Improper user data management policy can create threats to the privacy of your users. A leading laptop manufacturer and vendor has inadvertently provided an example of how not to manage your users' data.
Someone close to me recently purchased a new ThinkPad laptop from Lenovo. She made her order through the Lenovo Website. In the process, she had to fill out some information in a Web form, of course, including email address, shipping address, name, and a daytime telephone number.
All of this information was specific to her, with one exception: the daytime telephone number. That number was her work number. It is the same as the work number for all of her coworkers and her boss — the company's owner. The way to reach one person in particular at her place of employment is via an extension number.
In the process of completing the order, she was informed she would receive a confirmation email, and she was provided with a tracking number so she could check up on her package's progress on its way to her hands. She checked on it a couple of times a day, impatient for it to arrive. When it finally came, she was excited, of course — but she still had not received a confirmation email.
Then . . . at work one day, her boss told her he had received some confusing emails about a laptop purchase.
It seems that her boss had used that telephone number to make an order before, and had of course used his own email address at the time. When she ordered using the same telephone number, Lenovo used the shipping address she provided, but ignored the email address she used to complete the order process and sent the confirmation emails to the address already on file for that telephone number.
This turned out to be inconvenient in her case, but hardly damaging. That was just a matter of luck, however. For others, it could very well be far more problematic. If your telephone number is recent, and the previous user of that telephone number is still using the same email address he or she used before giving up that telephone number, he or she could get the details of your order. That would include your name, address, order number, and more.
Information like that could be used for a number of nefarious purposes, most of which involve being able to effectively steal your shipment by any of several different tactics. Worse yet, there may be times that you don't want your boss knowing about your private purchases. Some people really like to keep their private and professional lives separate, and Lenovo's user data management policies shouldn't violate that privacy.
It could be even worse. Have you ever noticed that when you order a pizza by telephone in the US, the pizza place might ask whether you live at an address they have on file? Like Lenovo, apparently, they keep track of user data based on telephone numbers.
If you know someone's cellular telephone number, though, and have the necessary skills, you can clone the cellphone and call local pizza places in the hopes of getting lucky and learning the person's address as well. This could be a significant security issue for people who are trying to avoid stalkers, abusive ex-husbands, and other dangerous people with an unhealthy interest in finding them. The same could be true of Lenovo's user data management policy.
In some cases, legitimately ordering from Lenovo could conceivably lead someone from which you're hiding directly to you, if you used to live with that person.
The lesson to take from this is at least two-fold:
- You might want to consider changing contact information when you end relationships — be they romantic, professional, or otherwise — on a bad note, to ensure your privacy when dealing with organizations that manage user data the same way Lenovo and your local pizza delivery store do.
- You should think very, very hard before you decide to base your entire user data management system off a single piece of contact information. You may be inadvertently violating your users' privacy. Depending on the consequences of such a violation, you may even open yourself up to liability lawsuits as a result of that kind of poor security design.
In the case of the Lenovo order, the problem could easily have been avoided by associating a password with the prior contact information, and require that password to be entered before revealing it to the user. If such a password could not be provided, default to using the contact information provided with the telephone number this time, instead.
The fact an unwarranted assumption was made that a single telephone number means a single email address for a single person was, frankly, an inexcusable lapse. Don't make the same mistake. In short, you should always verify identity before assuming it.