Dear Sir or Madam,

You may or may not be aware of the problems surrounding the online
advertising company Phorm and the problems that this can cause in
terms of privacy, not to mention the potential illegality of what
they are doing (especially considering Phorm's connection to
spyware that they had released when trading under another name).

More importantly from my point of view is the damage that could be
done to patient confidentiality should health records be
compromised by the ISP in their use of Deep Packet Inspection
technology (often referred to as DPI).

A number of ISPs, most notably BT Internet, have either already
signed up or shown interest in the services provided by Phorm or
other similar companies.

As a user of the health service myself I want to know that my
details are secure. The use of DPI means that privacy cannot be
guaranteed.

I would therefore like to request the name of the ISP being used by
the department of health as well as whether the ISP has any plans
to implement DPI-style surveillance on the traffic passing through
their systems, or if they have already implemented such a system.

If there is any possibility that DPI technology is to be used
within the ISPs systems then I would also like to request details
of the steps that the department of health have taken to ensure
that confidential records do not undergo unwarranted and unwanted
examination.

Yours faithfully,

Patrick Seurre

Thank you for your enquiry.

We aim to respond within 20 working days.
If there is likely to be any delay we will contact you to let you know.

show quoted sections

Dear Sir or Madam,

It has now been 20 working days since the request has been raised.
I have not yet recieved a reply. This is despite the fact that the
FoIA stipulates a maximum time of 20 working days for initial
responses.

I would appreciate either a reply by the end of the day, or an
explanation as to why you have been unable to abide by the limits
set out in the freedom of information act.

Yours sincerely,

Patrick Seurre

Dear Sir or Madam,

Please also note that if I don't recieve such a reply by the
beginning of next week then I will consider raising the matter with
the ICO, as I personally view such delays as unacceptable.

Yours sincerely,

Patrick Seurre

Email Content stored in attached file 'Long_Email_Body_19_12_2008.html'.

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Dear Mr Seurre,

I understand that a response was sent to you earlier today by my colleague
William Scott (DE369649), and I apologise for its delay. Please do not
hesitate to contact the Department should you have any further concerns.

Yours sincerely,

David Winks
Customer Service Centre
Department of Health

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Dear Sir or Madam,

Thank you for the reply.

I would like to start with BTs assertion that they are not aware of
any use of DPI technology on the national network. BT have already
been involved in a number of trials, at least one of which was
conducted without any knowledge by the users and whose existance
was completely denied by BT at the time (and on top of that
probably amounted to an illegal interception of communications).

The recent trials appear to have had at least one problem where
non-BT customers were invited to join the trials (in this case
customers of PlusNet, which is also owned by BT).

If they can't get this right then what hope is there of any opt-out
being properly respected? And they can't even limit the trials to
themselves!!! This shows a complete lack of proper control over a
system that could well impact the NHS, and this coming from an
organisation that has already lied to it's customers and for all
you know is lying to you.

Presumably a lot of the work that goes on is web-based, even if
that connection is made by your own applications rather than
through a browser. You say that emails are encrypted, but I
personally have absolutely no confidence that all other web traffic
will not be profiled even if the NHS says no to Phorm.

There has been some speculation after all that BT would simply
alter it's terms and conditions to allow for Phorm rather than
explicitly ask for permission. There's also the suspicion that
opting out would only opt you out from the targeted advertising,
but not the profiling that goes on. Your HTTP traffic would still
be sent through the same hardware.

BT are not safe to use thanks to their relationship with Phorm.

Please could you confirm that all HTTP traffic being transmitted
within NHS systems is encrypted, and if not then what steps the NHS
is taking to stop that traffic being intercepted by Phorm (bearing
in mind that you can't trust anything that BT says on the subject).

Yours sincerely,

Patrick Seurre