Targeted Online Advertising
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Wed, 12 Mar 2008 11:09:59 +0000
Watkin Simon wrote:
>> On Behalf Of Nicholas Bohm
>> Sent: 11 March 2008 4:58 PM
>>
>> I now have a copy of a Home Office note dated January 2008. My source
>> reports that Simon Watkin said that
>> it could be distributed to whomever the source thought would like to see
>> it. It is not uninteresting.
>>
>> It is, however, in the form of a pdf of a scanned image, and is 1 MB, so
>> I don't propose to circulate it. If someone would offer to host it
>> somewhere, and better still host a version converted to text, I'll
>> provide a copy.
Many thanks to John Young (http://cryptome.org/) and Kevin Townsend
(www.quantasecurity.com) for hosting; to the others who offered; and to
Simon W for the text.
I offer a few comments below.
> It says this:
>
> TARGETED ONLINE ADVERTISING: INTERCEPTION OF COMMUNICATIONS OR NOT? IF IT
> IS, IS IT LAWFUL INTERCEPTION?
>
> Targeted online advertising enables ISPs, web publishers and advertisers to
> target consumers with contextually and behaviourally relevant messages based
> upon real time analysis of users' browsing behaviour, and done anonymously
> without reference to any personally identifiable information. Equally it
> offers ISPs' users an enhanced user experience in terms of the advertising
> and marketing they may be exposed to.
Notes such as this must of course set out the facts on which they are
based, but it seems odd to start off with something that sounds so like
a recycled press release.
...
> 9. Where the provision of a targeted online advertising service involves the
> content of a communication passing through a filter for analysis and held
> for a nominal period before being irretrievably deleted - there is an
> argument that the content of a communication has not been made available to
> a person.
At first I thought this was the venerable Housemaid's Baby Defence
("Please, Ma'am, it was only a little one!"), a well-known last resort
of the hopeless.
On reflection, perhaps we have here the first sighting of the
long-awaited Copenhagen Defence. The content in the box exists in a
super-position of states, both read and unread, until the Observer
intervenes to bring about decoherence. Meanwhile, the state of being
read does not attain sufficient probability to discharge the burden of
proof necessary for a conviction on a criminal charge.
Another difficulty with this argument is that s16 of the RIPA happens to
make it clear that material is to be regarded as having been intercepted
even before it has been read, looked at or listened to. It's more than
a little difficult to accept a claim that there was no interception in a
case where the material has been used in accordance with the purposes of
the person who arranged the process to place the sender or recipient of
the material in one of a number of categories according to the content
of the material.
...
> 12. Section 3, RIPA, where relevant to targeted online advertising, creates
> two situations in which interception without a warrant may be lawful:
> section 3(1), interception with consent and section 3(3), interception for
> purposes connected with the operation of the telecommunications service.
>
> 13. Section 3(1), RIPA, provides that: "conduct consisting in the
> interception of a communications is authorised if the communication is one
> which, or which that person has reasonable grounds for believing is,
> **both**: (a) a communication sent by a person who has consented to the
> interception; **and** (b) a communication the intended recipient of which
> has so consented."
>
> 14. The provision of a targeted online advertising service to an ISP user
> who has consented to receive the service should be able to satisfy section
> 3(1)(a). Each service will have its own relevant user agreements. Where
> consent to receive targeted advertising is included in the user's contract
> and the user should be alerted to the possibility of opting out of the
> targeted online advertising service at regular intervals, 3(1)(a) is
> arguably satisfied.
Entering into a contract is no doubt one way of signifying a consent.
But consent to something so intrusive that without that consent a
warrant by the Secretary of State would be necessary has got to be a
consent given explicitly in the knowledge that an interception is being
consented to. Such a consent cannot be constituted by one term among
many in a contract agreeing in general terms to the taking of such
services as an ISP may from time to time offer and the user may refrain
from contracting out of.
I would regard this guidance as a bit of an unexploded bomb. ISPs will
need to tread carefully.
