The Foundation for Information Policy Research, an influential UK think-tank, has sent an open letter to the Information Commissioner, Richard Thomas, stating that the online advertising system Phorm is illegal in Britain. Hoorah, yippee and drinkies all round!
Phorm's pervasive, insidious and extremely controversial snooping system provides so-called "targeted" advertising by spying on an Internet user's web-browsing activities.
It works by trawling silently through websites visited by individual consumers and then matches keywords from the content of any given page to a "profile". Users are then "targeted" (bombarded is a more aptly descriptive word) with advertising allegedly relating directly to their "interests" – interests that have been identified by a surveillance program running in the background on websites that have signed-up to use Phorm's snooping technology.
It is to be deployed by three of the UK's biggest ISPs. BT, Talk Talk and Virgin Media, while others said to be "evaluating" the system include Orange, Sky and Tiscali. However, they (and others) may well have to reconsider their proposed deployment of a system that users have to "opt-out" of.
The system is a nasty agglomeration of covert surveillance and corporate greed. It has absolutely nothing to do with respecting the customer's rights to privacy and the confidentiality of data.
It is the view of the Foundation for Information Policy Research that Phorm's system would leave the ISPs open to class action suits and charges of processing data illegally. Furthermore, under Europe's comprehensive data protection laws, the use of such a system requires the explicit permission of individual customers using an "opt-in".
Even more significantly, the Foundation for Information Policy Research says "the Phorm system will be "intercepting" traffic within the meaning of Section 1 of the Regulation of Investigatory Powers Act 2000. In order for this to be lawful then permission is needed from not only the person making the web request BUT ALSO from the operator of the web site involved (and if it is a web-mail system, the sender of the email as well)."
The open letter a says that "although in some cases this permission can be assumed, in many other cases, it is explicitly NOT given -- making the Phorm system illegal to operate in the UK."
In a press release, Nicholas Bohm, the General Counsel of the Foundation for Information Policy Research writes, "The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle within the legislation, and it cannot be lightly ignored or treated as a technicality. Even when the police are investigating as serious a crime as kidnapping, for example, and need to listen in to conversations between a family and the criminals, they must first obtain an authorisation under the relevant Act of Parliament: the consent of the family is not by itself sufficient to make their monitoring lawful."
Richard Clayton, the organisation's Treasurer, adds, "The Phorm system is highly intrusive – it's like the Post Office opening all my letters to see what I'm interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme."
The open letter also says, "The provision of this service depends on classifying Internet users to enable advertising to be targeted on their interests. Their interests are to be ascertained for this purpose by scanning and analysing the content of traffic between users and the websites they visit.
This activity involves the processing of personal data about Internet users. That data may include sensitive personal data, because it will include the search terms entered by users into search engines, and these can easily reveal information about such matters as political opinions, sexual proclivities, religious views, and health."
For it's part, Phorm says that everything's alright really and people are kicking up a fuss for no real reason given that Internet users are "allocated pseudonyms" for some of the processing.
However, the fact is that at various stages in the processing of data, personal information relating to an identifiable private citizen can be linked directly to the "pseudonym" and the pseudonym can be linked to the IP address used, and the IP address can be linked to the user.
In other words some people will remain identifiable because of sites they choose to visit and the types of searches they make. The Phorm system also places unseen surveillance on email and users visits to chat rooms and social networking sites.
The Foundation for Information Policy Research open letter also says, "Users should have to opt-in to such a system, not merely be given an opportunity to opt-out. We believe this is also required under European data protection law; failure to establish a clear and transparent "opt-in" system is likely to render the entire process illegal and open to challenge in UK and European courts.
It continues, "It would be specially objectionable if opting out were to depend on the maintenance by the user of a cookie, since many reasonable users regularly clear all cookies; nor should users be expected to opt out by blocking one or more websites, since many may not understand how to do this or may make errors in trying to do so".
In response, Kent Ertugrul, the CEO of Phorm ,says he is "very, very comfortable" that his company is not in breach of data protection legislation and even goes so far as to tack on the sophistry that the system actually provides users with enhanced privacy because they are able to opt-out of the technology!! Utterly incredible.
Mr. Ertugrul insists, "We are willing for our opinion to be tested in law." With any luck he'll soon get the chance. And with a bit more luck we'll all be cheering when his system is declared illegal and ISPs have to stop using it.
Subscribers pay their ISPs for Internet access. Advertising on the Web is already pernicious and pervasive, but ISPs want to make more money from their customers and they are going to do it by snooping on user behaviour without that user's knowledge or consent. That is morally reprehensible and, as we shall find out in due course, probably illegal.
Now is the time to take a determined stance against this cynical surveillance. Do not take up a service contract with any organisation that will sell your personal information (whether is is "identifiable" or not) to an advertising company or any other third party without having given your express consent for it in writing.
Also take a look at your contract with your ISP and check that the devious so-and-so haven't just added a new clause to their terms and conditions (as some have), thus giving themselves the "right" to include you in to their obnoxious systems unless you very specifically opt out of it.
This grubby and sneaky little system, whose only purpose is enrich others by worming its silent, slimy and invisible way though your personal data, should be stamped-on and wiped out forthwith.
please sign in to rate this article