
Plans by three of the UK's top internet service providers to send
advertising to users based on their use of the internet may come
unstuck following assertions that the practice would contravene the
Data Protection Act.
BT, Virgin Media and TalkTalk, the Carphone Warehouse's ISP,
plan to use software from Phorm
to serve advertisements to their combined customer base of over 10
million based on what they search for, what transactions they
conduct, and their other online activity.
In an open letter to the Information Commissioner's Office (ICO),
the Foundation for Information
Policy Research (FIPR) questioned the legality of targeting users
based on their internet usage patterns, even if the users were
"anonymised" or directly unrecognisable to an advertiser.
According to the independent IT research body, Phorm-based user
targeting would "involve the processing of sensitive personal data"
including political opinions, sexual proclivities, religious views
and health.
The FIPR said that unless users had signed an "opt-in" contract,
this would be illegal under European data protection law, adding
that some people would still be identifiable because of the nature
of their searches and site choices.
"The system will inevitably be looking at the content of some
people's e-mail, into chat rooms and at social networking
activity," the FIPR said. "Although well-known sites are said to be
excluded, there are tens or hundreds of thousands of other
low-volume or semi-private systems."
It said the Phorm system would be "intercepting" traffic as
defined in the Regulation of Investigatory Powers Act (RIPA).
Traffic interception
requires permission from both the owner of the website and the
person accessing the website, and possibly the sender of web-mail
as well.
The ICO said that, at its request, it had received information
from Phorm, the company that will supply the software to track
users' online behaviour. The ICO was still evaluating that information
two weeks after receiving it. An ICO spokesman said, "They are clearly looking to
comply [with the DPA]."
The ICO said it was talking to the ISPs about how they would
meet privacy standards. "We will be in a position to comment in due
course," it said.