Phorm Contracts with ISPs
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Sat, 15 Mar 2008 10:27:43 +0000
Joel Harrison wrote:
> I haven't seen any of these contracts, but they may very well not have
> an object that is illegal per se, even though they might end up being
> performed in a manner that is illegal. The parties may have intended
> that this would all be done with the consent of the user. Given that,
> of the two parties, it is the ISP that has the existing relationship
> with the user, the contracts may well provide that the ISP is required
> to obtain the user's consent to the interception - and the ISP may
> even give a representation that its Ts & Cs already provide for this.
>
> If this were the case, it would put the ISP in an equally difficult
> position - and perhaps a more difficult position, since it would be
> its omissions that rendered the interception unlawful - than Phorm.
>
> Of course, this assumes the parties even contemplated the matter
> before it was raised with them. But, even though the RIPA issue may
> not have been something they considered, the privacy issue does appear
> to be - and it may have been tackled in the contracts in a similar
> way.
This is fine as far as it goes; but how is the consent of webhosts
supposed to be obtained for the interception of pages fetched from them
by users?

The best the Home Office guidance can offer on this is that webhosts
impliedly consent to downloading. Mostly they do, but this doesn't seem
to me to mean they consent to interception. And it's an argument that
fails to touch webhosts who don't consent to downloading without
registration. Among the latter are of course providers of web-based
email services, who cannot be assumed to consent to interception of
their users' email.

Indeed, one might wonder whether users who give their consent to
interception of their browsing do so in the realisation that the
scanning extends to their web-based email - certainly I think the point
would deserve bringing to their attention when consent is sought to
ensure that it is fully informed.

(If Phorm somehow excludes email, or other pages requiring registration,
I've missed that - no doubt someone will put me right. And those email
sites that use https would presumably be immune from effective scanning,
though not all do.)

(I am indebted to a pseudonymous correspondent for the point about email.)
Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
> On Fri, Mar 14, 2008 at 3:23 PM, Nicholas Bohm <nbohm@ernest.net> wrote:
>> Peter Fairbrother wrote:
>> > Am I right in thinking that, as the main part of the contract is
>> > illegal, any contracts the ISPs have with Phorm are void?
>>
>> Not _void_, but unenforceable.
>>
>> > So if eg TalkTalk or VirginMedia wanted to rip out any equipment they
>> > have installed they could charge Phorm for ripping it out, and any
>> > consequential costs or losses?
>>
>> It might be unenforceable by either party, unless Phorm have made some
>> misrepresentation on which the ISP has reasonably relied.