RePhormed ICO Statement

April 14, 2008

The ICO has issued a new statement about Phorm. See here and here for the background – essentially the story is that Phorm uses access to a user’s Web browsing history to target advertisements that are relevant to that user – and the concern centres around the breach of privacy which may arise from access to that web history. The new and improved ICO statement covers questions relating to the Privacy and Electronic Communications (EC Directive) Regulations 2003. The new statement reads as follows.

The Information Commissioner has been approached by a number of individuals and organisations for a view on Phorm’s Webwise and Open Internet Exchange (OIX) products. Phorm also approached the Commissioner immediately prior to announcing a deal to work with 3 major UK internet service providers (ISP) and launch of the Webwise and OIX products to explain the nature of their products and in particular what they believe to be the privacy friendly elements of them. The Commissioner has also had contact with the ISP working with Phorm about the scope and nature of their roll out of the Phorm products.

The Commissioner is responsible for enforcing the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). Therefore the Commissioner is confining himself to the question of whether the use of the products offered by Phorm complies with the DPA and PECR. Furthermore the Commissioner’s views are based on the current understanding of the Phorm products before the upcoming trial or roll out by any of the ISP have taken place which should provide more information about their use in practice.

Phorm has developed a system where, with the cooperation of an individual’s ISP they can profile the addresses and certain content of websites visited by users and then use that information to match that user against predefined broad advertising categories. Phorm assert that this targeted marketing takes place in a way that rigorously protects the privacy of web users.

Phorm has explained that the user profiling occurs with the knowledge and agreement of customer and within the technological infrastructure of the ISP. The profile is based on a unique ID allocated at random to each internet user which is held only on their computer and by Phorm so that the advertising and profiling can take place without needing to know the identity of the individual users. When a user visits a website that has an agreement with Phorm their user ID is recognised and Phorm will use the broad advertising categories associated with that ID to enable relevant advertising channel to be shown on the website. The advertising is displayed instead of non-targeted advertising that would be displayed to users regardless of the roll out of the Phorm products.

Phorm has provided assurances that the systems have been configured so that the company does not have a record of the actual sites visited and search terms used by the user and in addition the advertising categories exclude certain sensitive terms and have been drawn widely so that the profiles that they hold for users will not inadvertently reveal the identity of a user or return advertising of a sensitive nature. Phorm also assures us that the ISP does not hold or have access to either the advertising categories users have been matched against or the user ID and does not keep a lasting record of internet traffic for any reason other than it would have originally.

Whether the use of the products offered by Phorm complies with the DPA will depend, in the first instance, on the extent to which the company is processing personal data. Personal data is information that relates to a living individual who can be identified from that information or other information in the possession of or likely to come into the possession of the person holding it. Phorm has asserted that it does not have nor would it ever want or need access to any information held by the ISP which would enable it to link their user ID and profile to a living individual. If this is true the company is not processing personal data of the ISP’s customers in providing its product and the DPA will not apply. Further Phorm has also assured the Commissioner of an additional safeguard, in that it is not possible for an employee to interrogate its systems to reveal particular user ID profiles.

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention. To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA. When considering whether or not the processing in this context is fair the Commissioner takes into consideration the extent to which users are made aware that the processing will take place, any choice that they are able to exercise over whether or not the processing takes place, the ease with which they can object and the effect of the processing upon the individual.

Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis. In addition we are told that users will be able to easily access information on how to change their mind at any point and free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice.

On the basis of our understanding of the explanation provided to us there does not appear to be any detriment to users in the operation of the Phorm system as those who choose to be involved will only have the information used to match them against an advertising category and then present them with targeted advertising while browsing the internet. The ISP does not create lasting records of browsing habits in this context and do not seek to link living individuals to that information as it is profiled and sent to Phorm. It also appears that users who opt out do not have their web browsing habits profiled and will be in the same position as regards the processing of their personal data as before the Phorm systems were introduced.

A question has been raised by some individuals about whether or not the Phorm products entail an unlawful interception of communications under the Regulation of Investigatory Powers Act 2000 (RIPA). The Home Office is responsible for compliance with RIPA and Phorm has approached the office directly and had a written response. Some organisations have stressed an alternative view that the scanning of the content of websites by the ISP en route to the user will entail an interception of communication during transmission. This is a matter that the Home Office takes the lead on and the Commissioner will not be taking any further action.

Phorm and the ISP will also have to comply with the PECR even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for Phorm to achieve compliance with Regulation 6.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

Whether or not the Phorm products are a concern for the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product.

In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates.

It has been suggested that the ICO is still not considering the point that analysis of all web traffic may be a disproportionate measure to achieve the aim of targeting advertising when, with consent, information as to advertising preferences can be gathered overtly and less intrusively. The ISP could, for example, simply ask users to tick categories of advertisement in which they might be interested. Moreover, it is also suggested that the ICO is not considering that the ISP will not only be storing users’ Internet traffic (as it does now) but that, unless users can opt out of the interception (not just the transmission of adverts), the ISP will be processing for the purpose of adverts every single part of its users’ internet traffic, however private and sensitive – something which it does not do now (at least not without a warrant). The ICO does not seem to say that users should be able to opt out of the blanket processing. Interesting issues arise too about the rights of content providers (whether commercial enterprises or private individuals). There are not just RIPA issues of consent to the interception (many web pages expressly forbid use of their content by third parties) but also issues of copyright infringement, breach of confidence and the further ethical and legal issues raised by the ISP’s impersonation of the Web site the ISP customer is trying to access (the scheme anticipates the use of look-a-like cookies).

Phorm issued a statement which reads:

We have not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.

We’re very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.

Industry gossip, and it has little status beyond that, suggests that the ISPs who appear to have signed up for Phorm may well run for cover and not be quite so keen on the idea now.