Phorm Raises Questions About U.K. E-Privacy, Data Protection Measures, EC Says
U.K. law on interception of communications jeopardizes user privacy, the European Commission said Tuesday. Citing numerous complaints by Internet users -- and “extensive” discussion with U.K. authorities -- over online behavioral advertising technology “Phorm,” the EC launched the first stage of proceedings aimed at forcing Britain to align its law with EU e-privacy and data protection legislation. Meanwhile, Information Society and Media Commissioner Viviane Reding warned the EC will act whenever countries fail to ensure that new technologies such as behavioral advertising and radio frequency identification (RFID) don’t respect privacy rights.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Protests over Phorm began in the U.K. early last year. The EC began hearing from British citizens and lawmakers last April, when British Telecom admitted that it had tested the system in 2006 and 2007 without informing its customers, the EC said. BT ran a new, invitation-based trial of the technology -- which analyzes customers’ Web-surfing in order to target advertisements to them -- from October to December 2008, the EC said. The trials prompted complaints to the Information Commissioner’s Office and the police, it said.
After reviewing the U.K. versions of EU directives on privacy and electronic communications and data protection, the EC said it’s concerned they don’t adequately ensure confidentiality of communications. U.K. law criminalizes unlawful interception of communications, but only when it’s “intentional,” the EC said. The act, moreover, considers interception legitimate when the interceptor has “reasonable grounds for believing” that there is consent, the EC said. In addition, Britain lacks an independent national body to deal with interceptions, it said.
The EC appears to have concluded that Phorm amounts to unlawful interception because permission isn’t obtained from the user and the Web site owner, something the Foundation for Information Policy Research pointed out nearly a year ago, said FIPR Treasurer Richard Clayton. The U.K. government now can either agree with FIPR and admit it doesn’t understand its own legislation, or stick to its guns and be forced by the EC to enact a new statute, he said.
The lack of an independent supervisory authority dealing with intercepts makes it “remarkably difficult” to get Phorm investigated, Clayton said. The Investigatory Powers Tribunal created by the Regulation of Investigatory Powers Act can only look into misuse of interception by police and security services, he said. Because the Phorm system is privately operated, the police aren’t interested in probing it, he said. FIPR is happy that the EC is as interested in the process failures as in the actual wrongdoing, he said.
The Open Rights Group in March urged leading Web sites to opt out of Phorm to protect user privacy and their own reputations. In an open letter to Microsoft, Google/YouTube, Facebook, AOL/Bebo, Yahoo, Amazon and eBay, ORG said the Phorm system has drawn flak from many Internet customers as well as World Wide Web inventor Tim Berners-Lee.
Even those using Phorm ISPs will likely not receive enough information to give informed consent to the processing of all the data they send to and receive from an ISP’s Web site, ORG said. Moreover, ISPs themselves should worry about third parties processing the content of their sites, without their permission, in order to construct profiles of their customers, ORG sad. The system will also make copies of copyrighted content without permission, and create extra tracking cookies in ISPs’ names, bringing their systems into disrepute, ORG wrote.
In response, LiveJournal, Netmums and mySociety decided to block Phorm, ORG said Tuesday. Their condemnation of the system puts more pressure on bigger players to follow suit, it said.
BT is reviewing the findings of its recent customer trials and has made no further plans, a spokesman told us. There is talk of a “network level opt-out” at BT to place those refusing Phorm on a part of the system where their traffic is kept away from the behavioral advertising scheme, Clayton said, but he’s heard “this is proving complex to implement,” he added. Moreover, it will not make the system opt-in, as required by the Information Commissioner, and it doesn’t address the issues of interception, copyright infringement and defamation raised by FIPR, he said.
Europeans must have the right to control how their personal information is used, Reding said Tuesday. New technologies such as RFID, behavioural advertising and social networking make it easier to misuse personal data, she said. EU privacy rules require consent for use of such information, she said. “I will not shy away from taking action” where an EU state falls short of that duty, she said.
The U.K. has two months to respond to the EC letter. If the response is inadequate, the process moves to the second ("reasoned opinion") stage and could ultimately end up in the European Court of Justice, the EC said. A spokeswoman for the Department for Business, Enterprise and Regulatory Reform confirmed receipt of the letter but said it’s too early to discuss the reply.