Anonymous web data can be personal data, claims expert

Own it by owning up

A data protection specialist claims that users can gain control of their browsing history and have it protected by the UK’s Data Protection Act just by contacting companies such as Google, Yahoo! and Microsoft and telling them their identities.

There is debate in privacy circles about when identifying information such as a computer user's internet protocol (IP) address counts as 'personal data'. Information which does count as personal data qualifies for legal protection under the Data Protection Act.

Companies and privacy regulators are agreed that IP addresses can be, and indeed often are, 'personal data' as defined in the UK law and the EU Directive on which it is based. But most observers stop short of saying that an IP address is always 'personal data'.

Now data protection specialist Dr Chris Pounder of Amberhawk Training has said that there is a way in which internet users can force companies to consider information held about them as 'personal data'.

"There is a current, lively debate as to whether data that contains no name but is linked to an internet user session via an IP address, URL or similar reference number is personal data or not," said Pounder. "If the individual user concerned provides the service provider (e.g. Google) with the necessary identifying information (easily obtainable as we show), then the data are personal data, unambiguously in relation to any future processing."

"In other words, any individual users can, at any time, seek the protection of a data protection regime by providing the necessary identifying details to any organisation that stores their IP address or URL," he said.

Pounder outlined his view that by connecting a person's actual identity with the IP address or other information stored in a company's systems, that person can ensure that all the information connected to that record must be classed as 'personal data'.

"The stakes are high: if the data are not personal data, then the person who controls the data has almost untrammelled power to decide the nature of the processing," he said. "By contrast, if the data are personal data, that controller would be constrained by the data protection obligations that serve to protect the privacy of the individual user concerned."

Pounder said that the practice, if widespread, could have implications for how companies that hold a lot of data about users treat that data.

"Service providers are processing personal data if they have data in their possession that relates the use of a service to an identified living user of that service. In such circumstances data protection legislation would apply," said the paper that Pounder has published. "This position is self evident from the definition of personal data."

"Service providers will also be processing personal data if they can anticipate that the information that identifies a living individual is likely to come into their possession (e.g. if staff are likely to look up details about an individual user from any source, or to obtain identifying information from a third party)," said the paper.

Pounder said this means that if enough people send their personal details and their identifying IP addresses or URLs to a data controller, that controller will have to assume that everyone in its databases is identified.

"If sufficient individual users each provide the necessary identifying details, then all the data linked to any individual should be considered to be personal data."

Pounder said that where it is likely that individuals will provide such details, the implications for service providers are clear. They should, he said, treat all identifying information as personal data.

"Data containing IP data, cookie related data or a Street View URL etc should be treated as personal data if individuals, at any time, can provide the necessary identifying details in a complaint," said the Amberhawk report. "The more controversial the service, the more complaints will be generated, the more data will be transformed into personal data."

"That is why a prudent service provider could conclude that, depending on the nature of the service, they need to consider treating data as if they were personal data at the outset and without the need for any individual to send a complaint," it said.

See: The report (26-page/288kb pdf)

Amberhawk blog

OUT-LAW Guide to IP addresses and the Data Protection Act

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
