An interesting technical analysis of the controversial Phorm technology has been released recently. It offers an informative look into the technology that is currently being rolled out for ISPs.
Imagine every bit of information you receive being analyzed before it even reached it’s intended destination. It’s a thought that helped caused an uproar in the United States with the debates over telecom warrentless wiretapping. Mix advertising from the Internet Service Provider and you may be moving towards the debates the British are having to deal with.
The Open Rights Group points us to new information being released. Various groups including ORG and the foundation for information policy research were invited by Phorm and the Information Commissioner’s Office to take a look at the system that has caused an uproar in Britain.
Clayton then blogged about his findings, offering an introduction to what he found:
Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.
Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.
Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.
The full analysis of the controversial technology can be found here (PDF)
“We now know that BT have already conducted secret trials of this technology, testing the effectiveness of snooping on their customers’ Internet activities. They claim to have received extensive legal and other advice beforehand, but have failed to give the reasoning on which this advice is based.” Nicholas Bohm, General Counsel for the Foundation for Information Policy Research, said in a FIPR press release, “As we pointed out in our letter, the illegality stems not from breaching the Data Protection Act directly, but arises from the fact that the system intercepts Internet traffic. Interception is a serious offence, punishable by up to two years in prison. Almost incidentally, because the system is unlawful to operate, it cannot comply with Data Protection principles.”
Meanwhile, Open Rights Group points out, “By coincidence, the Information Commisioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR’s invitation to consider the lawfulness of Phorm’s data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.”
In spite of the concerns surrounding the technology, the Information Commissioner issued the following statement (PDF)
The ICO has received a number of queries concerning the recent announcement by Phorm that 3 major UK Internet Service Providers have agreed to allow them to use technology, developed by Phorm, to present adverts to their customers based on the nature of the websites they visit.
Understandably, this has provoked considerable public concern. We have had detailed discussions with Phorm. They assure us that their system does not allow the retention of individual profiles of sites visited and adverts presented, and that they hold no personally identifiable information on web users. Indeed, Phorm assert that their system has been designed specifically to allow the appropriate targeting of adverts whilst rigorously protecting the privacy of web users. They clearly recognise the need to address the concerns raised by a number of individuals and organisations including the Open Rights Group. We welcome the efforts they are making to engage with sceptical technical experts
and believe that it is only by allowing their technology to be subject to detailed scrutiny by independent technical experts that they will be able to prove their assertions regarding privacy. The ICO strongly supports the use of technology in ways which enhance rather than intrude upon privacy, and plans to produce a report on “Privacy by Design” later this year.
It may lead one to wonder if the opposition to this technology is currently falling onto regulatory deaf ears.