Thursday, October 23, 2008

Lib Dems, data protection and member profiling

In August, after yet another data loss scandal engulfed the Government, the leader of the Liberal Democrats, Nick Clegg said,
"I'm just gobsmacked, like everyone else is, that the government can be so systematically incompetent in failing to keep our data safe. Frankly the Keystone Cops would do a better job running the Home Office and keeping our data safe than this government, and if this government cannot keep the data of thousands of guilty people safe, why on earth should we give them the data of millions of innocent people in an ID card database?"
"Absolutely Cleggy!" you might think, but the important thing to remember here is that whilst the Government have been shown to be incompetent at protecting data on numerous occassions, the Liberal Democrats have instead actively breached privacy rules and data protection responsibilities.

Some may remember that back in September they were told they would face prosecution by the Information Commissioner after their decision to use so called "robocalling" to contact 250,000 people with unsolicted direct marketing and play a recorded message from Nick Clegg. I can also reveal that the Liberal Democrats are playing loose and fast with their own members data too.

The independent Lib Dem Voice blog has been given a form of access to the Liberal Democrats membership list in order to allow them to authenticate genuine Lib Dems for their "members only forum". To register for the forum the site requires full name, postcode and party membership number, and it then has query access to the Lib Dem membership list in order to confirm if the person registering is a member or not. The site says,

this information is passed into a piece of software provided by the Liberal Democrats that responds simply to say whether or not you are currently a member of the party, and this will be used to permit or deny you access to the forum. Lib Dem Voice is not given access to the party’s membership records and is not provided with any information from them other than “is a member” or “is not a member”.
Now you see, it doesn't matter whether Lib Dem Voice have or have not got "access to the party’s membership records" the key here is that they, as an independent third party, are given a response by the Liberal Democrats which discloses someone's personal information in the form of their membership. I ran this by the Information Commissioners office and there was little doubt from them that this would constitute a breach of data protection.

It's a bit like if I rang a bank and gave them someone's full name, postcode and their account number and asked them to confirm that the details were valid. They would not disclose that information and be quite clear that it ould breach the data protection laws for them to do so, and they would be quite right too. This not so with the Liberal Democrats it seems.

The only people the Liberal Democrats should be disclosing this information to are legitimate requesters, and legitimate requesters most certainly do not include an independent website with a discussion forum. A legitimate requester would be, according to the ICO, someone like the police carrying out an investigation.

It doesn't just end there though, once someone is a member of the LDV forum they are sent personalised surveys each month which ask questions such as "Who did you vote for in the leadership?", "do you regret your decision?" and "who do you intend to vote for as the next President of the Party?".

These are questions about what someone has done or intends to do in an "officially" secret ballot. Responses which can then be cross-referenced against membership IDs meaning that LDV is profiling its forum members in quite extensive detail. It's probably worth noting at this point as well that one of Lib Dem Voice's primary contributers is Mark Pack, Head of Innovations for the Liberal Democrats at Cowley Street.

So not only do we have the Liberal Democrats breaching data protection by disclosing whether someone is a member to an illegitimate third party. We also have a website that is profiling members of the Lib Dems on matters such as their secret ballot decisions and that information could quite easily be fed back into the Party HQ.

Such information could thus potentially be used for malign purposes like identifying the "bad eggs" for example, and/or helping to rig ballots etc etc. The Liberal Democrats and Lib Dem Voice have quite a lot of explaining because of these two information security issues I'd say.

Firstly, why is Cowley Street confirming to a third party whether someone is or is not a member (the other two main parties do not and would not do this (I checked))? Secondly, why is the independent Lib Dem Voice blog gathering secret ballot data that can be cross-referenced for profiling purposes and can so easily find its way on to a desk in Cowley Street?

Now I'm guessing that some may respond to this suggesting that this is not really that bad, they're not disclosing names and addresses after all. However, what one needs to remember is that by confirming a name, postcode and membership status (essentially reverse searching) they are in fact disclosing those three things and they should not be.

Data protection is not just about whether you give details out directly, it's also about whether you unwittingly confirm details when requested to do so. As I said above, a bank would not confirm if someone was a customer of theirs if you just happened to walk in and gave them a name, postcode and account number.

17 comments:

Anonymous said...

Excellent research Dizzy which would be very news worthy except, it's about the LibDems, so no one gives a fig.

Anonymous said...

Nice work, Dizzy. The Lib Dems remain the only party who have ever sent me spam/junk mail at home. I get all sorts of leaflets delivered by hand when elections are on, but at least twice a year I get junk mail from the local Lib Dem co-ordinator. What is particularly stupid is that I live in a solidly Tory area for the most part, and the elections he always wants to draw my attention to - County Council - have seen the LDs come a distant third for about 20 years. It's a complete waste of his money.

................................. said...

Lib Dem data protection? They're all at sea.

Anonymous said...

I'm flattered you thought our systems worth so much scrutiny Dizzy :-)

In brief: the answer as to whether or not someone is a party member is only given in response to the party member requesting that this question be answered.

In more detail:

The checking system only returns any information about whether or not someone is a current party member if all of several different pieces of information (including membership number) are present and correctly match up with each other.

Therefore, in order to check whether or not someone is a party member you have to know their membership number, along with other information about them. This protects against, for example, a journalist checking whether or not someone is a party member as they'd have to know several pieces of information about the person, including their party membership number, which is not a public piece of information.

(Party membership numbers are more like a bank account password rather than a bank account number in that respect. This isn't a perfect analogy, so I wouldn't get too hung up on the nuances, but the basic point is that it is a more secure and private piece of information than your bank account number as your bank account number ends up being provided to all sorts of different people and firms in order to make bank transactions, pay bills and so on.)

