Phorm needs 'better protection'

[kona]

Phorm needs 'better protection'

A system that matches users' web surfing habits to adverts must ensure sensitive sites are black-listed from tracking, a privacy report has said.

Phorm's online technology is set to be rolled out by three of the UK's biggest ISPs, BT, Virgin and Talk Talk.

The report commissioned by Phorm and carried out by two respected privacy campaigners said sensitive user data should not be collected by the tool.
Phorm has been widely criticised and one policy group argued it was illegal.
The system works by tracking keywords on websites visited by users of the participating ISPs and then matching those words to advertising "channels".

Secure websites

Users would then receive online advertising that matched their surfing habits on websites that had signed up with Phorm.

E-mails, credit card details and information on secure websites would not be tracked and analysed, Phorm has said.

But the interim privacy impact assessment report, written by Simon Davies and Gus Hosein, of 80/20 Thinking Ltd, said the company should go further.

It said: "Information from websites and queries regarding sexual content, political preferences, medical health, racial origin should be blocked from processing.


Of course it is merely a unique identifier but a unique identifier can still be linked to individuals
Interim privacy report

"Similarly, as profiles are developed Phorm should communicate openly whether profiles and channels will match information of this type, e.g. matching pharmaceuticals with web activity that searches for anti-depressants."
The report also called on the tool to disregard data collected from website addresses so that ISPs could not, in theory, learn about their customers' commercial preferences, such as which bank or insurance company they use.

It said: "If this information was to be logged by an ISP this would make users feel spied upon because their ISP would know which services he or she makes use of.

Praised firm

"Phorm must ensure that it is not using information about these sites in any way."

The report praised the firm's stance in protecting user identity by not collecting and storing data which could personally identify consumers.
Phorm places a cookie on a customer's computer with a unique identifier, but with no personal details stored.

The report asked Phorm: "Can cookies lead back to users in any way? Of course it is merely a unique identifier but a unique identifier can still be linked to individuals.

"Can an external attacker gain access to the required information to re-link the individual and the unique identifier?"
The report also urged the company and ISPs to make the system opt-in, so that users choose to use the service.

Talk Talk has said its system will be opt in while Virgin and BT have yet to make a decision.

Earlier this week, policy group the Foundation for Information Policy Research wrote an open letter to the Information Commissioner arguing that Phorm contravened the Regulation of Investigatory Powers Act 2000 (Ripa), which protects users from unlawful interception of information.

The creator of the web, Tim Berners-Lee, has also voiced his concern.

He told BBC News that he would change his ISP if it planned to track his web surfing habits in order to target adverts.

Mr Davies told the BBC that the full privacy report would be published after the authors had spoken to the ISPs using Phorm's technology.

Transparency

A Phorm spokesman said publication of the report reflects the company's commitment to transparency, a desire to consult widely about the system, and to communicate how it works.

"The report rightly praises our incorporation of privacy as a key design component, and is part of an ongoing process.

"Since this preliminary, initial report was written several weeks ago, we have addressed several claims in it.

"Among them, we have confirmed to 80/20 Thinking that Webwise does not track behaviours across sensitive sites including ones named in the report, that anonymous cookies it uses cannot be traced back to users, and that Webwise deliberately ignores https pages used by banks, and other personal data,” he said.


_http://news.bbc.co.uk/2/hi/technology/7303426.stm

[waynemooney]

As the founder of the internet said this week what happens if you are looking at medical sites for some specific disease and then that information is sold to your insurance company??

Just another bunch trying to make easy money.

The ISP's should just concentrate on speeding up our internet connections and stop *ucking about with crap like this. If my ISP puts it in, which it looks like it will, then I will be on the move. I also wonder if this is a breach of their terms and conditions?

[kona]

Ad-targeting system Phorm must be "opt in" when it is rolled out, says the Information Commissioner Office (ICO)

European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.

The decision could be a blow to Phorm which before now has said it would operate on an "opt out" basis.

The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed.

