Privacy: British Government Refuses To Investigate Phorm

By Tom Espiner

The Prime Minister’s Office has rebuffed a public call for a government investigation into Phorm, saying that the independent Information Commissioner’s Office is responsible for ensuring that the behavioural ad-serving technology does not contravene privacy laws.

On Tuesday, Number 10 published a response to an e-petition that had called for an investigation of Phorm’s technology by the government, and a ban on its adoption by internet service providers if it was found to breach European or British privacy laws. Phorm intercepts user data traffic to anonymously profile people and serve them adverts based on their web-browsing behaviour.

In its response, Number 10 said privacy legislation was enforced by the Information Commissioner’s Office (ICO), adding that the ICO “is an independent body, and it would not be appropriate for the government to second-guess [ICO] decisions”.

“ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology,” the Prime Minister’s Office stated. “They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.”

However, the ICO told ZDNet UK on Tuesday that while it could enforce the Data Protection Act, it had no remit to enforce other privacy laws, such as the Regulation of Investigatory Powers Act (Ripa).

“The [intercept] issues that have been raised around Phorm are not a matter for the ICO,” assistant information commissioner Jonathan Bamford told ZDNet UK. “We have no statutory role in relation to Ripa.”

Various organisations, including the Foundation for Information Policy Research, have asserted that Phorm’s interception of user traffic, prior to anonymising the data, contravenes Ripa.

The regulatory body which oversees Ripa is the Office of Surveillance Commissioners (OSC). However, that office only oversees Ripa in relation to public authorities such as the police and intelligence services, and does not look at possible Ripa contravention by private companies. Bamford suggested that regulators such as OSC should monitor the private sector too.

“There’s a gap there,” said Bamford. “No-one performs the same role [as the ICO does with data protection] in relation to Ripa.”

‘Passing the buck’

Jim Killock, director of digital-rights organisation the Open Rights Group, told ZDNet UK that Number 10 was dodging the issue of scrutinising the legality of Phorm. “Clearly, the ICO doesn’t have a role in intercept,” said Killock. “Number 10 is passing the buck to an organisation which doesn’t have that responsibility, which is at best obfuscation.”

Killock added that the legality of Phorm’s service under Ripa should be examined. “You shouldn’t be intercepting data traffic without the clear consent of all users involved,” said Killock. “If you intercept a communication, everyone involved should give clear, informed consent.”

Privacy legal expert Vanessa Barnett, a partner at Berwin Leighton Paisner LLP, told ZDNet UK on Tuesday that “ultimately only a judge can decide” the legality of Phorm’s service.

“Under Ripa, interceptions are lawful if the interceptor has reasonable grounds for believing that consent has been given. That consent must be freely given, specific and informed,” said Barnett. “And that’s the rub: have the individuals been made sufficiently aware of what is being intercepted, and have nonetheless decided it’s OK to be monitored and profiled in this way?”

However, Marc Burgess, senior vice president of technology at Phorm, told ZDNet UK on Tuesday that Phorm’s interception of user traffic, prior to anonymisation, was legal.

“[Phorm] is definitely legal under Ripa,” said Burgess. “Users must give their consent before they can use the service.”

Burgess added that the definition of ‘intercept’ in Ripa means making the contents of a communication available to other people or organisations, but that Phorm’s intercept devices sat on service provider networks and performed filtering before making any data available for scrutiny.

“This information is passing through [sealed] black boxes,” he said. “It’s a filtering and whitelisting process.”

An inquiry into possible regulation of the ISP industry was launched by the All Party Parliamentary Group on Communications (apComms) in April. The government committee is to examine issues including behavioural advertising and deep packet inspection.