Re consultation between BT Phorm and the ICO on the webwise technology

I Cooper made this Freedom of Information request to Information Commissioner's Office

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was partially successful.

Dear Sir or Madam,

With regard to the covert trials carried out by BT and 121 Media/Phorm in 2006 and 2007:

- What attempts were made by ICO to obtain evidence/documentation from BT
- What evidence/documentation was requested by ICO, and disclosed by BT
- What evidence/documentation was requested by ICO, and declined by BT
- Which BT staff members were interviewed
- What was the record of those interviews
- What third party technical experts were interviewed
- What was the record of those interviews

I look forward to your detailed reply.

Yours faithfully,
I Cooper

Internal Compliance Team,

Our Reference: FOI/953

Dear Mr Cooper

Request for Information

Thank you for your e-mail dated 11 June 2008.

Your request is being dealt with in accordance with the Freedom of
Information Act 2000. We will respond by 9 July 2008, which is 20
working days from the day after we received your request.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

01625 545894

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Internal Compliance Team,

4 Attachments

Our ref: FOI/953

Dear Mr Cooper

Request for Information

Further to our acknowledgement of 12 June 2008 we are now in a position to
provide you with a response to your request for information dated 11 June
2008.

In your e-mail of 11 June you asked for information "with regard to the
covert trials carried out by BT and 121 Media/Phorm in 2006 and 2007".
The questions that you listed are shown below, followed immediately by our
responses to those questions.

1. What attempts were made by ICO to obtain evidence/documentation from
BT?

The ICO contacted BT by email and in writing to ask for details of the
technical trials in 2006 and 2007. The dates of the ICO's contact with BT
were 3 April 2008 (e-mail), 4 April 2008 (e-mail), 10 April 2008 (e-mail)
and 25 April 2008 (letter).

2. What evidence/documentation was requested by ICO, and disclosed by BT?

Please see the attached correspondence which details the information
requested from BT by the ICO, and the responses we received from BT
(including their letter of 9 May 2008). The e-mails of 3 and 4 April
referred to above are all included within the e-mail string dated 10 April
2008.

You will notice from the attached items that certain information has been
withheld, or redacted. The following points explain what information has
been withheld from you in response to your request of 11 June 2008, and
why:

- The contact details of the individuals we corresponded with at
BT have been removed to protect their identities. This personal
information is exempt from disclosure to you under section 40(2) of the
Freedom of Information Act 2000 as to provide it to you would contravene
the Data Protection Act 1998.

- The personal details of those individuals who have contacted us
to complain about the trials carried out by BT and Phorm have also been
withheld. This too is in reliance on Section 40(2) of the Freedom of
Information Act 2000.

- Some of the information provided to us by BT was done so on the
basis that it was confidential at that time, and remains so. The primary
reason for this is where commercial sensitivities and interests are at
stake, and also in relation to the first complaint we received from a
member of the public (referred to in the two letters that are attached).
This is particularly apparent by the pages attached to BT's letter to the
ICO of 9 May that have been deleted in their entirety, and are marked
'deleted'. Where this is the case this information has been withheld in
reliance on section 41 of the Freedom of Information Act 2000, which
applies to information that has been provided to the public authority in
confidence, and the disclosure of that information to the public by the
public authority holding it would constitute an actionable breach of
confidence.

3. What evidence/documentation was requested by ICO, and rejected by BT?

No requests for information were refused.

4. Which BT staff members were interviewed?

No BT staff members were interviewed. It is not normal for the ICO to
interview individuals in the course of investigating a complaint about the
non criminal provisions of the Privacy and Electronic Communications
Regulations 2003 or Data Protection Act 1998. The ICO has the power to
issue an information notice in the course of investigating a complaint
which specifies the information required and requires the company to
provide it. Failure to comply with an information notice is a criminal
offence. In this instance it was not necessary to serve an information
notice as we received the necessary information from BT in response to our
written enquiries.

5. What was the record of those interviews?

For the reasons stated above no BT staff members were interviewed.

6. What third party technical experts were interviewed?

No third party technical experts were interviewed.

7. What was the record of those interviews?

No record exists as no third party technical experts were interviewed.

