Eighteen Questions for Phorm from a BT Customer
Dear Mr Ertugrul
I read in the press that you are willing to answer any questions that are asked of you.
Here are a few questions I have been seeking answers for over a period of many months, so far, with no success. Perhaps you could oblige me with a reply. I am also sending a similar letter to my ISP (which is BT) to see if they are willing to be more forthcoming as well. Your answers, or lack of them, will form a significant part of any representations I make to regulators and legislators, whom I shall be meeting with in coming weeks.
I would hope to publish your reply on the internet, unless you indicate to the contrary (with personal details removed) and will also forward it to the ICO and parliamentarians, as an indication of the willingness of Phorm and their partner ISPs, to engage with the public as you have indicated you are willing to do, and as the ICO has in fact requested you to do.
1. Are Phorm committed to an opt-IN model where ISP users who do nothing about Webwise/Smartweb, will not have any of their internet traffic intercepted or redirected, by Phorm-supplied, Phorm-programmed DPI kit, whether that kit be within the ISP network, or part of Phorm's own network equipment?
2. How do Phorm propose to obtain consent from 3rd party webmasters around the globe, for the commercial exploitation of website intellectual property, in compliance with copyright, database and trademark legislation in each country around the world? In default of obtaining such consent, what plans do Phorm have for informing webmasters around the world, in the various global languages that are represented on the web, about the proposed interception of the confidential unique and personal communications between them and their visitors? In particular, how will UK website owners, whose websites are visited by customers of Korea Telecom, be informed of Smartweb trials by Korea Telecom, prior to their website content being exploited for commercial gain (and similarly for any other global implementations of Phorm DPI technology with further global ISPs)?
3. Have Phorm discussed with Google, and any other search engine, the Webwise insistence that webmasters must either block Google, or ALL search engines, with an appropriate robots.txt statement, if they want to use robots.txt to exclude Webwise/Smartweb?
4. On what interpretation of copyright law do Phorm base their understanding that they have a right to copy, profile, and make derivative works, from website content without consent? For example, from websites like Ryanair, and Associated Press?
5. What is Phorm's understanding of trademark law, with respect to the use of registered 3rd party trademarks as part of the name of Webwise/Smartweb cookies? Have Phorm discussed this matter with Trading Standards officers who are responsible for the enforcement of trademark legislation?
6. How do Phorm propose to recognise the private nature of web pages such as Facebook Friends pages, which use cookie based (rather than HTTP RFC 1945) authentication to protect their content, given that Dr Clayton's technical analysis of Phorm technology makes it clear that Phorm currently have no method for recognising password protected pages that use cookie based authentication rather than HTTP based authentication (Clayton report - paragraph 37, dated 18th May 2008)?
7. Do Phorm accept that a Phorm UID is personal data which identifies an individual? (EU Consumer Affairs Commissioner Kuneva says: "The current work on privacy has concentrated on eliminating personally identifiable information such as name or IP addresses from the public domain," she said. "Consumer policy needs to go beyond that and address the fact that users have a profile and can be commercially targeted based on that profile, even if no one knows their actual name.")
8. Will Phorm submit an anonymised Webwise/Smartweb/PageSense data set to independent researchers for testing and attempted de-anonymisation, according to the model recently researched by Narayanan and Shmatikov? (See De-anonymizing Social Networks and How To Break Anonymity of the Netflix Prize Dataset.)
9. How will Phorm respond if an ISP customer submits evidence of their personal unique Phorm UID and makes a DPA subject access request for details of the information held against that UID?
10. How do Phorm propose to defend themselves against a charge that Webwise/Smartweb is guilty of diversion of trade as in the case Voyageurs du Monde, Terres d'Aventure v. Google, TGI Paris, 1/7/09, which case is currently headed towards the Paris Court of Appeal?
11. How do Phorm suggest enquirers obtain answers about DPI practice, when Phorm currently refers all such questions back to partner ISPs who are unwilling to discuss the matter?
12. How many ISPs are firmly committed to a commercial rollout of Webwise during 2009, and where are the most recent public statements from such ISPs, to that effect?
13. Do Phorm consider that they should engage directly with consumers as their larger competitors for advertising revenue do (e.g. Facebook), and how do they feel about the ongoing refusal of any of their UK ISP partners to engage directly with their customers on the subject of Webwise/Smartweb?
14. Can Phorm describe the creative process that led to the design of the Phorm logo, and explain its similarity in both typeface and layout, to that of the logo of http://www.phormdesign.co.uk/ 'Phorm Design' of Sheffield, UK?
15. Why did Phorm never allow the publication of official video footage of the 2008 Town Hall meeting even though it indicated, via 80/20 Thinking, that such video footage would be made available? ("Please note: we have arranged for this meeting to be professionally filmed. The entire event will be placed unedited on the Web shortly.")
16. You have offered access to a DPI "Hans Blix" type inspector. Dr Richard Clayton has already examined your technology and found it wanting but you do not appear to accept his findings. Who else did you have in mind and when can they start, and what will they be given access to? Would you be willing to allow researchers Narayanan and Shmatikov to test the anonymity of your data? "They said they would gladly welcome a UN weapons 'Hans Blix'-type inspector who could verify their promise of anonymity".
17. Phorm have, prior to their registration with the ICO, received Personally Identifiable Information about BT customers from BT, due to their being involved in answering questions submitted by members of the public via the BT Webwise information pages. This was despite BT having given customers emphatic repeated reassurances that the BT Webwise process did not involve Phorm receiving ANY customer PII. The ICO have indicated that Phorm were acting in this respect merely as data processors for BT. What was the process of competitive tendering entered into by Phorm for this straightforward data processing contract, when did it take place, and was it completely separate from other contractual arrangements relating to Webwise? If BT were using Phorm merely as a data processor why were Phorm chosen, rather than the company who process other customer request forms (who subsequently took over the role once Phorm's covert involvement in answering BT Webwise customer enquiries had become public)? When Phorm ceased the role of data processor for BT, following complaints by customers to the ICO, was any financial adjustment made between Phorm and BT, to reflect the loss of this entirely independent data processing contract?
18. Did Phorm, as 121Media, collect or control data relating to members of the public prior to 2008 as part of its commercial business activities, and was any of that data made available to 3rd parties in connection with targeted advertising or for any other commercial purpose?
I look forward to receiving answers to these questions, in fulfilment of the undertaking made by Mr Ertugrul at the 2nd Town Hall Meeting on April 7th 2009.
BT Customer
April 14th 2009