Earlier this year, we had some trouble with an Office 365 setup, but I can think of a dozen companies a similar experience could have happened with...
On this day, and as often happens with the site, actions seem to lag (i.e. you create an account or a service, but it does take time to provision). This led to an error where we had too many accounts added. Rather than risk someone being billed the wrong amount we attempted to contact them. That's where things got a bit murky.
The call went in through the normal toll-free number, but we had trouble connecting. Eventually after some phone tag, we were contacted by a person we had great difficulty understanding. Not only was the call quality poor, but I am not sure the person had adequate English ability.
At the end of the call I was asked to do a survey.
Considering that the call was rather difficult, and involved much confusion where the agent wanted to control my screen (WHY?), I decided to take the survey.
In particular I was frustrated with 3 things:
- that the agent wanted to control my screen to make changes to my account
- a language issue
- a call quality issue
At any rate, I completed the survey fairly and with detail in my comments - I thought perhaps the issue was related to the agent being assigned to the wrong queue. I wouldn't do very well myself if I was in any queue other than English so I was careful to point out the specifics of my concern - likely it wasn't the agent's fault.
What happened next though scared me a bit. I got a phone call from an out of country (non-Canadian) cell phone minutes after I ended the call. I answered, and it was the agent, and they were quite upset with my survey results.
This seemed like another failure of the internal systems in place. I don't believe my survey results should be shared with the agent in a way that identifies me / that could have them contact me directly - especially on their own cell phone!
While I understand and sympathize that they might have been upset I didn't give them a positive rating, again the issue was one of process and control, and possibly access to private information within Microsoft's system.
There are ways to attempt to ensure your data is stored in your desired country. But if their own internal processes allow agents in other countries to access your personal information - can / should we feel comfortable?
People in tech say security by obscurity is no security at all, so perhaps this is a reminder to us all? Big clouds can make our data a tiny drop in a massive pool. But if that system doesn't protect us from people within that system, are we really secure?
Proper audits, access controls, oversight. There does have to be a trust between the client and the provider and I have to admit this broke my trust.
There was an investigation of course. But no results obvious to us.
Could it be that the obscurity cuts both ways? An agent or a tech in a massive multi-national company with subsidiaries and complex structures. Who is really helping you and how do you know? Are they held to the same contracts and laws as the people you signed up with?
With a smaller company, perhaps the obligation to keep a high standard is reinforced by the personal accountability of knowing whom you are dealing with?
It is interesting to consider the risks in a global economy where many companies outsource large parts of their operations to others often in other jurisdictions.
Accountability and trust is a terrible thing to lose, eh?