Full Disclosure
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 14:07:29 +0100
Ian Batten wrote:
>
> On 29 Apr 08, at 1136, Joel Harrison wrote:
>> On 4/29/08, Charles Lindsey <chl@clerew.man.ac.uk> wrote:
>>>> If I (as data controller) make a permitted controller-to-processor
>>>> transfer outside the EEA then, again, I'm responsible for whatever the
>>>> processor does. But that's no different from a transfer to a
>>>> processor in another EEA member state, or indeed if the data remains
>>>> within the same EEA member state....
>>>>
>>>
>>> But here we are talking about a cookie that resides on Joe User's
>>> machine and which he transfers to a website (possibly in Peru). So Joe
>>> User is the data controller here (though he might be able to claim in
>>> court that Phorm had incited him to make that unlawful transfer).
>>>
>>
>> Joe User is the data subject, because the data relates to him. He's
>> not ending up in court, except possibly as a claimant.
>
> The contradiction I'm worrying away at is ``Is the Phorm UUID personally
> identifiable data?''
>
> I'd argue it is.
>
> Firstly, anyone who has user-level access to a machine that's been
> Phorm'd can trivially obtain the UUID and relate it to name and address
> (from, for example, stored email receipts for on-line purchases).
> Secondly, it is trivial for a website which has legitimate reasons to
> know a name and address (because of the aforementioned on-line
> purchases) to obtain the Phorm UUID by embedding an https image.
>
> So a wide range of websites can derive the association between UUIDs and
> physical names and addresses, and that association can leak by all the
> weaknesses to which computer systems are heir. And if the association
> and later release is done in a foreign jurisdiction, there is little
> practically that can be done about it.
>
> And the association can in turn be used by any other website to obtain
> the names and addresses of visitors who believe themselves to be
> anonymous. V. Bad indeed. Those websites might be concerned with
> union, religion, sexuality etc, so in fact the UUID can be trivially
> correlated with sensitive personally identifiable information.
>
> BT, of course, can even more trivially associate UUIDs with physical
> names and addresses, because they are intercepting the flow of data and
> can look for names and addresses with fairly simple regular expressions
> and, of course, the fairly stereotyped field names in submitted forms.
> BT say they aren't doing this, but then they said they weren't
> conducting trials in 2006 and 2007, didn't they?
>
> Therefore because of the ease with which a UUID can be de-anonymised (in
> principle, if not in fact) people need to be able to control the release
> of the UUID, and anyone who processes it needs to treat it as sensitive
> personally identifiable information. Which will come as a surprise to
> people who don't currently believe their website falls under the aegis
> of the DPA when they find they are being sent sensitive personally
> identifiable information unbidden.
``Is the Phorm UUID personally identifiable data?''
I think it depends who is in possession of it. When in the possession
of someone who can link it to what is undoubtedly personally
identifiable, then so is the UUID.
I think you have identified a wide range of cases where exactly that is
the case. And a webhost who could make the link, but discards UUIDs, is
in fact still processing them by discarding them. But that won't put
them high on the ICO's hitlist.
Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF