|A Cryptome DVD is offered by Cryptome. Donate $25 for a DVD of the Cryptome 11.5-years archives of 43,000 files from June 1996 to January 2008 (~4.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.|
11 March 2008
From: Watkin Simon <Simon.Watkin@homeoffice.gsi.gov.uk> To: "'firstname.lastname@example.org'" <email@example.com> Subject: Targeted Online Advertising Date: Tue, 11 Mar 2008 18:02:53 -0000 > On Behalf Of Nicholas Bohm > Sent: 11 March 2008 4:58 PM > > I now have a copy of a Home Office note dated January 2008. My source > reports that Simon Watkin said that > it could be distributed to whomever the source thought would like to see > it. It is not uninteresting. > > It is, however, in the form of a pdf of a scanned image, and is 1 MB, so > I don't propose to circulate it. If someone would offer to host it > somewhere, and better still host a version converted to text, I'll > provide a copy. It says this: TARGETED ONLINE ADVERTISING: INTERCEPTION OF COMMUNICATIONS OR NOT? IF IT IS, IS IT LAWFUL INTERCEPTION? Targeted online advertising enables ISPs, web publishers and advertisers to target consumers with contextually and behaviourally relevant messages based upon real time analysis of users' browsing behaviour, and done anonymously without reference to any personally identifiable information. Equally it offers ISPs' users an enhanced user experience in terms of the advertising and marketing they may be exposed to. 2. This note offers informal guidance on issues relating to the provision of targeted online advertising services. It should not be taken as a definitive statement or interpretation of the law, which only the courts can give. TARGETED ONLINE ADVERTISING: INTERCEPTION OF COMMUNICATIONS OR NOT? ** Do targeted online advertising services involve the interception of a communication within the meaning of sections 2(2) and 2(8) of the Regulation of Investigatory Powers Act 2000 (RIPA)? ** 3. The meaning and scope of interception of communications is set out in sections 2(2) to 2(8) of RIPA. 4. Section 2(2), RIPA reads: "a person intercepts a communication in the course of its transmission .... if, and only if he ...... so monitors transmissions made by means of the system ...... as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient". 5. Section 2(8), RIPA reads: "... contents of a communications are to be taken to be made available to a person while being transmitted ... [in] any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently." 6. The provision of a service to deliver targeted online advertising will tend to involve a person (an ISP and/or a targeted advertising provider on behalf of an ISP) monitoring transmissions made by means of a relevant telecommunications system so as to make some of the contents of a communication available, while being transmitted, to a person (the ISP and/or the targeted advertising provider) other than the sender or intended recipient of the communication. 7. Targeted online advertising services operate by delivering a cookie, including a unique user identity (UID), to an internet service user's computer which supports the advertising service. The UID is processed automatically in a closed system (which does not associate an IP address with the UID). The system performs an analysis of URLs and key words from web pages which allocates the UID to relevant advertising categories. Once this analysis is completed the URLs and key words are deleted from the system. The system then uses that analysis to match advertisers' criteria and to enable ISPs' users to be targeted with advertising based on their browsing interests (which includes web pages viewed, search terms entered and responses to online advertisements). 8. For the purposes of section 2(2) and (8), "available" is likely to be taken to mean that a person could in practice obtain those contents for examination. Processing of the contents of a communication under human control will be likely to be regarded as having been made "available" to a person and will therefore have been intercepted within the meaning of RIPA. 9. Where the provision of a targeted online advertising service involves the content of a communication passing through a filter for analysis and held for a nominal period before being irretrievably deleted - there is an argument that the content of a communication has not been made available to a person. 10. Where the provision of a targeted online advertising service involves storing and processing the content of a communication in circumstances where it would be **technically possible** for a person to access the content that can be regarded as having been "diverted or recorded so as to be available to a person subsequently". This might include circumstances involving a proxy server analysing the request to view a web page, in the course of it being downloaded, and presenting the user with the web page and targeted advertising content. 11. Where the technology involves the user's browser executing a script to download targeted advertising content to complement a previously or near simultaneous download of a web page, it can be argued that the transmission of a communication ceased at the point the web page reaches the user's browser, that the end user's computer is not part of the telecommunications system and that the communication has not been made available to a person **while being transmitted**. TARGETED ONLINE ADVERTISING: IS IT LAWFUL INTERCEPTION? ** To the extent that targeted online advertising services might involve interception of communications, can they be offered lawfully without an interception warrant in accordance with section 3 of RIPA? ** 12. Section 3, RIPA, where relevant to targeted online advertising, creates two situations in which interception without a warrant may be lawful: section 3(1), interception with consent and section 3(3), interception for purposes connected with the operation of the telecommunications service. 13. Section 3(1), RIPA, provides that: "conduct consisting in the interception of a communications is authorised if the communication is one which, or which that person has reasonable grounds for believing is, **both**: (a) a communication sent by a person who has consented to the interception; **and** (b) a communication the intended recipient of which has so consented." 14. The provision of a targeted online advertising service to an ISP user who has consented to receive the service should be able to satisfy section 3(1)(a). Each service will have its own relevant user agreements. Where consent to receive targeted advertising is included in the user's contract and the user should be alerted to the possibility of opting out of the targeted online advertising service at regular intervals, 3(1)(a) is arguably satisfied. 15. A question may also arise as to whether a targeted online advertising provider has reasonable grounds for believing the host or publisher of a web page consents to the interception for the purposes of section 3(1)(b). It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded. 16. Section 3(3), RIPA, provides that: "(3) Conduct consisting in the interception of a communication is authorised by this section if: (a) it is carried out by or on behalf of a person who provides a ...telecommunications service; and (b) it takes place for purposes connected with the provision or operation of that service ..." 17. The provision of a targeted online advertising service, contracted by an ISP as part of the service to the ISP's users, can probably be regarded as being carried out "on behalf of" the ISP for the purposes of section 3(3)(a). 18. It is arguable that a targeted online advertising service can be "connected with the provision or operation of [the ISP] service". The RIPA explanatory notes for section 3(3) state: "Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient's address is unknown." 19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user's consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking culturally inappropriate material. The provision of targeted online advertising with the user's consent where the user is seeking an enhanced experience and the targeted advertising service provides that. ** Conclusion ** 20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria. 21. Where targeted online advertising is determined and delivered to a user's browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs' user and web page host would make that interception clearly lawful. The ISPs' users' consent can be obtained expressly by acceptance of suitable terms and conditions for the ISP service. The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express consent. 22. Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service. 22. Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services. HOME OFFICE January 2008 ********************************************************************** This email and any files transmitted with it are private and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please return it to the address it came from telling them it is not for you and then delete it from your system. This email message has been swept for computer viruses. ********************************************************************** The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free. Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.