Privacy implications of US court ordering handover of YouTube viewers' data to Viacom
There has been a lot of comment on the blogphere today about the US court order requiring Google to hand to Viacom the records of every viewing of You Tube videos
This means ViaCom will get your IP address, your You Tube user name and a list of the videos you viewed from that IP address.
I went to http://www.ipaddresslocation.org/ this morning to check what someone knowing my IP address would be able to tell about me. In my case the IP address of the computer I am using tells you the name of the company I work for. Put that together with my video viewing history and my YouTube user name and you know an awful lot about me.
The case is ringing alarm bells. When I use a web 2 application such as You Tube I assume (perhaps naively!) that the company that operates the application isn't going to do anything reckless with my data on the basis that they need to keep their users happy in order for the application to stay viable. But here a competitor of a web 2 application has been granted access to all the personal data of the users of that application. Viacom would not suffer a jot (indeed could gain) if everyone decided to stop watching You Tube from tomorrow.
Their has been a lot of criticism in the US of the judgement on the grounds that it doesn't take into account the protection given to users of video by the Video Privacy Protection Act (VPPA). The VPPA was passed after a newspaper disclosed the video rental history of Robert Bork, who was a nominee for the Supreme Court. Even allowing for the possibility that the judge's decision was flawed, it does seem to indicate a significantly reduced protection for personal privacy in the US as compared to Europe.
Under British and European law the third data protection principle prevents the processing of data that is excessive in relation to the purpose for which it was obtained. I am no lawyer, but I think the provision of the viewing history of all users of You Tube is excessive in relation to the purpose of Viacom in identifying breaches of its copyright by people posting its material onto You Tube.
In the UK the HM Revenue and Customs were strongly criticised for breaching that same third data protection principle by the recent Poynter Report. They had providing the National Audit Office with a complete scan of every person on the child benefits database, when NAO only needed records of children who had started or stopped receiving benefits in the previous year. Of course that breach of the 3rd principle was compounded when the discs containing the data went missing.
The Information Commissioner regards companies like Google as being subject to the UK Data Protection Act in so far as they are collecting personal data within the UK by leaving cookies on UK based PCs. It will be very interesting to see over the next few days whether the Information Commissioner (and his equivalents around Europe) makes any representations to the US about this case.
James Lappin
Comments