The company behind an ISP-based web-advertising user-tracking system has denied claims that what it is doing is illegal.
Phorm — whose Webwise and Open Internet Exchange (OIX) technologies were used by BT in a secret trial on its customers — says the Foundation for Information Policy Research (FIPR) is wrong to say the use of Phorm's technologies constituted unlawful interception under the Regulation of Investigatory Powers Act (RIPA).
Nicholas Bohm, the FIPR's general counsel, said on Sunday that "the illegality stems… from the fact that the system intercepts internet traffic". "Interception is a serious offence, punishable by up to two years in prison," he added. "Almost incidentally, because the system is unlawful to operate, it cannot comply with data-protection principles."
On Wednesday, a statement from Phorm argued there was "no interception issue in the Phorm system".
"FIPR asserts — under a very narrow interpretation of RIPA — that although we obtain user consent, without the explicit consent of each website, there is an unlawful interception under RIPA," the statement read. "We would point to the many important and valuable consumer internet services such as Gmail or spam filters where data from one side of the 'communication' is analysed for the purpose of showing ads or blocking spam. Under FIPR's interpretation such services would be deemed illegal."
On Tuesday the Information Commissioner's Office (ICO) issued a statement on Phorm's activities, in which it said any allegations of RIPA non-compliance were a matter for the Home Office, rather than the ICO. The ICO also said Phorm had already approached the Home Office to check it was complying with RIPA — a point that Phorm reiterated in its Wednesday statement.
"Our extensive consultations have led to only one conclusion — that Phorm's systems are legal under any full interpretation of the law," Phorm's statement read. Also in the statement, Phorm's chief executive, Kent Ertugrul, pointed out that FIPR had campaigned against RIPA when it was drawn up eight years ago, but was now using it to attack Phorm.
"We're delighted to have a dialogue with FIPR but it has to be in the context of how today's online world actually works and how to improve it for the future," said Ertugrul. "Our objective is to ensure the internet continues to be a vibrant and thriving community, where new developments can contribute greatly to user experience and safety."
Read this
Corporate espionage: Not if, but when
When it comes to business-to-business theft of information, experts agree — it's best to assume it will happen to your company
Richard Clayton, FIPR's treasurer, told ZDNet.co.uk on Thursday that FIPR's issues with RIPA — such as the "way that police could self-authorise [interception]" — remained, but had nothing to do with the elements of RIPA forbidding the use of services such as Phorm.
"[Phorm's statement] is a wonderful piece of PR, but it had very little basis in reality," said Clayton. "[Phorm asked] the Home Office a rather general question about the way the things could be done," he added. "[The Home Office] gave an opinion, not a legal opinion, of their understanding of how the law was [to be applied] — it was essential to get opt-in permission from people whose outgoing traffic was being intercepted."
Clayton criticised the Home Office's view that incoming traffic from websites was publicly available, making it legal to intercept. "We agree to a large extent, but there are quite substantial areas of the internet which are not publicly available, but that Phorm will intercept," he said. "If, for example, you put up a webpage and publish the URL to your friends, asking them not to tell anyone else what the URL is, you have an expectation that no-one else will look at that page because you trust your friends. Phorm will be able to see your page, so we feel that for that reason they are intercepting traffic."
Clayton was also keen to point out that FIPR was not suggesting that Phorm itself was breaking the law. "What Phorm are doing is legal," he said. "It is the ISPs who are intercepting the traffic and giving it to Phorm — it is that that is illegal."
Intercepting traffic for spam-filtering purposes or for blocking denial-of-service attacks was a different matter, Clayton added, because RIPA contains an exemption for technologies that are needed to protect the functioning of an ISP's service.
Talkback
My initial response to this news item is 'Phorm over my dead body', so I will vote with my feet. Actually, I am suspicious that my ISP is already installing the additional hardware.
I have read a technical brief here
http://www.cl.cam.ac.uk/~rnc1/080404phorm.pdf
about how it works and, even if (and that's a big if) it's not objectionable now, it could easily be extended to be so. In addition, it seems we must take a great deal on trust, something that is in short supply these days. Furthermore I would object to any take it or leave it change to my agreement with my ISP's.
Surely Phorm can also be compromised, possibly without much difficulty.
Can anyone clarify, is Phorm really blocked if its cookie is blocked, as suggested in the above technical brief, or will Phorm still have a look but then just deliver random adverts rather than targetted ones.
For those interested there is a meeting in London University with Phorm next Wednesday, see here for details
http://www.8020thinking.com/events.html
The meeting is on Tuesday, not Wednesday. Details below.
The Phorm system: a Town Hall dialogue and briefing
Tuesday April 15th, 18.30-20.30
The Lecture Theatre, Brunei Gallery, School of Oriental & African Studies, University of London, Thornhaugh Street, Russell Square, WC1H 0XG