Home Office: RIPA should not stop Phorm

Laws against unauthorised wiretaps should not be used to prevent ISPs providing targeted advertising services, provided ISP users consent and the service has the highest respect for the users’ privacy, according to a Home Office memo released to the ukcrypto mailing list. The memo analyses the legality of Phorm and similar services in detail, and concludes with a policy statement that:

The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.

The memo’s legal analysis also provides comfort for Phorm in three key areas:

  • It suggests that there are arguments that Phorm’s service might not constitute an interception under RIPA:

    Where the provision of a targeted online advertising service involves the content of a communication passing through a filter for analysis and held for a nominal period before being irretrievably deleted – there is an argument that the content of a communication has not been made available to a person.

  • It suggests that even if Phorm’s service does constitute an interception, it might still be lawful provided the ISP user consents to it, as the required consent from a web site operator might be inferred from the fact that they’re publishing content on the public Internet:

    A question may also arise as to whether a targeted online advertising provider has reasonable grounds for believing the host or publisher of a web page consents to the interception for the purposes of section 3(1)(b). It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded.

  • It also suggests that ISPs might be able to redefine their service from being “Internet access” to “Internet access with value-added targeted advertising”, and by so doing take advantage of wiretap exemptions originally intended to protect routers and web proxies:

    18. It is arguable that a targeted online advertising service can be “connected with the provision or operation of [the ISP] service”. The RIPA explanatory notes for section 3(3) state: “Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient’s address is unknown.”

    19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user’s consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking culturally inappropriate material. The provision of targeted online advertising with the user’s consent where the user is seeking an enhanced experience and the targeted advertising service provides that.

The middle argument – that a web site operator implicitly consents to having access to their public web site intercepted – has been criticised by Professor Peter Sommer of the London School of Economics, a leading legal expert on RIPA and occasional government advisor.

Professor Sommer argues:

“There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time – which is the communication being intercepted.

[Noting that Phorm would only be feasible if applied to all web sites, not selectively] “I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever.”

Phorm and its ISP partners have stated that they are entirely satisfied with the service’s legality. This week TalkTalk announced that it would only deploy Phorm on an opt-in basis, which would ensure that customers’ consent was fully informed and freely given.

Regardless of the legal debate, it is highly significant that the government has decided that as a matter of public policy RIPA should not stand in the way of Phorm and similar services, provided user consent is obtained through the ISP’s Terms and Conditions of Service. This implies that even if the legal arguments remain contested, ISP prosecution is unlikely and the government might contemplate legislative reform to clarify the legal situation in favour of Phorm and their ISP partners.

Posted by malcolm on Friday, March 14th, 2008 at 12:51 pm.