By EDRi

This article is also available in:
Deutsch: [Phorm zurück auf dem europäischen Parkett | www.unwatched.org/EDRigram_9.20_Phorm_zurueck_auf_dem_europaeischen_Parkett?pk_campaign=edri&pk_kwd=20111028]

After its implementation in UK failed, Phorm wants a fresh start by
placing its foot in the European market through a partnership deal with
Romtelecom in Romania.

With no public debate before the launch at the end of September, Romtelecom
has presented a new service called MyClicknet, which basically
implements the Phorm behavioural advertising solution with an opt-in
approach.

In practice, that means that almost all traffic (browsing and searches) on
port 80 from Internet users that opt-in for such a system will be scanned in
order to create a profile that can be sold to interested advertising
companies. Romtelecom insists that no personal data is recorded or kept and
the user is identified in the ad network based on an anonymous string of
characters.

Romtelecom also claims that the system will not scan any type of “delicate
subjects”, such as content related to smoking, pornography, alcohol, drugs,
health issues or related to children under 14 years old. This would mean in
practice that they will be actively using Deep Packet Inspection (DPI) in
order to see if the content fits in one accepted category or not.

Complaints against the system arose when Internet users saw their
traffic redirecting to the Romtelecom opt-in page for its new service
or, after joining the service, saw that traffic was being redirected to
oix.net (the Phorm service).

Romtelecom’s reply was that the service is 100% anonymous and free and you
need to opt-in (by clicking “Continue” on their redirect page) to get
access to the service. Also, they say the system was checked with the
Romanian DPA (Data Protection Authority) and they have implemented all the
suggestions of the DPA.

However, if the data protection law is fuzzy enough to be interpreted in
such a way a similar service might be accepted by the DPA, the Romanian
eprivacy law (no. 506/2004) is very clear regarding the obligation of
confidentiality of the electronic communication providers. Article 4 states
that the confidentiality of communications is guaranteed and any form of
tapping or surveillance of the communication can be made only with the
“prior written consent” of the users that are taking part in such
communication. And if we think of the users of an Internet communication,
there should be both the subscriber and the website.

After receiving several complaints, the Romanian DPA announced that it will
launch an investigation to see how personal data are protected in the
MyClicknet service, but only after 28 October 2011. In the meantime, all its
public relations are being temporarily suspended, because they need to move
to a new location.

Romanian re-Phorm-ation? (30.09.2011)
http://symbioticweb.blogspot.com/2011/09/romanian-re-phorm-ation.html

Romtelecom and their illeagal practices – Myclicknet traffic being
intercepeted and analsed (only in Romanian, 6.10.2011)
http://forum.softpedia.com/index.php?showtopic=810348&st=0

Clicknet from Romtelecom – adverstising, redirecting, spam (only in
Romanian, 4.10.2011)
http://m1ha1.blogspot.com/2011/10/clicknet-de-la-romtelecom-reclame.html

MyClicknet – the wiretapping service of Romtelecom (only in Romanian, 17.10.2011)
http://legi-internet.ro/blogs/index.php/2011/10/17/myclicknet-serviciul-de-interceptare-a-traficului-de-la-romtelecom

EDRi-gram: Phorm given up by UK ISPs (15.07.2009)
http://www.edri.org/edri-gram/number7.14/phorm-out-uk