National Postcodes to be introduced

ukoda

plodder wrote: »

They won't have a clue about Eircodes, but they will know that postcodes generally refer to groups of addresses, so they are anonymous and they might apply the same reasoning to Irish postcodes, and they expect them to be anonymous too. But, they aren't.

There expectation is that the customers address is unique, they won't really have a reason to use a postcode in isolation? They can't market to anyone using it without consent

plodder

ukoda wrote: »

They can't market to anyone using it without consent

I'm afraid you're still missing the point. I'm talking about companies that probably know nothing about Eircodes or even Ireland for that matter. It could be some small online retailer based in Idaho or Hong Kong for example. Do you think they will take the trouble to read up on Irish data protection law and treat Irish postcodes any different from the postcodes of every other country? Of course not. Whatever uses that postcodes have currently will be exactly the same for Eircodes, with some exceptions for retailers who are based here, or are big enough to have a legal footprint here.

FYI, here are two articles relating to US ZIP codes and some of the things they are used for (apart from delivering mail).

This one explains how ZIP codes in the US are used for marketing purposes, but under a false guise of security. The practice is controversial and some states have banned it. I've noticed, it's increasingly the case here that some retailers ask for your address at the till, even when they don't need it. It will be a lot easier to just ask for an Eircode and it seems likely to me that these retailers will pay for the Eircode address database so they can convert that to your full address at the till. Of course, you can always decline to provide it. But, the "social engineering" aspect of the US experience is interesting.

This one is about where they are correctly used as an extra layer of security for credit card processing. It doesn't directly apply in this country because credit cards are somewhat more secure here. But, the technique might end up being used in other situations where you might need to prove your identity (in the absence of a national ID card). The unfortunate thing with Eircodes (as I've said before) is that you are forced to reveal your full address, because the three character routing key isn't really sufficient for identification purposes. If Eircodes had a 5 character prefix then the level of security would be high, but without having to reveal your exact address.

ukoda

plodder wrote: »

I'm afraid you're still missing the point. I'm talking about companies that probably know nothing about Eircodes or even Ireland for that matter. It could be some small online retailer based in Idaho or Hong Kong for example. Do you think they will take the trouble to read up on Irish data protection law and treat Irish postcodes any different from the postcodes of every other country? Of course not. Whatever uses that postcodes have currently will be exactly the same for Eircodes, with some exceptions for retailers who are based here, or are big enough to have a legal footprint here.

FYI, here are two articles relating to US ZIP codes and some of the things they are used for (apart from delivering mail).

This one explains how ZIP codes in the US are used for marketing purposes, but under a false guise of security. The practice is controversial and some states have banned it. I've noticed, it's increasingly the case here that some retailers ask for your address at the till, even when they don't need it. It will be a lot easier to just ask for an Eircode and it seems likely to me that these retailers will pay for the Eircode address database so they can convert that to your full address at the till. Of course, you can always decline to provide it. But, the "social engineering" aspect of the US experience is interesting.

This one is about where they are correctly used as an extra layer of security for credit card processing. It doesn't directly apply in this country because credit cards are somewhat more secure here. But, the technique might end up being used in other situations where you might need to prove your identity (in the absence of a national ID card). The unfortunate thing with Eircodes (as I've said before) is that you are forced to reveal your full address, because the three character routing key isn't really sufficient for identification purposes. If Eircodes had a 5 character prefix then the level of security would be high, but without having to reveal your exact address.

Ah come on now. Thats such a stretch its not even funny. What in gods name will an online retailer in Idaho do with an eircode that poses a privacy risk for a customer in Ireland? And seriously, have you ever bough anything online where you haven't given your full address.

The examples you quote are of physical stores in the US asking for zip codes to work out addressed. There are much much stricter laws over here on doing that. For one a data controller can only hold information on a customer that's relevent to to help them service that customer. If a retailer here starts asking for your eircode then they will also have to ask for your consent to market you.

