Everything Everywhere, IpsosMori and the mystery of 27m people’s data

Yesterday’s Sunday Times carried an alarming story on its front page about the mobile phone data of 27 million EE customers being sold to IpsosMori, and in turn onto third parties including the Met Police.

The paper would clearly not have published without a sufficiently high standard of evidence and the Met Police’s reaction – to suddenly announce it was abandoning the plans, despite high-level meetings in recent weeks – suggests a nerve has been touched.

The paper’s evidence is clearly damning: “Documents to promote the data reveal that it includes “gender, age, postcode, websites visited, time of day text is sent [and] location of customer when call is made”. They state that people’s mobile phone use and location can be tracked in real time with records of movements, calls and texts also available for the previous six months.”

We have already made Freedom of Information Act requests for these documents, and urge IpsosMori to publish them urgently to allay public concerns.

Everything Everywhere needs to come clean on what data it is releasing, and why it is storing this data where there is no business purpose.

Earlier this year, the two companies signed an agreement that will allow Ipsos MORI to analyse anonymised mobile phone usage data from the telco, which has 27 million customers, and offer insights to businesses and local authorities. However, as we have previously warned, the UK’s definition of “anonymised” is far from meaning that data cannot ever be re-identified.

This loophole in the definition of “personal data” stems from the Data Protection Act 1998, which failed to fully implement the Data Protection Directive (EC95/46) by omitting the caveat that if data could be reasonably likely to be identifiable by “any other person” then it was not anonymised.

The data that Ipsos MORI would be able to analyse includes individual users’ location to the nearest 100 metres. By removing user and account details we expect the company’s lawyers would argue this is “anonymised” – however, anonymity in large datasets is only as good as the other data it can be combined with, as this paper from the University of Texas warns. This follows from a paper last year highlighting how 80% of mobile users could be “precisely identified” by comparing their location data with their social graph – i.e. their Facebook friends. Cambridge Computer Lab also produced this excellent poster for an event on re-identification last year, while Nature published a scientific report on how with the right data, 95% of people can be re-identified from a data set of 1.5m “anonymous” people.
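To make the point about combining data concrete, the following added example (not from this article or the papers it mentions) measures how often a few known place-and-time points single out one trace in a name-free dataset, and how much coarsening the 100-metre grid helps. The traces, function names and bin sizes are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: pseudonym -> set of (x_metres, y_metres, hour) points,
# positions already snapped to a 100 m grid. No names, numbers or addresses.
TRACES = {
    "u1": {(100, 200, 8), (1500, 300, 13), (100, 200, 22)},
    "u2": {(100, 200, 8), (1500, 300, 13), (900, 900, 22)},
    "u3": {(200, 200, 8), (1500, 400, 13), (100, 300, 22)},
    "u4": {(5200, 100, 9), (5300, 700, 13), (5200, 100, 23)},  # isolated user
}

def coarsen(traces, cell_m=100, hours=1):
    """Generalise every point to a cell_m grid and hours-wide time bins."""
    return {user: {(x // cell_m, y // cell_m, h // hours) for x, y, h in pts}
            for user, pts in traces.items()}

def unicity(traces, p):
    """Mean share of p-point subsets of a trace that match no other trace.

    A score of 1.0 means any p known points pick out exactly one record;
    0.0 means every such subset is shared with at least one other record.
    """
    scores = []
    for user, pts in traces.items():
        subsets = list(combinations(sorted(pts), p))
        if not subsets:
            continue  # fewer than p distinct points left after coarsening
        unique = sum(
            1 for s in subsets
            if not any(set(s) <= other
                       for name, other in traces.items() if name != user)
        )
        scores.append(unique / len(subsets))
    return sum(scores) / len(scores) if scores else 0.0

if __name__ == "__main__":
    fine = coarsen(TRACES, cell_m=100, hours=1)      # 100 m, hourly
    coarse = coarsen(TRACES, cell_m=1000, hours=12)  # 1 km, half-day
    for p in (1, 2, 3):
        print(f"p={p}: 100m/1h {unicity(fine, p):.2f}  "
              f"1km/12h {unicity(coarse, p):.2f}")
```

In the coarse grid the three neighbouring traces become indistinguishable, but the isolated user stays unique, which is why coarsening alone does not settle whether a release is anonymous.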

This smacks of a shameless attempt to turn customers into cash-cows. Selling data about how they use the services is an affront to privacy and the principle that when people pay for a service, they should control the data about them. IpsosMori stated that “Ipsos MORI only receives anonymised data without any personally identifiable information on an individual customer. We do not have access to any names, personal address information, nor postcodes or phone numbers”.

This data can paint an incredibly detailed picture of your life, and the idea that because names were omitted it is somehow acceptable to cash in is frankly offensive to EE customers whose privacy has been sold out on a spectacular scale.

This case highlights the huge amounts of data already held about us by companies, often with scant justification for it to be retained after the initial technical need. Customers are kept in the dark about how much information is collected, how long it is stored and how it can be used. The law urgently needs strengthening to give consumers proper control over this data and to ensure companies are not prepared to do shady deals like this.

We suspect EE is not the only company looking to cash in on our private lives like this, and are very concerned that, were it not for the Sunday Times uncovering these plans, customers may never have known what was going on.


  1. Jamie Dowling
    13th May 2013

    This sounds a lot like the discredited & illegal Phorm system but for phones. Phorm made similar claims about legality and anonymisation but refused to provide proof. Were the EE customers who were monitored told about it and given the opportunity to take part or refuse to take part?

    Ethics takes a back seat when money can be made from such schemes. Only by highlighting these schemes will we educate people how their data can be misused and educate the businesses to behave ethically, openly and honestly.

  2. Phorm For Phones 2: EE & Ipsos Mori Updated | View From Planet Jamie
    13th May 2013

    […] Big Brother Watch has reported on this story and includes links to more papers casting doubt on claims of anonymisation being effective, including this graphic from the University of Cambridge Computer Lab. […]

  3. sadoldrocker
    13th May 2013

    I’ve been flannelled by Ben Page of MORI on Twitter but have raised a formal complaint with the Market Research Society’s compliance arm. Trying to make contact with EE is proving very difficult…

    • ivandenisovich
      13th May 2013

      This is a storm in a teacup. All the mobile companies are talking to the information industry about this process (the supermarkets all do it right now with loyalty card data) and it would be ILLEGAL for either supermarkets or mobile operators to share identifiable customer data with other organisations. This is just about anonymised and aggregate data. The Daily Fail and Sunday Times have created a moral panic story out of lies and half truths. Unwise to quote anything from either newspaper in your “formal complaint” or you may end up with a lot of egg on your face.

  4. Ruth O'Hare
    13th May 2013

    All very well, but how do you KNOW which providers those are? At least having been caught EE might be better behaved in future.

    • Guest
      16th May 2013

      I wouldn’t be so sure, once a sellout always a sellout.

      • Ruth O'Hare
        26th May 2013

        True, but as far as I can see they’re all pretty much the same. Take BT, can you trust them after they were ready to sell us out to Phorm?

  5. Alastair McGowan
    13th May 2013

    I can make a fingerprint from this ‘anonymised’ data, especially location patterns, and the patterns I can correlate with other ‘anonymised’ data in order to find people who have changed phone. And as the article argues – reidentification can also be done with statistical confidence. The techniques are becoming far more powerful and invasive than marketing usage. I don’t believe these phone companies should be holding any of this data after the reason for recording it is fulfilled and the bill is paid. Crime rates have been falling and the police always managed without this Orwellian mechanism in the past.

  6. KrisKuz62
    15th May 2013

    Hubby purchased an Orange Pay as You Go Sim Card last week. New number, not given to anyone but he has already had PPI calls to it. Spoke to Customer Services on another matter and then asked about the selling of data and was told that Orange do not sell ANY data. Clearly lied to him then.
