Data Protection Officer
Dear Sir or Madam
Information rights concern – Payforit API
I am concerned that you are not handling my personal information properly.
My concerns relate to the operation of the Payforit payment mechanism on your network. I have been helping numerous consumers who have been the victim of WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that GiffGaff supply the consumer’s phone number to the API.
In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network. “. This cannot happen if I access the same website using a WiFi connection.
I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that GiffGaff may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without GiffGaff compromising my phone number in this way.
We are not dealing with a few isolated cases here. If we were I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem on the GiffGaff network, follow this link: https://community.giffgaff.com/t5/forums/searchpage/tab/message?q=payforit&sort_by=-topicPostDate&collapse_discussion=true
I think you’ll agree that the scale of the problem, on GiffGaff’s network at least, is quite shocking!
I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.
It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request for GiffGaff to take similar measures has fallen on deaf ears! https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts?c=1#c86719 It is largely as a result of your failure to protect members from harm that I am making this complaint.
Rogue code embedded in a web page can result in a consumers phone number being passed to a third party, via the Payforit API without them even being aware that this has happened. I believe that the disclosure of consumers phone numbers to third parties by the Payforit API does not fall under the legitimate interest basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers but Payforit fraud could be virtually eliminated.
Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.
The ICO says the following about the legitimate interests basis: (my comments in italics)
· It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening! There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.
· If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.
· There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.
· The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
· The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumers phone number is not provided by the network. Ceasing to compromise consumers phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.
· You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.
· Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.
· You must include details of your legitimate interests in your privacy
In addition to asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number 07803 XXXXXX.
I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.