Information Commissioner: Phorm must be opt-in only

The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law. Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. …

COMMENTS


  1. Anonymous Coward

    WOOT YAY.

    Maybe just maybe phorm will vanish up their own ass.

  2. Steve

    Phantastic!

    The ICO's New Year's resolution seems to have been "grow a pair".

  3. Paul Buxton

    All well and good but

    The article makes no mention of the method of opt out. Will it require a cookie or won't it?

  4. Jonathan

    Victoly!

    First step in beating Phorm.

    Next we need to make sure that the average consumer is as informed as possible, so when BT spouts their "Free phishing protection!" with Phorm in the smallprint, consumers will know what they are really getting.

    Cos, if people are forced to choose, hopefully enough of them choose to opt out to make Phorm a useless service.

  5. Chris
    Thumb Up

    Booyakasha!

    Excellent - good to hear the ICO actually deciding to do what they should be doing without a lot of prompting. Also very good to hear VM sound like they're trying to distance themselves from this bunch of crooks. I really can't be bothered having to move ISP/TV/Phone etc as I'm perfectly/reasonably happy with what I've got. The sooner VM announce they're not going ahead with it, the sooner I can stop pricing up alternatives...

  6. Paul Delaney
    Coat

    Opt-In Basis Only!!

    YES! YES! YES!

    See how many muppets they get to opt-in, their "advertisement targeting system" won't be worth a fuckin light now!

    Thank you Jeezus (and El Reg)

    Yeah, I know...

  7. Sam
    Happy

    better

    That's a bit more like the right direction..

  8. dervheid
    Pirate

    Well, I'm available to comment...

    And the message stays the same here too.

    ANY INTRUSION INTO MY PRIVACY IS NOT WANTED.

    PHUCK OFF!

    I foresee this being tested in the courts, re the RIPA implications, trouble is the damage will be done by then.

    I also foresee (yes, I do have a crystal ball. No, THEY'RE both normal and functional, thanks. Any more predictable 'ball' jokes? No? Good.) that sensible subscribers will depart said ISPs in droves (OK. That does not require a crystal ball, that's 'stating the bleedin' obvious')

    Am I rambling? (YES!!!!)

    Ah, but do I care? Not a jot!

    Much like BT et al.

  9. colin stone
    Happy

    SHOCK ... THE ICO finds a tooth

    "BT and Phorm were unavailable for comment."

    That's a first anyway.

    Now the ICO has found a tooth, what about an explanation regarding the report last week from the ICO.

    Also a question to Phorm, and phormPRteam.

    Proof you are lying scum.. The ICO did not endorse your product did they?

    Please visit all the message boards and blogs you posted on with this lie, and say sorry.

  10. Kieron McCann
    Paris Hilton

    And about time too!

    So basically what this is telling us is that the original statement by the ICO was written by a drone who didn't bother to ask any searching questions or to give a nanosecond of thought about what Phorm would mean. It looks like all of the pressure brought by El Reg and its readers is finally bearing fruit!

    Paris - because she's now reformed, just like the ICO

  11. Anonymous Coward
    Alert

    Required Title..

    Only the first hurdle.. now the law versus BT trials...

  12. Mark
    Gates Horns

    Might just opt in..

    And be their only customer, just for a goof...

  13. Mark
    Gates Horns

    What will likely happen

    Is like spammers and other dubious internet scamsters, they just change their name, sell their product to the MD's brother, and start up a new company under a new name, and try the same shit again...

  14. Anonymous Coward
    Thumb Up

    No comment from Phorm?

    That's probably because they're in the toilet crapping themselves and realising that their shares will only be good as toilet paper after this

  15. Mike Crawshaw
    Unhappy

    Hmmmm.....

    I wonder if:

    a. Changing T&Cs (as BT have already indicated they will do) will act as an "explicit opt-in".

    b. Phorm / BT / etc will appeal against this and have it overturned. The ICO has already changed its stance, it can change it again.

