BT Phorm trial leak rekindles row

Summary:Documents leaked of a 2006 secret ad-serving test show BT should be prosecuted, argues a University of Cambridge security expert, though BT says it is perfectly legal

The appearance of a leaked document about a test of ad-serving technology performed by BT in 2006 has led to calls for the company to be prosecuted.

BT confirmed to ZDNet.co.uk on Friday that the leaked documents were genuine. The documents give details of a test between September and October 2006 of 18,000 BT customers which trialled ad-serving technology by 121Media, which has since become Phorm.

The documents show BT customers were not made aware of the tests, and that their web traffic was being intercepted, according to Cambridge University computing expert Richard Clayton, who called for BT to be prosecuted.

"This appears to document a secret trial snooping personal traffic, processing data, and serving up adverts without anyone's consent," said Clayton. "BT should be prosecuted, as it seems they committed a criminal offence."

The BT document states: "The trial involved approximately 18,000 users with a maximum 10,000 concurrently active on the system during the network's peak period, and was operated on a 24/7 basis. All users were unaware they were participants in the trial."

As BT had not obtained permission from users, website owners or search companies to redirect data, Clayton argued BT had intercepted the data illegally under the Regulation of Investigatory Powers Act 2000.

"Under the Regulation of Investigatory Powers Act, you need permission from both ends of a communication to intercept," said Clayton. "BT was snooping on traffic to see which keywords were in it, in the system they describe."

Technical details of how the ads were served showed users were assigned a unique identifier, and the identifier's browsing habits were observed. Clayton argued that tracking a unique identifier (UID) browsing for cars, then serving up a car insurance advert, was "personal data" being processed, and therefore contravening the Data Protection Act.

"It's breaking data-protection principles for a user to be unaware of that process," said Clayton.

BT on Friday said it sought legal advice before initiating the tests, and insisted no personal data had been processed.

"BT can confirm that we conducted a very small scale technical test of a prototype advertising platform in 2006," stated the company. "The test was specifically conducted to evaluate the functional and technical performance of the platform. Absolutely no personally identifiable information was processed, stored or disclosed during this trial."

BT added that it was planning to conduct a technical test "soon".

Topics: Networking

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.