Personal information being sent abroad
November 9, 2003 5:28 PM

We need an "Information Technology Disclosure Act." The Programmer's Guild is pushing for the creation of legislation to require companies which outsource abroad to tell consumers when their sensitive personal information is being sent to companies in other countries. This aspect of outsourcing has gotten little attention, but the SF Chronicle's David Lazarus has reported on it being done by hospitals (like UCSF, which is being threatened over back pay by a transcriber in Pakistan), accountants, banks (BofA), telecom companies (SBC), and perhaps most alarmingly, two of the three major credit-reporting agencies.
posted by homunculus (24 comments total)

 
Lazarus is looking at this from an American perspective, but since Britain is also outsourcing more and more, I wonder if it's facing a similar quandary. Anybody know?
posted by homunculus at 5:34 PM on November 9, 2003


This sounds like protectionism to me.

-- A "serviced in" label be affixed to every statement or document processed overseas, just as manufactured goods must state a country of origin;
-- Overseas customer-service workers, who often take pains to mask their location, identify their whereabouts at the outset of any conversation;
-- Calls be rerouted to domestic facilities if the consumer so chooses.


Why? These have nothing to do with security.
posted by donth at 5:44 PM on November 9, 2003


Why does an organization that claims to be a guild of programmers have such an ugly, broken site?
posted by bshort at 5:46 PM on November 9, 2003


perhaps because HTML, CSS and web design in general are not programming, per se.
posted by quonsar at 5:52 PM on November 9, 2003


oh, and i dream of the day some courageous consumer dispatches the databases of these societal vultures into the universal bitbucket, hopefully accompanied by lots of smoke, fire and rubble. let the employees get McJobs.
posted by quonsar at 5:55 PM on November 9, 2003


I'd like to add a requirement that all overseas customer-service workers recite the pledge of allegiance at the outset of any conversation.

I just won't be able to trust them otherwise.

Come to think of it, I'd like American customer-service workers to hum the first few bars of the national anthem, just so I can be sure.
posted by whatnotever at 5:56 PM on November 9, 2003


Feinstein says it all:

"The application of American law in a foreign country is difficult, if not impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move overseas, the less American law can control the uses for which personal data is put. And this can only represent an increasing threat to the privacy of our citizens."

This is not about protectionism, folks. This is about jurisdiction. You want your social security number to stay in a place where your government can effectively make and enforce laws to keep it as safe as possible.
posted by PrinceValium at 6:01 PM on November 9, 2003


There are already laws in place in many European countries that cover data protection. We run worldwide apps, and there are recurring issues with maintaining appropriate in-country controls over what data can be shipped overseas - and that's shipping overseas to the parent company, it's not like we're outsourcing it.
posted by jacquilynne at 6:15 PM on November 9, 2003


Hmmm.

Isn't this a major security risk? Couldn't an Al Qaeda operative working out of Bangalore or Pune gather everything they need for a successful identity theft? Or even create a new identity out of nothing?

The jurisdiction objection is handwaving. If the company is completely overseas, go after their customers. Eg make BoA liable for bad things done by their outsourced vendor. Easy-peasy.
posted by i_am_joe's_spleen at 6:31 PM on November 9, 2003


You want your social security number to stay in a place where your government can effectively make and enforce laws to keep it as safe as possible.

wrong. i don't want a social security number at all. my government lied about it, and continues to lie about it, while standing silently aside for over 50 years as private, commercial concerns have made the social security number the primary key in billions of databases. i am sick of lies, sick of commerce, sick of lying liars in government, and any moron with a lick of sense can see that the entire credit 'industry' exists only to entice and ultimately enslave the so called middle class, and can see that borrowing money 'costs' about 3 times as much as it should. just listen to the arrogance of that TransUnion VP! and the Equifax guy! lying through his teeth until he figures out the reporter knows better! then the story changes! now he has a facility in jamaica, mon! how nice that the overseas workers will be "closely supervised" by the atlanta office! lying cocksucker. wipe the shit out of your eyes and you can plainly see that outsourcing is this 'industry's answer to the requirement to share the dirt they collect on you with you at no cost.

"let me get this straight: you want us to send copies to any citizen who asks for it, so that said citizens can protect themselves from our sloppy compilations and erroneous data entry, and our foot-slogging reluctance to remove falsehoods and correct mistakes, proven to be sloppy and erroneous and reluctant time and time again since the mid sixties? well, fuck you then, we'll route that shit through bumfuck, egypt. see how ya like that!"

hey fuck it, i hear the matrix episode 27 really sucks, let's go waste good money on that. star theater just started accepting credit cards.
posted by quonsar at 6:33 PM on November 9, 2003


Hospitals? You mean the last 3-and-a-half weeks of my life are in a database in Bangladesh?

