Most of us know we must be cautious about the security of our personal data when using the Web. So, I wasn’t that surprised when Web inventor Sir Tim Berners-Lee recently expressed his concerns about systems that can track a Web user’s activity when using the Internet.
Sir Tim’s words were not merely a general comment on Internet security. Rather, they were targeted at a system developed by a company called Phorm, which allows Internet service providers (ISPs) to track Web activity. The idea is that the information gleaned by this system can be used to bombard Internet users with advertisements that relate to their recent surfing patterns.
The system acquires keywords used by surfers in search engines to identify their interests. Supporters of the Phorm system claim it replaces any user-identifying details with random codes that cannot be traced back to a specific user.
Also, in a recent attempt to allay concerns regarding user privacy, Phorm’s chief executive claimed that the system won’t know your identity or where you have surfed. However, there’s one problem with that statement—just how, then, do they get the Web advertisements to you? One way or another, your data details are in that system.
Sir Tim’s thinking is unequivocal on the subject of privacy. He would not use any ISP that implemented such a tracking system. His point is, and I agree with him, that the surfing history created by Web users is private and should not be accessible to any organization, unless the surfer gives permission.
The commercial conflict here is obvious. Such user data has tremendous financial value, and if the rewards are large enough, companies will push the data-protection laws as far as they can to grab some of the profit.
Here in the United Kingdom, the Regulation of Investigatory Powers Act makes the interception of any transmission across a public telecommunication system illegal without the explicit consent of users. Therefore, ISPs would need the surfer’s consent before snooping into their Internet usage.
Predictably, this has prompted the well-worn opt-in or opt-out arguments. ISPs appear split on this question; to date, only one in the UK has made a clear statement that it will implement an opt-in policy. In my view, this is the correct policy and also a clever decision by the ISP concerned. Not only does it reassure existing and future customers about the security of their data, but it also means the ISP won’t find itself on the wrong side of expensive privacy-infringement legal actions.