The Information Commissioner has been approached by a number of individuals and organisations for a view on Phorm’s Webwise and Open Internet Exchange (OIX) products. Phorm also approached the Commissioner immediately prior to announcing a deal to work with 3 major UK internet service providers (ISP) and launch of the Webwise and OIX products to explain the nature of their products and in particular what they believe to be the privacy friendly elements of them. The Commissioner has also had contact with the ISPs working with Phorm about the scope and nature of their roll out of the Phorm products.
The Commissioner is responsible for enforcing the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). Therefore the Commissioner is confining himself to the question of whether the use of the products offered by Phorm complies with the DPA and PECR. Furthermore the Commissioner’s views are based on the current understanding of the Phorm products before the upcoming trial or roll out by any of the ISP have taken place which should provide more information about their use in practice.
Phorm has developed a system where, with the cooperation of an individual’s ISP they can profile the addresses and certain content of websites visited by users and then use that information to match that user against predefined broad advertising categories. Phorm assert that this targeted marketing takes place in a way that rigorously protects the privacy of web users.
Phorm has explained that the user profiling occurs with the knowledge and agreement of customer and within the technological infrastructure of the ISP. The profile is based on a unique ID allocated at random to each internet user which is held only on their computer and by Phorm so that the advertising and profiling can take place in such a way that there is no need to know the identity of the individual users. When a user visits a website that has an agreement with Phorm their user ID is recognised and Phorm will use the broad advertising categories associated with that ID to enable relevant advertising channel to be shown on the website. The advertising is displayed instead of non-targeted advertising that would be displayed to users regardless of the roll out of the Phorm products.
Phorm has provided assurances that the systems have been configured so that the company does not have a record of the actual sites visited and search terms used by the user and in addition the advertising categories exclude certain sensitive terms and have been drawn widely so that the profiles that they hold for users will not inadvertently reveal the identity of a user or return advertising of a sensitive nature. Phorm also assures us that the ISP does not hold or have access to either the advertising categories users have been matched against or the user ID and does not keep a lasting record of internet traffic for any reason other than it would have originally.
Whether the use of the products offered by Phorm complies with the DPA will depend, in the first instance, on the extent to which the company is processing personal data. Personal data is information that relates to a living individual who can be identified from that information or other information in the possession of or likely to come into the possession of the person holding it. Phorm has asserted that it does not have nor would it ever want or need access to any information held by the ISP which would enable it to link their user ID and profile to a living individual. If this is true the company is not processing personal data of the ISP’s customers in providing its product and the DPA will not apply. Further Phorm has also assured the Commissioner of an additional safeguard, in that it is not possible for an employee to interrogate its systems to reveal particular user ID profiles.
Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses and is able to link its customers to an IP address within its own systems although this may not be its intention. Phorm assert that the ISPs cannot make any such link using the Phorm products or infrastructure. To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA. When considering whether or not the processing in this context is fair the Commissioner takes into consideration the extent to which users are made aware that the processing will take place, any choice that they are able to exercise over whether or not the processing takes place, the ease with which they can object and the effect of the processing upon the individual.
Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis. In addition we are told that users will be able to easily access information on how to change their mind at any point and are free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice.
On the basis of our understanding of the explanation provided to us there does not appear to be any detriment to users in the operation of the Phorm system as those who choose to be involved will only have the information used to match them against an advertising category and then present them with targeted advertising while browsing the internet. The ISP does not create lasting records of browsing habits in this context and do not seek to link living individuals to that information as it profiled and sent to Phorm. It also appears that users who opt out do not have their web browsing habits profiled and will be in the same position as regards the processing of their personal data as before the Phorm systems were introduced.
Some individuals have questioned whether or not the use of Phorm products entails an unlawful interception of communications under the Regulation of Investigatory Powers Act 2000 (RIPA). The Information Commissioner does not have responsibility for enforcing RIPA and has no expertise in determining whether an interception subject to RIPA has taken place. Though they do not have responsibility for enforcing RIPA the Home Office do provide guidance on its provisions. Phorm has approached the Home Office directly about compliance with RIPA and had a written response. The gist of the response was that it was questionable whether the use of Phorm’s technology involves an interception within the meaning of RIPA and that even if it did that there would be an argument that such a interception was not unlawful. The Home Office went on to state that they did not consider that RIPA was intended to cover such situations. Some organisations have stressed an alternative view that the scanning of the content of websites by the ISP on route to the user will entail an interception of communication during transmission. Given that the Commissioner does not have responsibility for enforcing RIPA, and in the absence of any evidence that the alleged breaches are likely to cause detriment to individuals the Commissioner will not be pursuing this matter.
