Hands Up! Who Wants to be Phorm Monitor?

March 18, 2008

Phorm describes itself as ‘an innovative digital technology company … focused on creating a new “gold standard” for user privacy, a more relevant Internet experience, and more value for advertisers, publishers, Internet Service Providers and others in the online ecosystem’. In February it announced exclusive agreements with three leading UK ISPs – BT, TalkTalk and Virgin Media. By using Phorm’s technology, it was claimed that those ISPs will be able ‘to offer a new online advertising platform, the Open Internet Exchange (OIX), and a free consumer internet feature, Webwise, which ensures fewer irrelevant adverts and additional protection against malicious websites’.

This story has been twice updated. Click here (although you might want to skip that one) and here for the later developments.

The reaction to the deal has been marked by some alarm. A petition has been created on the 10 Downing Street Web site to ask the PM  ‘to Stop ISP’s from breaching customers privacy via advertising technologies’ and has gathered more than 4,000 signatures. The ICO showed an interest, announcing on 4 March that it has spoken with Phorm regarding its agreement with the ISPs. The ICO stated that Phorm had provided it with information about the product and how it works to provide targeted online advertising content: ‘at our request, Phorm has provided written information to us about the way in which the company intends to meet privacy standards. We are currently reviewing this information. We are also in contact with the ISPs who are working with Phorm and we are discussing this issue with them’.

A number of privacy campaigners have no doubt about the Phorm system – they see it is a A Bad Thing. By way of example, a blog called BadPhorm has been created. It is pretty clear about its position:
Simply put, three of the UK’s largest ISPs (Virgin Media, BT and TalkTalk) have decided to sell your private browsing history to an advertising broker. Yes, the entire list of every web page you visit gets sent to Phorm (the broker) in real time, as you click, so they can send you ‘targeted advertising’. Naturally the ISP’s are not too keen on telling their users this, they’d much rather feed us all platitudes about how it’ll help combat phishing and how the targeted adverts will be so much better than the random ones we see today. In fact, they didn’t even announce it to the UK press, we had to find out about it from the New York Times!

Phorm has been quite impressively forthcoming in responding to questions raised by those who are so concerned about the deal. They have engaged in Q&A sessions (see, for example, http://news.bbc.co.uk/1/hi/technology/7283333.stm and http://www.badphorm.co.uk/page.php?10). Nevertheless, real doubts remain and, by way of a prominent example, the Open Rights Group continue to express concern.

One wild card is that it has been suggested that the Phorm system involves an interception of data and that this amounts to a breach of the Regulation of Investigatory Powers Act 2000, s. 2. Professor Peter Sommer of LSE said: ‘Whatever the parties involved say, this appears to be an interception under RIPA. The real issue will be about how consent is obtained’.

The main thrust of the campaign has been to ensure that the contracting ISPs make the use of Phorm technology opt-in. TalkTalk have already said that they will ensure that it is opt-in; Virgin and BT are yet to decide. If nobody implements the Phorm technology without a user’s consent, it is hard to see what the ICO’s data protection concerns might be, but it does seem likely that the move to opt-in is a reaction to the level of protest. But the Phorm storm has not blown itself out – it seems to some observers to be bigger than the issue itself and to signify a deeper concern. Tim Berners-Lee was recently quoted by the BBC as saying that he would not use an ISP that was using Phorm or similar technology. In an open letter of 17 March 2008, the Foundation for Information Policy Research (FIPR) wrote to the Information Commissioner expressing its concern. Excerpts from the report of 80/20, the company paid by Phorm to carry out a privacy audit, have also recently been published – although they give Phorm a clean bill of health in general terms, elements have been seized on to raise greater concern.