That's it. Stop trying to muddy the water with examples that don't apply

plodder

ukoda wrote: »

Ah come on now. Thats such a stretch its not even funny. What in gods name will an online retailer in Idaho do with an eircode that poses a privacy risk for a customer in Ireland?

They might sell their entire database of postcodes (including what was purchased) to people who want to buy it. Your postcode (with your full address in it) might end up in marketing databases, whether you know about it or consent to it, or not. Do you accept now that consent isn't really relevant? While you might not have ever bought anything from Idaho (that was an example), it's a lot more likely you've bought something from Hong Kong.

The examples you quote are of physical stores in the US asking for zip codes to work out addressed. There are much much stricter laws over here on doing that.

What laws are you referring to? I seriously doubt it will be illegal for stores to ask for Eircodes. Why should it even be illegal?

And seriously, have you ever bough anything online where you haven't given your full address.

I've tried my best here. We'll just have to accept that you don't get it ..

my3cents

plodder wrote: »

...

I've tried my best here. We'll just have to accept that you don't get it ..

He's not the only one.

plodder

my3cents wrote: »

He's not the only one.

There are none so blind ....

Look, I think people are fixated on this idea that because an address and an Eircode are equivalent and interchangeable, that there just couldn't possibly be any privacy implications because we've been handing out our address to people for years.

The point I am trying to make (and failing evidently) is that an address means the same thing everywhere, but "postcode" now has a different meaning in different parts of the world, which means they should be treated differently, and there could be privacy implications arising from that if they aren't.

Up to now, postcodes have not been personal information, subject to data protection law, and even if the law is changed here to ensure they are to be treated as personal information, there is no guarantee that anywhere else in the world your postcode ends up, that they will be treated as personal information. That is all.

my3cents

plodder wrote: »

There are none so blind ....

Look, I think people are fixated on this idea that because an address and an Eircode are equivalent and interchangeable, that there just couldn't possibly be any privacy implications because we've been handing out our address to people for years.

The point I am trying to make (and failing evidently) is that an address means the same thing everywhere, but "postcode" now has a different meaning in different parts of the world, which means they should be treated differently, and there could be privacy implications arising from that if they aren't.

Up to now, postcodes have not been personal information, subject to data protection law, and even if the law is changed here to ensure they are to be treated as personal information, there is no guarantee that anywhere else in the world your postcode ends up, that they will be treated as personal information. That is all.

So someone has my address and credit card details because I have bought from them how is also having my postcode going to make any difference?

ukoda

plodder wrote: »

There are none so blind ....

Look, I think people are fixated on this idea that because an address and an Eircode are equivalent and interchangeable, that there just couldn't possibly be any privacy implications because we've been handing out our address to people for years.

The point I am trying to make (and failing evidently) is that an address means the same thing everywhere, but "postcode" now has a different meaning in different parts of the world, which means they should be treated differently, and there could be privacy implications arising from that if they aren't.

Up to now, postcodes have not been personal information, subject to data protection law, and even if the law is changed here to ensure they are to be treated as personal information, there is no guarantee that anywhere else in the world your postcode ends up, that they will be treated as personal information. That is all.

This is where you are wrong. If you give your address to a company now as part of your account with them. It IS private data that they have an obligation to protect. If you opt out of marketing your account is flagged and when this company goes to pull a list to market to or sell your account is excluded, this means they don't have your address nor do they have your eircode to sell.


The example of the Hong Kong company is so far stretching it's a bit farcical. And I so far removed for what marketing companies are actually doing.

Even if we were to play this scenario out... The Hong Kong companies pulls all postcodes and sells them, what does ABC 123 mean to a company in say France that buys it? (Never mind the fact that they'd have no reason to buy it in the first place) does this foreign company now buy the ECAD so they can get your address? Let's say they do, then do they change their entire marketing strategy (because according to you they only want the postcode so they aren't interested in the full address apparently) so now what do they do with it? What is the risk now? Bare in mind if they wanted a list of actual customers addresses they would have bought full address lists from this Hong Kong company. Take my point above, that company can't sell it if you've opted out of marketing. So where is the extra risk from Eircode

You have no idea how marketing works. None.

plodder

ukoda wrote: »

The example of the Hong Kong company is so far stretching it's a bit farcical. And I so far removed for what marketing companies are actually doing.

