The Saga of OpinionPanel - Malice or Incompetence?
-
This is gonna be a long one, I'm afraid.
I signed up to Opinion Panel some years ago. They do market research (I am aware that I am the product) and theoretically pay participants in Amazon vouchers - in practice, they only pay out at multiples of £25, which makes it really easy to do a lot of work for them and get nothing. I have had a payout in the past though.
I always thought that the results were sent to Opinion Panel's clients directly, although I'm now being led to believe that they write the surveys to the client's specifications and collect the results themselves and send clients the data.
Last Tuesday I got a £3 survey (they generally offer £1 per ten minutes it's expected to take you, with £4 being the maximum. Most surveys are £1-2) which asked for information on personal finances. The questions were sufficiently specific and detailed to give me pause, but since it was assured to be anonymous I didn't think there was any likelihood of harm.
Until the end of the survey when they asked me for my full name and street address.
Naturally I didn't complete the survey, and proceeded to compose
a stroppy email to their support address:
Hello,I spent a considerable amount of time today completing the survey referenced in the subject line, only to reach the end and be presented with questions asking for my name and address.
As there is no plausible legitimate reason for market research surveys to require personal identifying information of this type, I can only presume this survey is a scam of some description, most likely an attempt at identity theft, in which Opinion Panel has been - perhaps unwittingly - made complicit.
I have occasionally found surveys to which Opinion Panel has referred me to ask questions which I considered unnecessarily intrusive but I have never before been asked to personally identify myself.
Needless to say I did not continue with the survey or submit my responses - although I cannot be certain that the answers I had already entered were not transmitted - and I would like to deactivate my account with Opinion Panel as I no longer trust your vetting of the surveys you promote. (Your website directs me to contact this address for that purpose.)
In relation to that, as I have over £16 worth of current points I would like to know whether there is any possibility of actually receiving the rewards I was promised for all the surveys I have completed since I last received a voucher. However that is a secondary concern by far compared with protecting my personal data and identity. Additionally I wish to alert you so that, if you do indeed have honest intentions and are unaware of the nature of some of the surveys you promote, you can take steps to protect your users.
Regards,
Carrie
At this point I supposed their client to be criminal and Opinion Panel simply incompetent.It took them until Monday to respond with
this reply:
Hi Carrie,Thank you for your email and apologies for the delayed response.
We apologise for any grievances we have caused and we would like to resolve this issue as efficiently as possible.
Would it be possible for you to indicate which survey you had taken part in , as we would like to have as great an understanding of the issue at hand as possible to deal with any concerns you may have as best as we can.
I would also like to assure you our intentions are pure, we care greatly about the protection of our panelists personal information as we abide by the MRS' Code of Conduct, Data Protection Act and Fair Data's Ten principles. We display this on our website to assure individuals that we are a trustworthy company.
Lastly, in relation to the cashing out of your points, you would unfortunately not be able to cash out at 1600 points as we have a cash out threshold of 2500 points, this is due to the denomination of rewards code that we provide to panellists.
We sincerely apologise for any inconveniences caused and we hope this issue can be resolved.
Kind regards,
George
It seems I'd made a mistake in assuming that the reference number which was automatically added to the subject line of my email by clicking on the "contact support" link from the email about the survey was correct.
And it appears I've been remiss in blaming them: I should have simply looked on their website and seen their claim to be the good guys, which obviously proves both their intentions and competence.
My response:
HiThe survey in question is PM2004W16 - my apologies, I assumed that the reference automatically added to the subject of my email when I used the link included in the survey invitation was correct.
This survey asked for very detailed information on personal finances including providers of financial products and precise names of products held, before requesting the personal identifying information I described in my previous email.
I would appreciate it if you would take the time to tell me whether this survey had been vetted and you (not personally, of course) thought this was appropriate, or whether Opinion Panel will allow anyone to ask their users anything.
I must say I am disappointed by the time it has taken you to respond to my original email, given the seriousness of the issue. I would have expected investigating an incident where you may have exposed your users to identity theft to be a priority. I would imagine that most users who are going to will have already completed the survey in question and it would therefore be too late to take action to mitigate this incident.
I'm sorry to hear that, after exposing me to potential identity theft, you are going to withhold the rewards I had already earned, but £16 is certainly not worth the risk of completing any more of your surveys. One must pick ones battles.
I would like you to deactivate my account, please. I expect to receive no more emails from Opinion Panel, except in regards to following up this incident - which as I have already mentioned I would like to hear about.
