BT Escapes Prosecution Over Phorm

BT will not face prosecution over its secret trials of behavioural advertising technology Phorm in 2006 and 2007, the Crown Prosecution Service has announced.

The CPS explained that there was insufficient evidence to begin a prosecution under the Regulation of Investigatory Powers Act (RIPA) 2000, and that it would not be in the public interest to proceed any further.

“We have concluded a prosecution would not be in the public interest,” said Andrew Hadik, reviewing lawyer for CPS London’s Complex Casework Unit, in a statement. “We would only take such a decision if we were satisfied that the broad extent of the criminality had been determined and that we could make a fully informed assessment of the public interest. This is such a case.”

Behavioural ad targeting

Phorm is scanning software that uses cookies to build a profile of users’ habits and interests based on websites they visit, and then assigns relevant ads. When the covert trials came to light in 2008, they led to public outrage and calls for prosecution.

The call to bring BT and Phorm to court was led by privacy campaigner Alexander Hanff who took his complaint to the CPS after the police refused to take up the case.

“I’m very disappointed and I’m going to look at the possibility of a judicial review,” said Hanff, reacting to the announcement. “I don’t see their excuse for not prosecuting is acceptable.”

In its conclusions, the CPS said there was no evidence to suggest either company acted in bad faith. “It could be reasonably argued that any offending was the result of an honest mistake or genuine misunderstanding of the law,” it said, adding that the trials were unlikely to be repeated, and there was no evidence to suggest that those affected by the trial suffered any loss or harm as a result.

European involvement

Although the CPS has dropped the case, the government’s reaction to the Phorm trials prompted the European Commission to launch infringement proceedings against the UK in 2009. According to the EC, the technology contravenes EU ePrivacy and personal data protection rules, which cover the confidentiality of communications, because it intercepts and monitors user actions – in some cases, without the user’s consent.

The controversy highlighted loopholes in UK privacy law, leading the European Commission to threaten to sue the British government for privacy violations. However, on 8 April – the same day the CPS said it would not prosecute – the Home Office published changes to RIPA that will close the loopholes around interception by private companies.

Last month, the Information Commissioner warned businesses and other organisations running websites in the UK that they need to ‘wake up’ to the fact that EU legislation, which will require them to get consent in order to store or access information on consumers’ computers, is coming into force soon.

The new law, which will come into force on 25 May 2011, is an amendment to the EU’s Privacy and Electronic Communications Directive designed to keep pace with the constant evolution of online fraud.