Dodo Internet and your privacy

[GasoLane]

Quote:

Originally Posted by gozza

how many people do over the phone c/c transactions?
i have plenty of times and in my line of work i take down credit card details all the time....more to worry about there than email security...

Or the waiter that runs off to the back room with CC.

[Yaw]

Many people obviously think I am paranoid.

I have had sevral emails go missing from my inbox.

However I really don't care that much about myself, but what about buisness customers which could potentially have sensitive coporate info?

Your password is YOUR security! Much like a PIN number for a bank account.
Who is to say someone would not use your email or account to send viruses world wide? The ways it could be misused is endless.

For those of you who say well why don't you just swap?
Well yes that is one course of action, I myself though choose to stand up to these companies that think they are a law unto themselves. They are accountable. Besides the fact I am in a 36 month contract with them.

I might add the Telecommincation Ombudsman thinks the issue was important enough to take up with the Fedral Privacy Commisioner to investigate.

[XRchic]

What about:

All the people at the ATO who have your TFN, financial details, employer details, business records, annual income?
All the people at the bank who have your account and password details and details of your mortgage and other loans?
All the people at Telstra or whoever who have your phone number, and address?
All the people at your state motor registation dept who have your rego number, VIN/engine numbers, address?
All the people at the council who have your address, lands titles details, house value?
And last but not least, what about your boy/girlfriend who has your car keys, credit card and house keys???

LOL.

I wouldnt worry about it too much, its a commonly used security practice and plenty of people work in positions where they have access to sensitive client information and any kind of breach of that trust is treated VERY seriously, usually with sackings, fines or both. And often people who work in these positions are monitored, by people and by software to ensure they dont misuse information and they also have to go through security clearances to get the positions in many cases.

Jac

[DTFRMONT]

Quote:

Originally Posted by XRchic

What about:

All the people at the ATO who have your TFN, financial details, employer details, business records, annual income?
All the people at the bank who have your account and password details and details of your mortgage and other loans?
All the people at Telstra or whoever who have your phone number, and address?
All the people at your state motor registation dept who have your rego number, VIN/engine numbers, address?
All the people at the council who have your address, lands titles details, house value?
And last but not least, what about your boy/girlfriend who has your car keys, credit card and house keys???

LOL.

I wouldnt worry about it too much, its a commonly used security practice and plenty of people work in positions where they have access to sensitive client information and any kind of breach of that trust is treated VERY seriously, usually with sackings, fines or both. And often people who work in these positions are monitored, by people and by software to ensure they dont misuse information and they also have to go through security clearances to get the positions in many cases.

Jac

Being the first in the list, I can pretty much confirm what XRchic says. Our systems are monitored, with extensive audit trails. Not to mention the pre employment checks (police checks & security clearance in some cases) Any breach of privacy/trust is treated VERY seriously and any offenders are usually brought before the courts. If the only thing that happens to you is losing your job, that would be getting off lightly.

[EA2BA]

I would not have a clue what my internet provider would ask me, i never need to call them, i dont have any problems.

[Riksta]

Sorry to have resurrected this thread - I was looking through older threads reading, and forgot that voting in a poll bumped them to the top, if I had have remembered I wouldn't have done it. Since its up here now I may as well post the apology, and let it die again.

/me makes mental note NOT to vote in polls while browsing older threads.

[andrewts]

I'm with iiNet, and I rang them up about a problem I am having and she asked for the username and password, and she told me all sorts of stuff like how my modem kept disconnecting and that.

She was very helpful, so I don't mind. What is she going to do with my password? She could use my internet if she wanted to, but if I noticed that, I would change my password I guess.

[Falcon_Phill]

Dodo is the devil. They cancelled my contract because where I live now i cant get their internet through the telephone line, yet still took my money for that month and the 4 previous months when i had been trying to get it working, and they said they were 'fixing' it. *******s.

[Nickxb]

Quote:

Originally Posted by Yaw

I am currently having an argument with Dodo internet regarding privacy.

You see Dodo ask you as a way to identify yourself your account password.
Now the major problem with this is that this means each and every staff member of Dodo can see your password.

This creates a security problem with your privacy that one of thier employees could take your account name and password home (with dodo your account password and defualt email password are the same, if you change one they both change) So the potential problem is one of thier staff could malicously use your account and email or just read your private emails.

Now the Fedral privacy act states this :
An organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorized access, modification or disclosure.

My argument is they are breaching that section of the privacy act.

They argue that most other I.S.P's do this also. I want to know if your I.S.P does this.