I think you should open your mind to things that even if not happening now, could happen in the future. Location in online retailing is increasingly irrelevant.

Even if we were to play this scenario out... The Hong Kong companies pulls all postcodes and sells them, what does ABC 123 mean to a company in say France that buys it? (Never mind the fact that they'd have no reason to buy it in the first place) does this foreign company now buy the ECAD so they can get your address? Let's say they do, then do they change their entire marketing strategy (because according to you they only want the postcode so they aren't interested in the full address apparently) so now what do they do with it? What is the risk now? Bare in mind if they wanted a list of actual customers addresses they would have bought full address lists from this Hong Kong company. Take my point above, that company can't sell it if you've opted out of marketing. So where is the extra risk from Eircode

They don't need your full address. With the UK postcode, it's possible to do a mailshot to all addresses at particular postcode(s) without knowing who the original customer was or who the recipients are. So, no personal information was involved. Your Eircode could end up on one of these lists, except that it is personal information in our case.

ukoda

plodder wrote: »

I think you should open your mind to things that even if not happening now, could happen in the future. Location in online retailing is increasingly irrelevant.

They don't need your full address. With the UK postcode, it's possible to do a mailshot to all addresses at particular postcode(s) without knowing who the original customer was or who the recipients are. So, no personal information was involved. Your Eircode could end up on one of these lists, except that it is personal information in our case.

They can do mailshots now by buying address data from multiple sources and doing mailshos to areas they know are interested in product A, they can even buy the geo directory now and do it.

They can take street name and look up all the addresses in that street and adjacent streets using geo directory and mailshot them.

What you have failed to do is prove any EXTRA risk from having an eircode.

Sam Russell

ukoda wrote: »

What you have failed to do is prove any EXTRA risk from having an eircode.

The extra risk comes from the brevity of the address in the form of Eircode. It makes it an ideal key into a database. If I type a mobile number into google, I will get useful hits on some numbers. I would get similar results with an post code like Eircode, which I could use to invade privacy.

I cannot do that with an address in the form of
96, Main St, Ballygobackeards, Co Mustdobetter.
I will get hits for Main St, Ballybobackwards, and Mustdobetter. If I search on A01 BX32, I will only get hits on that particular address.

Now do you get it?

ukoda

Sam Russell wrote: »

The extra risk comes from the brevity of the address in the form of Eircode. It makes it an ideal key into a database. If I type a mobile number into google, I will get useful hits on some numbers. I would get similar results with an post code like Eircode, which I could use to invade privacy.

I cannot do that with an address in the form of
96, Main St, Ballygobackeards, Co Mustdobetter.
I will get hits for Main St, Ballybobackwards, and Mustdobetter. If I search on A01 BX32, I will only get hits on that particular address.

Now do you get it?

So we have the same risk from a phone number? One unquie key assigned to a customer in a database.

Now do you get it? EXTRA risk?

Alan_P

Sam Russell wrote: »

The extra risk comes from the brevity of the address in the form of Eircode. It makes it an ideal key into a database. If I type a mobile number into google, I will get useful hits on some numbers. I would get similar results with an post code like Eircode, which I could use to invade privacy.

I cannot do that with an address in the form of
96, Main St, Ballygobackeards, Co Mustdobetter.
I will get hits for Main St, Ballybobackwards, and Mustdobetter. If I search on A01 BX32, I will only get hits on that particular address.

Now do you get it?

You can of course use an address as a database key :- you can use it directly, you can use phonetic matching, you can use partial matching, you can use a hash of it.

