Full Disclosure

Ian Batten ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 13:29:14 +0100


On 29 Apr 08, at 1136, Joel Harrison wrote:
> On 4/29/08, Charles Lindsey <chl@clerew.man.ac.uk> wrote:
>>> If I (as data controller) make a permitted controller-to-processor
>>> transfer outside the EEA then, again, I'm responsible for whatever the
>>> processor does.  But that's no different from a transfer to a
>>> processor in another EEA member state, or indeed if the data remains
>>> within the same EEA member state....
>>>
>>
>> But here we are talking about a cookie that resides on Joe User's
>> machine and which he transfers to a website (possibly in Peru). So Joe
>> User is the data controller here (though he might be able to claim in
>> court that Phorm had incited him to make that unlawful transfer).
>>
>
> Joe User is the data subject, because the data relates to him.  He's
> not ending up in court, except possibly as a claimant.

The contradiction I'm worrying away at is ``Is the Phorm UUID personally
identifiable data?''

I'd argue it is.

Firstly, anyone who has user-level access to a machine that's been
Phorm'd can trivially obtain the UUID and relate it to name and
address (from, for example, stored email receipts for on-line
purchases).  Secondly, it is trivial for a website which has
legitimate reasons to know a name and address (because of the
aforementioned on-line purchases) to obtain the Phorm UUID by
embedding an https image.

So a wide range of websites can derive the association between UUIDs  
and physical names and addresses, and that association can leak by all  
the weaknesses to which computer systems are heir.  And if the  
association and later release is done in a foreign jurisdiction, there  
is little practically that can be done about it.

And the association can in turn be used by any other website to obtain  
the names and addresses of visitors who believe themselves to be  
anonymous.  V. Bad indeed.  Those websites might be concerned with  
union, religion, sexuality etc, so in fact the UUID can be trivially  
correlated with sensitive personally identifiable information.

BT, of course, can even more trivially associate UUIDs with physical  
names and addresses, because they are intercepting the flow of data  
and can look for names and addresses with fairly simple regular  
expressions and, of course, the fairly stereotyped field names in  
submitted forms.  BT say they aren't doing this, but then they said  
they weren't conducting trials in 2006 and 2007, didn't they?

Therefore because of the ease with which a UUID can be de-anonymised
(in principle, if not in fact) people need to be able to control the
release of the UUID, and anyone who processes it needs to treat it as
sensitive personally identifiable information.  Which will come as a
surprise to people who don't currently believe their website falls
under the aegis of the DPA when they find they are being sent
sensitive personally identifiable information unbidden.

ian
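The correlation Ian describes above (an interception point pairing the tracking cookie with name and address fields from submitted forms, then using that pairing to put a name to visits the user thought were anonymous) as an added worked example. This is illustrative code written for this page, not anything from Phorm, BT or the list; the cookie name "uid", the field-name patterns, the hostnames and the sample requests are all constructed assumptions, and the traffic is modelled as plain HTTP as an ISP-side interceptor would have seen it.

```python
"""Correlate an ISP-visible tracking cookie with identity data submitted in
web forms, then use that mapping to de-anonymise later visits.
Everything here is constructed for the example: the cookie name "uid", the
hostnames and the requests are assumptions, not Phorm's or BT's real traffic."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Assumed name of the tracking cookie and the shape of its (UUID-like) value.
COOKIE_NAME = "uid"
COOKIE_RE = re.compile(
    r"(?:^|;\s*)" + COOKIE_NAME +
    r"=([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)

# Stereotyped form field names that carry name/address data. Matching is
# fullmatch on the field name, so "username" is not mistaken for a real name.
FIELD_PATTERNS = {
    "name": re.compile(r"(full_?name|first_?name|last_?name|surname|name)", re.I),
    "address": re.compile(r"(address_?[12]?|street|addr)", re.I),
    "postcode": re.compile(r"(post(al)?_?code|zip(_?code)?)", re.I),
}

Request = Dict[str, str]

# Constructed sample traffic: one user checks out at a shop (identity data in
# the POST body), both users then visit sites they believe they use anonymously.
SAMPLE_REQUESTS: List[Request] = [
    {"method": "POST", "host": "shop.example", "path": "/checkout",
     "cookie": "session=abc123; uid=4f2c9d1e-8a3b-4c5d-9e6f-0a1b2c3d4e5f",
     "body": "full_name=Joe+User&address1=1+High+Street&town=Manchester"
             "&postcode=M1+1AA&card=4111111111111111"},
    {"method": "GET", "host": "union.example", "path": "/join",
     "cookie": "uid=4f2c9d1e-8a3b-4c5d-9e6f-0a1b2c3d4e5f", "body": ""},
    {"method": "POST", "host": "forum.example", "path": "/post",
     "cookie": "uid=9b7e2f3a-1c4d-4e5f-8a9b-0c1d2e3f4a5b",
     "body": "username=anon42&message=hello+world"},
    {"method": "GET", "host": "clinic.example", "path": "/appointments",
     "cookie": "uid=9b7e2f3a-1c4d-4e5f-8a9b-0c1d2e3f4a5b", "body": ""},
]


def extract_uuid(req: Request) -> Optional[str]:
    """Pull the tracking cookie's value out of the Cookie header, if present."""
    m = COOKIE_RE.search(req.get("cookie", ""))
    return m.group(1).lower() if m else None


def extract_identity(req: Request) -> Dict[str, str]:
    """Find name/address/postcode values in a submitted form body by matching
    the field names against the stereotyped patterns above."""
    if req["method"] != "POST" or not req["body"]:
        return {}
    found: Dict[str, str] = {}
    for field, values in parse_qs(req["body"]).items():
        for kind, pat in FIELD_PATTERNS.items():
            if kind not in found and pat.fullmatch(field):
                found[kind] = values[0]
    # A bare name is not an identity; require a locating field alongside it.
    if "name" in found and ("address" in found or "postcode" in found):
        return found
    return {}


def build_uuid_index(reqs: List[Request]) -> Dict[str, Dict[str, str]]:
    """Map each tracking UUID to the identity data seen alongside it."""
    index: Dict[str, Dict[str, str]] = {}
    for req in reqs:
        uid = extract_uuid(req)
        ident = extract_identity(req)
        if uid and ident:
            index.setdefault(uid, {}).update(ident)
    return index


def deanonymise(reqs: List[Request],
                index: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """For every request carrying a known UUID but no identity data of its
    own, report (host, uuid, name): which named person visited which site."""
    hits: List[Tuple[str, str, str]] = []
    for req in reqs:
        uid = extract_uuid(req)
        if uid in index and not extract_identity(req):
            hits.append((req["host"], uid, index[uid]["name"]))
    return hits


if __name__ == "__main__":
    idx = build_uuid_index(SAMPLE_REQUESTS)
    for host, uid, name in deanonymise(SAMPLE_REQUESTS, idx):
        print(f"{name} (cookie {uid}) visited {host}")
```

The point of the example is how little is needed: one checkout form seen next to the cookie is enough to name every later visit that carries the same cookie, including the visit to union.example, while the second user stays unnamed only because no form with a recognisable name and address field happened to pass by. The fullmatch on field names is the one caveat worth keeping; a looser substring match would turn "username=anon42" into a false identity.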