Full Disclosure
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 19:07:31 +0100
On 4/29/08, Ian Batten <igb@batten.eu.org> wrote:
>
> On 29 Apr 08, at 1434, Joel Harrison wrote:
> > On 4/29/08, Nicholas Bohm <nbohm@ernest.net> wrote:
> >
> > > > ``Is the Phorm UUID personally identifiable data?''
> > >
> > > I think it depends who is in possession of it. When in the possession of
> > > someone who can link it to what is undoubtedly personally identifiable, then
> > > so is the UUID.
> > >
> >
> > Certainly - one of the features of the DPA is that whether data
> > constitutes personal data depends on whose hands it falls into and
> > what other information that person has or is likely to have. It is
> > perfectly possible that the UUID is personal data in the hands of the
> > ISP (because it can associate the UUID with an IP address and
> > ultimately to a user account) and also in the hands of the website who
> > gets hold of the cookie (and which has the user's payment details
> > stored), but not in Phorm's hands.
> >
>
> But that's the whole ball game, isn't it? The ISP operated (park your
> cynicism, and let's assume that the Phorm kit in the ISP network really is
> operated by the ISP) kit has access to the UUID and the IP number associated
> with that UUID at a specified time. The ISP can read across from the (IP,
> Time) pair to get the username under which the connection was made to the
> BRAS, and from that username it can pull up the full account details. It
> knows the URLs being browsed to and the contents of forms, and the contents
> of responses, because of the Phorm kit. So the ISP can immediately link any
> access to any web page which contains specified terms to the name and
> address of the account holder.
>
> So the ISP is now actively processing (in order to extract keywords)
> material which, in combination with either the IP number or the UUID, is
> potentially sensitive personal information. And it's allowing that to be
> done on a system at the edge of its network which passes data to and from a
> third party with whom the data subject has no contractual relationship, for
> the purpose of direct marketing. So it's absolutely clear that a DPA S.11
> notice is germane, and BT must have a mechanism to cease any of this
> processing on the receipt (and only the receipt) of such a notice.
> Moreover, if the account holder is in a position to speak for other users
> --- parents and children, for example --- then the notice can be served on
> behalf of multiple users who must be opted-out without their consent, and
> without the ability for them to opt back in again.

Yes! But I've been saying that for some time - the ISP may well be
processing personal data even though Phorm may not. And Nicholas has
made the same point in his legal paper to the Home Office.

The threshold for "processing" personal data is deliberately
incredibly low under the DPA. For practical purposes, anything that
is done with the data is processing. So, even taking a web page
containing personal data and "anonymising" it is a form of processing
which, as I've said (see e-mails passim) needs to comply with the DP
Principles - and if the page contains sensitive personal data then, in
practice, explicit consent will be required.

And bear in mind that it is the explicit consent of the data subject
-- the person who can be identified from the data -- that is required,
and this is not necessarily the user. (For example: if I log on to a
web-based e-mail system that isn't on Phorm's blacklist, and read an
e-mail from a friend about his medical condition, that page contains
sensitive personal data about my friend; and his consent, not mine, is
required for the processing.)

I'm adopting a pretty strict approach to the DPA here, and it may be
that the ICO is more relaxed in view of the assurances that it has
been given about who knows what and when. But, strictly, processing
will take place even if it is only for a scintilla of time and if the
first act of processing is to strip out any data that might be used to
identify the individual. And if Phorm tries to roll this out to
continental Europe, it will find itself confronted with a bunch of
privacy regulators whose approach to enforcement is very much more
rigorous than our own.

Joel