Phorm and consent

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Sun, 09 Mar 2008 14:36:02 +0000


Peter Fairbrother wrote:

> I think it is generally agreed that what BT and Phorm propose involves 
> looking at the content of communications, i.e. what they are doing is 
> interception.
> 
> Is it lawful interception? People have suggested that it may be, based 
> on consent. Let's look at RIPA. s3(1):
> 
> "Conduct by any person consisting in the interception of a communication 
> is authorised by this section if the communication is one which, or 
> which that person has reasonable grounds for believing, is both—
> 
> (a) a communication sent by a person who has consented to the 
> interception; and
> 
> (b) a communication the intended recipient of which has so consented."
> 
> 
> So the interceptor has to have reasonable grounds to believe that both 
> the sender and the intended recipient have consented. For HTTP traffic 
> this will be the user and a server, each taking on both roles.
> 
> First, from the user's side, can any opt-out scheme cover this? I doubt 
> it very much, failing to opt-out is not the same as having consented. It 
> doesn't say "hasn't objected", it says "has consented".
> 
> The Phorm scheme, which relies on the user who wants to opt-out storing 
> a cookie, doesn't even work in many cases - for example, my browser 
> deletes any cookies every time it is shut down, for security and privacy 
> reasons. I don't keep long-term cookies. It's a standard option in 
> Firefox, and probably most other browsers too. Not having a cookie 
> stored doesn't mean I have consented.
> 
> How about opt-in schemes?  Where two people may share a browser, even an 
> opt-in cookie does not give them reasonable cause to believe the action 
> of granting consent, as opposed to not objecting, has occurred - and 
> they won't normally know when that happens, so an opt-in cookie, or even 
> expressed permission from the account holder to the ISP, is 
> insufficient - the account holder may not be the sender or intended 
> recipient of the communication.
> 
> And what about the server side of things? For example, I run several 
> websites, and I do not, and never will, give Phorm permission to 
> intercept the communications from these websites. It would be possible 
> for Phorm to get permission from a subset of websites, but not all - do 
> they only look at traffic coming from those websites (remembering that 
> the user has to give permission too)?
> 
> I can't see how lawful interception based on consent could be made to 
> work on any substantial scale.
> 
> Not to mention the interception issues raised by how they decide whether 
> consent has been granted - they will need some information for that, and 
> it seems likely that they will need to intercept in order to get the 
> information needed to make the decisions.

I don't think there's any answer to Peter's argument, if his facts are 
right.  There seems to be some doubt whether the facts have emerged 
fully, and of course until this "service" starts, no offence has been 
committed.

So it may be sensible to wait until something happens (if I am right in 
thinking it hasn't yet) before trying to push anyone into taking action 
against it.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF