In my previous post about this subject I went down the precarious route of agreeing with the UK Home Office and the ICO who can’t seem to be able to make up their mind whether Phorm is an illegal invasion of privacy or who should deal with it if it is. Initially they both seemed to side with BT and Phorm (WikiPedia Link) that their software wasn’t doing anything wrong. I read Dr Richard Claytons technical document and figured that both the UK government, the regulators and the lawyers at BT couldn’t be wrong. Technically the system seemed fine and I didn’t fully appreciate Dr Claytons reservations.
After considering the reaction to the post I made and the legal evidence provided by Dr Richard Clayton I have changed my original position. Particularly read section 18, 19 and 20 of the legal document which convinced me beyond doubt that what Phorm are proposing for major ISPs worldwide puts too much temptation in the hands of Phorm/BT.
Technically the Phorm system is not illegal if all parties are aware and give full consent of the practice. Opt-in in other words. This was something that I argued seemed to be the case. The webmasters of various sites gave BT their consent to serve ads based on the behavioral data and Phorm/BT ask all users of their WebWise system to opt-in to the service from their end. Technically, personally identifiable information (PII) is not “supposedly” passed – a simple IP address is what the phorm cookie is tied too. Seems simple enough and this I feel is why the Home office and ICO was fooled (as well I have to say as myself).
Unfortunately it became clear in my discussions with a number of folks who have gone to great lengths to figure out how it works that Phorm is not disclosing what it can do to the general public. Personal information which is passed in a non https way (adding your email to a form, adding a product to a cart, writing a web based email) could also be passed to the Phorm system and tie back to your cookie meaning your UID now has a name, perhaps even address attached. It is then conceivable that if unscrupulous employees of BT/Phorm wanted to, they could extract that individual data for profit.
This is something that no-one has the ability to opt out of if the Phorm system is implemented because you can only opt out of the behavioral ad system.
Additionally BT sought no permission whatsoever for the initial trial run of the service across 16,000 recipients. This is totally illegal (I had difficulty believing this) and has to be punished for the sole reason that Dr Clayton suggests to make an example to others, Google, Yahoo, MS, Any Other Large Enterprise, that people are watching and if they mess with the Data Protection Act (DPA) they will be punished.
Regards the whole discussion.
I now agree with the folks who argued their case with me here and over at CableForum. Many of the problems around privacy are compounded by the complexity of the situation. This particular case requires you know about ISP networks, public based routing, deep packet inspection, cookies, website mirroring, http requests, https requests, SSL certificates as well as a more than average knowledge about the various laws designed to protect data.
I think an opt-in method for Phorm is perfectly Ok, but it will be a very tough sell to consumers.
I said at CableForum that I don’t condone and don’t think any of my peers or colleagues would condone deception and if the online industry is to prosper, consumer privacy has to be the holy grail.
Not only have BT committed PR suicide by first trying to deceive their customers instead of being transparent, they have broken the law and those responsible should face criminal trials. Phorm software deployed in its present state should be banned. Take note my friends in the USA. They’re trying the same with your ISPs.