A service soon to be implemented by several UK ISPs (BT, Virgin and Talk Talk) that records people's web activity in order to serve them targeted advertisements may violate data protection laws, a technology policy group warned the British government on Monday.
The data collected by Phorm could potentially be used to identify users, said the Foundation for Information Policy Research (FIPR) in a letter sent to the Information Commissioner's Office, the UK's data protection regulator.
The controversy over Phorm, which has offices in the UK and US, highlights ongoing worries over how the personal data of web users is handled. Tracking technology offers huge advantages for companies trying to reach consumers who will be most receptive to their products, but tracing those users opens a raft of privacy concerns.
Phorm collects data such as a person's browsing history, search terms and other keywords on pages, and then delivers advertisements that may coincide with a person's interests. That data is immediately discarded, the company says. But Phorm also puts a text file or cookie on a person's hard drive to identify repeat users of a website, although the cookie contains no personally identifiable information.
Richard Clayton, treasurer at FIPR, recently told the BBC: "The Phorm system is highly intrusive; it's like the Post Office opening all my letters to see what I'm interested in, merely so that I can be sent a better class of junk mail."
Phorm says the collected data is assigned a random number that can't be traced to a person. The computer's IP (Internet protocol) address, which can be linked to a person's account with an ISP, is not recorded. Other data such as a person's email address, postal address or phone number are not collected, as the system is designed to ignore data entered on web-based forms.
But FIPR says the system's monitoring of web traffic may violate the UK's Regulation of Investigatory Powers Act of 2000. The act makes it illegal to monitor communications between two entities without consent. The group also contends that Phorm conflicts with the Data Protection Act, which also says personal data can't be processed without consent.
Since the content of many sites requires registration, Phorm may need the consent of those sites before monitoring the communication, said Nicholas Bohm, FIPR's general counsel.
A further concern is the possible linkage of personal data with a real person. "There's a lot of sensitive personal data washing around of an identifiable kind," Bohm said.
FIPR's letter is intended to contribute to a review under way by the Information Commissioner's Office. A spokeswoman there said Phorm approached it recently to review whether its system is in compliance with data protection laws. That review is ongoing, she said.
Internet Service Providers BT, Virgin Media and Talk Talk are planning to trial the service. A BT spokesman said around 10,000 users will be targeted this month to try Phorm. Those users will be able to opt out of Phorm if they want to, he said.