IP tracking against data protection act
2Jakes
Posts: 10 Forumite
Recently I have become aware of something that I find disconcerting.
For several days last week I couldn't get access to my account of the National Lottery Site that claimed that I was outside of the UK.
On the last occasion I made sure that I was not using a proxy/VPN or anything else, and when I got the same page I checked my IP's location, which was located in the UK although leased out of a BT centre in Scotland (I was in England).
So I called Camelot's customer service, who were extremely rude and ignorant. Then when I tried to explain that I was getting the same thing on my iPhone on my WiFi that never had a proxy or VPN installed on it, they put the phone down on me.
So, I called BT and checked to see if they had placed an "anonymizer" on my account as Camelot claimed. As I expected they said no. So I complained to Camelot and after a lot of evasion they finally told me that Neustar, whom they use to check the IPs' locations, had recorded me as having been on TOR network at some previous date and therefore blacklisted the IP!!
I didn't think it was legal for people like Neustar to keep such records and, even worse, allow their clients to use them as filters to regulate people's access to web sites. I had been on TOR quite a while back but for nothing illegal & besides that should be no one's business except that of the police or intelligence services in possession of a court order and certainly not used by or disclosed to a third party in this manner.
This is exactly why such records shouldn't be kept as they get used for the wrong reasons and result in totally inaccurate conclusions.
Why should I be blacklisted for having been on TOR network anyway? Why should anyone know that I had been on TOR network, especially a private company?
Furthermore, Camelot is now trying to insinuate that I was doing something wrong instead of admitting to their mistake and changing the way they check IP locations or blacklists, on top of apologizing for having caused a breach of my privacy as well as having been rude, evasive and hiding behind deceptive technical jargon.
Where does the Data Protection Act 1988 stand on this issue? Are such practices lawful?
Thanks
Comments
-
I don't think your IP address is of any interest to the Data Protection Act. An individual cannot be identified from the IP address except with the co-operation of the ISP, and the ISP can refuse to supply the personal details without proper authority.
So we have a number of IP addresses that have been collected by Neustar. Some have been flagged as having used a TOR network.
Looks like Camelot has bought that list and decided that it doesn't want to do business with people who have an IP address that has used a TOR network.
Camelot are doing nothing wrong.
Are Neustar doing anything wrong?
I do not think they are. They have no way of relating those IP addresses with individuals, so that data does not need the protection of the Data Protection Act.
If it's any comfort, you are not the first: http://community.plus.net/forum/index.php?action=printpage;topic=113466.0
-
Remember though, personal data is anything which could be used to single out an individual from a group either on its own or together with information either already in the possession of or likely to come into the possession of the data controller.
While an IP on its own can't identify an individual, the information required to open an account on national lottery website is - and due to OP's IP being linked with his account, there is a very strong possibility imo that the IP is personal data.
You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
-
Something isn't right, unless you're on a static IP how is banning the IP given via DHCP going to help them?
They can't prove you were the user of that IP that had the activity on TOR or not.
To be honest...the national lottery website is fine when it works, get it wrong and their support is a waste of space.
-
People who hide their location are seen as suspicious by some companies and can choose not to deal with them. This has nothing to do with data protection and to suggest otherwise is just stupid, it's about location not identities.
-
unholyangel wrote: »Remember though, personal data is anything which could be used to single out an individual from a group either on its own or together with information either already in the possession of or likely to come into the possession of the data controller.
While an IP on its own can't identify an individual, the information required to open an account on national lottery website is - and due to OP's IP being linked with his account, there is a very strong possibility imo that the IP is personal data.
I can see how the IP address should be treated as sensitive data by the lottery company, but are you saying that because someone (Camelot) can match the IP address with an individual, then Neustar should not have a list of IP addresses with flags on it?
But maybe I've misunderstood.
-
Maybe I'm misreading your post or meaning, but you seem to be suggesting Neustar has generated a list of people who've used TOR and then connected that somehow to the IP all these people are using today to allow companies to block people on the fly? That would seem quite hard to do. The whole point of TOR is the end party wouldn't know who's visiting their site. So they would have no way to link it back to an IP address at that time - let alone months down the line when the IP address has likely changed.
It would seem Neustar provide software to Camelot which lets them detect TOR and other risky traffic as it happens, judging the IP addresses as they hit so they can judge the riskiness of that transaction. (See: http://www.neustar.biz/services/ip-intelligence ) Somebody visiting a gambling site through TOR does scream high risk. So Camelot then know not to serve that person then and, if there's cookies on the computer or they sign in, they can link that to an account. So you visit the National Lottery in TOR, it puts a flag on your account. Then whenever you visit your account it won't work. That seems more plausible.
If it's the latter case as I would suspect, Camelot would be well able, in my view, to argue it's necessary and appropriate and not a violation of the DPA. Camelot would have good reason to analyse the IP addresses of people visiting them and make a judgement, with the aid of Neustar, of the risks involved. Then should a high risk IP link itself, by cookies or signing in to an account, it would also seem relevant and not excessive to place a flag against that account. The information isn't excessive and serves a valid purpose for Camelot.
Considering it's a TOR IP address that's being judged, could an anonymized IP address even count as personal information?
This is everybody's fault but mine.
-
Not that they shouldn't have a list - rather just that such a list would likely be personal data.
You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
-
unholyangel wrote: »Not that they shouldn't have a list - rather just that such a list would likely be personal data.
It might well be classed as personal data, but unless Camelot release that data to an unauthorised third party (and Neustar were acting on behalf of Camelot), then surely no DPA breach has taken place.
Being able to identify the OP from their IP address couldn't be a breach because as soon as they logged on to the Camelot system, their identity would be known anyway and they probably log all incoming IP addresses due to possible fraud concerns.
-
shaun_from_Africa wrote: »It might well be classed as personal data, but unless Camelot release that data to an unauthorised third party (and Neustar were acting on behalf of Camelot), then surely no DPA breach has taken place.
Being able to identify the OP from their IP address couldn't be a breach because as soon as they logged on to the Camelot system, their identity would be known anyway and they probably log all incoming IP addresses due to possible fraud concerns.
I did say in the first part of the post you quoted that I wasn't saying they shouldn't have such a list.
However now that you've brought it up, there is more to the DPA than just unlawful disclosure.
For example, the first principle of the DPA is fair and lawful processing, on which the ICO say:
Why and how personal data is collected and used will be relevant in assessing fairness. Fairness requires you to:
be open and honest about your identity;
tell people how you intend to use any personal data you collect about them (unless this is obvious);
usually handle their personal data only in ways they would reasonably expect; and
above all, not use their information in ways that unjustifiably have a negative effect on them.
And also:
If processing personal data involves committing a criminal offence, the processing will obviously be unlawful. However, processing may also be unlawful if it results in:
a breach of a duty of confidence. Such a duty may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected – medical or banking information, for example;
your organisation exceeding its legal powers or exercising those powers improperly;
an infringement of copyright;
a breach of an enforceable contractual agreement;
a breach of industry-specific legislation or regulations;
a breach of the Human Rights Act 1998. The Act implements the European Convention on Human Rights which, among other things, gives individuals the right to respect for private and family life, home and correspondence.
You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
This discussion has been closed.