Request for withheld information on 3UK/Shine trials

The request was refused by Information Commissioner's Office.

Dear Information Commissioner’s Office,

I previously made a request last year in regard to the correspondence between the ICO, 3UK & Shine on the subject of the trials undertaken by Three of systems provided by Shine.

See: https://www.whatdotheyknow.com/request/r...

Now we learn that Shine has rebranded itself as Rainbow and 3UK will be going live with their services later on this year.

See: http://www.bbc.co.uk/news/technology-390...

IoCCO had this to say on the matter when I raised the matter with them:

'If the first three elements described above apply but consent as described in section 3(1) of the Regulation of Investigatory Powers Act 2000 (RIPA) is absent, then a criminal offence within the meaning of section 1(1) is likely to apply.

The intentional and unlawful interception of communications (whether communications transmitted by means of a public postal service or a public telecommunication system) remains a criminal offence. Where a person’s conduct amounts to or is considered to amount to intentional unlawful interception (the offence in section 1(1) RIPA), that conduct should continue to be referred to the police.'

See: https://patrick.seurre.com/wp-content/up...

The purpose of the interception seems to be just as questionable and the legal basis just as dodgy. Network traffic would still have to be shared with Shine/Rainbow for their system to work.

I would therefore like to have a copy of all correspondence that you chose to withhold in the previous request. The public interest argument is not something that can be ignored any longer in my opinion, as this has gone beyond a mere trial and the personal and private communications of all Three customers are at real risk of illegal interception.

Yours faithfully,

P Seurre

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

22nd March 2017

 

Case Reference Number IRQ0669880

 

Dear Mr Seurre

Thank you for your correspondence of 27 September 2017 in which you
requested information held by the Information Commissioner's Office (ICO).
Your request was handled in line with your rights under section 1 of the
Freedom of Information Act (FOIA) and our response is below.
 
Your request of 27 September 17 read:
 
“I would therefore like to have a copy of all correspondence that you
chose to withhold in the previous request. The public interest argument is
not something that can be ignored any longer in my opinion, as this has
gone beyond a mere trial and the personal and private communications of
all Three customers are at real risk of illegal interception.”
 
 
We have considered the information we withheld from you in response to
your previous request. For clarity, this was personal data of staff at 3
UK, and information received from 3 UK concerning Shine. In our response,
we relied on the exemptions under s 40 and s 44 of the FOIA by virtue of s
59 of the DPA in withholding this information.  
 
We’ve taken your views into consideration, reconsidered the information we
withheld and also consulted again with 3 UK. We confirm that we are
relying on the aforementioned exemptions again in withholding this
information.  

We have provided you with the explanation of why the exemptions apply to
the information you requested in our last response. While these have not
changed, I’ve included the explanation below again for ease of reference.
 
Finally, we’ve handled 3 requests and an internal review from you about
Shine and 3 UK. Two of the requests and the internal review were regarding
information that we previously withheld. The internal reviewer agreed that
the exemptions apply to the information you requested. As this is a repeat
request for the same information I would like to draw your attention to
our guidance on vexatious and repeated requests
[1]https://ico.org.uk/media/for-organisatio....
This explains that public authorities can refuse a repeat request in line
with section 14 of the FOIA.
 
We appreciate that you have concerns about this trial. It may be useful to
write to us at [2][email address] to detail those concerns. These can
be forwarded to the appropriate team in our Strategic Liaison department
who communicates with 3 UK about this trial.
 
 
Application of the exemptions
 

Section 44 of the FOIA by virtue of section 59 of the DPA exemption
 
Section 44(1) (a) of the FOIA states:
 
‘(1) Information is exempt information if its disclosure (otherwise than
under this Act) by the public authority holding it -
(a) is prohibited by or under any enactment’

The enactment in question is the Data Protection Act 1998 (DPA) and
specifically section 59 of the DPA. Section 59 states that neither the
Commissioner nor his staff shall disclose:
“any information which:
 
a. has been obtained by, or furnished to, the Commissioner under or for
the purposes of the information Acts.
b. relates to an identified or identifiable individual business, and
c. is not at the time of disclosure, and has not been available to the
public from other sources, unless the disclosure is made with lawful
authority.
 
(2) For the purposes of subsection (1) a disclosure of information is made
with lawful authority only if, and to the extent that—
(a) the disclosure is made with the consent of the individual or of the
person for the time being carrying on the business,
(b) the information was provided for the purpose of its being made
available to the public (in whatever manner) under any provision of [the
information Acts],
(c) the disclosure is made for the purposes of, and is necessary for, the
discharge of—
(i) any functions under [the information Acts], or
(ii) any [EU] obligation,
(d) the disclosure is made for the purposes of any proceedings, whether
criminal or civil and whether arising under, or by virtue of, [the
information Acts] or otherwise, or
(e) having regard to the rights and freedoms or legitimate interests of any
person, the disclosure is necessary in the public interest.
(3) Any person who knowingly or recklessly discloses information in
contravention of subsection (1) is guilty of an offence.”
 
