Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Apologies for the length of this post. Please comment on this critique for accuracy, let me know if I've missed any points or am making any spurious points. Or indeed if anything could be expressed more effectively. And typos of course. Thanks. PG.
Quote:
CRITIQUE OF THE ICO’S 31st MAY 2008 RESPONSE TO COMPLAINTS
ABOUT THE BT PAGESENSE/WEBWISE/PHORM TRIALS
ICO: BT have explained that two technical tests of a prototype advertising platform were conducted in 2006 and 2007. They have informed us that these tests were designed to evaluate the functional and technical performance of the platform. BT have confirmed that they sought their own legal advice before both trials.
BT have never disclosed who provided this legal advice, whether it was bona fide or what was in it.
Question 1: Why has the ICO not asked BT for this information?
ICO: Where a purely technical trial is conducted that, in BT's view, is likely to have little or no impact on customers, they have advised that they would not generally seek consent from customers.
The first success criterion of the trials indicates that their purpose was to determine whether the installation, integration, and use of Pagesense/Webwise/Phorm would be transparent to customers. (Leaked report page 10, section 3.1, requirement 1.1). The success criterion for this was “No customer calls to helpdesk related to installation, integration & use compatibility issues of PageSense application with other applications”. So BT clearly expected that problems could arise.
Question 2: Will the ICO explain why they agreed that BT could act without consent from their customers if such problems were possible, let alone the fact that without such consent (and probably even with it) the trials were illegal under RIPA?
ICO: As they did not anticipate the trials would cause customers problems they did not brief their customer service helpdesks about them (hence the problems you experienced in getting advice from them at the time).
Although BT claim they did not brief their helpdesks, they clearly did monitor calls. 15-20 triallists identified the presence of the system and had a negative reaction. (Leaked report page 4, Executive Summary, Point 1).
Question 3: Will the ICO ask BT to explain how they identified these 15-20 users?
ICO: BT have told us that they did not associate your enquiry with the 2007 trial and as they were not able to identify individual customers that had participated (because of the anonymity of the process) . . .
BT appear to have been aware of the IP addresses of the triallists. (Leaked report page 45, under the heading "IP addresses seen through the Proxy Servers" – obscured in the leaked copy of the document but present in the original).
Question 4: Will the ICO explain how their statement that BT “were not able to identify individual customers that had participated” is consistent with the leaked report?
ICO: . . . they were unable to get back to you. They have advised that they attempted to contact you after you had expressed concerns online at 'The Register' however they were apparently not successful.
The complainant says that BT logged support, abuse, and customer service records in his name and was always available to be contacted. In his own words: “Was the line constantly engaged? Did they not know my phone number or address? I was a god damn BT customer! Of course they had my contact details.”
Question 5: Why has the ICO accepted BT’s assurances apparently without question when they appear to contradict the triallist’s experience?
ICO: Finally, BT have confirmed that no personally identifiable information was processed, stored or disclosed during either trial. We have no reason to doubt this assertion. Where no personal data is processed the Data Protection Act will not apply.
BT appear to have been aware of the IP addresses of the triallists (see above).
Data in the BT trials was processed at sysip.net, a domain operated outside the BT network, and indeed outside the EU, by adware company 121media, whose products were categorised as malware by at least three reputable anti-virus companies.
Question 6: Why does the ICO accept BT's assurances that no personally identifiable information was processed, stored or disclosed during either trial when it appears that they were and indeed the whole point of Phorm/Webwise is to do just that?
ICO: As we discussed when we spoke the issues that we have considered in this case relate primarily to the requirements of Regulations 6 and 7 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Regulation 6 requires that where an organisation is using an electronic communications network to store information, or gain access to information stored, in the terminal equipment of a subscriber or user, the subscriber or user should (in most cases) be provided with 'clear and comprehensive' information about the purposes of the storage of, or access to, that information, and the opportunity to refuse the storage of or access to that information. In other words, if an organisation collects information using cookies they have to tell people about that, and advise them how to prevent operating.
… however it is our view that Regulation 6 would be likely to apply. BT’s view is that as the 2007 trial was small scale and technical in nature and no adverts were served, it would have been difficult to frame any advice for customers about the operation of cookies, and obtain any relevant consents for the processing of traffic data, with a wording that would have any resonance at all for their customers.
The leaked BT report states that the 2006 trials of Webwise/Phorm involved a userbase of approximately 18,000 customers with a maximum of 10,000 online concurrently. The document states that the planned userbase for their phase 2 testing (presumably the 2007 trials) was 350,000.
Question 7: How big does the level of interception have to be before the ICO will act?
ICO: Our view is that, whether or not there was a technical breach of the Regulation, there is no evidence that the trials generally involved significant detriment to individuals involved (although we acknowledge – as have BT – the problem you flagged) or privacy risks to individuals.
The trials involved interception, reading, recording and in some cases alteration of messages sent between internet users and the websites they accessed. Data in the BT trials was processed outside the EU, by a third party few technically aware users would have trusted had they known they were involved.
Privacy laws exist precisely because the detriment of intrusion is not always measurable in purely economic terms.
Question 8: Will the ICO explain whether they are now only interested in cases where economic loss can be demonstrated?
ICO: On this basis, and taking into account the difficulties involved in providing meaningful and clear information to customers (the vast majority of whom were likely to be completely unrelated to the anonymous technical trial) in this case, this is not an issue we intend to pursue further with BT.
In other words, because it was difficult for their Webwise/Phorm trials to obey the law, the ICO says it will allow BT to break it in this case.
Question 9: Does that mean that the ICO will allow any ISP, telecoms provider or postal service to carry out a similar scheme if its operation is sufficiently opaque?
ICO: However, as we discussed when we spoke I understand you were considering the options available to you in terms of pursuing this matter further yourself. As I mentioned briefly on the telephone, Regulation 30 specifies that a person who suffers damage by reason of a contravention of any of the requirements of the Regulations by any other person can make a claim for compensation for that damage.
If you believe you have suffered quantifiable damage as a result of a breach of the Regulations and are considering pursuing this matter you should seek your own legal advice.
Question 10: What purpose does the ICO serve if it is unable or unwilling to uphold the criminal law?