Some of you may recall the trials 3UK ran last year of systems provided by Shine. These trials were supposed to test systems aimed at blocking adverts at the network level. The problem though was that this required both the interception and sharing of personal and private communications of those using 3UK’s network. To do so without proper consent would be a criminal offence under s1(1) of RIPA as confirmed by IoCCO when I enquired about it.
I had previously asked the ICO about the nature of consent gained by 3UK during the trials. The response was far from reassuring, with the vast majority of communications withheld because of their commercially sensitive nature. This wasn’t entirely surprising, but it was nevertheless disappointing.
Now it seems that Shine have been rebranded as Rainbow and 3UK plan to go ahead with the use of their services, only now Rainbow seems to have dropped any pretence when it comes to their intentions: the service is no longer aimed at blocking adverts or helpers consumers but rather the exploitation (monetisation?) of their private communications passing over 3UK’s network.
The BBC article linked to in this post notes that the service is free for advertisers and consumers alike, but what about the networks? How much are they being paid by Rainbow to hand over the data?
More importantly what about consent?
Rainbow are providing systems that require data gained from the telecoms networks in order to function. This means that private communications still presumably need to be intercepted. Without said interception it’s likely their services simply would not work, nor would Rainbow gain all that valuable data.
3UK may try to argue that the data being provided to Rainbow has been anonymised or had identifiable details removed through other means. In my opinion this ought to be irrelevant; 3UK would still have presumably intercepted private communications, possibly without appropriate consent, and subsequently processed that private data for purposes that may well not have the consent of the customers. The systems provided by Rainbow are also not required to provide me with my phone and mobile internet services.
Given the response from IoCCO such interception without consent that would appear to be illegal, regardless of how that data was presented to 3rd parties or subsequently used. There is also the Data Protection Act to consider given that personal data is being processed for questionable purposes. Most worryingly of all there is currently no indication what consent 3UK will ask for from customers, how they will ask for it and certainly no guarantees that their communications won’t still be shared with Rainbow if they choose to deny consent.
I’ve asked the ICO to re-consider the refusal to release all correspondence between it and 3UK and/or Shine (now Rainbow) since their plans go beyond a mere trial and will affect their entire customer base. There is also a clear argument to be made that the public interest in releasing the information exceeds the commercial sensitivity of the responses previously provided to the ICO. I have also asked the ICO if they could look into this matter given the apparent threat to privacy that 3UKs plans represent.
This blog post will be updated if and when I get a response.