Robert M Jones wrote:
Here's some of the 80/20 report on Phorm published in the last day or so.
There is some interesting stuff here that ISPs in particular need to
take note of, in relation to keeping customers fully informed,
implementing "opt-IN" policies, and also having regular reminders and
regular repeated consent about opt-in/opt-out because of the number of
computers/users in households.
Questions asked about monitoring of less common, less secure email sites
(not using https.)
Some disagreement between Home Office and 80/20 about basic position
under RIPA!
A reminder - the 14 page report is available in full here:
http://blogs.guardian.co.uk/technolo...20final%20.pdf
Some extracts:-
despite our positive findings regarding Phorm’s
approach to privacy protection we are disappointed that the
company has not benefited from an earlier implementation of a
PIA. While we are encouraged that Ernst & Young were engaged
to perform a privacy examination, the full scope and influence of
an “early intervention” PIA has not been possible. At this late stage
of product development it will not be possible to fully exploit the
value of a PIA.
We broadly agree with the positive findings of the 2007 Ernst &
Young privacy examination, but remain concerned that the scope
of that report was based almost exclusively on conditions applying
to the US privacy environment. Public sensitivities, regulatory
conditions and other factors vary substantially according to
geographical location.
We believe it will be crucial to devise a system based on both
transparency and embedded technological safeguards to provide
assurance that Phorm Technology does not fall victim to the level
of function creep evident in other technologies.
In our view, Phorm should ensure that ISPs clearly communicate
with their users about the issues involved in Phorm Technology
surveillance, and actively and regularly pursue users' consent. We
believe this approach may be crucial to mitigating potential
concerns about surveillance.
Communications surveillance laws at the very least require consent
to be re-affirmed at regular intervals, particularly as multiple users
may make use of a single Internet connection and machine.
Phorm's privacy policy responsibly notes that Phorm may disclose
information to third parties under 'legal requirements'. Considering
how legal protections vary by country, far more information is
required for users to ensure their confidence in the data processing.
Although the PIA process takes the Data Protection Act and other
relevant laws into account, it does not focus exclusively on them. A
complementary audit process is needed to ensure that the project is
legally compliant. That process can begin early, but cannot be finalised
until late in the project lifecycle, when the design is complete.
Phorm liaised with the Home Office to assess whether its system could
infringe the UK law that regulates communications surveillance. The
Home Office concluded that Phorm's system is consistent with the
Regulation of Investigatory Powers Act and does not intercept
communications. While this conclusion is a fair interpretation of Phorm
and the system's capabilities, communications monitoring still takes
place. Even if the Home Office's conclusions were appropriate and
relevant, it would mean that if an ISP or any government wished to
conduct similar monitoring of communications for segmentation
purposes, albeit with consent of the user, then they may indeed do so and
yet still be compliant with UK law. This could indeed give rise to a
worrying situation.
In its assessment, the Home Office compares targeted online advertising
with email/spam filtering. This was a similar line of argument pursued
by Google in its Gmail advertising service: the content of messages is
already being processed by ISPs to assess whether they are spam,
therefore analysing content for advertising purposes is no different. The
key difference, as argued by many privacy experts, is that processing
communications to remove inconveniences (e.g. spam) is not invasive
because it is intentionally not passing judgment on the user. Processing
communications to categorise individuals, or to pass judgment on the
consumer, is a privacy interference.
Phorm must ensure that ISPs clearly communicate with their users about
the issues involved in this 'surveillance', and actively and regularly
pursue users' consent. This is the only way to mitigate concerns about
surveillance.
Ideally some form of black-list of sites should be included, or a
white-list with clear exclusion processing. For instance, even though Phorm's
system excludes forms, and therefore would exclude content from sites
where an individual is drafting an email, and also excludes https traffic
which therefore excludes many webmail service providers, users would
need strong assurance that the process through which they read emails
(on less-secure platforms) is not also being monitored.
Can user-sensitive URLs be excluded?
