Archive for the 'Regulation of Investigatory Powers Act' Category

FIPR calls on Home Office to withdraw misleading advice on Phorm

The Foundation for Information Policy Research (FIPR) has today sent the Home Office in-depth legal analysis [pdf] of the Phorm behavioural advertising system. The analysis has been produced by FIPR’s General Counsel (and ORG Advisory Council member) Nicholas Bohm, and complements the technical analysis produced by Richard Clayton earlier this month [pdf]. The analysis shows that Phorm’s systems involve interception of communications contrary to the Regulation of Investigatory Powers Act, fraud, contrary to the Fraud Act, and therefore unlawful processing of personal data, contrary to the Data Protection Act. It states that individual directors and managers of the Internet Service Providers involved could be criminally liable for these offences, if roll out of Phorm goes ahead.

FIPR want the Home Office to withdraw informal advice they issued in February, which FIPR say wrongly concluded the system is lawful, creating “an obstacle to the just enforcement of the law”. At the public meeting attended by Phorm and their critics last week, Simon Davies of 80/20 Thinking Ltd identified the legality of Phorm under RIPA as a legitimate issue, but urged participants not to get bogged down in a question which, in the end, can only be decided in a court of law. Hopefully, FIPR’s legal analysis will bring UK citizens one step closer to an answer to the question “Is Phorm legal?”. As Richard Clayton observes:

“The Home Office’s superficial analysis said that the system would be lawful. Given their batting average at the High Court, relying upon their opinion was always unwise - this new paper spells out the errors they have made, and makes it essential that their report is withdrawn.”

Previous posts on Phorm:

Phorm: public meeting announced for next Tuesday

Last month, we announced that Phorm, the company whose technology delivers targeted ads based on where you visit on the web, were planning to hold a public meeting to face their critics. Details of the meeting have now been announced.

When: Tuesday, 15 April, 1830 - 2030
Where: The Lecture Theatre, Brunei Gallery, School of Oriental & African Studies, London (map)

The meeting is being hosted by 80/20 Thinking Ltd, and you can read more details about it on their website. Although the meeting is free for all to attend, 80/20 Thinking are asking that you send them an email to info@8020thinking.com to let them know you’re coming along. From the 80/20 Thinking website:

80/20 Thinking, with the full cooperation of Phorm, has decided to organise a public meeting as part of the PIA (privacy impact assessment) process. We intend to use feedback from this event to inform the PIA. A final version of the PIA will be published by the end of April 2008.

Attendees are encouraged to read the technical analysis produced by Richard Clayton [pdf] in advance of the meeting.

The Information Commissioner’s Office have today released a further statement on Phorm, making clear their belief that any systems using Phorm (such as BT’s webwise) need to seek the consent of their customers on an opt-in (and not an opt-out) basis.

I’ll be going to the public meeting next Tuesday, so if you’d like to ask a question, but you can’t make it yourself, please leave it in the comments.

Phorm analysis out

Richard Clayton has now published his technical analysis of Phorm. There’s a good introduction to it on his Light Blue Touchpaper blog.

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Read the rest here, or go straight to the technical analysis.

By coincidence, the Information Commissioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR’s invitation to consider the lawfulness of Phorm’s data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.

ORG and FIPR meet with Phorm

On Wednesday, at their invitation, I went to Phorm’s offices in Central London. I was accompanied by ORG Advisory Council member (and Foundation for Information Policy Research Treasurer) Richard Clayton. We were there, on Phorm’s invitation, to find out how the systems that they are selling to BT, Virgin and TalkTalk actually work. Over the last few weeks, the story that three of the UK’s major ISPs are signed up to trial Phorm, which tracks users’ online surfing habits in order to serve them targeted ads, has been met with significant public resistance.

We didn’t go to Phorm for “the layman’s view”. We wanted the real deal, and I’m delighted to say that that’s what we got. Over the coming days, Richard Clayton will be posting details of different aspects of the system on Light Blue Touchpaper, posts which I will report on here. Earlier this month, the Open Rights Group called on Phorm to publish full details of how the technology will work – Richard’s analysis will provide this information. Only when we know how Phorm actually works can we model exactly what the implications of the technology are for users’ privacy. Richard and I also encouraged Phorm representatives to join the UK-crypto mailing list, in order to engage further with the expert community.

In the meantime, I thought it would be useful if I noted one of the less technical discussions that took place at the meeting. Phorm remain convinced that their technology, in the words of Simon Davies, “advance[s] the whole sector of protecting personal information by two to three steps”. This assertion is based on the significant measures they have taken to obscure identifying and sensitive information as they track web activity in order to serve targeted ads.