There is no privacy breech, i work for a large insurance company and I used to work in Customer Relations (complaints). As long as the passwords are only viewable by staff who need to see them to do there job then there is no breech. However in saying that a Dodo staff member can not access your file on their system without your permission.

I would speak to their customer relation departement and voice your concerns about the lost emails.

As others have said there are companies out there who see more private information than your ISP address.

[Yaw]

Quote:

Originally Posted by Nickxb

As long as the passwords are only viewable by staff who need to see them to do there job then there is no breech.

I have spoken to their customer relations department and I too work in the insurance industry and it is through that training that i realise how major an issue this is. The statement quoted above speaks for itself, They DO NOT NEED my password to do thier job.

As previously stated I have taken the matter up with the Fedral Privacy Commisioner and they have sent me a letter saying they find that my complaint does warrant investigation but as they have a large case load it will be approx 12 months to get around to it, but if you care to check thier website out you will see if they do not think it is a complaint that actually breaches the privacy laws they would have declined to investigate, So I am still waiting and will let you all know the outcome when it happens.

[Quasi]

The only thing I like about DODO is I enjoy perving on Tara Reid.....apart from that I wouldn't bother with them.

[Perana]

Do you realise that they probably also have access to your address, phone number, bank account details etc etc.. But oh noes them having access to your internet password is the worst privacy issue ever.....

BTW from experience Ozemail (before the takeover by iinet) and iinet ask for internet passwords for identification. I see no issue with it really. I'd only be worried if I was doing something illegal.

[Yaw]

Quote:

Originally Posted by Perana XR8

Do you realise that they probably also have access to your address, phone number, bank account details etc etc.. But oh noes them having access to your internet password is the worst privacy issue ever.....

BTW from experience Ozemail (before the takeover by iinet) and iinet ask for internet passwords for identification. I see no issue with it really. I'd only be worried if I was doing something illegal.

Would you feel the same way if your bank teller could see your PIN number on the screen in front of them rather than you having the privacy to input it into a key pad so the staff themselves never know what it is?

This is the exact same issue.

And just because another company does the same thing that just shows the industry as a whole is disregarding these laws.

[Nickxb]

Quote:

Originally Posted by Yaw

Would you feel the same way if your bank teller could see your PIN number on the screen in front of them rather than you having the privacy to input it into a key pad so the staff themselves never know what it is?

This is the exact same issue.

And just because another company does the same thing that just shows the industry as a whole is disregarding these laws.

Most bank tellers can see your phone banking password and if they wanted to they could easily trasfer money from your account to theirs...... however if they did there would a huge investigation done by that bank.

you say they dont need it for their job but how do you know that? If they relase your password to anyone outside of the company (apart from you) then there is a breech.

Anyway 12 months for your case to be heard is a bit rough....

[Perana]

Quote:

Originally Posted by Yaw

Would you feel the same way if your bank teller could see your PIN number on the screen in front of them rather than you having the privacy to input it into a key pad so the staff themselves never know what it is?

This is the exact same issue.

And just because another company does the same thing that just shows the industry as a whole is disregarding these laws.

You mean those camera's they have at the ATM's can't see you put in your PIN.. damn...

Anyway thats beside the point. If they don't need your Internet password to do their job how do you suppose they confirm that you are actually who you say you are when calling. Would you rather that they just take your word for it that you are who you say you are.. I know what I would rather.

[Yaw]

Quote:

Originally Posted by Perana XR8

You mean those camera's they have at the ATM's can't see you put in your PIN.. damn...

Anyway thats beside the point. If they don't need your Internet password to do their job how do you suppose they confirm that you are actually who you say you are when calling. Would you rather that they just take your word for it that you are who you say you are.. I know what I would rather.

The same way I do when a customer calls at the insurance comapny I work at, there are lots of other idetifiers they can use, Full name, DOB, Address, account number, account name, last transaction date for payment, etc, etc, etc. a combination of any of those 3 is sufficent to satisfy privacy.

As for using an ATM, I also cover my hand so camera's cannot see that as it is widely advised on ATM machines to do so.

[Perana]

Quote:

Full name, DOB, Address, account number, account name, last transaction date for payment

You could argue that using any of these the call centre worker could access your private information without your permission as well..

With your Internet connection even without knowing your password most if not all ISP's offer a password reset feature, which a CSR could use to get a password anyway. If you are that worried about it i suggest that each time after you have called the call centre you change your password using the on-line password changer tool that most if not all ISP's offer.

