Phorm and DPI: Alex Hanff

p2pnet news | Advertising:- DPI is short for Deep Packet Inspection, an almost harmless-seeming term which in Canada is being forcefully thrust into public attention by the Bell Canada throttling scandal.
DPI (and filtering) “enables advanced security functions as well as internet data mining, eavesdropping, censorship, etc,” says Wikipedia.
Advocates of net neutrality fear that DPI technology will be used to privatize the Internet.
It’s also cited by CAIP (Canadian Association of Internet Providers) which, in its attempts to have Bell’s activities curtailed, said in a submission to Canadian regulators, “Bell is using DPI to sequester or ‘hijack’ certain data packets as they pass through the network, and hold these packets hostage until certain pre-conditions are met …”
CIPPIC (Canadian Internet Policy and Public Interest Clinic) wants the Canadian privacy commissioner to launch an investigation saying Bell has not only, “failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for,” it’s using Deep Packet Inspection to, “find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network,” says the story.
And DPI is also a favourite of the people behind British advertising company Phorm, the subject of a highly critical open letter sent by the Foundation for Information Policy Research to Britain’s information commissioner.
“Plans by ISPs to use Phorm, a company with ‘roots in the murky world of spyware,’ as The Register summed it up, and which these days tracks people online to create ‘personalised’ adverts, were also sharply attacked by Sir Tim Berners-Lee, the man who invented the World Wide Web,” p2pnet posted in March, going on to quote him as saying:
“I want to know if I look up a whole lot of books about some form of cancer that that’s not going to get to my insurance company and I’m going to find my insurance premium is going to go up by 5% because they’ve figured I’m looking at those books.”
The story goes on:
His data and web history belong to him, he states.
‘It’s mine – you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.’
Phorm is trotting out the transparently false claim, also often used by Google, Facebook, MySpace and others, to whom the same argument applies, that offering ‘personalised’ advertisements by tracking users would improve their online experiences.
BT PLC, TalkTalk and Virgin Media are among the companies which have bought into Phorm’s Open Internet Exchange (OIX) ‘service’ it says, also touting OIX as offering ‘additional protection against malicious websites’.
Publishers and advertising agencies that have ‘partnered with Phorm for the launch of OIX’ include FT.com, iVillage, Universal McCann, MGM OMD and Unanimis, it boasts.
Your rights
Alex Hanff is a name that’ll be familiar to regular p2pnet readers.
He was targeted by Hollywood for special attention back in 2005, and more recently, criticised the BBC for locking up content on its iPlayer even though Britons have to pay for TV licences.
He’s also an expert on Phorm. Click here to see a BBC video of Hanff discussing Phorm with its creator, Kent Ertugrul. And click here to add your name to the ‘Stop ISP’s from breaching customers privacy via advertising technologies’ petition.
Meanwhile, “In 2008 BT PLC made public statements admitting to running covert trials of Deep Packet Inspection technologies for the purpose of behavioural profiling,” he says.
“The trials included more than one hundred thousand of their customers during 2006 and 2007. Key public authorities, privacy experts, the press and the public have voiced concerns over whether or not the trials were legal. The controversy rests in whether or not the trials constituted unlawful interception of communications as a result of not obtaining informed consent from relevant parties.”
Hanff has now published a paper analysing a wide range of legislation including but not limited to: Regulation of Investigatory Powers Act 2000, Fraud Act 2006, Privacy and Electronic Communications (EC Directive) Regulations 2003 and Data Protection Act 1998 to investigate the requirements with regards to consent, the core issue of this debate.
“After careful analysis of relevant EU and UK laws, statutes and directives it can be interpreted that fundamental legal requirements were not met, making the covert trials illegal under criminal law and unlawful under common law,” he states.
Here’s the full paper:
Introduction
“Everyone has the right to respect for his private and family life, his home and his correspondence.” (Council of Europe, 1950)
Above is the text which appears in Article 8.1 in the European Convention on Human Rights (ECHR) signed in Rome in 1950 but what does it mean? Well it means exactly what it says, there is no hidden context, no complex words or legal ambiguity; it is a comprehensive statement relating to the right for every single human being within Europe to have their privacy protected and respected.
The ECHR is very important in that it protects us from unlawful investigation and monitoring by public authorities; it allows us to live in our home with the comfort that it is our private domain and it allows our families the same reassurances.
However, the ECHR includes a key word at the end of Section 8.1: “correspondence”. This essential inclusion also protects the privacy of our private communications, whether those communications are by letter, by telephone, by digital technologies such as the Internet or any other systems of communication we choose to use. This means people cannot open our mail, they cannot attach listening devices to our telephones and they cannot use any other technologies which intercept our private communications.
There are exceptions to these rules in cases relating to preventing a crime, in times of war or matters of national security but under most circumstances it is accepted and ratified by the various member states of Europe that these rights must and will be upheld. Human Rights are the most fundamental rights we have as a society and they exist to protect people and make the world a more civil place.
Human Rights Act 1998
The Human Rights Act 1998 (HRA) is an Act of Parliament in the UK written to extend ECHR protocols into UK Law. HRA is applied to public authorities and bodies making it unlawful for them to act in any way which contravenes ECHR.
Despite HRA explicitly being designed for use with public authorities, some have argued that it can also be used with private bodies because courts are included in the list of relevant public authorities and therefore their judgements must be compatible with the Act; this is known as the Horizontal Effect:
“Private bodies can also be indirectly bound by the 1998 Act since section 6(3)(a) defines a ‘public authority’ as including courts and tribunals. Therefore, in an action against a private body (for example, an employee suing for unfair dismissal) a human rights claim can be attached. The main cause of action is not the rights issue since these cannot be directly enforced against the private body (since section 6 only requires public authorities to act compatibly). Nevertheless, the court or tribunal is obliged to consider the human rights issue and must resolve it, through the application and interpretation of common law, equity or legislation, in a manner compatible with the Convention.” (Best, K. and McCukser, R., 2002)
BT PLC
The purpose of this article is to outline and evaluate the legal issues raised by the secret trials of Phorm Inc. technologies by BT PLC in 2006/2007.
BT PLC are the privatised telecommunications provider in the UK formerly known as British Telecom and they provide telecommunications services to business, the public and public authorities. BT PLC own the vast majority of the UK’s telecommunications infrastructure and as such hold a large market share in the telecommunications industry including but not limited to the provision of traditional POTS (plain old telephone system) services, Internet services (primarily broadband services known as ADSL) as well as Voice Over IP services, IP TV services and corporate leased lines.
As a result of this market dominance BT PLC are entrusted with peering an immeasurable number of private communications in the UK every single day so it is essential that they adhere to relevant legislation in order to protect the privacy rights of their customers.
In March/April 2008 BT PLC admitted to the press and media that it had used technologies developed by Phorm Inc. in secret trials involving an estimated 30 000 customers. (Arthur, C., 2008. Waters, D., 2008. Williams, C., 2008a. Williams, C., 2008b)
As a result of these being secret trials, no consent was obtained from their customers and when customers noticed their computers behaving in a strange way and consulted BT on these issues, BT denied any knowledge:
“BT support stuck firmly to the line that the dns.sysip.net lookups were nothing to do with it, despite further tests Stephen had carried out with a brand new computer. The firm’s response, via emails, was: “sysip.net is a DNS hijacker, similar to a malware therefore your anti virus scan would not have picked this up.” After many calls and emails, finally it conceded “an issue which affected some users that week”.” (Williams, C., 2008c)
This means that not only did BT PLC engage in secret trials without the consent of their customers but they also deceived their customers when concerns were raised by them (either deliberately or inadvertently).
So we have now established that trials took place without consent and the rest of this article will concentrate on what this means with regards to current legislation in the UK.
Regulation of Investigatory Powers Act 2000 (RIPA)
RIPA is an Act of Parliament in the UK which outlines the legal framework regarding the interception of communications in the UK; in essence it extends ECHR into UK law and defines under what circumstances interception may and may not take place. This is important because as previously mentioned ECHR allows exceptions to Article 8.1 for the purpose of law enforcement and national security, so in order to ensure that these exceptions are not abused RIPA provides the aforementioned legal framework.
Section 1 of RIPA (Unlawful Interception) states the following:
“1. It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—
(a) a public postal service; or
(b) a public telecommunication system.
2. It shall be an offence for a person—
(a) intentionally and without lawful authority, and
(b) otherwise than in circumstances in which his conduct is excluded by subsection (6) from criminal liability under this subsection, to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of a private telecommunication system.” (RIPA, 2000)
So the question is, can the technology be defined as interception and if so was the interception unlawful as defined by Section 1 of the Act? In order to understand and answer the question we need to take a closer look at the technology being used.
Deep Packet Inspection
“Deep Packet Inspection is a term used to describe the capabilities of a firewall or an Intrusion Detection System (IDS) to look within the application payload of a packet or traffic stream and make decisions on the significance of that data based on the content of that data.” (Dubrawsky, I., 2003)
Deep Packet Inspection is a technology implemented at the network level which has the ability to analyse and alter the contents of any network stream passing through it. By contents it is meant the actual contents of the stream as opposed to just identifying the type of stream, destination/source etc. Richard Clayton from The Foundation for Information Policy Research describes the process as:
“it’s like the Post Office opening all my letters to see what I’m interested in, merely so that I can be sent a better class of junk mail.” (Clayton, R., 2008a)
The technology developed by Phorm Inc. is a piece of network hardware running their software which carries out Deep Packet Inspection. Through use of this technology Phorm Inc. are able to act on information within the content of the stream in a number of different ways.
Webwise
Webwise is the previously mentioned security service which is being used to promote Phorm Inc.’s technology. Through the use of Deep Packet Inspection it is able to detect when a stream is bound for a destination that is known to be a security risk for the user initiating the stream. It does this through the use of Blacklists, which can be described as a large list of Internet servers or web sites which are maintained either internally or through a third party. Blacklists are common on the Internet and are frequently used by email servers to help reduce unsolicited emails (known as Spam) as well as other software designed to improve security. In the case of Phorm Inc.’s technology they are using popular third party blacklists already used by many other user level software applications:
“We use commerical [sic] providers for our anti-phishing feeds. Some are the same as those used by Google and Microsoft, some are different and have different coverage.” (Political Penguin (alias), 2008)
This is an important point as there are many popular software applications available which use these same commercial blacklists. These include but are not limited to:
- Anti Virus Software
- Web Browser Software
- Anti Spyware, Anti Adware and Anti Malware Software
- Operating Systems
So in essence this type of technology is not new and is mostly redundant as there is already a very active segment of the security industry meeting these needs using the same tools (third party Blacklists). Furthermore the fact that Deep Packet Inspection is being used in order to provide a service which can be delivered with less intrusive methods (such as current end user software does) would seem to be an over-complex and inefficient use of network resources.
That said, had the technology been designed purely for the purpose of providing security features it would probably be a lot more acceptable in the eyes of the public, privacy experts and politicians and would probably fall under the following exception under RIPA (Section 3. Lawful interception without an interception warrant).
“(3) Conduct consisting in the interception of a communication is authorised by this section if -
(a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and
(b) it takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services.” (RIPA, 2000)
The fact that the Deep Packet Inspection technology is being used for other purposes is where the real problems arise.
Open Internet Exchange (OIX)
As stated in the previous section, Deep Packet Inspection can be used to analyse and alter the actual contents of a network stream and this is exactly what happens with regards to Open Internet Exchange (OIX). OIX is the revenue factor of Phorm Inc.’s technology. Through the use of Deep Packet Inspection Phorm Inc.’s systems (the same ones being used to provide Webwise) read the contents of all web based (HTTP) streams which are not sent using the Secure Socket Layer (SSL or in the case of HTTP it is known as HTTPS) protocol (which uses end to end encryption).
Most web sites on the Internet do not use SSL for communicating with their users because it usually involves extra costs (in order to purchase an industry recognised security certificate from one of the proprietary vendors) and on busy web sites it would cause a noticeable performance hit as the computer’s processor needs to decrypt all the requests coming in from the end user which could require more expensive server hardware.
SSL is generally reserved for authentication purposes (where a user needs to send a password over the Internet in order to authenticate with a server) or situations where sensitive data needs to be acquired such as credit card details on an e-commerce website like Amazon.com in order to place a purchase order.
Therefore it stands to reason that since most web sites do not communicate over encrypted channels, that Phorm Inc.’s technology will literally read the contents of most web sites customers visit. This is reiterated by Virasb Vahidi, the chief operating officer of Phorm Inc. who explained the scope of their technology to the New York Times:
“As you browse, we’re able to categorize [sic] all of your Internet actions. We actually can see the entire Internet.” (Vahidi, V., 2008)
How is Deep Packet Inspection explained in relation to the 2006/2007 trials?
In the case of the secret trials carried out by BT PLC in 2006 and 2007 Deep Packet Inspection went one step further in that it altered the contents of the network stream. In order to test the effectiveness of the targeted advertising system (OIX), software source code called JavaScript was injected into the network stream to alter the web page the end user was delivered on their screen, in order to display advertising banners which had not been placed there by the content owner and download a cookie file onto the end user’s computer. (Morelli, F.S., 2007)
It is also worth mentioning that during both the trials in 2006 and 2007, it is believed that only the Deep Packet Inspection procedures which were relevant for the purpose of OIX were tested; there has never been any statement or evidence to suggest that Webwise was ever part of these trials.
The trials and RIPA
In order to analyse the network stream using Deep Packet Inspection the stream needs to be intercepted by the technology and therefore RIPA outlines whether or not this type of interception of communications is lawful as defined by the Act.
In the case of the trials in 2006 and 2007 neither the end user nor the web site publishers whose sites were visited by the unknowing trial customers, gave their consent to the interception. Consent is required from all parties with authority involved in the communication. In the case of a customer visiting a web site that would mean that consent is required by law from both parties and if consent is not obtained the result is a criminal breach of the Act. This is supported on many fronts, for example a representative of the Home Office issued a statement regarding Phorm’s Technology:
“Where targeted online advertising is determined and delivered to a user’s browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs’ user and web page host would make that interception clearly lawful.” (Watkins, S. 2008) (emphasis added)
This illustrates that consent is required from all parties and whereas the Home Office statement touches on implied consent with regards to whether or not a published web site can be assumed to be consenting it adds “in the absence of any specific express consent” (Watkins, S. 2008)
Which brings us to yet another issue; what if a web site has explicit terms denying consent for this activity? It has been pointed out that in fact many popular web sites have explicit terms denying the right for 3rd parties to use any of their published data for commercial purposes as outlined below:
“Amazon.co.uk grants you a limited licence to access and make personal use of this website, but not to download (other than page caching) or modify it, or any portion of it, except with express written consent of Amazon.co.uk. This licence does not include any resale or commercial use of this website or its contents; any collection and use of any product listings, descriptions, or prices; any derivative use of this website or its contents; any downloading or copying of account information for the benefit of another merchant; or any use of data mining, robots, or similar data gathering and extraction tools.
This website or any portion of this website may not be reproduced, duplicated, copied, sold, resold, visited, or otherwise exploited for any commercial purpose without our express written consent.” (Amazon Inc. 2007)
It would seem that these do not satisfy the conditions for implied consent as they explicitly deny that consent. This point is supported by The Foundation for Information Policy Research who sent the Information Commissioner an Open Letter expressing their concerns over Phorm Inc.’s technology. In it they state:
“It has been suggested that web-hosts impliedly consent to the download of their pages, and that it follows that they consent to the interception involved in scanning them for the purposes of classifying the user for targeted advertising services. But even where a web-host does consent to the downloading of his page by a user, we do not accept that this entails any consent to the scanning of that page by a third party.
Moreover, in many cases it is clear that any such consent is expressly or impliedly negatived. In the case of the many pages which are accessible only after registration of the user, access by an unregistered third party is plainly unauthorised (and sometimes expressly prohibited by the conditions under which access is permitted).
In the case of the unlinked web (those pages to which links are not published generally, being provided to closed groups by their host) there is no implied general consent to download, and consent for third party scanning is impliedly negatived by the context.” (Clayton, R. and Bohm, N. 2008)
FIPR also stated:
“The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle under RIPA, and it cannot be lightly ignored or treated as a technicality. Even when the police are investigating as serious a crime as kidnapping, for example, and need to listen in to conversations between a family and the criminals, they must first obtain an authorisation under the Act: the consent of the family is not by itself sufficient to make their monitoring lawful.” (Clayton, R. and Bohm, N. 2008)
Based on this analysis from the Home Office and FIPR (policy advisers) one can only conclude that the trials from 2006 and 2007 failed to meet the consent requirements of RIPA thus making the interceptions unlawful as defined by the Act.
Privacy and Electronic Communications (EC Directive) Regulations 2003
Confidentiality of Communications (Regulation 6) states:
“1. Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
2. The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (emphasis added)
(b) is given the opportunity to refuse the storage of or access to that information. ” (PECR 2003)
Given that it has already been established that the 2006/2007 trials were conducted in secret without consent from the parties involved in the communications which were being intercepted, the trials have failed to meet the requirements of Regulation 6.2.b of the directive.
Regulation 7.3.b of the directive gives us some information with regards to the requirements allowing the storage of data for the purpose of marketing and value added services:
“the subscriber or user to whom the traffic data relate has given his consent to such processing or storage;” (PECR 2003)
Again this indicates that the trials in 2006/2007 did not meet the requirements of the directive for the same reasons given for the Regulation 6 analysis above. Further to this Regulation 8.1 of the directive goes on to reiterate the importance of consent:
“Processing of traffic data in accordance with regulation 7(2) or (3) shall not be undertaken by a public communications provider unless the subscriber or user to whom the data relate has been provided with information regarding the types of traffic data which are to be processed and the duration of such processing and, in the case of processing in accordance with regulation 7(3), he has been provided with that information before his consent has been obtained.” (PECR 2003)
Therefore even if the customers involved in the 2006/2007 trials were now given this information after the fact in order to attempt to obtain post dated consent, Regulation 8.1 requirements of the directive have not been met since it explicitly states that consent must be obtained before any processing occurs. This effectively leaves no track for BT PLC to circumvent the requirements of consent now that the secret trials have been reported in the public domain; even if a customer has no problem with BT having carried out these trials they are not authoritative in a decision as to whether or not BT PLC should have action enforced against them by the Information Commissioner. In fact the Information Commissioner should enforce action simply on the principle that BT PLC failed to meet the requirements of the directive irrespective of whether there is any perceived harm or damage as a result.
Regulation 27 of the directive talks about the modification of contracts and states:
“To the extent that any term in a contract between a subscriber to and the provider of a public electronic communications service or such a provider and the provider of an electronic communications network would be inconsistent with a requirement of these Regulations, that term shall be void.” (PECR 2003)
This statement is difficult to interpret but the most comprehensive interpretation appears to be that a telecommunications service provider is not permitted to assume consent through terms and conditions of service (contract). It might also be determined that (given the title for the Regulation) modifying a contract after it has been initiated (a common practice in the telecommunications industry is to issue terms which include a right to change their terms and conditions at will without renegotiating the contract with the consumer first) to allow data interception to take place, would be void.
If this is the case, plans by BT PLC to change their terms and conditions in order to deploy this technology network wide in 2008 may fail to meet the requirements of the directive. BT PLC are reported to be planning to deploy this technology in 2008 and their consent policy revolves around customers being required to explicitly opt out of this service. In a technical analysis of the technology (which was reportedly edited and verified by Phorm Inc. before publishing) by Dr Richard Clayton of FIPR, it is explained how the opt out system works:
“If the user has set a cookie within the webwise.net domain indicating that they do not wish to be tracked, then this preference is passed to the Layer 7 switch during the process in paragraph 16 above.” (Clayton, R. 2008b)
This appears to fail to meet the requirements of Regulation 8.1 of the directive with regards to consent being obtained prior to any processing or interception, since the stream must be intercepted and processed in order to detect whether or not an opt out cookie is present. Even with a strictly opt in system using the cookie method, Section 8.1 requirements would still not be met given that the interception still takes place before consent is obtained in order to determine whether or not consent has already been obtained or denied.
Furthermore, whereas a subscriber may well give consent, the possibility of other users who are not the contracted subscriber exists. For example, many family members may share a single account on the same home computer to access the Internet, including children and friends of those children. It is unlikely that these users would have given their consent to be profiled by this technology.
In assessment of the above points it would seem that the trials of 2006/2007 fail to meet the requirements of this European Directive on multiple counts.
Computer Misuse Act 1990 (Scotland)
As referenced in section 3.1.1 of this article, the trials of 2006/2007 altered the network stream in order to insert advertising banners and install cookies onto their customers’ web browsers without consent. Under the Scottish version of the Computer Misuse Act Section 3 states:
“1. A person is guilty of an offence if
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.
2. This subsection applies if the person intends by doing the act
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
3. This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.” (PJA 2006)
Under the Scottish regulations it would appear that s3.1 is applicable since the trials were conducted without consent. With regard to the satisfaction of s3.1.c, s3.2 needs to be evaluated.
It can be argued that s3.2.a is satisfied because the networking operations of the computer are being impaired in that the networking logic believes it is communicating with the intended destination whereas it is communicating with an impostor:
“Turning now to the Phorm system. Consider the first web request made by a user, for, let us say, http://www.cnn.com/index.html. This will take the form of a GET request for index.html with a HOST header of www.cnn.com.
The Layer 7 switch will see that the request does not contain a Phorm “cookie” and will direct the request to a machine located within the ISP network that will pretend to be www.cnn.com and will return a “307” response which says, in effect, “you want that page over there”. The page that will be directed to is webwise.net/bind/?<parameters> where the parameters record the original URL that was wanted.
The user’s browser will now wish to visit the webwise.net page it has been redirected to, and will issue an appropriate GET request for this page. If the user already has a cookie for webwise.net then this will, as is standard, accompany the request.
The Layer 7 switch will again direct the request to a special machine (within the ISP’s network for performance reasons if nothing else). This special machine, which is now acting as webwise.net, will inspect any existing cookie to establish the current UID associated with the user. If there is no cookie then a new UID will be issued instead.
The response from webwise.net will be a 307 response redirecting the user to a special URL on www.cnn.com. The response will also contain a cookie (in the webwise.net domain) which contains the UID that is used to track the user. The special URL will also contain a copy of this UID, along with the original request that the user made.
The special URL on www.cnn.com will now be fetched by the user’s browser, and the Layer 7 switch will recognise the request (from its form) as once again to be redirected to the special machine, which will once again pretend to be www.cnn.com.
The special machine will return a third and final 307 redirection, and this time the destination URL will be the www.cnn.com/index.html page that the user has been waiting to visit all along.” (Clayton, R. 2008b)
That is a lot to digest for non-technical readers but in summary we are seeing references to a “special machine” which is posing as the intended destination multiple times for a single web request by the user, which this author believes is an impairment of the networking processes.
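The exchange Dr Clayton describes can be recognised from the customer's side of the connection. The following is an added example, not code from the paper, from Dr Clayton or from Phorm: it replays a constructed trace of the three 307 responses and flags the two traits that set it apart from an ordinary redirect, namely that the browser is sent back to the URL it first asked for and that a value set as a cookie by one host is copied into a redirect URL on another host. The query parameter names, the /special path, the UID value and the single sign-on comparison trace are assumptions made for illustration, and the detector accepts any 3xx status rather than only 307.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed trace (not captured traffic): one dict per request/response pair,
# in order, as a client-side proxy log would record the quoted exchange.
# Parameter names, the "/special" path and the UID are placeholders; the quoted
# analysis only says "<parameters>" and "a special URL".
ORIGINAL = "http://www.cnn.com/index.html"
BIND = "http://webwise.net/bind/?url=http%3A%2F%2Fwww.cnn.com%2Findex.html"
SPECIAL = ("http://www.cnn.com/special?uid=EXAMPLEUID0001"
           "&url=http%3A%2F%2Fwww.cnn.com%2Findex.html")
WEBWISE_TRACE = [
    {"url": ORIGINAL, "status": 307, "location": BIND, "set_cookie": ""},
    {"url": BIND, "status": 307, "location": SPECIAL,
     "set_cookie": "uid=EXAMPLEUID0001; Domain=webwise.net; Path=/"},
    {"url": SPECIAL, "status": 307, "location": ORIGINAL, "set_cookie": ""},
    {"url": ORIGINAL, "status": 200, "location": "", "set_cookie": ""},
]

# Constructed comparison: a single sign-on round trip also leaves the site and
# returns to the requested URL, but no cookie value is copied across hosts.
APP = "http://app.example/reports"
LOGIN = "http://idp.example/login?return=http%3A%2F%2Fapp.example%2Freports"
CALLBACK = "http://app.example/callback?code=ONETIMECODE42"
SSO_TRACE = [
    {"url": APP, "status": 302, "location": LOGIN, "set_cookie": ""},
    {"url": LOGIN, "status": 302, "location": CALLBACK,
     "set_cookie": "idp_session=SESSIONVALUE99; Path=/"},
    {"url": CALLBACK, "status": 302, "location": APP,
     "set_cookie": "app_session=APPSESSION7; Path=/"},
    {"url": APP, "status": 200, "location": "", "set_cookie": ""},
]


def host_of(url):
    return urlsplit(url).hostname or ""


def cookie_values(set_cookie):
    """Values of every cookie in a Set-Cookie header (attributes excluded)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return {morsel.value for morsel in jar.values()}


def query_values(url):
    return {value for _, value in parse_qsl(urlsplit(url).query)}


def redirect_chains(trace):
    """Split a trace into chains in which each Location is the next request."""
    chains, current = [], []
    for entry in trace:
        if current and current[-1]["location"] != entry["url"]:
            chains.append(current)
            current = []
        current.append(entry)
        if entry["status"] not in REDIRECT_CODES:
            chains.append(current)
            current = []
    if current:
        chains.append(current)
    return chains


def find_uid_bounces(trace):
    """Report chains that loop back to the requested URL while handing a
    cookie value from one host to another inside a redirect URL."""
    findings = []
    for chain in redirect_chains(trace):
        hops = [e for e in chain if e["status"] in REDIRECT_CODES]
        if not hops:
            continue
        requested = chain[0]["url"]
        loops_back = hops[-1]["location"] == requested
        handoffs = []
        for hop in hops:
            src, dst = host_of(hop["url"]), host_of(hop["location"])
            if src == dst:
                continue  # same-host redirects cannot carry a cross-site ID
            shared = cookie_values(hop["set_cookie"]) & query_values(hop["location"])
            handoffs += [(src, dst, value) for value in sorted(shared)]
        if loops_back and handoffs:
            findings.append({"requested": requested,
                             "extra_round_trips": len(hops),
                             "handoffs": handoffs})
    return findings


if __name__ == "__main__":
    for finding in find_uid_bounces(WEBWISE_TRACE + SSO_TRACE):
        print(finding)
```

Neither trait alone is enough: the comparison trace also returns to the requested URL, and only the cross-host copy of the cookie value separates the tracking exchange from it.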
The same explanation can be used for evaluating s3.2.b given that the Layer 7 technology is hindering access to the web server software at the intended destination by diverting the network stream back and forth between the Layer 7 technology and the “special machine” multiple times before the stream is finally permitted to continue to the intended destination.
There is also the possibility that s3.2.d might be satisfied given that it appears the cookie methodology being used to determine consent is vulnerable to Cross Site Request Forgery (CSRF) (Mel (alias) 2008). If it is the case (which the evidence seems to suggest) that a user can be opted in to the technology as a result of this security flaw, then s3.2.a and s3.2.b might become applicable as outlined above.
Upon evaluation of the Act the logical conclusion is that if any of the trials took place in territories under Scottish jurisdiction they may have fallen foul of the Computer Misuse Act 1990. At the very least there is strong evidence to argue that the trials may have been illegal under Scottish Law.
Computer Misuse Act 1990 (England)
The difference between the Scottish version of the Computer Misuse Act 1990 and the English version is that the English version requires proof that the entity committing the illegal act has knowledge and intent, so it is often difficult to use the Act in England and Wales. However, on this occasion it should be possible to use the English version based on the following information from Section 3 of the Act:
“3. Unauthorised modification of computer material
1. A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
2. For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.” (CMA (UK) 1990)
As we can see, ss1.b specifies the need to prove intent and knowledge, and if both can be proved then ss2.a and ss2.b become applicable (and possibly even ss2.c). Using the same arguments as discussed with regard to the Scottish version of the Act, it is clear that the Layer 7 technology is being used to “hinder” access and the process is impairing the network processes of the computer initiating the request (customer).
The very fact that the Layer 7 technology exists on the network purely for the purpose of Deep Packet Inspection and re-routing the communication to the impostor server, should be enough to satisfy both intent and knowledge. The Layer 7 technology is intended to intercept and BT installed it with the knowledge that this is exactly what it does.
So in the case of the 2006/2007 trials, which we have already established were unauthorised (thus satisfying ss1.a) and with the information above satisfying ss1.b and ss2.a/ss2.b it would seem likely that the trials were in breach of the Act.
Fraud Act 2006
If we take another look at Dr Richard Clayton’s technical analysis of the technology with regards to how the Layer 7 technology is responsible for multiple reroutes of the communication to a “special machine”, we can see that this “special machine” masquerades as the intended destination on multiple counts for each web page request. Firstly it pretends to be webwise.net and then it pretends to be the web site the customer is trying to access.
Section 2 of the Fraud Act 2006 describes the conditions regarding Fraud by false representation:
“1. A person is in breach of this section if he—
(a) dishonestly makes a false representation, and
(b) intends, by making the representation -
i. to make a gain for himself or another, or
ii. to cause loss to another or to expose another to a risk of loss.” (FA 2006)
It is impossible to deny that the technology is in place in order to “make a gain” as it specifically exists as a process of building a profile in order to sell advertising and the masquerading of the “special machine” is making a false representation of what it is in order to make the networking processes of the customer’s machine believe that it is talking to the intended destination when it is not; therefore ss1.a and ss1.b.i are satisfied.
Furthermore, ss5 of section 2 states: “For the purposes of this section a representation may be regarded as made if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention).” (FA 2006).
So ss5 qualifies the “special machine” and the Layer 7 technology for the purpose of the Act and as such it would seem that the trials in 2006/2007 do satisfy the requirements of a breach under the Fraud Act 2006.
Torts (Interference with Goods) Act 1977
Section 1b of the Act defines “trespass to goods” as “wrongful interference of goods”. (TA 1977) To this author’s knowledge there is presently no case law in the UK with regards to altering the behaviour of a computer without the consent of the owner. However, the issue of Cyber-Trespass is a debate which has grown over recent years with the biggest breakthroughs being in the US.
Michael Simkins LLP writes about Cyber-Trespass as follows:
“If a person, without permission, interferes with another person’s possessions this may amount to trespass to goods. Traditionally trespass cases have dealt with interference with physical goods but a number of US cases have suggested that accessing a computer hard drive can amount to trespass. The barrier preventing the use of trespass as a means of legal complaint about Adware, Spyware or DRM in the US has been the need to prove that the complainant has suffered actual damage. However, last month a Californian District Court ruled that allegations that Adware had damaged existing software and reduced the efficiency of the complainant’s computer were sufficient to amount to damage for the purposes of trespass. This was not a final ruling in this case but it is the second Adware trespass case known to the author to get past the first hurdle in US court procedure; no doubt other cases are pending or will soon be launched.
In the UK it is not necessary to prove that the trespass has caused damage but a complainant must show that the interference with his property has gone beyond generally acceptable standards of conduct. The surreptitious downloading of software which impairs the function of the user’s computer and is only of benefit to the commercial entity causing it to be installed is likely to fall foul of this UK test and amount to trespass.” (Simkins, M. 2006) (emphasis added).
In the case of the trials in 2006/2007, given the evidence issued earlier in this paper with regards to the insertion of JavaScript programs into the web pages delivered to the user, it is likely that BT PLC may be vulnerable to litigation under the Act. Based on the above commentary the JavaScript programs require computer resources to be processed; specifically they require the use of the Central Processing Unit (CPU), Random Access Memory (RAM) and the Graphics Processing Unit (GPU) (to render and display the advertisement).
As previously stated, there appears to be no case law in the UK revolving around these issues, however we can lean on US case law for support.
In May 2000 Judge Ronald M. Whyte issued an injunction against Bidder’s Edge preventing them from scraping auction listings from the eBay web site with the use of software robots. It is reported that Bidder’s Edge visited the eBay auction web site as many as 100,000 times per day in order to retrieve details of auction listings which were then presented to visitors of their own website. Judge Whyte in his summary of the case stated:
“If BE’s activity is allowed to continue unchecked, it would encourage other auction aggregators [sic] to engage in similar recursive searching of the eBay system, such that eBay would suffer irreparable harm from reduced system performance, system unavailability, or data losses,” (Caplan, C. 2000)
As stated earlier in this section, US law requires evidence of damage for trespass to goods complaints, which eBay was able to convince Judge Whyte of during the hearing. The importance of the ruling with regards to the BT trials in 2006/2007 of Phorm Inc.’s technology, comes from the argument of “reduced system performance” as a result of the eBay web site computer servers needing to process hundreds of thousands of these software robot requests per day.
As already outlined, the insertion of JavaScript into the web pages requested by BT customers in the 2006/2007 trials required the use of computer resources to process which can only logically lead to “reduced system performance”.
Furthermore, with regards to the multiple re-routing of the user’s web requests using HTTP 307 responses as outlined in Dr Richard Clayton’s technical analysis, it could also be argued that this has “reduced system performance” as the user’s computer must send multiple requests to access a single web site, which requires three times as many CPU resources (three requests instead of one) and uses more networking bandwidth. Whereas the network stream is not physically on the computer, it should be seen as belonging to the computer and therefore should qualify as goods.
So it would appear that under the Act the trials of 2006/2007 may be vulnerable to litigation for Trespass to Goods.
In the case of eBay vs Bidder’s Edge, Bidder’s Edge eventually settled the case with eBay and discontinued both the scraping of the eBay web site and their own web site (due to market conditions). (Wolverton, T. 2001)
Data Protection Act 1998
The Data Protection Act 1998 is described by the Government as follows:
“The Data Protection Act regulates how your personal information is used and protects you from misuse of your personal details.
It provides a common-sense set of rules which prohibit the misuse of your personal information without stopping it being used for legitimate or beneficial purposes.” (DirectGov, Unknown Date)
The Department for Constitutional Affairs have a Frequently Asked Questions (FAQ) web site regarding the Data Protection Act and with regards to consent, it states that consent must be obtained from a data subject before processing is permitted with the exception of situations revolving around crime and national security. (DCA, Unknown Date)
There are other exceptions covered under the Act such as journalistic purposes but there is no such exception for direct marketing or advertising.
Furthermore the definition of processing is included under Section 1 of the Act as follows:
“in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data” (DPA 1998)
Based on the technical analysis by Dr Richard Clayton it would seem that personal data is processed by the technology in several ways:
1. The data is intercepted by the Layer 7 technology and Deep Packet Inspection is used to check for a cookie. This process requires the data to be recorded and an operation is carried out on the data in order to reroute it to the “special machine”.
2. Once all the cookie manipulation and re-routing is completed the technology through a combination of the Layer 7 technology and the Profiling technology will carry out a set of operations for the purpose of making the data anonymous. This activity is defined as processing by the Act.
3. At all points of the technology from the Layer 7 technology onwards, the data is stored in the Random Access Memory (RAM) of the hardware operating on the data. It is also likely that for at least a short period of time this data will be paged to a disk either for the purpose of queueing subsequent data ready for processing or to enable the RAM of the system to be used for higher priority purposes. This is common practice in the world of technology and is often referred to as a Swap Drive or Virtual Memory.
Given all of the above information coupled with the previously established fact that consent was not obtained due to the covert nature of the trials; it would seem reasonable to conclude that the trials failed to meet the requirements of the Data Protection Act 1998.
It would also seem that even if BT PLC obtain consent when they deploy this technology in 2008, as with the Computer Misuse Act 1990, they are likely to still fall on the wrong side of the law; given that in order to determine whether or not consent has been obtained, the processing of the data needs to take place first. This would suggest that anyone who has denied consent for their data to be processed in this way would be subject to their rights being violated under the Act regardless.
It is important to remember that the Act states operations on data are defined as processing, this includes all operations from the point the Layer 7 technology intercepts and inspects the data in the network stream.
Copyright, Designs and Patents Act 1988
One of the issues raised with regards to this technology is the rights of the people who own the copyright for the web sites being copied for commercial purposes. As explained by Dr Richard Clayton (Clayton, R. 2008b) a copy of the web page requested by the user is intercepted by the Layer 7 technology and is operated on by the Profiler in order to create categories with keywords and update the cookie stored on the user’s computer.
As mentioned earlier in the paper, many popular web sites have existing terms to prevent the processing and copying of the web site content for the purpose of commercial activity; this goes even further when we look at the issue from a copyright perspective.
It is safe to say that the vast majority of web sites on the Internet (both commercial and non commercial) contain a copyright notice. This notice appears in the footer of most web sites currently available and may reference various common licenses such as Creative Commons (CC) and General Public License (GPL) or may just rely on the traditional implied license based on the copyright laws in the territory of the author or copyright owner.
In the case of the Amazon example earlier in this article, which is typical of commercial web sites in general, some web sites even define this license more comprehensively in the terms and conditions one must accept in order to use the web site.
Since Phorm Inc.’s technology exists purely for the purpose of building and sustaining an advertising business model, it can not be argued that the copying of the web site content is not for commercial purposes. Even under implied license from existing copyright law, this would be enough to satisfy a complaint of infringement.
Whereas infringement in the UK is normally a tort and subject to complaints in the civil courts through litigation; Section 107 of the Act includes criminal infringement with regards commercial activities (CDPA 1988). As outlined above, it can not be argued that the purpose of the copy is not for commercial gain and therefore, the trials of 2006/2007 and indeed any future deployment of this technology would seem to be infringement as defined by the Act; furthermore they would seem to qualify as criminal infringement.
This is a very important point as the route to enforcing copyright through the civil courts is often costly and outside the resource capabilities of non commercial copyright holders. But in the case of criminal infringement, the cost of action becomes much less significant as criminal cases are presented in the UK by the Crown Prosecution Service, not the individual whose rights have been violated.
Furthermore, given the evidence that in the 2006/2007 trials the data was being altered in order to insert JavaScript programs to display advertising images; BT PLC could be seen as distributing derivative works since they were distributing a web page to the user which was derived from the original web page, without license.
Conclusion
Analysis of the relevant legislation, statutes and directives as illustrated throughout this paper paints a sinister picture with regards to the legality of the covert trials carried out by BT PLC during 2006 and 2007. It is important to remember that the right to privacy is an inalienable right that cannot be brushed aside and ignored; informed consent must be obtained before processing personal data or intercepting communications.
Each of the relevant regulations studied makes clear the requirements regarding consent and due to the fact that the trials were covert the requirements could never have been met. RIPA, Fraud Act, Computer Misuse Act and Copyright, Designs and Patents Act in the case of the trials, all fall under criminal law, whereas Privacy and Electronic Communications (EC Directive) Regulations, Torts (Interference with Goods) Act and Data Protection Act apply under common law and statutes.
Given that BT PLC have issued statements admitting to these trials and also the evidence available from “victims” of the trials as well as Dr Richard Clayton’s technical analysis (Clayton, R. 2008b), it is likely that the count of violations as a result of these trials amounts to millions. Even moderate web use generates vast quantities of data packets and it is these data packets which have been intercepted; each interception, manipulation or alteration of these packets is a single instance of multiple offences. With the number of customers involved now estimated to have been in excess of one hundred thousand it is inevitable that tens or even hundreds of millions of offences have occurred.
Nicholas Bohm – general counsel for FIPR, member of the Law Society’s Electronic Law Committee and lecturer of Law at Cambridge University, who recently published his own legal analysis of the technology model presented by Phorm states:
“My legal analysis shows that the operation of Phorm’s system involves illegal interception, fraud and breach of the data protection principles.” (Bohm, N. 2008)
In a recent open letter to the Home Secretary, Mr Bohm has requested that the Home Office withdraw their statement on this matter on the grounds that it “can now be seen to be significantly incomplete and dangerously misleading.” (Bohm, N. and Clayton, R. 2008) and has called for the relevant public authorities to initiate official investigations of both the trials from 2006/2007 and the upcoming deployment of the technology following more trials in the near future.
Corporations should never be placed above the law, irrespective of how much power and influence they may have. As such, when situations such as this issue arise it is essential that public authorities make a clear decision to investigate, especially given the number of potential victims and gravity of the offences involved.
In a time where more and more people are becoming aware of their rights in part due to technologies and resources like the Internet but also due to the constant stream of media and press coverage on data protection issues; the public need to have confidence in their public authorities, if that trust and confidence is not present it undermines the very rights these authorities are supposed to protect.
It is the role of the Information Commissioner’s Office to investigate breaches under Privacy and Electronic Communications (EC Directive) Regulations 2003 and Data Protection Act 1998. As illustrated in this paper, the covert trials of 2006/2007 failed to meet the requirements of both, therefore the ICO must investigate any complaints made to them.
It is the role of the police to investigate offences under Regulation of Investigatory Powers Act 2000, Fraud Act 2006, Computer Misuse Act 1990 and Copyright, Designs and Patents Act 1988 and the role of the Crown Prosecution Service (CPS) to prosecute any such offences to the full letter of the law. This paper has shown that the covert trials in 2006 and 2007 constitute violations of all these laws, therefore it is paramount that the police initiate a criminal investigation on this issue in the interests of public justice.
Failure by any of the public authorities discussed above to meet their responsibilities could result in complaints to the Parliamentary Ombudsman or Judicial Reviews being made, but perhaps more dangerous is how the public are going to react should their concerns continue to be ignored.
Whereas this paper has focused on the covert trials in 2006/2007 it is important to note that the issue extends beyond past events. Many of the laws, statutes and directives discussed are also relevant to the ongoing debate with regards to whether this technology can ever be deployed legally in the future. Phorm Inc. and their partners are moving forward with plans to deploy this technology in the second quarter of 2008 yet to date they have still failed to address issues regarding informed consent; despite statements by both the Home Office and the Information Commissioner’s Office that informed consent must be obtained before the system can be legal. The trials of 2006/2007 may be over but the trials this issue faces in the future in the court of public opinion are unlikely to disappear until the interests of public justice have been maintained.
Bibliography
Amazon, (2007). Conditions of Use & Sale. Available at: http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1040616#use (Accessed: 4th April 2008)
Arthur, C. (2008). BT admits tracking 18,000 users with Phorm systems in 2006. Available at: http://www.guardian.co.uk/technology/2008/apr/03/privacy.telecoms (Accessed: 3rd April 2008)
Best, K. and McCusker, R. (2002). The Scrutiny of the Electronic Communications of Businesses: Striking the Balance Between the Power to Intercept and the Right to Privacy? Available at: http://webjcli.ncl.ac.uk/2002/issue1/kb-rm1.html (Accessed: 3rd April 2008)
Bohm, N., (2008a). The Phorm “Webwise” System – a Legal Analysis. Available at: http://www.fipr.org/080423phormlegal.pdf (Accessed: 1st May 2008)
Bohm, N., (2008b). “Home Office guidance misleading” says FIPR. Available at: http://www.fipr.org/press/080423phorm.html (Accessed: 1st May 2008)
Bohm, N. and Clayton, R., (2008). The Phorm “Webwise” system. Interception of Communications. Available at: http://www.fipr.org/080423holetter.pdf (Accessed: 1st May 2008)
Caplan, C., (2000). Judge says a Spider Is Trespassing on EBay. Available at: http://partners.nytimes.com/library/tech/00/05/cyber/cyberlaw/26law.html (Accessed: 8th April 2008)
CDPA, (1988). Copyright, Designs and Patents Act 1988. Available at: http://www.opsi.gov.uk/acts/acts1988/ukpga_19880048_en_5#pt1-ch6-pb5-l1g107 (Accessed: 11th April 2008)
Clayton, R. (2008a). Open Letter to the IC on the legality of Phorm’s advertising system. Available at: http://www.fipr.org/press/080317phorm.html (Accessed: 4th April 2008)
Clayton, R., (2008b). The Phorm “Webwise” System. Available at: http://www.cl.cam.ac.uk/~rnc1/080404phorm.pdf (Accessed: 4th April 2008)
Clayton, R. and Bohm, N., (2008). Open Letter to the Information Commissioner. Available at: http://www.fipr.org/080317icoletter.html (Accessed: 4th April 2008)
Cohen, B. (2008). Data Pimping or just Bad Phorm? Available at: http://www.channel4.com/news/articles//data+pimping+or+just+bad+phorm/2023952 (Accessed: 30th April 2008)
Council of Europe (1950). European Convention on Human Rights (Article 8.1). Available at: http://www.hri.org/docs/ECHR50.html (Accessed: 3rd April 2008)
CMA (UK), (1990). Computer Misuse Act 1990. Available at: http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g3 (Accessed: 6th April 2008)
DCA, (unknown). Department of Constitutional Affairs. Data Protection – Frequently Asked Questions. Available at http://www.dca.gov.uk/ccpd/faqdp.htm#1i (Accessed: 10th April 2008)
DirectGov, (unknown). The Data Protection Act. Available at: http://www.direct.gov.uk/en/RightsAndResponsibilities/DG_10028507 (Accessed: 10th April 2008)
DPA, (1998). Office of Public Sector Information. Data Protection Act 1998. Available at: http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_2#pt1-l1g1 (Accessed: 10th April 2008)
Dubrawsky, I. (2003). Firewall Evolution – Deep Packet Inspection. Available at: http://www.securityfocus.com/infocus/1716 (Accessed: 4th April 2008)
FA, (2006). Fraud Act 2006. Available at: http://www.opsi.gov.uk/acts/acts2006/pdf/ukpga_20060035_en.pdf (Accessed 6th April 2008)
Mel (alias), (2008). Possible trivial Phorm opt-in “Exploit” discovered. Available at: http://www.ispreview.co.uk/talk/showthread.php?p=199729 (Accessed: 4th April 2008)
Morelli, F.S., (2007). To own, to be owned, or what else? BT and its proxies. Available at: http://www.spikelab.org/blog/btProxyHorror.html (Accessed: 4th April 2008)
PECR, (2003). Privacy and Electronic Communications (EC Directive) Regulations 2003. Available at: http://www.opsi.gov.uk/si/si2003/20032426.htm (Accessed: 4th April 2008)
PJA, (2006). Police and Justice Act 2006 (s36). Available at: http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en_7 (Accessed: 8th April 2008)
Political Penguin. (alias) (2008). More Answers from Phorm. Available at: http://www.politicalpenguin.org.uk/blog/p,303/ (Accessed: 4th April 2008)
RIPA (2000). Regulation of Investigatory Powers Act 2000 (RIPA). Available at: http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_2 (Accessed: 4th April 2008)
Security Focus (2007). About Security Focus. Available at: http://www.securityfocus.com/about (Accessed: 4th April 2008)
Simkins, M., (2006). Cyber Trespass. Available at: http://www.legalday.com/commentaries/Simkins/Cyber-Tresspass-050306.html (Accessed: 8th April 2008)
TA, (1977). Torts (Interference with Goods) Act 1977. Available at: http://www.uk-legislation.hmso.gov.uk/RevisedStatutes/Acts/ukpga/1977/cukpga_19770032_en_1 (Accessed: 8th April 2008)
Vahidi, V. (2008). New York Times. A Company Promises the Deepest Data Mining Yet. Available at: http://www.nytimes.com/2008/03/20/business/media/20adcoside.html_r=2&ref=busine&oref=slogin (Accessed: 4th April 2008 – Login Account Required)
Waters, D. (2008). BT advert trials were ‘illegal’. Available at: http://news.bbc.co.uk/1/hi/technology/7325451.stm (Accessed: 3rd April 2008)
Watkin, S., (2008). Targeted Online Advertising. Available at: http://cryptome.org/ho-phorm.htm (Accessed: 4th April 2008)
Williams, C. (2008a). BT admits misleading customers over Phorm experiments. Available at: http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/ (Accessed: 3rd April 2008)
Williams, C. (2008b). BT and Phorm secretly tracked 18,000 customers in 2006. Available at: http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/ (Accessed: 3rd April 2006)
Williams, C. (2008c). BT pimped customer web data to advertisers last summer. Available at: http://www.theregister.co.uk/2008/02/27/bt_phorm_121media_summer_2007/page2.html (Accessed: 3rd April 2008)
Wolverton, T., (2001). eBay, Bidder’s Edge end legal dispute. Available at: http://www.news.com/2100-1017-253443.html (Accessed: 8th April 2008)
(Cheers, Alex, and thanks)

May 20th, 2008 at 12:53 pm
Hey Jon,
Thanks for the coverage on this issue. Hopefully my paper will better enable people to understand the legal implications for this technology in the UK. The battle against Phorm is still ongoing and strong as ever; there is a large and dedicated group of public protesters, politicians, academics, press and legal experts constantly reporting on the issue and taking steps to try and prevent deployment.
I myself have been involved at a considerable level including appearing as a guest speaker at the 80/20 Thinking PIA “Town Hall Meeting”, appearing as a guest on a BBC World technology news show called “Click” as well as writing articles, consulting with journalists (for example a recent article in Investors Chronicle by the Financial Times on Phorm) and interacting in the wider campaign as a whole. I continue to engage Peers in the House of Lords, Press, Legal Experts and Academics, Politicians and the general public. I am also attempting to gather support from industry leaders such as Google, Yahoo and Microsoft and have been in advanced discussions with Google in particular.
It is important that everyone continues to fight this technology before we wake up and realise that privacy is very much a thing of the past. As I stated at the PIA meeting, what Phorm are trying to do is productise people; they assign us a UID not dissimilar to a Bar Code and place us into a global warehouse selling pieces of us to the highest bidders. This is offensive to many and contravenes our Human Rights as well as the many other legal issues. Explicit informed consent from all parties (not just the ISP subscriber but other users of the same computer (friends and family), content publishers and any other party involved in the communication) is required by law in both the UK and the EU and we must not allow that requirement to be swept aside for the purpose of profit. The right to Privacy is an inalienable right and cannot be assumed to be waived under any circumstances.
To measure the impact of the campaign so far, it is worth noting that since February Phorm’s market capital (the total value of all shares issued) has dropped from over £500 million to under £200 million which can only be seen as largely down to the negative publicity Phorm have received. This in and of itself is a remarkable achievement and strongly illustrates that the British people do not approve of this technology and will do whatever they can to fight its deployment.
I would personally like to thank FIPR (in particular Dr Richard Clayton and Mr Nicholas Bohm) for their efforts so far. It is my understanding that they will be discussing behavioural advertising at a very high profile 10th Birthday Event later this month. I have been very lucky in having the opportunity to meet with Dr Clayton at the PIA event and discuss the issue with him personally. Furthermore, Mr Nicholas Bohm has been in regular communications with me as well as being kind enough to provide feedback and insight on my dissertation (published above) as well as asking permission to use part of the dissertation at an ISPA Legal Forum in London this June.
Furthermore my thanks extend to the Open Rights Group staff, British Computer Society, Earl of Northesk (and various other politicians), BBC Click and other BBC journalists such as Darren Waters, Charles Arthur at the Guardian, Channel 4 and of course all the members of the public who have been involved in this issue (such as cableforum and badphorm users and staff).
Finally, Chris Williams of The Register deserves a separate thank you for his vast coverage of the issue over the past 3 months.
I hope I haven’t missed anyone, but if I have my apologies and please extend these thanks to yourselves as appropriate.
I will continue to fight Phorm and other such technologies to the best of my abilities and I have recently decided to study for my Masters in Law (LL.M) to better enable me to engage these issues at the policy level.
Alexander Hanff
May 20th, 2008 at 12:56 pm
Wotcha again Alex:
Good to see someone standing up instead of lying down
Cheers!
May 20th, 2008 at 1:00 pm
er, what is ‘wotcha’?
May 20th, 2008 at 1:01 pm
Very nice piece of work Alex, although I suspect those parties you mention who intend to profit from this system will play the dragging-of-heels game and try to minimalise what you have to say, keep up the good work.
May 20th, 2008 at 1:27 pm
Nice work so pleased to see someone can see the dangers of this webwise/phorm relationship with ISPs. The government needs to get off the fence and show the public they can be trusted before the next elections or it will be too late for them.
To any ISP that signs up to this you will lose customers as we do not want to be used or trust this system with our privacy.
Well Done Alexander and thank you from a member of the public that is a lot wiser now.
May 20th, 2008 at 1:32 pm
and thanks to p2pnet for publishing the whole thing
May 20th, 2008 at 3:32 pm
@ er, what is ‘wotcha’?
UK greeting derived, maybe, from What Cheer?
Cheers!
May 21st, 2008 at 8:56 am
Hey Jon,
Your story has made it straight to the number 1 news item on Google Finance’s Phorm page:
http://finance.google.com/finance?q=LON:PHRM
Great result for the campaign thanks again for the coverage.
Alexander Hanff
May 21st, 2008 at 1:18 pm
“er, what is ‘wotcha’?”
Makes me think of “Wotcha back – or you might find a knife in it”
Bardoid, whatever happened with that lawsuit? (just like the P2Pnet slander lawsuit, ongoing news on the DVDR-Core suit seemed to vanish off the pages of news sites and blogs with hardly a trace.) At the time, it seemed like such an impossible situation that personal bankruptcy might have been the only way out – assuming that DVDR-Core was not (wisely) registered as a LLC.
That BBC webvideo does not work on my computer. Is there another copy available on P2P or online somewhere like Youtube?
May 21st, 2008 at 1:27 pm
^^ “(just like the P2Pnet slander lawsuit, ongoing news on the DVDR-Core suit seemed to vanish off the pages of news sites and blogs with hardly a trace”
Believe me, both the p2pnet lawsuits are still very much alive
Cheers!