Full Disclosure

Ian Batten ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 10:52:21 +0100


> I understand that, but it doesn't change the analysis, in particular
> in relation to PECR reg. 6, if the webserver is deliberately accessing
> the value of the webwise cookie, which is the scenario that Ian
> described.  I realise that the webserver receives the webwise cookie
> in any event; by "accessing", I mean that the webserver performs some
> kind of processing in relation to the webwise cookie that it receives,
> rather than just ignoring it.
>
> Nobody is ever going to be liable for inadvertently reading the value
> of a webwise cookie in walking through all the cookies in his own
> domain.  Whether that is what is going on is a question of fact in
> each case.

It's a variation on "be liberal in what you accept, strict in what you
generate".

You can't send data, unbidden, that you're supposed to keep  
confidential, and then impose on the recipient of that data a  
responsibility that you may have towards it.

That's why I laugh at all those stupid "you may not act on this if
you are not the intended recipient" notices: you can't impose such a
duty on me, and aside from some incredibly narrow cases involving
share dealing and official secrets there's no legal basis to even try.

If you hold personally identifiable information, or better sensitive  
personally identifiable information, as a data controller, and you  
give it to random individuals, it's unclear to me if they've committed  
any offence if they treat it casually.  Even if they have, you have as  
well.

And if you are a DPA data controller within the UK, and you pass data  
unbidden to a company outside the UK, at the very best they are due to  
treat it according to their jurisdiction's data protection law, and  
possibly not even that.  And even if you transfer it unbidden to  
companies who then treat it with absolute discretion, you're still  
guilty of not handling it correctly.

All this relies, of course, on the Phorm cookies being personally
identifiable.  My defence would be "ah, but they're not personally
identifiable, the vendor says so".  And then the legal dance would
begin.

ian