The Register® — Biting the hand that feeds IT

Feeds

Brussels to sue UK over Phorm failures

ICO and Phorm respond

By Christopher Williams, 14th April 2009
  • print
  • alert

Magic Quadrant for Enterprise Backup/Recovery

Updated The European Commission has revealed plans to sue the UK government over its failure to take any action against BT and Phorm for their secret broadband interception and profiling trials.

Last year The Register revealed the pair had run covert wiretaps on tens of thousands of broadband lines in two trials in 2006 and 2007, to profile web use on behalf of advertisers.

In a statement released today, EU telecoms Commissioner Viviane Reding said the Phorm case showed UK laws needed to be tightened to protect consumers and comply with the ePrivacy Directive. New Labour signed the UK up to the ePrivacy Directive in 2002 and it came into force in October 2003.

"I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications," Reding said.

"This should allow the UK to respond more vigorously to new challenges to ePrivacy and personal data protection such as those that have arisen in the Phorm case."

Under UK legislation, responsibility for enforcing the ePrivacy Directive lies with the Information Commissioner's Office (ICO). It had discussions with BT and Phorm about the secret trials but declined to take any action. The ICO accepted BT's argument that it would have been hard to explain Phorm's interception and profiling system to internet users whose communications it was being tested on.

The ICO did not immediately respond to a request for comment today; we'll update this story when it does.

Announcing the infringement action, the Commission also said it was concerned that the UK does not have an authority to regulate interception of communications by private companies.

The ICO does not have responsibility for enforcing the Regulation of Investigatory Powers Act (RIPA), which governs interception, and the Office of the Surveillance Commissioners is mandated only to investigate interceptions by public authorities. The police meanwhile declined to act over BT and Phorm's trials, saying there was "implied consent" and a lack of criminal intent.

The Commission said: "Under UK law, which is enforced by the UK police, it is an offence to unlawfully intercept communications. However, the scope of this offence is limited to 'intentional' interception only.

"Moreover, according to this law, interception is also considered to be lawful when the interceptor has 'reasonable grounds for believing' that consent to interception has been given. The Commission is also concerned that the UK does not have an independent national supervisory authority dealing with such interceptions."

After it had carried out the two trials, Phorm sought advice from the Home Office on whether its technology complied with RIPA. An official replied that he believed it could be if consent was sought from each broadband customer. Outside legal experts have since disputed that advice, arguing consent would also be needed from every website whose data was intercepted.

The Commission's action follows several months of letter-writing back and forth between Brussels and Whitehall. It has sent the Department for Business, Enterprise and Regulatory Reform (BERR), which handles UK government communications with the Commission, two months' notice of formal action. If it receives no reply or an unsatisfactory reply, it may decide to issue "a reasoned opinion", which is the next stage of the infringement process.

If following that the government does not bring UK law into line with European obligations, the Commission could sue in the European Court of Justice in Luxembourg. It has powers to heavily fine member states who infringe EU law.

A BERR spokeswoman confirmed officials had received the Commission's notice. "We will be considering the issues raised and will respond within the required timeframe. It would be inappropriate to comment further at this time," she said.

At time of publication spokespeople for BT and Phorm had not returned our calls. Again, we'll update this story when they do. Previously both have claimed they took legal advice prior to the trials, but refused to reveal what it said.

We've reproduced the Commission statement in full on the next page. ®

Update

Phorm returned our call via email just after 4pm. It sought to soothe investors, saying it does not expect the Commission's action to have any impact on its plans. It did not address the legal status of its previous secret trials.

Here's the statement in full:

The EU Commission has announced today that it is starting infringement proceedings against the UK Government concerning the alleged failure of UK legislation to conform in certain respects with EU e-privacy and personal data protection rules. This is obviously a matter for the Commission and the UK Government.

However, in so far as the Commission's announcement references Phorm's technology, we should like to make the following points clear. Phorm's technology is fully compliant with UK legislation and relevant EU directives. This has been confirmed by BERR and by the UK regulatory authorities and we note that there is no suggestion to the contrary in the Commission's statement today. We do not envisage the Commission’s proceedings will have any impact on the company's plans going forwards.

Furthermore, Phorm's system stands out from other online advertising systems in that it does not store personal data, or browsing histories. Finally, consistent with UK and EU legislation, and in anticipation of any changes that may be made to the law in the future, our system offers un-missable notice and clear and persistent choice to consumers.

This release clarifies any misunderstandings that may have arisen following the Commission's announcement.

Update 2

The ICO returned our call via email at about 4.30pm. It argued that the Commission was referring to intercept law and so implied it was not directly involved.

In assessing the ICO's argument, note that PECR is the set of regulations implementing the ePrivacy Directive (as referred to by the European Commission) in the UK. Here's the statement in full:

The ICO regulates and enforces the Data Protection Act, Freedom of Information Act and Privacy and Electronic Communications Regulations. These infringement proceedings from the EU appear to relate to the interception of communications, which is not part of the ICO's remit. Interception of communications is covered by the Regulation of Investigatory Powers Act, which is separate to the Data Protection Act and not regulated by the ICO.