If I type my address (house number, street name, town) into Google, I immediately get my wife's name, home phone number, and a Google maps link pinpointing exactly where my house is. A few links down, there are documents that identify me,my wife and my son.

So what are the additional privacy risks from Eircode ?

ukoda

My address now is 100% unique. If you type that into Google and it exposes other info about me from a database. Then that's the fault of the database not my unique address. The same thing applies to eircode. If you google it and a database exposes other info about me then that's still that websites fault.

You can't blame it on me having a unique address and you can't blame it on eircode when we have them.

plodder

Alan_P wrote: »

You can of course use an address as a database key :- you can use it directly, you can use phonetic matching, you can use partial matching, you can use a hash of it.

But addresses aren't unique. They are a lot less useful as a database key than an Eircode. Phonetic matching, partial matching etc. are all problematic from that point of view. Hashing addresses would be completely futile as even a single character variation would return a completley different hash. This is part of the reason why we are getting Eircodes. We want a unique identifier that is less troublesome.

If I type my address (house number, street name, town) into Google, I immediately get my wife's name, home phone number, and a Google maps link pinpointing exactly where my house is. A few links down, there are documents that identify me,my wife and my son.

That wouldn't be the same for everyone and it requires a bit of manual work to make use of information like that.

So what are the additional privacy risks from Eircode ?

I've outlined some of it. eg that up to now postcodes are not personal information and we will be relying on everyone (including organisations outside of this jurisdiction) to know that Irish postcodes are in fact personal information and need to be protected as such. There is a risk that that won't happen.

Sam Russell

The point I was making was that Eircode is unique for every address. If my name is Mary Murphy I will have greater anonymity than if my name was Cronhite Ballousky or some other very rare name.

Unique keys are priceless for searching.

ukoda

plodder wrote: »

But addresses aren't unique.

Yes they are. Mine is and so are the majority of Ireland's and the rest of the world. There's a minority of rural addresses that aren't unique in Ireland 35%. But the norm in the world is that yes. Your address IS unique.

Alan_P

Sam Russell wrote: »

The point I was making was that Eircode is unique for every address. If my name is Mary Murphy I will have greater anonymity than if my name was Cronhite Ballousky or some other very rare name.

Unique keys are priceless for searching.

If I Google search my address in quotes, every result is actually related to my house or a family member. That seems pretty unique to me.

Alan_P

plodder wrote: »

But addresses aren't unique. They are a lot less useful as a database key than an Eircode. Phonetic matching, partial matching etc. are all problematic from that point of view. Hashing addresses would be completely futile as even a single character variation would return a completley different hash. .

Nevertheless, indexing by address is essentially a solved problem.For practically every utility company, their support people can retrieve your account if given your address.

plodder wrote: »

That wouldn't be the same for everyone and it requires a bit of manual work to make use of information like that.

I suspect it would be the same for a large majority of people. And it wouldn't require manual intervention,if you want to go data mining you just script web scrapers to extract the critical information from the HTML.

plodder wrote: »

I've outlined some of it. eg that up to now postcodes are not personal information and we will be relying on everyone (including organisations outside of this jurisdiction) to know that Irish postcodes are in fact personal information and need to be protected as such. There is a risk that that won't happen.

Eircodes are a condensed version of my address. My address isn't actually personal information. It's available in the electoral register,in the phone book, and in CRO records for various directorships I've held or hold. These are all publicly available.

clewbays

Interesting article by Evelyn Ring in the Irish Examiner from late 2014 - eircodes will repay the investment in 2015 alone!

An increasing number of companies are seeking professional help to combat address fraud, according to Data Ireland.

The company — wholly owned by An Post — says that Ireland’s “tricky” address system is part of the problem.

Data Ireland account executive, Morgan Nolan, said “big ticket” items were being purchased using a fake address.

The legitimate delivery person, who cannot find the address, calls the buyer, and an arrangement is made to meet and hand over the goods.

