<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Office of the Privacy Commissioner - Deep Packet Inspection &#187; Phorm</title>
	<atom:link href="http://dpi.priv.gc.ca/index.php/tag/phorm/feed/" rel="self" type="application/rss+xml" />
	<link>http://dpi.priv.gc.ca</link>
	<description>Essays on Deep Packet Inspection</description>
	<lastBuildDate>Tue, 04 Oct 2011 15:22:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>Objecting to Phorm</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 20:09:55 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[FIPR]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Phorm]]></category>

		<guid isPermaLink="false">http://172.16.1.101:8888/?p=44</guid>
		<description><![CDATA[Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>Imagine the postal service steaming open your letters so that they could scan the content, work out your interests, and then deliver a better class of junk mail. Most people would be horrified, yet some of the UK’s largest ISPs are planning to do something even more intrusive. They will capture the details of all the online searches you make, all of the web pages you visit – solely to serve up targeted online adverts. This isn’t happening for some altruistic aim of making adverts more relevant, but because the ISPs will get a cut from the advertising revenue, and Phorm, the technology vendor involved, will charge advertisers extra for delivering up an especially receptive audience.</p>
<p>You might think that “there ought to be a law against it” – and you’d be right. Analysis by the Foundation for Information Policy Research (FIPR) shows that the complicated way in which the Phorm system works means that the ISPs will commit criminal offences, and could also face civil litigation for the unauthorised processing of copyrighted material.</p>
<p>The Phorm system snoops on all web page requests, and in particular it picks out the search terms used on Google and other search engines. The system also monitors the contents of any web pages visited, looks for the commonest words, and tries to discern what the pages are about. This works up to a point – early search engines used similar schemes – but isn’t especially accurate. Accurate or not, a distillation of this information is matched against advertiser word lists: for example, if “flight” and “hotel” appear, then perhaps you’ll be a sucker for a travel advert. If so, then when you next visit a participating website, the adverts won’t be random but will have a travel theme to them – with the highest bidder getting to put their message in front of you, and the ISP getting a back-hander for participating.</p>
<p>However, UK criminal law calls snooping on web traffic “interception” and can send you to prison for it. There are statutory defences for the ISP (or indeed the postal service) looking at traffic for operational purposes (so your mailman can look at the address on the envelope), but this is irrelevant because it isn’t an ISP operational matter to deduce whether or not you’re a travel junkie.</p>
<p>The ISPs involved with Phorm will obtain the permission of their customers to be snooped upon (albeit this permission is rather an afterthought, and early trials didn’t bother with such niceties). Unfortunately for the ISPs, in the UK this is necessary but not sufficient, because interception is illegal unless BOTH ends of the communication give permission. This is a fundamental (and clearly intentional) change made by Parliament in 2000 from the previous one-sided regime. What’s more, the 2002 EU “Directive on Privacy and Electronic Communications” also makes it clear that both ends’ permission is needed.</p>
<p>As it happens, the two-sided requirement gave the legislators several headaches, and so there are special provisions to permit the police to listen in to a kidnapper&#8217;s ransom demand, and secondary legislation sets out “Lawful Business Practice” to permit stockbrokers to record their instructions, and call centres to perform quality monitoring. None of what the ISPs intend will come under Lawful Business Practice.</p>
<p>Readers may be surprised to have got this far without any mention of the UK’s Data Protection Act 1998 (DPA). It is relevant, in that the Phorm system will regularly be processing “sensitive” personal data and must therefore arrange for an informed opt-in. However, not much more of the DPA will apply because Phorm has carefully designed its systems to evade the provisions of the Act – and providing pseudonyms for users in the form of unique identifiers gets them an awfully long way.</p>
<p>But the real reason the DPA is scarcely relevant is that people’s outrage at the system is expressed in the language of privacy, and there is a significant difference between “privacy” and “data protection”.</p>
<p>When the taxman looks at your financial affairs, they trample all over your privacy, but their systems are completely DPA compliant. Likewise, the Phorm system may learn that someone they know of by an opaque identifier is fascinated by the prospect of travelling to Israel, and they will stay within the letter of the DPA law. However, they&#8217;ve learnt something very private about that user’s opinions. If that user were a Saudi Arabian student studying in the UK, subsequent serving of targeted adverts, and the information thereby revealed, could lead to embarrassment or much worse.</p>
<p>The bottom line for me, when I consider the Phorm system, is that having ISPs snoop into the personal lives of their customers for a trivial financial gain is inherently objectionable. It is simply not what ISPs should be doing. That the system turns out to infringe a number of laws should simplify blocking its deployment; it&#8217;s not the reason that it has to be stopped.</p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Badware and DPI</title>
		<link>http://dpi.priv.gc.ca/index.php/essays/badware-and-dpi/</link>
