From the ICO’s February Newsletter

18 02 2011

This crossed my desk today. This is another EU privacy law that RedZone is now breaking (and yes, it applies to RedZone because his operation knowingly collects data on and sells to EU citizens):

New e-privacy directive will soon come into force

The revised e-privacy directive is due to come into force in May as part of the revised EU Telecoms Package.

The new laws will include the so-called ‘cookies rule’ which requires organisations to get consent from the user before deploying cookies or other similar files. The new rule is an attempt to give users more control and choice over how the information is stored or accessed on their computer.

Basically the new rules state that third party cookies must be provided on an opt in basis. I can hear Redzoneophiles squealing already abou “every e-commerce site using cookies”, but the commissioners thought of that:

This requirement does not apply equally to all types of cookies. Those used simply to enable the user to use a website properly (e.g. language settings or shopping cart functionality on are not subject to this consent requirement. The intention of the strengthened rules in the revised directive is to enforce users’ right to refuse “third party” cookies in particular.

So in short, RedZone’s use of cookies in the URLs he sends through the parcel media bug is now also specifically illegal in Europe.


RedZone and Personal Data

1 02 2011

1. Are IP addresses Personal Data[0] in English Law?

In brief: IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown. This is the position of the EU Data Protection Working Party and the Information Commissioners Office in the UK[1].

2. Does zfRedZone storage and processing of IP addresses meet the definition of profiling?

Only the courts can take a view on this, and to date there is no applicable case law. However, there is a prima facie argument that zfRedZone is using IP addresses, and especially static IP addresses to build profiles of users of the Second Life service. zfRedZone does not have easy access to the names of the individuals using the service, but does collate and profile users of the service, including the locations visited by their Second Life Avatars, their universal unique identifiers, and their alternate accounts. The zfRedZone neighbourhood watch website also allows customers of its service to make reports against profiled users, and these reports together with the profiles certainly constute personal data under the Data Protection Act (1998).

3. What principles of the data Protection Act apply to processing of this personal data?

All eight principles of the Data Protection Act apply. These can be found here:

4. What requirements of The Act are not being met by the zfRedZone service?

The first principle of the Data Protection Act states that: “Personal data shall be processed fairly and lawfully”. In practice this means that you must:

  • have legitimate grounds for collecting and using the personal data;not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
  • handle people’s personal data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

The zfRedZone service does not meet the requirement for fair and lawful processing because the data is often inaccurate and clearly can have unjustified effects on individuals concerned. A simulator ban given to a user because the service determines incorrectly that they are a banned user’s alternate account (alt) constitutes an unjustified denial of service for an individual. This can commonly happen because a web proxy service is being used by a user accessing the service such that the reported IP address of the user is that of the shared proxy. An example of such a case would occur in a university, where web proxies are widely used to reduce bandwidth costs and improve service performance, and where many of the students and staff at the university could potentially be users of the service.

Redzone also fails to provide users appropriate privacy notices, or indeed any notice that their data is being collected. This is a clear breach of the first principle of the Data Protection Act, and the Information Commissioner has made it clear that any service that secretly harvests personal data without providing an opt out mechanism for the users of that service will be in breach of the first principle of the Data Protection Act.

If a service is not complaint with the first principle of the act, the act states that the data SHALL NOT be processed. That is to say, it is a breach of English Law to process such data about British nationals. Similar laws apply in all other European jurisdictions.
Other principles of the Data Protection Act are not being met by the zfRedZone service, including principle 4. Data collected is not accurate (see above), neither is there a suitable means to ensure that inaccurate data can be corrected or removed – in particular because users are not notified of the data collection.

5. Will the maker of zfRedZone be prosecuted under the Data Protection Act?

The short answer is almost certainly no.

However, this does not mean that the product is lawful. Rather there is an issue of cost considered against potential and actual harm caused. Because some of the legal issues around IP addresses being personal data have no attendant case law, the legal effort required to file a case against the maker of zfRedZone is substantial, and the cost is likely to be excessive.

This must be weighed against potential for harm. Whilst zfRedZone almost certainly is in breach of the Data Protection Act in English law and equivalent laws in other European jurisdictions, the actual harm caused amounts to a partial denial of service for some users, and a loss of privacy for some others. Quantifiable damages based on this harm would likely be small, and would not justify the costs of litigation.
A similar principle protects the content creators on the Second Life service who use images for which they do not hold the copyright or logos for which they are not the trademark holder when creating content on the service. Whilst such abuse of the intellectual property of companies and individuals in this way is widespread on the Second Life service, it is unlikely – except in a very few high profile cases – that rights owners will bring litigation against those using their intellectual property in this way.

If it is unlikely the maker of the zfRedZone service will be prosecuted, it is impossible that individual users of the service will be prosecuted, as the Data Controller under the terms of The Act is the zfRedZone author and not the customer base.
Thus users of zfRedZone need not fear legal redress for their use of the service, but they should be in no doubt that it is unlawful.

[0] On the redzone site, zFire Xue gets rather confused between “personal data” and “private data”. He seems to think the definitions are co-extensive, which is not the case. Personal data in law is data about living individuals, and may or may not be in the public domain. An IP address can be thought of much like a real world address. My real world address is not privated data. I can be found using electoral records and other such means. However, if someone collects my real world address, and collates that with information about me such as “this person is nasty” or “this person is gay” or “this person is a jew”, then this becomes collated personal data, and is controlled for reasons that ought to be obvious. Notice it is also not necessarily a secret if I am the above things. It is the collation of the profiled information that makes this personal data.

Thus whether IP addresses are “secret” or not is quite irrelevant. The issue here is that the redzone software collates IP addresses along with personal profiles about individuals based on other personal information and then distributes those profiles to customers. This is what is illegal.

[1] The more detailed explanation for the above summary is as follows.

The Data Protection Act (1998) regulates the collection and use of personal data. If data is not personal data it is not caught by the Act – but it is not always obvious whether data is personal data or not. An IP address in isolation is not personal data because it is focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!’s disclosure of information about a journalist to Chinese authorities. The Commissioner wrote in his report: “an IP address per se does not meet the definition of ‘personal data'”. However the commisioner went on to say that in the hands of a website operator, it can become personal data through user profiling. The website operator need not know the individual’s name for the IP address to constitute personal data. The identifying nature of the IP address combined with the personal nature of the profile data makes the IP address personal data under the Data Protection Act.

In 2001, the then Information Commissioner, Elizabeth France, acknowledged the difficulty of using IP addresses to build up personalised profiles. “It is hard to see how the collection of dynamic IP addresses without other identifying information would bring a website operator within the scope of the Data Protection Act 1998,” she wrote.”Static IP addresses are different. As with cookies they can be linked to a particular computer which may actually or by assumption be linked to an individual user. If static IP addresses were to form the basis for profiles that are used to deliver targeted marketing messages to particular individuals they, and the profiles, would be personal data subject to the Data Protection Act 1998.”

Similar guidance came from an independent EU advisory body called the Article 29 Data Protection Working Party. It wrote in November 2000: “The possibility exists in many cases, however, of linking the user’s IP address to other personal data (which is publicly available or not) that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, use of a unique identifier) or modern data mining systems linked to large databases containing personally-identifiable data on internet users.”

Peter Scharr (the German Federal Data Protection Commissioner and Chairman of the Article 29 Working Party) confirmed the position in the UK in relation to IP addresses remains as per the Information Commissioner’s guidance above (subject to the Courts taking a different view). He also stated that ALL IP addresses should be treated, by companies using them, as personal data as ultimately only the Courts can decide for certain whether they amount to personal data and therefore, companies should exercise caution.