121Media/Phorm Registration as

P. John made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was successful.

Dear Sir or Madam,

"Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence."

Accordingly, ICO issued an enforcement notice, and threatened prosecution against the "Consulting Association" for failing to register. David Smith was quoted "This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied."

Please could you disclose to me

- The date on which 121Media/Phorm first registered as a data controller

- The date on which 121Media/Phorm first registered as a data controller handling information for the purpose of "Advertising Marketing & Public Relations For Others" concerning "COMMERCIAL CUSTOMERS AND CLIENTS END USERS"

- Copies of all the registration documents supplied to you by 121Media/Phorm since 1 January 2005

- The number of people who were involved in the covert trials of Phorm Webwise without their knowledge or consent

- The date on which the conduct of covert trials was first revealed to the ICO by BT and/or Phorm

- Any enforcement notices which have therefore been issued as a consequence of processing personal information without registration, and/or operating the system without the knowledge or consent of the people profiled?

Phorm's present registration number is Z1196938.

Yours faithfully,

Peter John

Information Commissioner's Office

18th March 2009

Case Reference Number IRQ0239626

Dear Mr John

Request for Information

Thank you for your e-mail of 16 March 2009 in which you have asked us to
provide you with various items of information relating to 121 Media/Phorm.

Your request is being dealt with in accordance with the Freedom of
Information Act 2000 under the reference number shown above.  We
will therefore respond to your request by 15 April 2009 which, allowing
for the Good Friday and Easter Monday bank holidays, is 20 working days
from the day after we received your request.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 01625 545894

Email: [email address]

www.ico.gov.uk

http://www.ico.gov.uk or email: [email address]
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 01625 545 700 Fax: 01625 524 510

Information Commissioner's Office

2 Attachments

9th April 2009

Case Reference Number IRQ0239626

Dear Mr John

Request for Information

Further to my acknowledgement of 18 March 2009 we are now in a position to
provide you with a response to your request for information dated 16 March
2009.

In your e-mail of 16 March you asked for the following items of
information, which are followed immediately by our response:

The date on which 121Media/Phorm first registered as a data controller:

Following a search carried out of our current and archive records by
colleagues in our Notification Department, they have confirmed that the
only register entry we have been able to find against the names of Phorm
and 121 Media is the entry you have already identified, ie Z1196938. This
registration was submitted in the name of Phorm UK Inc on 30 January
2008.

The date on which 121Media/Phorm first registered as a data controller
handling information for the purpose of "Advertising Marketing & Public
Relations For Others" concerning "COMMERCIAL CUSTOMERS AND CLIENTS END
USERS":

The date Phorm UK Inc registered the purpose "Advertising, Marketing &
Public Relations for Others concerning commercial customers and clients
and users" was also 30 January 2008.

Copies of all the registration documents supplied to you by 121Media/Phorm
since 1 January 2005:

Please find attached scanned copies of all the registration documents we
have been able to locate which relate to Phorm UK Inc's register entry
Z1196938. These documents include a copy of the original notification
(dated 28 January 2008, and stamped as received on 30 January 2008), a
copy of the payment remittance advice that we received on 20 January 2009
at the time of renewal, and two subsequent versions of the register entry
(1st valid from 30/01/08 to 30/01/09, 2nd valid from 23/01/09 to date).

Two items of information have been redacted from these documents.

The first item is the signature of Stratis Scleparis, Chief Technology
Officer at Phorm and signatory of the Notification Application Form.
Whilst Mr Scleparis' contact details are publicly available (from Phorm's
UK website), his signature is not. This personal data has therefore been
removed in accordance with section 40(2) of the Freedom of Information Act
2000, as we take the view to provide it to you would be unfair to Mr
Scleparis, and as a result would contravene the 1st Data Protection
Principle of the Data Protection Act 1998.

The second item is the name of the member of staff from our Notification
Department who printed out the copy of the Renewal Invoice. The member of
staff concerned is not in a senior or public facing role, and it is our
policy not to disclose names of staff who do not meet these criteria.
Again, this personal information is exempt from disclosure to you under
section 40(2) of the Freedom of Information Act 2000 as we take the view
to provide it to you would contravene the Data Protection Act 1998.

