Third Phorm trials started, but privacy concerns remained

By EDRi · October 8, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Following a complaint placed in July 2008 by campaigners against the British
companies BT and Phorm for their allegedly illegal secret ISP-level adware
trials, the London Police decided not to investigate the case arguing there
had been implied consent of their customers. BT started its third trial of
Phorm technology on 30 September, this time asking the consumers to opt-in.

Phorm is used to monitor a user’s web browsing history, taking a copy of the
places the user goes to and search terms he (she) looks for. Then, adverts
related to that history are placed on websites that have signed up to use
Phorm, such as BT, Talk Talk and Virgin.

Phorm has been criticised being considered to break laws on unwarranted
interception of data. Privacy advocates are also concerned by the
information that the technology gathers about a user’s web browsing habits.

“The matter will not be investigated by the City of London Police as it has
been decided that no Criminal Offence has been committed. One of the main
reasons for this decision is the lack of Criminal Intent on behalf of BT and
Phorm Inc in relation to the tests. It is also believed that there would
have been a level of implied consent from BT’s customers in relation to the
tests, as the aim was to enhance their products” wrote detective sergeant
Barry Murray in an email to Alex Hanff, the anti-Phorm campaigner having
compiled the dossier against the two companies.

In the police’s opinion, the matter is considered a civil dispute and “there
is no suggestion that Criminal Intent exists.” Nicholas Bohm, lead counsel
of the Foundation for Information Policy Research, considers the police’s
explanation “pathetic” and argues that Phorm breaks several criminal laws,
especially if there is no consent. “City of London Police’s response
expresses massive disinterest in what occurred. Saying that BT customers
gave implied consent is absurd. There was never any behaviour by BT
customers that could be interpreted as implied consent because they were
deliberately kept in the dark. As for the issue of whether there was
criminal intent, well, they intended to intercept communications. That was
the purpose of what they were doing. To say that there was no criminal
intent is to misunderstand the legal requirements for criminal intent” he

In February, after the first two trials of the technology used to intercept
and profile subscribers’ Internet usage, BT and Phorm were advised by the
Home Office that the technology was covered by the Regulation of
Investigatory Powers Act (RIPA), governing wiretapping. The system could be
legal if consent was obtained but it appears that no consent had been asked
during those trials.

The Information Commissioner Office (ICO) asked in April 2008 that Phorm
ad-targeting system should be “opt in” and stated it would monitor Phorm
trials and commercial rollout to ensure the observation of the data
protection laws. ICO said that after its discussions with Phorm, there
appeared to be no infringement of the laws regarding personal data.

Information Society Commissioner Viviane Reding had asked the UK Government
to give, by the end of August, an explanation of how Phorm’s technology
conformed with EU data protection and privacy laws. The Department for
Business, Enterprise and Regulatory Reform (BERR) responded in
September, basically considering that Phorm’s products are capable of being
operated with the users’ knowledge and consent, and if the users are
“presented with an unavoidable statement about the product and asked to
exercise a choice about whether to be involved.”

But, as Nicholas Bohm has shown, unless the ISPs have the explicit consent
of both the customers whose profile is used as well as the advertising
websites using it, they are likely to commit an offence under the Regulation
of Investigatory Powers Act (RIPA). “The inevitable conclusion is that an
ISP who operates the Phorm system will commit offences under RIPA s1 on a
large scale. Phorm is inciting the commission of those offences, which is
itself an offence at common law (and will be an offence under section 44 of
the Serious Crime Act 2007 when it is brought into force to replace the
common law offence)” said Bohm.

The question is whether UK authorities are aware that communications between
Internet users and website owners during web browsing are legally private
just like the communications between any two private people. They think
future Phorm deployments can be legal. On the other hand, they refused to
make public their answer to the European Commission about the first two
secret trials.

Without having a clear answer on these issues, BT started on 30 September a
new trial of the Phorm technology, this time by asking consent to its users
for the participation in the trial. The company has even envisaged
incentives such as offering to donate to charities if its users opt to let
their Internet use profile for advertisers, an upgrade to a faster broadband
package at no extra cost, a reduction in the bill, free music or anti-virus
software download vouchers or others.

Digital rights campaigners have fought against Phorm for some time now and
have shown that there is no protection for UK citizens from corporations
wanting to illegally intercept private communications.

The European Commission lawyers are analysing the UK government’s
explanation of why no action has been taken.

Police drop BT-Phorm probe (22.09.2008)

Phorm mulls incentives for ad targeting wiretaps (26.09.2008)

4 good reasons not to take part in the BT Webwise trial (30.09.2008)

What BERR want from Phorm – and what we think they’re missing (19.09.2008)

The Phorm “Webwise” System (18.05.2008)

EDRi-gram: UK: Phorm targeted advertising practices – under pressure