* Posts by Simon Davies

5 posts • joined 6 Mar 2008

Information Commissioner: Phorm must be opt-in only

Simon Davies

Re: Phorm Meeting

"Also if it is a public meeting, shouldn't anybody who wants to go be allowed to. Or is this one where the attendee's are selected 'selectively' By Phorm."

It's always a good idea to read the background material before posting.

This meeting is open to all. Just send an email to info@8020thinking.com so we can make sure you have a seat.

And for the record - yet again - this event is being organised by 80/20 Thinking, not Phorm.

Simon Davies

Phorm meeting

As highlighted in the Reg article, please do come along to the public meeting on Phorm next Tuesday (15th April). Details are at www.8020thinking.com/events

You will have a chance to hear Phorm and Richard Clayton going head-to-head, and get involved in the dialogue.

Simon Davies

80/20 Thinking Ltd

Phorm agrees to independent inspection of data pimping code

Simon Davies

Simon's response

Oliver, thank you for your comments. I'll do my best to respond.

As I mentioned to Chris Williams of the Register, we did not initially make the connection between Phorm and People on Page. I checked out the histories of all the Phorm Directors and key staff, but failed to spot the PoP issue. This was complicated by reporting that 121 Media had become a unit of a new holding company (Phorm) - effectively making it a merger, rather than merely a name change, as has recently been claimed http://www.forbes.com/afxnewslimited/feeds/afx/2007/05/04/afx3685378.html

Even so - and again, as I've also told the Register - I'm not entirely sure that we'd have walked away even if we had made the connection between the two. Five years ago we made conscious decision to lay down our guns and engage directly with Microsoft (which was, remember, the evil empire back then). Now, five years later, even Microsoft publicly acknowledges that our carrot and stick approach has been of enormous value in re-positioning the company's approach to privacy.

Interestingly, it was not until a couple of weeks after the Phorm announcement in the press that people became aware of the 121 Media connection. As far as I can see, one of Phorm's competitors tipped off the mainstream press and that's how the wave started to break. It's also where I heard it first.

And yes, I've engaged Phorm over all this. Why should they now be trusted? Well, I'd question whether we should trust "any" organisation dealing with personal data. It's more a case of whether you believe that their business is sustainable the way they originally planned it. Right at the moment the opt-in model appears to be more viable at a number of levels.

As for FIPR, I never saw its complaint as relevant to our scope with Phorm and so didn't advise on their complaint. I can't say one way or the other whether the ISP's would be in breach of RIPA. Much depends on how they move forward from this point.

Simon Davies

Simon Davies

The conflict of interest issue - our response

The record needs to be set out in full regarding the “conflict of interest” claim relating to 80/20 Thinking and Privacy International. I have no objection to public discussion about the matter, as long as the facts are laid out in full, rather than relying on a twisted, abbreviated account.

Will people please read our report to Phorm. Read it in its brief entirety. Once you’ll do, you’ll realise that there are no conflicts whatever. In that report we argue that the system should be opt-in, that there are unresolved questions, that the matter of legal compliance is irrelevant to the issue of intrusion.

For example, from page 10 of our PIA:

"Phorm liaised with the Home Office to assess whether its system could infringe the UK law that regulates communications surveillance. The Home Office concluded that Phorm's system is consistent with the Regulation of Investigatory Powers Act and does not intercept communications. While this conclusion is a fair interpretation of Phorm and the system's capabilities, communications monitoring still takes place. Even if the Home Office's conclusions were appropriate and relevant, it would mean that if an ISP or any government wished to conduct similar monitoring of communications for segmentation purposes, albeit with consent of the user, then they may indeed do so and yet still be compliant with UK law. This could indeed give rise to a worrying situation."

Yes, FIPR has lodged a detailed complaint with the ICO. That complaint dealt with matters outside 80/20s remit. There is no conflict there.

Is there a conflict between our role in PI and our role in 80/20? Absolutely not. See above. My view is on the record at http://news.bbc.co.uk/1/hi/technology/7280791.stm Read beyond the headline.

