UK based broadband providers (ISPs) that attempt to abuse their customers personal online privacy, such as by monitoring what websites (URL's) you visit, could find it harder to introduce related systems in the future due to several newly proposed amendments to the government's Regulation of Investigatory Powers Act 2000 (RIPA).

The move is directly related to the previous government's inability to clamp down on Phorm , which controversially worked with broadband ISPs (e.g. BT Webwise) to monitor what websites customers visited for use in targeted advertising campaigns.

BT in particular caused outrage when it emerged that they had run two secret trials of Phorm's technology on customers, without their consent, during 2006 and 2007. At the time many likened the Deep Packet Inspect (DPI) technology used by Phorm to Spyware.

The then Labour government steadfast refused to acknowledge the problem, though the European Commission (EC) has since proven less forgiving and in September 2010 referred the UK to the EU Court of Justice for failing to fully implement its related internet and email privacy rules (here).

As a result the new coalition government, which in fairness only came to power a few months earlier, has thus been forced to take a tougher line. The result is a series of new RIPA proposals today, including one aimed at tightening up the all important issue of "consent".


Due to this ambiguity some ISPs and related UK organisations, including the City of London Police (CLP), believed that those who unwillingly took part in such trials were bizarrely deemed to have given their "implied consent". Under the new proposals that could prove a lot more difficult.


The government is also proposing new sanctions against those deemed to have made an "unlawful" interception, which naturally wouldn't apply to requests by UK security forces. At present there are two options on the table, a criminal or civil sanction, both of which could leverage a maximum fine of up to £10,000.

That's hardly going to put any big companies off. The Information Commissioner's Office (ICO) would also be given new powers to issue such fines, obtain all of the relevant information and send cease notices to those deemed to be in breach. Those affected would of course be able to appeal.


The new rules, which are currently being consulted on until 7th December 2010, could have far reaching implications. TalkTalk recently got itself into hot water (here) for failing to inform both the ICO and subscribers that it was conducting a controversial new security trial on them.

Part of TalkTalk's new service, which the ICO also likened to Phorm, effectively followed customers around the internet and made an anonymous record of the website addresses (URLs) they visited. TalkTalk claims that the system doesn't record any personal data and is thus safe from RIPA.

However website addresses can also contain personal data, such as usernames or other private details; sometimes even the location of the URL on a website can be sensitive (i.e. revealing an admin login page). Countering to the ISP's claim, this kind of information would not ordinarily be visible to the wider public or search engines like Google, although TalkTalk's unique system would have visibility.

The New RIPA Proposal (PDF)
http://www.homeoffice.gov.uk/publications/consultations/ripa-effect-lawful-intercep/ripa-amend-effect-lawful-incep?view=Binary

Elsewhere, in loosely related news, the UK Home Office has released its business plan for 2011-2015 and confirmed that new proposals designed to "End the storage of internet and email records without good reason" will be published in December 2010. However it could take until June 2015 before the full legislation that results is implemented. This relates to the controversial £2bn Interception Modernisation Programme (IMP), which was revived last month (here).