    I hope not, in both cases. Hopefully, there will be a requirement for a user to explicitly agree to a statement along the lines of

    "I agree to my ISP and Phorm analysing my browsing habits and storing data regards these, using this data to serve me targeted advertising and other services to be determined in the future. I agree to this being entirely at my own risk, and that my ISP / Phorm cannot be held in any way accountable for the content of said advertising, loss of personal data, installation of malicious software on my computer and / or personal loss."

    Let's see how many agree to that?!

    (And see whether Phorm's share price can actually go into the negative!!)

  16. Chris Simmons

    After...

    ...the Bristol to Bath cyclepath was saved from having a chunk of it turned into a bus route a few weeks back I thought that would be the last time the power of people protest did any good in my lifetime; how wrong I was.

    What a way to cheer up a dull Wednesday afternoon.

    Power to the Geeks!!!

  17. James Whale
    Thumb Up

    Wicked

    This is excellent news - thanks El Reg and everyone else who's kept this issue at the forefront! Let's keep the pressure on and the awareness up, and make sure this nasty little company dies on its arse.

  18. Aristotles slow and dimwitted horse
    Stop

    This is...

    Very welcome news.

    IMHO though - we now need to keep an even more watchful eye on how Phorm/BT et al try to wriggle their way round this.

  19. Anonymous Coward

    Interception of Communications Commissioner

    20 March 2006

    The Prime Minister has approved the appointment of the Right Honourable Sir Paul Kennedy as Interception of Communications Commissioner under the terms of Section 57 of the Regulation of Investigatory Powers Act 2000. Sir Paul's appointment is from 11 April 2006 to 10 April 2009.

  20. A
    Stop

    Only half the issue has been addressed

    What about website owners who don't want their content to be used in this way?

    It is their content and their property that is being monetized by Phorm and the ISPs to provide these adverts.

    No website I run would allow such use and I would never opt in to such a scheme. If a visitor that happened to be a victim/customer of a Phorm ISP viewed my content (whether they opted in or not) and it was intercepted for analysis then that interception would be unlawful IMHO.

    Will Phorm be obeying any form of robots.txt or other search-engine control mechanism?

  21. Parax
    Alert

    Interception of Communications Commissioner

    So who does the "Interception of Communications Commissioner" actually work for? Is it the ICO or the Home Office??? And who is it these days??

  22. Rog69

    Re - What will likely happen

    And we'll all be here waiting.

  23. Anonymous Coward

    More on Interception of Communications Commissioner

    See here for description of Interception of Communications Commissioner:

    http://www.ipt-uk.com/default.asp?sectionID=8&chapter=2

  24. Anonymous Coward
    Dead Vulture

    A good start

    It's about time the ICO realised that a considerable part of this falls under their remit, rather than play the ostrich. It does however mean that some of the questions asked earlier (that as yet remain unanswered) are still relevant.

    Going by the ICO's new statement surely this would mean that the only 'legal' way to do this is to split up the ISP's network into Phorm / No Phorm and have the Opt-In/Out on an account level. I'm going by the previous reports published on The Reg and elsewhere which seem to point towards the fact (as it stands) that even if opted out of the Phorm system the data is still digested but not profiled.

    Surely under ICO's revised statement if you opt-out and your data is still 'digested' regardless surely this is illegal going by what they have said? or am I missing something?

    I'd also like the ICO's findings on BT's secret trials and the trials that are about to go ahead to be made public.

  25. Dam

    Illegal even with opt in

    Even if it's opt-in it remains illegal.

    A user can't give consent for *my* articles on a *private* section of *my* website to be intercepted.

    My own consent is still required, the lawsuits WILL roll.

  26. Pete Burgess
    Pirate

    difference?

    I was under the impression that Phorm still profiled you even if you do opt out, it just discards that profiling and doesn't send it back to your browser...

    Surely this means that even an opt out doesn't satisfy the DPA?

