O2 GDPR Letter


Telefónica UK Limited
Correspondence Department
PO BOX 694
Winchester
SO23 5AP

DPO@O2.com

Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have recently been the victim of WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that O2 supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network.” This cannot happen if I access the same website using a WiFi connection.

In my own case I became subscribed to ..

[Give details of your own case. Include the name of the company, the name of the service, the amount you lost, and any problems you had obtaining a refund.]

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that O2 may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without O2 compromising my phone number in this way.

If mine were an isolated case I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem take a look at these links:

https://uk.trustpilot.com/review/lasevia.com

https://uk.trustpilot.com/review/www.ferdamia.com

https://uk.trustpilot.com/review/sb7mobile.com

https://uk.trustpilot.com/review/nuyoo.co

https://uk.trustpilot.com/review/fitguru.tv

https://community.o2.co.uk/t5/Pay-Monthly/Nexgen-Ltd/m-p/1197558

https://community.o2.co.uk/t5/forums/searchpage/tab/message?q=payforitsucks&sort_by=-topicPostDate&collapse_discussion=true

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

I think you’ll agree that the scale of the problem is quite shocking and that something needs to be done.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to, Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request on the O2 forum for a similar measure has so far fallen on deaf ears. https://community.o2.co.uk/t5/Discussions-and-Feedback/Premium-rate-services-petition-to-O2/td-p/1188385/highlight/false

It is largely as a result of your failure to protect customers from harm that I am making this complaint. Under the Payforit rules, customers are supposed to be able to “escalate” Payforit disputes to you in the event that they are unable to get a satisfactory resolution from the “service provider”. This method of redress is being routinely denied by your Customer Services staff.

Payforit is a method of charge to mobile. The words of reassurance on your website ring rather hollow.

Rogue code embedded in a web page can result in a consumer’s phone number being passed to a third party, via the Payforit API, without them even being aware that this has happened. I believe that the disclosure of consumers’ phone numbers to third parties by the Payforit API does not fall under the legitimate interests basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers, but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening!

There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumer’s phone number is not provided by the network. Ceasing to compromise consumers’ phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy. It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it, are entirely different.

In addition to asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [Your Phone No.].

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR Template Letter for GiffGaff


Data Protection Officer
Giffgaff Ltd
Belmont House
Belmont Road
Uxbridge
UB8 1HE

Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have been helping numerous consumers who have been the victim of WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that GiffGaff supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network.” This cannot happen if I access the same website using a WiFi connection.

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that GiffGaff may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without GiffGaff compromising my phone number in this way.

We are not dealing with a few isolated cases here. If we were I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem on the GiffGaff network, follow this link: https://community.giffgaff.com/t5/forums/searchpage/tab/message?q=payforit&sort_by=-topicPostDate&collapse_discussion=true

I think you’ll agree that the scale of the problem, on GiffGaff’s network at least, is quite shocking!

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to, Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request for GiffGaff to take similar measures has fallen on deaf ears! https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts?c=1#c86719 It is largely as a result of your failure to protect members from harm that I am making this complaint.

Rogue code embedded in a web page can result in a consumer’s phone number being passed to a third party, via the Payforit API, without them even being aware that this has happened. I believe that the disclosure of consumers’ phone numbers to third parties by the Payforit API does not fall under the legitimate interests basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers, but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening! There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumer’s phone number is not provided by the network. Ceasing to compromise consumers’ phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy. It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it, are entirely different.

In addition to asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number 07803 XXXXXX.

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR issues

It has become apparent that the passing of phone numbers via the Payforit API could be considered a breach of GDPR. There is no guarantee that such a challenge will succeed, but I can see no good reason not to try. The regulations around this are complex and are often misunderstood. Victims of Payforit scams are often convinced that a breach of GDPR has occurred because they never gave explicit consent for their phone number to be given to third parties. If only it were so simple!

There are six bases on which personal data may be lawfully processed under GDPR. These are described as follows by the ICO:

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The two bases most likely to apply are “Consent” and “Legitimate interests”. As explicit consent has not been sought, it seems inevitable that the networks will try to justify their processing using the “legitimate interests” basis.

This is where things get a bit complicated. The networks do have legitimate interests in passing your phone number to third parties when, for example, you use a directory enquiries service, make a text donation to Children in Need, or even make an international call which is handled by a third party. This use is entirely legitimate. Our phone service would cease to function if data wasn’t transferred in this way.

The case of the Payforit API is different. The processing is not necessary, as it is quite possible to sign up for a phone-paid service without your number being supplied by your network.

The ICO requires that for use of the “legitimate interests” basis a three part test is applied:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

The networks are likely to argue that reducing “friction” in the purchase of Phone-paid Services is a legitimate interest, so the Purpose test will be passed.

The Necessity test is more complex. It is NOT necessary for the networks to pass phone numbers to third parties through the API. They do it because it makes things a little simpler for the consumer. However it is not necessary.

The Balancing test is where I believe the networks will lose the argument. There is a great deal of evidence that the disclosure of consumers’ phone numbers through the Payforit API is causing consumer harm. This harm surely outweighs the minor inconvenience of an extra step for consumers who really want to sign up for these services.

Indeed, it is hard to see any reason why consumers should not be allowed to opt-out of having their phone numbers passed to the API.

It is likely that the networks will try to confuse the issue by talking about the more general issue of passing data to third parties. In any complaint it will be necessary to be absolutely clear that we are talking about the Payforit API and nothing else.

GiffGaff Letter

I have drafted a letter which has been sent to GiffGaff’s Data Protection Officer, highlighting my concerns. They are currently considering their position. I expect to be able to post their response by the end of March.

This is a Microsoft Word document which you can download and adapt to your needs. The HTML version is here.

O2 Letter

This is a letter which you can use to make a GDPR complaint if you have been defrauded via Payforit. You will, of course, need to amend it to suit your own situation, but it contains the essential framework to ensure your complaint is taken seriously.

This is a Microsoft Word document which you can download and adapt to your needs. The HTML version is here.