Google Health, Phorm, where next for your private data?

Let’s look at the fundamentals. Is an advertising company an appropriate place for sensitive personal data like health records? That’s easy to answer, no matter how many privacy assurances Google gives. Google is a specialist at mining personal data; and whenever I read its terms and conditions it is almost enough to stop me using its services. So Google Health? No thanks. Google, if you want to do this, split the company.

How about this idea: some of the UK’s largest ISPs – Carphone Warehouse, BT and Virgin Media – intend to hand over their users’ Internet history to an advertising company called Phorm. The Reg has more details – read the comments to get fully spooked. Someone has set up a protest site here.

Phorm says it has strong privacy practices that safeguard user data, audited by Ernst & Young [PDF]. Safeguards include:

  • Deleting raw data after 14 days
  • Removing numbers longer than 3 digits
  • Not storing email addresses or IP addresses
  • Not storing form fields (thus no passwords)
  • Identifying users only by a random number
  • Analysing data only for predetermined keywords

Happy now? No. Some of these protections are weak. First, the AOL search data debacle proved that replacing IP addresses with random identifiers is insufficient protection, because users can be identified solely by their activity: a handful of distinctive sites or searches is enough to single out one person, after which everything else recorded under that identifier is exposed. This applies even more strongly to an ISP’s data, which covers everything you do on the Internet, not just your search history. Second, it is an opt-out system – it should be opt-in – and the opt-out on offer is weak; it merely stops you seeing the targeted ads, rather than preventing your data being sent to Phorm. Third, the data to be mined includes all your unencrypted Internet activity, such as reading Google Mail, and not just the URLs visited. Phorm says it won’t read it, but every additional copy or use of this data makes it more vulnerable to interception and abuse.
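To make the first point concrete, here is an added example (my own illustration, not code from the post, Phorm or the AOL release) of how a pseudonymised clickstream gives a user away. The log, the hostnames and the pseudonyms are all constructed; the "safeguard" of swapping every identifier for a fresh random one is applied, and it makes no difference, because a few facts an outsider already knows about a person pin down their record:

```python
"""Re-identifying a user in a pseudonymised clickstream.

Added example: the records below are constructed, not real ISP data. Each
record is (random identifier, host visited), i.e. the IP address has already
been replaced by a random number as Phorm's safeguards describe.
"""
import secrets
from collections import defaultdict

# Constructed pseudonymised log. A real ISP feed would hold thousands of
# records per user, which only makes each history more distinctive.
CLICKSTREAM = [
    ("a91f3c", "www.bbc.co.uk"),
    ("a91f3c", "www.google.co.uk"),
    ("a91f3c", "www.smallvillage-cricket-club.org.uk"),
    ("a91f3c", "www.example-bank.co.uk"),
    ("a91f3c", "www.hospital-oncology.nhs.uk"),
    ("7b02e9", "www.bbc.co.uk"),
    ("7b02e9", "www.google.co.uk"),
    ("7b02e9", "www.smallvillage-cricket-club.org.uk"),
    ("7b02e9", "www.example-school.sch.uk"),
    ("c4d1aa", "www.bbc.co.uk"),
    ("c4d1aa", "www.example-bank.co.uk"),
    ("c4d1aa", "www.example-school.sch.uk"),
]


def profiles(log):
    """Group the log by pseudonym: {pseudonym: set of hosts visited}."""
    p = defaultdict(set)
    for uid, host in log:
        p[uid].add(host)
    return p


def candidates(log, known_hosts):
    """Pseudonyms whose history contains every host in known_hosts.

    known_hosts is what an attacker knows about the target from outside the
    log (she plays for the village cricket club, she banks with example-bank).
    Each extra fact shrinks the candidate set."""
    known = set(known_hosts)
    return sorted(uid for uid, hosts in profiles(log).items() if known <= hosts)


def reidentify(log, known_hosts):
    """If the known facts pin down exactly one pseudonym, return it together
    with everything *else* that pseudonym visited, i.e. the data the random
    identifier was supposed to protect. Otherwise return None."""
    c = candidates(log, known_hosts)
    if len(c) != 1:
        return None
    uid = c[0]
    return uid, sorted(profiles(log)[uid] - set(known_hosts))


def anonymity_set_sizes(log):
    """For each pseudonym, how many users share its exact history?
    A size of 1 means the history alone is a fingerprint."""
    p = profiles(log)
    return {uid: sum(1 for h in p.values() if h == hosts) for uid, hosts in p.items()}


def repseudonymise(log):
    """Replace every identifier with a fresh random one (the safeguard under
    discussion). The histories are untouched, so nothing about
    re-identification changes."""
    mapping = {}
    return [(mapping.setdefault(uid, secrets.token_hex(4)), host) for uid, host in log]


if __name__ == "__main__":
    known = ["www.smallvillage-cricket-club.org.uk", "www.example-bank.co.uk"]
    print(reidentify(CLICKSTREAM, known))
    print(reidentify(repseudonymise(CLICKSTREAM), known))
```

Two outside facts are enough here to isolate one record and read off the hospital visit that was never part of what the attacker knew. That is exactly the AOL failure mode: the identifier is not what identifies a person; the activity does.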

What’s the answer? Change your ISP, of course; but also use SSL, which encrypts your Internet traffic so that the ISP sees only which host you connected to, not what you read or sent. Passwords are a weak enough mechanism as it is, without making it worse by sending them in plain text; further, we need to learn that anything we read or send in plain text over the Internet has potentially been intercepted. This 2005 article spells out what that means. My hunch is that it is little better now. If we encrypt all the traffic that matters to us, then we won’t care so much that the ISP is selling it on.
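As an added illustration of what "intercepted" means in practice (my own example, not from the post or from Phorm's audit), here is a model of a box sitting at the ISP looking at two constructed captures: a webmail login sent over plain HTTP, and the first record of an SSL handshake for the same login. The hostname, request bytes and TLS record are all made up for the example:

```python
"""What an ISP-side observer can read from plaintext HTTP versus SSL/TLS.

Added example with constructed captures; nothing here is real traffic.
"""
from urllib.parse import parse_qs

# Constructed: a plaintext HTTP login POST as it crosses the ISP's wire.
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.net\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"user=alice&password=hunter2&r=1"
)

# Constructed: the first TLS record of a ClientHello (record header: type 0x16
# handshake, version 3.1, length 47) followed by a dummy 47-byte body. This is
# what the same observer sees when the login goes over SSL.
TLS_HELLO = b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b\x03\x01" + b"\x00" * 41


def parse_http_request(raw):
    """Parse a plaintext HTTP request and return everything an interceptor
    can read from it: full URL, cookies, and any submitted form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = body[: int(headers.get("content-length", "0"))]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Form fields are plain text on the wire: this is where passwords live.
        form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
    return {
        "method": method,
        "url": "http://" + headers.get("host", "") + target,
        "cookie": headers.get("cookie"),
        "form": form,
        "password": form.get("password"),
    }


def is_tls_record(raw):
    """True if the bytes start with a TLS record header: content type
    20-23 (change_cipher_spec, alert, handshake, application_data) and
    major version 3."""
    return len(raw) >= 5 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 3


def observe(raw):
    """Model the observer at the ISP. Plaintext HTTP yields URL, cookies and
    form fields; TLS yields only the record type and how many bytes went by."""
    if is_tls_record(raw):
        return {
            "encrypted": True,
            "record_type": raw[0],
            "record_length": int.from_bytes(raw[3:5], "big"),
        }
    result = parse_http_request(raw)
    result["encrypted"] = False
    return result


if __name__ == "__main__":
    print(observe(HTTP_LOGIN))
    print(observe(TLS_HELLO))
```

From the HTTP capture the observer gets the URL, the session cookie and the password outright; from the TLS capture it gets a record type and a byte count. Note what SSL does not hide: the DNS lookup and, with SNI, the ClientHello still reveal which host you talked to, so "which sites" leaks even when "what you read there" does not.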

[This post replaces an earlier draft].

Update: More details at the Reg today, complete with diagrams. Performance impact is also a concern.
