Re: any legal eagles out there
Will I do?
What Phorm and BT plan to do is interception, and it's an offense under section 1 of RIPA unless both the sender and intended recipient of a communication consent to its being intercepted. In practice this means both the user and the website owner have to consent, and that simply ain't going to happen.
All the "maybe"s in the Home Office guidance have already been discussed to death elsewhere, and a long time ago, with the general conclusion that none of them have any chance at all.
Simon Watkin, who has taken part in many of those same discussions, knows the consensus view well, and I simply can't understand why he'd give out such "maybe" advice - afaik almost no-one else thinks that any of these excuses have any chance whatsoever in Court.
Of course, while Simon is very good at words, and is to some extent good at the laws he's had written - though he didn't write RIPA itself - he's fairly darn clueless about the internet (and cryptography) in general.
I know Simon quite well, so I'm not going to suggest that he may have been bribed - I think he's a straight arrow as far as that might go - but he does seem to have been eating Phorm's PR cookies. :(
To recap: there are three possibilities which might make targeted online advertising, with the targeting being based on observing the target's webtraffic, lawful:
* First "maybe", that it's not interception because no "person" is involved if it's done by machine. That's nonsense, the ISP or Phorm is a "person" as far as the Act goes. In a very similar case, the ICO has said that automated virus scanning is interception (but legal interception under 3(3)). It is also contradictory to s.16. This "maybe" argument is garbage.
* Second "maybe", that it might be lawful interception under 3(3), which says interception is legal if it's done for the purposes of the telecommunications service, i.e. the transmission of communications.
This is how virus scanning is legal - your computer is considered to be part of the system when it is being used to communicate, and protecting it from viruses is necessary in order to ensure the communications get through. There is a similar, but weaker, argument for spam filtering being lawful under 3(3).
However Phorm/BT looking at your webtraffic is not done in order to help transmit your communications, it's done in order to target advertising, so this argument is garbage as well.
* Third "maybe", that it would be lawful interception if both parties consent to the interception - this is correct - but in practice it's almost impossible to get consent from both parties.
Getting consent doesn't mean that someone doesn't object - it means that both parties, the sender and the intended recipient, have actively consented to the interception.
For the user side T+C's won't do it, because the user will often not be the person who agreed to the T+C's, and also because such a term in the T+C's for an ISP service contract is almost certainly not enforceable.
Even getting express consent from individual users, as opposed to the owner of the connection, is problematical - suppose you want to allow a guest to use your account? The guest has not consented. You may well be partly responsible for the subsequent interception.
From the webhost side, getting consent - well, Phorm/BT would have to ask each website publisher. The "implied consent" in Simon's advice is consent to download, not to intercept, and there is no implied consent to download for many web pages anyway.
So, while it's not garbage, this "maybe" just isn't going to work - getting consent is just too hard to do.