    Or have I made this up?

    Skull & Cross Bones as that is all that will be left of Phorm...

  27. Graham Wood

    ICO

    No comment about whether (without opt in) the data has to be kept away from the system.

    Probably too technical for an "open statement", but the issue for me has always been the data flow rather than the advertising.

    I did email the ICO a few days back about the earlier trial (from the point of view of a webhost accessed by BT, rather than as a BT customer) but haven't got an answer yet. I've got password protected (but not SSL'd) sections on the website, and I certainly didn't give BT permission to spy on people using it.

  28. Anonymous Coward
    Alert

    I'm still worried

    This *should* be f**king fantastic news, but I'm still worried that the ISPs will see this statement as more justification for simply mangling their terms and conditions in such a way that the opt-in/opt-out choice basically becomes one of accepting their terms or not. Which means leaving them if you don't.

  29. AndyC
    Black Helicopters

    @Paul Buxton

    Doesn't matter about the opt-out cookies now, if it is strictly opt-in, then phorm/bt/vm etc will have to have something stored against your profile either on the isp end or your pc end to say that you opt-in.

    That is assuming that they follow the

    "humm, check cookie/profile, no opt in, must have opted out, ignore traffic route via unmonitored route"

    and not the

    "humm, check traffic, check key words, profile, humm, no opt in, better not send adverts to them, monitor traffic regardless"

  30. Jonathan

    Just sent this to Ian Livingston

    Dear Mr Livingston,

    As I'm sure you are aware about the issue surrounding Phorm, I will be brief. Please note, before I begin, that I am not a BT customer, and thus was unaffected, but as a concerned member of the public, I am interested in the Phorm case because for me it represents the erosion of consumer rights to allow for greater corporate profits.

    I wish to ask you two questions.

    Firstly, why did you not inform those who participated in the trial last summer what the reason was for the various problems they encountered? I'm sure I'm not alone when I say I wish that BT had been more forthcoming about this technology, as a leader in the UK broadband industry. I think it sets a dangerous precedent, and am perhaps more concerned that you lied to your customers than the fact that the trial was conducted at all.

    The second question I wish to ask is, what is BT planning on doing for those affected customers? In case you are not aware, the Information Commissioner's Office has recently declared that Phorm must be opt-in for it to be legal. Thus, last year's trial was not legal, as it was not opt-in. I would like to hear your views on this. What plan of action will BT take to mitigate the risk of lawsuits and more negative publicity resulting from the trial being in danger of being declared outright illegal?

    I would appreciate any correspondence.

    Thank you,

    **********

  31. Graham Wood
    Unhappy

    RIPA rather than PECR or DPA

    Reading that statement, it appears that the ICO is distancing itself from the RIPA issues - and telling people to talk to the home office. Which makes the response I got from the home office quite interesting...

    The best source of information to guide you further on the issue you raise would be the Information Commissioner's Office, whose website can be found at http://www.ico.gov.uk/. The site covers a wide range of matters on access to business information and the protection of personal information.

    In all respects, it is not for the Home Office to determine whether BT has acted illegally or not.

    (I've just emailed them again to ask them to explain the fact that they say talk to the ICO, and the ICO says talk to them...)

    (apologies for double comment, assuming both get through, I hadn't read all the statement before posting before)

  32. Kane
    Stop

    Hold on, hold on....

    Yes, a small victory, I grant you. But the problem still remains with the nature of the opt-in arrangement. If Phorm and BT are so closely tied together (as I imagine they would be, as well as other ISPs that have a tight profit margin), wouldn't it seem advantageous for the ISPs to tie the opt-in with their Terms and Conditions? Like, maybe, if you don't want Phorm to monitor your online activities, then you can Phuck off to another ISP. You don't have to agree to use our service, but if you do, this is how it's gonna work. (might not work for current customers, as they would have to agree to a new contract with new T&Cs, but for new customers...)

