In researching the sci-fi thriller film Minority Report,[1] director Steven Spielberg commissioned a think-tank of futurist experts at MIT to visualize amongst other things what kind of technology would be available in the year 2054. The result was a city in which moving digital ink advertisements call your name from billboards and product packaging and holographic shop assistants recommend you products based on previous purchases. Both of these would be backed by iris-scan technology which would match your name on a centralised identification database. In a particularly memorable scene, the main character walks into Gap, is greeted by a cheerful shop assistant with “Welcome, Mr. Yakamoto” and asked “How’d those assorted tank tops work out for you?”, as a hologram image of a Japanese man appears and the shop assistant continues “Come on in and see how good you look in one of our new winter sweaters”. The holographic Mr. Yakamoto is now wearing a sweater that flashes in changing colours.
Although somewhat extreme, these adverts bring to the celluloid some of our greatest privacy fears about the potential use of new technology. But how far are we from this? Our personal information is increasingly being collected and stored on large databases. In a society where governments are introducing national identity cards, requiring fingerprinting of foreign nationals and air passenger identification data, supermarkets reward loyalty by tracking what customers buy and iris scanning, biometric identification and digital ink are becoming more available and now your e-mail is scanned to create “relevant” advertisements, are we really that far off from having friendly hologram shop assistants? This is great news for those who appreciate the efficiency of new technology and want these kinds of service, but privacy law may need to be reviewed in the light of technological changes to ensure that individuals are protected from the privacy-threatening aspects of such new services.
The New Services
Gmail[2] is arguably one of the most controversial of the recent new services, demonstrating the challenge in reconciling principles of data protection law with the privacy threatening aspects of new technology. Gmail is a free e-mail service currently in testing by Google, which enables a user to Google search their inbox for relevant keywords and to create a permanent centralised archive of messages because of its unprecedented 1000MB storage capacity. Furthermore, Google places targeted banner advertisements next to users’ e-mail by scanning e-mail text for keywords and matching them with advertisements on their database. The personalised nature of the new advertisements and the longevity of e-mail retained by Gmail means that more personal data is collected and stored than before.
Amazon recently launched A9.com,[3] a new search engine which provides “a unique set of features to find information, organize it, and remember it – all in one place”. A9 provides Google Web and image search results, Amazon Search Inside the Book results (shows relevant books and, where permitted, excerpts from those books), GuruNet reference results (definitions and encyclopaedia), Internet Movie Database results and more. A9 is a personalised search which remembers users’ searches and makes search history available, including when a Web search was last conducted and a Web site was last visited. The benefits of such personalisation are that searches become more relevant and focused on the user’s previous activity. The privacy concern is that more information which may be linked to an individual is collected and stored than before.
A further development is the Blinkx[4] software programme which, once downloaded onto a PC, indexes documents on a PC hard drive including e-mails, attachments, Word, Excel and PowerPoint files. As a companion programme, Blinkx sits on the PC and “watches” what the user is doing and finds Web pages, news articles, products, blogs, video clips, JPEGs, MP3s and documents on the user PC which are related to the user’s active window. “Whether you are browsing the Web, reading a document or writing an e-mail, you are always linked to the information you need!”[5] Information stored is accessible to the user by entering a query, and Blinkx presents the user with both the hard drive content and all the relevant narrowed down Blinkx search results. The privacy concern is that, although Blinkx may not technically be collecting personal data, it revolutionises the way a PC hard drive and relevant Web links are organised, stored and, more worryingly, made more accessible than ever before.
The Legal Position
Where personal data is collected, each Data Controller (entities which determine the purpose for which data is collected and processed) must ensure that its new service complies with the Data Protection Act 1998[6] and the Privacy and Electronic Communications (EC Directive) Regulations 2003.[7] The DPA requires, amongst other things, that personal data (any information which identifies the individual) must be collected fairly, for specified, explicit and legitimate purposes, and processed in a fair and lawful manner in accordance with those stated purposes. Processing must take place on one of the legitimate grounds such as consent, contract, legal necessity or on a balance of interest.[8] The individual must be informed about any intended transfer of data to third parties and given the right to object to their data being used for direct marketing purposes, and have a right to access, rectify, erase or block the data related to them.[9] Web-based Data Controllers can meet these legal requirements by providing the required information in a clear and accessible privacy policy and obtaining the user’s blanket consent as a precondition to use of the service.
