Phun times ahead for Phorm

The European commission has decided to go ahead with taking action against the UK for failing toproper;y regulate the targeted advertising system Phorm. Their press release notes:

"The Commission has opened an infringement proceeding against the United Kingdom after a series of complaints by UK internet users, and extensive communication of the Commission with UK authorities, about the use of a behavioural advertising technology known as ‘Phorm' by internet service providers. The proceeding addresses several problems with the UK's implementation of EU ePrivacy and personal data protection rules, under which EU countries must ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user's consent. These problems emerged during the Commission’s inquiry into the UK authorities’ action in response to complaints from internet users concerning Phorm."

Vivianne Reding, the EU telecommunications commisioner adds:

“We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications. I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications. This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet.”

This is excellent news for anyone who has followed the Phorm story. First, the EC action will be based on problems with the legality of the general way Phorm works, not the one off blunder of starting trials without getting proper consents last year. In essence the charge - which was explained in a clear memorandum from FIPR by Nicholas Bohm over a year ago - is that Phorm intercept communications between users and websites on the basis of consent from the user, but not from the website. This is wiretapping and/or spyware by any other name, which is why the EU objection is based on Art 5(3) of the ePrivacy Directive, which deals with the confidentiality of electronic communications.

Secondly the EC action clearly contemplates not just the UK's misinterpretation of Art 5(3) but also its failure to provide a proper institution to supervise unauthorised interception by the private sector. The Interception Tribunal established under RIPA 2000 is empowered only to look at police and public sector interception of communications. Responsibility should fall to the UK Information Commisioner, but he has seemed unwilling to take up that role vis a vis Phorm to date.

All in all this is excellent news. See more on Phorm in my chapter on targeted advertising in the upcoming (really) Edwards and Waelde eds Law and the Internet (3rd edn) but for the moment see ORG blog on the issue.

All this is ironic as only a week ago, Phorm announced they were really finally about to go live in the UK. With proceedings for illegality from the Commision hovering on the horizon, it will be a brave ISP who launches Phorm right now on their worried customers.

More on 3 Strikes & Phorm: the ISP Strikes Back, but still true to Phorm

3 Strikes, semper passim :)

Technollama has a good post on Carphone Warehouse's opposition (in its guise as ISP TalkTalk) to the idea of "3 strikes and you're out", and the BPI's response of threatening court action. According to the Telegraph, CW received the following warning by fax from the BPI:

""... unless we receive your agreement in writing that within 14 days Carphone Warehouse will implement procedures set out above [bold added], we reserve our right to apply to court for injunctions and other relief without further notice to protect our members' rights."

Which leaves one wondering: WHAT procedures? Last Pangloss heard, negotiations were going on between the ISPA and the MPA as to a protocol for "progressive" discouragement of filesharing by eventual disconnection, but no agreement had been struck; certainly if the BPI has fomed a binding contract or even voluntary code of practice on similar lines with some or all UK ISPs, this is something the public should know about surely?

If, as seems more likely, no agreement exists, the BPI seem to be making some wrong assumptions about the remedies available to them. As it stand the common consensus is that ISPs are protected from liability for the actionable or illegal activity of their users unless they are shown to have actual or constructive knowledge of material they host fo rnusers (E Commerce Directive, Art 14). If the liability relates to the ISP's role as a mere conduit (Art 12) then ISP's are immune whether or not they receive notice. In all other circumstances, the BPI are limited merely to seeking an injunction against the ISP; although they are of course free to sue the actual users. "Other relief" - which can surely only be construed as implying either the imposotion of a filtering obligation or damages - does not prima facie seem to be available.

Of course in Ireland, also in apparent contradiction to both Arts 14 and 15 of the ECD, the music industry are currently attempting to impose an obligation to filter out pirate tracks on Ireland's biggest ISP, Eircom.Various Irish legal commentators notably TJ Macintyre and the unpronounceable Daithi McSigh have already pointed out the major policy and legal objections to such a claim. But it appears to be saber rattling season on both sides of the Irish Sea, presumably in anticipation of the consultation paper on 3 Strikes we are promised by BERR sometime between now and the autumn.

Phorm

Talk Talk/CW themselves should not be regarded too quickly as heroes of the hour though. Remember Talk Talk is one of the ISPs already signed up for the currently rather controversial Phorm system. Since it seems unlikely UK ISPs are going to go down the 3 Strikes route without legislation, CW/TT have good PR to gain, and nothing much to lose, by speaking out against the BPI :)

On Phorm, matters currently appear to be running against the pioneering or invasive new ISP-level adware system (depending on your side of the fence.) The ICO amended their postition on Phorm yesterday after considerable pressure by inter alia, ORG and FIPR:

"Ad-targeting system Phorm must be "opt in" when it is rolled out, says the Information Commissioner Office (ICO)

European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.

The decision could be a blow to Phorm which before now has said it would operate on an "opt out" basis.