    Do we have any protection against something like that? I know that Phorm is a separate company in its own right and it would be them who have to seek your permission to opt-in, but wouldn't they do it through the ISP to save themselves the time and effort?

  33. Kevin Johnston

    re: Only half the issue has been addressed

    Strangely enough I have had no response from the ICO about that very subject. I asked them to explain how BT/Phorm planned to ask permission to intercept communications between my website and my customers.

    Should I ever get a reply...

  34. Sceptical Bastard

    Premature jubilation

    Obviously I am pleased to read this story. It is, indeed, another step in the right direction. It's delightful to imagine the cussing and ranting coming from behind K(u)nt Etrugul's office door.

    What's more, Vulture Central deserves a night down the boozer for its campaigning journalism on this issue.

    But the battle is far from won. Even if Phorm's shares nosedive further or the firm simply gives up the ghost (neither likely) someone someday will step into the breach because too many vested interests - from ISPs and Telcos to security services and governments - will find mass "anonymised" interception and analysis of all port 80 traffic too tempting to resist.

    If, in the light of the Information Commissioner's statement, Phorm and its ISP partners have to make the product opt-in they will disguise it as an anti-phishing or anti-advertising feature (as, of course, they already are). That alone should entrap enough tech-illiterate non-Reg readers to make the scheme financially viable. Alternatively they will bury opt-in in their Service T&Cs - and who reads T&Cs carefully in every particular? So the need for widespread publicity is even greater than ever.

    We're on the right course to phuck the current Phorm scheme but we ain't there yet.

    Let the fight continue, comrades - but with even greater vigour!

    Aux armes, citoyens!

  35. Ian Chard
    Thumb Up

    Share price...

    ...hit a low today of £14.25, and it looks like it's going to have its lowest closing price in 52 weeks... currently trading at £14.85, off 10%, with the FTSE up about 4%.

    Tragic really. No, really.

  36. Craig

    Is it worth anyone left with BT opting into the trial?

    Just a thought, but if everyone with technical nous or half a clue opts out of the BT trial, all that will be left are those who believe BT are good and can do no wrong, the BT plants and those who wouldn't know the difference between dialup and ADSL2+

    What about some readers here, with that precious half a clue, recording genuine experiences such as failed redirects, pre and intra-trial latencies and speed, etc.

    Also, if you opt-out midway through the trial, what happens when your anti-spyware software deletes your Phorm cookie as part of a regular cleanup? Are you re-profiled and do you get any notice that you've been re-profiled?

    This is in regard to the ICO's statement's last para:

    "In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates."

    If all they get are Phorm/BT success stories from the trial, they'll probably lose their spine again and can legitimately ignore the techy responses from those who haven't any real experience of the nasty bit of stuff.

    just my 2p...

  37. Anonymous Coward

    Opt-in or .....

    I assume the next step for BT is to make the opt-in tick box a requirement in the contract to access the service (or maybe they will just put you a higher price if you don't opt-in). BT is just beyond shame.

  38. Paul Buxton

    @AC

    "Which means leaving them if you don't."

    They need your custom more than we need their spyware and they damn well know it.

    They're not implementing Phorm to spy on you, that's just a side-effect. The reason for the implementation is the same reason they do anything and everything - profit. Hit them where it hurts - if the ISP does something you don't like then just find another ISP.

    With this in mind, can anybody who has more than a passing interest in law tell me: If BT change the T&Cs to something I can't or won't agree to can I simply end the contract? I'm tied into this contract for another 12 months and would like to know my legal standpoint if BT do decide to implement Phorm.

  39. Anonymous Coward

    @All well and good but...

    >>The article makes no mention of the method of opt out. Will it require a cookie or won't it?

    No, the fact the ICO has stated it is an opt-in, then by default you won't be included; you'll have to specifically 'ask' to be included in the scheme. It could well be that you'll now need a cookie to be included.

  40. Matt Hawkins
    Flame

    Watch out for false endings ...