[Yaw]

Quote:

Originally Posted by Perana XR8

You could argue that using any of these the call centre worker could access your private information without your permission as well..

With your Internet connection even without knowing your password most if not all ISP's offer a password reset feature, which a CSR could use to get a password anyway. If you are that worried about it i suggest that each time after you have called the call centre you change your password using the on-line password changer tool that most if not all ISP's offer.

Tell me, would you buy a car from a dealer or someone else that insisited they kept a set of keys for car you just purchased?
The whole point of the privacy laws is to protect you against the sort of things I am talking about.
Now Hypothetically if an customer service operator can look up an account as I am sure they must be able to do much I like I can search for a policy in the data base because the customer has lost or misplaced thier info it means these random searches could be used by any operator employed there. Now if as you suggest I change my password after each time i talk to them, they could just look it up again in a random search, or even if i had not contacted them, they may just search for a surname that starts with y and first name that starts with b, and bring up your account to find a random persons password. Or even worse could bring up one of thier buisness clients accounts and may potentially have access to internal memo's that may have massive legal ramifications to that company. So yes I would much rather they asked me a series of 3 or 4 other identifers that are available to them to use. Just because they sell and administrate the product does not give them the right to breach your privacy by making it available to thier staff that could potentially missue use it.
At least by doing it using the method I suggest thier staff would have to just guess at what other places you do buisness with to make it of any use to them.

[honer]

I've been in the ISP industry nearly all my working life and I can tell you that asking for password is generally the primary form of identification. The only ISP I know that doesn't do this is Telstra, due to their account system being hacked a couple times a while back and having their entire username/password list posted on a website.

You had a couple E-Mails go missing from your Inbox (I hope your referring to Webmail type system here as well, your ISP can't delete stuff from your Outlook/Outlook Express type programs even if they wanted) And you automatically think Dodo went in and deleted a few random ones ?

So stop being a typical Internet 'luser' that rings up ISP's telling them they are going to the TIO. If you don't like the way its done, go to Telstra.

Hell, even if you didn't tell them your password, they'll probably still have access to it !

[Nickxb]

Quote:

Originally Posted by Yaw

Tell me, would you buy a car from a dealer or someone else that insisited they kept a set of keys for car you just purchased?
The whole point of the privacy laws is to protect you against the sort of things I am talking about.
Now Hypothetically if an customer service operator can look up an account as I am sure they must be able to do much I like I can search for a policy in the data base because the customer has lost or misplaced thier info it means these random searches could be used by any operator employed there. Now if as you suggest I change my password after each time i talk to them, they could just look it up again in a random search, or even if i had not contacted them, they may just search for a surname that starts with y and first name that starts with b, and bring up your account to find a random persons password. Or even worse could bring up one of thier buisness clients accounts and may potentially have access to internal memo's that may have massive legal ramifications to that company. So yes I would much rather they asked me a series of 3 or 4 other identifers that are available to them to use. Just because they sell and administrate the product does not give them the right to breach your privacy by making it available to thier staff that could potentially missue use it.
At least by doing it using the method I suggest thier staff would have to just guess at what other places you do buisness with to make it of any use to them.

Its not a privacy breech if it doesn't breech the privacy laws...... Just because you dont like that they can access it doesn't mean that its illegal.

[Unco]

optus have never asked me for my password. when staff members have to ask for clients passwords, it reflects somebody's lack of attention to detail at the time the policies were implemented.

yes, every ISP has access to their client's passwords. but it's about making people feel secure. having someone from an ISP call center located either in Australia or overseas asking me for my email password is definitely something to be concerned about.

[Perana]

Optus doesn't do it either. Reason being is their current system doesnt support doing so.

[Rodp]

Quote:

Originally Posted by Yaw

Tell me, would you buy a car from a dealer or someone else that insisited they kept a set of keys for car you just purchased?
The whole point of the privacy laws is to protect you against the sort of things I am talking about.

Your analogy's seem a little too extreme. Pin numbers to banking accounts and keys to your car are a hell of a lot different to the password of my ISP account.

The identifiers used other than a password could easily be collected for my account (for instance) and used to gain access by someone outside of the ISP loop and I'd consider that a lot more dangerous than those within the organisation.

If you're worried about e-mail being read, you'll find that it can be read without your password on most commercial e-mail systems.

Sounds like a storm in a tea-cup to me.

[sgt_doofey]

Quote:

Originally Posted by Rodp

Sounds like a storm in a tea-cup to me.

