Objecting to Phorm

Richard Clayton

March 2009

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Note: This essay was contributed by the author to the Office of the Privacy Commissioner of Canada's Deep Packet Inspection Project


Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive. They will capture the details of all the online searches you make, all of the web pages you visit – solely to serve up targeted online adverts. This isn’t happening for some altruistic aim of making adverts more relevant, but because the ISPs will get a cut from the advertising revenue, and Phorm, the technology vendor involved, will charge advertisers extra for delivering up an especially receptive audience.

You might think that “there ought to be a law against it” – and you’d be right. Analysis by the Foundation for Information Policy Research (FIPR) shows that the complicated way in which the Phorm system works means that the ISPs will commit criminal offences, and could also face civil litigation for the unauthorised processing of copyrighted material.

The Phorm system snoops on all web page requests, and in particular it picks out the search terms used on Google and other search engines. The system also monitors the contents of any web pages visited, looks for the commonest words, and tries to discern what the pages are about. This works up to a point – early search engines used similar schemes – but isn’t especially accurate. Accurate or not, a distillation of this information is matched against advertiser word lists: for example, if “flight” and “hotel” appear, then perhaps you’ll be a sucker for a travel advert. If so, then when you next visit a participating website, the adverts won’t be random but will have a travel theme to them – with the highest bidder getting to put their message in front of you, and the ISP getting a back-hander for participating.

However, UK criminal law calls snooping on web traffic “interception” and can send you to prison for it. There are statutory defences for the ISP (or indeed the postal service) looking at traffic for operational purposes (so your mailman can look at the address on the envelope), but this is irrelevant because it isn’t an ISP operational matter to deduce whether or not you’re a travel junkie.

The ISPs involved with Phorm will obtain the permission of their customers to be snooped upon (albeit this permission is rather an afterthought, and early trials didn’t bother with such niceties). Unfortunately for the ISPs, in the UK this is necessary but not sufficient, because interception is illegal unless BOTH ends of the communication give permission. This is a fundamental (and clearly intentional) change made by Parliament in 2000 from the previous one-sided regime. What’s more, the 2002 EU “Directive on Privacy and Electronic Communications” also makes it clear that both ends’ permission is needed.

As it happens, the two-sided requirement gave the legislators several headaches, and so there are special provisions to permit the police to listen in to a kidnapper’s ransom demand, and secondary legislation sets out “Lawful Business Practice” to permit stockbrokers to record their instructions, and call centres to perform quality monitoring. None of what the ISPs intend will come under Lawful Business Practice.

Readers may be surprised to have got this far without any mention of the UK’s Data Protection Act 1998 (DPA). It is relevant, in that the Phorm system will regularly be processing “sensitive” personal data and must therefore arrange for an informed opt-in. However, not much more of the DPA will apply because Phorm has carefully designed its systems to evade the provisions of the Act – and providing pseudonyms for users in the form of unique identifiers gets them an awfully long way.

But the real reason the DPA is scarcely relevant is that people’s outrage at the system is expressed in the language of privacy, and there is a significant difference between “privacy” and “data protection”.

When the taxman looks at your financial affairs, they trample all over your privacy, but their systems are completely DPA compliant. Likewise, the Phorm system may learn that someone they know of by an opaque identifier is fascinated by the prospect of travelling to Israel, and they will stay within the letter of the DPA. However, they’ve learnt something very private about that user’s opinions. If that user were a Saudi Arabian student studying in the UK, subsequent serving of targeted adverts, and the information thereby revealed, could lead to embarrassment or much worse.

The bottom line for me, when I consider the Phorm system, is that having ISPs snoop into the personal lives of their customers for a trivial financial gain is inherently objectionable. It is simply not what ISPs should be doing. That the system turns out to infringe a number of laws should simplify blocking its deployment; it’s not the reason that it has to be stopped.