Out-Law / Your Daily Need-To-Know

EDITORIAL: Critics have branded Phorm a regulatory rogue. Its targeted advertising technology will bend our laws and even break them. But these will be hairline fractures – even if Phorm's operation makes you wince.

At a public meeting in London in April, Phorm CEO Kent Ertugrul explained why he considers Phorm a revolution in privacy. Dr Richard Clayton of Cambridge University told the audience why he thinks that Phorm's revolution is about to overthrow privacy.

Phorm piggybacks on your ISP's network to monitor your online activity. When you read a page on the web, Phorm reads it too. Phorm then categorises you based on its understanding of your reading choices and search engine searches.

The AIM-listed company has deals with online publishers to help them display adverts that match each visitor's interests. If you read a lot of pages about photography, you'll see ads for cameras when you visit a partner site like FT.com.

An advertiser can be very specific about what will be displayed at a site like FT.com. For instance, Canon could instruct Phorm to deliver adverts for its latest digital camera to anyone who visited a web page identified by Canon as giving a glowing review the previous week. It can narrow that request even further: Canon can tell Phorm only to deliver the ad to anyone who read that review and also visited more than two other pages that mentioned the model name, e.g. IXUS 970, within the past three days.

I put this hypothetical to Phorm. It stressed that Canon would have to provide at least 10 URLs in its targeting instructions, not just one review page. This, said Phorm, is part of its privacy protection; though it seems to me that there is nothing to stop Canon providing nine URLs that it knows nobody will ever visit.

Exactly how Phorm does all of this profiling is hard to understand. As Ertugrul said when he took to the floor, "It's difficult to convey in a sound-bite what it does and doesn't do." Dr Richard Clayton wrote an excellent analysis (11-page / 83KB PDF) of what it does and doesn't do. But if you don't know your Layer 7 switches from your 307 redirects, some of it may be lost on you.

After reading Dr Clayton's paper and other reports, attending last month's meeting and talking to Ertugrul, I think I understand most of what Phorm does and doesn't do. I am confident that I do not understand all of it.

There are certainly good things about Phorm. First and foremost, it never knows who you are, it can't find out and it has no record of where you've been. Further, its profiling is unlikely to reveal private secrets on shared computers. "We do not do anything sensitive," said Ertugrul. "We do not deal with drugs, we do not do medical, we do not do alcohol – this is PG-rated."

"Before you say 'do we target children?' – no, we do not do that either," he said. The company also says that participation is always a choice.

Notwithstanding, while Dr Clayton's paper focused on how the Phorm technology operates, his response to Ertugrul on Tuesday night made clear his feelings on the legal and social aspects. He loathes it.

"As the system is currently proposed I think it is just downright illegal," he said, making reference to various laws. However, it might not break the spirit of any of them. Dr Clayton was citing technical breaches and technical breaches are common.

Arguably Google breaks copyright laws when it indexes the web; Arguably Microsoft breaks anti-spam laws when it attaches tiny ads to the foot of Hotmail emails. But nobody cares about such minor transgressions. After all, where's the harm?

Legal risks and new technology are inextricably linked. Typically, upon being identified, some risks will be avoided, some will be mitigated and some will be ignored. Phorm has to look at all the legal risks and decide which ones to address, which ones to mitigate and which ones it can afford to ignore.

In my view there are two main laws that have to be addressed by Phorm. One is the Regulation of Investigatory Powers Act (RIPA), the other is the Privacy and Electronic Communications Regulations (PECR). Phorm passes or fails each law in its roll-out and the test is straightforward: whether or not there is consent on the part of users. Phorm insists that there is consent.

Phorm and RIPA

RIPA is the UK's wire-tap law. Its primary relevance to Phorm is a provision that makes interception of communications between two parties illegal unless both parties consent to that interception. If Phorm does not have the consent of the person being profiled, Phorm is illegal. That would be a clear and serious breach of RIPA. Phorm and/or its ISP partners would be at risk of prosecution. If it has the consent of that party, though, there is no problem under RIPA in my view.

The Foundation for Information Policy Research (FIPR) and Dr Clayton, the FIPR's treasurer, have argued that only one party to the communication has given consent. That's not good enough, they say. They rightly point out that the law demands permission from both parties. This is explained in full in the FIPR's legal analysis (16-page / 231KB PDF).

In most cases, the other party involved is a website, not an individual. Can you imply the permission of websites? In most cases I think you can.

