UK ISPs to sell users' private browsing information

This shocking post by Mike Scott in RISKS DIGEST deserves the widest possible publicity--and condemnation of the plan.

Three major UK ISPs apparently are in advanced talks with a company called Phorm, intending to let Phorm monitor all unsecured web traffic to and from their users. The expressed intent is to offer an "improved browsing experience" through better targeted web advertising, and anti-phishing protection - thereby "improving" one's internet security. One, BT, has already trialed the system...

Phorm claim the data is summarized and anonymized; regular readers of RISKS will I'm sure be aware that true anonymization is exceedingly difficult--and in fact this scheme would give ready access to identities should anyone take the trouble. Quite apart from being a breach of trust by the ISPs involved, it appears to drive a coach, horses and a whole army through protection offered by assorted UK legislation, including the Data Protection Act, Computer Misuse Act, Regulation of Regulatory Powers Act, etc, etc. It will if nothing else provide a central point for cracking to obtain information about these ISPs' users.

Edited on 4/9/08 to add: Phorm is also seeking deals with US ISPs. For more technical detail on what Phorm is doing and why it is pernicious, see "Phorm's All-seeing Parasite Cookie."