- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Fri, 11 Nov 2011 11:32:37 +0000
- To: public-privacy@w3.org
Dear All,

I received an email today from Lenovo (Ivan Poliak,
Manager of Sales Support, Lenovo Western Europe) saying that, as an
owner of a Lenovo PC, my details had been transferred to a central
computer system in China. If I wanted my details to remain in Europe and
not be transferred elsewhere, I could opt out of this transfer and have
my details removed from the Chinese computer. The letter provided a URL
for me to go to, to have my details removed, and ended with the phrase
"reassurance that Lenovo takes your privacy seriously".

So I went to the URL, only to find that the method they provided was
impossible to follow, since besides my name, address, company name and
Email address, they also required some unique reference number sent long
ago on some previously discarded letter, in order to complete the
operation. When the user no longer has this number, the page fails to
execute the request (as the field is mandatory to complete), and when a
dummy number is inserted, which I did, I managed to crash their system
with the following error message:

Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator, psgiroot@raleigh.ibm.com and
inform them of the time the error occurred, and anything you might have
done that may have caused the error.
More information about this error may be available in the server error log.

-- ---------

I then sent a copy of the above to the stated email address at IBM, only
to immediately receive the following email in reply:

----- The following addresses had permanent fatal errors -----
<psgiroot@raleigh.ibm.com>
(reason: 550 5.7.1 <psgiroot@raleigh.ibm.com>... Cannot mail
directly to files)

It is clear that Lenovo are either not taking data protection seriously
enough, or are not very good at debugging their systems.

regards

David
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
Received on Friday, 11 November 2011 11:33:06 UTC