BT 2006 trials of Phorm

Richard Clayton ukcrypto at chiark.greenend.org.uk
Sat, 7 Jun 2008 15:41:27 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <298c5f970806061616p3844d39bi60510f04361a64c4@mail.gmail.com>
, Alexander Hanff <no2dpi@googlemail.com> writes

>    Mr Bohm and Dr Clayton,

I think you mistake the nature of the UKCrypto list if you think it is
for your personal inquiries to individuals :(  However, since I expect
others will be interested in the answer....

>    Can I ask if either of you have received legal threats from BT 

Not recently, though I seem to recall red coloured bills in the dim and
distant past before I discovered the joy of direct debit.

>    with 
>    regards your comments about the legality of the covert trials and 
>    future plans to deploy Phorm?

They've never talked to me about that.

>    I ask because Emma Sanderson has today accused me of defamation for 
>    the section of my blog post regarding whether or not BT may have 
>    misled ICO by stating no ads were served during the trial and that 
>    no IP data was shared with Phorm.

I don't think we're aware of what BT said to the ICO ... so it may be
difficult to comment upon that !

The only statement I can locate is one made by BT to The Register which
reads:

    http://www.theregister.co.uk/2008/04/03/bt_phorm_interview/

    BT can confirm that a small scale technical test of a prototype
    advertising platform took place for two weeks during September -
    October 2006. The purpose of the test was to evaluate the functional
    and technical performance of the platform. 

    It is important for BT to ensure that before any new technologies
    are deployed, they are robust and fit for purpose. No personally
    identifiable information was processed, stored or disclosed during
    this test.

ZDNet has obtained a confirmation from BT that the document is genuine

    http://news.zdnet.co.uk/communications/0,1000000085,39430496,00.htm

and having read the document, I cannot see that the statement "no
personally identifiable information was processed" is credible :(

However, it may be that BT thinks of "processing" in a different way
than I do, and it may be that they went into more detail with the ICO.
It's hard to say.

I do note that the ICO's statement:

    http://www.ico.gov.uk/about_us/news_and_views/current_topics/phorm_webwise_and_oie.aspx

says:

    Personal data is information that relates to a living individual who
    can be identified from that information or other information in the
    possession of or likely to come into the possession of the person
    holding it.

which is to restate definitions from the Data Protection Act 1998 s1(1)

Now web pages can be full of, say, synagogue opening times [which would
be sensitive personal data] so if there can be identification, then
there would be personal data involved.

However, the ICO has mechanistically worried about whether the systems
could link this to an IP address and hence to an account holder and
hence you could locate someone to walk up and shake their hand....

They don't seem to have considered the extent to which the contents of
the clickstream itself can reveal identity (something which got people
quite excited a few years back when AOL unwisely released its search
terms database), nor have they -- in my view and IANAL! crucially --
considered that the data is being explicitly gathered so as to re-
identify the individual when they visit a site which serves up
advertisements.

Of course that re-identification is done using a pseudonym (the Phorm
UID), rather than by checking if this is the resident of 7 Acacia Avenue
or whether this is "Norman Stanley Fletcher" rather than some other
Norman (or some other Fletcher).

But I cannot see anything in the Act that says that if you re-identify
people using your numbering system rather than theirs that you are not
processing personal data.

>    Now on my blog I have asked it as a question and then given my 
>    opinion and thoughts on the issue, so I fail to see how this is 
>    defamation; 

My experience with defamation (that goes back some years now) has taught
me that common-sense naive understandings of its nature are helpfully
bolstered by expert advice.

>    but I am interested in the fact that BT seem to be 
>    concentrating legal efforts on me yet don't appear to be using the 
>    same tactics with other commentators who have publicly stated in 
>    the press and elsewhere that they believe BT's actions were 
>    illegal.

Perhaps they don't read UKCrypto :)  Phorm didn't use to !

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBSEqeF5oAxkTY1oPiEQL9JQCdFBPs2DHJKV3xiWT4TrQpV1j3+RYAoPOe
IsN49v8yfmVJJwfcmwpOG1/z
=cMKN
-----END PGP SIGNATURE-----