Gov't mydata apps plan raises privacy concerns

Apps will chart people's lives under government consumer scheme...
Written by Nick Heath, Contributor on

Some of the examples provided by the government of what mydata information could be used for. Photo: Department for Business, Innovation and Skills/Cabinet Office

Want to know how much you spend on lunch during the week or whether you're getting your five fruit and veg a day?

The mydata project, launched by the government this week, aims to let consumers analyse their daily life in detail by throwing the spotlight on how much they spend, what's in their shopping basket, who they are calling and how much power they're using.

More than 20 companies - including major banks, retailers, phone and utility companies - are in talks about releasing customer data for the scheme.

The companies include Barclaycard, Centrica, Everything Everywhere (owner of the T-Mobile and Orange brands), Google, Groupe Aeroplan, HSBC, John Lewis Partnership, Lloyds TSB, MasterCard, Nectar and the Home Retail Group, RBS Group, and Southern and Scottish Energy.

Under the scheme, consumers will be able to ask businesses to release their personal information from records such as bank statements, energy and mobile phone bills and loyalty card records - so it can be passed on to third parties.

These third parties will aggregate the data and run it through online apps and services that will allow consumers to analyse their habits and compare themselves against other people's behaviour to identify ways of saving money, time or other benefits.

A Business, Innovation and Skills document Better Choices, Better Deals sets out what the government sees as the potential benefits of the scheme.

The document says mydata has numerous applications, ranging from choosing an appropriate mobile phone contract based on the past 12 months' usage to assessing the average fat content in the food an individual buys from supermarkets.

"By helping you access your own data we believe a market in useful apps and websites will be stimulated - able to analyse your data for you, to make choosing the best deal easier," the document says.

Professor Nigel Shadbolt, co-creator of data.gov.uk, will chair sub-groups made up of participating companies to agree how the data will be released and a timetable for doing so.

He said the mydata scheme will be "very well advanced by this time next year", adding that some of the companies involved with the scheme already had "ambitious programmes" in place.

However, the scheme has been criticised for increasing the risk of customer data being stolen or compromised by placing sensitive personal information - such as financial data and telephone numbers - in the hands of a large number of third parties.

Graeme Stewart, public sector business development director with security firm Sophos, said: "By its very nature, pushing data towards the boundary of organisations so that it is accessible means it is more likely to be accidentally released, or more easily hacked by the bad guys.

"Legislation that forces companies to move even more data to the extremities of their control needs to be accompanied by coherent security policy.

"Repeated data breaches over the past few years have demonstrated that even inadvertently, companies and public bodies lose data."

The Information Commissioner's Office will help a privacy, security and legal sub-group design ways of protecting consumer information.

Shadbolt said the mydata sub-groups were still working out issues such as what data should be released, how much will be stored, how it will be transferred and how long it is held onto by third-party providers.

"The idea of building a massive portfolio of all your behaviours isn't what's in view at this point, and it wouldn't be held in one place," he said.

Shadbolt said the most useful insights would probably come from building up a picture of individual behaviours, such as spending habits or phone calls, over a long period of time.

"There's an argument that you get more power out of looking at a large-scale aggregate, and a pattern over a period of time," he said.

"There's already work underway to make sure you get a decent digest of credit cards for the whole year. Once you see it for the whole year you can say, 'I didn't realise I was using [my credit card] in this particular way'. This is where it is believed a lot of the win is, in behaviour averaged over time," he added.

However, protecting the data held by third parties may prove to be a difficult task.

Even if steps are taken to anonymise data held by third parties as much as possible by removing identifying names and numbers, Ross Anderson, professor of security engineering at Cambridge University, said it was difficult to stop somebody from inferring who the data belongs to using statistical analysis.

"It's really, really hard [to stop] and this has been known to technical people for over 30 years," he said.

"They [the government] don't appear to have anybody who understands it."

Stewart also questioned the value of the entire scheme, asking how many consumers will bother to request access to the data that companies hold on them.

"The report itself comments that most people still do not understand their rights today as to what they can question over data held by organisations," he said.

"Extending these powers may offer a superficial boost to access but one has to question whether it will actually help."
