pdpc_decisions_version: 10
This data as json
| _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 | 10 | 1 | 1016 | A warning was issued to an individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, thereby breaching section 48B of the PDPA. | [
"Do Not Call Provision(s)",
"Warning",
"Others",
"Telemarketing"
] |
2023-04-17 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TaiShinFatt_140223.pdf | Do Not Call Provision(s) | Breach of Section 48B of the PDPA (Prohibition on Use of Dictionary Attacks) by an individual | https://www.pdpc.gov.sg/all-commissions-decisions/2023/04/breach-of-section-48b-of-the-pdpa-prohibition-on-use-of-dictionary-attacks-by-an-individual | 2023-04-17 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 2 Case No. ENF-DNC-210826-0015 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tai Shin Fatt … Individual DECISION Tai Shin Fatt Lee Ti-Ting, Assistant Commissioner - Case No. ENF-DNC-210826-0015 14 February 2023 Introduction 1 On 2 July 2021, the Personal Data Protection Commission (“the Commission”) was notified by the Singapore Police Force that the Singapore Civil Defence Force (“SCDF”) had received an influx of marketing calls between 25 and 28 June 2021 from telephone numbers registered to one LongSheng Consultancy Pte Ltd (“LongSheng”) on behalf of one Tai Shin Fatt (the “Individual”). The Commission commenced investigations to determine whether the circumstances relating to the calls disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Individual is an insurance director with a large and well-known insurance company managing a team of 25 insurance agents. In an effort to conduct marketing calls more efficiently, the Individual sought to engage the services of 2 companies hereinafter referred to as the “Call Automation Vendor” and the “Checker”. 3 The Call Automation Vendor provides software to facilitate the making of automated calls using customised scripts. The Checker’s service comprises the provision of telephone numbers (from which automated calls could be made), and the provision of software to check whether the telephone numbers of intended recipients were registered with the Do Not Call Registry (“DNCR”). The systems / software of the Call Automation Vendor and the Checker were intended to work in tandem as follows: (a) the telephone numbers of intended recipients would be uploaded onto the Call Automation Vendor’s software; (b) the Checker’s software would check the DNCR for such telephone numbers; and (c) the Call Automation Vendor’s software would then avoid making any calls to the telephone numbers which appeared in the DNCR. 4 As the Call Automation Vendor and the Checker do not contract directly with individuals, the Individual caused LongSheng to enter into contracts with the Call Automation Vendor and the Checker on 17 March 2021 and 20 May 2021 respectively, to provide the services outlined at paragraph 3 above. The Individual used LongSheng as a corporate vehicle by which to procure the services of the Call Automation Vendor and the Checker. 5 Following the engagement of the Call Automation Vendor and the Checker, and pursuant to instructions from the Individual, the Call Automation Vendor provided 10 channels in its software, while the Checker subscribed for 10 telephone numbers in the name of LongSheng from which to make the automated marketing calls. 6 The Individual wished to test the systems provided by the Call Automation Vendor and the Checker, for which recipient telephone numbers were required. One of the Individual’s staff suggested to generate recipient telephone numbers by: (a) using commonly seen telephone numbers for the first 4 digits of each telephone number; and (b) randomly generating the last 4 digits of the telephone number by automated means. 7 The Individual authorised this method of generating the telephone numbers, and his staff proceeded to use Microsoft Excel to do so. 8 The Individual’s staff generated a total of 18,809 telephone number (“Subject Numbers”), which included 400 telephone numbers beginning with the digits “995”. “995” is the SCDF emergency line. 9 The Subject Numbers were contained in 3 lists, which were uploaded onto the Call Automation Vendor’s software by a member of the Individual’s staff. The Individual then clicked “send/call” in the Call Automation Vendor’s software to commence the automated marketing calls. 10 Between 25 and 28 June 2021, a total of 22,268 automated marketing calls were made (the “Subject Calls”), of which 433 were to the SCDF emergency line (the “Incident”). Such calls were not blocked as the SCDF emergency line was not registered in the DNCR. 11 On 28 June 2021, while reviewing the call recordings, the Individual discovered the calls made to the SCDF emergency line and immediately instructed his staff to stop using the Call Automation Vendor’s software. He also contacted the Call Automation Vendor to stop making further automated marketing calls; and deleted the lists containing the Subject Numbers. Findings and Basis for Determination The prohibition under Section 48B of the PDPA 12 Based on the circumstances of the Incident as set out above, the Commission’s investigation focused on whether the Individual had breached section 48B(1) of the PDPA by sending, causing to be sent, or authorising the sending of “applicable messages” - namely, (i) messages with a Singapore link to (ii) telephone numbers generated by a dictionary attack or address harvesting software ("Section 48B Prohibition"). 