Phorm? What's the beef?

You may have noticed that the EU has started proceedings against the UK Government for failing to take action against adware company Phorm which it believes infringes EU (and in turn UK) privacy protection laws.

So why is this such a big deal? Well, the main difference is that ad tracking in the past has largely been focused on tracking the delivery of adverts and users' actions when they click on those ads. In terms of data gathering, all fairly innocuous stuff.

But in the case of Phorm, it goes much beyond that - aided and abetted by ISPs like BT, the Phorm system doesn't track ads at all - it tracks YOU.

Using Deep Packet Inspection (DPI) technology installed on your ISP's servers, Phorm tracks you everywhere you go, and builds up a profile of your interests, likes, and dislikes. This allows them to sell advertising space to advertisers seeking advertising targets with your profile.

Some might argue that that's not a bad thing - after all it might be better that they deliver ads that are of interest to you rather than adverts that aren't. That seems to have been the argument that won the day when the City of London Police interviewed representatives of BT about a secret trial of debatable legality back in September 2008.

However, since then the detail of what Phorm are doing, and the nature of their "partners in [alleged] crime" has become clearer, and at the same time a little grubbier. Phorm's claims that their technology "is fully compliant with UK legislation and relevant EU directives" and that "This has been confirmed by BERR and by the UK regulatory authorities" have been somewhat diminished as the EU, the UK Data Commissioner and the UK Department for Business, Enterprise and Regulatory Reform (BERR) have all come out stating that in their view Phorm are in breach of data protection and privacy law. Heavyweight denial indeed.

Most worrying is the position of certain large UK ISPs including BT, Virgin Media, and Talk Talk. All of these have been collaborating with Phorm in the development of the system - BT having completed several illicit trials of the technology.

This adds a whole new dimension when it comes to choosing your ISP - not only do we have "how much", "how fast", but "are you going to spy on me?". To be fair to those ISPs, they have come out and explained their opt-in and opt-out policies in relation to the Phorm service, although BT's persistent opt-out approach would seem to be in contradiction of the Information Commissioner's ruling in April 2008 that Phorm's proposed offering would only be legal if it were opt-in.

So should we be worried? As a marketing company, the idea of being able to target potential market segments is highly attractive. But as an internet user, it's a different thing altogether - do I want my ISP (that already knows exactly who I am, where I'm going and what I'm looking at at any given time) to have a vested interest in passing that information on to a 3rd party for profiling? Furthermore, can that 3rd party be trusted?

One has to question the integrity of any company (BT) that persists in an opt-out approach to such a system in full knowledge of the Information Commissioner's ruling, and in the face of police interest, and a system provider that has shown a certain disregard for accuracy in its recent public statements, and I for one am not convinced. I want my ISP to be providing ME with a service, keep my data secure and private, and not be selling it on. I opt OUT thank you.

Want to know more about the technology and issues?

See Wikipedia articles: Phorm and Deep Packet Inspection