People have asked: “Why are they doing this?” “Why are they advising the evil empire?” Two reasons. First, we believe that engagement is more constructive than non-engagement unless there is no alternative. As PI we have directly engaged companies such as SWIFT, Microsoft and eBay with positive results for privacy.

Second, the British Public, who apparently SO support PI, donate an average of £130 a year to us. We receive more from citizens of India, even during the height of the ID card battle. I, for one, haven’t drawn a salary from PI for eighteen years. That is not a sustainable situation. Nor is it for my staff. Our supporters believe in an ideal, but some seem to believe we must be willing for us to go to our graves principled but penniless. There is a Thatcherite condition that prevails. Namely, that many supporters will make financial contributions to people like us as long as they have some sort of formalised stake in the enterprise. We never played that game.

What is 80/20 Thinking? Check out www.8020thinking.com and find out the details. Or go straight to http://www.8020thinking.com/ethics.html and you’ll see that in fact this company is very much in the advocacy realm, and is intentionally set up to distribute fifty percent of its profits to NGO civil liberties campaigners in developing countries.

Please allow me the pleasure of a small personal reflection. It seems to me, looking back over nearly two decades as an activist, that people were always willing to hail me – and PI – as heroes and visionaries, on the strict condition that we reflected everything without deviation or hesitation that they personally believed. On CCTV, ID cards, children’s fingerprinting, US relations, police powers, DNA databases, going back further to the crypto wars and even further back in dim history to CLI and the telephone battles of the early 1990s, you were always there for us as long as we agreed with you on every point.

So we disagree on one paragraph, namely, our point that personal information has been removed from the Phorm system “as defined in the UK DPA”. If you want to demonise us for making that observation, then go ahead. At a personal level, I find that level of aggression unnecessary. I understand you are concerned about alleged endorsement, but let me reassure you that if we ever endorsed a product, you’d know about it. The last time we endorsed anything was PGP in the era of Phil Zimmermann.

Simon Davies

ISP data deal with former 'spyware' boss triggers privacy fears

Simon Davies

Phorm - the official Privacy International position

Quite a few comments have been published about claims that Privacy International has "approved" the Phorm technology. As some of these comments are speculative, I'd like to precisely clarify our position.

To begin, Privacy International does not endorse specific products or services. I can't think of a time in 18 years that we've done so, though we have supported certain technologies, particularly those involving secure encryption, anonymisation and user control. However, as a product, Phorm is not among them.

Any claim that PI has "endorsed" Phorm is incorrect. This is not because we don't believe the Phorm technology has some benefits. It does. It's because PI simply doesn't conduct that type of endorsement.

However Gus Hosein (Senior Fellow at PI) and I were asked as part of the new privacy startup 80/20 Thinking Ltd to assess the Phorm technology and processes, and provide a Privacy Impact Assessment. We agreed to do so.

Our conclusions will be published in due course, but the top level summary is that we felt the process contained a number of innovative privacy features. We were impressed with the effort that had been put into minimising the collection of personal information, and were particularly impressed with the idea that such a system could be established without the need for IP's, retention or profile building.

We did notify Phorm of a number of danger areas, particularly the notification and consent conditions applied by its ISP partners, however we felt the Phorm process itself warranted praise at a number of key levels. In comparison to, say, the potential of the Google/Doubleclick process, Phorm deserves credit for attempting to create a stronger privacy and anonymisation focus.

Now, as I've observed in one or two reports such as http://www.newswireless.net/index.cfm/article/3779 this assessment does not provide a get-out from the fundamental questions of "opt-out", intrusion or the general polemic over advertising on subscription ISP services. But then, those questions largely fell outside our brief.

Our work, plain and simple, was to check whether Phorm's claims were valid. We found that to the best of our knowledge they were accurate, and that the process does what it says on the tin.

Simon Davies


Privacy International

Biting the hand that feeds IT © 1998–2019