look at the larger issue. In 2002, this column has discussed at the length the peril of the authority’s delay in passing the Personal Data Protection Act. Perhaps, it is timely to revisit this issue as we undertake the registration of prepaid cellular users as millions of people’s personal data are passing through the hands of untrained and unrestrained personnel.
Data attached to cellular phone accounts are critical by nature. Each entry will include a person’s name, his address, and his identification card numbers. These sets of personal data are then attached to specific phone numbers where call records can be traced. Frauds have happened before in the automobile hire-purchase industry when such personal data fell into the wrong hands. There is no guarantee that this cannot happen in the cellular industry.
This issue was highlighted in the US recently, albeit at an alarming scale. The sale of personal data and telephone calls record, obtained through sanctioned means or otherwise, has become a big money-spinning industry oblivious to the cellular users.
In early January, the Chicago Police Department issued a warning that dozens of online services – like locatecell.com operated by Tennessee-based Data Find Solutions Inc. -- are selling lists of phone calls made on mobile and land lines, raising security concerns among law enforcement and privacy experts. A Senator has called for legislation to criminalize phone record theft and use.
These online services might be skirting the law to obtain the phone lists. A common method for obtaining mobile phone records is "pretexting", which involves a data broker pretending to be a phone's owner and duping the phone company into providing the information. In some cases, telephone company insiders secretly sell customers' phone-call lists to online brokers, despite strict telephone company rules against such deals.
To test the clandestine service, the FBI paid Locatecell.com US$160 to buy the records for an agent's cell phone and received the list within three hours, the Chicago police bulletin said.
The Chicago Sun-Times did the same and Locatecell.com responded swiftly by emailing back a register of 78 telephone numbers recorded on a reporter’s call list, which included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.
In July last year, the Electronic Privacy Information Center (EPIC) filed a petition with the US Federal Communications Commission (FCC) seeking an end to the sale of telephone records. It has uncovered Locatecell.com as the company that sold the phone records of a Canadian official to a reporter with “no questions asked”. In other words, with digitisation, critical personal data could travel to foreign hands without your realising it.
So, can we establish that cellular phone numbers and their records are now the most powerful investigative tool? If that’s the case, isn’t it time we tightened the law by instituting the long-awaited Personal Data Protection Act before all hell breaks loose?