    I wouldn't call victory yet. They can still hassle you for your opt-in or your ISP could opt-in for you via small print.

    Phorm will be looking for ways to regroup and represent their technology.

    This is the bit in the movie where the heroes think the monster/robot is dead and drop their guard.

    It has just blinked. What are we going to do? Stand around cheering while it slowly gets up behind us or keep kicking, blogging, spreading the word and signing petitions?

    They have taken a blow and are on the floor but I don't want Phorm beaten ... I want it dead, sliced, diced, burnt and buried under a motorway bridge (or airport terminal).

  41. Anonymous Coward

    datatheft

    Datatheft is supposedly a criminal offence - but not yet something you could be put in jail for - so BT managers may only risk looking forward to a possibility to be fined.

    To me there appear to be quite obvious instances of datatheft when intercepting people's communication data and trawling for data. Not all data in this communication is owned by the customer of a BT account even if it may be included in their communication praxis. As mentioned earlier some of this data belongs to third party. So I would expect that there is much more than meets the eye that might be coming up later. Not only privacy issues and interception as phenomena. Data theft as phenomena arising from Phorm practice has so far as I know not been targeted as a serious issue in this case.

  42. Anonymous Coward
    Happy

    1st Strike for The People VS The Man... errr I mean... Phorm

    Still a long road ahead but first blood to us!

    Keeping this sucker on refresh too just for the shits and giggles:

    http://finance.google.co.uk/finance?q=PHRM

  43. Jimbo Gunn
    Flame

    BOLLOCKS

    I am not a lawyer and I don't have much of a phucking clue about this but...

    Hasn't the ICO totally missed the point about Phorm?

    "Even if Phorm is not processing personal data..."

    They're watching your whole internet connection. "We can see everything" is their sales pitch. I throw down a challenge - send me a month's worth of browsing history and I'll tell you:

    1.) Who you are

    2.) The town you live in

    3.) The type of pron you like

    4.) Which banks you use

    5.) The newspapers you read and your political persuasion

    6.) Your religious interests, if any

    7.) The names of your best online friends

    8.) Your best friends' partners' names

    9.) If you have any pets

    10.) Everything you buy online

    11.) Your employer

    12.) Your next employer

    13.) Your proficiany in spelling

    14.) The state of your physical and mental health

    15.) If you're overweight

    16.) What your foot size is

  44. sotar

    One small step.

    Well this seems like a good first step but there is some way to go yet.

    First in relation to Richard Buxton's comment about whether opt-out cookies will be required. Surely if the ICO declares that the system must be 'opt-in' then Phorm & ISPs must use 'opt-in' cookies (if using them at all).

    The ICO ruling is a complete reversal of how the opt-in/out should be managed and this needs to be reflected in the Phorm/ISP process so that it explicitly checks that someone has ticked a box to say "yes I opt in to Phorm", rather than imply it simply because they didn't opt-out.

    If a cookie is to be used then it must only be there if a person has opted in to Phorm. We can't have a situation where someone who hasn't opted-in finds that Phorm is tracking them because for-what-ever reason the webwise cookie has been deleted.

    This would also seem to be a legal failsafe from the point of view of Phorm and the ISPs: if an opt-in cookie is absent then they won't track a person's activity so no problem, but if an opt-out cookie is absent then they would be tracking activity and if that person hadn't explicitly opted-in then presumably it would be illegal.

    Second, as has been mentioned before, there are two parties involved in web-browsing; the person requesting the information and the website that serves it. The ICO is now saying:

    "This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users."

    It is websites that will be providing this 'traffic data'. There is very little mentioned about how 'opt-in' consent from website owners is going to be handled? I see no reason why my websites should be used to make money for somebody else.

  45. Alexander Hanff
    Thumb Down

    Haven't discussed PECR with ICO yet?

    Funny, I seem to recall statements from both Phorm and BT that they had fully investigated the law with regards this technology and after receiving professional advice (from a QC none the less) they were confident they were well within the bounds of the law.

