What do you think this is?

just thoughts of a restless mind...

Whom can you give your personal information to?

Here is a short (or not) story about my interactions with an organization I decided to voluntarily give some of my personal information to. In 2012 one of the three top Information Security Certificate organizations released a new security certification under a grandfathering scheme. Being always envious of those who were grandfathering a certification, I considered applying, despite the hefty fee. When a discount was offered to one of the LinkedIn groups I was part of, I grabbed the opportunity. Little did I know about the wonderful journey that I would have with this organization.

In June of 2012, having collected all the paperwork, references and degrees as well as previous experience evidence, and having paid the fee, I applied.

Not surprisingly, the application was accepted in July 2012, and I received a nice letter and a nice welcome kit, including a plaque and a pin. I was certified through grandfathering, for a certification that I hoped would become prestigious.

In January 2013, I received an email that my application had been moved to the verification phase, and I should be patient for 2 weeks, waiting for approval. Troubled, I looked up my emails. Indeed, there was the welcome, approval email as I recalled, so I sent a mail back saying there must be a problem or confusion somewhere. The next day I received an apology email, saying that I probably received a duplicate created by a software glitch or upgrade. Despite my concerns about information security (integrity), and the fact that the signature of the sender did not match the sender name in the email, I went on to think that “things like that may happen”, so I did not pay any more attention.

Ten days later I get congratulated for the approval of my application, and I am informed that my welcome kit will be sent to me in the next 4 - 6 weeks. Having a “WTF” moment, and obviously not so happy about this whole situation, I decided to let my certification expire, and not worry about that any more.

As expected, in July of 2013, after being certified for a year, I receive an email that my certification will expire soon, unless I pay for the renewal. For a second time, the sender and the signature do not match. I even have a different sender now. Easy decision for me: do nothing, these people probably have significant problems, and I find no value in being certified by them any more. At that point, I consider my certification to have lapsed after one year.

Despite me not answering, not paying and not renewing, I receive an email, 3 months later, that a metal plate will be sent to me; I should place it over the end date of the plaque. I am confused. Maybe I missed somewhere that my certification was renewed; as a present maybe? I never replied to that email and never received the plate. In early 2014, news is out that the company’s websites (more than one) are defaced. “No surprises,” I think. I verify that they do not have any (significant) personal information, even log in and delete some generic information from the portal I had access to, and go on with my life.

In June of 2015 I receive another email that I used a promotion last year (2014, which I did not), which waives my renewal fee (remember, I have never renewed), and that I should send my address for receiving my new plaque. After my queries, I get the answer that based on my initial registration, and despite the fact that I have never renewed, I do not have to pay anything until August of 2016, and I will remain certified.

Oh well, I think, it’s free, let’s get another plaque. I re-send my address (same one that should already be in their files; I had decided already not to give any newer or additional information) and, of course, never received a plaque. I received, though, an e-mail one month later, that my certification is expiring and I should pay the renewal fee. The mail included a credit card authorization form this time! It also stated that if I do not want to renew, I should reply to it. Surely, I reply to the email, confirming that I do not plan on renewing. I am even copied on the email sent to the certification team, stating that I should be removed from the certification program. Finally, I think, this joke is over.

Here comes October 2015, and I get yet another email (with the credit card authorization form again), that my certification has expired; if I want to renew I can still do so, but if I do not want to do so I need to send an email, confirming that I do not plan on renewing. Total déjà vu. And the same email again, just 10 days later (after initial posting of this article).

I wish I could give some piece of advice here, like, avoid giving your information to every random organization. Then I re-read the first sentence of this article that states “…one of the three top Information Security Certificate organizations”. If you cannot trust these people for proper information management, who can you trust? The answer is, unfortunately, no one. In my profession, certifications matter, so there is actually no way out of this scheme; you end up giving your information (work experience, studies, references, personal identification details) to these organizations, just to find out that their usage and management of information is faulty.

Tagged in : security certification, information management, privacy
