THEY KNOW, YOU KNOW — AND SO SOON MAY OTHERS
When we reported the forthcoming roll-out of free Wi-fi across the city centre in Issue 152, we foresaw mixed consequences – most of them welcome.
However, a sceptical reader has been delving into the small print since, and finds reasons to be cautious.
Alexander Frei enquired about the privacy policy of City of Edinburgh Council’s partner intechnologyWiFi back in May, when news of the deal between the two was first made public.
It took them two weeks to reply – surprising given that there were already online promises that this could be obtained on request.
Someone from the intechnologyWiFi team eventually emailed with a copy of the document (see pdf at foot of page) and this chummy response:
Many thanks for your enquiries and apologies for the delay coming back to you.
As I am sure you will understand, since announcing the contract last month we have and are extremely busy installing and rolling-out the WiFi network in advance of the service going live. The finalisation of our privacy policy has been part and parcel of this.
Frei does not completely understand. In fact, he speculates whether there may have been ongoing discussions about the terms of the policy over those two weeks between intechnologyWifi and the Council.
He finds this odd because the company already supplies a similar service elsewhere and states that it is registered with the Information Commissioner’s Office.
Rather than using an existing company-wide privacy or user data usage policy, it looks as though what we have here is a policy specifically tailored for the Edinburgh service.
One issue of particular note in the document, says Frei, is the statement in relation to personal data storage:
You further agree that we and our authorised agents and representatives may from time to time transfer your details to recipients outside the European Economic Area (which may offer lower standards of data protection) to be used for the purposes set out in this privacy policy.
To put it another way, the standard of data protection you would expect may not exist.
This is all the more interesting, says Frei, given the European Union’s current concerns following the European Court of Justice’s decision on data transfer from the EU to the USA. ‘Hasty efforts to progress the so-called “privacy shield” arrangements to enable that data transfer (effectively to US corporations and Government agencies) are causing a great deal of angst and disagreement over the solution.
‘Many other countries have poor or non-existent standards in this respect. In other words your “personal” data could end up anywhere.’
The intechnologyWifi policy also states that:
We may disclose your information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in Section 1159 of the Companies Act 2006.
The group company is intechnology PLC. Frei is puzzled as to why these other companies should have any interest in the personal data of Edinburgh WiFi use. ‘This appears to be a catch-all statement, but frankly I cannot see why it necessary for the data to be shared across these other entities.’
Within the policy’s ‘Disclosing Data’ section, it’s stated that, among other reasons (wholly legitimate), intechnologyWifi will also disclose personal data if they determine it is an issue of public importance.
No indication is given of what this actually means. In other words, it is a get-out clause which appears to let them alone set the terms. Additionally, says Frei, they also state that if the company is sold etc., they may then transfer all data to the ‘relevant third party’.
There appears to be no mechanism for not agreeing to this.
One item of particular concern appears within the section titled ‘Where we store your personal data’. This mentions that they will store certain information on server logs, including ‘clickstream data’.
That innocuous-sounding phrase actually means that the virtual trail that the user leaves behind whilst using the service will be recorded and kept. This is a record of the user’s activity, including every website and every page of every website the user visits, how long the user was on a page or site, in what order the the pages were visited and any interactions the user engages in, probably including even the email addresses of mail the user sends and receives.
Clickstream data is enormously valuable to internet marketers and advertisers, and this is the currency that pays for the service. It is free use in financial terms, but your data is being traded to enable the service to be operated and a profit made.
These issues are not confined to Edinburgh, or this particular deal, but for many people they will reinforce a queasy unease about who knows what about us, and what they're doing with that knowledge.
We have no reason to believe anything sinister is going on, but we think users of the service should go in with their eyes open and we share Frei’s assertion that intechnologyWiFi could improve the clarity of its commercial operation.
‘A better way for intechnologyWiFi to appear straightforward on this,’ he says, ‘would be simply to state that: There is no monetary cost to using the service, but we use users’ data to provide marketing and advertising to those users.
‘At least, then, everyone would clearly understand the business model without having to try and understand the terms and conditions.’
[WiFi symbol courtesy of icons8.com, Creative Commons.]
Got a view? Tell us at spurtle@hotmail.co.uk and @theSpurtle and Facebook
----------------------
Kate Kelly Thanks Alexander Frei for looking into this, it reveals a predictably cavalier approach from City of Edinburgh Council. Personally I wouldn't touch their 'free' Wi-Fi..
Paul Foley Not worth risking your liberties for. Free my bahookey.