The fraudster then pretends they never received the goods and asks for a charge-back on their credit card from the issuing bank.

The merchant is accountable, regardless of the measures they took to verify the transaction.
Mr Nolan said the problem was getting bigger with more people shopping online, and needed to be addressed.

The last consumer scoreboard published by the European Commission shows that 45% of consumers were making purchases online in 2012, compared to 20% in 2004.

Data Ireland says €20m was lost to fraud on Irish credit and debit cards in 2012.

In almost eight out of 10 (79%) cases criminals obtained genuine card numbers and used them to purchase goods over the internet, by mail order or over the phone.

Mr Nolan said address verification software allowed merchants to spot the fraud before it was too late and in a way that did not affect valid customers.

Apart from the fraud issue, however, the way the address system works was proving a nightmare for some companies.

“Ireland doesn’t have unique addresses. More than 30% are not unique,” Mr Nolan explained.
There were multiple versions of the same address, as well as Irish language versions. Companies needed to be able to rely on a quality address system, not only to combat fraud, but to get customer feedback and comply with regulations.

Mr Nolan said that the introduction of a national post code system planned for next year would make it easier for addresses to be checked at the point of purchase.

Individual addresses will be assigned their own seven-digit post code — an Eircode, that will identify them from all others in the State.

plodder

Insurance fraud is another problem where people take out multiple policies using variations of their address (irish, English etc). The town next to where I live has multiple commonly used spellings, and the locals rarely use the official spelling. Addresses are just not an effective unique identifier, even for addresses that are officially unique.

ukoda

plodder wrote: »

Insurance fraud is another problem where people take out multiple policies using variations of their address (irish, English etc). The town next to where I live has multiple commonly used spellings, and the locals rarely use the official spelling. Addresses are just not an effective unique identifier, even for addresses that are officially unique.

I believe eircode will help with this as the ECAD has alias addresses and the Irish version. So if I give my address in either English or Irish or a local variation - when it's looked up in the eircode database it will still only point to one eircode. So companies will know that

Supertownland, ballynice, co Dublin

Is the same as

super townland, Ballyverynice, co Dublin

This is what they mean when it can help with fraud

It will also stop people giving fake addresses they've made up, as they wont be verifiable in eircodes database

Now it's not going to be 100% effective and people will always find ways around it, but it will surely help I've no doubt

The J Stands for Jay

Sam Russell wrote: »

The extra risk comes from the brevity of the address in the form of Eircode. It makes it an ideal key into a database. If I type a mobile number into google, I will get useful hits on some numbers. I would get similar results with an post code like Eircode, which I could use to invade privacy.

I cannot do that with an address in the form of
96, Main St, Ballygobackeards, Co Mustdobetter.
I will get hits for Main St, Ballybobackwards, and Mustdobetter. If I search on A01 BX32, I will only get hits on that particular address.

Now do you get it?

You know that you can use inverted commas in Google searches which would mean the search would only return results for the address as you typed it. You don't need an eircode to be specific.

ukoda

Interesting quote from the Data protection Officer on Eircodes:

Ms Dixon said it was difficult to say as yet what kind of harms, if any, may derive from the use of a unique code to identify each individual home in the
state. “One struggles to come up with an absolutely riveting example of what will definitively happen the day it is introduced,” she said. “But it could give rise to issues.”

http://www.irishtimes.com/news/ireland/irish-news/data-concerns-remain-over-postcodes-and-primary-schools-1.2079095


so it doesnt look like the Data Protection Office has any intention of trying to stop Eircode and cant actually tell it there is even any issue with it?....

So even the DPO cant come up with an example of how eircode is a privacy concern!!! :rolleyes:

irishgeo

ukoda wrote: »

Interesting quote from the Data protection Officer on Eircodes:




http://www.irishtimes.com/news/ireland/irish-news/data-concerns-remain-over-postcodes-and-primary-schools-1.2079095


so it doesnt look like the Data Protection Office has any intention of trying to stop Eircode and cant actually tell it there is even any issue with it?....

