The ICO has its Data Protection Priorities Wrong
It’s very difficult to write a ‘let’s get things in perspective’ blog post when half your country has been rioting, hence I’ve waited a bit before putting this together. I’ve been quite vociferous about the cookie legislation that has been introduced here in the UK, and I’ve been keeping myself up to date on the other blogs on the subject. Whilst I agree with many of their sentiments, I thought it might be useful to bring in a comparison with the wider legislation around privacy.
For a bit of history – you can read a description of what cookies are and why they affect your privacy and other ways that you can track users. You can read about the reaction in the popular press to the new laws and you can read about my proposed solution.
If you want to see the impact of asking users to opt in to cookies, the ICO provides quite a good case study themselves. The ICO introduced an option to opt in to cookies at the top of their pages. Vicky Brock asked them, through an FOI request, to tell us about their visits as recorded by their analytics tool (the Freedom of Information Act is a useful British law that allows you to ask the Government for some of their data for a modest fee, as long as it is anonymous). The result was stark: they had a 90% drop in traffic. Clearly the data isn’t representative of their user base any more; it will be so biased that it will be unusable, especially for long-tail keyword analysis.
Following on from this, I’ve been reading some articles by other bloggers. Notably Thomas Baekdal, who wrote a post entitled ‘Privacy Smivacy’ in which he states that tracking is not a privacy issue, because:
Your privacy is being violated when other people decide to share what they know about you. It is not a privacy issue that people know something about you to begin with.
I think this is a fair point, and he highlights it with a couple of examples in a follow-up post. I think his examples are a little limited, though: whilst there should be no reason to worry about someone noticing what I do when I’m on their lawn, a better example might be having a party on someone else’s lawn. You know the person, but you don’t know who they have invited to the party, and they’re all watching what you do. Not only do you not know who they are, you don’t know when they are next going to turn up at a party on someone else’s lawn.
However, this would be fine if it weren’t for very loud accusations of wrongdoing by some organisations. Kissmetrics have been in the press because they were using ‘etags’ as the unique identifier for users. Kissmetrics were of course very vociferous in their response, claiming that whilst they collected this information, they didn’t share it across customers or with third parties, and that in fact there was nothing that you could do with the information. Spotify and Hulu, two of their biggest clients, subsequently stopped using Kissmetrics. It makes an interesting case for the ‘analytics code of ethics’, and I’m not sure that Kissmetrics passed this test. Users should always have the option of opting out if they don’t want to participate.
But Thomas has a very good point: your privacy is being violated when other people decide to share what they know about you. So let’s look at some of the situations where this has happened and at the general reaction.
In case you’re not familiar with this case: a council contractor copied a load of data on to an unencrypted USB stick, which was subsequently ‘lost’ in a pub. This is clearly against the ICO’s own privacy guidelines, which say that any personal information that is transported should always be encrypted.
What is the end result of this case? Well, the ICO haven’t fined anyone, because they think that no harm was done as the USB stick was returned.
Earlier this year Sony closed down their much-used PlayStation Network for several weeks. The rumour was that a beta version of the network ‘accidentally’ allowed subscribers to access all 77 million users’ details in an unencrypted format. 77 million users had their personal data breached and copied, including bank account details. Users were asked to change the passwords they use to log in to the network, but were also told to check with their banks to ensure that they hadn’t been charged.
What is the result of this case? Well, it’s still being investigated, but it would appear to be an open-and-shut case. Sony have even admitted that it was their fault. Will they get the maximum £500k fine?
Lush, over a five-month period, managed to lose 5000 customers’ bank account details. Code had been added to the company’s website that allowed a third party to access customers’ bank account details as they bought things on the site.
What was the result of the case? Well, Lush have said that they’ll add extra security to their site, and the ICO have said that this is sufficient (obviously the 5000 who had their bank account details stolen will agree).
In fact, rather than looking at all the times the ICO hasn’t issued fines, it is easier to look at the situations where it has. It has only issued six fines so far since it has been allowed to do so. Four have been to councils, and one was to an organisation that no longer exists.
So what we have here is a number of companies that have lost customer data and haven’t been fined. What we are going to have when they start enforcing the cookie ban is an organisation that fines people for collecting information which isn’t personally identifiable.
The ICO should be given more power to prosecute those organisations (however big they may be) that do not store personal data securely, through larger fines or, via corporate liability, prison sentences for those responsible. They should not be handing out fines to those who collect data which is not personal and which will never be shared with third parties. The priorities here are wrong.