Investigation into 3UKs use of Shine

Roedd y cais yn rhannol lwyddiannus.

Dear Information Commissioner’s Office,

It would appear that the mobile operator Three has decided to proceed with trials of the ad-blocking systems provided by Shine. These trials are scheduled for June.

I have previously asked what conclusions you have come to, but you responded at the time with nothing concrete, choosing instead to insist that your inquiries were continuing.

https://twitter.com/ICOnews/status/71768...

If the trials are proceeding then I believe I can assume any investigation started by the ICO has been completed. As a Three customer myself I am extremely concerned to think that my own private and personal communications might be interfered with when I have not given my consent for that interference and there is no immediate need for it. As a website owner I'm equally concerned that the way I communicate with users might also be interfered with illegitimately.

Please provide me with the following information:

- A copy of any correspondence between Three and the ICO on the subject of Shine.
- A copy of any correspondence between the ICO and Shine on the subject of their systems by Three.
- Any internal emails sent within the ICO relating to Threes proposed use of systems created by Shine and/or the legality of the system more generally.
- Any conclusions reached by the ICO with regards to:
--- the general legality of the proposed ad blocking system.
--- also the type of consent required from the recipient of the communication for this to be legal
--- also the type of consent required from the sender of the communication for this to be legal

Yours faithfully,

Patrick Seurre

AccessICOinformation, Swyddfa'r Comisiynydd Gwybodaeth

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

dangos adrannau a ddyfynnir

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Gadawodd Leigh Park Initiative anodiad ()

If the technology includes the interception of communications using Deep Packet Inspection, and a complaint to the service provider has not resolved the issue to the customer's satisfaction, then the customer could consider a complaint to the local police (best of luck with that one - you will need evidence), and if as expected, the customer is rebuffed by local police, they should approach the Interception of Communications Commissioner with a complaint of illegal interception of communications. However - unless the customer knows and has proof that their communications HAVE been intercepted (ie they were included in the trial) the IOCC may not accept the complaint.

Swyddfa'r Comisiynydd Gwybodaeth

2 Atodiad

24th June 2016

 

Case Reference Number IRQ0631684

 

Dear Mr Seurre

Thank you for your correspondence of 31 May 2016 in which you made a
request for information to the Information Commissioner's Office (ICO).
Your request was handled in line with your rights under section 1 (1) of
the Freedom of Information Act (FOIA).
 
Your request read:
 
“Please provide me with the following information:
 -A copy of any correspondence between Three and the ICO on the subject of
Shine.
- A copy of any correspondence between the ICO and Shine on the subject of
their systems by Three.
- Any internal emails sent within the ICO relating to Threes proposed use
of systems created by Shine and/or the legality of the system more
generally.
- Any conclusions reached by the ICO with regards to:
- the general legality of the proposed ad blocking system.
- also the type of consent required from the recipient of the
communication for this to be legal
- also the type of consent required from the sender of the communication
for this to be legal.”
 
 
Our response:
 
We confirm that we hold information falling within the scope of your
request. A copy of the information we are able to disclose to you is
attached.
 
We confirm that we do not hold correspondence between the ICO and Shine on
the use of their systems by Three.
 
The attached documents include the internal information we hold regarding
the proposed ad blocking system. No information is held regarding
conclusions reached by the ICO on the general legality of the proposed ad
blocking system or the type of consent required from the recipient or the
sender.
 
You will see from the attached that we have redacted the correspondence we
received from Three UK regarding the subject of Shine. Where information
supplied by Three is reflected in our correspondence/documents, this has
also been redacted. These redactions were made in accordance with section
44 of the FOIA by virtue of section 59 of the DPA. We have also redacted
personal data of Three UK employees’. A full explanation of the redactions
we relied on is provided below.
 
Section 44 of the FOIA by virtue of section 59 of the DPA exemption
 
Section 44(1) (a) of the FOIA states;
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’
 
The enactment in question is the Data Protection Act 1998 (DPA) and
specifically section 59 of the DPA. Section 59 states that neither the
Commissioner nor his staff shall disclose;
“any information which:
 
a.has been obtained by, or furnished to, the Commissioner under or for the
purposes of the information Acts.
b.relates to an identified or identifiable individual business, and
c.is not at the time of disclosure, and has not been available to the
public from other sources,
unless the disclosure is made with lawful authority.”
Section 59(1) (a) is satisfied because the information was furnished to
the ICO for the purposes of the information Acts. Data controllers are
identifiable businesses and section 59 (1) (b) is satisfied.
 
In relation to section 59 (1) (c), the information has not been disclosed
to the public and therefore this does not provide a route to disclosure.
 
 
Section 40 (2) by virtue of section 40 (3) (a) (i):
 
We have also withheld the name and contact details of members of staff at
Three UK under section 40 (2) by virtue of section 40 (3) (a) (i) which
relates to personal information.
 
Section 40(2) allows a public authority to withhold information from a
response to a request when the information requested is personal data
relating to someone other than the requestor and either the first or
second condition in section 40(3) is satisfied.  In this instance the
disclosure would satisfy section 40(3) (a) (i) as to disclose such
information would contravene one of the Data Protection principles.
 
We consider that such a disclosure would be unfair to the individuals in
question and in breach of the first Data Protection principle which states
that – “Personal data shall be processed fairly and lawfully.
 
 
We hope our response is of assistance
 
Yours sincerely
Iman Elmehdawy
Information Access Service Manager
 
 
Review procedure
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [1][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [2]here
 
 

 

dangos adrannau a ddyfynnir

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Contact us: 0303 123 1113, www.ico.org.uk, livechat and twitter @ICOnews

References

Visible links
1. mailto:[ICO request email]
2. https://ico.org.uk/media/about-the-ico/p...

Gadawodd Leigh Park Initiative anodiad ()

The non-redacted portions of the material disclosed suggest a serious printer malfunction. Does ALL ico correspondence have so many gaps/missing letters in emails? Parts of the non-redacted material are so badly printed that they make no sense whatsoever because of the amount of missing words/letters. I'm not sure that material that is so badly printed/scanned is FOI compliant. Perhaps ico could try again?

Participants in this case may wish to revisit ico experience on previous network level interceptions of communications involving BT/Phorm and TalkTalk/Huawei, bearing in mind the consequent modifications to RIPA required from UK by EU Commission, namely the Monetary Penalty Regulations, and subsequent legislation, as well as existing DPA/PECRE legislation. It's all in the files!

A key question will be whether personal data in intercepted material is being processed and disclosed by the network operator to third parties with appropriate prior consent from sender and recipient.