There is no evidence to suggest that anyone affected by the trial suffered any loss or harm as a result;
Source: Crown Prosecution Service
There are very few tech cases that hit the news in the UK, so its always interesting to look at decisions made by the CPS when the digital world is thrust into the British legal system. The Phorm case is facinating for a number of reasons, but before we look at those, lets remind ourselves of the BBC Click and its Botnet incident.
Apparently if you are the BBC and run a botnet, then there is no crime since no charges were ever placed. The decision disappointed me since it seemed you can get away with “research” and “public interest” defences if you happen to be a larger entity than the average Joe and that, has not gone unnoticed, with comments in tech forums remarking on a disproportionate balance between size of entity and chance of prosecution.
The CPS has now apparently concluded their deliberations into possible charges with respect to Phorm/BT and it transpires that there will be no further action in regards to the incident that occurred in 2006. For those that don’t know, in 2006 BT employed the Phorm service and conducted a test on thousands of its customers, without their consent or knowledge. This led to a public outcry not just by the users themselves, but privacy groups who called for BT/Phorm to be held to account for their actions.
BT can confirm that a small scale technical test of a prototype advertising platform took place for two weeks during September – October 2006. The purpose of the test was to evaluate the functional and technical performance of the platform. It is important for BT to ensure that before any new technologies are deployed, they are robust and fit for purpose. No personally identifiable information was processed, stored or disclosed during this test.
It’s very interesting that we have another “Tech crime” allegation where “public interest” is cited in as either a defense or a justification in part. In the case of BBC Click “public interest” was used to justify the intrusion performed and a banner of “education” was put forward to further support that claim. In the case of the CPS, “public interest” is used to justify inaction. But is it really not in the public interest to prosecute?
To answer that question we have to try to define “public interest”, which despite being a term vaguer than a Microsoft press release, I think we can narrow down to two possibilities in this case. From the outcry of users and the story hitting mainstream press, I certainly think there was interest from the public.
BT bosses have been increasingly concerned about consumer resistance to advertising based on monitoring users’ online behaviour and specifically about the backlash against Phorm.
The Phorm issue goes back to 2006, yet still its widespread knowledge of the sequence of events that led to BT being ousted for its dubious relationship with Phorm. Or does public interest refer to the chances of successful prosecution? and part of the CPS announcement, does mention that:
At present, the available evidence is insufficient to provide a realistic prospect of conviction.
If that is so then by looking closely at the Computer Misuse Act of 1990 (Sec1) I think the facts in this case more than meets the threshold for charge (and that’s without looking at further offenses from Sec(1) of RIPA 2000). I wonder what more evidence the CPS could want? there are thousands of victims, mass press coverage, watchdog outcry and experts explaining the technology. Whilst one could say that the digital crimes are a rather new phenomenon with groups “finding their feet” in a digital world where terms and technology are not fully comprehended, we recently we saw a university graduate jailed for using his iPhone to film a couple of cinema releases and then uploading them to a tracker, for nothing more than personal fame. There seemed to be plenty of “evidence” and “public interest” in that case.
I accept that there has been no fraudulent gain for you and I accept your motivation was for self-glory
Source: Judge Anderson – R v Nimley
So that case was in the public interest? that case had plenty of evidence? I’d love to hear it justified when BT/Phorm don’t seem to get held accountable for the “tech crime” alleged towards them. Maybe if Mr Nimley had been BBCclick pleading research/education or had been British Telecom he wouldn’t even have been charged? – I can accept that this new world of digital crime is a minefield of issues, but really, why does there seem to be a two tier system when it comes to defining “evidence” and/or “public interest”?
In the meantime though, I think we can take one positive from this case, after the press and public outcry, I don’t think Phorm will ever have a future in the UK. I would also hope other countries take note of the technology and we can hope that Phorm or a similar derivative doesn’t pop-up (no pun intended) elsewhere.
If you are new to this blog (or have not yet read it) please take time to view the OpenBytes statement, here.