For a short while after the web chat by Phorm more people thought they knew what the system was all about, and the charm offensive from Phorm was in full swing. Today sees the Foundation for Information Policy Research (FIPR) publish an open letter to the Information Commissioner Richard Thomas.
The letter raises the issue of whether the targeted advertising system Phorm is to implement and BT Total are about to trial is effectively an interception of communications and as such under the Regulation of Investigatory Powers Act 2000 requires explicit consent from both the broadband customer and provider. Most interestingly FIPR believes that consent would be required by the host of the web pages, which with the myriad of websites around the world would be impossible to obtain. Exceptions exist that allow filtering for viruses and unsolicited bulk email but would not cover a targeted advertising system.
This latest twist in the Phorm tale may well see any provider deploying the system having to implement an opt-in system, which may undermine the amount of income the system will generate. How many consumers will sign-up is anyones guess, many may believe the phishing protection is worthwhile, but with the myriad of built-in and add-in phishing protection tools out there already, that aspect is hardly a unique feature.
The recent webchat had a few interesting Q&A items that are worth re-printing.
Q: It would seem that the biggest issue so far is with the opt out feature. Can you please tell us, if opted out, will ANY data pass through ANY server owned by Phorm either within the ISP network or not ? If it does then why if we have opted out ?
A: No, if you opt out, none of your data will pass through a Phorm-owned server.
Q: Having a system that provides a form of customised marketing is one thing. But do you understand the real concern shown here and on other sites for what browsing information (or interet connection info, MAC address, IP address, ISP account info) is used or stored in order to provide this service?
A: Yes, we do understand people's privacy concerns. That's why do NOT tie into the ISP authentication systems, don't use MAC addresses and don't store IP addresses.
It's important to understand that our system uses page information to make a real-time match against advertiser categories (e.g. sport). We only store the category, not the browsing information, so we can't tell where you've been on the internet, or what the page contained.Extracts from Phorm web chat
The key point appears to be that the Phorm system while it may initially see a fair amount of data that may identify someone, once it has been washed and then categorised it should contain nothing that identifies you or which exact sites you visited. Only once the final result is produced is anything stored on disk, in theory it seems if the server is rebooted any material queued up to be processed would vanish. The big concern is how this works in practice and whether mission creep could occur where more data is slowly stored over time, or some data is inadvertently logged to disk or exposed by error report logs.
The original BBC News item that brought this open letter out into the open has various comments from FIPR and BT.
"Provided the customer has consented, we consider that there will generally be an implied consent from website owners. Secure and password-protection content will not be scanned, profiled or stored."BT spokesperson
One area the FIPR does raise is web pages that would otherwise not be found by search engines as they are not linked to any other web page. In these cases the content may well not be secured with a password and people rely on it only being a transient page, for example pictures of a family event, new product pages waiting to be published or a company carrying out market research that it wants a group of individuals to view. In the same way that viewing your browser history could reveal a sudden interest in party venues if booking a surprise party for someone in the family, if adverts for party venues started to pop-up it could ruin a surprise. Now you can of course clear your browser history, but the Phorm database will have your interest now categorised.