Feeds

Information Commissioner: Phorm must be opt-in only

Data protection probe into secret trials too

Boost IT visibility and business value

Updated The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law.

Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT has not commented on how its national deployment will obtain consent.

Virgin Media meanwhile says that despite Phorm's note to the contrary, it did not "confirm [an] exclusive agreement" (to implement Phorm) - merely a memorandum of understanding that if it does decide to track customers, Phorm will be the technology provider. A concerned customer claims that he was told by CEO Neil Berkett's office: "We haven't signed up with Phorm, we've expressed an interest."

The ICO's tougher stance also means that as far as the ICO is concerned, BT and Phorm's secret and allegedly illegal trials without consent conducted in 2006 and 2007 are subject to investigation under DPA.

A spokeswoman said more news on the probe will be forthcoming, but was unable to provide a timetable for when the tens of thousands who were tracked and profiled can expect to see those responsible held to account. BT has refused to answer questions on why it believes it acted within the law.

The ICO released a first version of its statement on Friday 4 April and was branded a "green light for law breaking" by legal experts at the Foundation for Information Policy Research (FIPR). The long-awaited document merely parroted assurances that web browsers will be anonymous.

The extensively-rewritten statement now however includes strongly-worded concerns about the system under the data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), which grant the ICO's powers.

Today's statement, which only covers future deployments of Phorm technology, reads:

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention.

To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

The PECR is an implementation of a 2003 European directive aimed at protecting personal privacy online.

Nicholas Bohm, FIPR's general counsel, welcomed the ICO's revised statement. "It's good news that he [Information Commissioner Richard Thomas] says that nothing less than an explicit opt-in will do. It's a strong and valuable conculsion to draw."

The Commissioner also used the statement to pass responsibility for enforcing the Regulation of Investigatory Powers Act to the Home Office. Bohm criticised the move, saying: "I'm sorry he has ducked the interception issue. In my opinion his hands are not tied, and he is perfectly entitled to investigate any general unlawfulness around personal data."

BT and Phorm were unavailable for comment. ®

Updates

80/20 Thinking, the consultancy firm that produced an interim privacy report for Phorm, has organised a "Town Hall meeting" on 15th April in London, where the public can address Phorm's CEO Kent Ertugrul and technical SVP Marc Burgess. Details here.

Phorm sent us another statement:

We've not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.

We're very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.

Still no mention of those trials, eh?

Seven Steps to Software Security

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Microsoft unsheathes cheap Android-killer: Behold, the Lumia 530
Say it with us: I'm King of the Landfill-ill-ill-ill
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
Oh girl, you jus' didn't: Level 3 slaps Verizon in Netflix throttle blowup
Just hook us up to more 10Gbps ports, backbone biz yells in tit-for-tat spat
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.