Thursday, 29 August 2013

Helpscout: Data Protection questions

There are a lot of aspects of the Data Protection Act, or more specifically the way it gets used, with which I disagree. It is very much like the Health & Safety laws, conceived to tackle factory accidents, and turned into a crazy industry protecting you from paper cuts in offices. The DPA was there to tackle the new usage of computer based databases of people's details which were being collected and sold - mainly around credit reference agencies. Now the DPA gets applied to all sorts of things, and gets used as an excuse for much more.

On one of my mailing lists I came across a slightly worrying story which is where DPA usage and ICO views may make sense, perhaps. So, all of this post is based on what I have seen reported on the mailing list and not first hand. However, it does raise a few questions.

The issue is around a product called Helpscout. It appears to be a customer support system for handling incoming emails to a support desk and tracking them properly. As with many such systems there are a lot of features and a lot of bloat, as I understand it. One of the clever features is that it looks up email addresses on various social networks, e.g. facebook, twitter, and so on, and collects publicly available personal information and associates it with the ticket. It means people handling the ticket get a wealth of information about the originator automatically. You can see how they think it is a good idea. For some people it could be very useful, I am sure.

There are, immediately, some issues. It means users of this system are collecting and processing a load of data which they don't actually need. That goes against one of the Data Protection Principles. In this particular case the user did not want the data either. So the first question revolves around the collection and use of such data which is public information (published on the likes of facebook). Is that valid? To be honest, I don't know; after all, at any time, you could go and look up details on facebook yourself, so how is copying it to your own database any different? From a DPA point of view it may be valid or may not be, no idea. The suppliers of the system are adamant that it is valid to do this in the UK. They even said "In the end, neither you, nor I, nor the IC's office (probably not the person you talked to) would be considered legally qualified to make a judgement on the matter."

But the far bigger issue is that, in checking with facebook, etc., the system sends the end user's email address as the search term. So facebook, etc., are told a new email address, one they may not even have seen before.

So this raises the issue of whether an email address, on its own, is personal information. I believe this is one of those grey areas even for the ICO. Of course, the very fact that it can be used to extract all of this useful data from social media kind of proves it is! I think the general view is an email address like adrian.kennard@whatever is personal information, because it has my name, but as Paul in my office points out, if he was to use adrian.kennard@hisdomain then that would not be personal information as it is not his name!

The problem, as ever, is that one bit of information is often not personal information on its own, as it is not able to identify an individual. E.g. "Eyes: blue" on its own is not personal information. But associate it with a name and address and now it is. It is the linking of things together that turns a collection of information and associations into personal information. So protecting something which, on its own, is not personal information may be important.

Of course it is not that simple; in this case it could become sensitive personal data if the social media sites work out where the requests are coming from. It sounds like the system pipes the request through yet another third party so they don't, but all that means is that another third party can tell instead of facebook. The particular support system is being run for a gay website. Now, associating an email address with visiting a gay web site surely must count as personal information? It could easily lead to targeted adverts to friends of the person. I know many people are quite open about their sexual preferences, but they have the right not to be if they want.
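One way a site operator could confirm this kind of data flow on their own side, as an added example that is not code from this post or from Helpscout: scan the outbound proxy log of the support system for ticket submitters' addresses appearing in requests to third-party hosts, including the relay described above. The log format, hostnames and addresses below are constructed for the example, and the hypothetical first-party domain is assumed.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches a plain email address, including plus-addressed local parts.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: addresses that opened tickets at the support desk.
TICKET_EMAILS = {"alan+viagrasupplier@example.org", "adrian.kennard@example.net"}

# Constructed sample: outbound proxy log, one "timestamp method url" per line.
OUTBOUND_LOG = """\
2013-08-29T10:01:02Z GET https://graph.example-social.com/search?q=alan%2Bviagrasupplier%40example.org&type=user
2013-08-29T10:01:03Z GET https://enrich.example-relay.com/v1/lookup?email=adrian.kennard%40example.net
2013-08-29T10:01:04Z GET https://cdn.example-social.com/static/logo.png
2013-08-29T10:01:05Z GET https://api.example-relay.com/v1/lookup?email=support%40ourcompany.example
"""

# Hypothetical first-party domain; requests to it are not third-party disclosures.
FIRST_PARTY = {"ourcompany.example"}


def find_email_leaks(log_text, ticket_emails, first_party_domains):
    """Return (email, host) for every request to a third-party host whose URL
    carries a ticket submitter's address, in log order."""
    wanted = {e.lower() for e in ticket_emails}
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        host = (urlsplit(url).hostname or "").lower()
        if host in first_party_domains or any(
            host.endswith("." + d) for d in first_party_domains
        ):
            continue
        # Percent-decode so %40 becomes @ and %2B becomes +; a bare '+' is kept
        # as-is (unquote, unlike parse_qs, does not turn it into a space).
        decoded = unquote(url)
        for addr in EMAIL_RE.findall(decoded):
            if addr.lower() in wanted:
                leaks.append((addr.lower(), host))
    return leaks


if __name__ == "__main__":
    for email, host in find_email_leaks(OUTBOUND_LOG, TICKET_EMAILS, FIRST_PARTY):
        print(f"ticket address {email} sent to third party {host}")
```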

Sadly the providers of Helpscout seem oblivious to this issue. They refuse to allow the feature to be turned off and are adamant that it is 100% legal in the UK. Apparently lots of other companies use it.

It seems the site will be dropping them because of this, and their intransigent attitude.


  1. Years ago, when working at a now closed printing company building a customer management system, I did propose adding additional fields for things such as "Customer spouse's name, Customer's children's names/ages" etc. Sounds intrusive, but this was the information that individual sales people knew (and had written down/recorded in Excel) for "small talk" and which helped tie a customer to a sales person (which we wanted to get away from by making all sales people on an "equal footing"). In the end, we decided not to go for it as the sales people (like many of them) don't like the idea of sharing their clients.

    I've got no idea what the ICO would think about it ("the information was given to a representative of the company and the DPA registration states we hold customer details electronically, so technically we are allowed to"), but it's another of those "grey areas".

  2. Given I use email addresses like alan+viagrasupplier@ there is certainly a potential for embarrassment if email addresses are leaked to social networks.

  3. Not only that, but in that specific example that is probably not just personal data but likely falls under the definition of sensitive personal data in the DPA. To quote the ICO website:

    Sensitive personal data means personal data consisting of information as to -
    (a) the racial or ethnic origin of the data subject,
    (b) his political opinions,
    (c) his religious beliefs or other beliefs of a similar nature,
    (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
    (e) his physical or mental health or condition,
    (f) his sexual life,
    (g) the commission or alleged commission by him of any offence, or
    (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

    The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate.

  4. "To be honest, I don't know, after all, at any time, you could go and look up details on facebook yourself, so how is copying it to your own database any different?"

    Normally the user should have the possibility of deleting older posts/images/entries on Facebook (Facebook might not be the best example of compliance with the European idea of privacy), but once copied to your own CRM, the user has absolutely no (easy) control/edit possibility (besides a formal procedure). But as you said, most users are unlikely to think that sending a single email to a company would be enough to have an entry created in the CRM and the company going NSA on you and dumping GB of embarrassing drunken pictures taken off facebook....

    Obviously, valuing my privacy, I don't have a Facebook account, but if I knew a company doing that, I might just create a few random emails and facebook accounts and dump a very large random picture database.
    Sounds like a possible DDoS vector; I'm not a facebook specialist but I suspect you could tag/copy large amounts of pics across accounts. From a few hundred bytes of email to a few GB of downloads looks like an impressive multiplication factor.

  5. Surely it can only pull the data if your Facebook etc. preferences are set to make the data publicly viewable.

    When you posted the data you had the option of deciding who it was shared to; if you've chosen to make it public then isn't that essentially consent for anyone to look at it?

    You *might* have a case against them for copying that data, but then it depends on what rights are assigned to that data when you post it: do Facebook claim ownership of it or is it still yours?

    I'm no expert on these things; it's questionable, sure, but illegal, maybe not.

    1. You are missing the point a bit. The whole point of the DPA is very much that you don't lose control of your personal data just because you have given it to one person (e.g. facebook). It does not suddenly become forever "public domain" with your having no say in it any more. But you are also missing the bigger point, as do helpscout, that the act of searching for this data means giving an email address to facebook, one which may not be for a facebook customer, but not then have it. Sending a support ticket to someone is not saying "give my email address to a load of third parties".

    2. Ah yes, not sure how I missed that last night; I'm going to blame being over tired. ;-)