RedZone and Personal Data

1 02 2011

1. Are IP addresses Personal Data[0] in English Law?

In brief: IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown. This is the position of the EU Data Protection Working Party and the Information Commissioners Office in the UK[1].

2. Does zfRedZone storage and processing of IP addresses meet the definition of profiling?

Only the courts can take a view on this, and to date there is no applicable case law. However, there is a prima facie argument that zfRedZone is using IP addresses, and especially static IP addresses to build profiles of users of the Second Life service. zfRedZone does not have easy access to the names of the individuals using the service, but does collate and profile users of the service, including the locations visited by their Second Life Avatars, their universal unique identifiers, and their alternate accounts. The zfRedZone neighbourhood watch website also allows customers of its service to make reports against profiled users, and these reports together with the profiles certainly constute personal data under the Data Protection Act (1998).

3. What principles of the data Protection Act apply to processing of this personal data?

All eight principles of the Data Protection Act apply. These can be found here:

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx

4. What requirements of The Act are not being met by the zfRedZone service?

The first principle of the Data Protection Act states that: “Personal data shall be processed fairly and lawfully”. In practice this means that you must:

  • have legitimate grounds for collecting and using the personal data;not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

The zfRedZone service does not meet the requirement for fair and lawful processing because the data is often inaccurate and clearly can have unjustified effects on individuals concerned. A simulator ban given to a user because the service determines incorrectly that they are a banned user’s alternate account (alt) constitutes an unjustified denial of service for an individual. This can commonly happen because a web proxy service is being used by a user accessing the service such that the reported IP address of the user is that of the shared proxy. An example of such a case would occur in a university, where web proxies are widely used to reduce bandwidth costs and improve service performance, and where many of the students and staff at the university could potentially be users of the service.

Redzone also fails to provide users appropriate privacy notices, or indeed any notice that their data is being collected. This is a clear breach of the first principle of the Data Protection Act, and the Information Commissioner has made it clear that any service that secretly harvests personal data without providing an opt out mechanism for the users of that service will be in breach of the first principle of the Data Protection Act.

If a service is not complaint with the first principle of the act, the act states that the data SHALL NOT be processed. That is to say, it is a breach of English Law to process such data about British nationals. Similar laws apply in all other European jurisdictions.
Other principles of the Data Protection Act are not being met by the zfRedZone service, including principle 4. Data collected is not accurate (see above), neither is there a suitable means to ensure that inaccurate data can be corrected or removed – in particular because users are not notified of the data collection.

5. Will the maker of zfRedZone be prosecuted under the Data Protection Act?

The short answer is almost certainly no.

However, this does not mean that the product is lawful. Rather there is an issue of cost considered against potential and actual harm caused. Because some of the legal issues around IP addresses being personal data have no attendant case law, the legal effort required to file a case against the maker of zfRedZone is substantial, and the cost is likely to be excessive.

This must be weighed against potential for harm. Whilst zfRedZone almost certainly is in breach of the Data Protection Act in English law and equivalent laws in other European jurisdictions, the actual harm caused amounts to a partial denial of service for some users, and a loss of privacy for some others. Quantifiable damages based on this harm would likely be small, and would not justify the costs of litigation.
A similar principle protects the content creators on the Second Life service who use images for which they do not hold the copyright or logos for which they are not the trademark holder when creating content on the service. Whilst such abuse of the intellectual property of companies and individuals in this way is widespread on the Second Life service, it is unlikely – except in a very few high profile cases – that rights owners will bring litigation against those using their intellectual property in this way.

If it is unlikely the maker of the zfRedZone service will be prosecuted, it is impossible that individual users of the service will be prosecuted, as the Data Controller under the terms of The Act is the zfRedZone author and not the customer base.
Thus users of zfRedZone need not fear legal redress for their use of the service, but they should be in no doubt that it is unlawful.

[0] On the redzone site, zFire Xue gets rather confused between “personal data” and “private data”. He seems to think the definitions are co-extensive, which is not the case. Personal data in law is data about living individuals, and may or may not be in the public domain. An IP address can be thought of much like a real world address. My real world address is not privated data. I can be found using electoral records and other such means. However, if someone collects my real world address, and collates that with information about me such as “this person is nasty” or “this person is gay” or “this person is a jew”, then this becomes collated personal data, and is controlled for reasons that ought to be obvious. Notice it is also not necessarily a secret if I am the above things. It is the collation of the profiled information that makes this personal data.

