Freedom to communicate is at risk
BT and two other ISPs are planning to partner with a former malware company to intercept, read and analyse nearly everything you do on the internet
For more than a century and a half we have relied on the Royal Mail to carry our letters and parcels without interfering with them.
Imagine if Royal Mail installed machines at every sorting office to open mail and read its contents in order to decide what junk mail to send the senders or recipients.
Suppose people were told that this was a good way to improve the relevance of the junk mail they received and that this would also virtually eliminate fraudulent letters, but were not told that all their letters were going to be read or that there were other equally good ways of preventing mail scams.
Suppose people were allowed to opt out, but nevertheless letters to and from them passed through the machines anyway.
Sounds far-fetched? This is exactly what BT and Phorm did with tens of thousands of home computer users in 2006 and 2007. They are now proposing to do this with nearly every word of nearly every website every user visits as well as nearly all the data users send to websites. Phorm plans to use this information to enable companies which are also signed up to the scheme to target their advertising.
BT is spinning this as a benefit, calling it Webwise. Two other Internet Service Providers, Virgin Media and Carphone Warehouse (Talk Talk), are also proposing to offer their own versions of this scheme. Yet Phorm was formerly adware company 121media. Its software was identified as malware by major anti-virus companies: F-Secure and Symantec (Norton) categorised it as spyware and Computer Associates categorised it as a hijacker.
The Information Commissioner's Office has ruled that BT must get express consent from users. The ICO has told BT and Phorm that if the scheme goes ahead, users should have to expressly opt in to be part of it. The ICO is also keeping the scheme under review.
However, current proposals indicate that users will have to take action to avoid opting in. They will have to expressly place a 'cookie' on their computer or alternatively block traffic to specific websites. This sounds much more like an 'opt out' than 'opt in'.
Moreover, users who consent to the scheme may not be fully informed about its implications. BT will promote Webwise as improving the quality of the advertising received and providing warnings when fraudulent websites are accessed. For consent to be fully informed, BT should also disclose with equal emphasis that nearly everything an opted-in user sends to and from websites will be intercepted, read and processed. BT should also highlight that the function to provide warnings about fraudulent websites is already provided by the latest versions of the free web browsing software used by more than 90% of UK computer owners.
Web traffic for opted-out users would still be intercepted, just not read. This presents opportunities for abuse from within the Internet Service Providers and Phorm itself, and more alarmingly from external hackers and fraudsters. For this reason, if the scheme goes ahead, many technically aware people are considering moving to Internet Service Providers which have committed to not intercepting web traffic.
The right to 'opt in' applies equally to website owners. Website owners have a right to communicate with their users without interception unless they expressly give their permission. For example:
- A bank should have confidence that sensitive financial information will not be intercepted on its way to a customer.
- A retailer should not have to worry that orders from its customers will result in them receiving advertisements from competitors.
- Government agencies, such as the Passport Office and DVLA, should know that their web-based communications with citizens are kept confidential.
Laws are in place but they must be enforced
The proposed scheme is almost certainly illegal under existing UK and European legislation. The main laws are the Regulation of Investigatory Powers Act 2000 and the Data Protection Act 1998, but several other UK and European laws and directives may apply. In addition, the scheme increases online risks and is unpleasantly intrusive.
So join us in making sure that:
- The Internet Service Providers who are considering this scheme are made aware that their customers object to it and may take their business elsewhere if it goes ahead.
- BT is brought to account for its trials of the scheme in 2006 and 2007 in which the consent of tens of thousands of users was neither requested nor given.
- The lawfulness of every aspect of the scheme is fully reviewed by the Home Office and the Information Commissioner's Office before it is piloted and certainly before it is rolled out.
In the event of any trials going ahead or a full rollout of the scheme, fully informed consent must be obtained from users who opt in; web traffic for opted-out users must not pass through any equipment used for intercepting communications; and traffic to and from websites must not be intercepted unless website owners have expressly opted in to this scheme.