Online advertising company Phorm has responded to its critics’ demands by allowing an inspection of its plans by a respected security expert. Unfortunately, he doesn’t like what he’s seen.
The debate over Phorm’s online advertising service – Webwise and OIX – continues to rage, and the two sides appear to be digging in for a protracted battle. Phorm offers a new advertising model for the Internet: its servers are installed at participating ISPs (in this case BT, VirginMedia and TalkTalk) and these monitor port 80 traffic for each user to build a profile of their browsing interests. When the user visits a website that is also part of the Phorm scheme, the site can target its advertising based upon that usage profile.
Phorm claims that the system does not collect or store personally-identifiable information; that its servers are secure; and that users have the ability to opt-out of the service at any time. They employed respected privacy experts to conduct a privacy impact assessment of the situation. When that approach came under fire, they published the document. Finally Phorm bowed to pressure and invited Dr Richard Clayton of Cambridge University to inspect their plans.
Richard is one of the best-respected thinkers in this field, and his opinions matter. Unfortunately in this case, he remains of the opinion that Phorm’s system operates in breach of the Regulation of Investigatory Powers Act 2000, and there is also a case to argue that it breaches the Computer Misuse Act 1990. Richard also makes the wise point that there is a big difference between complying with the Data Protection Act and respecting privacy: the DPA provides a framework for managing personal information, but it’s perfectly possible to comply with the law and still misuse personal information (just as ISO9001 doesn’t stop mistakes from happening, but at least you can find out why they happened).
As I mentioned yesterday, Phorm have done themselves no favours by admitting to over-zealous editing of their Wikipedia entry.
In a new twist, the most influential voice in the identity space has now spoken out on the topic: Microsoft’s identity guru Kim Cameron agrees that ‘opt-out’ implementations of Webwise are in breach of the Laws of Identity. This is important – Kim is shaping the principles that will drive future privacy-protecting identity systems, and if Phorm is an inappropriate third-party in the online identity relationship then they have a real problem on their hands.
It’s very likely that attention will shift to BT and VirginMedia, who have both been very quiet indeed about their ‘opt-out’ approach to Phorm (TalkTalk are off the hook because they have taken a more privacy-friendly ‘opt-in’ approach). The real test will be whether those providers start to lose business over this, particularly in Croydon and Ealing, where further trials of OIX and Webwise are due soon. That will show whether the protesters are representative of the broader user community, or if this is a niche issue that most users either don’t understand or don’t care about. Watch this space.