RedZoneophiles do get a bit repetitive. In the hope that they can prove black is white through repeated assertion, they tell anyone who dares disagree that RedZone is allowed by Linden Labs TOS (see elsewhere on this site – that is false), that it is legal, that IP addresses are not private information (an example of the logical fallacy of equivocation), and so on. In this forum, this weekend, zFire accused me of not knowing that websites gather IP addresses! The latest mantra seems to be that if we object to RedZone, why don’t we object to the information gathering by Google?
So here is the answer. In short, the answer is that Google complies with the law, and RedZone does not.
But that is not the whole story. First, it is only fair to say that Google does not always comply with the law. In November Google were taken to task by the Information Commissioner in the UK over its data gathering activities when building Streetview. As a result of this breach of Data Protection Law, Google are now under audit over their data protection practices in the UK.
What happened was this: Streetview cars took photos of streets, as they do, linked to GPS for use on their street view service. There is nothing wrong with doing this. Where Google fell foul of the law was in the activity of one of their engineers who also collected data of Wireless Access Points as the cars travelled the country.
Note that what the engineer collected was the SSID of the access points. For those unfamiliar with the protocol, the SSID includes network name and a MAC address of the access point which is transmitted in the WiFi beacon frame.
To be clear, these beacon frames are broadcast in the clear precisely because they announce service set information to anyone in range of the access point. No one would be foolish enough to suggest the information is “private”.
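To make concrete what a beacon frame exposes to anyone in range, here is an added example (not part of the original post) that parses one: the access point's MAC address sits in the BSSID field of the 802.11 header and the network name in the SSID element, with the Protected Frame flag unset. The frame bytes, the MAC, the network name and the names `SAMPLE_BEACON`, `format_mac` and `parse_beacon` are all constructed for illustration.

```python
import struct

# Constructed sample: one 802.11 beacon frame (no radiotap header, no FCS).
# The MAC is a locally administered placeholder and the SSID is invented.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000"              # frame control (management/beacon), duration
    "ffffffffffff"             # destination: broadcast
    "020000aabbcc"             # source: the access point
    "020000aabbcc"             # BSSID: the access point's MAC address
    "1000"                     # sequence control
    "0000000000000000"         # timestamp
    "6400" "2104"              # beacon interval, capability info
    "000b" + b"ExampleCafe".hex() +  # element 0: SSID (network name)
    "010482848b96"             # element 1: supported rates
    "030106"                   # element 3: DS parameter set, channel 6
)

def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame: bytes) -> dict:
    """Return the identifying fields a beacon frame carries unencrypted."""
    if len(frame) < 36:  # 24-byte header + 12 bytes of fixed parameters
        raise ValueError("too short for a beacon frame")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon frame")
    (interval,) = struct.unpack_from("<H", frame, 32)
    info = {
        "bssid": format_mac(frame[16:22]),
        "protected": bool(frame[1] & 0x40),  # Protected Frame flag
        "beacon_interval_tu": interval,
        "ssid": None,
        "channel": None,
    }
    pos = 36
    while pos + 2 <= len(frame):  # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated information element")
        if eid == 0:  # empty body means the network name is hidden
            info["ssid"] = body.decode("utf-8", errors="replace")
        elif eid == 3 and elen == 1:
            info["channel"] = body[0]
        pos += 2 + elen
    return info

print(parse_beacon(SAMPLE_BEACON))
```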
But the collation of the data breached the Data Protection Act because it was done secretly, with no opt outs, was linked to other data allowing profiling (the GPS location) and was also not collated for a stated purpose. The ICO was quite clear that this was a serious breach of the Data Protection Act.
Notice the similarities with RedZone (not in scope – Google’s breach is orders of magnitude larger – but in the principles that they are in breach of).
So, yes, I do object to Google’s data collation activities when they breach the law, just as I object to RedZone’s activities.
But the people comparing RedZone with Google are not, in fact, thinking of this incident (or some related incidents in other countries). They are thinking of the profiling Google does on its own website.
Why are RedZone not like Google? Because unlike Google, RedZone do not have a legally compliant data protection policy, nor could they: if they did, their business model would be destroyed.
1. Google are up front about data collection. It is right here – what they collect and why:
We may collect the following types of information:
Information that you provide – When you sign up for a Google Account, we ask you for personal information. We may combine the information that you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services.
2. They state the purpose of data collection:
In addition to the above, we may use the information that we collect to:
Provide, maintain, protect and improve our services (including advertising services) and develop new services; and
Protect the rights or property of Google or our users.
If we use this information in a manner different to the purpose for which it was collected, then we will ask for your consent prior to such use.
Note carefully: Google will ask your consent before using data for a purpose other than that for which it is collected. They MUST do this as it is a principle of law in EU countries and many other localities. Thus, if you gather IP log data and you wish to use it for some purpose other than the systems administration purposes for which such logs are intended, you MUST ask consent. No consent = no legal use.
Next, principles of fair collection:
You can use the Google Dashboard to review and control the information stored in your Google Account.
Big snip. But in essence, Google explain to you how to avoid providing them personal information if you do not wish to do so. RedZone offers no such choice.
Then this is a key principle:
Google only shares personal information with other companies or individuals outside Google in the following limited circumstances:
We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data.
zFire makes our information available for free, so fails on this point. He does offer to hide the actual IP addresses used, but his information security measures are frankly not appropriate for a serious business. I have audited his security and there are some significant failings.
Another key principle of the law is our right to access information about ourselves. Google has this here:
Accessing and updating personal information
When you use Google services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request, if it is not otherwise required to be retained by law or for legitimate business purposes.
For RedZoneophiles saying alt detection is a legitimate business purpose: no, it is not, because it is not proportionate. You could argue for the retention of personal information about customer transactions, certainly. Also account information about people who have been verified as copybotting (as long as the subject retains the right to inspect the data and have inaccuracies corrected). What you cannot hold onto is all information about everyone – even if you had fairly collected the data. And, of course, the data is not collected fairly and thus none of it may be held.
Google provide a clear process for data subjects to access their information, and verify it, correct it or have it deleted. RedZone has nothing but an “appeal” to the person who illegally harvested it in the first place and tells you that you will be muted if you kick up a fuss!
So we come to:
Google adheres to the US Safe Harbour Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the US Department of Commerce’s Safe Harbour Programme.
I have mentioned this in previous messages. The Safe Harbour Programme allows companies to register and audit their privacy policies and data protection policies with a body in the US, and as long as they comply with this in good faith they will be immune from prosecution in EU jurisdictions. zfRedZone does not participate in this programme, but does collect data on EU citizens and sells to other EU citizens. It is thus liable to EU data protection law, as well as similar sanction in its own jurisdiction.
So in summary, Google collects and handles data legally. RedZone does not. That is the reason we object to RedZone spyware and the lawbreakers who operate it.