An article in today’s Sunday Times, highlighted by SpyBlog and Ben Goldacre has revealed what the Sunday Times describes as the “discreet monitoring” or “snoop(ing) on the habits of millions of EE phone customers” as they came out of London’s Oxford Circus station. In other words, EE were monitoring and recording the actions of their customers and giving the data to Ipsos Mori in what is, no doubt a potentially very profitable enterprise.
Ipsos Mori was delighted with the results. In a deal with EE — Britain’s biggest mobile phone company, formed in 2010 from a merger between Orange and T-Mobile — the polling firm had purchased the exclusive use of the phone data and the test run in central London had shown its potential.
There are some serious echoes of Phorm here.
After SpyBlog and Ben Goldacre mentioned this on Twitter more people became aware of this and started asking questions of Ben Page, CEO of Ipsos Mori. There are many valid points and questions raised on Spyblog’s Twitter thread and Ben Goldacre’s Twitter thread. Of particular importance are the points about anonymised data and if the data is sold to anyone who has the ability to cross reference it with other data (one example being the Police).
The idea of “anonymising data” has been shown to be ineffective by Arvind Narayanan and Dr Vitaly Shmatikov of the University Of Texas at Austin, who also wrote an article called Myths And Fallacies Of “Personally Identifiable Information” (PDF file) that is well worth reading (thanks to Caspar Bowden for tweeting the link). We also have the Golle and Partidge paper “Deanonymising Social Networks”.
Ipsos Mori have issued a statement denying that they are selling personal data and Ben Page has tried to answer some of the questions put to him via Twitter. Mr Page has also suggested that he would be happy to publish the “anonymised” data for peer review.
A few questions for EE and Ipsos Mori come to mind:
- Was the Information Commissioner’s Office informed of this scheme? If not, why not?
- Do the EE terms and conditions specify that monitoring activity for marketing purposes may be undertaken? Are EE customers given the option to opt-in to or out of such schemes?
- Were the EE customers who were monitored told about the monitoring and given the option to opt-in to it?
- Do Ipsos Mori get the raw data from EE or do they get the anonymised data from EE?
- Do Ipsos Mori perform any operations on the data themselves?
- What information is finally used, how is it used and to whom is it passed on?
As more information comes to light I am sure there will be more questions.
Until we see the full process and the data before and after the “anonymisation” process it is very difficult to be reassured that there is no privacy invasion or potential for that data to be misused. The experience of dealing with Phorm has left me (and I’m sure many others) very cynical about claims of compliance with laws, anonymity of data and ethics.
I borrow from one of my earliest posts when I say this to Mr Page and EE:
The discussion ongoing in the public domain involves people who are more knowledgeable and eminent than I. Given the comments and concerns already mentioned I respectfully suggest that openly and honestly answering the issues and concerns raised in the public domain would be a good approach. And do it sooner rather than later.
Kent Ertugrul didn’t do that and look where Phorm are – shunned, discredited and hanging on for dear life.
This page from MarketWatch makes interesting reading, in particular this part (my highlighting):
the recent announcement of an agreement between Ipsos MORI – Ipsos’ UK subsidiary – and Everything Everywhere – the joint venture bringing together Orange UK and T-Mobile UK – is symbolic. It will give Ipsos MORI the ability to access EE’s entire database and thus to analyse the behaviour of groups of people in real time. EE supplies mobile phone and data services to 27 million clients. Ipsos will at last be able to understand their behaviour and thus help our clients make the best use of the immense potential of mobile handsets.
Big Brother Watch has reported on this story and includes links to more papers casting doubt on claims of anonymisation being effective, including this graphic from the University of Cambridge Computer Lab.
This quote from the Big Brother Watch report sums up what Everything Everywhere and IpsosMori needs to do, and quickly:
We have already made Freedom of Information Act requests for these documents, and urge IpsosMori to publish them urgently to allay public concerns.
Everything Everywhere needs to come clean on what data it is releasing, and why it is storing this data where there is no business purpose.
The Open Rights Group have posted their view on this issue and provided more detail for those who aren’t Sunday Times subscribers and reminds us
The Sunday Times’ evidence is that employees are making such claims: this must be investigated by the ICO, or a police force other than the Met. After all, T-Mobile’s employees (now part of the EE group) got into trouble in 2009 by selling customer data – thus we do not have confidence that official positions are without doubt representative of practice on the ground.
Will the ICO undertake a proper investigation given their spineless performance during the BT & Phorm issue?
Predictably pathetic, the ICO has said it is satisfied with what EE and IpsosMori has told them and will not be investigating.
Sounds just like what they did about Phorm as well.