> 15. A question may also arise as to whether a targeted online advertising
> provider has reasonable grounds for believing the host or publisher of a web
> page consents to the interception for the purposes of section 3(1)(b). It
> may be argued that section 3(1)(b) is satisfied in such a case because the
> host or publisher who makes a web page available for download from a server
> impliedly consents to those pages being downloaded.
The host may well have consented to the download. I'm not clear why it
follows that the host has consented to a download to one user being
intercepted by another for the purpose of gaining knowledge about what
the downloader is downloading; indeed I don't think it follows at all.
> 16. Section 3(3), RIPA, provides that: "(3) Conduct consisting in the
> interception of a communication is authorised by this section if: (a) it is
> carried out by or on behalf of a person who provides a ...telecommunications
> service; and (b) it takes place for purposes connected with the provision or
> operation of that service ..."
>
> 17. The provision of a targeted online advertising service, contracted by an
> ISP as part of the service to the ISP's users, can probably be regarded as
> being carried out "on behalf of" the ISP for the purposes of section
> 3(3)(a).
>
> 18. It is arguable that a targeted online advertising service can be
> "connected with the provision or operation of [the ISP] service". The RIPA
> explanatory notes for section 3(3) state: "Subsection (3) authorises
> interception where it takes place for the purposes of providing or operating
> a postal or telecommunications service, or where any enactment relating to
> the use of a service is to be enforced. This might occur, for example, where
> the postal provider needs to open a postal item to determine the address of
> the sender because the recipient's address is unknown."
>
> 19. Examples of section 3(3) interception, very relevant to the provision of
> internet services, would include the examination of e-mail messages for the
> purposes of filtering or blocking spam, or filtering web pages which provide
> a service tailored to a specific cultural or religious market, and which
> takes place with user's consent whereby the user consents not to receive the
> filtered or blocked spam or consents (actively seeks) a service blocking
> culturally inappropriate material. The provision of targeted online
> advertising with the user's consent where the user is seeking an enhanced
> experience and the targeted advertising service provides that.
Others have rubbished the extraordinary stretch this argument
represents, and I say no more than that I agree with them.
> ** Conclusion **
>
> 20. Targeted online advertising services should be provided with the
> explicit consent of ISPs' users or by the acceptance of the ISP terms and
> conditions. The providers of targeted online advertising services, and ISPs
> contracting those services and making them available to their users, should
> then - to the extent interception is at issue - be able to argue that the
> end user has consented to the interception (or that there are reasonable
> grounds for so believing). Interception is not likely to be at issue where
> the user's browser is processing the UID and material informing the
> advertising criteria.
>
> 21. Where targeted online advertising is determined and delivered to a
> user's browser as a consequence of a proxy server monitoring a communication
> to download a web page, there may be monitoring of a communication in the
> course of its transmission. Consent of the ISPs' user and web page host
> would make that interception clearly lawful. The ISPs' users' consent can
> be obtained expressly by acceptance of suitable terms and conditions for the
> ISP service. The implied consent of a web page host (as indicated in
> paragraph 15 above) may stand in the absence of any specific express
> consent.
>
> 22. Targeted online advertising can be regarded as being provided in
> connection with the telecommunication service provided by the ISP in the
> same way as the provision of services that examine e-mails for the purposes
> of filtering or blocking spam or filtering web pages to provide a
> specifically tailored content service.
>
> 22. Targeted online advertising undertaken with the highest regard to the
> respect for the privacy of ISPs' users and the protection of their personal
> data, and with the ISPs' users consent, expressed appropriately, is a
> legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is
> not to inhibit legitimate business practice particularly in the
> telecommunications sector. Where advertising services meet those high
> standards, it would not be in the public interest to criminalise such
> services or for their provision to be interpreted as criminal conduct. The
> section 1 offence is not something that should inhibit the development and
> provision of legitimate business activity to provide targeted online
> advertising to the users of ISP services.
Is this encomium really within the scope of the Home Office remit? I
thought we had BERR and DCMS for that sort of thing.
Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF