Feeds

UK.gov misses deadline on EU Phorm probe

Commission's data pimping quiz-o-gram leaked

Intelligent flash storage arrays

This is the full text of the letter sent by Fabio Colasanti to Kim Darroch on 30 June.

Dear Sir,

I am writing to you in relation to certain issues arising from the past and future deployment by some major United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their customers with targeted advertisements based on prior analysis of these customers' internet usage.

In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the privacy of Internet users. The information published on the web also included an e-petition submitted to the Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April 2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006 and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without informing the customers affected and obtaining their consent.

The European Commission has already been contacted by Members of the European Parliament from the United Kingdom who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the Commission to comment on the applicability of WU legislation and also to set out its intended action in relation to the previous trials. Finally, a number of individuals have also written to the Commission directly to express their concerns and invite it to intervene in the matter.

In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy and electronic communications may be applicable to other activities involved in the deploment of Phorm technology by ISPs.

In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and complements for the electronic communications sector the general personal data protection principles defined in the directive 94/45/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of communications and related traffic through national legislation. They are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be processed for certain defined purposes and for a limited period. The subscriber must be informed about the processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user must be obtained (Article 6 of Directive 2002/58/EC).

In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with information on (1) the current handling by the United Kingdom authorities of the issues arising from the past trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the planned deployment of the Phorm technology by ISPs.

As regards the first issue, according to applicable EU law the responsibility for investigating complaints concerning such trials and determining whether the national legal provisions implementing the requirements of the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000 (RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home Office, which says that it is questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO statement does not include any indication as regards the intentions of the ICO in relation to the investigation of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.

Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology, there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One of the most significant issues in this regard is the way in which customers will express their consent to the application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated that it intends to tackle user consent through providing 'transparent meaningful user notice'.

I would therefore be grateful to receive the response of the United Kingdom authorities on the following questions:

1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1) of Directive 95/46/EC?

2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any breaches of the national law transposing each of the above-mentioned provisions of Community law arising from the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those provisions where appropriate?

3. Have there been any investigations about the past trials of Phorm technology by BT and what were their results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible similar activities by other ISPs?

4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article 15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including the courts?

5. According to the information available to the United Kingdom authorities, what exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?

Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of this letter.

Yours sincerely,

Fabio Colasanti

*We might be able to help on this point.

Another letter to BT from the ICO (part of the same FOIA request as correspondence between the ICO and Phorm) said:

Whilst it does appear likely that a technical breach of the [PECR] Regulations occured in the 2006 and 2007 trials, there is no evidence to suggest significant detriment to the individuals involved. We acknowledge the difficulties that you have highlighted in providing meaningful information to customers about small scale, technical trials in cicumstances like this.

So to summarise, BT told the ICO it decided you were too stupid to understand Phorm in 2006 and 2007. The regulator agreed and decided not to investigate the secret trials under PECR.

However, public intelligence is now apparently at a level able to comprehend why a "more relevant" web is something worth consenting to a wiretap for, so the third trial will seek consent from its 10,000 subjects.

Beginner's guide to SSL certificates

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.