Originally Posted by James_Firth
Hi everyone. I'm a consultant been following the data profiling debate for a long time.
This is in my view a pretty serious misunderstanding. An IP address in itself *could* possibly be treated as personally identifiable information, because it could be traced to a living person.
But this is not the issue here. IP addresses are pretty much irrelevant as far as Phorm is concerned because Phorm scan the CONTENT of the IP stream to build a profile of an end user.
In my view the content of an IP stream potentially carries a large quantity of personally identifiable information, irrespective of whether the connection is rented by a Limited Company entity or a private individual.
The IP address itself is a red herring.
For example, a small news agent subscribes to a business broadband service. The owner of the news agent uses an unencrypted web-based email service set up and run by a third party. In the course of their business, the news agent will send and receive emails which may contain personal information about their employees or customers. E.g. employees providing an update on medical absences, customers ordering newspapers and magazines, which could belie religious, sexual and political preferences (e.g. specialist Christian magazines, right-wing newspapers, trades magazines).
One could argue that perhaps the business has been negligent in the protection of their customer and employees information by not using encryption, but this would be harsh since in my guesstimation many millions of emails are sent every year by businesses containing low-grade PII for various reasons.
And since even if the web interface was encrypted, the email itself would still be transmitted unencrypted to the recipient mail server, I think this point can safely be dismissed. After all, most people would happily telephone their employer and explain an embarrassing medical ailment, or phone their newsagent to order a magazine, and phone lines aren't encrypted. Nearly every UK ISP also runs a telephone service so I would argue parity here between email and telephone security, although I accept this is far from a simple comparison.
The issue here is that the IP stream itself contains PII, and that, in my opinion, it is not possible to accurately pre-filter all PII from the stream before profiling. Especially considering that there are a wide range of web-based message-passing communication services (social networking, professional discussion groups, religious groups, trades unions, etc), not all communications are in English, that there are an undeterminable number of methods of restricting access to web pages (non-standard authentication mechanisms), and the internet is used to communicate all manner of personal issues, including victim support groups, medical support groups, etc etc.
James Firth
Dalton Firth Ltd
EDIT
Forgot to mention that the other side of the coin is whether a profile of information can be linked to a living person. In the residential case, this is easy enough to argue, there is one user ID per individual. So long as there is some method of linking the ID to an account, e.g. network monitor within the ISP to link ID to account, or ID leaking as described by Richard Clayton, then the profile can if necessary be linked back to an individual. For a business this is harder to prove, however I can see an example where the person has a very strange name, and the profiler stores this name along with the other keywords from an email. It may, and this is a contentious point, be possible to link back. I think another way of looking at it would be to ask the ISP or software vendor (Phorm) to prove that it will NOT, under any circumstances, be possible to do this. And by prove I don't mean say: we've looked at this and it won't happen.
EDIT 2
In a business a user could be allowed to use the internet for personal use, e.g. lunch times and after work. They may also sit at the same desk each day and use the same computer. In this case the Phorm ID would be linked to that computer, and hence that employee, although to actually make this link one would need to either rely on Phorm leaking the ID as described by Richard Clayton or have a network sniffer in the company itself, to deduce the IP address of the machine. Either way it's a thin argument from the ICO to claim that a business subscriber has no claim to protection because the users of the connection would still be people and the data could still relate to individuals.
|