Ad-targeting system Phorm must be “opt in” when it is rolled out, says the Information Commissioner's Office (ICO).
European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.
The decision could be a blow to Phorm which before now has said it would operate on an “opt out” basis. The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed.
Phorm serves up adverts related to a user’s web browsing history that it monitors by taking a copy of the places they go and search terms they look for. Adverts related to that history are put on any websites that have signed up to use Phorm.
So far BT, Talk Talk and Virgin have signed up to use the system.
Critics of Phorm say it breaks laws on unwarranted interception of data. Privacy advocates have also objected to the information it gathers about a user’s web browsing habits.
The statement from the ICO was issued to clarify its position on the way Phorm works. The ICO only commented on whether Phorm complied with UK and European data protection laws. It said a decision about whether Phorm broke laws on interception was a matter for the Home Office.
From its discussions with Phorm, the ICO said it appeared the company did not break laws regarding “personal data”, i.e. information which can be used to identify a living individual.
However, the ICO said European laws demand that users must consent to their traffic data being used for “value added services”.
The ICO wrote: “This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.”
Before now Phorm has been expecting to operate on an “opt out” basis where every customer of ISPs that have signed up is enrolled unless they explicitly refuse to use it.
Responding to the ICO statement, Kent Ertugrul, chief executive of Phorm, said: “We now have a statement from the Home Office and the Information Commissioner saying not only is there no privacy issue but there is no interception issue either.”
He said that the warnings Phorm will give to those enrolled in it would “exceed substantially” the “valid and informed consent” demanded by European regulations.
“The more people understand what we are doing the more comfortable they get with it,” he said.
The ICO stressed its opinion was based on discussions with the company rather than information coming out of trials or commercial use of the technology.
It said its opinion could change depending on how Phorm worked once the system was in use.
The ICO pledged to keep Phorm “under review” and any change in opinion would be “strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision.”
Responding to the ICO statement, Nicholas Bohm, general counsel for the Foundation for Information Policy Research, said: “The ICO has set a floor below Phorm-like activities by saying it has at least to be opt in and that’s better than before.”
Mr Bohm said Phorm had consistently “ducked” questions about whether its system was “opt in”. He said: “If the user does nothing will they end up being Phormed? That’s not what opt in means.”
“Being opt in faces them with a much more difficult business model,” he added.
Mr Bohm said he was disappointed that the ICO had avoided the question of whether Phorm broke interception laws.
“This is not the end of the road. We will be taking it further. We are not satisfied with the ICO response on interception,” he said.
- See the BadPhorm website for further details on this controversy.
- Note also The Register article, Home Office defends ‘dangerously misleading’ Phorm thumbs-up, 24.04.2008
I believe the private sector will continue to try to develop similar tools despite strong opposition from civil society. Such technologies can only be developed by respecting the privacy of online users, and they need to be based on a system of informed consent in compliance with the Data Protection laws. Some people may like to receive targeted ads, others like me don’t, and by default we should be left out of such a system.