Google implies the consent of every site that it visits, examines, indexes and copies to its cache. That has been challenged in a US court – and Google won the case by running the implied consent argument. There is a simple means of telling Google to stay away. Phorm will find that instruction, which is hidden in the code of a site, and respect it as the search engine would. If you're a site that wants Google's attention but not Phorm's, though, you will need to contact Phorm and ask it to keep away.

Dr Clayton observed that Google itself might object. Its cash cow is in serving ads relevant to search queries. Will Google consent to someone else scanning those searches and selling the data to third parties?

"I suggest the answer is no," said Dr Clayton. I think he's right. Surely Google will see Phorm as a parasite. Should Phorm refuse to stay away (there is surely no better venue than Google's at which to survey users' interests), a court battle is possible. The outcome of that will have no impact on most other sites, though. Google's slice of the UK search market has left only crumbs for the rest.

A few site operators will object to the scanning and page analysis; but most won't care. Will there be a RIPA prosecution? I can't see it. The Crown Prosecution Service (CPS) is more likely to say that there is no harm caused to anyone.

What about Phorm scanning your Hotmail account? Surely that's more personal? Except that it won't scan Hotmail – Phorm has a blacklist of sites that won't be monitored and Hotmail is on it. That list, according to Phorm, runs to 500 sites and counting. Dr Clayton pointed out that there are far more than 500 webmail services; but again the CPS will more likely focus on the harm. There isn't any harm of a nature that courts are familiar with.

The Home Office has already said that targeted online advertising like Phorm's can comply with RIPA, provided there is consent. (FIPR says the advice is misleading and should be withdrawn.)

Phorm and PECR

PECR deals with cookies and Phorm's use of cookies is highly unusual. PECR says that internet users must be "provided with clear and comprehensive information about the purposes of the storage of, or access to" cookies. That's a notification requirement. In most cases, it's addressed in a website privacy policy. But where there is an unusual use of cookies – and Phorm's is the strangest I've ever seen – I'd say that a mention in a privacy policy is insufficient. It must be up-front, part of a mandatory screen. PECR also says that people must be "given the opportunity to refuse the storage of or access to" cookies. Ertugrul says that's what will happen. Everyone will have that opportunity.

There is another provision of PECR that the Information Commissioner considered in relation to Phorm. It provides that "traffic data" relating to an ISP's customer may be used by that ISP for marketing purposes provided the customer consents to such use. PECR defines traffic data narrowly – and Phorm claims its uses escape that definition.

This point is academic, though: Phorm plans to get consent to comply with RIPA – the law that carries stiffer penalties for non-compliance.

The Information Commissioner's Office (ICO) has given Phorm its qualified approval.

"Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis," said a statement from the ICO. "In addition we are told that users will be able to easily access information how to change their mind at any point and free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice."

It concluded that Phorm can operate in a way that is compliant with the Data Protection Act and PECR; but it "must be sensitive to the concerns of users," said the statement. "The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision."

Opting-out

A major concern with Phorm had been what would happen when people say 'no thanks' because they dislike the idea of Phorm; or if they tire of seeing adverts for cameras and want to switch it off. According to reports, saying 'no' to Phorm puts a cookie on your computer that would remind its system to ignore you.

That gave me a concern. Sometimes people delete all of their cookies at once. Internet Explorer and Firefox make that easy to do with a single click. If you do that when your ISP uses Phorm, you delete that opt-out cookie and, I had assumed, switch on the profiling without notification. That is not the case, according to Phorm.

A spokesperson told me yesterday that if the user deletes the opted-out cookie, perhaps by mistake, that user is returned to the welcome screen and asked to exercise the choice again: do you want Phorm or not? Alternatively, a user who knows his way around Firefox or Internet Explorer can set his browser to block all cookies in the webwise.net domain and thereby remain Phorm-free.

There is another variant of Phorm's system that does not rely on cookies at all. This is a network-based opt-out and it was not available in the original design. With the network-based approach, no means no: opting-out keeps you out unless you change your mind. BT and Carphone Warehouse are looking to offer their customers a network-based solution, according to reports.

I also put to Phorm a quote by Phorm's Senior Vice President of Technology, Marc Burgess.

The Register asked: "So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?"

Burgess replied: "What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us."

"This quotation referred to a generic Webwise implementation," Phorm' spokesperson told me yesterday. "In most implementations, the traffic of opted-out users is not even mirrored to the Profiler."

