Your Privacy is an Illusion

What would you do if your laundry-shop published your laundry bills online, along with your name, address and phone number, for the whole world to see?


A couple of months ago, while trying to understand Pakistan’s perpetual energy crisis situation, I entered the LESCO website hosted at http://www.lesco.info/. As soon as I clicked the Customer Service link, I was teleported to a consumer privacy and security hell. I closed my browser after going through a few pages, hoping that the website would disappear like a bad dream, and tried to forget about it. Two months later, the website is still online, so I think LESCO doesn’t have any plans to take it offline. Meanwhile, I have gone through the five stages of grief, laced with a few non-standard stages like ‘hilarity’ and ‘helplessness’ that Kubler-Ross probably hadn’t thought of, so now I can write about this joke without affecting my blood-pressure and general sanity.

When you enter the website, you are rewarded with a pre-filled login form. You heard me right – the form is pre-filled with the username “Guest” and password “*******” (hehe) for your convenience. The links at the top point to a certain firm called Clicksoft and are broken, but you can still visit the Clicksoft website to hear their amusing pitch:

ClickSoft is a groundbreaking software development organization providing high-end technical solutions. Our customers benefit from our vast experience of Enterprise Resource Planning (ERP) software solutions for demanding mission critical environments in retail and wholesale, manufacturing, and financial services.

I will not pass any judgement on their claims, but I do wish that their prospective clients do a little research on them before handing them any business.


After you “log on” to the LESCO /mc/ website homepage as a “Guest”, you are handed a search form, but not just any form – this one has the special power of letting you search the complete LESCO database! You can search by any field, including customer name, their address and even their neighbor’s bill. By the way, from the search forms, it looks like many people are born with “through”, “Col” and “Officer” in their names.

I am a big proponent of transparency, but LESCO has taken it a bit too far! You can search in Applications and you can search for Consumers and even browse various LESCO locations. The real gem, though, is the Feedback Form. It allows you to “Change Password”! Yes, the same password that was embedded in the login page (*******)… A classic case of WTF!

If you think it ends here, you are wrong, LESCO has one more surprise for you. Visit the Reports section and you will come across URL masterpieces like:

http://www.lesco.info/mc/default.php?action=35&where=%20where%20c.app_date%3C='2008-05-06'%20%20and%20substring(c.loc_code,2,1)='2'&circle=&desc=Demand%20Note%20Paid

All ten-year-old script kiddies and their pet parrots know the kind of malicious things that are possible with a little bit of SQL Injection, so I will not spell them out here, but apparently the “Regional Training Centre LESCO”, who own the website, are still trying to figure out how to create websites. With employees like these, who needs corporate saboteurs?
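The URL above hands the server a complete SQL WHERE clause as a query-string parameter, so whoever edits the URL edits the query. As an added example (not code from this post, nor from the LESCO or Clicksoft site, which is PHP), the Python below puts that pattern next to the way it should be done: the URL carries only named filter values, the SQL text is fixed on the server and the values are bound as parameters. It also includes a small check that flags request URLs whose parameters carry SQL fragments, which is what you would run over a web-server log to see whether such a parameter is being fed anything other than the intended dates. The in-memory table, field names, handler names and sample URL are all constructed for the illustration.

```python
"""Added example: raw SQL in the query string versus parameterised filters.

Everything here (table, rows, URL host, function names) is constructed for
illustration; it is not the LESCO site's code.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed stand-in for an 'applications' table in a consumer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (app_id INTEGER, name TEXT, loc_code TEXT, app_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?, ?, ?)",
        [
            (1, "A. Khan", "L23", "2008-04-01"),
            (2, "B. Malik", "L12", "2008-05-20"),
            (3, "C. Ahmed", "L27", "2008-03-15"),
        ],
    )
    return conn


# --- Pattern 1: the request carries SQL text (the shape of the URL in the post) ---
def report_unsafe(conn, where_param):
    """Pastes the 'where' parameter verbatim into the statement.

    Whatever clause arrives in the URL is executed; shown only to contrast with
    report_safe below.
    """
    sql = "SELECT app_id, name FROM applications" + where_param + " ORDER BY app_id"
    return conn.execute(sql).fetchall()


# --- Pattern 2: the request carries data only; SQL is fixed server-side ---
ALLOWED_FILTERS = {
    # hypothetical filter names -> fixed SQL with a bound placeholder
    "app_date_to": "app_date <= ?",
    "loc_digit": "substr(loc_code, 2, 1) = ?",
}


def report_safe(conn, params):
    """Builds the WHERE clause only from whitelisted filters; values are bound."""
    clauses, values = [], []
    for key, value in params.items():
        if key not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter: {key}")
        clauses.append(ALLOWED_FILTERS[key])
        values.append(value)
    sql = "SELECT app_id, name FROM applications"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY app_id"
    return conn.execute(sql, values).fetchall()


# --- Detection: flag request URLs whose parameter values look like SQL ---
# Coarse heuristic for log review: SQL keywords as whole words, or quote and
# comparison characters.  Expect some false positives on free-text fields.
SQL_FRAGMENT = re.compile(
    r"\b(where|and|or|select|union|substring|substr)\b|['\"=<>]", re.IGNORECASE
)


def suspicious_params(url):
    """Returns the sorted names of query parameters whose values contain SQL fragments."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(k for k, vals in qs.items() if any(SQL_FRAGMENT.search(v) for v in vals))


if __name__ == "__main__":
    db = make_db()
    # Constructed URL with the same parameter layout as the one quoted in the post.
    sample = (
        "http://example.invalid/mc/default.php?action=35"
        "&where=%20where%20app_date%3C='2008-05-06'%20%20and%20substr(loc_code,2,1)='2'"
        "&circle=&desc=Demand%20Note%20Paid"
    )
    print("parameters carrying SQL:", suspicious_params(sample))
    print("safe report:", report_safe(db, {"app_date_to": "2008-05-06", "loc_digit": "2"}))
```

Both report functions return the same rows for the legitimate filter, which is the point: the safe version loses nothing the report needs, it only refuses to let the client supply SQL. The detection helper is deliberately simple; in practice you would run it over the access log's request lines and review the hits rather than treat every quote character as an incident.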

So, coming back to the original question (“What would you do if your laundry-shop published your laundry bill, along with your name, address and phone number online, for the whole world to see?”), if your answer is “Nothing.”, I will understand. The rising oil and food prices have probably pushed things like data privacy towards the bottom of the list of things to worry about. Consider yourself lucky, though, if a telemarketer discovers this treasure trove and a vacuum cleaner salesman comes a-knocking at your door two days after you apply for an electricity connection. It would certainly be better than having your identity stolen, and a lot more entertaining if you are like me.

I did some research on consumer privacy and identity protection in Pakistan to see where the consumers (that’s you and me) stand, and discovered that Pakistan is yet to have a consumer rights protection law. Besides Babar Bhatti of telecompk, who writes about the topic frequently, and Dr. Awab, who urged me to write this post, I did not find any Pakistani bloggers who have shown serious concern about consumer data privacy in Pakistan on their blogs (though my Google search session was brief). I did stumble upon websites for entities like Consumer Rights Commission of Pakistan and The Network, but have yet to read what they are all about.

On the bright side, incidents like this make one think that perhaps the lack of ecommerce in Pakistan is actually a blessing in disguise. What do you think?

PS. For those too busy to visit the actual website, I’ll try to upload some screenshots soon.

PPS. No bytes were harmed or abused in the writing of this post.

LESCO Please Give Me My Life Back

Dear LESCO,

You knew about the (then) impending power crisis of 2007 way back in 2004 and I was glad you didn’t do a thing about it, besides blaming rains, coal shortages and the crumbling infrastructure in the four years that followed. Not many people see the wisdom in that, but I am not one of those people. I realize very clearly that the 5 hours without power daily were just the training we Pakistanis needed to evolve to a higher level – a person who can survive without electricity and gas for that much time can do pretty much anything, and feel superior when his (weak) American friends ask “How can you live like that?!” in awe and inspiration. Those load-shedding spells were just the thing I needed to learn to get my work done in the 4 hours of continuous internet that you gave me, thereby increasing my productivity, and giving me the time to read a few hundred pages of a book daily by laptop-light, thereby increasing my quality of life. The one-hour discharges and recharges increased my laptop’s battery life by 50%, and forced my RSI-prone wrists to get the much-needed rest that I would have ignored otherwise. We didn’t really need running steel mills either; all they give us is global warming and pollution, so I was happy when they were shut down. Your tag-teaming with the Gas company also allowed me to eat out every other day due to lack of any other options. Life was wonderful: I was constantly looking at the bright side of life in the daily darkness spells, and had become a fan of your greater wisdom.

Why, then, did you have to promise an end to load shedding by February 2008, and actually deliver on that promise?! I have been waiting for a power outage for two days straight now, please give me back my 5 hours of load-shedding per day. I miss them. 🙁

PTCL Triple Play Project

LESCO, teamed with my local ISP (who gives bandwidth on LAN, and therefore, dies with every one hour power failure) finally made me bite the bullet and move to the PTCL Triple Play Project aka Broadband Pakistan today. The PTCL techs just left after installing the connection (in 10 minutes) and the speed tests so far are not bad at all.

[Screenshot: PTCL speed test]

Contrary to my expectations, I have had a very smooth customer service experience till now. One of the few good things about Broadband Pakistan is that you can get it upgraded and downgraded for free with one phone call, and you will be charged according to your usage. They didn't give me a wifi modem though (they save them for the 1Mbps lines, discriminating 8@$tards!), but told me to call their office after 4-5 days and they will change the modem (I hope they are true to their words). Now I just need to test the one dozen UPSes lying around to find a working one and I'll be a bit less dependent on LESCO.