The ICO has been involved in discussions with Phorm regarding the technology's compliance with the DPA and PECR only. A system such as Phorm can operate in a way which is in compliance with both these acts but must be sensitive to the concerns of users. Information must be provided to individuals that enables them to make a meaningful choice about whether or not to be involved in the use of the technology. The ICO will keep this technology under review as it develops.

Agentless Backup is Not a Myth

Next page: Telecoms: Commission launches case against UK over privacy and personal data protection

Page:

COMMENTS

House Rules Send Corrections
All Reader Comments (122)
Latest Comments
Andy Watt

Phorm "fights back"? nyah nyah nyah

Phorm are trying to fight back but apparently their stroppy-sounding site is not winning them any plaudits -

http://www.guardian.co.uk/media/pda/2009/apr/28/phorm-startups

"The decision to publish this site feels to me like a sign that Phorm is dying, and this is one of its final throes." (quote from the guardian article)

This is truly a victory for people power. Let's keep it up and "smear" these bastards into a greasy stain - and any others who seek to try to use the same technology. It's not smearing; if the public does not want something then they DO NOT WANT IT - and you cannot blind them with science in an attempt to foist the tech on them.

Recent revelations through FOI regarding Phorm's collusion with the home office over the legislation for behavioural advertising show the government simply can't be trusted to know what this technology is about - we, the tech-literati people MUST keep dogging Phorm and their ilk out of existence.

0
0
John Smith

AC@13:21

"It seems the only people who will benefit from Phorm's business model are Phorm themselves, the ISPs using the service and the paying advertisers."

Correct.

AFAIK Phorm's target customers are all the *other* online book stores who would want a slice of Amazon's business. Amazon seems to have a pretty big slice of the on-line buying business, not just in books.

Phorm *can* be sold (with my Marketing hat on) as a tool to level the internet playing field with the big boys in e-commerce. NB Do *not* read that last sentence as approval.

The impression I get of Phorm is they think "Year, we'll steal their business and they cannot retaliate. Besides, it's not us, it's the ISP's we license to." They seem to forget that big players can hire big lawyers and good techs. If Amazon feel threatened they will find a way to make being one of the Phorm gang a very expensive proposition.

A word to any AC's who might protest my use of the word "gang." Lets see Russian offices (sited in the capital for malware authorship and phishing and CP site hosting ?), history of malware as 121 media, forged ID cookies, claims of code inserted into pages returned from non affiliated websites (is that for real?). A number of people working together to carry out organised criminal activity. That's a conspiracy is it not? I don't think we have a UK version of the RICO statutes but we can recover assets acquired as the result of criminal activity.

I'm off to take a long hot shower now. Just that superficial defending of Phorm's business model has made me feel quite dirty.

0
0
Anonymous Coward
Anonymous Coward

@Tony Paulazzo - Way off topic

"Score 1 for democracy, finally."

Out of interest where does democracy come into this?

The EC are the ones taking action against our government, our government are democratically elected the EC are not. So I'm affraid it's Score 1 AGAINST parliamentary democracy.

Gordo has an interesting attitude to politicians appointed rather than elected to posts. He likes the EC when it's on his side and thinks he can ignore it when it isn't. He doesn't like the control the house of lords has, but OTOH like to stuff his cabinet with unelected lords.

As more and more elected members fall out with the PM he will appoint more and more labour appointed lords to his cabinet until we have a postion where the only elected member in the cabinet is the prime minister and nobody elected him to that position. I'm so glad this is a democratic nation. Oh... hang on.

0
0

More from The Register

1,000 O2 staff chose redundancy over Capita
Betrayal, or just decent terms?
48
breaking news
Pttow! Ofcom kicks hams out of MoD bands
Geet off my land, you, you ... 'secondary user'
30
breaking news
Now you can use your phone instead of your wallet at the ATM, too
Blimey, these little paper towels out of the vending machine are really expensive
47
breaking news
UK.gov's £530m bumpkin broadband rollout: 'Train crash waiting to happen'
Whitehall whispers of damning watchdog report next month
30
Google launches broadband balloons, radio astronomy frets
A careless Loon could blind the square kilometre array
46
breaking news
MySpace zaps millions of teens' tearful rants, causes wave of angst
'Your crappy redesign SUCKS, I wanna read my blogs' screech users
53
breaking news
Microsoft Office 365 on iPhone NOW: No, we're not making this up
Word, Excel, Powerpoint for your pocket-stroker
83
Vodafone Oz launches '100 Mbps' 4G service
Nice speed if you can get it
7
breaking news
Clearwire board to shareholders: Go on, grab that Dish cash
Sprint looks on in dismay
3
EU signs off on eCall emergency-phone-in-every-car plan
GPS and a mobe in every car - do you suppose the NSA would fancy that?
100