UK: Phorm targeted advertising practices – under pressure

By EDRi · March 26, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

A large controversy has been lately spurred in the UK by the new technology
Phorm, which can track users’ online surfing habits in order to better
target ads.

The Phorm system is apparently meant to assign a unique identifying number
to a user’s browser, which, according to the developing company, cannot be
associated with the user’s IP address, not even the ISP. Then, it uses
information on the user’s surfing habits obtained by searching for key words
on the requested URLs and visited websites and assigns that unique number to
various “channels”. When a website with a “Phorm please put an ad in here”
tag is visited, Phorm provides an ad from a channel where the user’s unique
number appears. It appears that some ISPs like BT, Talk Talk and Virgin have
signed up to use Phorm.

Several technical questions have been raised. The EDRI-member Foundation for
Information Policy Research (FIPR) letter says: “Users are apparently to be
allocated pseudonyms for some of the processing, but at various processing
stages the personal data can be linked to the pseudonym, the pseudonym can
be linked to the IP address used, and the IP address can be linked to the
user. Although we understand that this linkage will not be standard
operating practice, it can nevertheless be performed.”

Phorm assures that it does not write in “the production system” the data on
the content viewed, getting rid of this information as soon as the assigning
of the unique number to a channel is complete. The data is stored for 14
days in a separate system used for “research and debugging” and then
deleted.

Concerns were also related to the legality of the system. It is not yet
clear whether the use of Phorm by ISPs is in compliance with the Data
Protection Act. In the opinion of the FIPR, Phorm is illegal according to UK
law and the Foundation has sent an open letter in this sense to the
Information Commissioner Richard Thomas claiming Phorm contravenes the
Regulation of Investigatory Powers Act 2000 (RIPA), which protects users
from unlawful interception of information.

The UK Home Office has drawn up guidance suggesting that ISPs will conform
with the law if customers have given consent. FIPR argues that Phorm must
not only ask the consent of web users but also of website operators.
Nicholas Bohm, general counsel at FIPR, said: “The need for both parties to
consent to interception in order for it to be lawful is an extremely basic
principle within the legislation, and it cannot be lightly ignored or
treated as a technicality.”

But a spokesman for BT told BBC News: “Provided the customer has consented,
we consider that there will generally be an implied consent from website
owners”. Ertugrul, chief executive of Phorm Kent, stated: “With
regards to a website that is published openly and fairly, we are not
breaching any laws in using information that is published on it” . He also
added that websites which discouraged web crawling from search engines would
not be subject to Phorm’s tools.

In its open letter FIPR pointed out that many websites required registration
giving access to their content only to some people adding that many websites
or part of websites belonged to an “unconnected web” with a limited number
of people.

But Phorm has argued that its system gave users more privacy because of an
opt out possibility. “Phorm has an on-off switch and does not store any
personal data at all,” said Mr Ertugrul.

One of the opponents of Phorm is Sir Tim Berners-Lee, inventor of World Wide
Web who stated he did not want his ISP to track which websites
he visited. “I want to know if I look up a whole lot of books about some
form of cancer that that’s not going to get to my insurance company and I’m
going to find my insurance premium is going to go up by 5% because they’ve
figured I’m looking at those books,” he said.

Phorm has said its system offers security benefits warning users about
potential phishing sites.

A petition submitted by Mark Antony Thompson addressed to the Prime Minister
to “stop ISP’s from breaching customers privacy via advertising technologies” has gathered more than 8500 signatures. The petition
considers “the opt out system for this technology is vague and unproven,
even when opting out your every move on the Internet might be recorded.
Surely this must be a breach of privacy laws, if not then the privacy laws
need to be changed to cover such invasive technology.”

Foundation for information policy research – Open Letter to the Information
Commissioner (17.03.2008)
http://www.fipr.org/080317icoletter.html

Phorm ‘illegal’ says policy group (17.03.2008)
http://news.bbc.co.uk/2/hi/technology/7301379.stm

The Phorm storm (12.03.2008)
http://www.openrightsgroup.org/2008/03/12/the-phorm-storm/

Web creator rejects net tracking (17.03.2008)
http://news.bbc.co.uk/2/hi/technology/7299875.stm

Petition to the Prime Minister to Stop ISP’s from breaching customers
privacy via advertising technologies
http://petitions.pm.gov.uk/ispphorm/