Full Disclosure
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 11:16:30 +0100
On Mon, 28 Apr 2008 23:28:49 +0100, Joel Harrison
<joeldharrison@googlemail.com> wrote:
> On Mon, Apr 28, 2008 at 7:16 PM, Ian Batten <igb@batten.eu.org> wrote:
>>
>> On 28 Apr 2008, at 16:06, Joel Harrison wrote:
>>
>> >
>> > I realise that. By "retrieve", I mean "retrieve the value of" - what
>> > I'm getting at is the action taken by the web server to determine and
>> > process the value of the webwise cookie in its domain. Whilst the
>> > webwise cookie is sent to the web server automatically, I understood
>> > that it would require a deliberate step in the website code to
>> > determine the value of the webwise cookie and then do something with
>> > it - without that step, the webwise cookie would be sent to the web
>> > server but no action would be taken on it.
>> >
>>
>> Not if I'm just dumping the contents of all the cookies associated
>> with my
>> domain. Or should all websites keep careful track of all the cookies
>> they
>> might potentially have placed, on the offchance that five years later
>> an ISP
>> may be so deranged as to forge additional cookies for no readily
>> apparent
>> reason? Phorm and the ISP have together forged the cookie; no-one else
>> is
>> under any obligation to help them keep secret what they have placed in
>> plain
>> sight.
>
> Can we assume for the purposes of this question that the web server is
> located in the UK? Otherwise, a number of different issues get
> conflated, and the discussion isn't terribly helpful.
No we can't, because that is not the interesting case.
> If I (as data controller) make a permitted controller-to-processor
> transfer outside the EEA then, again, I'm responsible for whatever the
> processor does. But that's no different from a transfer to a
> processor in another EEA member state, or indeed if the data remains
> within the same EEA member state....
But here we are talking about a cookie that resides on Joe User's machine
and which he transfers to a website (possibly in Peru). So Joe User is the
data conmtroller here (though he might be able to claim in court that
Phorm had incited him to make that unlawful transfer).
> What a magnificent question!
>
> For starters, nobody is responsible here under Article 29 - that's
> just the provision of the DP Directive under which the Working Party
> is established. But that really is beside the point.
>
> Strictly speaking, on the Article 29 Working Party's view Phorm and
> the ISP are making the Peruvian rug-seller an unwitting data
> controller .... Now, this may be harmless enough in
> practice if the Peruvian rug-seller is, as you say, no fan of cookies.
> But what if he is an habitual examiner of cookies, who delights in
> reading the values of whatever cookies he can get his hands on
> (augmenting this with information about the ads that the UID
> generates, just for good measure), safe in the knowledge that, whilst
> he may technically fall within the scope of the DPA, the chances of a
> visit from the ICO are pretty slim? Will I now receive little flyers
> for books on Peruvian privacy law together with my rugs?
And indeed that is the problem. The Bad Guys who want to steal personal
data (for assorted nefarious purposes) are not going to set up their base
within the EU. They are going to enlist Andean Peasants and suchlike to
gather this data in return for a few pennies (which, in the impoverished
Andean economy, will seem like a godsend). Even if the DPA seeks to
extradite the Andean Peasant, that will not get him much nearer to the Bad
Guy who is the real culprit.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5