    So we have an unnamed QC who doesn't understand what PECR is or what it means with regards Phorm. Furthermore it shows yet again that Phorm and BT have failed dramatically with regards to due diligence on this technology given they have not even discussed PECR (an EC Directive) with ICO.

    The sad thing is, I, as an undergraduate with limited experience in law, not to mention even more limited resources, was able to interpret the implications under PECR almost an entire week before our well resourced IC picked up on the same arguments.

    Maybe I should apply for a job as IC as I clearly have more knowledge and understanding of the Directive the current IC is supposed to enforce. I would be happy to take up the role should Mr Brown wish to contact me with a proposal.

  46. Sam

    @Ian Chard

    What was the share high? I want to gloat at the difference, and you want to post it, admit it!

  47. Dangermouse

    PhormPRTechPRTeam here...

    Hi, PhormPRTechPRTeam here...

    We still believe that we conform to the highest possible data protection standards because we have still got our heads so far up our own arses that we have no comprehension of the real world anymore. I mean, the normal versions of the DPA and RIPA are for other people, surely?

    We wish that you would all stop being so mean to us - we had a really good idea to make shitloads of cash. OK, so it's illegal, unethical and underhanded but BT _really_ like the idea, presumably because they have the same ethics as us! And BT are a really caring, sharing company. No, honestly they are. You all know that.

    Now, about those BT trials that we haven't talked about yet.

    They were not illegal because at the time we didn't think anyone would mind that we were intercepting data transmissions without permission - and also, as we have stated many, many times, the versions of the DPA and RIPA that everyone else abides to do _not_ apply to either us or BT. (By the way, thanks for that, Patricia! Your new boat is on the way!)

    Now, let's address the issues from the ICO and opt-in.

    We will be working closely with BT's legal department to ensure that the changes to your Terms and Conditions will be clearly stated on page 935 of your updated Conditions and Terms. And, of course, there is the cookie.

    So no problem there.

    Any more questions, please feel free to email me at fuckwit.phormPRTechPRTeam@phorm.com

    Cheers!

  48. Jeff
    Thumb Up

    Phank phuck for phat

    This is great news for the technically literate. Unfortunately it's pretty obvious that BT will now market this to the other 99% of its customers as an anti-phishing device unless it is compelled by the ICO to make very clear that it works via data interception... and this is bloody unlikely.

    So it's probably up to the informed media (so that's the techno-illiterati at the BBC out) and competing ISPs to publicise this behaviour.

  49. Alexander Hanff
    Coat

    Other relevations of PECR

    Section 6 is also relevant:

    "1. Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

    2. The requirements are that the subscriber or user of that terminal equipment -

    (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (emphasis added)

    (b) is given the opportunity to refuse the storage of or access to that information."

    Also Section 8 adds weight to the requirements of consent:

    "Processing of traffic data in accordance with regulation 7(2) or (3) shall not be undertaken by a public communications provider unless the subscriber or user to whom the data relate has been provided with information regarding the types of traffic data which are to be processed and the duration of such processing and, in the case of processing in accordance with regulation 7(3), he has been provided with that information before his consent has been obtained."

    And Section 27 would seem to address the issue of whether or not BT can circumvent the requirement for explicit consent by simply changing their terms and conditions:

    "To the extent that any term in a contract between a subscriber to and the provider of a public electronic communications service or such a provider and the provider of an electronic communications network would be inconsistent with a requirement of these Regulations, that term shall be void."

    Looks like the BT Trials of 2006/2007 are going to get shafted by the PECR...

    I'll get my coat ;)

  50. Spleen

    @Sam

    June last year Phorm traded as high as £35.80.

    Google Finance is pretty good for share price charts, and Interactive Investor (www.iii.co.uk) is pretty good if you want to laugh at the amateur traders who bought in not knowing a thing about the technology and assuming that tech + currently increasing share price = profit forever.
