Gallery

What companies know about you

Posted on 15 Dec 2008 at 11:01

How much personal data are companies prepared to admit they hold on you? PC Pro puts the squeeze on a selection of IT-related firms.

Under the UK's Data Protection Act, we have a right to access the personal data organisations hold on us. Whether companies actually choose to obey or comply with the spirit of the law is another matter altogether.

To find out just how much data companies were prepared to admit they hold on us, PC Pro's staff have made formal Subject Access Requests to a wide range of IT-related companies, including ISPs, mobile phone networks and search engines. By law, companies have 40 days to comply, and can levy a fee of £10 to fulfil searches. The results were very mixed indeed. Below we reveal exactly what they told us.

ISPs

In theory, ISPs could hold vast swathes of personal data about their subscribers, including the times they logged on and the sites they visited. But would any be prepared to divulge what details they're actually holding?

Zen Internet, which recently won our Best ISP Award for the fifth consecutive year, was both prompt and comprehensive in its reply, and didn't demand payment. It emailed our Zen customer a full list of notes from his account, detailing orders placed, conversations with customer support staff, and technical details of his line.

The company also sent our man a spreadsheet of authentication logs dating back to January 2007, which detailed the time and date of each internet session, its duration, the assigned IP address.

The email that accompanied this data claimed that Zen does "not log websites visited or data content downloaded", nor keep records of emails sent to or from the account. The email also stated that the company doesn't pass on customers' details unless required to by law, adding reassuringly: "This has not happened on your account, as we have not received any notices along these lines." Valuable information to have if a copyright holder came asking for money.

Other ISPs were less forthcoming. Virgin Media demanded a payment to carry out the request, but at the time of going to press had failed to deliver the goods - or bank the cheque - even though it was past the 40-day deadline.

Mobile phone networks

The mobile networks were a mixed bag. O2 failed even to acknowledge one emailed request, but was far more forthcoming when another member of staff wrote to the company. The network phoned the customer back and asked for a fee to undertake the search, which was duly sent, and he received a full dossier within a matter of days.

This contained full details of activity on his account since he joined the network in 2002, including details of tariffs, handset upgrades, payment history, and transcripts of email correspondence with O2 staff. The dossier included details of adjustments to "loyalty points" after each upgrade, and O2's assessment of how high risk different handsets were, presumably for insurance purposes. It didn't include any details of calls made to or from our man's phone, however.

Although O2 did send the package by a Recorded Delivery that had to be signed for, the dossier included printed details of our man's address, date of birth, security question and answer (which happened to be his mother's maiden name), and full bank sort code and account number - a full house of information required for ID theft, if that envelope had fallen into the wrong hands.

Orange had failed to reply to two requests made using its dedicated online form for Subject Access Requests at the time of going to press.

Search engines

Our staff practically bombarded Google with requests and the search monolith gave full responses to six of them. That's far more impressive than the actual content of the reports, which merely provided a list of Google services they belonged to and the different IP addresses they've used to access their Google account. There's no search history, details of email correspondence or any other trace of personal data.