My father in law and I often have a debate around the issue of home safety. He is the typical 70 year old Indian man – ultra conservative, extremely value conscious and highly risk averse. He banks with Mattress Bank Pvt. Ltd. (and has definitely out-performed the market for the past few years). To give you some idea, he not only locks all the doors and windows, but then he puts wooden sticks behind them so that even if the thief were to somehow unlock the sliding doors and windows, the windows would still not open.
My in-laws live in a small house where everything they have bought in the last thirty years still resides in that house, and life the dubbawallas, have an intricate algorithm in their head to figure out where the blank video tape from the 1991 July 4th sale is stashed (and don’t get them in a discussion that VCRs are a thing of the past). So, if the thief were to break into their self-proclaimed Fort Knox, he would immediately either be intimidated by the sheer quantity of stuff, or simply trip over something and end up falling down and hurting himself. As an aside, that recently happened, when a burglar cut himself trying to sneak into the basement of a Boston home, and called 911. The police and ambulance came. He got treated on the spot and subsequently arrested. The aforementioned is indeed a true story.
Back to my father in law…Recently he got himself an industrial size paper shredder. The reason is fairly straightforward. He believes there is too much paperwork with very personal data that we tend to toss in trash, and someone could go through our garbage and find out personal information that could then be misused. I end up tearing up my personal mail that has any amount of personal data by hand into enough pieces so that someone has to truly struggle and dig through to try and make sense of that piece of paper.
But recently, I asked my father in law a simple question – “do you know how many people in this world actually know everything about you”. He was surprised by the question, and said “very few”. At that point, I told him that I would bet my year’s salary that there are easily hundreds of people, mostly in India (Gurgaon, Bangalore and Pune to be more specific), who know more about him (or me or anyone else for that matter), that he himself does. Let me pause and ask the reader to read the previous line one more time…
Think about it. Every financial services company including banks, credit card companies, mortgage companies, credit rating agencies, escrow agents, auto credit (Toyota motor credit, GMAC finance etc.), and Ganesh party supplies guy in Whitefield knows everything about me. So chances are that there are tens, if not hundreds of current and former BPO employees in India who at one time or another were providing customer support services for my bank, credit card etc and have jumped on average every 12-18 months to a new job over the last 10-15 years who could easily have all my personal data. If I think about that day in and day out, I would simply cry and eventually go insane.
Hence, I resort to a grin and a thought that I often have in India in different context – “I am hosed. It’s completely out of my hands, so let nature take its course.” I would advise all in this conundrum to sing the Marley song, “Don’t worry, be happy”, or my own version “don’t worry, be jolly”. By the way, my seven year old, is fascinated with my phone numbers and passwords, and is more than happy to simply blurt it out to anyone and everyone. As if I didn’t have enough to worry about with the hackers, I have a child who feels that sharing personal data is charitable giving.
Recently I received two emails in the same week, one from my bank and another from a doctor’s office informing me of data theft, and that my personal information might have been compromised (in one case it was theft, in another case an employee lost a laptop with data on it). Although initially somewhat perturbed, I reminded myself of the first paragraph scenario and the Marley song, after which I calmed down.
Let me throw in yet another very typical India scenario. I happened to be at a fairly reputable hospital in Bangalore earlier this week (by the way, a hospital is an amazing place for a sociological study. It is one of only three places where people from every strata of life come together. The other two are a place of worship, and the railway station platform). Back at the hospital, as I stood in the cashier line, of course another 3-4 people came right on top of me to try and cut in queue and one of them was very carefully looking at the paperwork I was holding in my hand, effectively wanting to know everything about me. At one point, I simply looked back and handed him my paperwork and said, “here, you can find out everything about me, and my health issues, diagnosis and treatment”, at which time he backed off…but only slightly. The situation is no different at a bank where chances are that the person behind you is technically on top of you as and when you are going through a transaction. I think people generally in India want to be in each other’s business, perhaps under the pretense of wanting to help, or more likely, simply like snooping around and looking for free entertainment. I can just imagine doing something similar at a US bank, and being taken away in handcuffs by bank security.
In my 2.5 years in India, the privacy issue that still “takes the cake” is my experience within the first week of being in India and spending a day at CONCOR, which is basically a warehouse for all expat containers being shipped to Bangalore. I might have written about this in the past, but if one really wanted to get access to all private data for senior executives moving to Bangalore, all one needs to do is go to CONCOR, and spend some time in the waiting room.
From what I recall, there were virtually hundreds of folders of previous unsuspecting victims (who had to survive Concor), with their entire life history in folders stacked from floor to ceiling, and several that had fallen on the floor with papers strewn all over. I remember glancing at some of those pieces of paper (I couldn’t help it since they were “right there”) that had fallen out. It happened to be for a senior IBM executive. Those pieces of paper included his name, title, social security number, US address, passport copies, a swipe of his credit card used to pay the moving company and several other interesting bits of data. There was no vault, no physical security, and absolutely no sense of privacy. I am actually not sure where those folders go after the waiting room. The guys next door were more concerned of making sure they got the appropriate under-the-table payment for every shipment rather than making sure that either the crucial personal information was stored securely or disposed off appropriately.
My intent here with the above scenarios is not to scare, but to simply say that everyone needs to wake up to the reality of the current, digital (and perhaps not so digital world as in the Concor example) and truly interconnected world that we live in. The paradox is that as people get more paranoid about personal information and privacy, that same information is making its way to more and more people through formal channels, not to mention the flourishing eastern European, Chinese, Indian and African hacking communities getting access to all sorts of personal data, some of which makes the news but most in my opinion simply doesn’t.
In a bank’s case, often the very personal data will reside with the bank, their customer support organization which could be captive or outsourced, their key partners and potentially others to whom the data is sold, often through a quick trick of having the customer opt out rather than opt in to sharing that information with others. A rogue employee in any one of the institutions that I mentioned earlier could create absolutely havoc for many many people the world over.
Bottom line: like it or not, we are living in interesting times where information about anyone and everyone is available to anyone. I am all for vigilance, care and striving for data security and privacy (btw, I change my passwords frequently), but I would argue in this cat and mouse game, we need to be congnizant of the fact that no amount of anti-spyware, anti-phishing, n-factor authentication, key fobs, tokens, bodyguards, mercenaries, or god him or herself (to be politically correct) can provide even close to 100% protection that many people feel they have