Feeds

BT's secret Phorm trials open door to corporate eavesdropping

Government bumbling exposes oversight gap

Combat fraud and increase customer satisfaction

The government has refused to investigate BT's covert wiretapping of thousands of its customers in 2006 and 2007, despite its own expert's view that without consent Phorm's advertising targeting technology is a breach of criminal law.

Whitehall's willingness to turn a blind eye to the fact that tens of thousands of people were spied on by big business in order to serve up targeted marketing has angered web users. "I'm absolutely sickened and appalled," Pete John, who has tried to interest authorities, told The Register this week.

BT customers who have attempted to report the secret listening and profiling experiments to the police have been told to approach the Home Office. One was subsequently told over email by an official: "It is important to remember that private companies such as ISPs are allowed to do certain things under section 3 of [the Regulation of Investigatory Powers Act] that Law Enforcement Agencies cannot do without permission."

The Home Office advice to BT and Phorm meanwhile, written by civil servant Simon Watkin, says a proposed Phorm deployment may be legal under RIPA only if consent is obtained.

BT and Phorm did not obtain any consent for either the autumn 2006 or the summer 2007 trial. The technical report on the earlier secret wiretap states: "The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience."

The pair claim the two trials were legal under UK law, but refuse to provide any explanation as to why. BT says it doesn't know which of its customers it co-opted into the system.

A Home Office spokesman told The Register yesterday that responsibility for infringements of the Regulation of Investigatory Powers Act 2000 (RIPA) lies with the the Investigatory Powers Tribunal.

However, the tribunal only has powers to investigate eavesdropping carried out on behalf of law enforcement, not commerce. Its website states: "The tribunal has no jurisdiction to investigate complaints about private individuals or companies unless you believe they are acting on behalf of an intelligence agency, law enforcement body or other public authority covered by RIPA."

Liberal Democrat shadow culture, media and sport secretary Don Foster blasted the Home Office's brick wall stance today. "It is clear the government is completely confused over who has responsibility for this matter. The Information Commissioner's Office and the public have expressed considerable concerns and it is time for the Government to stop passing the buck and deal with the matter immediately," he said.

"The Home Office needs to step up to the plate and decide whether BT's secret technical tests were legal and, if not, decide what will be done about them."

Foster is meeting BT executives next week to question them on the trials.

The Information Commissioner's Office (ICO) is meanwhile investigating the tests for alleged breaches of the Data Protection Act and Privacy and Electronic Communications Regulations, but not the alleged criminal wiretap under RIPA. The ICO's work is based on a complaint from Stephen Mainwaring, the BT Business customer in Weston-super-Mare that we revealed was misled by his ISP over its involvement with Phorm last summer.

In its broad public statement on Phorm, the ICO also referred the question of an illegal interception under RIPA to the Home Office. It wrote: "The Home Office is responsible for compliance with RIPA, and Phorm has approached the office directly and had a written response."

But as we've seen, that response referred to a proposed deployment, not historical secret interceptions. The internet legal think tank FIPR has described the RIPA case against the trials as "clear cut".

The Home Office's spokesman, however, disavowed any responsibility for holding the pair to account for eavesdropping on what is now known to be between 38,000 and 108,000 customers. "The tribunal is there for people who have a complaint," he said. We pointed out that the interception tribunal only has jurisdiction over law enforcement. The Home Office refused to say where people can go to report that they believe they have been illegally eavesdropped upon by a company.

The spokesman repeatedly said the Home Office "has made a statement and won't be adding to it".

Pete John raged: "BT and Phorm seem to be above the law. No one wants responsibility for enforcing complaints against ISPs. ICO say the Home Office. The Police say the Home Office. The Home Office say they have no investigative role." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Virgin Media so, so SORRY for turning spam fire-hose on its punters
Hundreds of emails flood inboxes thanks to gaffe
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
Google looks to LTE and Wi-Fi to help it lube YouTube tubes
Bandwidth hogger needs tube embiggenment if it's to succeed
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.