Phorm and the ISP will also have to comply with the PECR even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for the ISPs and Phorm to achieve compliance with Regulation 6.
Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.
Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product.
In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates.
v1.3 18/04/08
The Commissioner is responsible for enforcing the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). Therefore the Commissioner is confining himself to the question of whether the use of the products offered by Phorm complies with the DPA and PECR. Furthermore the Commissioner’s views are based on the current understanding of the Phorm products before the upcoming trial or roll out by any of the ISP have taken place which should provide more information about their use in practice.
Phorm has developed a system where, with the cooperation of an individual’s ISP they can profile the addresses and certain content of websites visited by users and then use that information to match that user against predefined broad advertising categories. Phorm assert that this targeted marketing takes place in a way that rigorously protects the privacy of web users.
Phorm has explained that the user profiling occurs with the knowledge and agreement of customer and within the technological infrastructure of the ISP. The profile is based on a unique ID allocated at random to each internet user which is held only on their computer and by Phorm so that the advertising and profiling can take place in such a way that there is no need to know the identity of the individual users. When a user visits a website that has an agreement with Phorm their user ID is recognised and Phorm will use the broad advertising categories associated with that ID to enable relevant advertising channel to be shown on the website. The advertising is displayed instead of non-targeted advertising that would be displayed to users regardless of the roll out of the Phorm products.
Phorm has provided assurances that the systems have been configured so that the company does not have a record of the actual sites visited and search terms used by the user and in addition the advertising categories exclude certain sensitive terms and have been drawn widely so that the profiles that they hold for users will not inadvertently reveal the identity of a user or return advertising of a sensitive nature. Phorm also assures us that the ISP does not hold or have access to either the advertising categories users have been matched against or the user ID and does not keep a lasting record of internet traffic for any reason other than it would have originally.
Whether the use of the products offered by Phorm complies with the DPA will depend, in the first instance, on the extent to which the company is processing personal data. Personal data is information that relates to a living individual who can be identified from that information or other information in the possession of or likely to come into the possession of the person holding it. Phorm has asserted that it does not have nor would it ever want or need access to any information held by the ISP which would enable it to link their user ID and profile to a living individual. If this is true the company is not processing personal data of the ISP’s customers in providing its product and the DPA will not apply. Further Phorm has also assured the Commissioner of an additional safeguard, in that it is not possible for an employee to interrogate its systems to reveal particular user ID profiles.
Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses and is able to link its customers to an IP address within its own systems although this may not be its intention. Phorm assert that the ISPs cannot make any such link using the Phorm products or infrastructure. To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA. When considering whether or not the processing in this context is fair the Commissioner takes into consideration the extent to which users are made aware that the processing will take place, any choice that they are able to exercise over whether or not the processing takes place, the ease with which they can object and the effect of the processing upon the individual.
Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis. In addition we are told that users will be able to easily access information on how to change their mind at any point and are free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice.
On the basis of our understanding of the explanation provided to us there does not appear to be any detriment to users in the operation of the Phorm system as those who choose to be involved will only have the information used to match them against an advertising category and then present them with targeted advertising while browsing the internet. The ISP does not create lasting records of browsing habits in this context and do not seek to link living individuals to that information as it profiled and sent to Phorm. It also appears that users who opt out do not have their web browsing habits profiled and will be in the same position as regards the processing of their personal data as before the Phorm systems were introduced.
Some individuals have questioned whether or not the use of Phorm products entails an unlawful interception of communications under the Regulation of Investigatory Powers Act 2000 (RIPA). The Information Commissioner does not have responsibility for enforcing RIPA and has no expertise in determining whether an interception subject to RIPA has taken place. Though they do not have responsibility for enforcing RIPA the Home Office do provide guidance on its provisions. Phorm has approached the Home Office directly about compliance with RIPA and had a written response. The gist of the response was that it was questionable whether the use of Phorm’s technology involves an interception within the meaning of RIPA and that even if it did that there would be an argument that such a interception was not unlawful. The Home Office went on to state that they did not consider that RIPA was intended to cover such situations. Some organisations have stressed an alternative view that the scanning of the content of websites by the ISP on route to the user will entail an interception of communication during transmission. Given that the Commissioner does not have responsibility for enforcing RIPA, and in the absence of any evidence that the alleged breaches are likely to cause detriment to individuals the Commissioner will not be pursuing this matter.
Phorm and the ISP will also have to comply with the PECR even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for the ISPs and Phorm to achieve compliance with Regulation 6.
Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.
Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product.
In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates.
v1.3 18/04/08
Comment