The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed."

EDIT: there is a rather sensible comment on the Beeb site about the likely implications of opt-in for Phorm.

This statement, interestingly, still leaves untouched the question of whether Phorm is not only potentially in breach of DP law but an illegal interception of communications under RIPA. The ICO of course has an interest in surveillance, but does not oversee it; interception is technically supervised by the Interception of Communications Commissioner . Home Office communications have indicated they think Phorm legal in this respect, but other commentators such as Nicholas Bohm, differ.

Phorm an orderly queue

It might easily be said that the British just love creating problens with Phorms..

Here is the press release for the FIPR official letter to the ICO on the current Phorm controversy. It has my full support as a lucid and explanatory response to a pressingly potential worrying incursion into consumer privacy (disclaimer: I am member of FIPR advisory board.)

FIPR Press Release

For Immediate Release: Monday 17th March 2008

Open Letter to the IC on the legality of Phorm's advertising system
-------------------------------------------------------------------

The Foundation for Information Policy Research (FIPR) has today released
the text of an open letter to Richard Thomas, the Information
Commissioner (IC) on the legality of Phorm Inc's proposal to provide
targeted advertising by snooping on Internet users' web browsing.

The controversial Phorm system is to be deployed by three of Britain's
largest ISPs, BT, Talk Talk and Virgin Media. However, in FIPR's view
the system will be processing data illegally:

* It will involve the processing of sensitive personal data: political
opinions, sexual proclivities, religious views, and health -- but it
will not be operated by all of the ISPs on an "opt-in" basis, as is
required by European Data Protection Law.

* Despite the attempts at anonymisation within the system, some people
will remain identifiable because of the nature of their searches and
the sites they choose to visit.

* The system will inevitably be looking at the content of some
people's email, into chat rooms and at social networking activity.
Although well-known sites are said to be excluded, there are tens or
hundreds of thousands of other low volume or semi-private systems.

More significantly, the Phorm system will be "intercepting" traffic
within the meaning of s1 of the Regulation of Investigatory Powers Act
2000 (RIPA). In order for this to be lawful then permission is needed
from not only the person making the web request BUT ALSO from the
operator of the web site involved (and if it is a web-mail system, the
sender of the email as well).

FIPR believes that although in some cases this permission can be
assumed, in many other cases, it is explicitly NOT given -- making the
Phorm system illegal to operate in the UK:

* Many websites require registration, and only make their contents
available to specific people.

* Many websites or particular pages within a website are part of the
"unconnected web" -- their existence is only made known to a small
number of trusted people.

The full text of the open letter can be viewed at:

http://www.fipr.org/080317icoletter.html

QUOTES

Said Nicholas Bohm, General Counsel, FIPR:

"The need for both parties to consent to interception in order for
it to be lawful is an extremely basic principle within the
legislation, and it cannot be lightly ignored or treated as a
technicality. Even when the police are investigating as serious a
crime as kidnapping, for example, and need to listen in to
conversations between a family and the criminals, they must first
obtain an authorisation under the relevant Act of Parliament: the
consent of the family is not by itself sufficient to make their
monitoring lawful."

Said Richard Clayton, Treasurer, FIPR:

"The Phorm system is highly intrusive -- it's like the Post Office
opening all my letters to see what I'm interested in, merely so that
I can be sent a better class of junk mail. Not surprisingly, when
you look closely, this activity turns out to be illegal. We hope
that the Information Commissioner will take careful note of our
analysis when he expresses his opinion upon the scheme."

CONTACTS

Nicholas Bohm
General Counsel, FIPR
01279 870285
nbohm@ernest.net

Richard Clayton
Treasurer, FIPR
01223 763570
07887 794090

NOTES FOR EDITORS

1. The Foundation for Information Policy Research (http://www.fipr.org)
is an independent body that studies the interaction between
information technology and society. Its goal is to identify
technical developments with significant social impact, commission
and undertaken research into public policy alternatives, and promote
public understanding and dialogue between technologists and policy-
makers in the UK and Europe.

2. Phorm (http://www.phorm.com/) claims that their "proprietary,
patent-pending technology revolutionises both audience segmenting
techniques and online user data privacy" and has recently announced
that it has signed agreements with UK Internet service providers BT,
TalkTalk and Virgin Media to offer its new online advertising
platform Open Internet Exchange (OIX) and free consumer Internet
feature Webwise.

3. In a statement released on 3rd March the Information Commissioner's
Office (ICO) said:

"The Information Commissioner's Office has spoken with the
advertising technology company, Phorm, regarding its agreement
with some UK internet service providers. Phorm has informed us
about the product and how it works to provide targeted online
advertising content.

"At our request, Phorm has provided written information to us
about the way in which the company intends to meet privacy
standards. We are currently reviewing this information. We are
also in contact with the ISPs who are working with Phorm and we
are discussing this issue with them.

"We will be in a position to comment further in due course."

-