
Give users freedom of choice, ICO tells Phorm

p2pnet news | Advertising:- Britain’s Information Commissioner’s Office (ICO) apparently agrees with Sir Tim Berners-Lee, the man who founded the World Wide Web.

“It’s mine,” Berners-Lee recently stated, “you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.”

Under discussion in both instances was, and still is, so-called ‘targeted’ advertising promoter Phorm.

Now, people must be able to exercise freedom of choice whereby they can voluntarily “opt in” to Phorm, or not, says the Information Commissioner’s Office (ICO).

“Phorm claims that its system does not allow the retention of individual profiles of sites visited and adverts presented, and that it holds no personally identifiable information on web users,” said a p2pnet post, quoting computing’s Data Watch.

It continued >>>

Last week it emerged that BT had trialled Phorm’s technology in 2007 without informing customers.

BT claimed that the trial was legal because individual users’ information remained anonymous - but privacy campaigners said it was a breach of the Regulation of Investigatory Powers Act (RIPA) 2000, which makes it an offence to intercept internet traffic without consent or a warrant.

The Foundation for Information Policy Research had earlier contacted the ICO in an open letter which said, in part >>>

It has been suggested that web-hosts impliedly consent to the download of their pages, and that it follows that they consent to the interception involved in scanning them for the purposes of classifying the user for targeted advertising services. But even where a web-host does consent to the downloading of his page by a user, we do not accept that this entails any consent to the scanning of that page by a third party.

Moreover, in many cases it is clear that any such consent is expressly or impliedly negatived. In the case of the many pages which are accessible only after registration of the user, access by an unregistered third party is plainly unauthorised (and sometimes expressly prohibited by the conditions under which access is permitted).

In the case of the unlinked web (those pages to which links are not published generally, being provided to closed groups by their host) there is no implied general consent to download, and consent for third party scanning is impliedly negatived by the context.

We therefore consider that even if third party scanning obtains the fully-informed and explicit consent of a user, it simply cannot hope to obtain all the consents necessary from others. It therefore involves unlawful interception; and it therefore cannot comply with either the first or the second of the data protection principles.

Says BadPhorm, launched to address the issues >>>

Simply put, three of the UK’s largest ISPs (Virgin Media, BT and TalkTalk) have decided to sell your private browsing history to an advertising broker. Yes, the entire list of every web page you visit gets sent to Phorm (the broker) in real time, as you click, so they can send you ‘targeted advertising’. Naturally the ISPs are not too keen on telling their users this, they’d much rather feed us all platitudes about how it’ll help combat phishing and how the targeted adverts will be so much better than the random ones we see today. In fact, they didn’t even announce it to the UK press, we had to find out about it from the New York Times!

Over the past few days a PR company retained by Phorm and indeed Phorm themselves have repeatedly attempted to address the numerous questions raised by many concerned individuals.

In our opinion however, they have failed to adequately address some of the most important issues raised repeatedly and ultimately unsuccessfully by our users.

We therefore call on Phorm and all participating ISPs to state publicly and on the record that they will ensure all deployments of the Phorm system meet the following specific requirements :

The Phorm system must be fully opt-in. Opt-out systems are, in our opinion, not acceptable for such a potentially invasive piece of technology.

Such opt-in must be explicit and voluntary (requiring specific user action) for all subscribers, not simply a change in the ISPs terms and conditions.

The opt-in process must be managed at a network level, not reliant on cookies or any other type of client side mechanism.

Where a user has chosen not to participate in the Phorm system, that user’s traffic must not be passed through or be accessible by any equipment owned, operated or supplied in whole or in part by Phorm (including software operating on ISP owned equipment).

Many of our users have indicated they would far prefer ISPs did not install the Phorm system at all, citing privacy, security and reliability concerns over this unproven technology; a sentiment with which we agree.

We appreciate that some ISPs wish to offer their users the choice, and in our opinion those deploying the Phorm system can only offer genuine choice to their users and guarantee to protect the privacy of those subscribers who choose not to participate in the Phorm system by accepting the requirements above.

