What BERR want from Phorm – and what we think they’re missing

Phorm, the targeted behavioural advertising technology company, has been back in the headlines this week. The Department for Business, Enterprise and Regulatory Reform (BERR) have finally responded to the European Commission’s demand for an explanation of how Phorm’s technology conforms with EU data protection and privacy laws. Information Society Commissioner Viviane Reding had asked the UK Government to respond to her enquiries by the end of August.

The Register has published BERR’s public statement in full. In it, BERR lay out the conditions they think Phorm needs to conform to in order for it to operate within the law:

After conducting its enquiries with Phorm the UK authorities consider that Phorm’s products are capable of being operated in this fashion on the following basis:

  • The user profiling occurs with the knowledge and agreement of the customer.
  • The profile is based on a unique ID allocated at random which means that there is no need to know the identity of the individual users.
  • Phorm does not keep a record of the actual sites visited.
  • Search terms used by the user and the advertising categories exclude certain sensitive terms and have been widely drawn so as not to reveal the identity of the user.
  • Phorm does not have nor want information which would enable it to link a user ID and profile to a living individual.
  • Users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether to be involved.
  • Users will be able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme.

The conditions either misunderstand or ignore a crucial stakeholder in the web-browsing process – website owners. As Nicholas Bohm (General Counsel to the Foundation for Information Policy Research and ORG Advisory Council member) made clear in his legal analysis [pdf], unless the ISPs employing Phorm’s technology to intercept the communications between their customers and the owners of the websites their customers are visiting have the explicit consent of both parties, they are likely to be committing an offence under the Regulation of Investigatory Powers Act (RIPA), the legislation that governs interception of communications in the UK. As Mr Bohm states:

“The inevitable conclusion is that an ISP who operates the Phorm system will commit offences under RIPA s1 on a large scale. Phorm is inciting the commission of those offences, which is itself an offence at common law (and will be an offence under section 44 of the Serious Crime Act 2007 when it is brought into force to replace the common law offence).”

What’s more, although Phorm may not have “information which would enable it to link a user ID and profile to a living individual”, website owners might. Bohm again:

“If parts of the visited site use the HTTPS protocol for secure browsing, the cookie containing the Phorm UID will be sent to the site, where the UID can be read; and if a webmaster wishes to do so, he can read the UID in any case using Javascript. The result is that any site which holds any personally identifying information about a user, and many do, can associate that information with the Phorm UID and indeed also with the user’s IP address visible to the site. In view of this, Phorm’s claims for the anonymity of its processes are, to put it no higher, a considerable exaggeration.”

Are the UK authorities under the misguided impression that ISPs provide the internet, the way that broadcasters provide television? Or do they understand that communications between internet users and website owners during web browsing are as legally private as communications between me and my grandmother when I write her a letter and post it using Royal Mail?

BERR have declined to publish the full text of the letter to Viviane Reding, which is also expected to contain an explanation of any action UK authorities propose to take over BT’s trials of the Phorm technology in 2006 and 2007, trials which did not seek the consent of users. These trials are the subject of an ongoing investigation by City of London police.

A variety of Freedom of Information requests have now been made to BERR which ask them to reveal details of meetings with BT, Phorm and other ISPs, and disclose the full text of the letter to the Commission.