Is RedZone Just Like Google?

14 02 2011

RedZoneophiles do get a bit repetitive. In the hope that they can prove black is white through repeated assertion, they tell anyone who dares disagree that RedZone is allowed by Linden Labs TOS (see elsewhere on this site – that is false), that it is legal, that IP addresses are not private information (an example of the logical fallacy of equivocation), and so on. In this forum, this weekend, zFire accused me of not knowing that websites gather IP addresses! And the latest mantra seems to be that if we object to RedZone, why don’t we object to the information gathering by Google?

So here is the answer. In short, the answer is that Google complies with the law, and RedZone does not.

But that is not the whole story. First, it is only fair to say that Google does not always comply with the law. In November Google were taken to task by the Information Commissioner in the UK over their data gathering activities when building Streetview. As a result of this breach of Data Protection Law, Google are now under audit over their data protection practices in the UK.

What happened was this: Streetview cars took photos of streets, as they do, linked to GPS for use on their street view service. There is nothing wrong with doing this. Where Google fell foul of the law was in the activity of one of their engineers who also collected data of Wireless Access Points as the cars travelled the country.

Note that what the engineer collected was the SSID of the access points. For those unfamiliar with the protocol, the SSID includes network name and a MAC address of the access point which is transmitted in the WiFi beacon frame.

To be clear, these beacon frames are broadcast in the clear precisely because they announce service set information to anyone in range of the access point. No one would be foolish enough to suggest the information is “private”.

But the collation of the data breached the Data Protection Act because it was done secretly, with no opt outs, was linked to other data allowing profiling (the GPS location) and was also not collated for a stated purpose. The ICO was quite clear that this was a serious breach of the Data Protection Act.

Notice the similarities with RedZone (not in scope – Google’s breach is orders of magnitude larger – but in the principles that they are in breach of).

So, yes, I do object to Google’s data collation activities when they breach the law, just as I object to RedZone’s activities.

But the people comparing RedZone with Google are not, in fact, thinking of this incident (or some related incidents in other countries). They are thinking of the profiling Google does on its own website.

Why are RedZone not like Google? Because unlike Google, RedZone do not have a legally compliant data protection policy, nor could they: if they did, their business model would be destroyed.

Let’s look at some paragraphs of Google’s privacy policy to see why:

1. Google are up front about data collection. It is right here – what they collect and why:

We may collect the following types of information:

Information that you provide – When you sign up for a Google Account, we ask you for personal information. We may combine the information that you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services.

I snip here for brevity in this message, but feel free to take a look at the full list of data they collect on the privacy policy on their website.

2. They state the purpose of data collection:

In addition to the above, we may use the information that we collect to:

Provide, maintain, protect and improve our services (including advertising services) and develop new services; and
Protect the rights or property of Google or our users.
If we use this information in a manner different to the purpose for which it was collected, then we will ask for your consent prior to such use.

Note carefully: Google will ask your consent before using data for a purpose other than that for which it is collected. They MUST do this as it is a principle of law in EU countries and many other localities. Thus, if you gather IP log data and you wish to use it for some purpose other than the systems administration purposes for which such logs are intended, you MUST ask consent. No consent = no legal use.

Next, principles of fair collection:

Choices

You can use the Google Dashboard to review and control the information stored in your Google Account.

Big snip. But in essence, Google explain to you how to avoid providing them personal information if you do not wish to do so. RedZone offers no such choice.

Then this is a key principle:

Information sharing

Google only shares personal information with other companies or individuals outside Google in the following limited circumstances:

We have your consent. We require opt-in consent for the sharing of any sensitive personal information.

Snipping here – Redzoneophiles thinking I snipped something pertinent, go read the privacy policy. In essence though, Google will only share your information with users or customers of their service with your consent. Again, this is a principle of data protection law that RedZone is in breach of. The selling of personal data gathered by RedZone without our consent or opt out is a clear breach of data protection law.

Next:

Information security

We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data.

zFire makes our information available for free, so fails on this point. He does offer to hide the actual IP addresses used, but his information security measures are frankly not appropriate for a serious business. I have audited his security and there are some significant failings.

Another key principle of the law is our right to access information about ourselves. Google has this here:

Accessing and updating personal information

When you use Google services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request, if it is not otherwise required to be retained by law or for legitimate business purposes.

For Redzoneophiles saying alt detection is a legitimate business purpose: no it is not, because it is not proportionate. You could argue for the retention of personal information about customer transactions, certainly. Also account information about people who have been verified as copybotting (as long as the subject retains the right to inspect the data and have inaccuracies corrected). What you cannot hold onto is all information about everyone – even if you had fairly collected the data. And, of course, the data is not collected fairly and thus none of it may be held.

Google provide a clear process for data subjects to access their information, and verify it, correct it or have it deleted. RedZone has nothing but an “appeal” to the person who illegally harvested it in the first place and tells you that you will be muted if you kick up a fuss!

So we come to:

Enforcement

Google adheres to the US Safe Harbour Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the US Department of Commerce’s Safe Harbour Programme.

I have mentioned this in previous messages. The Safe Harbour Programme allows companies to register and audit their privacy policies and data protection policies with a body in the US, and as long as they comply with this in good faith they will be immune from prosecution in EU jurisdictions. zfRedZone does not participate in this programme, but does collect data on EU citizens and sells to other EU citizens. It is thus liable to EU data protection law, as well as similar sanction in its own jurisdiction.

So in summary, Google collects and handles data legally. RedZone does not. That is the reason we object to RedZone spyware and the lawbreakers who operate it.

10 responses

15 02 2011
Bazil

Question, what about the fact that WordPress logs the IP address of people who comment, allowing you to ban comments based on the IP address? Not to mention that this RedZone thing apparently does not show people the IP addy, but WP does.

15 02 2011
no2redzone

As I have said elsewhere on this site, that use is permitted – particularly as you are asked to volunteer your personal information, but not required to do so. What would be illegal would be a system where I share your IP address with lots of other WordPress sites to try to identify or profile you.

Please go and look at the post about RedZone and personal data on this site. After reading that, hopefully you will understand the issue of personal data.

15 02 2011
Unya Tigerfish

Makes you wonder if Scott Adams is on SL right now…

15 02 2011
Unya Tigerfish

(Killed my link)

15 02 2011
no2redzone

Oh that is excellent! I want to make that a header image or something!

15 02 2011
Unya Tigerfish

It’s today’s strip at http://www.dilbert.com – there is a link to “buy” the strip, maybe you purchase the right with that to use it on your page? No idea honestly.

15 02 2011
no2redzone

Hmm $100 for the license based on current visitor numbers. I like it, but maybe not that much. I will think on that some more.

Thanks again

16 02 2011
Unya Tigerfish

… if you use it corporately/commercially. I think to understand for a non-profit there is no licencing fee? There is an HTML embed link given, so there must be a reason for it?

16 02 2011
no2redzone

You are right, thanks. Permission is given to embed the strip on a web site “provided that it’s for your personal, non-commercial use”. I will embed it :)



