@benatipsosmori Ben Page, Chief Exec of Ipsos MORI, market research and opinion polling company is denying this front page Sunday Times story and second illistrated article, but " he would say that, wouldn't he"
The Sunday Times claims that Ipsos Mori were offering to sell snoopers charter style personal data to the Metropolitan Police Service obtained commercially from mobile phone network EE.
They appear to have tested their scheme in secret, last summer, without any indivual, informed consent from the EE customers being snooped on.
They appear to be offering not just Communications Data such as might be proportionately obtained by the Metropolitan Police, which is supposed to proportionate and restricted to suspects in actual criminal or national security investigations, but also bulk trawling of the personal data if millions of innocent people.
They also appear to be offering extra "profile" data e.g. age and gender, which is not part of Communications Data.
The Sunday Times
12 May 2013
Secrets of 27m mobile phones offered to police
Richard Kerbai and Jon Ungoed-Thomas
THE data of 27 m mobile phone users has been offered for sale to the Metropolitan police, private companies and other bodies, enabling them to track users' movements.
Ipsos Mori, one of Britain's biggest research firms, has been caught offering text and call records for sale.
The company has claimed in meetings that every movement by users can be tracked to within 100 metres. This weekend the Met, which has been in talks with Ipsos Mori about paying for some of the controversial data, shelved any deal after being contacted by The Sunday Times.
Documents to promote the data reveal that it includes "gender, age, postcode, websites visited, time of day text is sent [and] location of customer when call is made".
They state that people's mobile phone use and location can be tracked in real time with records of movements, calls and texts also available for the previous six months.
Why only the last 6 months of data ?
Why is EE not selling the Communications Data from 6 months to a year old, which they are legally obliged to keep, regardless of any business use under the The Data Retention (EC Directive) Regulations 2009 Regulation 5, which specifies 12 months ?
A commercial partnership with Ipsos Mori or other companies would give them the "business use case" to retain such data indefinitely if they wished (and paid for the storage systems)
The data, obtained by Ipsos Mori in an exclusive deal with EB, Britain's biggest phone operator, goes beyond anything that the police can get without an application order under the Regulation of Invetigatory Powers Act 2000.
Experts said that it offered a similar level of data access as the government's proposed "snoopers' charter", which
Continued on page 2
Police ditch snooper deal
Continued from page 1
ministers shelved after an outcry over privacy invasion.
Police forces, councils, big businesses and Google are among potential clients for the data. Bernard Hogan-Howe, the police commissioner, is understood to have met representatives from Ipsos Mori on March 22 to discuss the data.
Another meeting was held last Thursday at Scotland Yard and was attended by Mark Rowley, the assistant commissioner in charge of public order and major events for the force.
Who from Ipsos Mori and / or EE attended these meetings with these very senior Metropolitan Police officers ?
However, within hours of being contacted by The Sunday Times the Met said it was abandoning the proposal, even though sources said officers had been enthusiastic about the potential for tracking users of pay-as-you- go phones.
They are also understood to have been interested in overlaying the EE data with home addresses and personal details of possible suspects.
Yet another reason for investigative journalists (or police or intelligence agency investigators) and their confidential sources (whether whistleblowers or informants) to keep the anonymous mobile phones switched off at or near home or usual work places, so that they are not linked with identifiable ones, simply through plotting where thety have been switched on, regardless of any voice or SMS text or internet data calls made.
Ben Page, chief executive of Ipsos Mori, admitted in a tweet last month that the deal between Ipsos Mori and EE might sound "creepy", but said it had safeguards to protect anonymity.
Documents circulated to the Met and seen by The Sunday Times, however, show the data offers clients:
* Gender, age and postcode of users as well as friendship networks, plus calling circles, customer interests (eg sport, film, news) and activity at work or at home
"Gender, age and postcode of users" is data which the Police cannot normally see from Communications Data for prepaid mobile phones.
* Calls data, including time of day call is made, number called, duration of call and customer location to a 100-metre radius
* Data on texts, including time of day it is sent and location of customer
* Mobile web and app usage, including domain name of sites visited, session length, duration on site, previous and next sites visited and amount of data uploaded and downloaded during session
Data on "App usage" is not part of Communications Data under RIPA, but is the sort of thing that the Home Office was fishing for with the Draft Communications Data Bill.
