Welcome

  • Naked Law is written by technology lawyers from Mills & Reeve. Our team is (mostly) based in Cambridge, England. We write about the latest legal and regulatory developments relating to information and communication technology, e-commerce, and privacy.


Is it bad Phorm?

We’ve probably all heard recent reports about Phorm’s “Webwise and Open Internet Exchange” products. These employ a technology which utilizes ISP data to target users with tailored advertising; ISPs with whom Phorm has done a deal so far include Virgin, TalkTalk and BT. As Virgin is my provider, my immediate reaction to hearing the news was indignation at the thought of being snooped on in this way, not to mention misery at the thought of my screen being flooded with still more unwanted ads.

The Foundation for Information Policy Research, in an open letter to the Information Commissioner’s Office (“ICO”), gave voice to some of the same fears. It argued, in particular, that the use of the software would entail breach of the Data Protection Act 1998 because it would involve “sensitive personal data” such as search terms used (which would reveal details of things like political, religious, sexual preferences and health issues). If the Phorm software does indeed entail the “processing” of sensitive personal data, it would find itself having to comply with the data protection regime of notification and consent.

There are two other potential legal angles for Phorm to worry about: the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) and the Regulation of Investigatory Powers Act 2000 ("RIPA 2000").

The Privacy Regulations apply to commercial communications made by email, fax or phone. They require users to be informed if cookies are stored on their computers and to be given the opportunity to stop the storage. They also require ISPs to get customer consent before they use their traffic data to market their services. RIPA 2000 regulates the interception of communications without prior informed consent; for these purposes, web-hosts are deemed to be “communicating” their web pages to the end user.

In response to these concerns, the ICO last month issued a press statement analyzing whether the technology Phorm proposes complies with the data protection and privacy laws; it declined to comment on RIPA 2000 since the Home Office has responsibility for enforcement of that law.

On the data protection point, the ICO said that the Phorm technology did not involve the processing by Phorm of personal data. This is because each user profile built by the software is based on a randomly allocated identification number which is held only on the user's terminal and by Phorm itself, and it is impossible for its employees to locate particular user ID profiles on its system. However, the ICO acknowledged the possibility that the ISP itself, which undertakes the actual profiling of users, might be able to link particular user profiles with their IP addresses, leading to the creation of a data trail by which it might be possible to identify individuals. If so, ISPs who handle Phorm profiles may be processing personal data. However, Phorm intends to ensure compliance with the Data Protection Act rules by presenting users with an unavoidable statement about the software and asking whether they wish to be involved in its use; by giving users easy access to information on how to change their mind about opting in; and by leaving them free to opt in or out of Phorm at any point. This statement will also contain the information about cookies required by the Privacy Regulations.

So far, so good for Phorm, until the part of the ICO statement which says that, in order to comply with the Privacy Regulations' rules on obtaining user consent to use of their internet traffic data, Phorm will probably have to operate its system on an "opt-in" basis, so as to ensure that it has users' consent to the use of their traffic data to provide value-added services and profile-driven marketing. This was not what Phorm wanted, having hoped to get the ICO's blessing for a mere "opt-out" clause (which would deem all users to have given consent unless they expressly withheld it).

This is obviously a commercial disincentive which is likely to greatly reduce the number of users whose usage can legally be tracked in order to target advertising. If required to actively sign up to “targeted marketing”, users are instinctively likely to decline the offer, unless Phorm can really persuade us all that opting in would replace the irrelevant advertising we have to submit to already rather than add even more advertising to the web page than there is at the moment.

One also wonders why websites would want to sign up for the software, which is quite likely to push their competitors’ sites in front of their customers more accurately. For example, if I mainly look at the BBC news website, wouldn’t Phorm “understand” this and so push adverts for other news and current affairs sites at me, to the BBC’s detriment? We’ll have to wait and see how it works in practice, I guess.

Comments

With regard to RIPA and informed consent. Would I be correct that consent is required from both parties to a communication? Wouldn't this require consent to be obtained from the website owners too?

It has also been suggested that they could fall foul of the Computer Misuse Act as well as Copyright and Fraud legislation.

And then there's the copyright issue ISPs simply can't avoid;

See
http://www.youtube.com/watch?v=w08568bkQK0
or
http://www.dephormation.org.uk/video/copyright.wmv

Particularly, bearing in mind, s107/110 of the copyright act make commercial exploitation of infringing articles a criminal offence.

Interesting to see BT's own T&Cs also specifically prohibit commercial copying and use of their pages.

Oops.
