The legality of Phorm

From BBC NEWS

Technical analysis of the Phorm online advertising system has reinforced an expert’s view that it is “illegal”.

The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge.

What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data…

Richard says, in part:

Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes give them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.

Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.

More here on the BT spokeswoman’s attempt to defend on TV the company’s covert experiment with Phorm.

So did BT break the law?

From The Register

BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the “stealth” pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: “The validation was made within BT’s live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

“The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.”

The cant implicit in that last sentence is breathtaking. But the more important question is whether BT has committed a criminal offence. Effectively all 18,000 test subjects were ‘opted-in’ without their knowledge.

BT has not answered The Register’s question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT’s actions. “This is extremely serious,” he said. “Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP’s reputation. This seems like a breach of criminal law, which is much, much worse.”

Meanwhile, Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm’s secret trial of Phorm’s advertising technology last summer. And William Hague, the Conservatives’ shadow foreign secretary, has written to the Department for Business, Employment and Regulatory Reform, voicing constituents’ opposition to the deals signed by BT, Virgin Media and Carphone Warehouse to spy on the web browsing of millions. It’ll be interesting to see what happens next.

If you’re thinking of signing up to a new ISP, you know which ones to avoid.

Facebook refines its privacy policy

From Rory Cellan-Jones

Facebook has unveiled what it says is a new policy on privacy. The press release says the aim is to give users more control over the information they choose to share. It goes on to explain that the two main features are “a standardized privacy interface across the site and new privacy options.”

Is that perfectly clear? Well, not entirely. What is a “standardized privacy interface” when it’s at home? The 75% of users who never bother to change their default privacy settings probably won’t care. But read on, and it seems the main change is the ability to differentiate between different groups of friends – and give them different levels of access to your information…

Tim Berners-Lee on Phorm

From BBC NEWS

The creator of the web has said consumers need to be protected against systems which can track their activity on the internet.

Sir Tim Berners-Lee told BBC News he would change his internet provider if it introduced such a system.

Plans by leading internet providers to use Phorm, a company which tracks web activity to create personalised adverts, have sparked controversy.

Sir Tim said he did not want his ISP to track which websites he visited.

“I want to know if I look up a whole lot of books about some form of cancer that that’s not going to get to my insurance company and I’m going to find my insurance premium is going to go up by 5% because they’ve figured I’m looking at those books,” he said.

He said: “It’s mine – you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.”

The Phorm letter

The Foundation for Information Policy Research has written an Open Letter to the Information Commissioner on the legality of Phorm’s advertising system. FIPR has also issued a Press Release which says, in part:

The controversial Phorm system is to be deployed by three of Britain’s largest ISPs, BT, Talk Talk and Virgin Media. However, in FIPR’s view the system will be processing data illegally:

* It will involve the processing of sensitive personal data: political opinions, sexual proclivities, religious views, and health — but it will not be operated by all of the ISPs on an “opt-in” basis, as is required by European Data Protection Law.
* Despite the attempts at anonymisation within the system, some people will remain identifiable because of the nature of their searches and the sites they choose to visit.
* The system will inevitably be looking at the content of some people’s email, into chat rooms and at social networking activity. Although well-known sites are said to be excluded, there are tens or hundreds of thousands of other low volume or semi-private systems.

More significantly, the Phorm system will be “intercepting” traffic within the meaning of s1 of the Regulation of Investigatory Powers Act 2000 (RIPA). In order for this to be lawful, permission is needed from not only the person making the web request BUT ALSO from the operator of the web site involved (and if it is a web-mail system, the sender of the email as well).

FIPR believes that although in some cases this permission can be assumed, in many other cases, it is explicitly NOT given — making the Phorm system illegal to operate in the UK:

* Many websites require registration, and only make their contents available to specific people.
* Many websites or particular pages within a website are part of the “unconnected web” — their existence is only made known to a small number of trusted people.

The full text of the open letter is here.

VOIP baffles spooks

From The Register

The head of the UK government’s secret electronic spying and codebreaking agency, GCHQ, has said that his organisation’s ability to intercept conversations and messages is seriously undermined by internet-protocol (IP) communications. The digital spook’s comments may come as a blow to British and European politicians who have sworn to eradicate terrorism from the internet.

The revelations came as part of the annual parliamentary oversight report into the doings of the UK intelligence community, which was released today. The report is compiled by the specially-vetted MPs and lords of the Intelligence and Security Committee (ISC), who are allowed to review secret data and grill important mandarins from the shadowier parts of Whitehall…

Don’t expect UK privacy law reform

Just because the government has been shown to be disgracefully casual in its handling of confidential personal data doesn’t mean that the Brown administration is proposing to do anything radical about it. That’s not just an uninformed, cynical take on what’s happening. It’s also the view of Rosemary Jay, Head of the Information Law team at Pinsent Masons (the law firm that publishes OUT-LAW.COM).

Are IP addresses personal data?

The EU appears to think so — according to Tech Review:

BRUSSELS, Belgium (AP) — IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said Monday.

Germany’s data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address “then it has to be regarded as personal data.”

His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is — something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address.

Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.

But these exceptions have not stopped the emergence of a host of “whois” Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.

Treating IP addresses as personal information would have implications for how search engines record data.

Google led the pack by being the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.

But a privacy advocate at the nonprofit Electronic Privacy Information Center, or EPIC, said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.

“It’s one of the things that make computer people giggle,” EPIC executive director Marc Rotenberg told The Associated Press. “The more the companies know about you, the more commercial value is obtained.”
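Why the “256 possible configurations” line makes computer people giggle is easy to show. The Python below is an added illustration, not part of the AP report and not Google’s or EPIC’s code: it truncates an IPv4 address to its /24 prefix (256 candidate addresses), then groups a small constructed search log by that prefix plus the browser’s User-Agent string, a field a search engine typically retains alongside the address. The log entries and the User-Agent strings are made-up sample data, and the addresses come from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not real data): the full client IP, the browser
# User-Agent string and the query, as a search engine might retain them.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"
MSIE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
OPERA_UA = "Opera/9.25 (X11; Linux i686)"

SAMPLE_LOG = [
    ("203.0.113.17", FIREFOX_UA, "cancer treatment options"),
    ("203.0.113.17", FIREFOX_UA, "life insurance premium"),
    ("203.0.113.42", MSIE_UA, "weather"),
    ("203.0.113.200", OPERA_UA, "football scores"),
    ("198.51.100.9", FIREFOX_UA, "cancer treatment options"),
]


def truncate_ipv4(ip: str) -> str:
    """Zero the last octet, i.e. keep only the /24 prefix of the address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def candidate_count(prefix_len: int = 24) -> int:
    """Number of full addresses that share a prefix of this length (256 for /24)."""
    return 2 ** (32 - prefix_len)


def clients_per_key(log):
    """Group records by (truncated IP, User-Agent) and collect the full IPs
    behind each group. A group holding a single full IP means truncation
    hid nothing about that client within this log."""
    groups = defaultdict(set)
    for ip, ua, _query in log:
        groups[(truncate_ipv4(ip), ua)].add(ip)
    return dict(groups)


def singled_out_keys(log):
    """Truncated records that still correspond to exactly one client."""
    return sorted(key for key, ips in clients_per_key(log).items() if len(ips) == 1)


def anonymity_set_size(log, key):
    """Size of the anonymity set for a truncated record: how many distinct
    clients in the log produce the same (prefix, User-Agent) key."""
    return len(clients_per_key(log).get(key, set()))


if __name__ == "__main__":
    print("candidate addresses per /24:", candidate_count())
    for key, ips in clients_per_key(SAMPLE_LOG).items():
        print(key, "->", sorted(ips))
```

Truncation on its own does leave 256 candidate addresses, but the anonymity that buys is measured against the other fields kept in the same record. In the sample every (prefix, User-Agent) group collapses to one client, so the “anonymised” log still singles out the person who searched for cancer treatments and then for insurance premiums, which is the scenario Sir Tim Berners-Lee describes earlier on this page.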

Would you trust the government with your data?

Fascinating post by James Cridland, who asked to see what data the Driving Standards Agency (the outfit which lost the most recent batch of confidential information) holds on him.

There’s an interesting sting in the tail.

Let’s return to “Trading/Sharing in Personal Information”. The register says who can receive this information – which specifically includes “personal details, financial details, offences, criminal proceedings”. Here’s a few…

Police forces, central government, local government, employees and agents of the data controller, department of health, department for education and employment, the media…

The MEDIA?!?!!!

It seems that the Department of Transport can, if they wish, let any media organisation in the UK or the EEA know my driving licence details, including my financial information. Anyone in the media can know whether I got a speeding fine in 1997 for doing 42 in a non-built-up, badly-signed 30-zone. (I did. But I have a clean licence now.)

This is big stuff. And I wonder what the definition of “the media” is, in this context. Am *I* the media, running a blog that has more readers than many small magazines? Am I able to request this data on someone I know?

Controlling the default

Good piece by Christopher Caldwell in the New York Times, meditating on the implications of Facebook’s Beacon fiasco.

Facebook designed Beacon so that members would be able to “opt out” by clicking in a pop-up window. But these windows were hard to see and disappeared very fast. If you weren’t quick on the draw, your purchases were broadcast to the world, or at least to your network. Since people, too, sometimes want to be free, privacy advocates urged that Beacon be made an “opt in” program, which members would have to explicitly consent to join. In early December, Facebook agreed to this approach.

The Beacon fiasco gives a good outline of what future conflicts over the Internet will look like. Whether a system is opt-in or opt-out has an enormous influence on how people use it. He who controls the “default option” — the way a program runs if you don’t modify it — writes the rules. Online, it can be tempting to dodge the need to get assent for things that used to require it. This temptation is particularly strong in matters of privacy. For instance, the “default option” of the pre-Internet age was that it was wrong to read others’ mail. But Google now skims the letters of its Gmail subscribers, in hopes of better targeting them with ads, and the N.S.A. looks for terrorists not only in the traditional manner — getting warrants for individual wiretaps — but also by mining large telecommunications databases.

So it is with Facebook’s Beacon. We used to live in a world where if someone secretly followed you from store to store, recording your purchases, it would be considered impolite and even weird. Today, such an option can be redefined as “default” behavior. The question is: Why would it be? The price in reputation for overturning this part of the social contract is bound to be prohibitively high…