* Customer location, which is determined by Call records or mobile phone ID, to an approximate accuracy of 100 metres, and profiles of customers, potentially including spending patterns.
" profiles of customers, potentially including spending patterns" is data which the Police cannot see from Communications Data for any sort of phones.
Page initially said Ipsos Mori had access to individual data, although it would not pass this to police. He later said the firm could get only aggregate, anonymised data. He said: "This is purely trying to look at mass movement in aggregate."
Page admitted some of the information was similar to the data proposed to be stored under the Communications Data Bill. EE said it had authorised data to be released only in an aggregated, anonymised form to protect its customers. Details would be released only for groups of 50 people or more.
This claim about "aggregate" data "anonymity" is nonsense.
If a snooper e.g. the Metropolitan Police has access to other databases which can be cross referenced, this will, in many cases then allow the EE / Ipsos Mori supplied datasets to be de-anonymised.
Switch on and you become a goldmine, page 14
Inside, on page 14, there are some more details and a graphical illustration.
(credited to Joel Goodman / Peter Alvey)
Switch on and you become a goldmine
Market researchers snooping on mobile phones tried to sell personal data to police to track criminals and protestors
Richard Kerbaj and Jon Ungogd-Thomas
LAST summer, as shoppers streamed out of a Tube station in Oxford Street in central London, they were put under discreet electronic surveillance.
As they emerged into daylight and pulled out their smartphones, the websites they visited were being monitored en masse.
The surveillance was part of a trial by Ipsos Mori, the pollster and opinion research company, to snoop on the habits of millions of EE phone customers. They could monitor how many of the phone users checked their Facebook accounts, or the website of their favourite shop.
Ipsos Mori was delighted with the results. In a deal with EE --"Britain's biggest mobile phone company, formed in 2010 from a merger between Orange and T-Mobile -- the polling firm had purchased the exclusive use of the phone data and the test run in central London had shown its potential.
In a tweet last month, Ben Page, chief executive of Ipsos Mori, admitted the EE geolocation deal mightsound "creepy" to customers, but insisted it was based on anonymised data with "safeguards on all sides".
What safeguards exactly, for the EE customers who had not given their prior, informed consent ?
It was certainly; dramatic project: Ipsos Mori had found a way to unlock the intimate secrets of the modern mobile phone and was sitting on a potential goldmine.
Initially, the company considered uses of the data for private sector clients and sporting events. It looked at the It looked at the websites Olympic spectators checked on their mobile phones and the phone habits of concert goers and shoppers.
Visitors to shopping centres, such as the Metrocentre in Newcastle upon Tyne and Bluewater in Kent, were monitored and the details of the websites they visited on their phones quietly harvested.
The movements of phone users were also tracked. An Ipsos Mori document stated: "We can understand not only where people are going, but what have been doing before, during and after they visited these various locations.
So these secret data snooping /matching trials were conducted without the prior, informed consent of the mobile phone customers ?
Will the Information Commissioner and the Interception of Communications Commissioner and OfComm investigate as they should ?
There was, however, another potentially lucrative application: crime detection. Bernard Hogan-Howe, the police commissioner, is understood to have met representatives from Ipsos Mori on March 23 to discuss the possabilities available to the Metropolitan police, using the EE data.
In public, Ipsos Mori insists all data it obtains is aggregated and protects customer privacy. In private, it claims it could get access to the data from individual phones. The documents circulated to the Met stated that the gender, age and postcodes of users was available, as well as friendship networks, time of calls, mobile web usage and customer location within 100 metres.
The police were understandably interested. Theresa May, the Home Secretary, last year failed to push though the Communications Data Bill, nicknamed "the snoopers' charter". Its terms would have required internet service providers to store for a year all details on online communications in the UK.
The bill stalled after a joint committee of peers and MPs found that it paid "insufficient attention to the duty to respect the right to privacy" and went too far in providing access to communications data.
The talks over the EE data appeared to offer another way of tracking people's phones and web usage. Another meeting to discuss the data was held last Thursday at Scotland Yard's headquarters, attended by Mark Rowley, the assistant commissioner in charge of public order and major evénts.
