Striking the Balance

Ian G Batten I.G.Batten at ftel.co.uk
Wed, 30 Oct 2002 18:43:15 +0000


On Wed, 30 Oct 2002, Watkin Simon wrote:
> > Yes, that's right.  The main difference is that Vodafone don't have a
> > police force.
> 
> But - hypothetically - the scope for blackmail, revelation to the tabloids
> is the same whether the privacy intruder works in the CSP or the police.

Yes.

> The CSP can't engage in liberty deprivation but the capacity for ruining
> people's lives is the same.  And if a corrupt CSP official were in league
> with a corrupt law enforcer ......

Absolutely.

> So what do we do?

We discourage CSPs from holding more data than they require, and we
impose severe criminal penalties for misuse.  I know, we could call this
the ``Data Protection Act''.

> Now you could say keep no data, trust no one.  Every time I use my credit
> card these days I ask myself, "does that waiter or shop assistant look like
> a skimmer, do I trust them with my credit card", every time I buy over the
> phone or online I wonder is this the time I'm going to get ripped off.  No,
> you make judgements about who to buy from and who to give your card to and
> who to pay in cash - and by and large, we're trusting.  Very few waiters and
> shop assistants skim cards.  But a small number do.  Very few cardholder not
> present transactions are abused by the retailer receiving the data.  But a
> small number do.

Yes, and there is a strong legislative framework, including but not
limited to the Consumer Credit Act, coupled to a large body of industry
practice and case law, which provides strong protection to the customer
in this scenario.  This is a variation on the Direct Debit industry,
where the code of practice is heavily weighted in favour of the
consumer, precisely to overcome long-held fears of ``letting people just
mess around with your bank account''.  Yes, there are mistakes.  Yes,
there are frauds.  But the system is weighted in the consumer's favour.

[[ You're expected to take reasonable care, London Joint Stock Bank Ltd
v Macmillan and Arthur, and notify the bank promptly if you have reason
to believe that a transaction may be fraudulent, Greenwood v Martins
Bank Ltd.  Conversely, there's a case which says that customers are
under no obligation to read their statement in order to retain rights to
act if a mistake or fraud later emerges, which my memory of my wife's
banking law exams said was Brown v Westminster Bank, but a swift
websearch reveals Tai Hing Cotton Mill Ltd v Liu Chong Hing Bank Ltd to
be a more recent current case ]]

>  We don't stop using credit cards though.

Mostly because the legal framework to protect us from malfeasance is
robust.  We would know that our credit card had been misused (in the
limit, by it being refused, but probably at the end of the month when
the bill came) and we know that, within reason, the banks have a
reasonable history of swallowing or charging back losses.  And for items
over 100 pounds, there's the Consumer Credit Act.  Ross will say,
correctly, that there are cases where the oversight breaks down: phantom
withdrawals is a case in point.  However, in many cases it doesn't, so
it is a watchdog with at least a reasonable number of teeth, and the bad
scenarios are evidence that the system is fallible, not that the system
is totally worthless.

> Most CSP and police workers
> are trustworthy, but a small number aren't.  So what do we do?

Supervise them all, and punish those that misbehave.  The Home Office's
take on interception includes weak supervision with no penalties for
wrongdoers, which is reversing the situation for financial
transactions.

ian