In addition, this checking system is only available to sites which the party approves, so we have an extra level of protection in that we only authorise sites which are making appropriate use of the system. For example, to give an extreme but clear example, we wouldn't approve a site that takes these three bits of information from someone and puts them on a public web page. We also require all sites using the system to make clear why they are asking for this information and how it is going to be used.

As a result, this means the system is only returning information to a site such as Liberal Democrat Voice if a party member has supplied information in the knowledge that it is going to be used to check their membership and that the yes/no answer to this question is going to be given to the site. The only disclosure of information that happens is therefore at the request of the party member, and so with their permission.

As Stephen runs the LDV polls, I'll leave it to him to answer on that point, but my understanding is that all the data is kept confidential and no matching up of individual results is done. Certainly none is passed to the party. Participants in surveys know this, though of course it's always open to them not to take part if they don't trust the software or the terms.

Anonymous said...

Dizzy ... Mark Pack says it's OK so you should just jolly well stop listening to silly people like the Information Commissioner - what a fool he must be - 'cos Mark and his LibDem chums NEVER do anything wrong/ near the knuckle/ underhand/ decietful or plain naughty.

Meantime, please kick Mark Pack and his kind hard in the b**locks -just as a matter of principle.

Anonymous said...

Mark,

You are wrong.

You do not know if the person making the request is a party member until after the search is executed.

Example:

I have several Lib Dem councilors. It is a safe bet that they are members of the party. They will also probably have their own house registered in their interests which is on the net these days. I now have 2 out of the 3 bits of info. If I have a mate who is a Lib Dem (long shot I know but go with me) I will know the format of the number. If his wife is also a member I could figure out how the number is generated.

Now I can just brute force the number. Again like Dizzy said it would be like me using this info, calling up the cllr's bank and calling out random bank numbers until they say "yes, that is the one".

And besides, the point is the commission has already indicated this is a breach so no amount of justification can hide that.

Anonymous said...

Nicely spotted!

Clearly the only thing that is Liberal about them is their Liberal approach to the law.

Oh. Like who donates money to them?

Anonymous said...

Sorry, Anonymous there's (deliberately) rather more to how our membership numbers are generated than that.

Re the Commissioner: we only disclose information when the member has requested it to be disclosed, so what Dizzy was asking about isn't actually what we do.

dizzy said...

Correction Mark. You _assume_ that it is a member making the request.

Stephen Tall said...

I run the Lib Dem Voice members' polls, and can confirm what Mark Pack said above: "all the data is kept confidential and no matching up of individual results is done. Certainly none is passed to the party. Participants in surveys know this, though of course it's always open to them not to take part if they don't trust the software or the terms."

The polls are run through Liberty Research - individual emails are sent out to Forum members (so we know that those who complete them are party members), but there is no way, certainly that I know of, of tracing the individual answers back to those who fill in the survey questions. I am the only one who accesses the results, and I do not, will not, would never pass any information onto the party about any individual response.

And as Mark says, there's an easy option for those LDV-reading party members who don't trust what I say above: don't fill in the survey.

Anonymous said...

He's assuming that it is human being making the request too.

The registration form looks quite easy to fill in automatically. If I didn't have better things to do, I'd have a go at a brute force approach.

But I notice: the data submitted is not encrypted as it goes across the Internet. All those membership numbers are visible to someone monitoring the connection.

Anonymous said...

Actually your bank example is probably wrong for most people because for about the last 20 years or so you have explicitly agreed that your personal data can be used in that way as part of obtaining a bank account.

Anonymous said...

Mark makes an interesting point about the disclosure being requested by the member. By recollection though, this request for disclosure is made to LDV not to the Lib Dem party itself.

This may be a techicality, but it does seem to me that the request should be made to the party. If, by way of analogy, I tell my bank that they can check whether I'm a party member with HQ, presumably the party would refuse to disclose anything unless I'd made the request to the party itself.

Anonymous said...

So does that mean any scheme that confirms you're a member of a political party is illegal? Seems a but daft to me.

Insurance companies have access to my DLVA records, is that illegal as well?

In fact I recently used my shareholder discount with a third party who checked if I owned shares that must me illegal as well then.

To be honest, it's an opt in scheme that makes it clear what you're doing why does it matter?

Anonymous said...

MARK PACK

I had never thought about this -call me an idiot but it never occured to me that my comments and survey responses could be "monitored" by head office.

This has to STOP. NOW.

MARK PACK : you must
1. State the precise nature of the relationship between LDV and the Party on the LDV website .... now

2. State, here or in Lib dem news or somewhere public ...Which other Lib Dem blogs/sites enjoy the same access to "check" membership ?

3. State clearly on LDV how lines of control work and what - other than you personal pleas - stop any one at head office checking up on who is saying what,.

Hywel said...

"It's a bit like if I rang a bank and gave them someone's full name, postcode and their account number and asked them to confirm that the details were valid. They would not disclose that information and be quite clear that it ould breach the data protection laws for them to do so, and they would be quite right too."

If you had the person's consent to get that information, it wouldn't breach data protection laws. Effectively checks as to whether that sort of information is correct are made every day. For example when a company sets up a new direct debit you get a report within a couple of days if the account number, sort code, account name don't match each other.

Anthony said...

Hywel is right. If Dizzy is so sure of himself, we'll look forward to the Commissioner's decision (and I think he'll have a rather hard time proving that something that confirms party membership and nothing more with the consent of the member, is in breach of the DPA).