Gossip could be your undoing

By CHRIS DANIELS

Conspiracy theorists fear the huge computer mainframe - the state-owned database humming away, deep in the bowels of bureaucracy.

Their fears, may however, be misplaced, as your privacy is more likely to be threatened somewhat closer to home. The friendly corner store owner, staff at your gym and your hairdresser all probably have more information about you - and are more likely to blurt it out to anyone who asks.

The amount of information held about you at a number of different businesses - shops, video stores, takeaway bars - may be tiny, but privacy breaches at this local level can have a pernicious effect.

Large companies, Government departments and agencies have all been forced to address privacy concerns. Not so your neighbourhood shops - the place you rent videos, order hamburgers, buy flowers and milk.

When Herald reporters tried to gather as much information as they could about Auckland woman Lisa Barber, they were frustrated by many big corporations.

It was a different story at a local level, though, with smaller shops and businesses all too willing to divulge Lisa's private information. With minimal prompting, Lisa's local video store sent the Herald a fax listing the past 10 movies she had hired. Careless staff are not the only reason to fear privacy breaches from small companies. Electronic databases at this level are rarely, if ever, well protected from hackers.

An internet security expert and Otago University academic, Hank Wolfe, said the smaller the company, the less chance there was of it having a secure database.

"Probably 65 per cent of big businesses' databases are not secure and they've got the money to spend on it," he said. "They see it as an overhead item - what do you think the small shopkeeper is going to see it as? They're not even going to waste their time."

The local video store, for instance, keeps the titles of movies on a database, linked to the name of customers who have hired them. Obviously it needs to keep this information, to make sure customers bring back the tapes.

Ponsonby Civic Video owner Paul Keller said the company used database information to target lapsed renters but only occasionally to send advertising to customers - for instance if someone had not hired a movie for a long time.

Information on customers dating back to 1995 was stored on the shop's database.

While the information on these small databases is not shared with others, the growing popularity of customer loyalty schemes has added a new layer of personal information to that which is already gathered by corporate New Zealand.

Smaller companies can now combine under the umbrella of a loyalty scheme and, while promoting their business, gather valuable consumer data.

But those who run loyalty schemes are quick to defend their privacy policies.

AA Developments general manager Noel Rugg said the AA stored AA Rewards scheme information as numbers, not names.

And while the AA was often asked for access to its membership lists, these requests were refused, with many of the companies instead told to advertise in the AA's monthly magazine, which was sent to all the AA members.

"It is sold to no one, names and addresses are supplied to no one, including the partners," he said.

Rewards scheme partners had access only to their own data, Rugg said. This meant BP could not find out who had been buying Resene paint, or using the House of Travel, for instance.

Flybuys is another, more popular loyalty scheme, which has gained more than 1.6 million members since it began in 1996.

Loyalty New Zealand, which runs Flybuys, said it had "a strict privacy policy" that meant individual member's details were not passed on to any other organisation, including the companies that accepted the cards.

Wolfe said while small companies held small amounts of information and did not share it with other organisations, they were more likely to be "helpful" and pass the information on if asked.

Small businesses often saw no need to protect stored information. "If you start up a mom and pop store, all you're concerned about is selling milk," said Wolfe.

"You have to keep records to keep the IRD off your back and you have an accountant to do that.

"But when it comes to other issues, your focus is not there.

"[The attitude is] 'Why waste money on things that aren't going to help us? We don't need to have special encryption software to protect our clients'."

Wolfe said the risk the apparatus of the state posed to privacy should not be ignored.

But the small amount of knowledge gleaned from one small shop could be just as important, because such information gathered from five similar shops could produce a comprehensive - and very public - picture of you.

Herald Online feature: Privacy