Features

A Phorm spokesperson told PC Pro: "Our technology complies with all the relevant UK laws." Does the Information Commissioner agree? "That depends," the Information Commissioner's Office (ICO) stated, "on the extent to which the company is processing personal data. Phorm has stated it does not have, nor would ever want or need, access to any information held by the ISP that would enable it to link their user ID and profile to an individual. So the Data Protection Act does not actually apply, as Phorm itself is not processing personal data."

The Privacy and Electronic Communications Regulations 2003 (PECR) is of more concern, as both Phorm and the ISP have to comply even if they don't process personal data. PECR Regulation 6 states a user must

ADVERTISEMENT

be informed when a cookie is placed on their PC, and given clear, and comprehensive information about the purpose of the storage, as well as having the option to refuse it in the first place. "The information we have seen so far indicates users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate," said the ICO. PECR Regulation 7, however, requires the consent of customers for their traffic data to be used for any value-added services. "This strongly supports the view that Phorm products will have to operate on an opt-in basis," the ICO insisted.

Which just leaves the Regulation of Investigatory Powers Act (RIPA), which legislates on surveillance and information-gathering methods, aimed primarily at public bodies and crime prevention. Pinsent Masons' Robertson says that assuming there is user consent, "the RIPA concern is reduced to a minor one that is unlikely to result in any prosecution". For Robertson, the rollout of Phorm will be the critical test. "If the nature of Phorm's operation is transparent, with a clear opportunity to say yes or no, there will be no uprising."

Is Phorm really that bad?