Feeds

Information Commissioner: Phorm must be opt-in only

Data protection probe into secret trials too

Intelligent flash storage arrays

Updated The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law.

Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT has not commented on how its national deployment will obtain consent.

Virgin Media meanwhile says that despite Phorm's note to the contrary, it did not "confirm [an] exclusive agreement" (to implement Phorm) - merely a memorandum of understanding that if it does decide to track customers, Phorm will be the technology provider. A concerned customer claims that he was told by CEO Neil Berkett's office: "We haven't signed up with Phorm, we've expressed an interest."

The ICO's tougher stance also means that as far as the ICO is concerned, BT and Phorm's secret and allegedly illegal trials without consent conducted in 2006 and 2007 are subject to investigation under DPA.

A spokeswoman said more news on the probe will be forthcoming, but was unable to provide a timetable for when the tens of thousands who were tracked and profiled can expect to see those responsible held to account. BT has refused to answer questions on why it believes it acted within the law.

The ICO released a first version of its statement on Friday 4 April and was branded a "green light for law breaking" by legal experts at the Foundation for Information Policy Research (FIPR). The long-awaited document merely parroted assurances that web browsers will be anonymous.

The extensively-rewritten statement now however includes strongly-worded concerns about the system under the data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), which grant the ICO's powers.

Today's statement, which only covers future deployments of Phorm technology, reads:

Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses in that profiling and is able to link its customers to an IP address although this may not be its intention.

To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

The PECR is an implementation of a 2003 European directive aimed at protecting personal privacy online.

Nicholas Bohm, FIPR's general counsel, welcomed the ICO's revised statement. "It's good news that he [Information Commissioner Richard Thomas] says that nothing less than an explicit opt-in will do. It's a strong and valuable conculsion to draw."

The Commissioner also used the statement to pass responsibility for enforcing the Regulation of Investigatory Powers Act to the Home Office. Bohm criticised the move, saying: "I'm sorry he has ducked the interception issue. In my opinion his hands are not tied, and he is perfectly entitled to investigate any general unlawfulness around personal data."

BT and Phorm were unavailable for comment. ®

Updates

80/20 Thinking, the consultancy firm that produced an interim privacy report for Phorm, has organised a "Town Hall meeting" on 15th April in London, where the public can address Phorm's CEO Kent Ertugrul and technical SVP Marc Burgess. Details here.

Phorm sent us another statement:

We've not yet had the opportunity to discuss PECR with the ICO but will do shortly. However, the law is quite clear stating that any system requires valid, informed consent. We believe the approach that we will take to user notice will not only provide for such consent, but will in fact exceed the level of notice provided by anyone else.

We're very confident, as has been the case with the DPA and RIPA, that closer scrutiny will demonstrate that the way in which we obtain consent will substantially exceed any legal requirement.

Still no mention of those trials, eh?

Internet Security Threat Report 2014

More from The Register

next story
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.