		<comments>http://dpi.priv.gc.ca/index.php/essays/badware-and-dpi/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 12:00:52 +0000</pubDate>
		<dc:creator>Office of the Privacy Commissioner Of Canada</dc:creator>
				<category><![CDATA[Essays]]></category>
		<category><![CDATA[Badware]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[Inspection]]></category>
		<category><![CDATA[Packet]]></category>
		<category><![CDATA[Phorm]]></category>

		<guid isPermaLink="false">http://172.16.1.101:8888/?p=63</guid>
		<description><![CDATA[That the system is designed to keep the data anonymous is not sufficient. A user should know about the data being collected and shared and decide for herself whether the companies in question can be trusted to keep their commitment to anonymity.]]></description>
			<content:encoded><![CDATA[<div class="creativeCommons">Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" target="_blank">Creative Commons Attribution-Noncommercial-Share Alike 3.0<br />
Unported License</a></div>
<p>For the past few years, StopBadware has been leading a community-based effort to develop and update guidelines that define badware and to hold software producers publicly accountable when their applications violate these guidelines. As the definition has evolved, it has come to include a superset of software that includes traditional malware (viruses, Trojans, etc.), certain types of adware and spyware, and even some mainstream applications. The common thread that binds all of this badware together is a failure to give the user control. This lack of control—over a user’s computer, his personal information, and/or his online experience—threatens the user’s privacy and security.</p>
<p>Unlike the software that we typically review at StopBadware, the new breed of deep packet inspection (DPI) advertising products are not applications that are installed on a user’s personal computer. Instead, they are elaborate systems set up by the product’s creator in collaboration with an ISP. All of the software and hardware exist “in the cloud.” That said, the system has a direct impact on the user, her computer, and her personal information, so it seems reasonable that the same basic principles of user control—even if implemented differently—should apply.</p>
<p>Using an analysis of Phorm<sup>[<a name="id1">1</a>]</sup>, one such system, as an example, let’s look at how these DPI advertising systems can affect the user:</p>
<ol>
<li>Advertisements displayed to a user by participating websites are targeted to the user based upon the user’s browsing history.</li>
<li>The history of web pages the user visits and the content she sees on those web pages are logged by the ISP and connected to a unique identifier associated with that user’s computer/browser.</li>
<li>That same information about the user is sent, semi-anonymized, by the ISP to the advertising system provider.</li>
<li>Some of the user’s web browsing sessions are intercepted and diverted to the advertising system’s servers without the user’s knowledge.</li>
<li>The cookies stored on the user’s computer by websites that she visited are modified by the advertising system, which pretends to be the website that the user was actually trying to visit.</li>
</ol>
<p>Where are the points at which it is reasonable for a user to have control? It is probably reasonable to discount the first point, regarding the user’s experience of seeing targeted advertisements. While the method of targeting (see points two through five) may be of concern, the typical user is unlikely to care how a website decides which ads to display when the user visits the site.</p>
<p>Points two and three involve the disclosure of information a user might consider personal—what sites am I visiting and what am I reading about on those sites—to parties the user might not expect to be receiving that information. That the system is designed to keep the data anonymous (when the system is functioning properly and not being abused by staff of the ISP or the advertising company) is not sufficient. A user should know about the data being collected and shared and decide for herself whether the companies in question can be trusted to keep their commitment to anonymity.</p>
<p>The fourth and fifth points raise a different type of trust question: can you trust your ISP to deliver traffic between your computer and another computer on the Internet unimpeded? It seems like a reasonable expectation that, while an ISP may route traffic in various ways, it always delivers that traffic to its intended destination. One can argue about whether such interference by the ISP should be permissible even with user consent, but it at least seems clear that users should have control over a decision that fundamentally changes the ISP’s role.</p>
<p>It should now be clear that the same principles of user control that apply to local applications should also apply to DPI advertising systems, given the significant impact these systems have on the user. At a minimum, this would require ISPs implementing such a system to provide full, accurate, clear, and conspicuous notice to the user in plain language and to receive affirmative consent from the user prior to the system’s use. The challenge, albeit a necessary one for ISPs considering such a system, will be to make the disclosure clear enough that it sets the user’s expectations accurately while still being understandable to a typical user. The vast majority of reputable software producers have risen to this challenge for their products, and we expect the same respect for user control from ISPs.</p>
<hr /><p><sup>[<a name="ftn.id1">1</a>]</sup> See <a href="http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf" target="_blank">http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://dpi.priv.gc.ca/index.php/essays/badware-and-dpi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