The letter from FIPR mounts such a cogent argument that it is worth reading in full:

We understand that you are investigating the targeted advertising service offered by Phorm through co-operation agreements with BT, Talk Talk, Virgin Media and other Internet Service Providers.
The provision of this service depends on classifying Internet users to enable advertising to be targeted on their interests. Their interests are to be ascertained for this purpose by scanning and analysing the content of traffic between users and the websites they visit.
This activity involves the processing of personal data about Internet users. That data may include sensitive personal data, because it will include the search terms entered by users into search engines, and these can easily reveal information about such matters as political opinions, sexual proclivities, religious views, and health.
Users are apparently to be allocated pseudonyms for some of the processing, but at various processing stages the personal data can be linked to the pseudonym, the pseudonym can be linked to the IP address used, and the IP address can be linked to the user. Although we understand that this linkage will not be standard operating practice, it can nevertheless be performed.
Many users will also be identifiable from the content of the data scanned, since it will include email sent or retrieved by users of web-based email, and messages viewable by those authorised to gain access to individual pages of social networking sites.
Although some web-based email systems operate using “https:” end-to-end encryption, which would prevent interception, this is far from ubiquitous. It might be possible for Phorm to configure the service to exclude a handful of the more high-profile web-mail and social networking systems. But there are no available methods of detecting the tens or perhaps hundreds of thousands of other, low usage, often semi-private systems which currently provide web-mail or social networking in chat rooms or similar environments.
Classification by scanning in this way seems to us to be highly intrusive. We think that it should not be undertaken without explicit consent from users who have been given particularly clear information about what is liable to be scanned. Users should have to opt in to such a system, not merely be given an opportunity to opt out. We believe this is also required under European data protection law; failure to establish a clear and transparent “opt-in” system is likely to render the entire process illegal and open to challenge in UK and European courts.
It would be specially objectionable if opting out were to depend on the maintenance by the user of a cookie, since many reasonable users regularly clear all cookies; nor should users be expected to opt out by blocking one or more websites, since many may not understand how to do this or may make errors in trying to do so.
Classifying users by scanning the content of their communications involves interception in the sense of s1 and s2 of the Regulation of Investigatory Powers Act 2000. That is because classification cannot be done without the content being made available to the person doing the classifying. The fact that he does so by the application of machinery which avoids the need for him to read the content is irrelevant — it is clear, for example, from ss16(1) that material is to be treated as intercepted even before classification or examination and despite the fact that it may not be lawful to examine it.
Interception of communications without the consent of both sender and recipient is an offence under s1. (The exception under ss3(3) — for things done for purposes connected with the provision or operation of a telecommunications service, which may well permit filtering for viruses and unsolicited bulk email in order to protect the operation of the service — can have no application to filtering for the purposes of targeted advertising, which is not a telecommunications service offered by the ISPs.)
The explicit consent of a properly-informed user (i.e. one who has been told explicitly that the search terms he uses, and the content of his email and of the social-networking sites he visits, will be among what is used to classify his interests for the purpose of targeted advertising) is necessary but not sufficient to make interception lawful.
The consent of those who host the web pages visited by a user is also required, since they communicate their pages to the user, as is the consent of those who send email to the user, since those who host web-based email services have no authority to consent to interception on their users’ behalf.
The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle under RIPA, and it cannot be lightly ignored or treated as a technicality. Even when the police are investigating as serious a crime as kidnapping, for example, and need to listen in to conversations between a family and the criminals, they must first obtain an authorisation under the Act: the consent of the family is not by itself sufficient to make their monitoring lawful.
It has been suggested that web-hosts impliedly consent to the download of their pages, and that it follows that they consent to the interception involved in scanning them for the purposes of classifying the user for targeted advertising services. But even where a web-host does consent to the downloading of his page by a user, we do not accept that this entails any consent to the scanning of that page by a third party.
Moreover, in many cases it is clear that any such consent is expressly or impliedly negatived. In the case of the many pages which are accessible only after registration of the user, access by an unregistered third party is plainly unauthorised (and sometimes expressly prohibited by the conditions under which access is permitted).
In the case of the unlinked web (those pages to which links are not published generally, being provided to closed groups by their host) there is no implied general consent to download, and consent for third party scanning is impliedly negatived by the context.
We therefore consider that even if third party scanning obtains the fully-informed and explicit consent of a user, it simply cannot hope to obtain all the consents necessary from others. It therefore involves unlawful interception; and it therefore cannot comply with either the first or the second of the data protection principles.
Finally, we should mention a note on this subject published by the Home Office in January 2008, of which we assume the Information Commissioner is aware. A senior official of the Home Office has said of this note:
“- the note is not advice, it doesn’t claim to be advice, legal or otherwise, it’s just a view
— the note wasn’t, and doesn’t purport to be, based upon a detailed technical examination of any particular technology.”
For the reasons explained above, it is our contention that the conclusions of the Home Office note are wrong so far as they may be thought to apply to Phorm. We hope that the Commissioner will not allow himself to be influenced by them.
Nicholas Bohm, General Counsel
Richard Clayton, Treasurer