Regards,
Carrie
I should point out here that there was no indication that the name and address questions were in any way different to the others. There was no notice along the lines of "this information will not be given to Opinion Panel's clients and is only for $supposedInnocuousPurposes".
Here's what my dear friend George had to say about that
Hi Carrie,Thank you for providing us with the survey in question and no need to apologise.
We understand that the questions asked were fairly intrusive and alarming, the questions regarding your personal finances we're asked as part of the information we had been asked to gather by our client. The personal information we had asked for at the end of the survey was to be used with harmless intentions, as we needed this information to categorise the responses into different groups.
So to explain this in more detail, if you had provided us with a London address we would have ten put you into the south eastern category, and then from there we would be able to compile the responses you and others in this category had gave us and from there we would be able to provide our client with the necessary statistics and data they had asked us for. We had also asked for your name to simply be able to go back and check over the data that you had gave us while compiling research.
We had vetted the survey and we had deemed the questions to be appropriate as we maintain compliance with MRS code of conduct, so all information gathered through our surveys are safe. By abiding by MRS Code of Conduct, Data Protection Act and Fair Data's Ten principles, we are strictly prohibited from sharing personal data such as your name and address ETC to third party's. So if you was to have completed the survey the client would have never been provided any personal information that would have put yourself at risk.
We also apologise for the delayed reply, but our support system works on a first come first serve basis, so we would not have seen your email or the subject of your email until we had cleared up the emails that had been sent to us before yours.
We are also sad to hear you wish to leave the panel, i have since unsubscribed your account.
I hope this response is satisfactory and we apologise for the issues caused and we also apologise for the grievances caused.
Kind regards,
George
Again, how utterly remiss of me not to realise that the MRS logo on their site proves conclusively that they're neither crooks nor fools. And he's kindly unsubscribed my account - missed a trick here, I should have asked for it to be deleted, but I was following the wording on their website.
My next shot
Hi,Would you kindly explain what benefit is gained by asking for address, over (for instance) region, for the purpose of grouping responses by region?
Would you also please explain in what way asking for a full name allows you to "check over the data that [a participant] had gave (sic)" that would not be possible using a less sensitive identifier - for instance email address which has the advantage of being unique, unlike name, or a simple generated ID number which you would not have to rely on participants to provide.
Regards,
Carrie
Keeping it short and to the point this time. Admittedly it was formatted quite badly, which I was not aware of until after I'd sent it, because I still haven't figured out how to use an iPhone properly (my beloved Blackberry finally gave up the ghost a month ago).
George, fine fellow that he is, was not dismayed by that bold sally
Hi Carrie,By asking for addresses we are able to provide clients with data specific to that region, so as an example if we was to do a survey based on sports brands we would be able to narrow down which brands are most popular in which regions. (sic)
Through using a names it allows easier integration into our the system that we use to compile the research we gather, as the use of systems often results in exports into different platforms not functioning properly.
I am not going to be in till next Monday as i am on leave, but i will be able to reply to any of your emails then.
Kind regards,
George
Were you born yesterday, George, or do you just think I was?
I know you claim that you need my street address to tell what region I'm from, and that my name is your preferred identifier - even though it's never been asked in any other survey, if he means that they use it to link responses from different surveys. This tells me nothing you didn't tell me last time. I asked two very specific questions which you have not answered.
I also don't recall having signed up to have my data kept by them or used for any other purposes than being sent to their clients for the specific surveys I complete, so even if name was a good identifier for that purpose (how many John Smiths do they have in their userbase?) I'm still dubious about that.
Since I have to wait until Monday to hear back from good old George anyway, I haven't yet composed another response, and since this initial post is getting tolerably epic, and not in a good way, I'll update after I do.
In the meantime, I open the floor for comments.
-
I don't take too many surveys, but when I do, they usually go as specific as postal code for the region, and for finances the most specific they get into is annual income and maybe stuff about home ownership. When it gets into some more detailed stuff, it's either because they want to know whether they want you to sign up for a platinum credit card or a debt consolidation program.
Either way, I don't know what the laws are like in the UK, but in the US, you have to be careful about some of the questions you ask, especially if it starts getting into what specific bank accounts you are signed up with.
-
@the_quiet_one I don't particularly like being asked for my full postcode - first half is more than sufficient to determine region, but I accept that they do generally ask for the whole thing.
Edit: And George specifically claimed that their categories were as broad as "South East," so at most town or even county would be sufficient.That had actually been asked for early on in this particular survey, and the question at the end was just asking for the first line - street name and number. Not only is that information they have no legitimate use for, but it wouldn't even tell them what they claim to want to know.
