Over the weekend, the Data Protection Commissioner announced that they were considering asking mobile phone companies to suspend the ability of mobile phone subscribers to access their voicemail remotely by dialling in to it from other phones.
[clarification: the DPC has issued a clarification to this which we have detailed in this subsequent post]
This is in response to the News of the World scandals which have highlighted the risks associated with remote access to voice mail and the requirements under Regulation 4(4) of the new Electronic Privacy regulations which came into effect on the 1st of July. Regulation 4(4) requires telecommunications service providers to notify their users as to any risks to security in the network and the steps to be taken to mitigate those risks, along with details of any costs associated with those steps.
Given that mobile phone contracts are currently provided with voice mail systems which can be accessed remotely by dialling into a variant of the mobile phone number and keying in a default pin code, which is generic to ALL users, and given the high profile security risks highlighted by the News of the World scandal, there is a clear risk to the security of personal data (voicemail messages) in the way the system currently works.
However, the Commissioner’s stance may be somewhat draconian and dogmatic. In the face of a clear security risk they are asking for the service to be suspended. In the words of Gary Davis, Deputy Data Protection Commissioner:
“Who does it serve to be able to access the messages left on your mobile phone?
Individuals need to take responsibility for the security of their own data and take steps to protect it, in the same way as they secure other items of value that they own like their car, their home, or their credit cards. Failure to do so will result in the facility to access voicemail being taken away from them. So,
- If you lose your phone you won’t be able to access your voice mails until you get a replacement phone
- If you leave your phone at home you won’t be able to access your voice mails until you get home and get your phone.
- If your battery dies you won’t be able to access your voice mails until you get the phone charged
Having both had my phone stolen once and having left my phone behind me at home or in the office on countless occasions, and having had my phone battery die while out and about, I’ve often made use of the ability to dial in and change my outgoing message and listen to the messages that have been left to me from a payphone or a colleagues mobile.
While these are conveniences, they do answer the Deputy Commissioner’s question as to who would need to access messages remotely. The real question is how, when remote access is required in certain circumstances, how can that be achieved in a secure and user-friendly manner?
- Can operators do more to encourage and educate people on how to change their voicemail pass codes?
- Can operators assign random pass codes to accounts rather than relying on a default?
- Could the remote access system be made “on request”, so that if you lose your phone you can request remote access to be permitted, at which point a pin code could be generated for the individual?
- Could remote access be switched to being a requested value added service which people would need to pay (a little) extra to have?
Ultimately, the Commissioner’s response to the situation highlights the need for individuals to take responsibility for their own personal data security in a way that suits their personal needs or have phone operators or the Commissioner take a “one-size fits all” response to identified weaknesses. This is in keeping with the balance that is at the core of Data Protection – the need to balance the rights to privacy of the individual against the interests of companies and the capability of technology.