While Phorm is careful to note that HTTPs pages are processed this is
perhaps more a matter of an inability to gain access to the content of
these pages because they are encrypted. Are https-requests not logged at
all? That is, 1080-requests tend to be from servers where users have an
existing relationship, e.g. their banks, travel agents, mail providers, and
places where the user shops. If this information was to be logged by an
ISP this would make users feel spied upon because their ISP would know
which services he or she makes use of. Phorm must ensure that it is not
using information about these sites in any way, e.g. URL data.
We are aware that only widely-viewed pages will be used, possibly to
limit profiling to highly specific user data. This is certainly a positive
development. Phorm must communicate this fact to end-users.
Similarly, users need to be informed explicitly about the constitution of
channel information. If not carefully explained, users may worry that
channel information, depending on the level of data granularity, is in
itself personal or sensitive information. For instance, if a channel is
able to discern that a user banks online, uses a non-online insurance company,
this could be seen as personal information particularly where the user's
bank and insurance company could be known to the profiler. Therefore
clearer information is required about how the profile is developed and
how this information is combined with the channels.
Consent and Participation
To adhere to the highest principles of data protection, any system that
processes personal information must require consent on an opt-in basis.
As Phorm's system involves a form of communications surveillance then
optimal protections would involve opting-in.
The market default for cookie-based consent systems is opt-out however.
Phorm's chosen implementation matches market practices. Phorm goes
some way to mitigate this concern by creating a website for opting-out
and encourages partners to remind users about opt-out rights.
We would like to hear more about this form of 'encouragement' to clarify
the role of Partners in ensuring privacy practices are pushed to the
highest level possible. Communications surveillance laws at the very least
require consent to be re-affirmed at regular intervals particularly as
multiple users may make use of a single Internet connection and machine.
Further challenges exist and clarifications are required.
- If a user blocks all cookies (or manages cookies on an opt-in basis),
these users will have to be informed about how their traffic is managed
by the Phorm system. That is, if there is no cookie present does the
traffic still get processed? It is important to be clear to users that
if they choose not to participate in the system at all then their traffic
is not being processed.
- If a user regularly deletes cookies then this would result in that user
being monitored again. Ideally a user would be able to notify his or her
ISP that he or she is uninterested in participating in the advertising
scheme altogether and this would result in a permanent non-processing of
Internet traffic. Is such an implementation possible?
- With limited information about the channels and profiles, a user may be
concerned about seeing which 'channel' they have been linked to and the
means through which this decision was made. Phorm must develop
educational materials for users to understand this process. Similarly,
Phorm must explain how many possible channels there are in case users
are worried about being segmented in great detail.
Identity, Traceability, and Security
Phorm is very careful in the design of its system and in its public
information to avoid processing personally identifiable information.
Phorm's system itself does not process IP addresses and promises that it
does not link back to ISPs' subscriber databases.
Concerns remain, however:
- Can cookies lead back to users in any way? Of course it is merely a
unique identifier but a unique identifier can still be linked to individuals.
Can an external attacker gain access to the required information to re-link
the individual and the UID? Even if this was possible, what potential
gain could there be for an attacker?
- Phorm's privacy policy responsibly notes that Phorm may disclose
information to third parties under 'legal requirements'. Considering how
legal protections vary by country, far more information is required for
users to ensure their confidence in the data processing. We would be
interested to know what kind of information Phorm and its system
actually holds that may be of interest to third parties. This of course
refers back to the linkability issue: if neither the profile nor the
advertising information is linkable to the individual then of what use
would such data serve to third parties such as law enforcement authorities?
- Linked to the above two points, if there was a malicious insider, with
complete access to all the traffic and transactions, could
re-identification take place? Or could any level of traffic analysis
generate persona data about the user, the types of advertisements served,
and the user's IP address?
Although the security statement in the privacy policy is a responsible
statement, Phorm's security policy and security processes should be
audited regularly.
--
Rev Robert M Jones, Wimborne Baptist Church, UK
Hub forums here: http://hubbub.labs.bt.com/
Hub info & forum here: http://www.frequencycast.co.uk/homehub.html
http://www.wimborne-baptist.org.uk
Free trial of Mailwasher Pro - effective email spam filter - (commission
goes to our partners in Bulgaria)
http://fta.firetrust.com/index.cgi?id=420