Sunday, October 05, 2008

Phorm Storm

A slightly delayed post on this issue. The title of this post is "Phorm Storm" primarily because a lot has been written on the latest saga of Phorm, which is likely to deliver targeted advertising based on user browsing habits by using deep packet inspection. For those who want to read up further, Wikipedia provides a detailed account. Whilst BT has already started trials of Phorm, the ICO has already indicated that Phorm would only be legal if users OPT-IN (based on the Privacy and Electronic Communications Regulations).

The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."

It is claimed that the data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.

Some queries at this stage: what is there to guarantee the anonymity of the data collected? Take a different approach or query: why would you want to anonymise the data, when it could be a valuable "commodity" for any other company for marketing purposes? After all, we are dealing with users' surfing habits. It is also working towards the build-up of online profiling of individuals (apologies for the scepticism). Online profiling will have to be another topic in its own right. Imagine the following hypothetical scenario:

Fred Blogs, a regular shopper, decides to use his laptop to go online, visits Widgets Bookshop and checks his Gmail account before switching over to read his regular dose of The Times. He also decides to pay a few bills online. His son, Joe Blogs, 12 years of age, asks his father whether he can use his laptop. Happily, Fred Blogs allows his son to do so. Joe Blogs logs onto his MySpace account, then decides to go onto another website, let's say the KaZaA filesharing website, and downloads his favourite music. Joe Blogs then emails his friends from his MySpace account to arrange a party. Probably a good case for discussion.

Whilst this is a hypothetical scenario, assume that Fred Blogs naively subscribes to this Phorm program so that it can deliver targeted ads. What is there to guarantee that it will be completely anonymous? If Joe Blogs logged onto a filesharing website on his father's user account, then questions may arise as to his surfing habits and whether they would land him in trouble with the law. It should be remembered that the General Data Protection Directive 95/46/EC is applicable (including in Member States that implement it, i.e. the UK's Data Protection Act 1998). Given that Phorm is providing the software to the ISPs, it appears that the ISPs would be regarded as a "data controller" and thus be required to comply with the UK's Data Protection Act 1998. Questions have arisen about whether Phorm could be the "data controller". There has been some discussion from the Art. 29 Working Party, which has indicated in its recent opinion that the notion of personal data is defined broadly and would include IP addresses that identify individuals (as held by several Data Protection Authorities, including those of Germany and Sweden). There is a strong argument that if there is any possibility of identifying individuals through their surfing habits, then the Data Protection Directive, or the EU Member States that have implemented the Data Protection Directive 95/46/EC, would clearly take the view that we are dealing with personal information. For an in-depth analysis of the EU Member States' implementation of the Data Protection Directive, visit here for more information.

If one were to subscribe to the Phorm program, it would simply be to test how robust the system is and to identify fundamental flaws in this technical system that claims to anonymise surfer habits. However, a report has already been written on this.

Putting on a sceptical hat: given that the arguments in favour of stronger rights for the privacy of personal information (in particular, under the DPA 1998) are relatively weak in the UK (other than recent changes to strengthen the UK Data Protection Act 1998), this is a further step in the gradual erosion of privacy in the UK.

Final point: Warren and Brandeis's seminal article on the right to privacy was written out of concerns about press intrusion; however, the privacy discussion here is not so much about the protection of privacy as the willing acceptance or acknowledgment by individuals that there is simply nothing that can be done to protect privacy. Switching ISPs is only one solution. Opting out of the system is another way. Targeted advertising is certainly unwelcome for the privacy-conscious. Yet, one can foresee that the only route may have to be litigation! Discuss...

1 comment:

samflutch said...

Phorm is one of a few technology companies that came under scrutiny last year for using ISP technology to monitor Internet behavior without customer knowledge. But British firm Phorm, which provides a similar service abroad, has so far managed to steer through the death-inducing scrutiny and negative press that has enveloped NebuAd.