Comments on: What BERR want from Phorm - and what we think they’re missing http://www.openrightsgroup.org/2008/09/what-berr-want-from-phorm-and-what-we-think-theyre-missing/ Protecting your rights in the digital age Sat, 20 Mar 2010 01:11:38 +0000 http://wordpress.org/?v=2.5.1 By: The Open Rights Group : Blog Archive » 4 good reasons not to take part in the BT Webwise trial http://www.openrightsgroup.org/2008/09/what-berr-want-from-phorm-and-what-we-think-theyre-missing/#comment-165062 The Open Rights Group : Blog Archive » 4 good reasons not to take part in the BT Webwise trial Tue, 30 Sep 2008 09:21:09 +0000 http://www.openrightsgroup.org/?p=636#comment-165062 [...] The Government have told BT that in order for Webwise to conform to UK data protection laws, BT must seek the consent of everyone who uses an internet connection where Webwise is enabled. To get around this, BT have devised new terms and conditions for people who agree to trial Webwise [...] [...] The Government have told BT that in order for Webwise to conform to UK data protection laws, BT must seek the consent of everyone who uses an internet connection where Webwise is enabled. To get around this, BT have devised new terms and conditions for people who agree to trial Webwise [...]

]]> By: Petty. Me. Uk. » Recent Links, 20080922 http://www.openrightsgroup.org/2008/09/what-berr-want-from-phorm-and-what-we-think-theyre-missing/#comment-164818 Petty. Me. Uk. » Recent Links, 20080922 Mon, 22 Sep 2008 16:56:57 +0000 http://www.openrightsgroup.org/?p=636#comment-164818 [...] What BERR want from Phorm - and what ORG think they’re missing Phorm is a targeted system of web advertising which has caused all sorts of hiccups just because of [...] [...] What BERR want from Phorm - and what ORG think they’re missing Phorm is a targeted system of web advertising which has caused all sorts of hiccups just because of [...]

]]> By: Midnight_Voice http://www.openrightsgroup.org/2008/09/what-berr-want-from-phorm-and-what-we-think-theyre-missing/#comment-164750 Midnight_Voice Fri, 19 Sep 2008 16:12:47 +0000 http://www.openrightsgroup.org/?p=636#comment-164750 Here's the BERR view [•] with my comments added [*] after each: BERR's view on how to make Phorm conform • User profiling is done only with the knowledge and agreement of the customer * And of the website being visited - necessary under RIPA • The profile is based on a randomly allocated unique ID, so there is no need to know the identity of the individual users * Under the DPA, anything that allows an individual to be singled out from a group makes them identifiable, even though it is not a conventional identity item like name or IP address. As Phorm use the UID and profile as a basis to target the user with individually selected ads, it follows that they are keeping PII (personally identifiable information) about that person, and are therefore subject to all the considerations of the DPA, i.e. on supplying my UID to them, they must tell me all the information held under it. (Though how will they know it's my UID?) • Phorm does not keep a record of sites visited * I guess they have to leave something on the table for REVSCI and DoubleClick • Search terms entered by the user and the advertising categories exclude sensitive terms and are widely drawn so as not to reveal the identity of the user * Yes, and we saw how successfully AOL did that • Phorm neither has nor wants information that would let it link a user ID and profile to a living individual * and nor should it let that information fall into other hands. But the way Phorm propagate the UID in cookies that any visited website can read violates that principle. And Phorm's own privacy policy, as it happens. • Users are presented with an unavoidable statement about the product and asked to exercise a choice about whether to be involved * and if they do not actively and positively choose to be involved, their traffic does not pass through any equipment associated with the provision of the Phorm service, whether owned by Phorm, the ISP, or anyone else. The ISP service does not stop if you put Webwise in your hosts file. Processing but not profiling the data (pulling my pants down, looking, but promising not to remember what they saw) is neither sufficient nor acceptable. * and website owners have the right to the same choice, and Phorm must obtain and record an explicit informed permission before profiling any website anywhere in the world. • Users are able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme. * and as above, website owners should have the same access to this information, and the explicit informed permission granted to Phorm as above must be reversible by the website owner at any time. Here’s the BERR view [•] with my comments added [*] after each:

BERR’s view on how to make Phorm conform

• User profiling is done only with the knowledge and agreement of the customer
* And of the website being visited - necessary under RIPA
• The profile is based on a randomly allocated unique ID, so there is no need to know the identity of the individual users
* Under the DPA, anything that allows an individual to be singled out from a group makes them identifiable, even though it is not a conventional identity item like name or IP address. As Phorm use the UID and profile as a basis to target the user with individually selected ads, it follows that they are keeping PII (personally identifiable information) about that person, and are therefore subject to all the considerations of the DPA, i.e. on supplying my UID to them, they must tell me all the information held under it. (Though how will they know it’s my UID?)
• Phorm does not keep a record of sites visited
* I guess they have to leave something on the table for REVSCI and DoubleClick
• Search terms entered by the user and the advertising categories exclude sensitive terms and are widely drawn so as not to reveal the identity of the user
* Yes, and we saw how successfully AOL did that
• Phorm neither has nor wants information that would let it link a user ID and profile to a living individual
* and nor should it let that information fall into other hands. But the way Phorm propagate the UID in cookies that any visited website can read violates that principle. And Phorm’s own privacy policy, as it happens.
• Users are presented with an unavoidable statement about the product and asked to exercise a choice about whether to be involved
* and if they do not actively and positively choose to be involved, their traffic does not pass through any equipment associated with the provision of the Phorm service, whether owned by Phorm, the ISP, or anyone else. The ISP service does not stop if you put Webwise in your hosts file. Processing but not profiling the data (pulling my pants down, looking, but promising not to remember what they saw) is neither sufficient nor acceptable.
* and website owners have the right to the same choice, and Phorm must obtain and record an explicit informed permission before profiling any website anywhere in the world.
• Users are able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme.
* and as above, website owners should have the same access to this information, and the explicit informed permission granted to Phorm as above must be reversible by the website owner at any time.

]]>