Phorm must be "Opt-In"
On 8th April 2008, the Information Commissioner
advised that users should not be opted in to Phorm by default.
" . . . Phorm products will have to operate on an opt in basis to use traffic data
as part of the process of returning relevant targeted marketing to internet users."
"Even if Phorm is not processing personal data, the ISP undertaking the profiling
may be to the extent that it uses IP addresses in that profiling and is able
to link its customers to an IP address although this may not be its intention.
To the extent that personal data is processed that processing must be
fair and lawful in order to comply with the First Principle of the Data Protection Act."
This statement is no longer available on the ICO website, and clarification has been sought over whether this represents an oversight or a change in the ICO's position.
ICO will not act on BT's Phorm Trials
On 30th May 2008, the Information Commissioner's Office
wrote to BT (see page 8 of linked pdf):
"Whilst it does appear that a technical breach of the requirements of the
[PECR] regulations occurred in the 2006 and 2007 trials, there is no evidence
to suggest significant detriment to the individuals involved.
We acknowledge the difficulties you have highlighted in providing meaningful information
to customers about small scale, anonymous technical trials in circumstances like this.
We do not envisage pursuing this matter further."
At around the same time, they wrote a corresponding letter to a user whose web browsing was tapped during the 2007 trial.
The ICO had strong reservations about BT's 2008 Phorm/Webwise Invitation Page
On 17th March 2009, the Information Commissioner replied to concerns raised by a member of the public about BT's trials of Phorm in 2008 (Case IRQ0235827).
"Shortly before this pilot began they sent us a copy of the 'invitation' page on the basis of which customers would choose whether or not to take part in the pilot. We made clear to BT that we had strong reservations about the nature of the explanation provided, largely because it concentrated on security advantages rather than on the targeted advertising."
However, they would not be taking enforcement action.
The reply also referred to "a relatively small-scale pilot involving customers in the Kingston area". This is factually incorrect. The pilot involved BT's Kingston RAS which covers cities as far afield as Glasgow, Belfast, Cardiff and Penzance. It includes Weston-super-Mare, one of the areas where the 2007 trial was first detected by users. The full list of exchanges covered by the Kingston RAS is given in a posting on the Think Broadband forum.
The ICO were not impressed with the Government's No 10 Petition response
In their response to the Home Office Consultation "Protecting the Public in a Changing Communications Environment" the ICO noted that: "the Government have struggled in fully understanding where the ICO regulatory competence begins and ends when it comes to communications data" (See the Government's petition response to the ISP Phorm petition).
In the same response the ICO set out unequivocally their opinion on the responsibilities of Communications Service Providers: "It is vital that individuals are protected by strict and specific provisions being included on the face of primary legislation to limit the purposes for which additional communications data is collected and further processed. There should not be any room for this data being used by CSPs themselves for any other commercial or internal business purposes. Limitations on access and use should be framed precisely and appropriate sanctions should be in place for CSPs who misuse personal data or for their employees where appropriate."