The Foundation for Information Policy Research (FIPR) has joined the growing list of bodies opposing Phorm's targeted online advertising service, sending a letter to the Information Commissioner's Office to highlight the dangers of the service.
The controversy over Phorm, which has offices in the UK and US, highlights ongoing worries over how the personal data of web users is handled. Tracking technology offers huge advantages for companies trying to reach consumers who will be most receptive to their products, but tracing those users opens a raft of privacy concerns.
Phorm collects data such as a person's browsing history, search terms and other keywords on web pages, and then delivers advertisements that may coincide with a person's interests. That data is immediately discarded, the company says. But Phorm also puts a text file or cookie on a person's hard drive to identity repeat users of a website, although the cookie contains no personally identifiable information.
Phorm says the collected data is assigned a random number that can't be traced to a person. The computer's IP (Internet protocol) address, which can be linked to a person's account with an ISP, is not recorded. Other data such as a person's email address, postal address or phone number are not collected, as the system is designed to ignore data entered on web-based forms.
Yesterday, Tim Berners-Lee slammed ISPs planning to track consumers' browsing history using the technology, telling the BBC his data and web history belonged to him. "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me."
Now the FIPR says the system's monitoring of web traffic may violate the UK's Regulation of Investigatory Powers Act of 2000. The act makes it illegal to monitor communications between two entities without consent. The group also contends that Phorm conflicts with the Data Protection Act, which also says personal data can't be processed without consent.
Since the content of many websites requires registration, Phorm may need the consent of those sites before monitoring the communication, said Nicholas Bohm, FIPR's general counsel.
A further concern is the possible linkage of personal data with a real person. "There's a lot of sensitive personal data washing around of an identifiable kind," Bohm said.
FIPR's letter is intended to contribute to a review under way by the Information Commissioner's Office. A spokeswoman there said Phorm approached it recently to review if its system is in compliance with data protection laws. That review is ongoing, she said.
ISPs BT, Virgin Media and Talk Talk are planning to trial the service. A BT spokesman said around 10,000 users will be targeted this month to try Phorm. Those users will be able to opt out of Phorm if they want to, he said.