You may also be interested to know that the ICO received an enquiry about
the BT/Phorm trials from an MP, and the following is an extract from our
letter to the MP dated 12 May 2008 which explains the position of the ICO
further:

"I have been asked to reply to your letter of 22 April regarding the
small-scale technical trials of Phorm technology that BT admit to having
carried out in September - October 2006 and June 2007.

We understand that what BT describe as two small scale technical tests
were designed to evaluate "the functional and technical performance of a
new advertising platform". BT did not discuss these trials with us
because they were technical in nature. We understand they did take
external legal advice. BT assert that "no personally identifiable
information was processed, stored or disclosed during either trial". We
understand that no adverts at all were served in the 2007 trial. For the
2006 trial BT bought ad slots from an ad network and served static default
ads that dropped a cookie on the browser. With the cookies in place they
allowed anonymous user profiles to build up. BT state that a small number
of customers were randomly selected and assert that because the whole
process was anonymous they have no way of knowing which customers were
part of these tests.

As we understand it though the trials were designed to test certain
aspects of the technology Phorm were intending to deploy at the time (we
understand changes were made as a result of the trials) they did not
involve the full deployment of Phorm's system to deliver adverts based on
profile groups and determined by the nature of the website visited by
individual users. The trials were designed to seek to check whether
deploying Phorm's technology would be likely to have any adverse effects
on BT's provision of internet services to users.

You ask whether these trials were legal under the Data Protection Act 1998
("DPA98") and Privacy & Electronic Communications (EC Directive)
Regulations 2003 ("PECR03") and in particular whether customers should
have been notified before the tests took place. As regards the DPA98 if,
as BT assert and we have no reason to doubt, these tests were completely
anonymous and no personally identifiable information was processed, stored
or disclosed then there is no question of there being a breach of the
DPA98. As for PECR03 the relevant provision is Regulation 7 which
concerns the use of "traffic data" (broadly data used to convey, route or
charge for a communication). This provides that traffic data relating to
a subscriber or user may be processed to provide further services with the
consent of the subscriber or user. There is a question whether the trials
involved the use of traffic data relating (my emphasis) to individuals if
BT could not identify individuals involved in the trial and therefore
could not link particular traffic data used to specific individuals. In
any event we are committed to taking a risk based approach to regulation,
concentrating on potential detriment to individuals. In the case of the
trials, whether or not there was a technical breach of the Regulation,
there is no evidence that the trials generally involved significant
detriment to the individuals involved. It appears that some of the
customers who were part of the 2007 trial experienced some disruption to
their browsing and were advised in good faith by customer service staff
unaware of the trial that this might be due to a virus when in fact it was
apparently an unexpected consequence of the use of the technology
trialled. In the circumstances, where there is no evidence of privacy
risk to individuals, I think BT were justified in not alerting their
customers to the fact that a small number of them might be involved in
anonymous technical tests.

In summary, as regards the trials, on the basis of the explanations
provided to us, we have no grounds for concluding that they involved
breaches of either the DPA98 or PECR 2003 which caused detriment to
individuals. BT did discuss the legal implications of commercially
rolling out targeted advertising services based on user interest profiles
with us in August 2007, particularly how they would obtain consent from
customers.".

Finally, I would also refer you to a press release which we issued on 4
April 2008 titled 'Phorm advertising - ICO statement', as well as a more
detailed piece titled 'Phorm - Webwise and Open Internet Exchange'. Both
documents can be found on our website via the following links:

[1]http://www.ico.gov.uk/upload/documents/p...

[2]http://www.ico.gov.uk/Home/about_us/news...

I hope this provides you with the information you require. However, if
you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Internal Compliance Team
at the address below or e-mail [3][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please write
to the Senior Complaints Resolution Manager, Complaints Resolution Team at
the address below or e-mail [4][email address].

A copy of our review procedure is attached along with details of our
enforcement powers and your rights of appeal.

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

01625 545894

References

Visible links
1. http://www.ico.gov.uk/upload/documents/p...
2. http://www.ico.gov.uk/Home/about_us/news...
3. mailto:[email address]
4. mailto:[email address]