As for how detailed it was, this purported to be market research into financial products, so although the detail requested gave me pause I figured they could have a legitimate use for the data and I elected to go ahead since (I thought) it was anonymous.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
@the_quiet_one I don't particularly like being asked for my full postcode - first half is more than sufficient to determine region, but I accept that they do generally ask for the whole thing.
First half meaning, say, SE21?
I'm from the US, so when we say "postal code" (zipcode) we usually mean the first five digits of it which is more or less as granular as SE21 above. When you get to the last four digits, which hardly anyone uses besides official mail, that's more parallel to the rest of the UK postcode. Nobody ever asks for it except, maybe, the IRS and even then it's usually optional. Hell, I don't even know what the last four digits are of my zipcode. :)
-
@the_quiet_one said in The Saga of OpinionPanel - Malice or Incompetence?:
First half meaning, say, SE21?
Yes
-
@the_quiet_one said in The Saga of OpinionPanel - Malice or Incompetence?:
First half meaning, say, SE21?
Yeah, that's quite common in surveys. It can identify your area to the level of area in a large city or a larger area further out. The first half of my postcode covers it few villages on this side of my closest city.
My experience of online surveys is that they usually start off asking for your area to the specificity George apparently needed: south east, south west etc. In terms of breaking the country up into parts, this is far less specific than state in America since there are only around 10 options
-
@jaloopa said in The Saga of OpinionPanel - Malice or Incompetence?:
this is far less specific than state in America since there are only around 10 options
It's fairly equivalent in terms of the sort of range of population.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
I know you claim that you need my street address to tell what region I'm from, and that my name is your preferred identifier - even though it's never been asked in any other survey, if he means that they use it to link responses from different surveys. This tells me nothing you didn't tell me last time. I asked two very specific questions which you have not answered.
I think it sounds like time to drop them squarely in it.
Make a complaint
If you have a concern about the way an organisation has handled your personal information or you have an issue accessing information from a public body, you can report it to the ICO. You can report nuisance calls and spam texts to the ICO using this reporting tool. Report spam texts and cold...
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
I don't particularly like being asked for my full postcode - first half is more than sufficient to determine region, but I accept that they do generally ask for the whole thing.
American postal codes don't land you on the person's doorstep, so our postal codes are equivalent to the first half of yours.
-
@the_quiet_one said in The Saga of OpinionPanel - Malice or Incompetence?:
Hell, I don't even know what the last four digits are of my zipcode.
It's been my street number before.
-
@dkf said in The Saga of OpinionPanel - Malice or Incompetence?:
I think it sounds like time to drop them squarely in it.
I may do that. I wanna keep going with this though - I'm finding it equal parts infuriating and amusing at this point. I try and laugh, thus to keep from wailing and gnashing of teeth.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
Through using a names it allows easier integration into our the system that we use to compile the research we gather, as the use of systems often results in exports into different platforms not functioning properly.
wat.
The explanation of address seems relatively reasonable, but I don't read that as saying they use names as a record identifier, I just read it as nonsense gibberish.
-
@carrievs I don't see a point to wasting more of George's time. You've already unsubscribed, you didn't submit the personal information, and he has zero incentive to answer your questions. (Which is probably why he didn't.)
Just move on to a new company.
-
@heterodox said in The Saga of OpinionPanel - Malice or Incompetence?:
The explanation of address seems relatively reasonable
But stupid. Any information security standard will require you to take only the least necessary identifiable information.
Not only that, they likely violated their supposed standards simply by not reporting publicly what they do with your name and address.
@heterodox said in The Saga of OpinionPanel - Malice or Incompetence?:
nonsense gibberish.
Yeah, he started spamming jargon after that.
I would demand to go up the ladder, and file a complaint on BBB.
-
@heterodox Well there's a couple of obvious editing mistakes there (I copied wholesale to let you have the full experience). If you delete "a" and "our," and add "different" or "multiple" into "the use of systems" it may make a little more sense.
'Twould be uncharitable to attribute it to an attempt to mislead, when it can be attributed to carelessness and poor communication.
It was actually George's previous email that led me to suppose it was used as a record identifier - at least that's the only way I can make sense of it. This one, I read as meaning that they have data in different systems, each with its own record ID system, so to aggregate them they need some other identifier.
I doubt it's impossible, it may not even be difficult, to include a consistent surrogate key as a pre-populated (hopefully hidden) data item in a survey, but I'm willing to allow that they haven't thought of it or are using third party software that makes it difficult. But name is both personal identifying information, and highly non-unique. Unless they want to aggregate responses from all participants named John Smith...