So even the DPO cant come up with an example of how eircode is a privacy concern!!! :rolleyes:

some people have loads of examples on here. maybe someone should point them in the direction of this thread.

ukoda

irishgeo wrote: »

some people have loads of examples on here. maybe someone should point them in the direction of this thread.

its mostly vague "its a concern" comments on here, but no credible examples have been provided really. And given its her job to think of examples, and assuming she's as intelligent as the average boards.ie poster... then id have to assume she's also thought of some of the stuff posted here but has drawn the conclusion they aren't "riveting" and not worth shouting about as she seems to confirm eircodes are launching with no road blocks from her office .

clewbays

ukoda wrote: »

Interesting quote from the Data protection Officer on Eircodes
[/URL]

Interesting article, getting 18 new staff should enable the DPO to implement its powers through a higher level of monitoring and enforcement which is the real challenge as it avoids any temptation to over-legislate to compensate for a lack of resources.

Bray Head

How exactly do An Post keep track of who lives where in areas where non-unique addresses predominate?

There are places in Ireland where there are hundreds of addresses in a townland. The same surname can predominate as well. Postal workers presumably have to ask people from time to time if post is actually for them or for a neighbour. Mis-delivery is more likely than in urban areas which have unique addresses.

Presumably the postal workers 'get to know' their customers in rural areas but I presume there are postal routes for which informal lists are generated matching names and locations. I could be wrong but I'm guessing data protection protocol around these lists is pretty poor.

You wouldn't have these data protection issues with postcodes in widespread use:
-Less chance of your post going to your neighbour
-No need to keep lists matching names and locations at the post office.

Sam Russell

Bray Head wrote: »

How exactly do An Post keep track of who lives where in areas where non-unique addresses predominate?

There are places in Ireland where there are hundreds of addresses in a townland. The same surname can predominate as well. Postal workers presumably have to ask people from time to time if post is actually for them or for a neighbour. Mis-delivery is more likely than in urban areas which have unique addresses.

Presumably the postal workers 'get to know' their customers in rural areas but I presume there are postal routes for which informal lists are generated matching names and locations. I could be wrong but I'm guessing data protection protocol around these lists is pretty poor.

You wouldn't have these data protection issues with postcodes in widespread use:
-Less chance of your post going to your neighbour
-No need to keep lists matching names and locations at the post office.

Ok, they send out 1.5 million letters of new postcodes, one addressed to John Murphy, Murphystown, Backwood, Co Killcommon. How does the John Murphy that gets one of the letters know it is actually his and not one of the other 19 neighbours with the same name and non-unique address if there are twenty John Murphys in the townland?

Maybe he gets all twenty of the postcode letters addressed to John Murphy in that townland. Even if he gets only one, who knows it is the right one for him?

Now there is a thought.

my3cents

Sam Russell wrote: »

Ok, they send out 1.5 million letters of new postcodes, one addressed to John Murphy, Murphystown, Backwood, Co Killcommon. How does the John Murphy that gets one of the letters know it is actually his and not one of the other 19 neighbours with the same name and non-unique address if there are twenty John Murphys in the townland?

Maybe he gets all twenty of the postcode letters addressed to John Murphy in that townland. Even if he gets only one, who knows it is the right one for him?

Now there is a thought.

Heaven forbid send it out with a map printed on it or some form of geo corordinates and give the postman a sat nav, second thoughts don't bother with the sat nav as I'm pretty sure the mobile device/phone they all carry has it built in anyway.

So routine is simple. Postman has letter, postman goes to door to deliver, postman scans letter, the device then checks the location is correct gives the go ahead to deliver the letter, registers the letter as delivered and of course the postman delivers the letter.

Sounds a lot of work but my postman delivering to an area with a lot of non unique addresses has a run of less than 500 address so if he did 50 a day the job would be done in fortnight.