Posts tagged ‘privacy’

BT to push ahead with Phorm

BT Retail has the bit between its teeth, and is determined to go ahead with its rollout of the controversial OIX technology from Phorm. My earlier post describes what the Phorm solution is all about.

The company is going ahead despite vocal protests from the privacy community. These include widely-publicised plans by privacy advocate Alex Hanff to organise a protest at BT’s AGM on 16th July, to be accompanied by a trip to Charing Cross police station to hand over a petition demanding a criminal investigation and what he describes as evidence of BT’s alleged illegal actions in trialling the Phorm software in a covert manner. Hanff’s campaign website shows all kinds of other activity planned to bring the issue into the public eye. The Register is seemingly helping Hanff with his publicity.

The introduction of the service, which will be opt-in for BT’s subscribers, is due to begin at an unspecified time in the near future. Or at least, that’s the plan for now.


June 3, 2008 at 9:43 pm

Possibly the most stupid Government proposal ever

The UK government has made a few gaffes in its time in the area of electronic privacy, but this takes the biscuit. The Times online and BBC News report a proposal by Home Office officials to create a database of all phone calls and emails sent in the UK, to be used for “protecting national security and preventing crime”.

I’ve lost count of the number of reasons this is a ridiculous idea. Here are a few:

– It’s pretty near impossible to make happen, given the diverse nature of the billing/rating and mediation systems in use by telcos, and the non-existent systems in use by ISPs to record email traffic.

– It’s a privacy nightmare. No matter what rules are put in place at the outset to control access to the information gathered, there can be no guarantee that these rules won’t be changed in the future.

– Consider the government’s track record recently with respect to protection of personal data.

The Times quotes a Home Office spokesman thus:

The Bill was needed to reflect changes in communication that would “increasingly undermine our current capabilities to obtain communications data and use it to protect the public”.

Now, the authorities already have powers under the Regulation of Investigatory Powers Act (RIPA) to procure various records from telcos and ISPs – designated statutory agencies can require an ISP to install Government-specified monitoring equipment, for example, and give up information about the traffic generated by a specific user on demand. While this is clearly still intrusive, it does require legal process to instigate monitoring and is done on an as-needed basis. What’s different about the new proposals is that the Government would receive data on all traffic without establishing a specific need – and can then use the information gathered at its leisure for any purpose.

The privacy implications make this a classic Government sledgehammer to crack a nut. It’s in the same vein as the recent fuss about extending the police’s right to detain suspected terrorists for longer and longer periods, even when it can be demonstrated that the police have never used the powers they already have to their fullest extent. It’s a disproportionate solution, and should be stomped on if it ever sees light of day in a Bill before Parliament.

Update: Imran has some more insight in his blog on the same subject.

May 20, 2008 at 1:28 pm

Phorm by any other name

It seems that Phorm, who have created a huge rumpus in the UK and Europe with their system for tracking a user’s browsing habits and allowing partner websites to serve up relevant ads, are not the only people in the game.

A recap… Phorm’s WebWise product relies on installing a device in an ISP’s network that ‘sniffs’ individual users’ browsing activity (albeit anonymously), and then, when the user visits one of Phorm’s partner publisher sites, uses the accumulated history to select an appropriate ad to show. For example, if the user had been looking at motoring websites recently, they might see an ad for cars, whereas another user who looks at sports sites might see an ad for sports coverage on pay TV.

The benefits claimed for various parties are thus:

  • This ad will be more relevant to the user than a default ad would be, thus enhancing the user’s experience and annoying them less – people’s tolerance for relevant ads is higher than their tolerance for irrelevant ones
  • An anti-phishing filter is built-in (not sure how this integrates with the rest of the service)
  • A more relevant ad should provide a better click-through and conversion rate for the advertiser, increasing their ROI
  • As a result the publishers of the website on which the ad was shown should get a better return on their ad inventory.
  • The ISP, normally not party to the advertising model, can start to share in ad revenue
  • Phorm invented it and make money at all stages.

This all seems like a win-win until the P-word is mentioned… Privacy, of course. The whole thing only works when a user’s ISP collects data about them and allows other parties to access this data. Depending on your sensitivity to online privacy issues, this is somewhere on the scale from innocuous to the work of the devil. Phorm’s initial ISP customers in the UK (BT Retail, CPW and Virgin Media) have indicated that they’ll provide the ability for a user to opt out of using Phorm, but since many won’t even notice it’s there, privacy campaigners have suggested that the whole thing should be opt-in instead… this would mean a significantly lower penetration for all parties and perhaps make the whole thing unviable. The ISPs will be very sensitive to anything that might cause their users to consider churning to a rival service.

Phorm’s response to the privacy issue is robust; they’re confident they don’t breach any privacy legislation and are pushing ahead.

So, back to the plot… Phorm are not the only players in this area, and not the only ones causing controversy, either. In a Wired article, Ryan Singel writes about a plan by Charter Communications, one of the largest US broadband providers, to roll out technology from NebuAd. This appears to be similar to Phorm’s product. Charter’s plans have already come to the attention of 2 high-profile Congressmen, as reported elsewhere on Wired, who are not going to be fobbed off with anything less than cast-iron guarantees of user privacy and compliance with relevant US legislation. The Congressmen’s question centres around the nature of a user’s consent to the service. Just like Phorm, the Charter/NebuAd scheme offers an opt-out to each individual user, although there appears to be confusion about the technical nature of this: NebuAd’s opt-out page tells the user that they have to accept an ‘opt-out cookie’, and by the nature of cookies, some part of the user’s traffic has to have hit a NebuAd server before they can act on it. So what is the user opting out of? Certainly the display of targeted ads, but the privacy issue is around the collection and sharing of data, and the jury’s out on that part.

Users have been shown targeted ads for years – a large site selects ads based on its own knowledge of the user’s behaviour on that site. A site which is a member of one of the large ad networks allows the network to track users with cookies to help target ads. Google shows ads related to the search terms you typed, and AdWords ads based on the content of the page you’re looking at. Gmail shows you ads based on the content of your email inbox. None of this is new. But what’s different here is the collection of data within the ISP network, without the explicit consent of the user, and sharing with unknown parties. It’s probably the way of the future – it’s not going to get un-invented, but it’s not going to be deployed without a fight.

May 18, 2008 at 9:54 am
