[CaptJamieHunter]

OK, here is the final version. Please feel free to use as a base for letters to educate MPs, MEPs, regulatory bodies, businesspeople and anyone with influence about what Phorm really is and how they and BT have acted.

Dear Mr Davis,

I should like to bring to your attention a number of worrying recent developments in the field of internet privacy and of the failure of the Office of the Information Commissioner to investigate what appear to be two clear breaches of the Data Protection Act and Regulation of Investigatory Powers Act by a major communications provider working with an advertising company.

You may already be aware that three major internet service providers (ISPs) have signed agreements with a company known as Phorm to sell to them the internet browsing data of their users as part of a "targeted advertising" scheme.

Computer news site The Register has uncovered a number of disturbing facts about Phorm including its previous involvement in spyware under a different name. Phorm prefer to spin this fact saying they were involved in adware. A cursory look at http://blogs.zdnet.com/Spyware/index.php?p=820, http://www.f-secure.com/sw-desc/peopleonpage.shtml and http://www.f-secure.com/sw-desc/apropos.shtml suggests differently, however.

Phorm make a number of claims about their "product" being "a gold standard in user privacy" but despite being present on The Register, CableForum and a number of weblogs they have failed to openly and honestly answer detailed technical questions and concerns put in the public domain.

The technology which causes greatest concern is that of Deep Packet Inspection and its use by this advertising company. This unit is installed by Phorm - the ISP has no access to it so cannot test, check or verify anything about the unit - and it inspects every packet of data which passes through it.

Everyone who works at home, be they home workers, members of Parliament, judges, would find their data being subjected to the kind of inspection only intended for law enforcement activities and which normally would only ever be available to a judge following due legal process but here will be available to a company with a very questionable history. Confidential Crown material worked on by
yourself or your Right Honourable colleagues, critically confidential business, personal or even security information could well be tapped under such a scheme.

A simple analogy is your daily post. Imagine if every piece of post was opened, read, its contents noted and then resealed before being given to you. But you don't know who the person reading your post is. You don't know where that information could reappear or how it could be used. You don't know how many confidences will be betrayed. Every piece of post. Letters from constituents, Parliamentary colleagues, business colleagues, friends, family, others raising issues with you as I am.

That is what Phorm is about. Financial gain from your personal activities and information.

You will understand now why I refer to the growing belief that Phorm is illegal under RIPA. Government advisors The Foundation for Information Policy Research has published an open letter to Richard Thomas, the Information Commissioner, stating this belief. This letter is at http://www.fipr.org/080317icoletter.html

Soon after this open letter appeared The Guardian newspaper recently rejected Phorm, saying that their "decision was in no small part down to the conversations we had internally about how this product sits with the values of our company." As polite yet devastating a put down as I have ever seen.

More recently The Register obtained proof that BT not only secretly tested this "product" in June 2007 but lied to cover up this fact. Customers were given various excuses for their concerns, but no customer was told the truth. The report is at http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

This issue took an even more serious turn when The Register revealed that it had seen documentary evidence confirming that "BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year. BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006."

This in addition to the secret 2007 tests. The Regulation of Investigatory Powers Act 2000 makes intercepting internet traffic without a warrant or consent an offence. It seems to me that illegally intercepting 18,000 customers' internet traffic is in breach of that legislation. As was the first secret test. I contend that BT must also be in breach of the Data Protection Act as the data was collected without customers' consent.

Please read the full report at http://www.theregister.co.uk/2008/04...rm_2006_trial/

BT claimed that there was nothing illegal about the trials but refused to answer a number of direct questions asked by The Register about Stratis Scleparis, the BT Retail CTO who became Phorm CTO after the first successful secret trial. BT preferred to hide behind a bland statement and refused to apologise to customers or acknowledge anything illegal took place.

The report is at http://www.theregister.co.uk/2008/04...orm_interview/

A number of people have already complained to the ICO but had little back in response.

Today I and others became aware that despite these facts coming to light, the ICO have said that there is definitely no official investigation by ICO with regards to Phorm. Neither is there any investigation with regards to the BT secret trials of 2006 and 2007.

I am led to believe the ICO are claiming that RIPA falls under the remit of the Home Office. The ICO seem unwilling to accept there should be an investigation into the activities of BT and Phorm. I should also add that the ICO were also extremely reluctant to divulge this information to a colleague and refused permission to quote them.

This cannot be acceptable from a public servant organisation.

This cannot be acceptable from the organisation created to "protect personal information" "provide information to individuals and organisations" and "take appropriate action when the law is broken."

If the ICO cannot or will not take responsibility for an investigation, why is this the case? Who has the legislative power to investigate this breach of 18,000 customers' privacy?

A major telcommunications company in the UK has betrayed the trust placed in it by its users. It and its accomplice, Phorm, should surely be brought to book for this flagrant violation of privacy legislation.

Is this really going to be allowed to pass by unchallenged?

One cannot help but wonder if the lack of action by the government and ICO is influenced in any way by the presence of former Labour minister Patricia Hewitt on the board of BT.

I am sure you appreciate that I and many others cannot understand why BT and Phorm are being allowed to breach internet users' privacy with complete disregard for their customers or the law.

I urge you to take up this issue with your colleagues in both Houses, the House Of Commons Select Committee on Science and Technology and the House Of Lords Science and Technology Committee.

Thank you for your time. If I may be of any further assistance to you please do not hesitate to get in touch.

Yours sincerely