Leaked Report Details Secret Ad Software Trials in UK

A leaked internal report detailing the secret test of a targeted advertising system by British operator BT in 2006 could fuel further complaints that the test violated data protection regulations.

The 52-page report was posted Wednesday on Wikileaks, a Web site that publishes sensitive information such as internal documents from companies.

The report details a trial of the Phorm advertising system, formerly known and referred to in the report as PageSense. The system monitors people's browsing in order to serve ads matched to their searches or Web pages visited.

BT conducted a two-week test in September and October 2006 without informing users. That was already known, since some users who had been targeted for the test noticed something was wrong with their computers and began posting messages on discussion forums.

BT eventually came forward and acknowledged the test but maintained it did not violate data protection regulations that mandate how companies process personal data.

After BT was outed, a storm of complaints came from users and privacy activists, who say the system -- with or without a user's consent -- poses serious threats to privacy.

The leaked report includes interesting details of how BT endorsed evasive means to deploy Phorm so as to not come in conflict with the terms and conditions its subscribers agree to.

Phorm assign a cookie -- a piece of data stored in the browser -- in order to track a user's Internet activity. The cookie contains an anonymous user ID, which is then associated with certain categories, such as "cameras" or "computers," which then determine what ads a person may see on Web pages that use Phorm to serve ads.

Phorm would normally deploy the cookie directly to a user's machine. But the leaked report says that would have violated BT's terms and conditions. Instead, the company Phorm -- which was then known as 121Media -- bought advertising on popular third-party Web sites in the two weeks prior to the trial.

Those Web sites then silently dropped the Phorm cookie onto user's machines without their consent. Most of the 18,000 users never noticed, but between 15 to 20 did, according to the report. Glitches, such as "navigation bar flutter" and "web-page tag insertion" were cited.

BT did appear to see privacy concerns looming on the horizon. Page 14 of the document reads that "any deployment of PageSense [Phorm] will clearly require the user base to be informed."

But the report may give more ammunition to Phorm opponents who have complained to regulatory authorities about the test. At least two users unsuccessfully tried to get the police interested in opening an investigation into whether user data was unlawfully intercepted, said Nicholas Bohm, general counsel for the Foundation for Information Policy Research.

"This report will, I think be used as the basis for further pressure on the regulatory authorities," said Bohm, whose group has lobbied against Phorm. "I doubt whether at the moment the police will alter their view."

Phorm spokesman David Sawday referred questions to BT, which will shortly begin a second trial of Phorm, this time with users' consent. BT did not respond to a query by deadline, but has maintained even the secret test did not improperly handle personal data.

A group of activists are planning on protesting BT's use of Phorm at the company's annual meeting in London on July 16.

Phorm also has agreements to begin trials with two other major ISPs (Internet service providers), Carphone Warehouse and Virgin Media. The Information Commissioner's Office, which handles data privacy regulation, has said it will monitor the trials in relation to data privacy.

In January, the Home Office declared that targeted ad systems with user consent don't violate the law.