Phorm may be illegal
The Phorm service, which records people's web activity in order to serve them targeted advertisements and is soon to be implemented by ISPs, may violate data protection laws.
The Foundation for Information Policy Research (FIPR) said that the data collected by Phorm could potentially be used to identify users, in a letter sent this week to the Information Commissioner's Office, the UK's data protection regulator.
FIPR says the system's monitoring of web traffic may violate the UK's Regulation of Investigatory Powers Act of 2000. The act makes it illegal to monitor communications between two entities without consent. The group also contends that Phorm conflicts with the Data Protection Act, which also says personal data can't be processed without consent.
The controversy over Phorm, which has offices in the UK and US, highlights ongoing worries over how the personal data of web users is handled. Tracking technology offers huge advantages for companies trying to reach consumers who will be most receptive to their products, but tracing those users opens a raft of privacy concerns.
Phorm collects data such as a person's browsing history, search terms and other keywords on web pages, and then delivers advertisements that may coincide with a person's interests. That data is immediately discarded, the company says. But Phorm also puts a text file or cookie on a person's hard drive to identify repeat users of a website, although the cookie contains no personally identifiable information.
Phorm says the collected data is assigned a random number that can't be traced to a person. The computer's IP (Internet protocol) address, which can be linked to a person's account with an ISP, is not recorded. Other data such as a person's email address, postal address or phone number are not collected, as the system is designed to ignore data entered on web-based forms.
Since the content of many websites requires registration, Phorm may need the consent of those sites before monitoring the communication, said Nicholas Bohm, FIPR's general counsel.
A further concern is the possible linkage of personal data with a real person. "There's a lot of sensitive personal data washing around of an identifiable kind," Bohm said.
FIPR's letter is intended to contribute to a review under way by the Information Commissioner's Office. A spokeswoman there said Phorm approached it recently to review if its system is in compliance with data protection laws. That review is ongoing, she said.
Internet service providers BT, Virgin Media and TalkTalk are planning to trial the service. A BT spokesman said around 10,000 users will be targeted this month to try Phorm. Those users will be able to opt out of Phorm if they want to, he said.