Triangulation And Butter

Supermarket butterWhy should we care about protecting small items of personal data, such as our date of birth, parents’ names, post code and so on? Why does it matter when we’re asked for them by someone with no need to know them? What does it have to do with delicious butter?

The reason is those small piece of personal information can be used for triangulation. What does that mean? Here’s a (currently completely fictional) example to explain, taken from my presentation about the Communications Data Bill.

At some time in the near future, you are at the checkout in Safeway. They scan the stick of butter you want to buy, and then you hand over your Club Card and payment. The assistant looks at the screen, then reaches for the voucher printer and pulls a form from it.  He places it on the counter and gives you a pen. “Here, sign this.” You look at it in surprise. It is a liability waiver, with your name at the top. The text says “as someone potentially at risk from cholesterol issues, I absolve Safeway of all responsibility for my butter purchase”.

How did this happen? Safeway don’t know your health status; they just know it’s in their interested to get that waiver signed. Their insurance company has used your name and address from your Club Card account like a “shared key” to identify your health records, past purchases at other stores and other information about you. As a result of the data it discovered, a heuristic that’s been trained to identify people who might pose a risk of litigation against the company has flagged you to Safeway as waiver candidate. They get a discount on their liability insurance if they get waivers from all flagged customers, hence the waiver form. It’s not to protect me; it’s to protect them.

This is triangulation. No individual data item discloses private information I care about, but gathered together it can be used without my consent and against my interests. This is why the least authority principle should inform us everywhere in our lives, why we should support data protection laws and especially why we should resist the Communications Data Bill.

%d bloggers like this: