The problem there is (and it’s huge) is that Phorm and BT did not comply with privacy law in my opinion and BT specifically allowed Phorm to assign a cookie to personally identifiable information. This in essence is why the EU is taking them to court.

If however I am tracking you via website code and see your IP it means nothing. Even if I found out which company, network or ISP your IP is assigned to it still means nothing. It is unidentifiable. I don’t know who “you” are. I only know what your IP address has done on the website I’m tracking. It’s impossible for me to identify you as a person unless you give me permission.

Now this in my view is where people get confused about what is tracking marketing activity and what is or should be illegal.

Ethical web marketers aren’t interested in what you as an individual do, they’re interested in what behavior everyone who visits their site exhibits. The only time “you” become interesting is when “you” through your own actions give us permission to market to you specifically.

The big difference is that Phorm have assigned an ID to IP addresses that BT has given Phorm permission to become identifiable WITHOUT your permission. In my view this is illegal, wrong and prosecutable.

Please also read the follow up to this post linked to in comment 19.

Take a look at this article

Well have you considered that the Phorm kit makes use of redirects as an integral part of it’s operation? In order to read and manipulate cookies accross domains, the Phorm system redirects users up to three times per request.

Would it not be a rich target for cyber criminals to hack the phorm system so that non-encrypted requests to online banks are quietly diverted to phishing sites? These could then provide a link to the “secure” online banking that would of course have a valid certificate but would not be the right domain. Rich pickings for cyber criminals.

I have spent nearly 7 months researching Phorm, from before launch was announced, liaised with many people regarding the technology and I find it worrying you are making these statements when to all the technologists I’ve met agree that the system is intrusive and open to abuse in several ways.

Firstly on the DPA point. If BT have not acted transparently and did not seek permission for the trials or trial with folks who were opted in to Webwise already then they have clearly broken the law and as I already commented should be prosecuted to the full extent of the law. I agree on that and find it incredibly stupid of BT to undertake an operation like this after seeking legal advice as they stated.

I defer to the legal analysis of Nicholas Bohm and retract (though I’ll leave the full original post here for the record) my previous comments. I now agree that a full investigation should be carried out.

If laws have been broken then I agree with you that BT should be prosecuted on your second point for all the reasons you mentioned.

My understanding without any evidence to the contrary (indeed the Home Office/ICO seemed satisfied) was that section 18 of Nicholas Bohms’ document was satisfied. I refer to this section:

“RIPA s3 is relevant to whether that interception can be lawful. RIPA s3(1) makes it lawful if the interception has the consent of both sender and recipient (or if the interceptor has reasonable grounds for believing
that it does).”

My understanding based on your document was that this was satisfied by getting consent from both the consumer and the advertising network.

You then suggest that the secret trials in 2006 didn’t break the law because BT are nice chaps really. Unfortunately despite their inherently sunny disposition, they quite clearly broke the law on interception back then, exactly as they will in future trials. Furthermore, because they didn’t seek any permission, then even on your analysis, they infringed the Data Protection Act.

You say it will be a waste of money to prosecute BT. I disagree. We generally expect large companies to obey the law, and generally they do. However, when they so obviously flout multiple laws in search of financial gain, then as a simple matter of public policy it is important to ensure they are taken to court. The punishment is not the relevant issue: it’s the “to encourage the others” aspect that makes it essential to make an example of them.

You’re also mistaken about the way the police tackle child molestors. Furthermore,the DPA has limited relevance and it’s the Regulation of Investigatory Powers Act that applies.

Finally, you’ve clearly read my technical material on Phorm. You should also read FIPR’s legal analysis:
http://www.fipr.org/press/080423phorm.html

https certificates are issued by 3rd parties such as Verisign.

You should read this :-

http://www.theregister.co.uk/2008/06/13/security_giants_xssed/

The manner in which they [b] have used the information is different [/b],
they aren’t using it to specifically serve ads to people, they use it to show Internet demographical and behavioral patterns but their panel sizes are similar and similar data is aggregated.”

ohh yes, “Hitwise” now owned by the No1 Uk Credit Reference Agency (CRA)
[b]Experian [/b]
( the largest of the 3 main ones) used for every single check any company in the world makes on YOUR Credit and related scores.

the very same CRA that all the Banks, BS’s and Broadband companys use, the so called 3B’s that keep the UK’s data flowing and feed YOUR *private* data , (note thats Provate NOT just personal) data into the corporate money making machine….

you might not have know this but “Experian” the CRA also use Deep Packet Interception devices, and hope to also install this same DPI in the ISPs internal UK wide networks (if they havent already..)

so YOU can look forword to having all your most interesting intercepted internet datastreams and their “derivative works” appearing in your Credit Reference file’s sooner than you might think.

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article3688387.ece
Experian to track net users.

yes you have an interesting POV, you as an industry person know, and can sense a good thing when you see it OC, and again , if no case has come up in the courts to be challenged that too makes it fine, its legal.

stanford too has that same keen sense , you know of him i assume ?, a well respected high ranking Uk Top Executive that couldnt be touched as he had the gift

‘Stanford was the founder of the ISP Demon Internet in 1992 but sold it to Scottish Telecom for £66
million in 1998.

It is reported that Stanford made £30 million from the acquisition. Shortly afterwards Stanford was a co-founder of the co-location and data centre company Redbus Interhouse…..”

http://www.lawdit.co.uk/reading_room/room/view_article.asp?name=../articles/Cliff%20Stanford.htm