 
Section 59(1) (a) is satisfied because the information was furnished to
the ICO for the purposes of the information Acts. Data controllers and the
representatives are identifiable businesses and section 59 (1) (b) is
satisfied.
 
In relation to section 59 (1) (c), the information has not been disclosed
to the public and therefore this does not provide a route to disclosure.
Section 59 (2) (b) provides circumstances where lawful authority could be
achieved. We can say that in relation to (a) we do not have consent from
the data controllers to disclose this information and in relation to (b)
the information was not provided to the ICO for the purpose of being made
public. 

In relation to (c) - we do not consider that the ICO must disclose this
information in order to discharge a function under the information Acts or
a Community obligation.

Further, in relation to (d) a disclosure would not be for the purposes of
proceedings.

Finally, we turn to (e). We should clarify that the public interest
threshold here is very high, not least because disclosure in contravention
of section 59 by the Information Commissioner or his staff may constitute
a criminal offence (s.59 (3)). 
 
  
Section 40 (2) by virtue of section 40 (3) (a) (i):
 
We have also withheld the name and contact details of members of staff at
3 UK under section 40 (2) by virtue of section 40 (3) (a) (i) which
relates to personal information.
 
Section 40(2) allows a public authority to withhold information from a
response to a request when the information requested is personal data
relating to someone other than the requestor and either the first or
second condition in section 40(3) is satisfied.  In this instance the
disclosure would satisfy section 40(3) (a) (i) as to disclose such
information would contravene one of the Data Protection principles.
 
We consider that such a disclosure would be unfair to the individuals in
question and in breach of the first Data Protection principle which states
that – “Personal data shall be processed fairly and lawfully.”

I realise that this response is disappointing to you but hope the above
explains our position. 
 
 
Yours sincerely
 
 
Iman Elmehdawy
Information Access Service Manager
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

Review Procedure
 
However, if you are dissatisfied with this response and wish to request a
review of our decision or make a complaint about how your request has been
handled you should write to the Information Access Team at the address
below or e-mail [3][ICO request email].
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to our Customer Contact Team at the address given or visit our website if
you wish to make a complaint under either the Freedom of Information Act
or Environmental Information Regulations.
 
A copy of our review procedure can be accessed from our website [4]here.
 
 

 

References

Visible links
1. https://ico.org.uk/media/for-organisatio...
2. mailto:[email address]
3. mailto:[ICO request email]
4. https://ico.org.uk/media/about-the-ico/p...

Leigh Park Initiative left an annotation

This is beginning to look very like the Phorm story.

The story is: a UK ISP and a marketing company with a Deep Packet Inspection based model for intercepting communications do a deal to intercept the internet data stream using DPI for value added purposes, without the prior bilateral consent of both the sender and recipient of the communications, and use the personal data of the internet customers, and those they communicate with, for their own commercial value-added purposes. They do unlawful trials which the affected users (third party recipients of communications from participating ISP customers) aren't aware of, and the enforcement agencies either turn a blind eye or decide to stay silent.

Neither the IoCC, the ICO, nor the police take any enforcement action despite repeated requests from those affected, and any discussions that ARE had, are confidential. Eventually several years later, we realise that the whole thing was grossly illegal and even involved "collusion" between government and the commercial organisations concerned, as well as the worrying aspect of hospitality paid for by potential suspect interviewees for investigating police officers, but prosecuting the alleged offenders is felt by the CPS not to be in the public interest.

Eventually the UK government is hauled over the coals by the EU Commission and domestic legislation is changed under duress from Brussels to make it absolutely clear that this sort of thing is unlawful. But in practice, nothing changes, and the whole thing starts all over again with a different CSP and a different DPI partner.

Until Shine/Rainbow and ThreeUK explain their tech and transparently demonstrate its legality, consumers are going to assume that Rainbow is "Son of Phorm" and that ThreeUK are "daughter of BT". Rainbow have already admitted that the tech used in the early ThreeUK trials involved Deep Packet Inspection technology https://www.youtube.com/watch?v=aaEdXQy3... - 2hrs 15m 10secs into the video.

It is in everyone's interest, particularly the "public interest" that this matter is dealt with transparently so we, the users of internet and mobile telco services, know exactly what is happening to our confidential private data.