Thursday, 26 May 2011

I’m sick of spam aimed at corporate subscribers, too

If you’ve got a corporate mobile phone, you may recently have received an unsolicited text message from some really dodgy outfit. I don’t know who they are, but they use the number +447821142591 to send me their spam from. The first text, which I received a couple of weeks ago, advised me that: According to our records you may entitled to £3750 for the accident you had. For more info reply CLAIM to this message. To opt out text STOP.

I have not had an accident, nor have I ever told anyone that I have had an accident. However, I decided to play along by replying CLAIM to see what happened next. Within a few minutes an advisor phoned me to take my details. It was clear that the advisor did not know who he was calling, and when pressed he explained that he had been provided with my details from a third party. I told him that I was really unhappy about having received the text, I wanted future texts to stop, I wanted to know who had supplied him with my number, and that I would be complaining to his manager about the unsolicited call. Unsurprisingly, he immediately ended the call. I never got to speak to his manager. Nor did he tell me what outfit he worked for.

Today’s text was a bit blunter: You still have not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP.

What can corporate subscribers do to stop this stuff being sent in the first place?

Well, I could log onto the Information Commissioner’s website, read and click on the stuff that’s on the banner at top of the page telling me something about cookies, and then navigate my way to their guidance. The ICO’s banner reads: On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

And then there’s a tick box which, once ticked, indicates that: I accept cookies from this site.

Phil Lee from Field Fisher Waterhouse has generously explained to a number of LinkedIn readers that : (i) if you don't consent to the ICO's banner, then it only drops a 'strictly necessary' session cookie (no other cookie); (ii) if you do consent, then it also drops a first party cookie to remember your consent and a third party analytics cookie; and (iii) if you later want to opt out, then I suppose you have to delete the first party consent cookie by clearing your browser cache.

I have not heard Phil comment on whether this is the best way of doing things - but full marks to the ICO for having possibly the first (and only) website in the European Union which tries to comply with the new cookie rules. That takes some courage.

Anyway, back to the plot.

The Commissioner’s guidance on such spam makes it clear that the relevant regulations are themselves defective, in that they only prohibit the sensing of unsolicited text messages to individuals, not to corporate subscribers. Some bitter irony this has turned out to be. I remember being one of those who were asked by the DTI (as it then was) to comment on what became The Privacy and Electronic Communications Regulations 2003. I pointed out this anomaly and explained that I was sure that all Service Providers would really prefer the regulations to prohibit the sending of unsolicited text messages to all subscribers, not just individual subscribers. However, the DTI disagreed. They weren’t in a goldplating mood, and probably didn’t think that business people needed to be protected like this. I do remember that the bright civil servant who was tasked with this issue didn’t have a corporate phone herself.

In terms of what can be done to reduce the likelihood of corporate phones receiving future unsolicited messages, there’s probably not much that can be done. We could try instructing staff to register their phone numbers with the Telephone Preference Service, but I’m not really sure how much good that would do.

I suspect that the telephone managers of some of the larger corporate subscribers would want their service provider to register corporate devices with the TPS as a matter of procedure rather than requesting their corporate to do it on an individual basis. But I’m not sure how easy this currently is. There must be a way though, if there’s a sufficient demand.

What I am sure of is that it’s not the service providers themselves who are providing the numbers to these grubby spam merchants. I just wish I knew who they were buying their databases from.