However, what this assertion fails to take into account is that BT, Virgin and TalkTalk are proposing to apply the Phorm system to a layer of the web stack that has previously been free of any such tracking and targeting activity. It is this aspect of the story which has caused so much public disquiet. As Sir Tim Berners-Lee put it last week:

“I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.”

If you don’t like the way a web application is protecting your privacy, you can use another one, and if you can’t find one you want to use then you can build your own. But you can’t build your own connectivity. If the UK’s major ISPs all sign up to Phorm, then UK citizens will find it increasingly difficult to find connectivity that doesn’t come with “strings attached”. Internet users can opt out, as, it turns out, can server operators (but I’ll let Richard provide details of that). TalkTalk have even indicated that they will make their Phorm system opt in. But is this enough? How long until we are asked to pay a premium for connectivity which comes “snoop-free”?

Nothing Richard Clayton and I saw yesterday appeared to contradict the legal analysis issued by FIPR last week, analysis that raised questions as to Phorm’s legality under section 1 of the Regulation of Investigatory Powers Act. But the Phorm issue is far more likely to be decided upon in the court of public opinion than in a court of law.

At the meeting, I encouraged Phorm to engage further with its critics. They are now planning an open, public meeting to hear people’s concerns about their technology. As soon as I have details of this meeting I will publish them here. If you’ve seen expert comment on Phorm, or think that the debate would benefit if others (for example the ISPs themselves) were specifically invited, please leave your suggestions in the comments. Thanks to everyone who left comments to my previous two posts on Phorm, many of them were tremendously helpful in preparing for the meeting.

Earlier this month, ORG also called for 80/20 Thinking Ltd’s privacy impact assessment to be made public. An interim assessment [pdf], dated 10 February 2008, was published last week. It predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?” Phorm let us know yesterday that the full privacy impact assessment (which was due this month) has not yet been completed, and that they will publish it as soon as they can after it is complete.

Phorm update

It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about - the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial Phorm, a system which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet. As Sir Tim tells the BBC’s Rory Cellan Jones today:

“I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.”

Or as ORG might paraphrase:

“Keep your mitts off my bits”

Meanwhile, FIPR have written to the Information Commissioner’s Office with a detailed analysis of the legality (or otherwise) of Phorm. FIPR spokesperson (and Open Rights Group Advisory Council member) Richard Clayton puts it like this:

“The Phorm system is highly intrusive — it’s like the Post Office opening all my letters to see what I’m interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme.”

The ISPs which propose to use Phorm are yet to respond to ORG’s call to publish the privacy impact assessment they commissioned from 80/20 Ltd (whose Director, Simon Davies, is also Director of Privacy International), as well as full details of how Phorm will work. Until we can all see for ourselves exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue.

The Phorm storm

Update: An interim Privacy Impact Assessment (PIA) has now been published by Phorm. You can read it here [pdf]. The PIA, produced by 80/20 Thinking Ltd, predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?”. This document, which is dated 10 February 2008, anticipates the publication of a full PIA “in March 2008”. As yet none has been forthcoming.


Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet.

Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP. It then uses information about your surfing habits, gathered by searching the URLs you request and the websites you visit for key words, to assign that unique number to various “channels” (for example “golf”, “travel” or “handbags”). When you visit a website which has a “Phorm please put an ad in here” tag, Phorm serves an ad from a channel where your unique number appears.

Phorm says that it does not write data about the content you are viewing to disc in “the production system”, getting rid of it as soon as the operation to assign your unique number to a channel is complete. In a separate system (used for “research and debugging”) that data is stored for 14 days, then deleted.

Despite some significant investigative work, in particular from The Register and the Political Penguin blog, several technical questions remain unanswered. The confusion is compounded by a Privacy Impact Assessment of Phorm that was conducted by 80/20 Thinking Ltd, whose core staff includes the director of Privacy International, Simon Davies. Davies has gone on record stating that “Phorm does advance the whole sector of protecting personal information by two to three steps”. Yet despite the focus on Davies’ involvement, the privacy impact assessment conducted by 80/20 is yet to be published.

On top of this, question marks are beginning to appear over Phorm’s compliance with the law. Can ISPs’ employment of Phorm comply with the Data Protection Act? Is intercepting traffic in this manner an offence under section 1 of RIPA (the Regulation of Investigatory Powers Act)? The Information Commissioner has issued a statement (pdf) saying his office is making inquiries – but is this enough?

