Is Phorm Legal? You decide.
Webwise (from the company Phorm) is an advertising technology based upon eavesdropping on all of your internet activity. Major Internet Service Providers (ISPs) such as BT, Virgin and TalkTalk have been persuaded to partner with Phorm, spying on your web browsing with the barest minimum of your consent.
Phorm and the ISPs claim that what they are doing is completely legal, and does not contravene any data protection or wiretapping laws. Many other people disagree.
This website aims to provide you with a balanced view of the facts, to help you make up your own mind.
| What they say... | What independent experts say... |
|---|---|
| The Phorm technology is legal. It complies with all the appropriate UK laws - and we've consulted a range of experts on this from lawyers to the Information Commissioner's Office (ICO) and the Home Office. However, Phorm's technology represents a big change to the status quo in online advertising, and it's taken a while for people to understand how it works. As a result, there has been some speculation that the Phorm system could be illegal and breach UK law including the Data Protection Act (DPA) and the Regulation of Investigatory Powers Act (RIPA). | There is a strong conviction that the Phorm technology is illegal, but so far the authorities have comprehensively failed to pursue any form of transparent investigation that would decide things either way [1], [2]. It is believed to contravene RIPA and copyright legislation, and there are also data protection concerns [3]. Moreover, its insertion into the data stream of forged data claiming to be from the web sites you are viewing is believed by experts on the UKCrypto discussion group to be in contravention of the Fraud Act 2006 and the Computer Misuse Act 1990 [4]. The ICO has expressed the opinion [5] that the secret (and for a long time denied) trials of Webwise at BT were in technical breach of the law. The Home Office has never released an official comment on Phorm's legality, and (along with other relevant government departments) consistently dodges Freedom Of Information requests asking for details of its conversations with Phorm [6]. |
| This inaccurate opinion was originally formed by FIPR (the Foundation for Internet Policy Research) without first having the technology explained to them by the company. Furthermore, no other organisation has supported this view and Phorm has spent considerable time meeting with technology experts, MPs and others. In April this year, the UK's privacy watchdog, the ICO said in a statement on its website that: "We welcome the efforts [Phorm] are making to engage with sceptical technical experts and believe that it is only by allowing their technology to be subject to detailed scrutiny by independent technical experts that they will be able to prove their assertions regarding privacy." | FIPR's analysis that Phorm is illegal [7] has been backed up by many other respected individuals and organisations, such as LSE Professor Peter Sommer [8] and inventor of the World Wide Web, Sir Tim Berners-Lee [9]. Security expert Dr. Richard Clayton of Cambridge University has received extensive explanation of the Phorm technology from the company, and has concluded that Phorm is illegal interception of communications as defined in section 1 of RIPA [10]. Even the Home Office's own advice [11] requires that informed consent is obtained from end users, and it's argued that the page that BT uses to induce users into Webwise [12] is in no way clear about the implications (and doesn't offer equal weight to the 'no thanks' option). Phorm have held a number of public Q & A sessions, but don't appear willing to publicise transcripts or recordings, presumably due to wanting to suppress the opinions expressed [13]. |
| In June 2008, the influential House of Commons Home Affairs Select Committee published a report entitled "A Surveillance Society?", which covered a range of privacy topics. It included this paragraph: "... the Information Commissioner took the view that Phorm could operate Webwise and Open Internet Exchange (OIX) in a way which is in compliance with the Data Protection Act and Privacy and Electronic Communications Regulations but must be sensitive to the concerns of users." | The ICO's view is that Phorm could be made legal, not that it currently is. It lays out a number of essential criteria that would be required, such as fully-informed consent and opt-in (rather than opt-out) that are not currently implemented satisfactorily by Phorm [14]. The EU's Information Commissioner Viviane Reding has expressed serious concerns about the legality of Phorm, and has pressed the UK government to explain why it has not taken action to protect its citizens' rights under EU law governing privacy and data protection. To date, the UK government has failed to adequately respond [15]. Incidentally, the Parliamentary Internet Security Team apparently isn't quite so confident in the safety of Phorm, and is believed to have blocked it from the Parliamentary network [16]. |