Foundation for Information Policy Research

Andrew Katz of Moorcrofts commented in detail about the issues:

From the DPA perspective, the problem is complex.
Much as I would love to be proved wrong, I think that BT et. al., and Phorm may be in the clear here, provided they set up their system, and the relationship between them, carefully enough.
Looking at it from Phorm’s perspective (and assuming that they are running the servers which serve the adverts), they are receiving an anonymised token through which they can track the destinations of the user associated with that token. The DPA provides that this activity will only be processing personal data if a living individual can be identified from the data Phorm possesses or which is likely to come into Phorm’s possession.
Given that Phorm will, if it has good advice, be extremely careful to put a positive obligation on BT et. al. not to let them have any data which may link the token with any living individual, then neither does Phorm have that information, nor is it likely to come into its possession.
The fact that it is possible to link the user to the ip, the ip to the token, and the token to sensitive personal data (as suggested in the FIPR letter) is not relevant, if the chain is broken because it involves two parties, and one holds anonymised information which can only be linked to a living individual by using data which is not in its possession, or is not likely to come into its possession.
Admittedly, it is not necessarily quite as simple as that: if the Phorm servers can see that a web page has got ‘welcome Richard Thomas’ on it, for example, then they will have in their possession data which can link Richard Thomas with a particular token.
The FIPR letter implies that BT and Phorm are a sort of combined entity: if they were the same entity, then FIPR’s arguments are valid, but if, as I suspect, they have taken steps to segregate the data on the non-anonymous/anonymous sides of the Chinese wall, then there is no issue under the DPA for Phorm.
From the ISP’s side, there may be an argument that since the ISP has details linking the user to the IP, and since they can (presumably) see which ads are served to the user by Phorm, they would be able to reconstruct information about the types of sites visited, in breach of the DPA. However, I think this is a specious argument, because the ISP doesn’t need to know what the Phorm ad is to reconstruct possible site visits: as ISP, it has access to which sites have been visited, in any event (for which appropriate consent under the DPA will be required, but the issue is no different where Phorm is involved).
One neglected issue which has to be considered from the RIPA perspective is this.  BT et. al. do not know who is actually surfing using a particular connection. For a particular household, it could be any member of the family, or a guest, or even someone who is using an open wifi connection. Phorm itself acknowledges that ISPs must obtain informed consent from users accessing their system. The fact is, even if they do obtain informed consent from one member of the household, they will not know whether it is that member of the household who is actually online. Even if consent were to be obtained at the commencement of every session, it is entirely possible for different members to be online at the same time (although NAT analysis might obviate this), or may switch during a session.

And what of the question in the title of this piece: Who is going to be Phorm Monitor? By the looks of it, it seems to the Editor of this web site that the answer is practically everybody.


For the Phorm blog, click here.

For the Open Rights Group, click here

SCL members with a view on Phorm and the issues raised are invited to submit their views for inclusion on the site. E-mail lseastham@aol.com.