The number of people who were involved in the covert trials of Phorm
Webwise without their knowledge or consent:

We do not have a definitive figure recorded, but we believe that around
15,000 users were involved in the 2006 trial, but we have no recorded
information in relation to the 2007 trial. We are also aware that
information has been published by bloggers on other websites where they
assert that the figure is likely to be much higher based on their analysis
of an allegedly leaked internal BT report (we don't have a copy of this
report, but understand that it can be accessed online).

The date on which the conduct of covert trials was first revealed to the
ICO by BT and/or Phorm:

The ICO first became aware of the trials from news reports towards the end
of March 2008. Our first contact with BT about the trials was on 2 April
2008, and our first discussion with Phorm about the trials was on 6 May
2008.

Any enforcement notices which have therefore been issued as a consequence
of processing personal information without registration, and/or operating
the system without the knowledge or consent of the people profiled?:

No enforcement notices have been served on Phorm by the ICO, therefore
there is no information to provide in response to this part of your
request.

By way of background information on this issue, under section 17 of the
Data Protection Act 1998 data controllers established in the UK are under
a duty to register their processing of personal data with the Information
Commissioner's Office unless an exemption applies. Companies processing
personal data solely on the instruction of data controllers are defined as
data processors and the responsibility for complying with the
Act continues to rest with the data controller who is instructing them.
Whilst Phorm UK Inc are a data controller in their own right regarding
some of the personal data they process it is our understanding that in
respect of the 2006 and 2007 trials they were at all times operating as a
data processor under the instruction of BT. Therefore, to the extent that
any personal data may have been processed by Phorm UK Inc as part of the
trials in 2006 and 2007, BT was the data controller and Phorm UK Inc would
not have been required to notify that particular processing.

I hope that this provides you with the information you require. However,
if you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should write to the Internal Compliance Team at the address below or
e-mail [email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the Case Reception Team, at the address below or visit the "Complaints"
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.

A copy of our review procedure is attached.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

M Veale left an annotation

Hmm. So BT were the data controller for the 06/07 trials.

I wonder if Phorm/121media did the processing outside the UK. I also wonder if they were covered by any 'safe harbour' agreement.

Dear Sir or Madam,

Thank you for your prompt response.

Given BT are considered to be the Data Controller I hope you won't mind if I make a separate request for BT's corresponding registration documents covering the same period.

thanks again,
Yours sincerely,

P. John

P. John left an annotation

This FoI is important for two reasons.

Firstly, in 2006 and 2007 121Media conducted covert trials of their profiling system on tens of thousands of BT customers. 121Media were receiving communication data secretly intercepted by BT, and using that information to construct personal profiles of those customers. 121Media were not registered under the data protection act.

Secondly, prior to 2006, 121Media were using desktop spyware/rootkits to monitor internet users and present advertisements. During this period, by their own admission, they gathered information about millions of internet users. For that purpose, and other uses of personal data, they should also have been registered under the data protection act.

During this period they had a registered business address in London.

Unless exempt, failing to register is a serious criminal offence.

Should they have registered? That question is answered in the response to this FoI.

"Are you exempt from notification but have decided to register voluntarily?"

Phorm answered; "No".

More info see here:
https://nodpi.org/forum/index.php/topic,...

Francis Irving left an annotation

Following instructions from the ICO, I've replaced the attachment in their response.

It is almost entirely the same, but has had a small amount of personal information redacted that shouldn't have been in the original reply (the digital copy of someone's signature, and someone's name).

The filename of the .doc attachment has also changed.

Steve Hankin left an annotation

QUOTE: "We are also aware that
information has been published by bloggers on other websites where they
assert that the figure is likely to be much higher based on their analysis
of an allegedly leaked internal BT report (we don't have a copy of this
report, but understand that it can be accessed online)." UNQUOTE

They don't have a copy of that report? Have they asked for one? When did they ask for it? What is the policy around retention of such reports that they ask for and get? If they did not ask for it, on what basis was the decision not to request sight of a copy made? Who made that decision, when did they do it, who discussed it and what are the minutes of all meetings in connection with this event?

As background: This refers to the internal report which BT did not make public (it was "leaked"). The report covers the subject of the trial of a "deep packet inspection system" to intercept the communication of their customers whom they did not even ask permission of. BT did not tell their customers what they had been doing until it was clear that the activity was in the public domain and was to be covered in the national news on TV.