Google’s use of scanning technology on the e-mail texts in Gmail is controversial, but does not appear to be in breach of the DPA. The Information Commissioner’s Office has informally stated that, provided Google makes it clear to Gmail users how their e-mail will be scanned, it would not be in breach of the DPA but “until Gmail is up and running, though, we can’t be certain“.[10] Google would still have to comply with the other principles of the DPA, such as ensuring adequate security measures, restrictions on third-party and international transfers and notification to the Information Commissioner.
The same rule would appear to apply to A9. So long as A9 has made the purpose of their processing unambiguously clear to the user (as discussed later) and complies with the rest of the DPA, A9’s processing is not in breach of
Gmail, Google, A9 and Amazon all use cookies in order to make their Web sites work efficiently. Cookies are the small pieces of information transmitted along with a Web page that may be temporarily or persistently stored by the browser. The browser will send the cookie back to the Web server during subsequent browsing. This helps identify a particular user or browsing session, and the Web site operator can collect an extensive amount of personal information which may be necessary to provide a user with certain services.
In the case of a search engine, this includes search term, IP address, unique cookie id number, computer and connection information such as browser type and version, operating system and platform, and time-date stamp. In relation to Gmail, this would include additional information generated from use of the Gmail account such as how much storage is used, how often the user logs on, advertisements, links and other information displayed or clicked on in the Gmail account. In relation to an e-commerce Web site such as Amazon, the additional information would include password, purchase history, the full Uniform Resource Locators (URL) clickstream to, through and from Amazon.com (including date and time), products viewed or searched for, related shops visited, any auction history, credit card number, and any phone number used to call Amazon’s customer services number.
The Privacy Regulations require that, where cookies are used by Web site operators, certain information must be provided to the individual. Web site operators generally comply with this requirement by providing information relating to their cookies in their privacy policy or terms and conditions of use, which forms part of the contract with the user. G-mail, Google, A9 and Amazon comply with the Privacy Regulations and may legally use cookies, but the question remains as to what the Data Controllers intend to do with the personal data which is harvested.
The concern is that Google may correlate information collected by the Google cookie with the information collected by the Gmail cookie. When an individual signs up to Gmail, they must submit their personal information. Gmail then assigns a cookie ID to the individual’s e-mail address. Where the individual already uses Google, their cookie ID and IP address will already be known to Google, the creation of the Gmail account therefore provides the missing link between the individual’s search history and their personal e-mail address. That’s a lot of personal information. Google has not declared that it does not intend to correlate such information for any advertising or marketing purposes. However, if Google did choose to do so, it appears that under current legal requirements and practice, Google may simply need to state this in their privacy policy to bring the processing to the users’ attention and obtain consent. Unless the data protection authorities intervene, such practice may contradict some of the “fundamental rights” provided by the original EU Directive 95/46.[12]
Furthermore, if Google proceeds with its launch of Orkut[13], a Friendster type social networking site, Google may amass an even greater database of personal information for targeted advertising. This has led privacy advocates to express concern that Gmail may set a precedent which is “likely to lead to a global trend to greater US based centralisation and storage of personal e-mails and a more comprehensive linkage between content and advertising.[14]“
In contrast, A9’s privacy policy is unambiguous about such correlation, stating in CAPITALS that it is a wholly owned subsidiary of Amazon.com Inc, and that “If you have an account on amazon.com and an amazon.com cookie, information gathered by a9.com.may be correlated with any personally identifiable information that amazon.com has and used by a9.com and amazon.com to improve the services we offer.”[15] Amazon has personally identifiable information including shipping address, purchase and viewing preferences. In combining Amazon and A9 databases, new ground in e-commerce is made by creating an overlap between an individual’s shopping preferences and their Web search history. However, unlike Gmail, this is openly stated and a user has an option not to use the personalised version of A9 by not signing into the A9 personalised search option and activating the Gmail cookie. If you de-activate a Gmail cookie, the service ceases to function properly.
