Full Disclosure
Ian Batten
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 18:04:14 +0100
On 29 Apr 08, at 1434, Joel Harrison wrote:
> On 4/29/08, Nicholas Bohm <nbohm@ernest.net> wrote:
>>> ``Is the Phorm UUID personally identifiable data?''
>>
>> I think it depends who is in possession of it. When in the
>> possession of someone who can link it to what is undoubtedly
>> personally identifiable, then so is the UUID.
>
> Certainly - one of the features of the DPA is that whether data
> constitutes personal data depends on whose hands it falls into and
> what other information that person has or is likely to have. It is
> perfectly possible that the UUID is personal data in the hands of the
> ISP (because it can associate the UUID with an IP address and
> ultimately to a user account) and also in the hands of the website who
> gets hold of the cookie (and which has the user's payment details
> stored), but not in Phorm's hands.
But that's the whole ball game, isn't it? The ISP operated (park your
cynicism, and let's assume that the Phorm kit in the ISP network
really is operated by the ISP) kit has access to the UUID and the IP
number associated with that UUID at a specified time. The ISP can
read across from the (IP, Time) pair to get the username under which
the connection was made to the BRAS, and from that username it can
pull up the full account details. It knows the URLs being browsed to
and the contents of forms, and the contents of responses, because of
the Phorm kit. So the ISP can immediately link any access to any web
page which contains specified terms to the name and address of the
account holder.
So the ISP is now actively processing (in order to extract keywords)
material which, in combination with either the IP number or the UUID,
is potentially sensitive personal information. And it's allowing that
to be done on a system at the edge of its network which passes data to
and from a third party with whom the data subject has no contractual
relationship, for the purpose of direct marketing. So it's absolutely
clear that a DPA S.11 notice is germane, and BT must have a mechanism
to cease any of this processing on the receipt (and only the receipt)
of such a notice. Moreover, if the account holder is in a position to
speak for other users --- parents and children, for example --- then
the notice can be served on behalf of multiple users who must be
opted out without their consent, and without the ability for them to
opt back in again.
ian