Online profiling and advertising exchange Phorm has started its next trial with partner BT. This stage of Phorm’s rollout was enabled after City Police confirmed that they are taking no further action in their investigation into previous trials, and the Information Commissioner’s Office ruled that Phorm’s service complies with the UK Data Protection Act, subject to ensuring that users opt-in rather than opting out.
Opinions about the trial are mixed: clearly Phorm are delighted at this next stage, although protesters are incensed that it has been allowed to proceed. The trial will involve 10,000 volunteers from BT’s customers. As an aside, Phorm reported increased losses of £13.8m in the first half of 2008 – which sounds enormous, but is not so scary in the context of the sort of burn rates we saw during the dot-com boom.
The most important issue here is whether an IP address can be considered to be Personally Identifiable Information (PII). Much of Europe takes the opinion that IP does count as PII – after all, an ADSL connection can maintain a consistent IP address over a long period, which would permit detailed profiling of the user(s) on that address. The influential Article 29 Working Party thinks IP addresses are PII. The UK, on the other hand, does not treat them as PII.
My concern here is that we will build an ecosystem of influential commercial enterprises that rely on being able to profile IP data without having to worry about the Data Protection Act. Once sufficient companies are involved, they will carry far greater parliamentary influence than protesters and privacy advocates, and it’s going to be very hard indeed to turn back the clock to bring us in line with Europe. The sooner that Parliament faces facts and reviews this situation, the less trouble we will store up for the future.