The Phorm storm in Britain has made the headlines a couple of times. The question on whether the system is even legal has gotten FIPR demanding the Home Office to retract certain comments they made where they suggest Phorm is actually legal.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes
FIPR has made a detailed legal analysis that suggests quite the contrary.
Last month, we here at ZeroPaid reported on the developments over Phorm. We followed up the report with another report earlier this month which points to Richard Clayton saying that Phorm is illegal, yet despite the comments, Phorm continued to be tested in the market. The, what seemed to be, cold shoulder from regulators didn’t deter an additional commentary and call from the Foundation for Information Policy Research (FIPR) which suggests that the Home Office is misleadingly suggesting that Phorm is legal and didn’t violate the Regulation of Investigatory Powers Act of 2000 (or RIPA).
The Open Rights Group points us to a copy of the in-depth legal analysis sent to the Home Office recently. Among other things, the analysis states that such technology could develope quite a rap sheet in Britain:
“This paper concludes that deployment by an ISP of the Phorm architecture will
involve the following illegalities (for which ISPs will be primarily liable and for
which Phorm Inc will be liable as an inciter):
– interception of communications, an offence contrary to section 1 of the
Regulation of Investigatory Powers Act 2000
– fraud, an offence contrary to section 1 of the Fraud Act 2006
– unlawful processing of sensitive personal data, contrary to the Data
Protection Act 1998
– risks of committing civil wrongs actionable at the suit of website owners
such as the Bank of England.”
It might be quite obvious, but probably one of the last things any company wants to do is open oneself up to litigation by a major bank – especially when the whole issue revolves around privacy. Here’s some more highlights:
Phorm’s public announcements go to great length to emphasise the anonymity it claims for its processes. These processes are embodied in software which is not open to inspection, either by the public or by the ISPs who will run the software, and
Phorm can in any case change the software whenever it wishes without anyone’s knowledge. Phorm’s claims cannot therefore be verified, and rest entirely on placing trust in Phorm.
Common sense apart, RIPA s16 happens to put the matter beyond doubt. It
deals with bulk interception authorised by the Secretary of State by warrant. In such cases, for the protection of those whose communications are caught up in bulk interception, it is laid down that only part of the material, as specified by a separate certificate, may actually be inspected. (It is assumed to be filtered from the bulk by technical means.) RIPA s16 deals with this by requiring that “the intercepted material is read, looked at or listened to by the persons to whom it becomes available by virtue of the warrant to the extent only that” certain conditions are satisfied. Material is thus treated as having been intercepted, and as having been made available to its interceptors, before any processing is applied to
determine whether it is in fact to be inspected by any individual. From this it is perfectly clear that in the Phorm system, the pages that it scans have been made available, and have been intercepted, before they are subsequently discarded.
The process in all cases is as described in Clayton at 46 onwards. In the case of searches, the search terms sent by the user to a search engine are intercepted and analysed by the ISP using the Phorm system. This requires the consent of the provider of the search engine. Search engine providers derive revenue from advertisements based on their users’ searches and on their users’ selection from among search results, and they are in competition with Phorm for advertising revenues based on their customers’ activities. There is not the slightest basis for supposing that they consent to the interception of their customers’ communications with them, expressly or by implication, nor has any such basis
been suggested. (The HO Note entirely overlooks this significant point.)
There are a number of other significant points being made in this piece including a case where there was actually a complaint against Phorm. When the matter was referred to the Home Office, the Home Office actually responded saying that the matter wasn’t their responsibility (paragraph 9). Basically, the entire paper shoots down Home Office’s insinuation that Phorm is legal on just about every front. One might find the Home Office to be funny by the time they are done reading the analysis.
The original note by the Home Office was posted in full last month. Among other things, the Home Office said:
18. It is arguable that a targeted online advertising service can be “connected with the provision or operation of [the ISP] service”. The RIPA explanatory notes for section 3(3) state: “Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient’s address is unknown.”
19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user’s consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking
culturally inappropriate material. The provision of targeted online advertising with the user’s consent where the user is seeking an enhanced experience and the targeted advertising service provides that.
Of course, anyone would consider an extra layer of ads sent from their ISP that they pay in the first place to be an “enhanced experience” much like e-mail filters. This is just like anti-spam filters which, if our memory serves us correctly, blocks unsolicited advertisements in the first place. Sarcasm aside, here’s a few more highlights from the Home Office e-mail:
21. Where targeted online advertising is determined and delivered to a user’s browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs’ user and web page host would make that interception clearly lawful. The ISPs’ users’ consent can be obtained expressly by acceptance of suitable terms and conditions for the ISP service. The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express
consent.
22. Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs’ users and the protection of their personal data, and with the ISPs’ users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high
standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.
One may wonder how scary this can be when an organization like this says right on their home page, “Working together to protect the public”
The original Richard Clayton analysis can be found here. The Open Rights Group notes:
FIPR want the Home Office to withdraw informal advice they issued in February, which FIPR say wrongly concluded the system is lawful, creating “an obstacle to the just enforcement of the law”. At the public meeting attended by Phorm and their critics last week, Simon Davies of 80/20 Thinking Ltd identified the legality of Phorm under RIPA as a legitimate issue, but urged participants not to get bogged down in a question which, in the end, can only be decided in a court of law. Hopefully, FIPR’s legal analysis will bring UK citizens one step closer to an answer to the question “Is Phorm legal?”. As Richard Clayton observes:
The Home Office’s superficial analysis said that the system would be lawful. Given their batting average at the High Court, relying upon their opinion was always unwise.
Drew Wilson on Twitter: @icecube85 and Google+.
