‘We know where you surf’
27 Apr 09

The legality of advertising software company Phorm’s technology is being questioned by the European Commission. Bill Thompson explains.

The law obliging Internet service providers to keep records of email exchanges and website visits so that the police and other agencies can trawl through them in search of evidence went into effect this month, giving thousands of officials access to our personal communications.

If that wasn’t depressing enough, anyone who gets their Internet access from BT, Virgin Media or TalkTalk can look forward to another form of monitoring, this one in the interests of advertisers and the profits to be made from them.

The three Internet service providers (ISPs) have signed up to Phorm’s Open Internet Exchange (OIX), a service that takes information about which websites customers are visiting to create profiles that can then be used to deliver targeted adverts on participating websites. OIX relies on a technique called ‘deep packet inspection’, where an ISP looks at what is in the data that its customers send and receive instead of just reading the source and destination addresses on each small chunk, or ‘packet’, that is exchanged.

For example, if I am a BT customer who visits a lot of health-related websites because I’m concerned about swine flu or another potential pandemic, I can expect to see more adverts for health products when I visit sites that have joined Phorm’s advertising network, because BT is tracking my surfing habits to create a profile that Phorm’s OIX ad server can use to select which adverts to show me.
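To make the distinction in the column concrete, the following added example (not code from the column, Phorm or any ISP) parses two constructed packets: one carrying a plaintext HTTP request, one carrying an opaque record standing in for TLS-encrypted traffic. The addresses, ports, hostname and path are all made up; `read_addresses` shows what ordinary routing needs, and `inspect_payload` shows what deep packet inspection can additionally read, and what it cannot read once the payload is encrypted.

```python
# Added example: what an ISP can read from a packet with and without payload
# inspection. Packet bytes are constructed here, not captured traffic.
import socket
import struct

IP_HDR_LEN = 20   # minimal IPv4 header, no options
TCP_HDR_LEN = 20  # minimal TCP header, no options


def build_ipv4_tcp_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal IPv4/TCP packet. Checksums are left at zero because
    only the field layout matters for this illustration."""
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,           # version 4, header length 5 words
        0,              # DSCP/ECN
        total_len,
        0, 0,           # identification, flags/fragment offset
        64,             # TTL
        6,              # protocol: TCP
        0,              # checksum (not computed)
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,           # sequence / acknowledgement numbers
        5 << 4,         # data offset: 5 words
        0x18,           # flags: PSH, ACK
        65535,          # window
        0, 0,           # checksum, urgent pointer
    )
    return ip_header + tcp_header + payload


def read_addresses(packet):
    """Shallow inspection: only the addressing fields a router needs."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    sport, dport = struct.unpack("!HH", packet[IP_HDR_LEN:IP_HDR_LEN + 4])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport,
    }


def inspect_payload(packet):
    """Deep packet inspection: read the HTTP request inside the TCP payload.
    Returns method, path and host if the payload is a plaintext HTTP request,
    or None if it is not readable (for example, an encrypted TLS record)."""
    payload = packet[IP_HDR_LEN + TCP_HDR_LEN:]
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    return {"method": parts[0], "path": parts[1], "host": host}


# Constructed sample 1: a plaintext HTTP request to a made-up health site
# (addresses from the documentation ranges, hostname under .example).
PLAIN_PACKET = build_ipv4_tcp_packet(
    "192.0.2.10", "198.51.100.20", 51234, 80,
    b"GET /articles/swine-flu HTTP/1.1\r\nHost: health.example\r\n\r\n",
)

# Constructed sample 2: the same flow over TLS. The bytes stand in for an
# encrypted application-data record (type 0x17, version 3.3); they are not
# a real ciphertext, just bytes an inspector cannot read as text.
TLS_PACKET = build_ipv4_tcp_packet(
    "192.0.2.10", "198.51.100.20", 51235, 443,
    b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xa0)),
)


def compare_visibility():
    """What each level of inspection yields for the two constructed packets."""
    return {
        "plain": (read_addresses(PLAIN_PACKET), inspect_payload(PLAIN_PACKET)),
        "tls": (read_addresses(TLS_PACKET), inspect_payload(TLS_PACKET)),
    }


if __name__ == "__main__":
    for name, (addrs, content) in compare_visibility().items():
        print(name, "addresses:", addrs)
        print(name, "payload  :", content)
```

The plaintext packet gives the inspector the site, the page and the request method, which is exactly the material a surfing profile is built from; the encrypted packet yields only the addresses and the destination port. Encryption narrows rather than removes what a network operator sees: the server name sent in the TLS ClientHello and the DNS lookup that precedes the connection are still in the clear, so the destination site, though not the page or its content, remains visible to an inspecting ISP.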

Phorm and its customers claim that the process respects my privacy and is completely anonymous. They say the profiling happens inside the ISP and all the advertisers get to see is a randomly generated profile number that indicates the broad categories of advertising I might be interested in.

Others disagree, and the proposals have led to a massive and ongoing debate about the limits of online privacy, the degree to which ISPs should be allowed to exploit the information they inevitably gather about their customers and the degree to which third-party companies should be trusted when they promise security, privacy and anonymity.

The debate has even involved Tim Berners-Lee, the inventor of the World Wide Web, who told the BBC ‘it is very important that my ISP supplies Internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.’

Despite many complaints and an attempted private prosecution of BT for breach of the Regulation of Investigatory Powers Act over revelations that it had run two secret trials of the Phorm technology in 2006 and 2007, UK authorities have said that OIX does not break the law, and although none of the three ISPs have announced a date when the service will go live, it is likely to be soon.

Or at least, they will if they can, because the tale took an interesting turn on 14 April when the European Commission stepped into the fray and announced that it was opening proceedings against the UK over concerns about how UK law implements directives covering electronic privacy and data protection.

Under UK law, interception has to be ‘intentional’ to fall foul of the law, and it is legal if the interceptor has ‘reasonable grounds for believing’ that consent has been given. This apparently gives Phorm and its customers enough wriggle room to argue that what they are doing is permissible, even if it is technically a form of interception.

The Commission seems to disagree, so we now have a service that the UK government tells us is completely legal being challenged by Viviane Reding, the EU’s Commissioner for Information Society and Media, who argues that services like Phorm need to be very carefully controlled and users should explicitly consent to having their surfing habits profiled.

The mess could take a while to sort out, but the UK’s track record on data protection and privacy is so poor that it would be foolish to expect that any changes to the law will stop some form of profiling based around deep packet inspection rolling out in the near future. When that happens, anyone concerned about having their ISP watching them as they surf will need to find out how to opt out or find another provider. The Dephormation website is a good starting point.

In the longer term, however, this sort of technology is likely to be widespread and unavoidable. In February this year the main mobile broadband providers revealed that they have been monitoring the sites their users visit and plan to sell the data to advertisers, and ISPs are unlikely to turn down the potential revenue streams that could come from selling user data.

In the end, those of us who do not want to be profiled may be forced to abandon the public Internet entirely, using anonymous technologies and encrypted communications protocols to move to a private, anonymous network created between co-operating computers, leaving the Internet to the Tesco Clubcard-wielding masses who think automatic number-plate recognition is a great idea.

Bill Thompson is a technology writer for the BBC