13 The Section 48B Prohibition and other provisions of the PDPA setting out relevant definitions are reproduced below: Term and definition (…) a person must not send, cause to be sent or PDPA provision s48B(1) authorise the sending of an applicable message. “applicable message” means a message with a s48A(1) Singapore link that is sent to any applicable telephone number; “message” means any message, whether in sound, text, s36(1) visual or other form; (2) In this Part, an applicable message has a Singapore link in any of the following circumstances: s48A(2) (a) the message originates in Singapore; (b) the sender of the message — (i) where the sender is an individual — is physically present in Singapore when the message is sent; or (ii) in any other case — (A) is formed or recognised under the law of Singapore; or (B) has an office or a place of business in Singapore; (c) the telephone, mobile telephone or other device that is used to access the message is located in Singapore; (d) the recipient of the message — (i) where the recipient is an individual — is physically present in Singapore when the message is accessed; or (ii) in any other case — carries on business or activities in Singapore when the message is accessed; (e) if the message cannot be delivered because the telephone number to which the message is sent has ceased to exist (assuming that the telephone number existed), it is reasonably likely that the message would have been accessed using a telephone, mobile telephone or other device located in Singapore. “applicable telephone number” means a telephone s48A(1) number that is generated or obtained through the use of — (a) a dictionary attack; or (b) address‑harvesting software; “dictionary attack” means the method by which the s48A(1) telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations; “address‑harvesting software” means software that is s48A(1) specifically designed or marketed for use for — (a) searching the Internet for telephone numbers; and (b) collecting, compiling, capturing or otherwise harvesting those telephone numbers 14 The Section 48B Prohibition was introduced as part of the 2020 amendments to the PDPA and came into effect on 1 February 2021. It was intended to supplement the existing “Do Not Call” provisions in Part 9 of the PDPA in striking the correct balance between safeguarding consumer interest and permitting legitimate business interests in direct marketing by: (a) establishing clear guardrails for sending unsolicited commercial messages; 1 and (b) addressing consumer annoyance and deterring spammers who use technologies that make it easier to indiscriminately send unsolicited commercial messages (including robocalls) to a large number of recipients.2 15 The Section 48B Prohibition operates by targeting the indiscriminate manner by which recipient telephone numbers may be generated and targeted, usually by automated means. It does not serve as a blanket prohibition on the sending of unsolicited commercial messages, and leaves room for legitimate direct marketing. Whether the Individual had contravened the s48B Prohibition 16 For the Individual to have breached the Section 48B Prohibition, he must have: (a) sent, cause to be sent or authorized the sending of; (b) a message; (c) with a Singapore link; (d) to telephone numbers generated or obtained through use of: 17 (i) a dictionary attack; or (ii) address harvesting software. Based on the facts of the Incident as set out above, the elements for breach of the Section 48B Prohibition are made out: 1 Singapore Parliamentary Debates (2 November 2020) vol 95, at page 36 (S Iswaran, Minister for Communications and Information) 2 Public Consultation Paper issued by the Ministry of Communications and Information and the Personal Data Protection Commission dated 14 May 2020, at paragraphs 53 54(b) (a) The Individual specifically authorised and caused the making of the Subject Calls to the Subject Numbers. (b) The Subject Calls were automated calls based on a customised script provided by the Call Automation Vendor. The Subject Calls were therefore messages in sound form, and “messages” as defined by s36(1) of the PDPA. (c) The Subject Calls were made in Singapore. As such, the Subject Calls had a “Singapore link” within the meaning of s48A(2) of the PDPA. (d) The Subject Numbers were generated by using commonly seen telephone numbers for the first 4 digits, then randomising the remaining 4 digits. Strings of numbers were combined and resulted in the creation of 18,809 different permutations – i.e. unique telephone numbers – and the process was performed using automated means via Microsoft Excel. This was therefore a “dictionary attack” within the meaning of s48A(1) of the PDPA. 18 Accordingly, the Individual is determined to have contravened the Section 48B Prohibition. The Commission’s Decision 19 By using a “dictionary attack” to generate the Subject Numbers and then causing and/or authorising the Subject Calls to be made to the Subject Numbers, the Individual failed to stay within the “clear guardrails” of the PDPA to safeguard consumer interests. 20 To make matters worse, numerous calls were made to the SCDF emergency line. The importance of keeping the SCDF emergency line open and unobstructed for genuine emergencies cannot be over-emphasised. That said, the fact that automated marketing calls were made to the SCDF is not itself relevant to the Individual’s breach of the Section 48B Prohibition. The issue is with the method used to generate the Subject Numbers, and the Individual’s role in authorising the Subject Calls. 21 The Commission recognises that: (a) the Individual was cooperative with the Commission’s investigations; (b) the Individual has not previously contravened the PDPA; (c) the Individual had made efforts to ensure that he complied with his obligations under Part 9 of the PDPA relating to the DNCR when making the Subject Calls; and (d) the Individual voluntarily took action to cease the Subject Calls upon discovery that the SCDF had been called. 22 Having considered all the relevant factors in this case, the Commission hereby administers a warning to the Individual in respect of his breach of the Section 48B Prohibition. No other directions are necessary in view of the remedial actions already taken by the Individual. LEE TI-TING ASSISTANT COMMISSIONER FOR PERSONAL DATA PROTECTION | Warning | 065914363a4287df302d4869dbb9b671721521e1 |
Links from other tables
- 10 rows from item_version in pdpc_decisions_changed