Archive for the 'Data Retention' Category

Phorm: public meeting announced for next Tuesday

Last month, we announced that Phorm, the company whose technology delivers targeted ads based on where you visit on the web, were planning to hold a public meeting to face their critics. Details of the meeting have now been announced.

When: Tuesday, 15 April, 1830 - 2030
Where: The Lecture Theatre, Brunei Gallery, School of Oriental & African Studies, London (map)

The meeting is being hosted by 80/20 Thinking Ltd, and you can read more details about it on their website. Although the meeting is free for all to attend, 80/20 Thinking are asking that you send them an email to info@8020thinking.com to let them know you’re coming along. From the 80/20 Thinking website:

80/20 Thinking, with the full cooperation of Phorm, has decided to organise a public meeting as part of the PIA (privacy impact assessment) process. We intend to use feedback from this event to inform the PIA. A final version of the PIA will be published by the end of April 2008.

Attendees are encouraged to read the technical analysis produced by Richard Clayton [pdf] in advance of the meeting.

The Information Commissioner’s Office have today released a further statement on Phorm, making clear their belief that any systems using Phorm (such as BT’s webwise) need to seek the consent of their customers on an opt-in (and not an opt-out) basis.

I’ll be going to the public meeting next Tuesday, so if you’d like to ask a question, but you can’t make it yourself, please leave it in the comments.

Fighting the data retention directive

Posted by Glyn in Data Protection, Data Retention, Privacy at April 8th, 2008

The Open Rights Group is proud to be one of the 43 civil liberties NGOs and professional associations based in 11 European countries today submitting a brief to the European Court of Justice (PDF). The amicus brief asks the Court to annul an EU directive ordering the blanket registration of telecommunications and location data of 494 million Europeans.

As the document lays out, data retention violates the right to respect for private life and correspondence, freedom of expression and the right of providers to the protection of their property:

“While it threatens to inflict great damage on society, its potential benefit appears, overall, to be little. Data retention can support the protection of individual rights only in few and generally less important cases. A permanent, negative effect on crime levels is not to be expected… [With data retention in place] citizens constantly need to fear that their communications data may at some point lead to false incrimination or governmental or private abuse of the data. Because of this, traffic data retention endangers open communication in the whole of society.”

Phorm analysis out

Richard Clayton has now published his technical analysis of Phorm. There’s a good introduction to it on his Light Blue Touchpaper blog.

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Read the rest here, or go straight to the technical analysis.
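The redirect chain described in the quoted analysis, looked at from the browser's side as an added example (not code from the original post or from Richard Clayton's analysis): given a recorded sequence of hops, the audit counts the 307 redirects, notes the detour through a third-party host, and flags a cookie set under the original site's domain by a hop that site never served. The hostnames and cookie values are constructed placeholders, not real infrastructure.

```python
# Added example: audit a recorded redirect chain for the pattern described above.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Hop:
    url: str                    # URL the browser requested at this step
    status: int                 # HTTP status returned
    location: str = ""          # Location header, empty unless a redirect
    set_cookie: list = field(default_factory=list)  # raw Set-Cookie headers

def cookie_domain(header, default):
    """Domain attribute of a Set-Cookie header (leading dot stripped), else default."""
    for attr in header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain":
            return value.strip().lstrip(".").lower()
    return default

def domain_match(host, domain):
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def audit_chain(hops):
    """Count 307 hops, record hosts outside the origin, and flag cookies set on
    the origin's domain only after the chain has passed through another host."""
    origin = urlsplit(hops[0].url).hostname.lower()
    report = {"origin": origin, "redirects_307": 0, "detour_hosts": set(),
              "third_party_cookies": [], "origin_cookies_after_detour": []}
    left_origin = False
    for hop in hops:
        host = urlsplit(hop.url).hostname.lower()
        foreign = not domain_match(host, origin)
        if hop.status == 307:
            report["redirects_307"] += 1
        if foreign:
            left_origin = True
            report["detour_hosts"].add(host)
        for raw in hop.set_cookie:
            name = raw.split(";")[0].split("=")[0].strip()
            dom = cookie_domain(raw, host)
            if foreign:
                report["third_party_cookies"].append((host, name))
            elif left_origin and domain_match(origin, dom):
                # Planted under the site's own domain by a hop reached via the
                # detour: to the browser it looks like the site's own cookie.
                report["origin_cookies_after_detour"].append((name, dom))
    return report

def looks_like_interception(report):
    """Heuristic: three or more 307s, a detour, and an origin cookie set after it."""
    return (report["redirects_307"] >= 3 and bool(report["detour_hosts"])
            and bool(report["origin_cookies_after_detour"]))

# Constructed chain mirroring the three-redirect description (placeholder hosts).
SAMPLE_CHAIN = [
    Hop("http://www.site.example/page", 307, "http://tracker.example/check"),
    Hop("http://tracker.example/check", 307, "http://www.site.example/step2",
        ["UID=abc123; Domain=tracker.example; Path=/"]),
    Hop("http://www.site.example/step2", 307, "http://www.site.example/page",
        ["UID=abc123; Domain=.site.example; Path=/"]),
    Hop("http://www.site.example/page", 200),
]
```

Running `audit_chain(SAMPLE_CHAIN)` reports three 307s, a detour via the tracker host, the tracker's own UID cookie, and the UID cookie set for the site's domain on the hop back; `looks_like_interception` then returns True.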

By coincidence, the Information Commissioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR’s invitation to consider the lawfulness of Phorm’s data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.

The Phorm storm

Update: An interim Privacy Impact Assessment (PIA) has now been published by Phorm. You can read it here [pdf]. The PIA, produced by 80/20 Thinking Ltd, predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?”. This document, which is dated 10 February 2008, anticipates the publication of a full PIA “in March 2008”. As yet none has been forthcoming.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet.

Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP. It then uses information about your surfing habits, gathered by searching the URLs you request and the websites you visit for key words, to assign that unique number to various “channels” (for example “golf”, “travel” or “handbags”). When you visit a website which has a “Phorm please put an ad in here” tag, Phorm serves an ad from a channel where your unique number appears.

Phorm says that it does not write data about the content you are viewing to disc in “the production system”, getting rid of it as soon as the operation to assign your unique number to a channel is complete. In a separate system (used for “research and debugging”) that data is stored for 14 days, then deleted.

Despite some significant investigative work, in particular from The Register and the Political Penguin blog, several technical questions remain unanswered. The confusion is compounded by a Privacy Impact Assessment of Phorm that was conducted by 80/20 Thinking Ltd, whose core staff includes the director of Privacy International, Simon Davies. Davies has gone on record stating that “Phorm does advance the whole sector of protecting personal information by two to three steps”. Yet despite the focus on Davies’ involvement, the privacy impact assessment conducted by 80/20 is yet to be published.

On top of this, question marks are beginning to appear over Phorm’s compliance with the law. Can ISPs’ employment of Phorm comply with the Data Protection Act? Is intercepting traffic in this manner an offence under section 1 of RIPA (the Regulation of Investigatory Powers Act)? The Information Commissioner has issued a statement (pdf) saying his office is making inquiries – but is this enough?

A petition asking the Government “to stop ISPs from breaching customers’ privacy via advertising technologies” has now collected over 2,500 signatures. Phorm could, as Simon Davies has claimed, represent an advance in online privacy. But because it is being applied to target ads at us, based on activity (the websites we visit) that we have not asked to have tracked and may not want tracked, it is not surprising that people are shouting “keep your mitts off my bits!”.

Until we know exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue. The ISPs involved with Phorm, as well as the company itself, should take their lead from the Government, who last week published the controversial and critical Crosby Review of ID cards after much delay. They should publish 80/20’s impact assessment and full details of how Phorm will work now and let us see for ourselves the real privacy implications of Phorm.

Some resources:

Write to your MP today: stop the Government’s privacy timebomb

On Monday next week Kieron Poynter of PricewaterhouseCoopers will publish his report into the failures that led to HM Revenue and Customs (HMRC) losing 25 million confidential records about UK citizens claiming child benefit. The HMRC fiasco, and privacy debacles before and since, demonstrate a public sector culture of complete disregard for the privacy and security of individuals in the UK.

There will be a Ministerial statement about the Poynter Review in the House of Commons on Monday afternoon. If you haven’t already, please write to your MP today and ask her or him to put your concerns to policy-makers during this session. This culture of disregard for personal privacy combined with the Government’s continued belief in the aggregation and sharing of vast amounts of personal data across agencies is a privacy timebomb.

If you’re unsure how to write an effective missive to your MP, then read the ORG wiki’s handy guide. What follows are some key points and requests for you to choose from and put to your MP; click on the links for further ideas and resources.

You could also ask your MP to sign the Early Day Motion proposed by Annette Brooke MP which calls upon the Government to reconsider its decision to proceed with the children’s database ContactPoint.

A culture of disregard

Discgate was not an isolated incident. Seven months before the DVDs went missing, HMRC had already established a practice of recording sensitive data onto DVDs, secured only with a password and dispatched via internal mail. Emails sent back and forth about this debacle, the largest ever data breach to hit the UK, cite cost as the reason given for not filtering personal details out of the data. But how much is your privacy worth to you?

This is not just about the HMRC. The ORG wiki’s log of UK privacy debacles has been struggling to keep up with the public sector bodies who have been queuing up to admit data breaches since the HMRC announcement. The HMRC data breach may be the biggest but it was not the first and it will not be the last.

If your MP is wondering why a junior employee was able to download the information to CDs in the first place, then they’re in good company:

“I would question whether anybody should be allowed to download an entire database of this scale without going through the most rigorous pre-authorisation checks.”

“It was a really shocking example of loss of security.”

Information Commissioner Richard Thomas

“How you can have a system which allows you to copy a whole database onto a disk is of concern,”

“Clearly there are issues about when the data was accessed and by whom. They should have had access controls and authorisation levels to make it physically impossible to burn a disc off the database without the say-so of the chairman of HMRC. Why isn’t the technology there to do that? It isn’t rocket science.”

Assistant Information Commissioner Jonathan Bamford

The Information Commissioner described the HMRC breach as “the worst the ICO has encountered” and said it called into question the security of the entire system of data sharing in government. He called for a review of the national identity register, a call which echoes a marked shift in public opinion on ID cards, and a recommendation for more debate about ID cards from thinktank Demos, who concluded a year-long study of data-sharing last week. The Government’s data minister, Michael Wills MP, has said that plans for the national ID register need looking at again. Ask that your MP pressures the government to re-examine the flawed National Identity Register.

On 27 November, children’s Minister Kevin Brennan announced an independent assessment of the security procedures surrounding ContactPoint, to be conducted by Deloitte. An Early Day Motion asking Government to go further, and consider recommendations to scrap the idea, is currently collecting signatures: please encourage your MP to sign.

The fairytale of biometrics

For people in technology, one of the most worrying developments since this crisis has been ministers’ using it as an excuse to push for solutions based around biometrics, solutions that would actually increase the privacy risks we are exposed to. Six leading academics (including two Open Rights Group Advisory Council members) recently wrote to the Parliamentary Joint Committee on Human Rights to express their dismay at how biometrics are seen as a magic fix for improving security:

“These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes. … Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.”

Professor Ross Anderson, Security Engineering, University of Cambridge
Dr Richard Clayton, University of Cambridge Computer Laboratory
Dr Ian Brown, Oxford Internet Institute, University of Oxford
Dr Brian Gladman, Ministry of Defence and NATO (retired)
Professor Angela Sasse, Department of Computer Science, University College London
Professor Martyn Thomas, CBE FREng, Software Engineering, University of Oxford

These technologies are unproven and will not be ready for commercial deployment for another 15 years. Ask your MP to encourage the Government to listen to the facts on biometrics.

Brushing aside expert advice

Unfortunately, the skills and knowledge necessary for successfully procuring, managing and securing computer systems are not commonly possessed by Government Ministers or senior managers in the civil service. This might not be such a problem, were the Government to listen to the advice that has been readily offered by expert groups during the quest towards Transformational Government, and their warnings about giving thousands of people access to large, centralised databases. But then, why should it, when apparently it doesn’t even listen to warnings from its own internal auditors?

“Again and again and again these warnings have been made in different contexts by expert groups and the Government has not been interested.”

Professor Ross Anderson

We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, “redesigned from the bottom up”, because today’s systems rarely meet the bar. … There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.

Britain’s HMRC Identity Chernobyl - Kim Cameron (Microsoft’s Chief Architect of Identity)

Ask your MP to encourage the Government to heed the warnings of these and other experts.

Together, we can stop the Government’s privacy timebomb. If you haven’t got time to write to your MP today, please write on the weekend. The more missives MPs receive on Monday morning, the more they will recognise the public mood on this issue, and the more likely they will be to raise their objections in Parliament on Monday afternoon.

Digital rights go continental

Posted by Ian Brown in Data Retention at September 3rd, 2007

ORG is just back from a weekend in Berlin planning digital rights campaigns with groups from across Europe.

European Digital Rights (EDRI) is an umbrella body for 25 groups (including ORG) from 16 countries that coordinate their work on European legislation affecting privacy, copyright and related issues. EDRI just held its general assembly and also co-organised a meeting of activists fighting data retention laws.

The main topics of discussion were the EU Data Retention Directive and how far it had been implemented in member states; EU progress on a new privacy framework for European law enforcement agencies; Internet filtering; and the current status of European attempts to criminalise intellectual property rights infringement. The UK is not alone in strong-arming Internet Service Providers into retaining information about their customers’ communications, and blocking access to sites alleged to contain child pornography. Denmark and Italy are also leading government efforts in these areas.

The campaigners at the meetings discussed possible ways to fight back against Internet censorship and surveillance. One plan under consideration is to develop an ISP code of best practice on customer privacy, based on EDRI-member GreenNet’s Privacy and Data Retention policy. EDRI plans to conduct a survey of ISP practices, national legislation and policies.

EDRI also welcomed the Electronic Frontier Foundation as a new member. EFF European Affairs Coordinator Erik Josefsson attended the meeting on EFF’s behalf.

A fuller report on these meetings will be included in the next EDRI-gram, which is always a useful resource for news of developments in Brussels and across the Council of Europe.

Home Office’s ‘Data Retention’ consultation

Posted by Michael in Consultations, Data Retention at April 20th, 2007

The Home Office is holding a consultation into the initial transposition of the EC ‘Data Retention’ Directive on the retention of communications data. They have published a set of draft regulations, and a shiny PDF detailing the process by which they arrived at these regulations, as well as 6 questions into the application of these regulations. This document is summarised for your use on our wiki.

Will you be affected by these regulations? Do you have concerns regarding the associated costs to businesses, or implications for privacy? If so, please record your perspective on our wiki in order that we can express your concerns. Alternatively, email your testimony to michael[at]openrightsgroup.org. We will gather evidence for the next month or so, before producing a document for submission ahead of the June 11th deadline.

NB These regulations will not be applied to internet access, internet telephony and internet e-mails, as the Directive will not be applied to these services until 2009, following further consultation.

Trustguide and ID Cards

Trustguide reports on our views, beliefs and needs regarding trust, security and privacy in relation to new technologies. We like it very much; it should be required reading for politicians! Over the last 15 months HP and BT, in conjunction with the DTI, hosted workshops across the UK on a broad range of topics (detailed below). The document is full of participant responses and is a treasure trove of quotes for journalists.

Topics under consideration:

  • Trust versus risk
  • E-Commerce: Risk and Responsibility
  • Factors that impact on risk taking
  • Mitigated risk
  • ID cards: An aid to security?
  • Use of Biometric data
  • Privacy and health information
  • E-Government and Public Sector IT
  • Awareness and education
  • Use of public access terminals


Digital Rights Ireland challenge data retention laws

Posted by Suw Charman in Data Retention at September 14th, 2006

Digital Rights Ireland has started a High Court action against the Irish Government challenging new European and Irish laws requiring the retention of telecoms and internet traffic data.

ORG campaigned strongly against the Data Retention Directive, particularly when the music industry said they wanted a piece of the action, but once the Directive was passed, there’s been little to do here in the UK but sit and wait for government implementation. Although Germany’s Bundestag have voiced serious doubts that the Directive could be implemented “in a constitutional manner”, it has already been established that their constitution is subordinate to European Law. It’s therefore unlikely we’ll see a challenge from that direction.

This means that DRI’s action is profoundly important for everyone who values their privacy, because if they win, it will mean an end to data retention in the UK and Europe.

You can read more on the DRI blog, and press release.

Tapping VoIP

We have seen attempts to add more legislation to voice over IP in America, so I guess it was only a matter of time.

“The Guardian has learned that police and security agencies have been lobbying ministers and senior officials, expressing fears about the potential for voice-over-internet-protocol technologies to hide a caller’s identity. Their aim? To get VoIP providers to monitor calls and find ways to identify who is calling whom - and even record them.”

Lifting the veil on internet voices - The Guardian

The proposed requirement for all VoIP services to have to provide 999 services would kill any free VoIP service, unless the government is offering to cover the costs. If they want to log and trace VoIP, why not Instant Messages? If they want to log and trace IM, then what about email… (You get the idea.)