Understanding Nothing

I’ve been having some more difficulties with BT over the last few days (more details later, when I discover what has actually happened), and I found myself looking at their SMS webpages again.

As regular readers know, shortly after I complained to them about their previous system, whereby you could find out when anyone last paid their phone bill, just by knowing their phone number, the service was replaced by one that required you to also know their BT account number.

What I didn’t realise until today was that now, as long as you know their account number, you can find out not just when someone last paid their bill, but also how much they paid.

This is quite an astounding breach of basic privacy and Data Protection principles. BT bizarrely seem to think that your account number is a sensible security barrier, even though it’s casually printed on almost all correspondence from them.

Even aside from the normal misdirected/stolen mail, unshredded mail in bin, identity theft type scenarios, surely BT are well aware that a significant number of companies (banks, utilities etc) accept, or even ask for, a recent phone bill as proof of identity?

When I fought with BT on this issue last month I never got around to actually reporting the issue to the Information Commissioner, mostly due to BT’s friendly offer of £25 compensation (which I discovered yesterday they haven’t actually credited to my account yet, but more on that later). Now I may just be pushed far enough to make the complaint…

Tony BT, DPA

The Register is reporting that BT have shut down the SMS service due to Data Protection fears.

However, BT’s own website for the service shows that they haven’t actually stopped the service at all – just added an extra level of “security” to it. Now, instead of requesting the information justing by texting the service with a phone number, you now need to include the phone number and the account number.

This will presumably cut out a large percentage of the “poor man’s credit check”-type lookups, but it seems to miss the point that they’re still willing to supply this information without customers’ consent.

I don’t recall every receiving anything from BT telling me to treat my account number with utmost confidentiality, as anyone who gets access to it will be able to access my information …

Tony BT, DPA

Tim Trent has written an article about the BT SMS fiasco: Anatomy of a Marketing Disaster.

In it he describes some of the responses that people have been given when they have tried to talk to BT about this service.

This morning, on the Data Protection list, an even better one was unveiled. After sending a s10 Notice, asking BT to stop processing their details in this manner (the official way to say, “Don’t allow anyone to get my details through this service), one customer received a reply saying that BT have now changed their telephone number to be ex-directory, and they are thus no longer accessible through Directory Enquiries!

When the internet bubble collapsed a few years back, there was a trend for some of the surviving ecommerce companies, in a bid to cut costs to ensure they continued to survive, to switch a lot of their customer service to automated software which would extract key words from customer emails and respond with a suitable stock answer. Of course everyone made fun of these, as, for the most part, they were universally useless – often hilariously so. You certainly didn’t want to send an email saying anything like “I have already checked with my bank and they say it’s not a problem with my credit card”, as their software would only see the phrase “problem with my credit card”, and reply accordingly.

So, most organisations stepped this back a level. They still built up a database of pre-approved stock answers, but a human had to select the relevant one based on the content of your email. But, even when this approach works well, it still doesn’t really work well. (There are lots of organisations who will get really confused if you ask more than one question in an email.) Unfortunately, a lot of the time, it doesn’t seem to work much better than the original software.

Whichever theory you subscribe to (management pressure to handle 10,000 emails per day, or customer service being offshored to people who don’t speak English well, or just that 90% of call centre staff are just incompetent, or whatever), dealing with many companies these days is a very painful experience. And, as you often only have to contact them when something has gone wrong in the first place, this level of incompetence usually just pours oil on the flames.

As the person who received the above response from BT suggested, many of these sorts of companies should look very carefully at their customer defection rates and reasons. Some might be surprised to see how much they’re spending on marketing just to generate as many new customers as they’re losing through poor service.

Tony BT, Customer Service, DPA

I called BT back after an hour to ask why I hadn’t yet received the promised phone call from a manager.

They managed to reconnect me to the person I was talking to earlier, who seemed surprised that I hadn’t been called as the manager had left a note on my account saying that they had agreed a credit of £25 to my account to compensate me for my inconvenience!

The note also said they’d opened an internal investigation into how the system had gone wrong on this occassion, which makes me think they didn’t really understand my complaint.

I’m happy enough to take their £25, and I also look forward to the report on their investigation (which they say I should get in 7-10 days), but in the meantime, if anyone else is upset that BT would give out their details like this, I’d suggest ringing 150 (pressing 9 at the menu gets you straight through to Customer Service), and raising a complaint.

Asking for details on whether or not your information has been requested in this manner could be quite interesting…

According to the conversation sparked by this on the Data Protection mailing list, I think that Oftel and the Information Commissioner are going to get a few complaints about this too.

Tony BT, DPA

This afternoon, I, along with presumably many millions of other BT customers, received an email announcing their wonderful new SMS Self Service system.

Due to the marvels of modern technology, BT now allow me to use SMS to discover information about my phone line, such as when there was last a fault on the line, and when the bill was last paid.

All I have to do is send an SMS to 64364 asking “Paid [phonenumber]“, and they’ll reply with the information.

This would all be fine and dandy, except for the fact that that is, literally, all I have to do. Nothing to register my mobile phone number as being connected in any way with my home phone. Nothing to say that it’s OK to send this information to anyone with an SMS compatible phone who happens to know my home phone number. Nothing, in fact, to stop anyone getting access to such information about anyone else’s BT line.

And it’s not just restricted to ‘home’ phones either. It works with business too. Think that one of your clients might be late in paying other people’s bills too? Well, you can now explore your theory by checking when they last paid their BT bills.

For extra doses of incredulity, the “terms and conditions” of this service (which, of course, you don’t actually have to agree to before you can either access this information, or have your information accessed) say that:

17. You [i.e. *me*] are responsible for taking all reasonable steps to prevent unauthorised persons gaining access to the Services. [I'm really not sure how I'm meant to do that. Does saying here "Please don't access my details unless I've given you explicit permission" count? Somehow I doubt it ...]

and

24. We exclude all liability of any kind (including negligence) in respect of any third party information or other material made available on, or which can be accessed using SMS text services.

So far neither of the two people I’ve spoken to at BT have even been aware of the service, and seemed at a complete loss to know what to do with my complaint other than to escalate it. Now I’m waiting for a manager to call me back. This will supposedly happen within “15 to 20 minutes”, but I’m not going to hold my breath …

Tony BT, DPA