A friend of mine received an interesting piece of snail mail the other day. It was one of those inheritance scam letters that usually arrive in E-Mail.

An image of the letter is shown below:

privacy compromising letter

In summary, the author, a high-ranking bank official, has an unclaimed inheritance that he is willing to split with the letter’s recipient if the recipient will accept the responsibility of being appointed as the heir to the deceased’s money, etcetera, etcetera.

As you can see, it bears all the earmarks of the traditional scam message. Fortunately, my friend knows a bit about scam recognition, and he sent it off to me so I could enjoy it. He also noted that he was alarmed that this arrived in the mail to his house in the United Kingdom.

From a security perspective, this is quite distressing. The question of how the scammers received his address is not the troubling part, as he has ordered items from Chinese suppliers in the past. Before we get all “judgy,” there are plenty of legitimate items besides phony ID cards that one can order from China. For instance, I am one to enjoy a fine green tea from China, so it is not as if he was doing anything wrong.

The problem that arises is that his information was sold, or perhaps stolen, and has now fallen into the wrong hands. Along with that, he was never given the option to opt into any such data sharing. Nor was he notified if his information took flight due to a breach.

Does this violate GDPR? Of course it does. In fact, it also violates China’s Privacy Standard regulation of 2018, which is supposed to be stricter than GDPR.

Most troubling of all is, what is a person to do in this case? He could report the incident to the “Supervisory Authority,” as described in Article 51 of GDPR, but should he seriously expect the United Kingdom to pursue such a complaint with an unknown entity in China? Does this rise to the level of an international incident? I think not. It should also be noted that China’s Privacy Standard has no clause for the establishment of a similar data protection or governing authority. One can only throw up one’s hands in frustration about how powerless we are when we order items from a country that may not honor our regulations.

The easiest solution, of course, is to not order anything outside of a cooperating jurisdiction; however, in the case of my love of green tea, that is impractical. An alternative is to own a post office box so that your home address is protected. But then all your transactions must be conducted without the use of a credit card or else your billing address will reveal your home address. Also, some merchants will not ship to a post office box.

It seems that while we have reached an era where privacy protections are honored within our individual nations, we have not seen how these can truly operate on an international scale.

I am usually optimistic, but in this case, I am uncertain when the world will bridge that gap.