Phorm opens itself to independent scrutiny

Online advertising company Phorm has responded to its critics’ demands by allowing an inspection of its plans by a respected security expert. Unfortunately, he doesn’t like what he’s seen.

The debate over Phorm’s online advertising service – Webwise and OIX – continues to rage, and the two sides appear to be digging in for a protracted battle. Phorm offers a new advertising model for the Internet: its servers are installed at participating ISPs (in this case BT, VirginMedia and TalkTalk) and these monitor port 80 traffic for each user to build a profile of their browsing interests. When the user visits a website that is also part of the Phorm scheme, the site can target its advertising based upon that usage profile.

Phorm claims that the system does not collect or store personally-identifiable information; that its servers are secure; and that users have the ability to opt-out of the service at any time. They employed respected privacy experts to conduct a privacy impact assessment of the situation. When that approach came under fire, they published the document. Finally Phorm bowed to pressure and invited Dr Richard Clayton of Cambridge University to inspect their plans.

Richard is one of the most well-respected thinkers in this field, and his opinions matter. Unfortunately in this case, he remains of the opinion that Phorm’s system operates in breach of the Regulation of Investigatory Powers Act 2000, and there is also a case to argue that it breaches the Computer Misuse Act 1990. Richard also makes the wise point that there is a big difference between complying with the Data Protection Act and respecting privacy: the DPA provides a framework for managing personal information, but it’s perfectly possible to comply with the law and still misuse personal information (just as ISO9001 doesn’t stop mistakes from happening, but at least you can find out why they happened).

As I mentioned yesterday, Phorm have done themselves no favours by admitting to over-zealous editing of their Wikipedia entry.

In a new twist, the most influential voice in the identity space has now spoken out on the topic: Microsoft’s identity guru Kim Cameron agrees that ‘opt-out’ implementations of Webwise are in breach of the Laws of Identity. This is important – Kim is shaping the principles that will drive future privacy-protecting identity systems, and if Phorm is an inappropriate third-party in the online identity relationship then they have a real problem on their hands.

It’s very likely that attention will shift to BT and VirginMedia, who have both been very quiet indeed about their ‘opt-out’ approach to Phorm (TalkTalk are off the hook because they have taken a more privacy-friendly ‘opt-in’ approach). The real test will be whether those providers start to lose business over this, particularly in Croydon and Ealing, where further trials of OIX and Webwise are due soon. That will show whether the protesters are representative of the broader user community, of if this is a niche issue that most users either don’t understand or don’t care about. Watch this space.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

You say "Unfortunately in this case". Unfortunate for who? The customers whose privacy was illegally breached or for Phorm and BT who deserve to be bought to book for blatantly ignoring the law? First Sir Tim Berner-Lee, then Dr Richard Clayton and now Kim Cameron. Not to mention a whole load of very annoyed, informed customers. This is the issue here - your average home users don't have anything like the technical understanding. They glaze over when faced with anything remotely technical yet are happy to accept spin and PR. This, in my experience, is a niche issue that most users don't understand about. I've asked Virgin Media to issue the statement that was read to me in a phone call on Monday but they haven't done so. That's their mistake.
Phorm has hired a Chief Privacy Officer - well done them! It's a role we need to see more of in UK organisations.
The saying goes, inside of the specialist's head there are few choices, however for one with the rookie's mind, the entire world is open up.