Thus whether IP addresses are “secret” or not is quite irrelevant. The issue here is that the redzone software collates IP addresses along with personal profiles about individuals based on other personal information and then distributes those profiles to customers. This is what is illegal.

[1] The more detailed explanation for the above summary is as follows.

The Data Protection Act (1998) regulates the collection and use of personal data. If data is not personal data it is not caught by the Act – but it is not always obvious whether data is personal data or not. An IP address in isolation is not personal data because it is focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!’s disclosure of information about a journalist to Chinese authorities. The Commissioner wrote in his report: “an IP address per se does not meet the definition of ‘personal data'”. However the commisioner went on to say that in the hands of a website operator, it can become personal data through user profiling. The website operator need not know the individual’s name for the IP address to constitute personal data. The identifying nature of the IP address combined with the personal nature of the profile data makes the IP address personal data under the Data Protection Act.

In 2001, the then Information Commissioner, Elizabeth France, acknowledged the difficulty of using IP addresses to build up personalised profiles. “It is hard to see how the collection of dynamic IP addresses without other identifying information would bring a website operator within the scope of the Data Protection Act 1998,” she wrote.”Static IP addresses are different. As with cookies they can be linked to a particular computer which may actually or by assumption be linked to an individual user. If static IP addresses were to form the basis for profiles that are used to deliver targeted marketing messages to particular individuals they, and the profiles, would be personal data subject to the Data Protection Act 1998.”

Similar guidance came from an independent EU advisory body called the Article 29 Data Protection Working Party. It wrote in November 2000: “The possibility exists in many cases, however, of linking the user’s IP address to other personal data (which is publicly available or not) that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, use of a unique identifier) or modern data mining systems linked to large databases containing personally-identifiable data on internet users.”

Peter Scharr (the German Federal Data Protection Commissioner and Chairman of the Article 29 Working Party) confirmed the position in the UK in relation to IP addresses remains as per the Information Commissioner’s guidance above (subject to the Courts taking a different view). He also stated that ALL IP addresses should be treated, by companies using them, as personal data as ultimately only the Courts can decide for certain whether they amount to personal data and therefore, companies should exercise caution.

Advertisements

Actions

Information

12 responses

4 02 2011
Unya Tigerfish

Excellent analysis, *by far* exceeds my own layman one. Wonderful!

6 02 2011
Azure Twine

There is legal precedence whihc has been set.
https://www.privacyassociation.org/publications/2011_01_12_regulators_using_analytics_may_mean_legal_action/

Germany is very specific that the tracking of IP addresses violates their privacy laws. Also, there are RL examples of how revealing information about someone on the internet has cost them more than the ability to shop in SL. Consider a person who uses their main AV for business. they have RL info revealed on that Avatar. On the weekends maybe they like to use SL as an alt to enjoy the more recreational aspects of SL. Now this alt and their main is linked and they could lose their RL job, be stalked, harassed, etc.

7 02 2011
Joanne Furlough

I hear you talking about UK law, and German law. IANAL but does that matter? if zFire, or whatever his name is, is in Iran, or in Nigeria, or on Sealand, would there be a legal leg to support these claims? sure, you may be able to file suit in absentia, but that won’t do anything but prevent them from going where they aren’t going already. you could try filing suit in the country they are located in, but I don’t know how successful the case would be, it would be entirely dependent on the laws where the case was filed

7 02 2011
no2redzone

Thanks Joanne. zFire is in the USA. The point of this article is not that I intend to file suit – I specifically point out that prosecution would be extremely hard and it is unlikely anyone will consider it worthwhile to do because the issue is somewhat limited in scope. The point of the article is to say that prosecution or otherwise, this data collection is illegal in Europe, which it is.

The fact that zFire is outside Europe does not preclude the possibility of a prosecution, however. If any part of zFire’s operation processes data in the EU, then a European prosecution is possible. Furthermore, as zFire sells the illegally collected data to citizens of the EU, the law applies to him.

