Critique of the ICO's 31st May 2008 response
to complaints about the BT Pagesense/ Webwise/ Phorm Trials

 
At the end of May 2008, the Information Commissioner's Office told Stephen Mainwaring, whose web browsing was tapped and profiled during the 2007 trial, that it would not pursue BT over alleged breaches of the European Privacy and Electronic Communications Regulations (PECR).

The following week, the BT Paper describing the 2006 Pagesense/ Webwise/ Phorm Trial was leaked to activist Alexander Hanff.

Here is a critique of the Information Commissioner's response in the light of the leaked document and other publicly available material.

 

ICO: BT have explained that two technical tests of a prototype advertising platform were conducted in 2006 and 2007. They have informed us that these tests were designed to evaluate the functional and technical performance of the platform. BT have confirmed that they sought their own legal advice before both trials.

Question 1: Has the ICO asked BT who provided this legal advice, asked what was in it and determined whether it was bona fide?

 

ICO: Where a purely technical trial is conducted that, in BT's view, is likely to have little or no impact on customers, they have advised that they would not generally seek consent from customers.

The first success criterion of the 2006 trials indicated that their purpose was to determine whether the installation, integration, and use of Pagesense/Webwise/Phorm would be transparent to customers. (Leaked report page 10, section 3.1, requirement 1.1). The success criterion for this was "No customer calls to helpdesk related to installation, integration & use compatibility issues of PageSense application with other applications".

So it appears that, at least in the 2006 trial, BT expected that problems could arise and had set up the trial to measure them.

Question 2: Will the ICO explain why they agreed that BT could act without consent from their customers when such problems were foreseeable, quite apart from the fact that without such consent (and probably even with it) the trials were illegal under the Regulation of Investigatory Powers Act 2000?

 

ICO: As they did not anticipate the trials would cause customers problems they did not brief their customer service helpdesks about them (hence the problems you experienced in getting advice from them at the time).

Although BT claim they did not brief their helpdesks, they clearly did monitor calls during the 2006 trials: 15-20 triallists identified the presence of the system and had a negative reaction. (Leaked report page 4, Executive Summary, Point 1).

Question 3: Will the ICO ask BT to explain how they identified these 15-20 users in the 2006 trials?

 

ICO: BT have told us that they did not associate your enquiry with the 2007 trial and as they were not able to identify individual customers that had participated (because of the anonymity of the process) . . .

Pagesense/ Webwise/ Phorm must be able to identify users in order to serve advertisements to them; it cannot operate without this basic information. BT appear to have been aware of the IP addresses of the triallists in the 2006 trial. (Leaked report page 45, under the heading "IP addresses seen through the Proxy Servers", obscured in the leaked copy of the document but present in the original). For the 2007 trial, IP addresses could have been collected as advertisements were served, had it been decided to do this.

Question 4: Will the ICO explain their statement that BT "were not able to identify individual customers that had participated" in the 2007 trial, when Pagesense/ Webwise/ Phorm cannot serve advertisements without knowing who to serve them to?

 

ICO: . . . they were unable to get back to you. They have advised that they attempted to contact you after you had expressed concerns online at 'The Register' however they were apparently not successful.

Stephen Mainwaring says that BT logged support, abuse, and customer service records in his name and was always available to be contacted. In his own words: "Was the line constantly engaged? Did they not know my phone number or address? I was a god damn BT customer! Of course they had my contact details."

Question 5: Why has the ICO accepted BT's assurances apparently without question when they appear to contradict the triallist's experience?

 

ICO: Finally, BT have confirmed that no personally identifiable information was processed, stored or disclosed during either trial. We have no reason to doubt this assertion. Where no personal data is processed the Data Protection Act will not apply.

Data in the 2006 BT trials was processed at sysip.net, a domain operated outside the BT network, and indeed outside the EU, by adware company 121media, who were not at the time listed in the US Safe Harbor agreement, and who were not registered with the UK Information Commissioner.

We have only BT's assurance that no personally identifiable information was processed.

Question 6: Why does the ICO accept BT's assurances that no personally identifiable information was processed, stored or disclosed during either trial when there would have been no point in carrying out the Pagesense/ Webwise/ Phorm trial without doing just that?

 

ICO: As we discussed when we spoke, the issues that we have considered in this case relate primarily to the requirements of Regulations 6 and 7 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Regulation 6 requires that where an organisation is using an electronic communications network to store information, or gain access to information stored, in the terminal equipment of a subscriber or user, the subscriber or user should (in most cases) be provided with 'clear and comprehensive' information about the purposes of the storage of, or access to, that information, and the opportunity to refuse the storage of or access to that information. In other words, if an organisation collects information using cookies they have to tell people about that, and advise them how to prevent them operating.

. . . however it is our view that Regulation 6 would be likely to apply. BT's view is that as the 2007 trial was small scale and technical in nature and no adverts were served, it would have been difficult to frame any advice for customers about the operation of cookies, and obtain any relevant consents for the processing of traffic data, with a wording that would have any resonance at all for their customers.

The leaked BT report states that the 2006 trials of Pagesense/ Webwise/ Phorm involved a userbase of approximately 18,000 customers with a maximum of 10,000 online concurrently. The document states that the planned userbase for their phase 2 testing (presumably the 2007 trials) was 350,000.

Question 7: How big does the level of interception have to be before the ICO will act?

The leaked BT report lists 18 third party websites on which advertisements were purchased for the two week ad serving phase of the 2006 trial (Leaked report page 7, section 1.2).

Question 8: Given that adverts were served in the 2006 trials, will the ICO now change their opinion on the lack of advice from BT to its customers?

 

ICO: Our view is that, whether or not there was a technical breach of the Regulation, there is no evidence that the trials generally involved significant detriment to individuals involved (although we acknowledge - as have BT - the problem you flagged) or privacy risks to individuals.

Question 9: Given that Stephen Mainwaring could demonstrate loss of business time, distress and anxiety, loss of income and also extra expenditure for his business, why did the ICO dismiss his complaint?

The trials involved interception, reading, recording and in some cases alteration of messages sent between internet users and the websites they accessed. Data in the BT trials was processed outside the EU, by a third party, 121media, whose products were categorised as malware by at least three reputable anti-virus companies.

Privacy laws exist precisely because the detriment of intrusion is not always measurable in purely economic terms.

Question 10: Will the ICO explain whether they are now only interested in cases where economic loss can be demonstrated?

 

ICO: On this basis, and taking into account the difficulties involved in providing meaningful and clear information to customers (the vast majority of whom were likely to be completely unrelated to the anonymous technical trial) in this case, this is not an issue we intend to pursue further with BT.

Question 11: Does that mean that the ICO will allow any ISP, telecoms provider or postal service to carry out a similar scheme if its operation is sufficiently opaque?

 

ICO: However, as we discussed when we spoke, I understand you were considering the options available to you in terms of pursuing this matter further yourself. As I mentioned briefly on the telephone, Regulation 30 specifies that a person who suffers damage by reason of a contravention of any of the requirements of the Regulations by any other person can make a claim for compensation for that damage.

If you believe you have suffered quantifiable damage as a result of a breach of the Regulations and are considering pursuing this matter you should seek your own legal advice.

The Information Commissioner's Office is the main body identified by the Home Office for the monitoring and enforcement of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Question 12: Why is the ICO unwilling to uphold these two laws for which it has responsibility?