[LINK] Intriguing demand for information

Roger Clarke Roger.Clarke at xamax.com.au
Wed Dec 31 21:29:35 AEDT 2014


At 20:12 +1100 31/12/14, David Boxall wrote:
>I'm puzzling over the message below.
>Given the ease with which a scan can be falsified, would providing scans
>of documents really validate anything?
>In view of the information on the documents they demand, are they in
>violation of privacy legislation?
>
>And yes, I'm aware that some customers of the site have had problems.

Very dodgy.  (I'm referring to the request, but it could apply to the organisation more generally).

Explain to them that the data they are asking for is sensitive, and of the kind used to perform identity fraud (but maybe use the silly term 'identity theft', because it scares people).

Say that the law requires them to demonstrate why it is necessary for them to have the information.

And draw to their attention that they have to demonstrate that the information is necessary to "protect our *customers* from potentially fraudulent online activities" (emphasis added).  They could conceivably argue that they need it to protect themselves, but to protect you, or to protect other customers, is a bigger challenge to even explain, let alone justify.

The relevant words in APP 3.2 are (designed to be) unduly permissive, but they do set some kind of threshold:  "reasonably necessary for one or more of the entity's functions or activities".  (I'd mention APP 3.2, but not quote the words.  Bluff is sometimes more effective than logical analysis, etc.).

There's a chance that they'll provide a response that's sufficient to satisfy you.  (I can sketch a few possible reasons - which sound pretty far-fetched, but then I'm not running their business).

When I'm occasionally forced to send a copy of a document that creates a risk of identity fraud, I copy it at the wrong size, on the angle, and obscure whichever parts of the data I think I can get away with.  (I've successfully resisted many demands, but some government agencies have the formal power to demand things like driver licences).

But if they don't provide a reasonable response, complain to the Privacy Commissioner, with a copy to them. 

(The Cc: may have more impact than the original copy.  The PC'er will probably do even less than they normally do, because they're under resource uncertainties and don't even know whether they belong to OAIC, HRC, or somewhere else;  but that's for the company to find out, so don't tell them).


Resources are here:
https://www.privacy.org.au/Resources/PLawsClth.html#PAct
http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-3-app-3-collection-of-solicited-personal-information#_Toc381351252

https://www.privacy.org.au/Resources/Complaints.html
http://www.oaic.gov.au/privacy/making-a-privacy-complaint

________________________________________


>--
>David Boxall                    |  I have not yet begun to fight!
>                                |          --John Paul Jones
>http://david.boxall.id.au       |
>
>
>
>-------- Forwarded Message --------
>Subject:	Please help us to validate your ValueBasket.com.au order (...)
>Date:	Wed, 31 Dec 2014 04:03:58 +0000
>From:	agatha at valuebasket.com
>To:	...
>
>
>
>ValueBasket.com.au 332140-663033
>
>Dear David,
>
>Thank you for placing an order with ValueBasket.com.au
>
>...
>
>With regards to your purchase made on 30/12/2014 , I am sorry to inform
>you that your order is temporarily on hold. To protect our customers
>from potentially fraudulent online activities, it is our policy to put
>all orders through a rigorous screening process, and on occasion some
>are held for further manual verification.
>
>This verification process requires you to provide us with some documents
>that serve as proof of your address and identity. This is a fairly
>standard industry procedure - for your information I have provided some
>examples of other websites which adopt a similar process at the bottom
>of this email.
>
>In order to allow us to continue processing your order, could you please
>provide us with the following documentation:
>
>  * Billing Address proof (Your most current utility bill for your
>    electricity, water, etc)
>  * Photo ID such as driving license, passport, etc.
>
>
>
>
>While I understand that you might be reluctant to reveal your personal
>information, here at ValueBasket.com.au, we take the security and
>privacy of our customers very seriously. Therefore, I hope you
>understand that by asking for these documents, we are doing our best to
>protect both your interests and ours.
>
>Your immediate assistance will be greatly appreciated, as we look
>forward to continue processing your order.
>
>Please attach the documents with your reply to this email, and if you
>have any other concerns, please don't hesitate to let us know in your reply.
>
>...
>A variety of online retailers use similar security procedures, including:
>
>  * B&H photo:
>    http://www.bhphotovideo.com/find/HelpCenter/Verification.jsp
>  * Mvixusa.com: http://mvixusa.com/kb.php?id=61
>  * Tristatecamera.com: http://www.tristatecamera.com/faq.php
>
>
>
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University