Specifically “The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process the data (i.e. the customer’s computer). As a consequence, the website operator would have to comply with the European data protection rules”

So yes, zfRedzone is illegal, and the maker is breaking EU law.

The EU and the US have a “Safe Harbour” agreement that allows a company in the US to agree to comply with the principles of EU data protection legislation (and the OECD definition from which it derives). Companies that register and comply in good faith with the safe harbour principles will be immune from prosecution in the EU over breaches of this legislation. Linden Labs, for instamce, have so registered.

zFire and his company are not registered with the Safe Harbour scheme and thus he remains liable to prosecution in the EU.

No, I do not intend to prosecute myself. That would be an expensive waste of money. Nevetheless I will be raising the issue again with the ICO, if the service has not collapsed or been banned by Linden Lab in the meantime. I don’t think the ICO will wish to act either for these reasons:

1. The scope of the offence is limited by the Second Life World size
2. In order to bring a prosecution, the ICO would need to work with Linden Labs to obtain records of zFire’s real life details and all financial records.
3. The extent of the harm, at this time, is not demonstrably sufficient to justify the very large costs of an investigation and international prosecution. If this was Linden Labs doing this, it might be different. But this is a spotty kid using his home Macintosh computer in his basement.

But who knows. Maybe the ICO will wish to take a firmer line. Just don’t hold your breath!

But once again, in summary: zFire is a committing a criminal act in harvesting personal data and selling to his customers.

8 02 2011
Draconian Hax

You should look at this from the technical point of a network administrator.
I will make short and simple about collecting visitors ip address.
Run for example a web server on your computer (lets say apache, lets say install lamp (http://en.wikipedia.org/wiki/LAMP_(software_bundle) and you will have it running very fast – databases and all.

Once you do and have people visiting your site, you will get access to the logs of what visits your computer YOUR computer. Weather that computer is yours or a rented server.
YOU have the whole right to see whats going on on your system or system that you pay for. Its called network system administration.

Same thing for any good firewall. It will collect all the logs and even give you the IP location.

Once again; the post is interesting reading but showing lack of specific knowledge regarding systems administration and not really educating the users about the real problem here. Most of this information does not directly apply to redzone.
This is not the correct approach to win the cause and if zF spends some time explaining how “things work online” he will win most of the arguments.

And by the way … everything online gets logged. Even those free proxies so called anonymizers.

For those so very concerned about data protection; maybe you should look at your own ISPs DATA retention policies. That will make SL look like tiny hairs.
Everything you download and upload gets saved there for a certain period of time (yes even cybersex) and this is data retention.

Another thing:
data protection, ip collection, ip tracking, data mining, traffic sniffing, network scanning, are not the same as building an IP database. building an ip database is only personal data for the creator that builds the database as the database will now become his personal data and you are only helping him with your own post.

Since you are a wordpress user you can also have access to all the ips that come here to post and if you cannot use that plug-in; simply host wordpress yourself. You can build your database and even use something like webalizer, Google Analytics or StatCounter etc (http://webalizer.bzhtec.com) and leave it accessible to visitors like many many sites do.

This post needs serious update and i recommend that the author talks to a network systems administrator.

redzone is a crappy tool that i will not defend in any way (quite the opposite) and that can be used in a devious manner, but these arguments will only help the red zone creator to prove his opposition is wrong.

This is a very messy comment:
“zFire is a committing a criminal act in harvesting personal data and selling to his customers”

Harvesting personal data by collecting ips ? Don’t use a firewall that logs everything because you will do the same. Is he doing DPI ? Collecting ips is not personal data, collecting ips is done by any web hosting service have you heard of alexa or google stats which will then after building a database; have their “personal data”.
Over 75% of the internet ips will change after the user reconnects its modem.

As for selling the “ips”. Well take a look at internet spam and blacklist IP databases. Many times and due to dynamic ips; what was once a used to spam ip is now a legit ip given to another person who will be blocked on many services due to it’s previous usage. These databases are free and always updated.

The problem has to be seen how the ip is collected and how can it be used against the residents by other residents.

If he has done his “homework” properly i wonder if he can sue you or not for damaging his business. I would recommend you spending sometime with a network administrator.