Personal data

Phorm serves up adverts related to a user's web browsing history that it monitors by taking a copy of the places they go and search terms they look for. Adverts related to that history are put on any websites that have signed up to use Phorm.

So far BT, Talk Talk and Virgin have signed up to use the system.

Critics of Phorm say it breaks laws on unwarranted interception of data. Also privacy advocates have objected to the information it gathers about a user's web browsing habits.

The statement from the ICO was issued to clarify its position on the way Phorm works.

The ICO only commented on whether Phorm complied with UK and European data protection laws. It said a decision about whether Phorm broke laws on interception was a matter for the Home Office.

From its discussions with Phorm, the ICO said it appeared the company did not break laws regarding "personal data" ie information which can be used to identify a living individual.

Fingerprint scan, AP
Data protection laws cover information that can identify individuals

The warnings that Phorm will give to customers of the ISPs that have signed up to use it also means it complies with European regulations governing what must be done when text files called "cookies" are placed on a user's computer. Phorm uses cookies to identify those enrolled in the system.

However, the ICO said European laws demand that users must consent to their traffic data being used for "value added services".

The ICO wrote: "This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users."

Before now Phorm has been expecting to operate on an "opt out" basis where every customer of ISPs that have signed up is enrolled unless they explicitly refuse to use it.

Responding to the ICO statement, Kent Ertugrul, chief executive of Phorm, said "We now have a statement from the Home Office and the Information Commissioner saying not only is there no privacy issue but there is no interception issue either."

He said that the warnings Phorm will give to those enrolled in it would "exceed substantially" the "valid and informed consent" demanded by European regulations.

"The more people understand what we are doing the more comfortable they get with it," he said.

More investigation

The ICO stressed its opinion was based on discussions with the company rather than information coming out of trials or commercial use of the technology.

It said its opinion could change depending on how Phorm worked once the system was in use.

The ICO pledged to keep Phorm "under review" and any change in opinion would be "strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision."

Responding to the ICO statement, Nicholas Bohm, general counsel for the Foundation for Information Policy Research, said: "The ICO has set a floor below Phorm-like activities by saying it has at least to be opt in and that's better than before."

Mr Bohm said Phorm had consistently "ducked" questions about whether its system was "opt in".

He said: "If the user does nothing will they end up being Phormed? That's not what opt in means."

"Being opt in faces them with a much more difficult business model," he added.

Mr Bohm said he was disappointed that the ICO had avoided the question of whether Phorm broke interception laws.

"This is not the end of the road. We will be taking it further. We are not satisfied with the ICO response on interception," he said.

Phorm admits 'over zealous' editing of Wikipedia article

Phorm has admitted that it deleted key factual parts of the Wikipedia article about the huge controversy fired by its advertising profiling deals with BT, Virgin Media and Carphone Warehouse.

The tracking and ad targeting firm said in an email: "We wanted to clarify a number of inaccuracies in the Wikipedia entry on Phorm."

As we reported yesterday, a number of Phorm-friendly edits were made to the page on Friday. The revisions were quickly reverted by a Wikipedian who argued that they made Phorm out to be "awesome and perfect".

In a telephone conversation, a spokesman for Phorm refused to comment on why it had tried to censor a quotation from The Guardian's commercial executives describing the ethical stance they took against its tracking system. He also refused to talk about the deletion of a passage explaining how BT admitted it misled customers over the 2007 secret trial.

Phorm also deleted a link to the The Register's report on the 2006 trial, and accompanying reference to BT's own document. It said that the aim of the trial was to validate that users were unaware of the presence of the tracking system.

The spokesman said Phorm's PR team had not been aware of Wikipedia's policy on conflicts of interest. Among many other rules they violated, it states: "Producing promotional articles for Wikipedia on behalf of clients is strictly prohibited."

A BT representative meanwhile wrote in an email: "I don't see anything wrong with correcting Wikipedia articles about your own company or services."

However, the edits made by Phorm included silencing factual primary information, that has been acknowledged as correct by the parties involved. ®
_http://www.theregister.co.uk/2008/04/08/phorm_cen sors_wikipedia/