FROM THE COMMS CUPBOARD, Episode #5

Comms for data security and handling sensitive information

Who’s responsible for data protection? John and Shaun discuss handling sensitive information from the blackness of their comms cupboard.

Why do companies collect so much data about us? And where do they put it? John and Shaun cover unsecured Wi-Fi networks, GDPR guidelines, data breach semantics, Arnold Schwarzenegger and leaky kettles.

Please rate and review our show on Apple Podcasts, check us out on Google Podcasts, or subscribe to our newsletter to stay up to speed on new episodes.

Episode 5 transcript

Shaun: I would say that it’s everyone’s responsibility to handle our data with care.

John: I’d agree.

Shaun: Oh. End of episode 😆

John: Of course it is.

Shaun: Why are companies collecting so much data about us?

John: I suppose primarily to sell us things. Or to know more about us so they can …

Shaun: Sell us things 😂 I’m on the fence on this one because I think it’s great when you get a service or innovation that uses our data and makes things easier for us, such as how to get somewhere; mapping data; it knows where home is, and that sort of thing.

John: It’s about intentions. What do they want to use that for – to help me or sell me something?

Shaun: And there’s an element of trust – we have to trust Google and Apple, and then when you see them on the news in front of a tribunal, you start to think “they know where I live!”

John: They do. And they know what food you buy.

Shaun: And what food I buy. How dare they!

John: And what websites you go on, and what podcasts you listen to.

Shaun: And it’s none of their business! 😲

John: Unless you tell them.

Shaun: But then, it’s not always a choice, is it?

John: It’s not.

Shaun: Sometimes it seems like you can’t sign up for the simplest of things without giving away an awful lot of information. Do you know one of my real pet hates is when someone takes your passport at a hotel and photocopies it.

John: Imagine how many photocopies of your passport there are around the world.

Shaun: I’ve stopped doing it.

John: What do you say to them when they ask?

Shaun: I don’t want you to photocopy my passport, please.

John: How do they react?

Shaun: Well, I think the last time I did it … you were with me, weren’t you? I think they said, “Oh we don’t need that”. I can’t remember how it panned out.

John: I think they realised they didn’t need it. It was out of habit.

Shaun: And they’d never had that resistance before, perhaps.

John: Isn’t security all about habits as well? It was needed in the past, that they had to have it photocopied, and then they realised … It takes someone to tell them: “Why do you need that?” All you’re doing is holding data that you then have to control. I think it’s pretty clear that most people don’t know how to control data.

Shaun: Most people don’t. Most people are not educated about it. Especially at work.

John: How many times have you received an email that says confidential, but there’s nothing confidential in it? Yet, they’ve marked it confidential. Doesn’t that then mean you can’t do certain things with that information?

Shaun: Absolutely. You don’t have to sign a document now. An email is legal proof of your acceptance. So surely if an email says confidential, then all of the rules around confidentiality apply.

John: How many people do you think understand about how you would mark a document or email?

Shaun: I think it would be a scarily low number of people who would actually understand. I don’t think it’s always their fault either. Security is one of those things that isn’t really spoken about as much as what to wear at work; your dress code. You know, the trivial things about work, when actually security is one of the biggest things. It’s not just security about the company – it’s security about your customers’ information. Where does that go? Who keeps it?

John: And who needs to see it?

Shaun: D’know what I did recently?

John: Go on.

Shaun: I got an email from a dental surgery that I haven’t been a customer of … a client of … what is the word?

John: A patient.

Shaun: … a patient for about three or four years. I don’t go to that dentist, but they sent me an email. I said thanks for sending me an email, and then asked them for my information under GDPR rules, and they have a month to comply, to tell me what information they hold on me. There’s no point to me telling you this until I hear back from them, but it’s interesting because it’s the first time I’ve done it. Now, how many of those GDPR requests – I think they’re called access requests – does a business get and doesn’t know what to do with them?

John: I have no idea. I imagine they don’t get that many requests because there’s probably not many people who understand that they can make that request. The ones who do maybe make that request to all sorts of businesses, and rightfully, because we pass through so many systems through our lives. We change jobs, we move house. A good example is that I bought a car three years ago, and the company I bought it from still hold information about me, and still pester me to buy another car from them, even though I live 300 miles away. 🚘

Shaun: They still know how to contact you, what your name is … The actual data you want them to know is that you’re not going to deal with them anymore! But they ignore that. They just take your name and address: Here’s a customer. Let’s go and pester him for three years.

John: So while a lot of us are working out of office these days, what are the best ways to stay secure? I mean, probably not at the moment because cafes are shut, but people sit in Starbucks, and hundreds of people sit in cafes around the UK working on laptops. How many of them are using the free Wi-Fi?

Shaun: Oh, can you imagine 😖 Open Wi-Fi that isn’t protected. It’s like opening your suitcase in the middle of an airport, and your suitcase is full of valuables …

John: And turning around and going to get a coffee!

Shaun: That’s a really good analogy! Yes, walking off to get a coffee and leaving your suitcase open in an airport. People always say, it won’t be me. I think you can play around with your own data if you like, but if you’re working on behalf of your employer while in a coffee shop, you need to be using a VPN (virtual private network). You need to make sure it’s private – tether off your phone or something. Don’t work off the coffee shop’s Wi-Fi. But your question is how many people are doing that without knowing that they shouldn’t be doing that? Are we saying that this is something an IT department needs to be saying more about?

John: I think they often are. Everywhere I’ve ever worked, the messages are there, but how do you make them get into people’s heads? I think one side is saying something, maybe not in an engaging way, so how do we as comms people get that message out there? ‘GDPR’ – that doesn’t sound exciting.

Shaun: Well it’s not. They never are.

John: ‘Password protection’ – that doesn’t sound exciting. ‘Marking documents’ doesn’t sound exciting. How do we make that better?

Shaun: Sexing it up. Making it sexy.

John: Comms’ing it up 🙄

Shaun: There was a data breach a while ago by Virgin Media. They tried to gloss over it by saying nothing was taken – it wasn’t really a data breach. It’s a strange thing because I absolutely do think it was a data breach. They said it didn’t occur as a hack, but it doesn’t have to. Sometimes the data breach is … Well, let’s take for instance that a breach is a breach: if a kettle leaks water, it has still been breached, whether it was a mouse with a blowtorch or whatever. It doesn’t take a hacker to take water from my kettle. It could just be me having left the kettle on its side and the water came out. I think that’s the same for companies. How do we help people understand that? It’s a minefield 💣

John: A good example is that we’re all washing our hands more.

Shaun: Arnold Schwarzenegger washes his hands 50 times a day.

John: I can imagine. If you have a tiny horse and a tiny donkey in your house, I imagine you need to wash your hands even more. Does it take the breach … does it take the incident, such as someone losing their job or a company losing lots of money for people to take these things seriously? How can we make people take it seriously beforehand?

Shaun: You’re talking to someone who thinks the worst of people sometimes! 🤦‍♂️ I think it often takes for something to happen before we do anything about it, and I think security is one of those things. It’s a sad fact that it would take a data breach such as leaving a clear plastic bin bag full of people’s information on the street, and a policeman coming by (I heard this anecdote recently) and going into that building and saying, “Did you know you just broke the law by leaving this on the street?” Even though you’ve finished with it, it’s still people’s information. And if that employee is then hauled through the coals … over the coals … (that’s hard to say after lunch), and sadly may be fired, and then there may be a fine on the company. And then the rest of the workforce understands how it works. It could have been stopped in the first place by someone sensible saying …

John: This is important.

Shaun: This is important information. You should cross-shred this and put it in black plastic bags, and don’t leave it out on the street.

🐭