A petition asking the Government “to stop ISPs from breaching customers’ privacy via advertising technologies” has now collected over 2,500 signatures. Phorm could, as Simon Davies has claimed, represent an advance in online privacy. But because it is being applied to target ads at us, based on activity we have not asked and may not want to be tracked – the websites we visit – it is not surprising that people are shouting “keep your mitts off my bits!”.

Until we know exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue. The ISPs involved with Phorm, as well as the company itself, should take their lead from the Government, who last week published the controversial and critical Crosby Review of ID cards after much delay. They should publish 80/20’s impact assessment and full details of how Phorm will work now and let us see for ourselves the real privacy implications of Phorm.

Some resources:

Trustguide and ID Cards

Trustguide reports on our views, beliefs and needs regarding trust, security and privacy in relation to new technologies. We like it very much - it should be required reading for politicians! Over the last 15 months HP and BT, in conjunction with the DTI, hosted workshops across the UK on a broad range of topics (detailed below). The document is full of participant responses and is a treasure trove of quotes for journalists.

Topics under consideration:

  • Trust versus risk
  • E-Commerce: Risk and Responsibility
  • Factors that impact on risk taking
  • Mitigated risk
  • ID cards: An aid to security?
  • Use of Biometric data
  • Privacy and health information
  • E-Government and Public Sector IT
  • Awareness and education
  • Use of public access terminals


Next ORG networking event - 14th August

Posted by Michael in ORG Events, Regulation of Investigatory Powers Act at August 4th, 2006

Scrambling for Safety 8 is taking place on the 14th August at University College, London, where the focus will be on the Home Office’s access to keys and communications data code of practice consultations.

Those unable to make the main event are invited to the Jeremy Bentham pub on University St., WC1, to join attendees and speakers from the conference. We’ll have a room in the pub from 1730 til close.

Hope to see you there.

Tapping VoIP

We have seen attempts to add more legislation to voice over IP in America so I guess it was only a matter of time.

“The Guardian has learned that police and security agencies have been lobbying ministers and senior officials, expressing fears about the potential for voice-over-internet-protocol technologies to hide a caller’s identity. Their aim? To get VoIP providers to monitor calls and find ways to identify who is calling whom - and even record them.”

Lifting the veil on internet voices - The Guardian

The proposed requirement for all VoIP services to have to provide 999 services would kill any free VoIP service, unless the government is offering to cover the costs. If they want to log and trace VoIP why not Instant Messages? If they want to log and trace IM then what about email… (You get the idea)

Public meeting on RIPA consultations

Posted by Glyn in Privacy, Regulation of Investigatory Powers Act at July 21st, 2006

The Regulation of Investigatory Powers Act Part III gives law enforcement the power to serve notices requiring that encrypted material be “put into an intelligible form” (or as everyone else would say, decrypted). Under some circumstances the notices can require that encryption keys are handed over. At present Part III is not in force, but the Home Office are consulting on a Code of Practice for its operation and it must be expected to come into force in early 2007.

The eighth Scrambling for Safety meeting on the Home Office’s access to keys and communications data code of practice consultations is being held from 2-5pm on Monday 14 August 2006, at the Gustave Tuck Lecture Theatre, South Wing, UCL, Gower St, London WC1 [campus map].

Admission is free but space is limited, so if you wish to attend please subscribe to the meeting mailing list. Please e-mail sfs8@fipr.org with requests for any other information.

The agenda is as follows:

1400 Welcome - Dr Ian Brown, UCL Computer Science
1405 The Home Office consultations - Simon Watkin, Home Office
1420 Government access to communications data - Dr Richard Clayton, Cambridge University Computer Laboratory
1435 Government access to decryption keys - Caspar Bowden, ex-director, FIPR
1450 Questions
1505 Risks to safety and security - Dr Brian Gladman, MoD and NATO (retired)
1520 Errors of judgment and integrity in presenting computer-based evidence - Duncan Campbell, expert witness and investigative journalist
1545 Parliamentary scrutiny of RIPA and its Orders - The Earl of Erroll, House of Lords (crossbencher)
1600 Questions
1615 Compatibility with human rights law - Prof. Douwe Korff, London Metropolitan University
1630 Do the police need longer detention periods to investigate encrypted evidence? - Prof. Ross Anderson, Cambridge University Computer Laboratory
1645 The changing public mood on privacy - Lord Phillips of Sudbury, House of Lords (Liberal Democrat)
1655 Questions and conclusions - Simon Davies, Privacy International and LSE
1700 Close

Useful background information is at Privacy International’s wiretap page and FIPR’s “Surveillance and security” pages.