UK.gov misses deadline on EU Phorm probe
Commission's data pimping quiz-o-gram leaked
Exclusive The government has failed to meet a deadline to respond to European Commission questions over the UK's handling of BT's allegedly illegal secret trials of Phorm's ISP-level adware and its planned rollout of the system to millions of subscribers, The Register has learned.
The Commission wrote to the UK government to quiz officials on why no action has been taken over the trials under the Privacy and Electronic Communications Regulations 2003 (PECR), which implement European Directives on wiretapping and communications data.
Contrary to reports last week, the letter was sent on 30 June, not mid-July. It required the UK to respond to the letter one month after it was sent, not by the end of August, as wrongly claimed by the BBC.
A spokeswoman for the Department for Business, Enterprise and Regulatory Reform (BERR) admitted today that the UK had not met the deadline. "We haven't responded yet," she said. The spokeswoman declined to comment further beyond saying that BERR is working on a reply with other departments.
We have obtained the EU's letter. It requests answers on how and why the UK government has acted over both the secret trials of Phorm in 2006 and 2007, and planned future deployments of the technology.
It sets out the context of the EU's interest in the controversy and asks detailed questions ahead of possible Commission intervention. Failure to implement a European Directive properly can land national governments in the European Court of Justice in Luxembourg.
"In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities," the letter says. "Several EU law provisions concerning privacy and electronic communications may be applicable."
It is signed by Fabio Colasanti, Director General of combative European Commissioner Viviane Reding's Information Society and Media Directorate. It is addressed to Kim Darroch, the UK's ambassador to the European Union. His office acts as a diplomatic conduit for contact between the UK government and the European Commission.
The letter concludes with five bullet-point questions for UK officials to answer. The majority focus on the uninvestigated trials revealed by The Register.
Campaigners and unwitting participants in those secret trials have been frustrated by the failure of any UK authority, including the Information Commissioner's Office (ICO), to investigate BT and Phorm for alleged lawbreaking. The ICO has stated that although it believes the data laws were breached when tens of thousands of BT customers' web browsing was co-opted into Phorm's systems, it does not intend to pursue the matter. BT has publicly insisted "it was not illegal".
But the Commission is also concerned about how Phorm's technology will behave once fully rolled out in ISP networks. In one passage, Colasanti queries the mismatch between the ICO's insistence on a positive opt-in for future deployments and Phorm's own line that consent will be obtained via "transparent meaningful user notice".
Phorm's language prompts Colasanti to ask: "What exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?"
After the ICO toughened its stance on future Phorm deployments in April, the firm's CEO Kent Ertugrul has insisted that debate over opt-in versus opt-out is a "huge red herring".
Correspondence between Phorm and the ICO disclosed after a Freedom of Information Act (FOIA) request by a member of the public paints a different picture. The regulator's stance that only a positive opt-in would be allowed for any future deployment was not so readliy dismissed inside Phorm. A company representative wrote to the ICO: "[I] was a little surprised that in your latest statement you seem to have come down fairly firmly in favour of opt-in, but obviously I understand the issues. I'd very much welcome a quick chat on this point."
The ICO remains committed to a positive opt-in.
The EU's interrogative approach to the issue is in contrast to the secret liasons between the Home Office, BT and Phorm going back to November 2006. The government provided a legal opinion - which has since been heavily criticised by independent experts - on ISP-level adware that said it didn't think such systems would contravene the Regulation of Investigatory Powers Act 2000 (RIPA).
Colasanti wants to know which body would investigate a breach of RIPA.
BERR's spokeswoman said she was unable to explain why the government has not responded yet. ®
See the next page for the EU's letter in full.
Sponsored: Becoming a Pragmatic Security Leader