Phorm advert targeting system challenged by UK information policy think tank

The Phorm advert targeting system has come under further fire. Deals with BT, Virgin Media and TalkTalk were announced in February, allowing Phorm to scan web content in transit between web sites and browsers for the purpose of targeting advertisements to web users. Apart from some possibly BT-specific documentation recently leaked to the Register, little technical information about the system and its operation has yet been publicised. Nevertheless it has aroused considerable controversy, not least because it was announced that the browsing public would have to take explicit action to opt-out of a service that primarily benefits advertisers and ISPs rather than the public itself. So far, over 5,000 people have signed a petition asking the government to ban the service, and web pioneer Tim Berners-Lee believes that the browsing user and not the ISP should have rights over the data collected, so the consent of the user should be sought.

BT, one of the big three ISPs to sign up to the service, apparently conducted a secret trial last year, and some of its customers have threatened legal action. Nevertheless, BT plans a trial rollout to 10,000 customers this month. TalkTalk also recently announced that it too is going ahead, but it will make the service opt-in.

Even as these plans progress, the matter has been put before the Information Commissioner. The Foundation for Information Policy Research (FIPR) has published an open letter to the Commissioner, in which it argues that the basic principle on which Phorm operates breaches UK law. This is a case where the much-maligned Regulation of Investigatory Powers Act 2000 (RIPA) could come to the aid of personal privacy. The Foundation argues that Phorm's behaviour constitutes interception without the consent of both sender and recipient, which is an offence under Section 1 of the Act. The system could also be in breach of European Data Protection law unless explicit consent is obtained. The open letter points out that the widely argued implicit consent by a web page provider can be negated: "In the case of the many pages which are accessible only after registration of the user, access by an unregistered third party is plainly unauthorised (and sometimes expressly prohibited by the conditions under which access is permitted)". Such access could be unauthorised access under the Computer Misuse Act as well.

Phorm deny that the system breaches the law and contend that FIPR have misdescribed the system and its operation. However, FIPR is no lightweight technically. It is chaired by Professor Ross Anderson of the Cambridge University Computer Laboratory, well known for revealing uncomfortable security truths.

(mba)