Phorm Warned by British Govt. Over Webwise Ad System, Must Use Opt-In Scheme

A firestorm has erupted over the Phorm company's highly sophisticated and invasive Webwise ad selling system that actually intrudes into the  user's personal web history to better link sellers with the supposed likes of net surfers. Analysts and security experts had pointed out the company's study of online user habits may well break the English Fraud Act 2006 and/or the Computer Misuse Act 1990, because it ignored privacy concerns. Now, the UK Information Commissioner's Office (ICO) has issued a major revision to its previous comments on Phorm, ruling the ad tracking system must be released on an opt-in basis to comply with British law. The ICO will closely observe the trials and commercial release of Phorm's products “to ensure data protection laws are observed.”

The Government admitted the Information Commissioner was “approached by a number of individuals and organisations for a view on Phorm’s Webwise and Open Internet Exchange (OIX) products.” In constructing their ad scheme, the company ran afoul not only of UK legislation but also European data protection laws that also insist that such invasive programs must use an enrollment plan. The ruling could  cause huge problems for Phorm's business model because this is exactly the type of negative publicity any company dreads before releasing a new product. Phorm had already announced their annual losses had doubled in an April press release.

After the latest controversy erupted, the Information Commissioner was approached by Phorm,

prior to announcing its deal with 3 major UK internet service providers (ISP's). Phorm explained its  Webwise and OIX products and described how they considered their products “privacy friendly.” As well, the Commissioner contacted the ISP's engaged with Phorm about the actual scope and nature of the Phorm products in practice.

The Commissioner is charged with enforcing the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). The Commissioner is now investigating more fully“whether the use of the products offered by Phorm complies with the DPA and PECR.” As well, the ICO would like to gather more information about the total Webwise system to gauge the legal implications.

The real issue is privacy. The ICO said that Phorm must be quite careful to receive support from the Government, stating:  “Phorm and the ISP will also have to comply with the PECR even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system....Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for Phorm to achieve compliance with Regulation 6.”

While Phorm is working overtime to mollify the concerns raised by the Government, privacy advocates, and alarmed consumers, the issue refuses to go away. According to critics, some of the company's previous trials have already pushed the privacy envelope too far. For example, last April it came to light that Phorm and British Telecom had eavesdropped on 36,000 customers in 2006 and 2007.

The continued efforts by Phorm to plumb the Internet site-visiting habits and sell the information has stirred up strong criticism from various analysts, rights advocates and institutions. Sir Tim Berners-Lee, the British inventor and creative father of the Internet has weighed in, saying a person's web history and user data are private property. Stated  Berners-Lee, “It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return.” As well, Nicholas Bohm, fellow of the Foundation for Information Policy Research, claims Phorm & BT's testing caused illegal data interception. Bohm told the BBC, “It seems a clear-cut case of illegal interception of communication.”

The Phorm ad system, in conjunction with ISP's, uses a method whereby they profile the addresses and then niche the content of websites visited by Internet users by type. Then they offer for sale this information to to sellers by advertising categories. Phorm asserts that this targeted marketing takes place in a way that rigorously protects the privacy of web users.

In dealing with the understandable fear consumers have that Big Brother is spying on their activities and selling the results for profit, the Commission has a solution. They said, “Although the products have not yet been rolled out and the upcoming trial by one ISP has not yet taken place, from the information available at this point it appears that users will be presented with an unavoidable statement about the product and asked to exercise a choice about whether or not to be involved on that basis. In addition we are told that users will be able to easily access information on how to change their mind at any point and free to opt into or out of the scheme at any point thereafter which should involve the same degree of transparency and choice. ”

While the controversy will continue as long as Phorm offers its invasive products, one headline summed up what is certain to be the reaction of many typical UK Internet users, from the British newspaper the Guardian: “No amount of PR will convince us to swallow Phorm.”