September 19, 2008 | Becky Hogge

What BERR want from Phorm - and what we think they're missing

Phorm, the targeted behavioural advertising technology company, has been back in the headlines this week. The Department for Business, Enterprise and Regulatory Reform (BERR) have finally responded to the European Commission's demand for an explanation of how Phorm's technology conforms with EU data protection and privacy laws. Information Society Commissioner Viviane Reding had asked the UK Government to respond to her enquiries by the end of August.

The Register has published BERR's public statement in full. In it, BERR lay out the conditions they think Phorm needs to conform to in order for it to operate within the law:

After conducting its enquiries with Phorm the UK authorities consider that Phorm's products are capable of being operated in this fashion on the following basis:

  • The user profiling occurs with the knowledge and agreement of the customer.
  • The profile is based on a unique ID allocated at random which means that there is no need to know the identity of the individual users.
  • Phorm does not keep a record of the actual sites visited.
  • Search terms used by the user and the advertising categories exclude certain sensitive terms and have been widely drawn so as not to reveal the identity of the user.
  • Phorm does not have nor want information which would enable it to link a user ID and profile to a living individual.
  • Users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether to be involved.
  • Users will be able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme.

The conditions either misunderstand or ignore a crucial stakeholder in the web-browsing process - website owners. As Nicholas Bohm (General Counsel to the Foundation for Information Policy Research and ORG Advisory Council member) made clear in his legal analysis [pdf], unless the ISPs employing Phorm's technology to intercept the communications between their customers and the owners of the websites their customers are visiting have the explicit consent of both parties, they are likely to be committing an offence under the Regulation of Investigatory Powers Act (RIPA), the legislation that governs interception of communications in the UK. As Mr Bohm states:

"The inevitable conclusion is that an ISP who operates the Phorm system will commit offences under RIPA s1 on a large scale. Phorm is inciting the commission of those offences, which is itself an offence at common law (and will be an offence under section 44 of the Serious Crime Act 2007 when it is brought into force to replace the common law offence)."

What's more, although Phorm may not have "information which would enable it to link a user ID and profile to a living individual", website owners might. Bohm again:

"If parts of the visited site use the HTTPS protocol for secure browsing, the cookie containing the Phorm UID will be sent to the site, where the UID can be read; and if a webmaster wishes to do so, he can read the UID in any case using Javascript. The result is that any site which holds any personally identifying information about a user, and many do, can associate that information with the Phorm UID and indeed also with the user's IP address visible to the site. In view of this, Phorm's claims for the anonymity of its processes are, to put it no higher, a considerable exaggeration."
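
For a site operator who does not want to end up holding the identifier Bohm describes, one mitigation is to drop any cookie the site did not issue before the request reaches logging or account code. The sketch below is an added example, not code from the original post or from Phorm. The cookie names (`session`, `csrf_token`, `prefs`, `uid_injected`) and the sample header are constructed, since the real cookie name is not given on this page.

```javascript
// Added example. All names here are hypothetical and the sample header is constructed.

// Cookies this site actually sets. Anything else arriving in the Cookie
// header was placed under our domain by some other party.
const ISSUED_COOKIES = new Set(["session", "csrf_token", "prefs"]);

// Parse a raw Cookie request header into [name, value] pairs.
// Only the first "=" separates name from value, so values may contain "=".
function parseCookieHeader(header) {
  return (header || "")
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? [part, ""]
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Split the header into cookies we issued and cookies we did not.
// Only the names of foreign cookies are returned, never their values,
// so an injected identifier is not copied into logs or analytics.
function splitCookies(header, issued = ISSUED_COOKIES) {
  const kept = [];
  const foreignNames = [];
  for (const [name, value] of parseCookieHeader(header)) {
    if (issued.has(name)) kept.push(`${name}=${value}`);
    else foreignNames.push(name);
  }
  return { sanitized: kept.join("; "), foreignNames };
}

// Constructed request header: two cookies the site set, one it did not.
const SAMPLE_HEADER = "session=abc123; uid_injected=Zm9vYmFy; prefs=lang=en";
const sample = splitCookies(SAMPLE_HEADER);
console.log("forwarded to application:", sample.sanitized);
console.log("dropped (names only):", sample.foreignNames);
```

This only addresses what the server stores. Any script running in the page can still read a cookie that is not marked HttpOnly.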

Are the UK authorities under the misguided impression that ISPs provide the internet, the way that broadcasters provide television? Or do they understand that communications between internet users and website owners during web browsing are as legally private as communications between me and my grandmother when I write her a letter and post it using Royal Mail?

BERR have declined to publish the full text of the letter to Viviane Reding, which is also expected to contain an explanation of any action UK authorities propose to take over BT's trials of the Phorm technology in 2006 and 2007, trials which did not seek the consent of users. These trials are the subject of an ongoing investigation by City of London police.

A variety of Freedom of Information requests have now been made to BERR which ask them to reveal details of meetings with BT, Phorm and other ISPs, and disclose the full text of the letter to the Commission.



Comments (3)

  1. Petty. Me. Uk. » Recent Links, 20080922:
    Sep 22, 2008 at 05:56 PM

    [...] What BERR want from Phorm - and what ORG think they’re missing Phorm is a targeted system of web advertising which has caused all sorts of hiccups just because of [...]

  2. The Open Rights Group : Blog Archive » 4 good reasons not to take part in the BT Webwise trial:
    Sep 30, 2008 at 10:21 AM

    [...] The Government have told BT that in order for Webwise to conform to UK data protection laws, BT must seek the consent of everyone who uses an internet connection where Webwise is enabled. To get around this, BT have devised new terms and conditions for people who agree to trial Webwise [...]

  3. Midnight_Voice:
    Sep 19, 2008 at 05:12 PM

    Here's the BERR view [•] with my comments added [*] after each:

    BERR's view on how to make Phorm conform

    • User profiling is done only with the knowledge and agreement of the customer
    * And of the website being visited - necessary under RIPA
    • The profile is based on a randomly allocated unique ID, so there is no need to know the identity of the individual users
    * Under the DPA, anything that allows an individual to be singled out from a group makes them identifiable, even though it is not a conventional identity item like name or IP address. As Phorm use the UID and profile as a basis to target the user with individually selected ads, it follows that they are keeping PII (personally identifiable information) about that person, and are therefore subject to all the considerations of the DPA, i.e. on supplying my UID to them, they must tell me all the information held under it. (Though how will they know it's my UID?)
    • Phorm does not keep a record of sites visited
    * I guess they have to leave something on the table for REVSCI and DoubleClick
    • Search terms entered by the user and the advertising categories exclude sensitive terms and are widely drawn so as not to reveal the identity of the user
    * Yes, and we saw how successfully AOL did that
    • Phorm neither has nor wants information that would let it link a user ID and profile to a living individual
    * and nor should it let that information fall into other hands. But the way Phorm propagate the UID in cookies that any visited website can read violates that principle. And Phorm's own privacy policy, as it happens.
    • Users are presented with an unavoidable statement about the product and asked to exercise a choice about whether to be involved
    * and if they do not actively and positively choose to be involved, their traffic does not pass through any equipment associated with the provision of the Phorm service, whether owned by Phorm, the ISP, or anyone else. The ISP service does not stop if you put Webwise in your hosts file. Processing but not profiling the data (pulling my pants down, looking, but promising not to remember what they saw) is neither sufficient nor acceptable.
    * and website owners have the right to the same choice, and Phorm must obtain and record an explicit informed permission before profiling any website anywhere in the world.
    • Users are able to easily access information on how to change their mind at any point and are free to opt in or out of the scheme.
    * and as above, website owners should have the same access to this information, and the explicit informed permission granted to Phorm as above must be reversible by the website owner at any time.


