The use of Phorm surfaces privacy law flaws in the UK

Some interesting conflict. The EU is taking the UK to court for not taking appropriate measures to protect their citizens’s privacy i.e. the UK law does not protect personal privacy as strongly as EU laws demand. Most of this has come about because of the use of Phorm in the UK. Phorm invented a technology for ISPs to use to track users’ web use in order to serve them ads that were related to the recorded internet activity. ISP BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this broke privacy laws.

It is interesting because it highlights some flaws in the UK privacy laws. Read more at out-law.com

Background on Phorm follows (an extract from Virtual Shadows book):
“During 2008 there was growing controversy about interception of people’s web traffic in the UK. At the centre of the storm is the ‘patent-pending’ technology of a new company called Phorm. The drivers behind this are not government authorities but three of the main players in the telecommunications space. BT, TalkTalk and Virgin all signed up to use Phorm, which targets adverts to users based on users’ web browsing habits. Phorm’s proprietary ad serving technology claims to use anonymised ISP data to deliver the right ad to the right person at the right time, the right number of times. This means that end-users will receive advertising that is tailored to their interests in real time. Keywords in websites visited by a user are scanned and connected to advertising categories and then matched to particular adverts. That data may include sensitive personal data, because it will include the search terms entered by users into search engines and these can easily reveal information about such matters as political opinions, sexual proclivities, religious views and health.

Phorm anonymises identities: each user is given a persistent random ID, so that each time they browse, the same ID is used to collect information on their habits over a period of time, but Phorm cannot see the link between this ID and the natural identity. Phorm uses the ID to deliver tailored advertisements in their browser. This ID is used to distinguish the user from the millions of others on the internet and it does not contain any information about the user themselves or their computer. Users will have the choice to opt-in or opt-out of this service. TalkTalk has said it intends to make Phorm an opt-in system, whilst as of Spring 2008 the two other ISPs had not yet decided.

If a user is given a persistent ID, this means that whenever the user accesses the ISP, the ISP can see the link between the assigned ID and the user’s natural identity. The persistent ID is not encrypted as it is in the form of a cookie. To ensure ‘separation of duty’ the system will enable the ISPs to prevent Phorm from knowing the user’s natural identity. This means that the ISPs will hold the persistent ID assigned to natural users and Phorm will receive the browsing habits attached to the persistent ID. If this is the case one could argue that the Phorm system is not based on anonymity, but it is in reality based on controlling the release of information.

According to an open letter sent to the UK Information Commissioner on 17 March 2008 (Fipr 2008), the Foundation for Information Policy Research4 have claimed that the online advert system Phorm is illegal and contravenes RIPA.

Fipr believes Phorm contravenes the Data Protection Act, in that users have to opt-out rather than opt-in, and RIPA, which makes the interception of any transmission across a public telecommunication system illegal without the explicit consent of users. (Exceptions are when police are investigating a serious crime such as kidnapping and need to listen in to conversations between a family and the criminals, although even they must first obtain an authorisation under RIPA.)”