Earlier this week, I drew attention to the Driving Standards Agency’s massive data loss in May (but only just revealed), and asked people to sign a petition ensuring that people are promptly told about loss of their personal data. I also said I’d requested the Register Entry Report for the DSA.

I did this for two reasons: firstly, as a Data Controller myself, I wouldn’t mind seeing another example of a Register Entry; and secondly, because I was keen to discover what the DSA can do with my driving licence data (and whether, frankly, they’d broken the law).

So, register entry report for registration number Z7122992 appears through the post today. It’s actually the Register Entry for the Department of Transport (who run the Driving Standards Agency), which makes even more interesting reading.

First - was this data breach illegal?
By this I mean - did the Department of Transport specifically go outside the terms of data use laid down in their register entry?

Register entries are anything but clear, as I found doing the entry for Not At All Bad Ltd (which hosts this website, as well as Media UK). The Department of Transport’s entry has an entry (entry 9) for “Trading/Sharing in Personal Information”, which has a purpose description of “the sale, hire or exchange of personal information”. Transfers of this data are explicitly set as “None Outside The European Economic Area”. So, according to this register entry, they are not allowed to transfer personal information (names, addresses, phone numbers) outside of the EEA.

Let’s remind ourselves of the original story (at least, the details reported by the BBC):
Names, addresses and phone numbers - but no financial information - were among details on a computer hard drive which went missing in the US in May. It belonged to a contractor working for the Driving Standards Agency, she [Ruth Kelly] said.

So, is this a clear breach of their own requested use of data? It turns out it’s not quite that simple. “Information and Databank Administration” is section 8 of their register entry: for the purpose of “maintenance of information or databanks as a reference tool or general resource, including catalogues, lists, directories and bibliographic data”, and data subjects being, amongst others, “Customers and clients” - i.e. you and me. Data transfer for this is set as Worldwide.

I’m not a lawyer; and I don’t know which of these two sections is supposed to take precedence. Was the deliberate release of personal information outside the EEA a breach, or not? I’d welcome your views.

Second - anything else turn up in here which is a concern?

Let’s return to “Trading/Sharing in Personal Information”. The register says who can receive this information - which specifically includes “personal details, financial details, offences, criminal proceedings”. Here’s a few…

Police forces, central government, local government, employees and agents of the data controller, department of health, department for education and employment, the media…

The MEDIA?!?!!!

It seems that the Department of Transport can, if they wish, let any media organisation in the UK or the EEA know my driving licence details, including my financial information. Anyone in the media can know whether I got a speeding fine in 1997 for doing 42 in a non-built-up, badly-signed 30-zone. (I did. But I have a clean licence now.)

This is big stuff. And I wonder what the definition of “the media” is, in this context. Am *I* the media, running a blog that has more readers than many small magazines? Am I able to request this data on someone I know? The possibilities, the possibilities…

Photo: Ken Banks. Used under licence. An additional disclosure appears at the bottom of my original post on this subject.

Photo by Christian Guthier on Flickr; used under cc licence

A long and massively point-missing piece on Facebook this morning on BBC Radio 4’s Broadcasting House (available to listen-again).

In it was a “fat librarian boy” who was most upset to discover a Facebook group entitled “We hate the fat librarian boy”; and a couple who’d split up but are still being kept in touch with their exes by friends via Facebook. With any internet story, you need to ask the question whether the internet is to blame, or whether this kind of thing would have happened anyway without the internet. The answer’s clearly the latter, of course.

One bloke came on, a little concerned about the etiquette of refusing friend requests. The good news (and something Facebook should be clearer on) is that if you hit the ‘ignore’ button, nobody knows: it doesn’t send back any message to the person who asked. I use it all the time - having a “must have met at least twice” rule. Nobody knows you’ve refused the request. It works just fine.

Perhaps the most interesting part of all this was someone coming on at the end and saying that if you want something private, don’t stick it on the internet. At all. Ever.

In order to underline that point, I thought I’d go and look for how much updating information I could find on the internet about my activities online. And it turns out that there’s quite a lot. You can view my stalkerfeed, as I’ve christened it, on my website.

Through publicly-available RSS feeds, you appear to be able to view a large amount of information about me. This kind of information is available for many of us; if we use last.fm, or Facebook, or Twitter, or many other systems, it’s quite possible to piece a ton of information together about us all. Particularly if we use the same username on all of these systems.

When at Virgin, I had the real benefit of having student placements embedded in my department. The interesting thing is watching their normal internet use; because you learn a lot from it. My practice of using the same username on everything appears to be completely alien to ‘the youth of today’; not only do they use a dazzling amount of different usernames, they’re also using names that seemingly don’t tie back at all to their identities, or are suffixed with seemingly random numbers. I don’t know enough about whether they do this on purpose, but the net result is that you cannot easily do the same ’stalkerfeed’ exercise on them. My enjoyment on getting my ‘real name’ on Gmail, for example, clearly isn’t shared by them - apparently preferring random and weird names on their own Gmail accounts, for example, instead of their own names - even when their names are still available.

Those concerned about internet privacy should perhaps learn something from those students; where you don’t want to leave a trail of data, don’t use the same username on everything. Simple, innit? (If only we all thought that way…)

If you pay 99p instead of 79p for your EMI download from iTunes, you get something special.

You get the music in double the quality - 256k instead of 128k. The music apparently sounds cleaner and more vibrant.

You also get the music without any Digital Rights Management. So you can copy it, move it around, play it on one of those nice new thin Sony Walkman nano-a-likes, etc.

And, as the Electronic Freedom Foundation have discovered, you also get those tracks embedded with your name, your email address, and possibly many other things too.

This, to me, makes perfect sense. They’ve stripped the DRM so that you can, for example, burn the tracks onto CD, or move them to your other player, play them on your mobile phone - a wealth of possibilities denied to us with DRM-protected files. However, they’ve not stripped the DRM to allow people to stick them on the internet for everyone to download or to share around the office; hence the embedded user information.

ArsTechnica appears to be fuming about this.

I don’t understand why.