After Phorm was criticized as illegal by many, including FIPR, there are now growing calls by others to make it opt-in instead of opt-out to conform with British privacy laws.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.
ZeroPaid has learned that two entities have joined calls to make technologies like Phorm opt-in instead of opt-out. Phorm is an Internet Service Provider-side technology that intercepts users’ data while they surf the internet and inserts advertisements over top of existing data. Many have criticized the software for breaking privacy laws because, among other things, the technology monitors users’ behavior through a unique identifying cookie that could be controlled by a person, even though Phorm insists that the process is automated and wouldn’t in practice be monitored by a person.
In a press release earlier this month, the Information Commissioner’s Office (ICO) said that, “Even if Phorm is not processing personal data, the ISP undertaking the profiling may be to the extent that it uses IP addresses and is able to link its customers to an IP address within its own systems although this may not be its intention. Phorm assert that the ISPs cannot make any such link using the Phorm products or infrastructure. To the extent that personal data is processed that processing must be fair and lawful in order to comply with the First Principle of the DPA. When considering whether or not the processing in this context is fair the Commissioner takes into consideration the extent to which users are made aware that the processing will take place, any choice that they are able to exercise over whether or not the processing takes place, the ease with which they can object and the effect of the processing upon the individual.”
The ICO concludes, “Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.”
It seems that the ICO isn’t alone. The British Computer Society has also joined calls to make Phorm an ‘opt-in’ system instead of an ‘opt-out’ system. The press release states, “The British Computer Society (BCS) is urging Phorm and other profile-based internet advertising systems, to adopt an ‘opt-in’ approach to help build consumer trust.”
The press release continues:
“For a long-term and beneficial model, it is vital that the public trust advertisers and their ISPs to protect them and their privacy,” says David Clarke, BCS chief executive. “Part of gaining that trust has to be using good practice on consent, and that means asking people to opt-in to use the system.”
“Phorm’s willingness to engage in open public debate on the impacts of their system is to be commended,” continues David Clarke. “Rather than retreating to the bunker, Phorm has faced their critics, and this has helped focus on the real issues rather than the imagined ones. This is an approach we would like to see companies take more regularly.”
In conclusion, David Clarke added, “BCS members involved in work of this kind should think very carefully about the implications of these systems and the BCS professional code of conduct they have agreed to. Failure to abide by that code could lead to expulsion. Members should always be mindful of current good practice such as opt-in, and their duty to the public, as they implement systems like this.”
People including the Open Rights Group raised concern over the technology last month – a move that was supported by the BCS.
ZDNet reports that Phorm said that the process was always going to be an opt-in system. From the report:
The telecoms giant has been investigating methods of recording opt-in or opt-out status that do not require a cookie to be linked to a user’s computer, said the spokesperson.
“We have been exploring a technical solution for opt-out which will not require a cookie to be placed on a customer’s machine,” said the spokesperson. “It will be recognised at a network level.”
Servers that mirror and profile traffic that has been opted-in will be configured so they will not mirror or profile traffic that has been opted-out, said the spokesperson, who declined to give any details before the trial of exactly how the user’s computer would be identified and added that BT had yet to implement the technology.
[Via Open Rights Group]
Drew Wilson on Twitter: @icecube85 and Google+.