Wednesday, March 19, 2008

FIPR say Phorm is illegal

The Foundation for Information Policy Research has said that the Phorm wiretapping adware service is illegal under UK law. They have sent an open letter, penned by Richard Clayton and Nicholas Bohm, to the Information Commissioner, Richard Thomas, on the matter, as he is investigating the Phorm service. FIPR's associated press release states:

"The Foundation for Information Policy Research (FIPR) has today released the text of an open letter to Richard Thomas, the Information Commissioner (IC) on the legality of Phorm Inc's proposal to provide targeted advertising by snooping on Internet users' web browsing.

The controversial Phorm system is to be deployed by three of Britain's largest ISPs, BT, Talk Talk and Virgin Media. However, in FIPR's view the system will be processing data illegally:

  • It will involve the processing of sensitive personal data: political opinions, sexual proclivities, religious views, and health -- but it will not be operated by all of the ISPs on an "opt-in" basis, as is required by European Data Protection Law.
  • Despite the attempts at anonymisation within the system, some people will remain identifiable because of the nature of their searches and the sites they choose to visit.
  • The system will inevitably be looking at the content of some people's email, into chat rooms and at social networking activity. Although well-known sites are said to be excluded, there are tens or hundreds of thousands of other low volume or semi-private systems.

More significantly, the Phorm system will be "intercepting" traffic within the meaning of s1 of the Regulation of Investigatory Powers Act 2000 (RIPA). In order for this to be lawful then permission is needed from not only the person making the web request BUT ALSO from the operator of the web site involved (and if it is a web-mail system, the sender of the email as well).

FIPR believes that although in some cases this permission can be assumed, in many other cases, it is explicitly NOT given -- making the Phorm system illegal to operate in the UK:

  • Many websites require registration, and only make their contents available to specific people.
  • Many websites or particular pages within a website are part of the "unconnected web" -- their existence is only made known to a small number of trusted people.

The full text of the open letter can be viewed at:


Said Nicholas Bohm, General Counsel, FIPR:

"The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle within the legislation, and it cannot be lightly ignored or treated as a technicality. Even when the police are investigating as serious a crime as kidnapping, for example, and need to listen in to conversations between a family and the criminals, they must first obtain an authorisation under the relevant Act of Parliament: the consent of the family is not by itself sufficient to make their monitoring lawful."

Said Richard Clayton, Treasurer, FIPR:

"The Phorm system is highly intrusive -- it's like the Post Office opening all my letters to see what I'm interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme.""
Update: BBC report on same.

No comments: