What's this all about?
In 2006 and again in 2007, UK internet service provider BT tested a system which secretly intercepted and read communications between tens of thousands of their broadband customers and the websites they visited. They did not ask their customers or the websites they visited for permission to use their private communication data in this way.
The purpose of this system was to profile users in order to customise advertisements for them. This would be like the Post Office opening and reading your letters to decide which junk mail they should send you.
In 2008 they ran a third trial, branded as 'Webwise'. This time they asked their broadband customers whether they wanted to participate. But they didn't tell them that if they did, all their web activity would be read. Nor did they ask the permission of the websites they were visiting.
Who else was involved?
The technology was provided by a company called Phorm. Phorm planned to provide both the equipment to read online activity and the exchange to present advertising to users based on the websites they visited.
As well as BT two other UK internet service providers, Virgin Media and TalkTalk, signed exclusive agreements with Phorm.
Was it lawful?
To work, Phorm has to carry out an interception, and under UK wiretapping law the consent of both parties has to be obtained unless the interception takes place for purposes connected with the provision or operation of that service. In this case, the two parties are the user and the website, which may have customised a page specifically for that user. Phorm has to process the data it has intercepted, which may also require specific user consent. And Phorm's use of the data may infringe the copyright of the websites whose pages have been intercepted - not everything on the Web is free for reuse.
So what was done about it?
The UK's Information Commissioner ruled that a "technical" breach of the law occurred in BT's 2006 and 2007 trials. They also stated that they had strong reservations about the nature of the explanation provided for participating in BT's 2008 trial, largely because it concentrated on security advantages rather than on the targeted advertising. However, they took no action.
In August 2008, the City of London Police started an investigation. In November 2008, the case was moved to the Crown Prosecution Service Complex Casework Centre. Some 900 days later, on 8th April 2011, the Crown Prosecution Service announced that they would not be prosecuting BT or Phorm. However, on the same day, the UK Government announced changes to the relevant legislation (RIPA, the Regulation of Investigatory Power Act) to come into force on 29th April 2011. These repealed the condition that conduct could be lawful if the interceptor had 'reasonable grounds for believing' that consent had been granted. They also provided that the Interception of Communications Commissioner could levy fines of up to £50,000 on those unlawfully intercepting communications.
In April 2009, after a series of complaints by UK internet users and extensive communication between the European Commission and UK authorities, the Commission opened an infringement proceeding against the United Kingdom about the use of Phorm by internet service providers. At the end of September 2010 the Commission initiated legal action against the UK Government contesting that the UK was failing to meet its obligations under the Data Protection Directive and the ePrivacy Directive.
Surely people wouldn't accept it?
A widespread campaign developed initially driven by the Open Rights Group and the Foundation for Information Policy Research. A new movement, NoDPI (No Deep Packet Inspection), sprang up to draw together opposition to Phorm and systems like it.
- Ran a Downing Street petition which reached well over 20,000 signatures.
- Sought prosecution against BT and Phorm for illegal interception, computer misuse, fraud, data protection offences and copyright abuse.
- Organised a House of Lords Round Table chaired by Baroness Miller of Chilthorne Domer, with Sir Tim Berners Lee and Dame Wendy Hall speaking, which gained widespread media coverage.
- Persuaded major websites to ban Phorm - such as Amazon, Nationwide and Wikipedia.
- Lobbied successfully for the EU to take legal action against the UK Government for their failure to implement data protection laws adequately.
- Achieved a change in the relevant UK law (RIPA) removing the excuse that consent can be implied for interceptions of communications and providing further redress for interceptions carried out by companies and other non-government organisations.
So what is happening now?
Congressional hearings in July 2008 also prevented deployment of technologies like Phorm's in the USA. With North America and Europe no longer available to them, Phorm focussed on Korea and Brazil. However, in both countries they have faced delays through ongoing parliamentary hearings.
As of 31st May 2010, Phorm had net assets of $7.8M, and although they raised up to a further $3M by a share placement on 13th July, their operating cash costs - at least in the first five months 2010 - were approximately $2.2M/month, leaving them little time to develop these markets. With their reserves dwindling and no firm prospect of a deployment anywhere, time is running out for them.
Is that all then?
Even if Phorm is never deployed, commercial threats to the privacy and integrity of your use of the Web are likely to increase. Here are some examples.
In November 2009 Virgin Media proposed to use a product called CView to monitor unlawful file sharing, and specifically identify which tracks were being shared. This monitoring would have intercepted and analysed lawful as much as unlawful communications. In January 2010 the EU's Commission for Information Society and Media started reviewing it. In September 2010, Virgin Media confirmed to ZDNet that their plans to deploy CView (or similar technologies) were on hold.
In Summer 2010 for a period of approximately two months TalkTalk covertly monitored web pages requested by their customers, moments later replaying exactly the same requests to obtain the same page content for themselves. Requests for web pages often include personal information, and websites often personalise pages based on this information. The purpose of this 'stalking' appeared to be to identify instances of malware infested sites or sites which should be blocked using parental controls. It is not clear why Talk Talk was unable to use generally available lists of such sites. The Information Commissioner has reprimanded Talk Talk and is continuing to investigate this case. Controversially, the equipment used was from Chinese manufacturer Huawei who themselves refer to Phorm as an element of their interception-based behaviourally targeted advertising solution.
Kindsight offers protection from malware and other attacks but its commercial model includes using deep packet inspection to profile users for advertising. Although they specify a user 'opt-in' for this interception the commercial webistes whose communications are intercepted are not given a choice. As far as we are aware, Kindsight does not yet operate in the UK.
Feeva intercepts communications between users and websites, and inserts information about the user's location. This is then used to customise advertising and services for them. Users of Internet Service Providers where Feeva is active will disclose exactly where they are every time they browse the web. As far as we know Feeva hasn't been deployed in the UK, but Juniper Networks is planning to start selling this technology to Internet Service Providers in the US in 2010.
What should be done?
It's essential that existing UK laws are enforced in respect of all unwarranted Web and Internet interceptions in the UK, otherwise there will be no incentive for companies to obey these laws in the future.
Currently UK data protection lags behind other major European countries, such as Germany. UK laws need to be made clearer, with less fragmentation of responsibility and increased powers of enforcement.
Most importantly, the Information Commissioner's Office, which enforces privacy laws, must become more willing to enforce existing laws using its current powers. Its mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, and it needs to live up to that mission with much more vigour.
What can I do?
If you value the privacy and integrity of the data you send and receive while using the Web, please join the campaign at No DPI. NoDPI is a grass roots movement of internet users opposed to the use of Deep Packet Inspection equipment by Internet Service Providers, and its forums provide the best view on current issues affecting the privacy and integrity of communication on the Web.
The Open Rights Group defends freedom of expression, privacy, innovation, consumer rights and creativity on the internet. It campaigns to change public policy whenever citizens' or consumers' rights are threatened. You can join the Open Rights Group here.
The Foundation for Information Policy Research is the UK's leading think tank for Internet policy. Amongst other activities, it provides an email alerting service publicising events, announcements, consultations and news stories relating to the policy arenas where FIPR operates. The service is available to those who have signed up as friends of FIPR.