One of the proposals was for possible live tracking of events that would allow officers to monitor groups through their phones. If there was an incident, data on the subsequent movements of those at the scene could be harvested.
Officers were told they would be able to monitor protesters at demonstrations, to see where they had come from, where they were going and their phone usage during the event. The Met was also interested in getting a map of all pay-as-you-go phones, which could then be overlaid with the home addresses of "people of interest".
There were clearly concerns about data protection. One option considered by Ipsos Mori was to circulate a survey to EE users offering incentives in return for more information about themselves. They would then be asked for permission to share their data with third parties, which could include the Met.
Would they really have made it explicitly clear that your data is being sold to the Police, or would they just have used weasel words like "commercial partners" ?
In the event, the deal was scuppered after details of the talks were leaked to The Sunday Times.
The whistleblower seems likely to be from the Metropolitan Police despite the #Leveson clampdwown on contacts with the press or perhaps from Ipsos Mori.
If the EE spokesman is to to be believed, it is less likely that the leak came from the mobile phone network operator EE.
A spokesman for the Met admitted there had been an initial discussion, but "the [Met] has made no offer to purchase data from Ipsos Mori nor has any intention of doing so".
No intention now that the story is public, but why then were there at least two meetings with at the level of Commissioner of Police for the Metropolis and Assistant Commissioner to discuss, such this supposed non-starter of a scheme ?
Will the Mayor of London investigate the Metropolitan Police's complicity in this scandal ?
EE said it had not even been aware of the Met talks. When told the documents seen by
The Sunday Times indicated that customers would be tagged with reference numbers, postcodes and could be tracked to within 100 yards, an EE spokesman said: "This is not coming from us and it is the first I have heard of it. We are not providing this type of data."
EE said it would provide anonymised data only in groups of 50 people or more. There was, however, some confusion last week at Ipsos Mori about the exact data to which they had access.
Page initially told The Sunday Times that Ipsos Mori could obtain data on individual phones. However, he later said it would gather only aggregate data. This confusion exposes one of the biggest problems of personal data: the lack of transparency about exactly what is held on individuals, to Whom it is being sold and how it is being used.
Ipsos Mori is to launch its tie-up with EE this month. The huge database offers vast potential for market research.
The firms will, however, now face questions about the talks with police over the use of the data and scale of the information it is offering to other potential clients. The Information Commissioner's Office said last week there were specific rules concerning telephone data and the sale of any data "must be done in compliance with the Data Protection Act".
Page said The Sunday Times had raised legitimate questions about the sale of data. "We may have to decide policing is not something we are going to do on this," he said. -
Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, said: "Customers are kept in the dark about how much information is collected, how long it is stored and how it can be used and the law needs urgently strengthening to give consumers proper control."
Do any other market research companies have similar "exclusive deals" with the other main mobile phone networks Vodafone, 3, O2 or with their Virtual Mobile Phone Operators partners like Tesco or Virgin ?
Any new Communications Data Bill must include Criminal Penalties for abuse of Communications Data (there are none under the current Regulation of investigatory Powers Act 2000)
See the Digital Surveillance report reccommendations published by the Open Rights Group:
- Hold an overarching review, potentially through a Royal Commission, to properly study surveillance in the digital age.
- Judicial oversight of requests for intrusive communications data, in particular for all traffic data requests.
- Choose 'data preservation' rather than blanket data retention. Include quick response and emergency processes, and means to intelligently and accountably identify targets.
- Create a unified Surveillance Commissioner capable of carrying out a strong, independent audit with "multi-skilled investigators including human rights and computer experts."
- Reject vague proposals, such as those in the draft Communications Data Bill, for automated, pervasive analytics tools designed to trawl through and across datasets.
- Provide stringent penalties for misuse of either powers or data.
- Individuals should be notified by default of a decision authorising the request for their communications data.
- Invest in law enforcement's capacity to use and analyse the data already available to them.
- Lift the ban on the use of intercept evidence in court.
- Use the International Principles on Communications Surveillance and Human Rights developed by Privacy International and other groups as a template for future laws.