As reported here on 14 April, the Commission has thrown the book at the UK with its long anticipated infringement proceeding alleging that there are “structural problems” in the UK’s implementation of EU rules regarding the confidentiality of communications. As the two month period for the UK to respond to the proceeding now runs its course, participating ISPs using Phorm’s technnology may be thinking about re-evaluating their approach to consent in their terms and conditions.
As Datonomy has noted, Phorm’s “Webwise” technology performs deep packet inspection of web users’ browsing habits in order to deliver those users targeted advertising based on those habits. In essence, it uses equipment at the user’s internet service provider to monitor traffic, look inside each IP packet’s payload, and identify every URL visited by the household or machine browsing on the web.
The key distinction between this and some other forms of targeted advertising technology, the significance of which is often lost in technical discussions is, in other words, that this is happening at the “internet layer” rather than at the “online store layer”. If I visit an online store, it is usually helpful to have the store to serve me customised advertising based on knowledge of my preferences, (though I still expect to be informed about how and when it is monitoring those preferences). That is a different proposition than tracking my behaviour at the level of all of my internet interactions, when I may be engaged in intensely private activity, researching medical information for example, rather than simply indulging in a bit of retail therapy. I definitely want to be fully informed about that kind of monitoring and the potential adverse consequences for me.
As Datonomy noted on Tuesday, this is the heart of the Commission’s complaint about the UK’s current laws on interception. The Regulation of Investigatory Powers Act doesn’t seem to reflect the Directive on Privacy and Electronic Communications accurately when it stipulates that interception of a communication is authorised by as little as the interceptor having “reasonable grounds for believing” that the communication is sent by a person who has consented to the interception and by a recipient who has similarly consented.
The founder of the web, Tim Berners-Lee, provides an eloquent indication of the considerable risks that may arise if the kind of information that Phorm gathers is abused.
To be able to buy a profile of a person you are interested in;
To discriminate based on profiles of people when deciding whether [it is] suitable to employ them;
To discriminate in giving life insurance, and so on, against those that have looked up (say) cardiac symptoms on the web;
Criminal attacks on government officials at home;
Foreign attacks on the country made by targeting and analyzing key individuals;
Predators choosing, stalking, and targeting victims;…
to name a few”.
The Commission in essence considers that a user of the web would surely only wish to provide his or her consent to such monitoring where that consent fell squarely within the parameters for consent laid down in the Data Protection Directive. Namely that it is a “freely given, specific and informed indication of his wishes”.
The UK of course did not see the need to define consent when implementing the directive and Datonomy now awaits with interest the UK’s response to the Commission’s first stage of the infringement proceeding.