Phorm's rocky ride towards becoming a live product in the UK looks set to continue: the European Commission has sent a formal notice starting an infringement proceeding. The Commission is concerned mainly with how the UK has implemented European data protection laws and how these relate to Phorm and potentially other behavioural advertising systems.
"The Commission has written several letters to the UK authorities since July 2008, asking how they have implemented relevant EU laws in the context of the Phorm case. Following an analysis of the answers received the Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications.
Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to ‘intentional’ interception only. Moreover, according to this law, interception is also considered to be lawful when the interceptor has ‘reasonable grounds for believing’ that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions.
The UK has two months to reply to this first stage of an infringement proceeding, the letter of formal notice sent today. If the Commission receives no reply, or if the observations presented by the UK are not satisfactory, the Commission may decide to issue a reasoned opinion (the second stage in an infringement proceeding). If the UK still fails to fulfil its obligations under EU law after that, the Commission will refer the case to the European Court of Justice."
Extract from press release
The emphasis is on ensuring that customers of an ISP whose browsing habits are being tracked have given clear informed consent to the system being used on their connection. Under current UK law there only needs to be "reasonable grounds for believing" someone has consented.
This does not mean the end for Phorm. Nothing, it seems, stops it deploying the system under an opt-in model that exceeds UK law requirements and satisfies European law. What it does mean is that we may see this case drag on depending on the UK response, with the final stage being an appearance at the European Court of Justice. A win for the EU in the European Court would force changes to UK law.
The BBC, amongst other websites, has covered the news, and Nicholas Bohm from FIPR appears to back an additional requirement that would require sites to give consent so that they can be trawled. In theory this can be accomplished easily with websites utilising a robots.txt file; however, that could exclude them from search engines, which is a price they wouldn't want to pay.
I can't wait to see the government try to spin this as EU interference.
As to robots.txt, there's no reason at all sites couldn't tell Phorm to refrain from scanning pages but allow legit search engines. All Phorm have to do is specify a unique user agent as any SE would. However, robots.txt is purely advisory and I doubt many would trust Phorm to honour their commitment to it. It would in any case (unlike proper SEs) almost certainly be impossible to verify compliance, as Phorm's kit would be invisible to the site, except as the user's BT IP. BT users might be in for a lot of 403s.