Open Letter to the Information Commissioner

Richard Thomas
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

17 March 2008

Dear Sir,

We understand that you are investigating the targeted advertising service offered by Phorm through co-operation agreements with BT, Talk Talk, Virgin Media and other Internet Service Providers.

The provision of this service depends on classifying Internet users to enable advertising to be targeted on their interests. Their interests are to be ascertained for this purpose by scanning and analysing the content of traffic between users and the websites they visit.

This activity involves the processing of personal data about Internet users. That data may include sensitive personal data, because it will include the search terms entered by users into search engines, and these can easily reveal information about such matters as political opinions, sexual proclivities, religious views, and health.

Users are apparently to be allocated pseudonyms for some of the processing, but at various processing stages the personal data can be linked to the pseudonym, the pseudonym can be linked to the IP address used, and the IP address can be linked to the user. Although we understand that this linkage will not be standard operating practice, it can nevertheless be performed.

Many users will also be identifiable from the content of the data scanned, since it will include email sent or retrieved by users of web-based email, and messages viewable by those authorised to gain access to individual pages of social networking sites.

Although some web-based email systems operate using "https:" end-to-end encryption, which would prevent interception, this is far from ubiquitous. It might be possible for Phorm to configure the service to exclude a handful of the more high-profile web-mail and social networking systems. But there are no available methods of detecting the tens or perhaps hundreds of thousands of other, low usage, often semi-private systems which currently provide web-mail or social networking in chat rooms or similar environments.

Classification by scanning in this way seems to us to be highly intrusive. We think that it should not be undertaken without explicit consent from users who have been given particularly clear information about what is liable to be scanned. Users should have to opt in to such a system, not merely be given an opportunity to opt out. We believe this is also required under European data protection law; failure to establish a clear and transparent "opt-in" system is likely to render the entire process illegal and open to challenge in UK and European courts.

It would be specially objectionable if opting out were to depend on the maintenance by the user of a cookie, since many reasonable users regularly clear all cookies; nor should users be expected to opt out by blocking one or more websites, since many may not understand how to do this or may make errors in trying to do so.

Classifying users by scanning the content of their communications involves interception in the sense of s1 and s2 of the Regulation of Investigatory Powers Act 2000. That is because classification cannot be done without the content being made available to the person doing the classifying. The fact that he does so by the application of machinery which avoids the need for him to read the content is irrelevant -- it is clear, for example, from ss16(1) that material is to be treated as intercepted even before classification or examination and despite the fact that it may not be lawful to examine it.

Interception of communications without the consent of both sender and recipient is an offence under s1. (The exception under ss3(3) -- for things done for purposes connected with the provision or operation of a telecommunications service, which may well permit filtering for viruses and unsolicited bulk email in order to protect the operation of the service -- can have no application to filtering for the purposes of targeted advertising, which is not a telecommunications service offered by the ISPs.)

The explicit consent of a properly-informed user (i.e. one who has been told explicitly that the search terms he uses, and the content of his email and of the social-networking sites he visits, will be among what is used to classify his interests for the purpose of targeted advertising) is necessary but not sufficient to make interception lawful.

The consent of those who host the web pages visited by a user is also required, since they communicate their pages to the user, as is the consent of those who send email to the user, since those who host web-based email services have no authority to consent to interception on their users' behalf.

The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle under RIPA, and it cannot be lightly ignored or treated as a technicality. Even when the police are investigating as serious a crime as kidnapping, for example, and need to listen in to conversations between a family and the criminals, they must first obtain an authorisation under the Act: the consent of the family is not by itself sufficient to make their monitoring lawful.

It has been suggested that web-hosts impliedly consent to the download of their pages, and that it follows that they consent to the interception involved in scanning them for the purposes of classifying the user for targeted advertising services. But even where a web-host does consent to the downloading of his page by a user, we do not accept that this entails any consent to the scanning of that page by a third party.

Moreover, in many cases it is clear that any such consent is expressly or impliedly negatived. In the case of the many pages which are accessible only after registration of the user, access by an unregistered third party is plainly unauthorised (and sometimes expressly prohibited by the conditions under which access is permitted).

In the case of the unlinked web (those pages to which links are not published generally, being provided to closed groups by their host) there is no implied general consent to download, and consent for third party scanning is impliedly negatived by the context.

We therefore consider that even if third party scanning obtains the fully-informed and explicit consent of a user, it simply cannot hope to obtain all the consents necessary from others. It therefore involves unlawful interception; and it therefore cannot comply with either the first or the second of the data protection principles.

Finally, we should mention a note on this subject published by the Home Office in January 2008, of which we assume the Information Commissioner is aware. A senior official of the Home Office has said of this note:

"- the note is not advice, it doesn't claim to be advice, legal or otherwise, it's just a view

-- the note wasn't, and doesn't purport to be, based upon a detailed technical examination of any particular technology."

For the reasons explained above, it is our contention that the conclusions of the Home Office note are wrong so far as they may be thought to apply to Phorm. We hope that the Commissioner will not allow himself to be influenced by them.

Nicholas Bohm, General Counsel
Richard Clayton, Treasurer

Foundation for Information Policy Research