Then just so you don't hear it from somebody else:
Yes, I did get punched out for changing the TV during "The Jerry Springer Show".
Yes, I knew the 'woman' with the uncanny resemblance to Penn Jillette was actually a failed transsexual.
Yes, I met a guy who talks just like quonsar writes, and he didn't wear pants either.
And NO, the little old lady who kept talking about "my friend Lucifer" is NO friend of mine.

I'm back, MetaFilter, leaner, meaner, alone, penniless and certifiably semi-sane. Anybody miss me? I didn't think so.
posted by wendell at 6:45 PM on November 9, 2003


As a 'senior' developer, I've worked with all sorts of outsourcing shops. India, Russia and Ireland are several huge sources of cheap labour. This is nothing new. For the projects I've been involved with, the cost ratio is typically around 5:1 for outsourced:domestic developers.

Domestic developers whine that outsourced work typically stinks, but even if 3 of the 5 foreign resources stink, it's still 2:1. This doesn't even bring into account stuff like VCs/shareholders loving offshore development for the perceived savings (money and time). I personally don't care for distributed development; especially across timezones.

Oh well. It's a good thing Bush's tax cuts are saving all of our jobs. *cough*
posted by denbot at 9:31 PM on November 9, 2003


I don't get this. What's so worrisome about personal data crossing a geopolitical border that the act of offshore data processing and customer service (as opposed to development, since very little "personal information" is used in the course of software development -- conflating offshore DP/call center operations with offshore development is a mistake) needs a scarlet letter? Is this some bizarre effort to keep all the shitty typing and phone jockey jobs from going overseas?
posted by majick at 10:35 PM on November 9, 2003


Wendell - next time have (or fake) a nervous breakdown. The doctor signs off on a private room for medical reasons and BAM! you're living off the fat of the land!

(welcome back, hope you are feeling better!)
posted by PrinceValium at 11:04 PM on November 9, 2003


Is this some bizarre effort to keep all the shitty typing and phone jockey jobs from going overseas?

No, it's not really the jobs that are the issue so much as the spread of personal information which can be abused. Personally I don't have a problem with most outsourcing; I actually think it's pretty cool and I would love to have a candid conversation with a customer service rep in India, if only they were allowed to admit where they are. But we have enough problems with identity theft already and I don't like the idea of my SSN floating around the globe. Read the "hospitals" link in the FPP and consider the possibilities.

Of course, if the banks, credit card companies and credit-reporting agencies were held accountable for making identity theft possible, this wouldn't even be an issue. The very idea of "identity theft" is absurd, and I'm surprised that there hasn't been a class action lawsuit against any of them yet.

And what quonsar said.
posted by homunculus at 11:20 PM on November 9, 2003


But maybe I'm just too paranoid.

I would actually love to work in India, especially if I could live in Mysore and commute to Bangalore, except that apparently they don't hire Americans. Darn it.
posted by homunculus at 11:44 PM on November 9, 2003


"But we have enough problems with identity theft already and I don't like the idea of my SSN floating around the globe."

I don't want to belabor the point too much, but what's the bad thing that happens because a database row with your SSN in it (admittedly already a bad thing) is updated by someone on the other side of a national border? The hospital transcription problem could, really, happen anywhere.
posted by majick at 12:13 AM on November 10, 2003


majick, a person who commits identity theft in the U.S. faces criminal sanctions and jail time. If the sanctions in India are even nearly as harsh, they are likely much less enforceable. It's really bad to let personal data out of a jurisdiction where it is protected by law.
posted by PrinceValium at 1:13 AM on November 10, 2003


[in Portuguese] i hereby release the following personal confidential medical data to the public domain: the nail on my right big toe grows faster than the one on the left.

[in German] i hereby release the following personal confidential medical data to the public domain: the nail on my right big toe grows faster than the one on the left.

[in French] i hereby release the following personal confidential medical data to the public domain: the nail on my right big toe grows faster than the one on the left side.
posted by quonsar at 2:36 AM on November 10, 2003


Who is "The Programmer's Guild"? I've spent most of my career as a computer programmer and this is the first I've ever heard of them. The web site does not inspire a great deal of confidence.
posted by Mars Saxman at 8:24 AM on November 10, 2003


Pakistani threatened UCSF to get paid, she says
posted by homunculus at 11:14 AM on November 12, 2003


Information Technology (IT) Disclosure Act

Supporting Documents and links
posted by homunculus at 11:18 AM on November 12, 2003


[in Portuguese] Oh my God!

[in German] Oh my God!

[in French] Oh my God!
posted by moonbiter at 1:17 PM on November 12, 2003


in regards to health care anyway, HIPAA (healthcare information portability and accountability act). If you are concerned about your health information you can call your provider and request who has your data. the punishments for misuse are pretty severe, and include criminal charges for individuals as well as institutions.

"Civil and Criminal Penalties. Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under "false pretenses"; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm."

and remember a violation usually means a test, like a blood test, like hospitals do thousands of a day...
posted by rhyax at 11:27 PM on November 24, 2003

