The company behind an ISP-based web-advertising user-tracking system has denied claims that what it is doing is illegal.
Phorm — whose Webwise and Open Internet Exchange (OIX) technologies were used by BT in a secret trial on its customers — says the Foundation for Information Policy Research (FIPR) is wrong to say the use of Phorm's technologies constituted unlawful interception under the Regulation of Investigatory Powers Act (RIPA).
Nicholas Bohm, the FIPR's general counsel, said on Sunday that "the illegality stems… from the fact that the system intercepts internet traffic". "Interception is a serious offence, punishable by up to two years in prison," he added. "Almost incidentally, because the system is unlawful to operate, it cannot comply with data-protection principles."
On Wednesday, a statement from Phorm argued there was "no interception issue in the Phorm system".
"FIPR asserts — under a very narrow interpretation of RIPA — that although we obtain user consent, without the explicit consent of each website, there is an unlawful interception under RIPA," the statement read. "We would point to the many important and valuable consumer internet services such as Gmail or spam filters where data from one side of the 'communication' is analysed for the purpose of showing ads or blocking spam. Under FIPR's interpretation such services would be deemed illegal."
On Tuesday the Information Commissioner's Office (ICO) issued a statement on Phorm's activities, in which it said any allegations of RIPA non-compliance were a matter for the Home Office, rather than the ICO. The ICO also said Phorm had already approached the Home Office to check it was complying with RIPA — a point that Phorm reiterated in its Wednesday statement.
"Our extensive consultations have led to only one conclusion — that Phorm's systems are legal under any full interpretation of the law," Phorm's statement read. Also in the statement, Phorm's chief executive, Kent Ertugrul, pointed out that FIPR had campaigned against RIPA when it was drawn up eight years ago, but was now using it to attack Phorm.
"We're delighted to have a dialogue with FIPR but it has to be in the context of how today's online world actually works and how to improve it for the future," said Ertugrul. "Our objective is to ensure the internet continues to be a vibrant and thriving community, where new developments can contribute greatly to user experience and safety."
Richard Clayton, FIPR's treasurer, told ZDNet.co.uk on Thursday that FIPR's issues with RIPA — such as the "way that police could self-authorise [interception]" — remained, but had nothing to do with the elements of RIPA forbidding the use of services such as Phorm.
"[Phorm's statement] is a wonderful piece of PR, but it had very little basis in reality," said Clayton. "[Phorm asked] the Home Office a rather general question about the way the things could be done," he added. "[The Home Office] gave an opinion, not a legal opinion, of their understanding of how the law was [to be applied] — it was essential to get opt-in permission from people whose outgoing traffic was being intercepted."
Clayton criticised the Home Office's view that incoming traffic from websites was publicly available, making it legal to intercept. "We agree to a large extent, but there are quite substantial areas of the internet which are not publicly available, but that Phorm will intercept," he said. "If, for example, you put up a webpage and publish the URL to your friends, asking them not to tell anyone else what the URL is, you have an expectation that no-one else will look at that page because you trust your friends. Phorm will be able to see your page, so we feel that for that reason they are intercepting traffic."
Clayton was also keen to point out that FIPR was not suggesting that Phorm itself was breaking the law. "What Phorm are doing is legal," he said. "It is the ISPs who are intercepting the traffic and giving it to Phorm — it is that that is illegal."
Intercepting traffic for spam-filtering purposes or for blocking denial-of-service attacks was a different matter, Clayton added, because RIPA contains an exemption for technologies that are needed to protect the functioning of an ISP's service.