* Posts by Nic

2 publicly visible posts • joined 27 Nov 2007

BT's secret Phorm trials open door to corporate eavesdropping

Nic

Profiling

In the Data Protection Act, personal data is defined as meaning "data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller."

The key point to note is (b). If there is a means by which supposedly anonymised data can, with other data likely to come into the possession of the data controller, be traced back to an individual, then that supposedly anonymised data is personal data and therefore subject to the provisions of the DPA, which requires the consent of the individuals to whom the personal data relates.

Since IP addresses and user account details are certain to be "in the possession of" BT, they can hardly claim that their actions do not contravene the DPA.

Biometrics won't fix data loss problems

Nic

Biometric data should not be treated as confidential

Biometric data cannot be confidential - anyone can capture someone else's fingerprints or iris or facial image. Biometric data could only be of value on the assumption that risk-holders will rely on unsupervised capture of biometric data - which would be thoroughly unsound. If that is what the scheme is proposing then it is flawed, however well protected the data in the register itself may be.

For remote or unsupervised access, other means - e.g. dedicated devices not unlike those some banks are issuing - could be used to provide two-factor authentication. This may not be quite as strong in theory as biometric verification (especially with match on chip) but it will cover most day-to-day risks. The larger risks will probably need additional measures anyway.