Latest Phorm

April 5, 2008

The ICO has responded to queries from the IFPR and others about agreements made by Phorm with three leading UK ISPs – BT, TalkTalk and Virgin Media. The background to this development can be read here, but essentially the story is that Phorm uses access to a user’s Web browsing history to target advertisements that are relevant to that user – and the concern centres around the breach of privacy which may arise from access to that web history.

The original ICO statement, since updated, reads as follows:

The ICO has received a number of queries concerning the recent announcement by Phorm that 3 major UK Internet Service Providers have agreed to allow them to use technology, developed by Phorm, to present adverts to their customers based on the nature of the websites they visit.
Understandably, this has provoked considerable public concern. We have had detailed discussions with Phorm. They assure us that their system does not allow the retention of individual profiles of sites visited and adverts presented, and that they hold no personally identifiable information on web users. Indeed, Phorm assert that their system has been designed specifically to allow the appropriate targeting of adverts whilst rigorously protecting the privacy of web users. They clearly recognise the need to address the concerns raised by a number of individuals and organisations including the Open Rights Group. We welcome the efforts they are making to engage with sceptical technical experts and believe that it is only by allowing their technology to be subject to detailed scrutiny by independent technical experts that they will be able to prove their assertions regarding privacy. The ICO strongly supports the use of technology in ways which enhance rather than intrude upon privacy, and plans to produce a report on “Privacy by Design” later this year.
We understand that the technology is not yet in use and that BT intends to run a trial involving around 10,000 broadband users later this month. We have spoken to BT about this trial and they have made clear that unless customers positively opt in to the trial their web browsing will not be monitored in order to deliver adverts. BT has also stated that the system does not store personally identifiable information, URLs, IP addresses or retain browsing histories and that search information is deleted almost immediately, and is not retrievable.
We will continue to maintain close contact with Phorm and BT throughout the trial. Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.

Criticism has not suddenly evaporated, however. A recent contribution by Richard Clayton on Light the Blue Touchpaper, a blog from members of the Security Research Group at the University of Cambridge, is well worth reading. Richard Clayton had been given generous access to the technical detail surrounding Phorm and publishes much of this on the site, but his closing comment sums up his views:
Phorm says that of course I can opt out — and I will — but just because nothing bad happens to me doesn’t mean that deploying the system is acceptable.
Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes give them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.
Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.