+1.

Personally, having access to information of a more sensitive nature than ISP passwords and personal e-mails, at work, I agree. Anybody want some Tax File Numbers, Bank account details or people's addresses?
TFN's are probably the most highly guarded piece of information when it comes to the privacy laws. When we receive a TFN from a client, it is recorded in the system, which it then doesn't show it to the user. The piece of paper with the TFN on it then has to be modified so that the TFN is unreadable before being filed away.
And you're worried about your password for your internet connection and e-mail in case a staff member decides to read your best jokes before you do?... Sigh.

[Yaw]

Quote:

Originally Posted by sgt_doofey

+1.

Personally, having access to information of a more sensitive nature than ISP passwords and personal e-mails, at work, I agree. Anybody want some Tax File Numbers, Bank account details or people's addresses?
TFN's are probably the most highly guarded piece of information when it comes to the privacy laws. When we receive a TFN from a client, it is recorded in the system, which it then doesn't show it to the user. The piece of paper with the TFN on it then has to be modified so that the TFN is unreadable before being filed away.
And you're worried about your password for your internet connection and e-mail in case a staff member decides to read your best jokes before you do?... Sigh.

It seems everyone is missing the big picture, i have said this before. I really do not care as there is nothing sensitive in my emails for someone looking at them. FACT is NO ONE but me should be able to see them. Weather it be an email to a friend saying hey great party last night or a personal email to a lover, THEY ARE NO ONE elses buisness, I pay for a service and just because they administrate it does not give them the right to have access or even give that situation a potential for it to happen.

What I will say is this, I am not going to reply to this again until I have an out come from the Investigation from the Privacy Commisioner. I will then reply and if like I I think I am correct about my interpretation of the privacy laws you will see I.S.P's with this approach have to change thier ways.

If however I am not correct I will also publish the result of the investigation and write DODO a public appology and publish that in the Australian Newspaper.
I expect the investigation to be approx Feb 2008 as I was told about 12 months time.

[sgt_doofey]

So, you are more worried about the e-mails than say the credit card details they have for paying for your connection?

[naddis01]

They wouldnt even need your password to look up your account anyway would they?

[robbo_yobbo]

chances are they are probably already looking at your pasword on the screen before they ask, and already know it, they are only asking to make sure you are you, and that YOU know the pasword.

They're not breaching the privacy act by asking, unless that info is missused.
They have to take REASONABLE steps. "reasonable steps" is not a quantifyable guidline and there is therefore no right or wrong, just a big grey area. If thier not having any problems with the info ending up where it shouldnt be or being misused, then there is no reason it cannot be argued that the steps they are taking are anything short of reasonable

in a similar situation, I had a video ezy staff member tell my mate my pasword so he could hire a dvd on my card a few years back.
I told him not to bother returning the dvd's, and when blockbuster got to the point of debt collection and marked my creit rating, I threatened legal action because they missused my info and gave it to the public.
They swiftly fixed the credit mark with baycorp and I earned a handy $4k sympathy cash and 2yrs free movie hire to avoid a fuss! thats an example of privacy breech!

[Rodp]

Quote:

Originally Posted by Yaw

It seems everyone is missing the big picture, i have said this before. I really do not care as there is nothing sensitive in my emails for someone looking at them. FACT is NO ONE but me should be able to see them. Weather it be an email to a friend saying hey great party last night or a personal email to a lover, THEY ARE NO ONE elses buisness, I pay for a service and just because they administrate it does not give them the right to have access or even give that situation a potential for it to happen.

You have at least a couple of alternatives.

- Don't send email.
- Use a PGP key or some other form of encryption.

Your password isn't required to read email in your inbox, through an ISP or most likely through an email account you hold at work. The fact that they administer a system requires the system to be transparent to them.

Given the amount of emails that come into Dodo, the chances of them focusing on reading yours is infinitely small. Do they run a filter over it? More than likely. Are they entitled to? Absolutely.

If the investigation finds that the ability of Dodo to read email is against the Privacy act then it may well be a landmark finding since there's more than likely no ISP on the planet where email can't be read by an administrator without the even the need for your password. Email software will have to be re-written so that it can only be read by the recipient, not going to happen.

[DivHunter]

Yaw is not paranoid nor in any system not just ISPs should a helpdesk require an account password. If they do to supposedly do their job the system has been set-up poorly and it IS a major security issue to that system no matter how unimportant you believe the information to be.

'She'll be right' shouldn't really apply to personal information that makes identity theft that much easier.