ISPs' plans for behaviour-targeted ads could break law

Plans by three of the UK's top internet service providers to send advertising to users...

Plans by three of the UK's top internet service providers to send advertising to users based on their use of the internet may come unstuck following assertions that the practice would contravene the Data Protection Act.

BT, Virgin Media and TalkTalk, the Carphone Warehouse's ISP, plan to use software from Phorm to serve advertisements to their combined customer base of over 10 million based on what they search for, what transactions they conduct, and their other online activity.

In an open letter to the Information Commissioner's Office (ICO), the Foundation for Information Policy Research (FIPR) questioned the legality of targeting users based on their internet usage patterns, even if the users were "anonymised" or directly unrecognisable to an advertiser.

According to the independent IT research body, Phorm-based user targeting would "involve the processing of sensitive personal data" including political opinions, sexual proclivities, religious views and health.

The FIPR said that unless users had signed an "opt-in" contract, this would be illegal under European data protection law, adding that some people would still be identifiable because of the nature of their searches and site choices.

"The system will inevitably be looking at the content of some people's e-mail, into chat rooms and at social networking activity," the FIPR said. "Although well-known sites are said to be excluded, there are tens or hundrends of thousands of other low-volume or semi-private systems."

It said the Phorm system would be "intercepting" traffic as defined in the Regulation of Investigatory Powers Act (RIPA). Traffic interception requires permission from both the owner of the website and the person accessing the website, and possibly the sender of web-mail as well.

The ICO said that, at its request, it had received information from Phorm, the company that will supply the software to track users' online behaviour. It was still evaluating it two weeks after receiving it. An ICO spokesman said, "They are clearly looking to comply [with the DPA]."

The ICO said it was talking to the ISPs about how they would meet privacy standards. "We will be in a position to comment in due course," it said.

BCS unravels data privacy issues >>

Read more on Hackers and cybercrime prevention