Archive for the 'Net Neutrality' Category

FIPR calls on Home Office to withdraw misleading advice on Phorm

The Foundation for Information Policy Research (FIPR) has today sent the Home Office in-depth legal analysis [pdf] of the Phorm behavioural advertising system. The analysis has been produced by FIPR’s General Counsel (and ORG Advisory Council member) Nicholas Bohm, and complements the technical analysis produced by Richard Clayton earlier this month [pdf]. The analysis shows that Phorm’s systems involve interception of communications contrary to the Regulation of Investigatory Powers Act, fraud, contrary to the Fraud Act, and therefore unlawful processing of personal data, contrary to the Data Protection Act. It states that individual directors and managers of the Internet Service Providers involved could be criminally liable for these offences, if roll out of Phorm goes ahead.

FIPR want the Home Office to withdraw informal advice they issued in February, which FIPR say wrongly concluded the system is lawful, creating “an obstacle to the just enforcement of the law”. At the public meeting attended by Phorm and their critics last week, Simon Davies of 80/20 Thinking Ltd identified the legality of Phorm under RIPA as a legitimate issue, but urged participants not to get bogged down in a question which, in the end, can only be decided in a court of law. Hopefully, FIPR’s legal analysis will bring UK citizens one step closer to an answer to the question “Is Phorm legal?”. As Richard Clayton observes:

“The Home Office’s superficial analysis said that the system would be lawful. Given their batting average at the High Court, relying upon their opinion was always unwise - this new paper spells out the errors they have made, and makes it essential that their report is withdrawn.”

European Parliament condemns “3 strikes” approach

Posted by Becky in Copyright, Intellectual Property, Net Neutrality, Privacy at April 10th, 2008

This morning, the European Parliament has voted to condemn member state plans to disconnect suspected illicit filesharers from the internet. In a fairly narrow vote, MEPs adopted an amendment to the so-called Bono Report on the Cultural Industries, which

“Calls on the Commission and the Member States to recognise that the Internet is a vast platform for cultural expression, access to knowledge, and democratic participation in European creativity, bringing generations together through the information society; calls on the Commission and the Member States, therefore, to avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access.”

The report is not legally binding, but it does signify resistance among MEPs to measures currently being implemented in France to disconnect suspected illicit filesharers. This is especially relevant as France will take over the European presidency in July, and many fear that President Sarkozy would use the opportunity to push the so-called “Olivennes” strategy Europe-wide.

The UK government will consult UK citizens on their plans to tackle illicit filesharing this Spring. We’ve already blogged about ORG’s objections to UK proposals here. In short, and as the European Parliament have recognised today, they are disproportionate, they lack consumer safeguards and they won’t stop illicit filesharing.

Phorm analysis out

Richard Clayton has now published his technical analysis of Phorm. There’s a good introduction to it on his Light Blue Touchpaper blog.

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Read the rest here, or go straight to the technical analysis.
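As an added illustration of the redirect pattern described above (editor-supplied example code, not code from the original post, from Phorm, or from Richard Clayton’s analysis): a small Python auditor that walks a recorded HTTP trace, of the kind a browser log or packet capture would give, and flags the signature a customer could look for, namely a request that leaves the site’s own origin through a chain of redirects and then has a cookie for that origin set on the way back. The trace is constructed by hand to mirror the three-redirect sequence; profiler.invalid is a placeholder host, not a real system, and the script needs no network access.

```python
"""Audit a recorded HTTP redirect trace for an off-origin cookie-setting detour.

Added example, not from the original post or from any real interception system.
The trace below is constructed by hand; profiler.invalid is a placeholder host.
"""
from urllib.parse import urlsplit

# A hop is (request_url, status, headers); headers is a list of (name, value)
# pairs so that repeated Set-Cookie headers are preserved.
CONSTRUCTED_TRACE = [
    # 1. user asks for a page; the in-path box answers with a 307 off-origin
    ("http://example.org/page", 307,
     [("Location", "http://profiler.invalid/check?r=http%3A%2F%2Fexample.org%2Fpage")]),
    # 2. the profiler inspects its own opt-out cookie (none here) and redirects again
    ("http://profiler.invalid/check?r=http%3A%2F%2Fexample.org%2Fpage", 307,
     [("Location", "http://profiler.invalid/setuid")]),
    # 3. a unique identifier is set under the profiler's own domain
    ("http://profiler.invalid/setuid", 307,
     [("Set-Cookie", "uid=0123456789abcdef; Domain=profiler.invalid; Path=/"),
      ("Location", "http://example.org/page?tag=0123456789abcdef")]),
    # 4. a response that appears to come from example.org sets the same id there
    ("http://example.org/page?tag=0123456789abcdef", 307,
     [("Set-Cookie", "uid=0123456789abcdef; Domain=.example.org; Path=/"),
      ("Location", "http://example.org/page")]),
    # 5. finally the real page is served
    ("http://example.org/page", 200,
     [("Content-Type", "text/html")]),
]

# A benign same-site redirect for comparison (also constructed).
CLEAN_TRACE = [
    ("http://example.org/page", 301, [("Location", "http://example.org/page/")]),
    ("http://example.org/page/", 200, [("Set-Cookie", "session=abc; Path=/")]),
]


def host_of(url):
    """Lower-cased host name of a URL, without a leading dot."""
    return (urlsplit(url).hostname or "").lower().lstrip(".")


def parse_set_cookie(value):
    """Return (cookie_name, domain_attribute_or_None) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lower().lstrip(".")
    return name, domain


def audit_trace(trace):
    """Return a list of (hop_index, finding, detail) tuples for a recorded trace."""
    findings = []
    if not trace:
        return findings
    origin = host_of(trace[0][0])
    left_origin = False
    for i, (url, status, headers) in enumerate(trace):
        host = host_of(url)
        if host != origin:
            if not left_origin:
                findings.append((i, "off-origin detour", host))
            left_origin = True
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            cookie, domain = parse_set_cookie(value)
            effective = domain or host
            # a cookie scoped to the origin, set only after the chain went elsewhere
            if left_origin and (origin == effective or origin.endswith("." + effective)):
                findings.append((i, "origin cookie set after detour", cookie))
        location = next((v for n, v in headers if n.lower() == "location"), None)
        if 300 <= status < 400 and location:
            if i + 1 < len(trace) and trace[i + 1][0] != location:
                findings.append((i, "trace discontinuity", location))
            if left_origin and location == trace[0][0]:
                findings.append((i, "returned to start url after detour", location))
    return findings


if __name__ == "__main__":
    for hop, finding, detail in audit_trace(CONSTRUCTED_TRACE):
        print(f"hop {hop}: {finding}: {detail}")
    print("clean trace findings:", audit_trace(CLEAN_TRACE))
```

The check deliberately keys on the shape of the chain rather than on any particular host name, since a site’s own server has no reason to bounce a visitor through a third party and then set a cookie for itself on the return leg; a plain same-site redirect that sets a session cookie produces no finding.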

By coincidence, the Information Commissioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR’s invitation to consider the lawfulness of Phorm’s data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.

ORG and FIPR meet with Phorm

On Wednesday, at their invitation, I went to Phorm’s offices in Central London. I was accompanied by ORG Advisory Council member (and Foundation for Information Policy Research Treasurer) Richard Clayton. We were there, on Phorm’s invitation, to find out how the systems that they are selling to BT, Virgin and TalkTalk actually work. Over the last few weeks, the story that three of the UK’s major ISPs are signed up to trial Phorm, which tracks users’ online surfing habits in order to serve them targeted ads, has been met with significant public resistance.

We didn’t go to Phorm for “the layman’s view”. We wanted the real deal, and I’m delighted to say that that’s what we got. Over the coming days, Richard Clayton will be posting details of different aspects of the system on Light Blue Touchpaper, posts which I will report on here. Earlier this month, the Open Rights Group called on Phorm to publish full details of how the technology will work – Richard’s analysis will provide this information. Only when we know how Phorm actually works can we model exactly what the implications of the technology are for users’ privacy. Richard and I also encouraged Phorm representatives to join the UK-crypto mailing list, in order to engage further with the expert community.

In the meantime, I thought it would be useful if I noted one of the less technical discussions that took place at the meeting. Phorm remain convinced that their technology, in the words of Simon Davies “advance[s] the whole sector of protecting personal information by two to three steps“. This assertion is based on the significant measures they have taken to obscure identifying and sensitive information as they track web activity in order to serve targeted ads.

However, what this assertion fails to take into account is that BT, Virgin and TalkTalk are proposing to apply the Phorm system to a layer of the web stack that has previously been free of any such tracking and targeting activity. It is this aspect of the story which has caused so much public disquiet. As Sir Tim Berners-Lee put it last week:

“I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.”

If you don’t like the way a web application is protecting your privacy, you can use another one, and if you can’t find one you want to use then you can build your own. But you can’t build your own connectivity. If the UK’s major ISPs all sign up to Phorm, then UK citizens will find it increasingly difficult to find connectivity that doesn’t come with “strings attached”. Internet users can opt out, as, it turns out, can server operators (but I’ll let Richard provide details of that). TalkTalk have even indicated that they will make their Phorm system opt in. But is this enough? How long until we are asked to pay a premium for connectivity which comes “snoop-free”?

Nothing Richard Clayton and I saw yesterday appeared to contradict the legal analysis issued by FIPR last week, analysis that raised questions as to Phorm’s legality under section 1 of the Regulation of Investigatory Powers Act. But the Phorm issue is far more likely to be decided upon in the court of public opinion than in a court of law.

At the meeting, I encouraged Phorm to engage further with its critics. They are now planning an open, public meeting to hear people’s concerns about their technology. As soon as I have details of this meeting I will publish them here. If you’ve seen expert comment on Phorm, or think that the debate would benefit if others (for example the ISPs themselves) were specifically invited, please leave your suggestions in the comments. Thanks to everyone who left comments on my previous two posts on Phorm; many of them were tremendously helpful in preparing for the meeting.

Earlier this month, ORG also called for 80/20 Thinking Ltd’s privacy impact assessment to be made public. An interim assessment [pdf], dated 10 February 2008, was published last week. It predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?” Phorm let us know yesterday that the full privacy impact assessment (which was due this month) has not yet been completed, and that they will publish it as soon as they can after it is complete.

Phorm update

It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about - the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial Phorm, a system which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet. As Sir Tim tells the BBC’s Rory Cellan Jones today:

“I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.”

Or, as ORG might paraphrase:

“Keep your mitts off my bits”

Meanwhile, FIPR have written to the Information Commissioner’s Office with a detailed analysis of the legality (or otherwise) of Phorm. FIPR spokesperson (and Open Rights Group Advisory Council member) Richard Clayton puts it like this:

“The Phorm system is highly intrusive — it’s like the Post Office opening all my letters to see what I’m interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme.”

The ISPs which propose to use Phorm are yet to respond to ORG’s call to publish the privacy impact assessment they commissioned from 80/20 Ltd (whose Director, Simon Davies, is also Director of Privacy International), as well as full details of how Phorm will work. Until we can all see for ourselves exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue.

Musicians, fans and online copyright - free event this Wednesday!

Posted by Becky in Conferences, Copyright, Intellectual Property, Net Neutrality, Privacy at March 17th, 2008

Last weekend, international divisions over how to deal with those who illicitly share copyrighted material online began to appear. It was announced on Saturday that Japanese internet service providers (ISPs) have agreed to cut off the internet connection of anyone who illegally downloads files, in plans that mirror France’s Olivennes Bill. Meanwhile Sweden’s Minister of Justice and Minister of Culture have rejected similar plans to disconnect filesharers, stating in an article for the Svenska Dagbladet daily that such an approach is not practical in modern society where Internet access is a prerequisite for so much else. Instead, Sweden will favour a process where rightsholders must prosecute suspected filesharers in court.

The UK government will consult UK citizens on their plans to tackle illicit filesharing this Spring. If you need to brush up on the arguments ahead of time, there are still a few places left at Musicians, fans and online copyright. This event, which takes place on Wednesday, will gather representatives from the recording industry, ISPs and consumer welfare groups together with academic and legal experts to discuss whether ISPs should monitor customers to try and spot copyright infringement, and disconnect downloaders. It promises to be a lively and informed afternoon, so do come along if you can. The event is being held from 1400 at the London School of Economics. It is free to attend, but you must register here.

Lords report promotes security online

Posted by Becky in Computer Law, Data Protection, Net Neutrality, Open Source at August 10th, 2007

The House of Lords Science and Technology Committee have published their fifth report today, which makes a variety of recommendations to legislators, the police, businesses and citizens to improve personal security on the internet. The full report is now available to download.

Much of this morning’s media coverage is focussing on recommendations to create a dedicated e-crime unit, or to develop BSI kitemarks for security in internet services. But the report makes other recommendations too. For example, the Committee recommends introducing some kind of liability regime for software vendors, although it recognises the potential side effects this might have on innovation, or on open source software. The report sets up an interesting debate on this issue between some of the Committee’s expert witnesses - including Bruce Schneier, Jonathan Zittrain and Alan Cox - which is well worth reading (go to para 4.25).

The report also makes some radical recommendations for network level security, suggesting that Internet Service Providers’ traditional defence against liability for bad traffic on their networks - that they are “mere conduits” - should be looked at again. But any re-examination of ISP liability needs to be handled very carefully. As notice and takedown practices tied to suspected copyright infringement have shown, ISPs are not best placed to police the network, and can be expected to react to this kind of pressure by knocking users off the network without appropriate levels of investigation into those users’ actions.

Other recommendations include more research funding for computer security groups and a re-examination of the Computer Misuse Act. The Committee also adds its voice to the chorus of people calling for greater powers for the Information Commissioner’s Office. While such a detailed, considered and well-informed report should be welcomed, the digital rights community needs to pay close attention to how policy makers choose to interpret its recommendations.

More analysis of the report here and here.

EU ‘Television Without Frontiers’ Regulations Widely Rejected

Posted by Kevin Marks in Computer Law, Consultations, Logical Fallacies, Net Neutrality at October 25th, 2006

The European Union’s plan to regulate the net as if it were TV - Television Without Frontiers - picked up a lot of attention in blogs this week, after the Times covered it.

The basic idea is flawed - TV involves handing a monopoly over spectrum to organisations, so regulating how they use it makes some sense, but there is no spectrum scarcity online, as all you need is a webserver. So the EU limits on local content, advertising intervals and content labelling don’t fit at all.

I spoke about this on the Technorati videoblog last week, and the BBC’s Pods and Blogs show last night. You can hear me about 30 minutes into this show recording.

Parliament and the Internet: ISPs in the content driven era

Posted by Suw Charman in Conferences, Intellectual Property, Net Neutrality at October 12th, 2006

So I’m here at the Parliament and the Internet Conference, which is being held at Portcullis House and which has been put together by the All Party Parliamentary Internet Group (APIG). There are some 200 delegates here, and the day looks like a very intensive examination of a whole number of issues around the internet.

The first session is about ISPs’ ‘mere conduit’ status as set out in the EU ECommerce Directive and affected by the Terrorism Act, and what their role and responsibilities should be in what they are calling a ‘content driven era’. Note: There are many speakers and I have not indicated who said what as it’s just a bit too difficult to keep track.

‘Mere conduit’ status means that ISPs are not responsible for the traffic going over their network when they are not aware of the content.

Copyright material, for example - if an ISP is hosting infringing material then they can be put on notice and must remove that material. The ECommerce Directive doesn’t go into what the methodology for notice and take down should be.

Another example is P2P. ISPs act as intermediaries between user and content; they don’t host it. They are ‘mere conduits’.

Arguments: rights holders need to be able to pursue infringement, and as the ISP ‘has the power’ to pull the plug on hosting and traffic, then they should do more. We’ve seen lawsuits against P2P infringers, and different ISPs react differently to notices.

Issues around how copyright is affected on the internet. Broadband take-up is being driven by illegal downloading of movies and music etc., and the content industry is pushing for action on this.

But losing ‘mere conduit’ status could be damaging, as people will route round the problem: if ISPs start blocking content then there will be other ways round it.

Without ‘mere conduit’, ISPs face legal action over traffic that’s outside of their control. Could drive ISPs out of business or drive customers out of the EU to ISPs based elsewhere.

The issue of justifying the status: it’s great for ISPs to have mere conduit, but why should society grant that status? The key reason is the innovation argument. ‘Mere conduit’ says that ISPs are not liable for traffic that goes over their network. If ISPs did have liability, they would have to ensure they were protected through some means. How would ISPs implement that? They would have to make judgements about whether traffic is good or bad (or unknown). Unknown traffic is all the innovation, all the stuff the ISP hasn’t seen yet, some guy’s new project, and that would be seen as ‘bad’ because you can’t judge what it is. The protocols that make up the traffic were created after the basic internet protocol, in 1980. Email was then invented… then the web, IM, VoIP… lots of new things that have been invented which could never have been predicted.

Do we want to freeze innovation where we are now, and say ‘everything that can be invented has been invented’ and stop development. Or do we want to support innovation?

The original rationale for mere conduit was linked to the notion of the internet as a common carrier: the idea of a platform like the Post Office, which creates an opportunity for any-to-any communication. Once you start interfering with the mere conduit principle, you end up on a slippery slope that moves towards a walled garden approach where any-to-any doesn’t exist and you undermine the whole social and economic value of the platform.

A bit more about complaints. The originators of the complaints only have the internet address of where the content is, and only the ISP can match that address to a physical name and address. There is a data protection issue here too - ISPs will not give out that name and address without a court order. They have a duty to protect their customer’s data.

At an EC level it’s difficult - attitudes are different from country to country. The challenge is obvious: it’s the balance between this concept of mere conduit, which in a way is intuitive, and the genuine concern of IP rights holders. Or if we look at security matters, and want to make the internet safer, what responsibility should ISPs have? That balance is key for policy makers.

Internet is still new, so we shouldn’t jump to conclusions. It’s still developing rapidly. DTI might say that we should try and find solutions that all parties agree with. [But this speaker, Jean-Jacque Sahel from the DTI ignores the public and rules out 'those people who infringe copyright'.]

I brought up the issue that the public/consumers aren’t being involved in this conversation. Mr Sahel challenged me to say ‘should the infringers be part of the conversation’, to which I would argue, yes, absolutely. If you don’t know why they infringe, how can you tell if you are moving towards the right policy? The aim, after all, is to bring everyone into the fold, and ignoring those who infringe does nothing to help create a climate in which it becomes easy for them to change their behaviours to more law-abiding ones.

Also need more of a dialogue between the public and ISPs about what the public expects. In many ways, we have to ask what the ISPs should be doing, and what should be done. It’s more ‘something should be done’, and we have to ask who should do it? Society at large should also be involved.

Businesses, in a matter of self-interest will find ways around problems, but with the TV Without Frontiers Directive, it will undermine their ability to do that. Better to have a self-regulatory regime that allows companies to publicise their conformity with a set of objective standards than to have a set of legal rules that apply in principle to all providers but can’t be effectively enforced.

The advantage of a self-regulatory regime is that it would allow consumers to make informed choices.

More than price and business model. The Adelphi Charter makes the point that extending IP law does no one any favours. But is data protection a bigger problem than extension of IP law?

Yes, Data Protection Act is currently more important to ISPs than the ECommerce Directive.

Public has an expectation that ISPs will take action about security, abuse, spam, etc. One of the problems of this IP debate is that it distracts us from working on more important issues that feed into this debate, such as detecting zombie computers. Is attempting to locate zombies going beyond the mere conduit? These are things we want to do but fear opening the floodgates. The Government expects ISPs more and more to do things that are not in ‘mere conduit’ status.

With abuse, customers are increasingly expecting ISPs to be involved in their own computer security, which requires inspecting traffic. Just looking at the copyright route is restricting us from looking at other issues and their implications.

Need to do a better job of telling people about the good work ISPs are doing, but in some areas if we are not doing good work politicians will want to act. We can achieve more without punitive regulation. Self-regulation is important, and child safety is at the top of that. We have a good story to tell about that and we should. Need to ensure that people understand parental control and how to use it. It’s a challenge we have to rise to, and we need to talk about it more so that we can avoid regulation first. Have to think about how we present our position to politicians.

Unfortunate that we aren’t talking more about content. ISPs use mere conduit to hide behind for illegal content, whether it’s pornography or infringed copyright. Illegal content does us no good. I was hoping we’d have a discussion about what ISPs could do to help.

In response, have to review the point about business models. There are limits to what you can achieve with legal action. Just to be a bit controversial, I remember a discussion with music industry representatives and I was told ‘these guys are breaking the letter of the law and destroying your business, why don’t you sue their arses off?’, but no business model has a divine right to exist forever. The reflex is always to try to use the law rather than develop new business models that work with the grain of reality, and that’s a problem.

There is perplexity in the current policy debate, between ISPs’ status of mere conduit and their ability to actually manage traffic. Some would argue their ability to manage traffic should be constrained by some sort of net neutrality legislation. In the US at least, it is the ISPs who say they need to be able to actively manage traffic, and the activists say that’s inappropriate. So is there a tension between ISPs saying they need to give priority to some traffic and not others, but at the same time saying they are mere conduits?

Rights holders say ISPs have the technical ability to pick out, say, P2P traffic, and x% is infringing, so why not block it? But if that was a bill in front of Parliament there’d be a vigorous debate. Copyright is important, but at the same time blocking of innovation or outlawing of technologies which have uses which are illegal - P2P is not *inherently* illegal. So which considerations outweigh the others? But it’s not for BT or other ISPs to unilaterally block P2P traffic. The damage to us would be huge; it’s nothing to do with the money we make out of P2P traffic - we actually don’t make any money out of it. That’s a claim that’s made, that we have a duty to do something because we make money. But the minority heavy users cost us money, they don’t make us money.

Also, you can’t directly import the discussion from the US to the UK of net neutrality. It arose in the US out of the specifics of the marketplace. That gave rise to specific legislative proposals which caused concern, so I don’t think there’s a direct comparison.

No conflict between differential pricing, say, and mere conduit. So long as you have a possibility for any-to-any communication then there’s no compromise of mere conduit status.

Murmurs around the table afterwards were that the discussion had been oversimplified. It’s not just about rights holders and ISPs. It’s important to remember, after all, that law is here to protect the public good, not to protect business models, and this discussion appears to be mainly between those parties with the biggest sticks.

Content Online Consultation

Posted by Glyn in Consultations, Copyright, DRM, Intellectual Property, Net Neutrality, Privacy at August 1st, 2006

The European Commission have launched a consultation titled “Content Online”. Topics that are asked about include DRM, network neutrality, privacy online, lack of interoperability, protection of public interests, competitiveness, P2P and piracy. Input to this consultation will help shape a Commission Communication on Content Online, due to be adopted at the end of the year. The deadline for replies is 13 October 2006.

As always, ORG has a wiki page, Public Consultation on Content Online in the Single Market, that we are encouraging people to edit.