The ICO statement says in full >>>

The Information Commissioner has been approached by a number of individuals and organisations for a view on Phorm’s Webwise and Open Internet Exchange (OIX) products. Phorm also approached the Commissioner immediately prior to announcing a deal to work with 3 major UK internet service providers (ISP) and launch of the Webwise and OIX products to explain the nature of their products and in particular what they believe to be the privacy friendly elements of them. The Commissioner has also had contact with the ISP working with Phorm about the scope and nature of their roll out of the Phorm products.

The Commissioner is responsible for enforcing the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). Therefore the Commissioner is confining himself to the question of whether the use of the products offered by Phorm complies with the DPA and PECR. Furthermore the Commissioner’s views are based on the current understanding of the Phorm products before the upcoming trial or roll out by any of the ISP have taken place which should provide more information about their use in practice.

Phorm has developed a system where, with the cooperation of an individual’s ISP they can profile the addresses and certain content of websites visited by users and then use that information to match that user against predefined broad advertising categories. Phorm assert that this targeted marketing takes place in a way that rigorously protects the privacy of web users.

Phorm has explained that the user profiling occurs with the knowledge and agreement of customer and within the technological infrastructure of the ISP. The profile is based on a unique ID allocated at random to each internet user which is held only on their computer and by Phorm so that the advertising and profiling can take place without needing to know the identity of the individual users. When a user visits a website that has an agreement with Phorm their user ID is recognised and Phorm will use the broad advertising categories associated with that ID to enable relevant advertising channel to be shown on the website. The advertising is displayed instead of non-targeted advertising that would be displayed to users regardless of the roll out of the Phorm products.

Phorm has provided assurances that the systems have been configured so that the company does not have a record of the actual sites visited and search terms used by the user and in addition the advertising categories exclude certain sensitive terms and have been drawn widely so that the profiles that they hold for users will not inadvertently reveal the identity of a user or return advertising of a sensitive nature. Phorm also assures us that the ISP does not hold or have access to either the advertising categories users have been matched against or the user ID and does not keep a lasting record of internet traffic for any reason other than it would have originally.

Whether the use of the products offered by Phorm complies with the DPA will depend, in the first instance, on the extent to which the company is processing personal data. Personal data is information that relates to a living individual who can be identified from that information or other information in the possession of or likely to come into the possession of the person holding it. Phorm has asserted that it does not have nor would it ever want or need access to any information held by the ISP which would enable it to link their user ID and profile to a living individual. If this is true the company is not processing personal data of the ISP’s customers in providing its product and the DPA will not apply. Further Phorm has also assured the Commissioner of an additional safeguard, in that it is not possible for an employee to interrogate its systems to reveal particular user ID profiles.

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention. To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA. When considering whether or not the processing in this context is fair the Commissioner takes into consideration the extent to which users are made aware that the processing will take place, any choice that they are able to exercise over whether or not the processing takes place, the ease with which they can object and the effect of the processing upon the individual.

Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis. In addition we are told that users will be able to easily access information on how to change their mind at any point and free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice.

On the basis of our understanding of the explanation provided to us there does not appear to be any detriment to users in the operation of the Phorm system as those who choose to be involved will only have the information used to match them against an advertising category and then present them with targeted advertising while browsing the internet. The ISP does not create lasting records of browsing habits in this context and does not seek to link living individuals to that information as it is profiled and sent to Phorm. It also appears that users who opt out do not have their web browsing habits profiled and will be in the same position as regards the processing of their personal data as before the Phorm systems were introduced.

A question has been raised by some individuals about whether or not the Phorm products entail an unlawful interception of communications under the Regulation of Investigatory Powers Act 2000 (RIPA). The Home Office is responsible for compliance with RIPA and Phorm has approached the office directly and had a written response. Some organisations have stressed an alternative view that the scanning of the content of websites by the ISP en route to the user will entail an interception of communication during transmission. This is a matter that the Home Office takes the lead on and the Commissioner will not be taking any further action.

Phorm and the ISP will also have to comply with the PECR even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for Phorm to achieve compliance with Regulation 6.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

Whether or not the Phorm products are a concern for the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product.

In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates.

Stay tuned.


ICO - Phorm - Webwise and Open Internet Exchange, April 8, 2008
p2pnet - UK watchdog to monitor Phorm, April 7, 2008
Data Watch - Data watchdog to keep an eye on BT’s Phorm trial, April 7, 2008
open letter - Phorm Pharce - FIPR open letter, March 17, 2008