“The first principle of the Data Protection Act states that: “Personal data shall be processed fairly and lawfully”.
His database is his data. You are helping him. Receiving the ips is like googlestats receives them from “your site”.

You intention is good but need to look at this from a different angle.

8 02 2011
no2redzone

Thanks for taking the time to comment, Draconian. However I am sorry to say you are quite wrong. If you actually read the post this time, you will see that:

1. I am perfectly aware that we systems administrators collect IP logs for systems administration purposes, and that this use is not illegal.

2. That it is not the IP data collection alone that makes this personal data in law but the linking to a web profile.

3. That the issue here is that the usage does not comply with data protection law. There is no consent express or implied. The data is inaccurate and it is not being used for the purpose for which IP data may be collected in law. For these reasons, yes the data collection is certainly illegal in Europe.

To be clear on this point, if I use the logs of this website for security purposes (detecting attempts at HTML or SQL injection attacks for instance), or if I use the logs of this site to create an aggregated profile of the visitors by, say, country – based on the IP data (still not very accurate of course), then I am not in breach of the data protection principles because the data is not personal data in law. That is the view of the Information Commissioner’s Office and is found in case law. Nevertheless, if I aggregate my logs with the logs of other website owners to build a profile based on the user of your IP address, then (and in particular if your IP address is a static IP) that profile constitutes personal data in law and I am in breach of the act.

His database is not his data. It is just data. He is the Data Controller in law, and as I have explained, he has a legal duty to EU citizens that he has not complied with.

And no he cannot sue me for damaging his business because:

1. I have no contract with him.
2. His business is illegal.

Thank you for taking the time to comment, but please read up if you wish to reply again. I think you missed the nub of the argument. Maybe I expressed it poorly. If so, please ask what is unclear and I will try to reword it.

8 02 2011
Azure Twine

no2redzone was faster at replying than I was 🙂

I log IP addresses, I have done so for years. All quite legal. You are using the tired old strawman argument of IP addresses being public information and regularly logged.

Yes, web browsers log IPs, my security program on my server logs IPs, Google tracks your IP…all perfectly legal. Where it becomes an invasion of privacy is when that information is linked to personal data about you that can then be used to triangulate and track you.

Most websites have published privacy policies. Even Linden Lab does. I never agreed to allow redzone dude to scan and store data on me. He uses a flaw in the media protocol of second Life in order to do so. When I arrive at a site that has redzone active, they don’t tell me. He links avatars based on IP address which has the potential of revealing Real Life information about an avatar that was not revealed by the avatar’s owner.

Ask yourself this, if it was perfectly legal, why hide behind an LLC and a Christmas Island domain? Why not get a real domain? If he wasn;t breaking any laws or was not afraid of being sued, why have an LLC?

I have been a network administrator so your argument does not fly with me. I never linked an IP address to a login. I used my logs for statistical analysis only. Everyone has the right to have the Second Life of their choosing as long as they do not break and of the TOS or Community Standards. And that includes being able to have an alt for whatever reason. Not all alts are created for nefarious purposes and not all people who are standing up for our right to privacy are copybotters. The whole copybot thing is a smokescreen for publishing alts and using that informaiton to stalk people, harass them and grief them.

10 02 2011
22 02 2011
Amelia

I read through the privacy acts of some other countries (Australia and New Zealand), and RedZone’s information collecting and storage activities would appear to be in violation of those too. Here is a link to the Australian ‘National Privacy Principles’ website if anyone is interested in reading the privacy laws of that country:

http://www.privacy.gov.au/index.php?option=com_icedoc&view=types&element=infosheets&fullsummary=6583&Itemid=1021

The way I read it, in Australia, you can’t collect personal information the way RZ is doing, you can’t share it with others, you must get the person’s consent to your collecting their information, and by law you must allow the person you have collected the information about to access that information…and it does not matter if the person who collected the information is from another country, the laws still apply. And New Zealand’s laws, if anything, appear even stricter. So, this seems to be very much in line with policies from America and the EU regarding privacy. RedZone violates laws in all these countries. Australia and New Zealand also have very comprehensive laws about disabled people being able to access all the same things that able people are, so if anyone starts banning the deaf simply because they don’t have volume switched on to their viewers…well, that’s a definite violation of the discrimmination laws of these countries.

