Last Friday ORG met with representatives of EE to discuss the details of their mobile data analytics operation. The discussion was triggered by a Sunday Times article apparently claiming that Ipsos Mori was trying to sell highly personal information about EE customers to the Met Police, and our campaign following it.
This is in the lead up to our public panel discussion on Wednesday 5 June. The meeting with EE was very helpful for us to get a better idea of how the Sunday Times article came about. We have asked the journalists to give their side of events, but so far we haven’t had much luck getting a reply. Clearing up any doubts about the most serious accusations of breaching privacy laws should be the top priority for everyone here.
CC BY-SA 3.0 photo by Victorgrigas
According to EE, someone apparently mixed up some slides given at a sales presentation by Ipsos Mori to the Metropolitan Police. The two companies have entered a partnership to develop analytics services. These slides referred to the data EE holds on customers, but this was not meant to be in the analytics package. How this ended up in a newspaper story about Ipsos Mori and EE selling highly personal information to the police is still unclear.We are asking EE to make those slides public on Wednesday.
Our next question then concerns what data EE uses for their analytics. Mobile companies like EE hold a lot of information on us, their customers. They are in the unique position of being able to combine several domains of your life, including your personal details (name, address, date of birth, etc.), communications, location and internet habits.
For example, internet marketeers are able to track your web browsing via cookies, but they generally cannot match that data with your postcode or age. EE tells us that the data they hold and use for this service is simply what is mandated by data retention legislation, for example, top level URLs without details of actual pages. This means they keep pornhub.com but not pornhub.com/page. EE keep this kind of data as long as required by law, but we would like more clarity on the exact terms.
ORG is concerned that as companies convert this big data into an economic asset, rather than a liability, there will be pressure to collect more data for longer periods. The law sets a minimum, but companies may be tempted to go way beyond requirements. ORG opposes data retention legislation as blanket surveillance. These laws have been found to conflict with fundamental rights in other European countries.
We are particularly keen to understand how EE are able to connect individual users and web activities at a specific time. The service they provide via Ipsos Mori appears to be able to tell you how many people were reading, say, ViolentJihad.com on mobiles and tablets in Piccadilly Circus this morning.
This kind of insight has been a key discussion in relation to the Snooper’s Charter. We have been told repeatedly that new laws are needed because mobile networks make this impossible, as many users share the same internet connection. EE representatives weren't able to explain, but said that it may be a matter of granularity and have promised more information on this
The other issue we wanted to examine was what data does Ipsos Mori get, and makes accessible to clients. According to EE, Ipsos Mori never access their databases, but make requests and get “anonymised” and vetted insights on groups of at least 50, never on individuals.
Queries mainly combine location data (users connected to a cell mast) with demographics (age cohort, gender or first half of postcode) and behaviour. So far apparently this is mainly web browsing, but we are not sure what else has been tested. Our concerns here centre on the risks of anonymisation.
There is a wealth of research on how hard it is to protect identities, particularly with location data. And this is not an academic debate. Only last week AOL finally settled a multi-million dollar lawsuit over its failure to anonymise customer records shared for research purposes.
EE assure us that they comply with the Code of Practice on Anonymisation from the Information Commissioner, which takes a light touch approach. But even in relation to this minimal protection there seem to be a few things that could be improved.
Joss Wright provided an initial check up recommending formal Privacy Impact Assessments and independent review and statistical validation of their protection mechanisms. A particular problem is that if queries are assessed individually, without reference to other queries, they might be combined to single out individuals. ORG will be happy to work towards a sector code of best practice.
We use your personal information for the following purposes:
• to provide aggregated statistics about our sales, customers, traffic patterns to third parties, but these statistics will not include any information that is likely to identify you
• to carry out research and analysis and monitor customer use of our network and products and services on an anonymous or personalised basis to identify general consumer trends and to understand better our customers’ behaviours and partner with other businesses to create new services… We may use information about your location for research and analytics purposes but we will only retain this information in an anonymised form to ensure that you cannot be identified as an individual.
While this seems to comply with existing data protection legislation in UK, we think that companies may need to go beyond the law in order to win the trust of their customers. We remain concerned about the amount of information that mobile companies are able to collect and believe that their unique position may require an specific sector code of practice. This would also involve stronger processes on data handling, anonymisation and sharing with third parties than asked for in the minimal requirements typically set by the UK ICO.
Please join us on Wednesday as we continue this discussion in person.