EDIT: and the explanation of address is not reasonable at all. Not only is full address far too specific for their professed purposes (and therefore may be illegal under the Data Protection Act) but the actual question only asked for street name and house number - which are in general not nationally unique. They did ask for postcode in an earlier question, meaning the sum of those questions is the person's full address, but the second question is entirely useless for the purpose for which they claim to have asked it.
-
@blakeyrat said in The Saga of OpinionPanel - Malice or Incompetence?:
@carrievs I don't see a point to wasting more of George's time. You've already unsubscribed, you didn't submit the personal information, and he has zero incentive to answer your questions. (Which is probably why he didn't.)
Just move on to a new company.Well I've answered a number of other surveys from them, and George's answers lead me to believe that they're still holding and perhaps using or selling that data.
I want to get to the bottom of this and/or get them to admit that it's bullshit. And it's amusing. I don't care if I'm wasting their time: they're bullshitting me and they can take the consequences.
Additionally, I have a right - legally - to know what data they hold about me and what they're trying to do with it. And "unsubscribed" doesn't sound like they've deleted it. George's incentive to answer - if the fact that I have no intention of leaving him alone unless and until he does - should be that if he doesn't satisfactorily answer my questions, I can make a Subject Access Request which will doubtless waste even more time of Opinion Panel's employees.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
Well I've answered a number of other surveys from them, and George's answers lead me to believe that they're still holding and perhaps using or selling that data.
So?
It's not your problem, and you don't have any power to make it George's problem.
Talk to a regulator if you think you need to, but there's no point in nagging George.
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
Additionally, I have a right - legally - to know what data they hold about me and what they're trying to do with it.
Then ask him that, and reference the relevant bits of law.
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
if the fact that I have no intention of leaving him alone unless and until he does - should be that if he doesn't satisfactorily answer my questions, I can make a Subject Access Request which will doubtless waste even more time of Opinion Panel's employees.
Mention that too. I would try to not make it look like a threat though.
-
@xaade said in The Saga of OpinionPanel - Malice or Incompetence?:
American postal codes don't land you on the person's doorstep
5+4 can.
-
@blakeyrat said in The Saga of OpinionPanel - Malice or Incompetence?:
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
Well I've answered a number of other surveys from them, and George's answers lead me to believe that they're still holding and perhaps using or selling that data.
So?
It's not your problem, and you don't have any power to make it George's problem.
In what way is it not my problem?
It's George's problem because he is a customer support representative and so my problem with their company is his job to resolve.Talk to a regulator if you think you need to, but there's no point in nagging George.
I will take it to a regulator if it comes to that but a reasonable first step is to try and resolve the issue directly with the company. I don't consider sufficient attempts to have been made to deem that to have failed, yet.
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
Additionally, I have a right - legally - to know what data they hold about me and what they're trying to do with it.
Then ask him that, and reference the relevant bits of law.
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
if the fact that I have no intention of leaving him alone unless and until he does - should be that if he doesn't satisfactorily answer my questions, I can make a Subject Access Request which will doubtless waste even more time of Opinion Panel's employees.
Mention that too. I would try to not make it look like a threat though.
If I feel I need to do either of those I will. He's already mentioned the most relevant law - the Data Protection Act - himself.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
In what way is it not my problem?
Because you didn't give your name and address, or did I misread the OP?
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
It's George's problem because he is a customer support representative and so my problem with their company is his job to resolve.
Right; but you're no longer his customer. That was my point.
-
@blakeyrat said in The Saga of OpinionPanel - Malice or Incompetence?:
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
In what way is it not my problem?
Because you didn't give your name and address, or did I misread the OP?
But I've given them data in the past and they may still be (mis)using it.
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
It's George's problem because he is a customer support representative and so my problem with their company is his job to resolve.
Right; but you're no longer his customer. That was my point.
But they still have my data. Also if he can satisfy me that nothing nefarious is being done with my data I may stop telling everyone who'll listen to stay as far away as possible from Opinion Panel.
Why does it matter to you so much that I stop troubling my dear friend George? Are you George? Is he a friend of yours? Can you ask him to please stop trying to give me the run-around?
-
@carrievs Fine. Whatever. Sorry for trying to have a discussion on a forum I guess.
-
@blakeyrat dude, you're the one who started sniping at me. You're the one acting like I'm in the wrong for caring about dubious collection and use of personal data.
And it's not just my data, incidentally. There are a lot of other people potentially at risk if they are doing naughty things. I want to satisfy myself whether this is something I should take to a regulator.
