A service soon to be implemented by several U.K. ISPs that records people's Web activity in order to serve them targeted advertisements may violate data protection laws, a technology policy group warned the British government on Monday.
The data collected by Phorm could potentially be used to identify users, said the Foundation for Information Policy Research (FIPR) in a letter sent to the Information Commissioner's Office, the U.K.'s data protection regulator.
The controversy over Phorm, which has offices in the U.K. and U.S., highlights ongoing worries over how the personal data of Web users is handled. Tracking technology offers huge advantages for companies trying to reach consumers who will be most receptive to their products, but tracing those users opens a raft of privacy concerns.
Phorm collects data such as a person's browsing history, search terms and other keywords on Web pages, and then delivers advertisements that may coincide with a person's interests. That data is immediately discarded, the company says. But Phorm also puts a text file or cookie on a person's hard drive to identity repeat users of a Web site, although the cookie contains no personally identifiable information.
Phorm says the collected data is assigned a random number that can't be traced to a person. The computer's IP (Internet protocol) address, which can be linked to a person's account with an ISP, is not recorded. Other data such as a person's e-mail address, postal address or phone number are not collected, as the system is designed to ignore data entered on Web-based forms.
But FIPR says the system's monitoring of Web traffic may violate the U.K.'s Regulation of Investigatory Powers Act of 2000. The act makes it illegal to monitor communications between two entities without consent. The group also contends that Phorm conflicts with the Data Protection Act, which also says personal data can't be processed without consent.
Since the content of many Web sites requires registration, Phorm may need the consent of those sites before monitoring the communication, said Nicholas Bohm, FIPR's general counsel.
A further concern is the possible linkage of personal data with a real person. "There's a lot of sensitive personal data washing around of an identifiable kind," Bohm said.
FIPR's letter is intended to contribute to a review under way by the Information Commissioner's Office. A spokeswoman there said Phorm approached it recently to review if its system is in compliance with data protection laws. That review is ongoing, she said.
Internet Service Providers BT, Virgin Media and Talk Talk are planning to trial the service. A BT spokesman said around 10,000 users will be targeted this month to try Phorm. Those users will be able to opt out of Phorm if they want to, he said.