Data Privacy: We Must Police Ourselves

Data drives a good chunk of modern-day assurance in telcos. That is well and good, in my view. If we have all this data, it must be telling us something and we might as well look for stories that show us when things are not going right, or else use it to confirm everything is okay. What sometimes worries me is the power that this gives assurance teams. In the book Revenue Assurance: Expert Opinions for Communications Providers, this power is also the subject of one of the sections – where the book asserts, it is very possible for RA folks, who occupy a trusted position in the company, working in very “fluid” conditions etc. to be the risk within. For example, in the course of some of my revenue assurance tasks, I have been awed by the amount and sensitivity of the data that I can access. Heck, I think one day I will demand the entire payroll file, on some ruse or other, and somebody will hand it over to me without hesitation.

With great power comes great responsibility. Allow me to puff up my chest as I declare that I can pretty much look at whatever I want to look at. I do, however, apply 4 rules to my work with data. I work in revenue assurance, but these rules do not just apply to RA. They should be applicable to anybody in audit, assurance, fraud, security… any folks who normally see and handle data that the ordinary telco employee will not be able to access.

  1. Do I need to see all this? If I am doing a billing assurance task, do I really need the name, location, gender, and bank details of the subscriber? Or will the MSISDN and tariff plan do?
  2. If I have to forward/share some of this data whilst doing my official work, do I take care to share it with only those who are authorized to see it? Do I make sure recipients of this information only receive the minimum details they need, especially when customer data is concerned?
  3. Are the methods of storing and transferring the file secure? Do I at least take some precautions to ensure that if any unscrupulous characters are snooping around, they cannot grab it midway?
  4. When I am done with the data, what happens to it? Do I leave it lying around in the FTP folder? Do I just move the file into a folder on my laptop named “old”?

I haven’t done any credible research but I would wager that a good percentage of the laptops and other mobile devices carried home every day by employees of CSPs contain files with subscriber information. The files may be tiny, innocuous slices of data in isolation, but in the hands of an evil mind, they can be reassembled into a montage that will change an innocent subscriber’s life forever, or alter the fortunes of the CSP in a significant way. I also posit that a lot of that data is ferried all over by folks in assurance using laptops and smart phones. These devices of convenience will be in the subway, they will be at coffee houses and connected to poorly encrypted Wi-Fi networks and they may just be physically stolen. CSPs can issue policies about data security but ultimately, ethical and diligent handling of data is difficult to enforce and is dependent on individuals buying into the maxim: with great power (access to data), comes great responsibility (self-policing not just because of, but even in the absence of written rules).

I imagine not everybody who has access to such data really treats it with the respect that it deserves and we should not be surprised that only 18% of customers trust CSPs when it comes to matters of data privacy, at least according to this study conducted by TNS Infratest on behalf of the Vodafone Institute. We must ask ourselves: what happens if that geeky assurance guy is a stalker or some voyeuristic bastard of some sort? Or what if he is very dissatisfied with his salary and, having figured that he did not get the salary raise that he deserved last year, decides to start selling subscriber call records to suspicious spouses so that they can nail their cheating mates? The CSP data is treasure trove for him and he can do much – all in a day’s work. The uncomfortable fact is that those who are charged with risk assurance are also likely to be the greatest risk and that is a sobering thought in deed.

A few years ago, I attended a cyber-security seminar where the presenter urged us to take better care of laptops. When I got back to the office, I spent hours cleaning out the laptop. I moved all files that I felt may be misused if they fell into wrong hands and especially anything that may compromise company and subscriber data – all these went back to my folder on the company’s network server. One could argue that the shared network file servers can also be breached but I figured it would take an intruder a little more effort than just grabbing my laptop as I waited at the bus stop (such an element would simply later crack the BIOS password and/or mirror my disk thus opening the whole world of my employer and some poor customers whose only fault was signing up to be our clients). I also used Paragon disk-wiper, a tool which enables more reliable erasure of data, cleaning free space etc. so that files I had deleted or moved back to shared file servers would not be recoverable on my machine. It’s amazing how many people think that deleting a file and/or formatting a disk that used to hold the files means the data is gone. All that has happened is that the pointer information to that file has been removed; the data is easily recoverable.

Roughly two weeks later, my apartment in Westlands, Nairobi, was burglarized. They stole a DVD player, all my shoes and also my daughter’s shoes. For some weird reason, this Ali Burglar and his fellow thieves did not steal a single pair of my wife’s shoes – this has been a mystery to date. And, yes, of course they also stole the laptop which I had left on the table. We called the cops – they came, finger-printed us all and made a huge show of dusting the place for fingerprints, never mind that I have never read of case where the police in the esteemed Republic of Kenya arrested anybody based on credible forensics analysis. They also nibbled on the cashew nuts that were on the table and drank copious amounts of tea. Finally, they threatened the apartment block’s security personnel and slapped one lad around as an example. They also (helpfully) warned the guards not to be dozing off at night. That marked the end of the case. With this caliber of crime-busters as my only hope I was so glad I had attended the seminar and I was even happier that I had done some things to reduce the exposure that the theft of my laptop would have occasioned.

We may be doing a great job looking over others’ shoulders. It is time we also looked back over our own shoulders. That scramble behind us will be the bad guys scampering to safety, so you better hope what was open/accessible on your laptop is not sensitive.

P.S. If you bought a used DVD player in Nairobi (around September 2010) and inside it you encountered a copy of the movie Something’s Gotta Give, please get in touch with me. I would like my movie back, if you don’t mind. I give you my word, I will not pursue you. The Kenya Police would however like to dust the DVD player for fingerprints – you would be wise to hide your snacks when they come around.

Joseph Nderitu
Joseph Nderitu
Joseph Nderitu is a director at Integrated Risk Services Ltd and specializes in revenue assurance. He previously worked as Head of Revenue Assurance and Fraud Management at Vodacom's operation in Tanzania, having previously served in the same role at Vodacom Mozambique.

Before his work with Vodacom, Joseph was an internal audit manager for Airtel, with responsibility that covered their 17 countries in Africa. Whilst at Airtel, Joseph led reviews of the Revenue Assurance, Customer Service and Sales & Marketing functions.

Prior to his stint at Airtel, Joseph was an RA manager at Safaricom in Kenya. He holds an MSc Degree in Information Systems.

1 Comment on "Data Privacy: We Must Police Ourselves"

  1. I am reminded of a true story from one of the smaller telcos where I briefly did some consulting work. A member of staff returned to her country of origin, for a holiday. She took her corporate laptop with her, seemingly so she could work whilst on holiday. She never returned from that ‘holiday’. On the laptop was stored the details of every single customer of that telco.

Comments are closed.