Google and Amazon have clearly examined the legality of Gmail and A9, made reasonable efforts to inform users of the purposes of the processing, and obtained consents for the processing and storage. Provided the Data Controllers’ actual activities and intentions do not contradict the express purpose stated in their policies (eg by selling the personal data to any third parties), there is no illegality. However, because privacy policies and terms of use may be changed unilaterally, users have to trust the Data Controller’s good intentions. The DPA does not seem to require more than the safeguarding of personal data in storage and informing data subjects about the purpose and type of processing. This seems to be more of an informational requirement rather any substantive obligation and the current balance appears to be tipped in favour of commerce, recognising the legitimate business use of new technology but perhaps not the extent to which new technology can undermine the individual’s right to information and self determination as envisaged in the original EU Directive.[16]
Final Thoughts
Sometimes there is little the law can do to protect personal data. Inevitably, there are third parties whose malevolent intentions cannot be halted. As Gmail, A9 and Blinkx allow more retained personal data on a database, they are also responsible for the increased risk of abuse. The DPA requires that data controllers ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against unauthorised accidental loss or destruction of, or damage to, personal data.[17].
Google provides the Gmail service for a number of security protections such as the use of encrypted access and an encrypted password login; it blocks the transmission of executable files which may contain viruses or spyware; and does not load external images by default to prevent “Web bugs”. Google promises to reduce the transfer of “referrer” information in Gmail, preventing other Web sites from knowing that the individual was referred by clicking on a link in Gmail. But despite achieving this high level of technology to prevent a breach of security, nothing is 100% secure. Even big players like Google and Amazon, are still susceptible to security breaches, whether they be by hacking, viral attack, government-backed intrusion, or just a dishonest employee stealing information.
Data Controllers are also required to disclose personal information on request by an adequate search warrant or court order.[18] Although, users are made aware that their stored personal data is subject to government intrusion, many people would take the approach that “an innocent mind has nothing to hide”. However there is good reason to suspect that even government agencies are not infallible and there is a risk of personal data being misused.
New technology can improve and facilitate our modern lifestyles, but the personalisation of e-mail and search services inherently requires personal data in order to function. The crucial question is how this personal data is dealt with. The current law imposes an obligation of transparency and fairness on the processing of personal data but this may not be sufficient given the increasingly intrusive capability of new technology.
Eva Wong is an Associate in the Corporate Department of Coudert Bros LLP.
Postscript
Since the article above was written, the latest news is that on 14 October Google launched a free beta version of Google Desktop Search, a desktop program similar to, but much more powerful than Blinkx, using Google technology to match hard drive searches with a Google-powered Web search. See http://desktop.google.com/. A spokesperson at Google describes the Google Desktop Search as being “like photographic memory for your computer – if you’ve seen it before you should be able to find it“. Although Google claims that it will not access personal data from the user’s hard drive, and does not collect any personally identifiable information, the same privacy implications raised by Blinx are applicable but multiplied because the provider is Google which is more powerful as a search engine, and already collects information on Google search and Gmail users by cookie. Whilst there may be advantages for a user to find things on their hard drive, users need to be aware that if they download the Google Desktop Search, an easily accessible record of everything they touch on their desktop will exist and, unless the user opts out, “non-personal information” will be sent to Google “to make Google services work better by associating this information with other Google services you use and vice versa“. Furthermore, there may be problems associated with the Google Desktop Search being downloaded on public computers such as libraries or Internet cafes, as all use on those computers will be subject to being tracked by the Google Desktop Search. There are options to exclude certain items or categories of items from being included in a Google Desktop Search, but it is uncertain how practical these options will be.
EW
[6] Implementing Directive 95/46/EEC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[7] Implementing Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[8] The First and Second Data Protection Principle.
[9] The Sixth Data Protection Principle.
[12] See footnote 6 above
[16] See footnote 6 above
[17] The Seventh Data Protection Principle.
[18] Sections 28, 29 and 31 in relation to safe guarding national security, dealing with crime and taxation and in relation to certain regulatory activities.