You're the one talking like George's workload is more important than getting to the bottom of this, when he's been bullshitting me and evading my questions - if he's going to make this harder and more protracted than it needs to be, he can deal with that.
What did I say to offend you so? I responded civilly to your comments, and made one joke.
-
@xaade said in The Saga of OpinionPanel - Malice or Incompetence?:
file a complaint on BBB.
This is where knowledge of relevant law helps: they're in a jurisdiction that strongly requires all organisations, private and public, to take proper care of data that identifies people (there are exceptions, but they wouldn't apply here) and to collect as little as possible. (I've done training on this; hated how it made plain common sense seem so difficult due to the horrible Flash app they were using. But online training systems… whatever. And I'm digressing.)
So it's not merely a matter of reporting that the business doesn't appear to be trading ethically, but rather starting the process of getting the authorities involved to stamp this stuff out. (Depending on the outcome of the investigation, etc.) At the very least, from what was said it seems deeply concerning and likely an abuse; the only safe thing in most circumstances is to not collect the sorts of things they're asking for in the first place, so that you can't get busted. The relevant route for reporting it is definitely the page I posted.
(Home address and financial information together? That's basically only for me, my employer, my bank and the taxman to know.)
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
I want to satisfy myself whether this is something I should take to a regulator.
On the basis of what you've said here, report it. Let them investigate.
-
@dcon said in The Saga of OpinionPanel - Malice or Incompetence?:
5+4 can.
How detailed do they go? (UK full codes go effectively to street and block, i.e., splitting longer roads into block-sized segments.)
-
@dkf Depends on how concentrated the area is.
Per https://en.wikipedia.org/wiki/ZIP_Code#ZIP+4, it's narrow enough to go down to blocks or an apartment complex or something similar. However, in a not very populated ZIP code coverage area, it's theoretically possible to identify a single residence from it (I think)
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
I don't consider sufficient attempts to have been made to deem that to have failed, yet.
I fully disagree.
-
@blakeyrat said in The Saga of OpinionPanel - Malice or Incompetence?:
@carrievs Fine. Whatever. Sorry for trying to have a discussion on a forum I guess.
Wasn't discussion there, you gave unsolicited advice in a non-help category.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
They did ask for postcode in an earlier question, meaning the sum of those questions is the person's full address,
With either the address or the postal code, couldn't you look up the other? Canada Post can do it both ways, either the exact postal code for a given address, or an address or block of addresses for a given postal code. E.g. my apartment building is the unique result for my postal code, but my parents' one has some range of houses on each side of their street and another nearby street.
-
@xaade said in The Saga of OpinionPanel - Malice or Incompetence?:
American postal codes don't land you on the person's doorstep, so our postal codes are equivalent to the first half of yours.
ZIP+4 can get you really close. In one apartment complex I lived in, each +4 covered only four apartments in the complex. If the address is a PO Box, it will get you to the specific box (at least sometimes; I don't know for sure if it always does).
-
@e4tmyl33t said in The Saga of OpinionPanel - Malice or Incompetence?:
@dkf Depends on how concentrated the area is.
Per https://en.wikipedia.org/wiki/ZIP_Code#ZIP+4, it's narrow enough to go down to blocks or an apartment complex or something similar. However, in a not very populated ZIP code coverage area, it's theoretically possible to identify a single residence from it (I think)
For areas with smaller numbers of larger houses, a British post code might be one house. In the 70s, my postcode was six dwellings in three "semi-detached" houses (one building, two dwellings). Some kids in my secondary school lived at the posh end of town, where it was one house per post code.
-
@carrievs As well as the ICO, consider sending your concerns to the MRS. I've worked for Market Research companies, and the MRS do take fraudulent/unethical behaviour seriously.
How to complain | Market Research Society | Market Research Society
The Market Research Society (MRS) is the world's leading authority for the research, insight, marketing science and data analytics sectors.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
What did I say to offend you so? I responded civilly to your comments, and made one joke.
He's a Grade A premium blend asshole. He's permanent offended by anyone who doesn't agree with him on everything.
-
@gwowen I used to think I got on fairly well with him. Maybe he's still sore over that time I linked a relevant XKCD a couple of weeks ago.
-
@carrievs said in The Saga of OpinionPanel - Malice or Incompetence?:
I will take it to a regulator if it comes to that but a reasonable first step is to try and resolve the issue directly with the company. I don't consider sufficient attempts to have been made to deem that to have failed, yet.
That's a waste of time, anything they say has a large chance of being bullshit. The only thing useful you could do is reporting it, if you think it's worth whatever bureaucracy you need for reporting it.