Phorm says it gives ISPs the choice. "ISPs can choose network-based methods that route traffic away from Webwise servers, but their ability to do this depends on their infrastructure and support systems," it said.

If these protections were part of Phorm's design from the start, I suspect the company would have had fewer critics. In any case, they should improve Phorm's standing in the event of complaints to the Information Commissioner. 

On a purely commercial level I have some doubt about whether Phorm is offering enough of an incentive to users to sign up in the first place. As a consumer, the incentive of a discount on broadband subscriptions will tempt me; but offers of anti-phishing protection and more-relevant advertising leave me cold.

I asked Ertugrul if I could see sample wording for the screen that ISP customers will see when they're offered Phorm's service. "We don't have samples," he replied. Phorm will guide the ISP on what to put in the message, he explained, but Phorm won't write the message for them. I asked if the basic message would reveal who was behind the technology and what the technology does. "Yes, absolutely," he replied. All that would be clear without having to click a link, he said, and further details will be one click away.

The wording on that screen is critical to Phorm's success: it has to encourage sufficient users to give consent. But that message is also critical to RIPA and PECR compliance: it must be transparent.

Other laws

Dr Clayton cited other legal concerns. Phorm impersonates the domains of other sites that you visit in order to put cookies on your machine. Dr Clayton said he thinks this is illegal under the Fraud Act, which outlaws dishonestly making a false representation. Doing that for gain, even if nobody suffers harm, is an offence. But once again, I can't see the CPS getting involved.

He also raised the issue of defamation. The Bank of England says in its privacy policy: "We do not use cookies to collect information about you." Dr Clayton said that people who visit that site may then examine their hard disks and find cookies that appear to come from the Bank of England. "So right-thinking people will think less of the Bank of England as a result," he said. "That is what in law we call defamation."

Courts set a threshold for defamation actions that blocks trivial cases. Phorm's cookie activity won't cross that threshold. In any case, Phorm points out that close inspection will reveal its cookies' true progeny.

There might be even more legal issues that Dr Clayton didn't mention. For example, our copyright laws allow temporary copies of a page – but not where there's an "independent economic significance" to the copying. Phorm copies web pages and examines the words. That's possibly an infringement – but once again, the breach is trivial.

Dr Clayton's biggest concern appears to be the invasion of his privacy.

"They [Phorm] have really addressed the issues of data protection," he said. "But privacy and data protection are not the same thing at all."

For the Data Protection Act, Dr Clayton said, anonymity "fixes everything". But Dr Clayton said privacy is about "whether you're prepared to disclose information that's important to you." Which makes it a personal choice – and one that Phorm says it will give.

"This is a bit like the Post Office looking through all of your letters so they can send you a better class of junk mail," he said. "It's a bit like Tesco collating your shopping list so that when you go over to McDonald's they can give you the vegetarian menu." The analogies are valid and the Post Office and Tesco could do these things – but if there's informed consent, which is what Phorm is promising there will be, that's perfectly legal. Whether you like the idea or not is a different thing.

It all boils down to consent. Ertugrul said there will be a screen presented to people to ask them if they consent to Phorm and they will get periodic reminders that Phorm is switched on. I asked, "will they be given the choice of yes or no?" Ertugrul replied "Yes." I asked, "Always?" Ertugral said "yes".

If it is operated with consent and transparency, Phorm's privacy revolution looks like it may happen quietly without waking the Home Office, the CPS or the ICO. Others may want to run for their private lives. But Phorm could be the future, a future in which targeted advertising is essential to the business model of an ISP.

By Struan Robertson, Editor of OUT-LAW.COM. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons LLP.


UPDATE, 02/05/2008: Some readers have asked for my opinion on BT's trial of Phorm, a trial that ran without user consent. Did it breach RIPA? Personally, I think that it probably did. But I doubt the question will ever come before a court. The Home Office has already indicated that it does not intend to take action. I expect that is because it views the trial as an isolated incident. It would only take action if it believed that Phorm would normally operate without consent. Some have compared BT's trial to the actions that led to the conviction under RIPA of Demon and Redbus founder Cliff Stanford. I think a court would consider the circumstances quite different, though.

Three readers have also noted that Pinsent Masons is one of the firms on BT's legal panel and asked me to disclose that relationship on this page. The firm is on BT's legal panel though we didn't advise on Phorm. As a large commercial law firm we are on lots of companies' legal panels.
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.