The Register ®

Biting the hand that feeds IT

The Register » Comms » Networks »

Original URL: http://www.theregister.co.uk/2008/04/17/ripa_phorm_shambles/

BT's secret Phorm trials open door to corporate eavesdropping

By Chris Williams
Published Thursday 17th April 2008 09:54 GMT

The government has refused to investigate BT's covert wiretapping of thousands of its customers in 2006 and 2007, despite its own expert's view that without consent Phorm's advertising targeting technology is a breach of criminal law.

Whitehall's willingness to turn a blind eye to the fact that tens of thousands of people were spied on by big business in order to serve up targeted marketing has angered web users. "I'm absolutely sickened and appalled," Pete John, who has tried to interest authorities, told The Register this week.

BT customers who have attempted to report the secret listening and profiling experiments to the police have been told to approach the Home Office. One was subsequently told over email by an official: "It is important to remember that private companies such as ISPs are allowed to do certain things under section 3 of [the Regulation of Investigatory Powers Act] that Law Enforcement Agencies cannot do without permission."

The Home Office advice to BT and Phorm meanwhile, written by civil servant Simon Watkin (http://cryptome.org/ho-phorm.htm), says a proposed Phorm deployment may be legal under RIPA only if consent is obtained.

BT and Phorm did not obtain any consent for either the autumn 2006 or the summer 2007 trial. The technical report on the earlier secret wiretap states: "The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience."

The pair claim the two trials were legal under UK law, but refuse to provide any explanation as to why. BT says it doesn't know which of its customers it co-opted into the system.

A Home Office spokesman told The Register yesterday that responsibility for infringements of the Regulation of Investigatory Powers Act 2000 (RIPA) lies with the the Investigatory Powers Tribunal (http://www.ipt-uk.com/default.asp).

However, the tribunal only has powers to investigate eavesdropping carried out on behalf of law enforcement, not commerce. Its website states (http://www.ipt-uk.com/default.asp?sectionID=2): "The tribunal has no jurisdiction to investigate complaints about private individuals or companies unless you believe they are acting on behalf of an intelligence agency, law enforcement body or other public authority covered by RIPA."

Liberal Democrat shadow culture, media and sport secretary Don Foster blasted the Home Office's brick wall stance today. "It is clear the government is completely confused over who has responsibility for this matter. The Information Commissioner's Office and the public have expressed considerable concerns and it is time for the Government to stop passing the buck and deal with the matter immediately," he said.

"The Home Office needs to step up to the plate and decide whether BT's secret technical tests were legal and, if not, decide what will be done about them."

Foster is meeting BT executives next week to question them on the trials.

The Information Commissioner's Office (ICO) is meanwhile investigating the tests for alleged breaches of the Data Protection Act and Privacy and Electronic Communications Regulations, but not the alleged criminal wiretap under RIPA. The ICO's work is based on a complaint from Stephen Mainwaring, the BT Business customer in Weston-super-Mare that we revealed (http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/) was misled by his ISP over its involvement with Phorm last summer.

In its broad public statement on Phorm (http://www.ico.gov.uk/about_us/news_and_views/current_topics/phorm_webwise_and_oie.aspx), the ICO also referred the question of an illegal interception under RIPA to the Home Office. It wrote: "The Home Office is responsible for compliance with RIPA, and Phorm has approached the office directly and had a written response."

But as we've seen, that response referred to a proposed deployment, not historical secret interceptions. The internet legal think tank FIPR has described the RIPA case against the trials as "clear cut".

The Home Office's spokesman, however, disavowed any responsibility for holding the pair to account for eavesdropping on what is now known (http://www.theregister.co.uk/2008/04/14/bt_phorm_2007/) to be between 38,000 and 108,000 customers. "The tribunal is there for people who have a complaint," he said. We pointed out that the interception tribunal only has jurisdiction over law enforcement. The Home Office refused to say where people can go to report that they believe they have been illegally eavesdropped upon by a company.

The spokesman repeatedly said the Home Office "has made a statement and won't be adding to it".

Pete John raged: "BT and Phorm seem to be above the law. No one wants responsibility for enforcing complaints against ISPs. ICO say the Home Office. The Police say the Home Office. The Home Office say they have no investigative role." ®

© Copyright 2008