In my view, banning alts simply for being alts is a form of griefing…and also a great way to get rid of half or more of your paying customers, thereby causing a loss in profits far greater than the copybotters could take from you, surely! Alts are people too…people with lindens.

22 02 2011
Amelia

I just read someone saying that RZ creator has a Christmas Island domain…Christmas Island is very close to Australia and reliant on Australia for much of its income. It’s kinda sorta a part of Australia. Australia uses the island to house and process its asylum seeking refugees, for instance, which is one of the big income streams for the country. I suspect the good folk on Christmas Island would be very obliging if the laws of Australia (such as privacy laws) were being violated on their soil, and might well rush to shut the domain down, if Australian legal authorities were to ask them to.

Australia is set to get an internet filter in the future. I have heard that internet filters can potentially wreak havoc with the way RedZone collects its IP data, and cause people in that country to register as having a tonne of alts. I am not sure if that is true, but if it is…I can’t imagine it would be a good thing to ban so many in a nation of that size!

6 03 2011
Merlin Leominster

Well there are several fallacies regarding greenzone as well, it lists spyware,maleware, or even a virus has been detected by, and no2redzone dont argue with me you know i am correct.

For starters: you would have to get machine encoded ips to get the real ip of the machine listed, secondly the ip’s he is gathering is merely a gateway ip and some are bounced all over the place if you have used a traceroute system.

Third: Secondlife protects its clients from such things as spyware,malware, and a virus, if thats the case then the client you are using is in fact compromised and I would no longer use it.

If you sat down and understood the the time that it takes for such programming then you would understand that greenzone works in much the same way redzone does. It looks for a redzone security system and when it finds it. Greenzone labels it as such listed above. This is not true, I have used redzone for a bit and, my computer is free of spyware,malware and viruses, so I do beg to differ with how greenzone is labeling the program.

Also I reserve the right to BAN anyone who I deem suspicious on my sim as I use it to protect my buildings that I build and my sculpts and creations. Redzone for me is just a mere aide in doing so.

you really need to sit and understand my point of view on things and this is coming from a person who has had his merchandise copied and put on xstreet for sale. This why someone would use redzone

my last indignation is the question that bares the thing what about the security systems that log you in an email entering a sim and leaving a sim with date and timestamp, the point here is you are focusing on one thing and there are several out there just like it and if not worse. Zfire has changed his website so it no longer displays the alternate accounts but if you go to look up an avatar listed it gives a “Neighborhood watch rating” to that particular avatar.

If that is the case then you have an even bigger fight with triple labs and hippo technologies because of the security set up in the sim basically you land and I know about it, and it is sent to e-mail, so you have more than one fish to fry or my biggest question, if you are against programs like this then you must be a person who copies others works and resells them.

7 03 2011
no2redzone

You seem to be making several points, which I will answer quickly.

1. You seem to say Greenzone is just like Redzone. If you want a full defence of Greenzone, go to the Greenzone forum. I am not connected with Greenzone, and have not contributed to it at all. However, I will argue with you because what you say is nonsense. Greenzone detects Redzone probes and alerts you. No data is stored. There is no database of personal data. It is just a clever sensor. You are confused about IP addresses. Traceroute does not bounce them around the Internet, and as we all knowm IP address is just the (flawed) mechanism for detecting alts.

2. zFire has changed his website because Linden Lab banned his project for being against TOS. He was forced to do so, but even now, his data collection remains illegal. (See the article above).

3. Other systems are not just as bad because they do not create databases of privacy invading personal data. If someone scans me in world and kicks me because I have an E in my name, that is their right. My privacy has not been enabled, and all that is lost is my access to a sim where I was apparently not welcome.

4. Redzone simply does not protect you from copybotters. zFire is a liar and Redzone gives you a false sense of security. You are paying for snake oil. The fool and his money are easily separated, and I will not stop you giving your cash to zFire – but don’t tell me the snake oil does anything. It verifiably and demonstrably does not.

5. Last is the wonderful old cannard. You say because I am against redzone I must be a copybotter who steals your stuff and resells it. I have answered this before: I pay for all my content (and most copybotters do not resell btw). But this is just silly in any case. You have swallowed zFire’s lie (and he lies a lot).




%d bloggers like this: