For some months now the campaigners at nodpi who are working to prevent widespread adoption of deep packet inspection such as that implemented by Phorm have been seeking clrification of why the BBC use cookies to send of records of your IP address, your Post Code*, and what parts of their website (e.g. iPlayer videos) you've been viewing off to a third party company in the USA. This third party is Omniture, formerly known as Visual Sciences. The BBC say this is in order to monitor usage of their website. Response is here; the whole thread can be viewed here. Interestingly, such transfer of personal data seems to be legal under EU legislation, as indicated in this quotation from the FOI response Dephormation finally received:
To the extent that the bbc.co.uk homepage is capturing IP addresses and post code data for anonymous statistical reporting purposes, the BBC confirms that the BBC treats both IP addresses and post code data as “personal data” within the meaning of the Data Protection Act 1998, despite the currently uncertain legal position around IP addresses in particular. Given its position, the BBC does not permit the transfer of IP addresses and user post code data to countries outside of the European Economic Area (“EEA”) unless those countries have “adequate data protection standards” and/or there are strong contractual data protection provisions in place with the data processor. It is correct that Omniture is a USA company and therefore operates outside the EEA. However, Omniture do satisfy the European Union's Directive on Data Protection’s requirements by demonstrating “adequate data protection standards” by registering with the US Department of Commerce’s safe harbour framework.
Essentially the BBC have been rumbled, and their sole response has been to update their cookie policy to reflect this. It doesn't look as though they're going to stop tracking users. I wonder how many people actually look at such a thing as a cookie policy?
Who are Omniture? There is a Wikipedia page. Oh, look:
Omniture is a publicly-held online advertising and web analytics company based in Orem, Utah with offices worldwide. Omniture operates the 2o7.net domain name.
and
Omniture bought behavioral targeting company Touch Clarity for $51.5 million.[2] In late 2007 the company acquired web analytics company Visual Sciences, Inc. (formerly WebSideStory) for $394 million, and also purchased Offermatica for $65 million. In October, 2008 they agreed to acquire the Israeli e-commerce search solution provider Mercado for $6.5 million.
Behavioral targeting? Advertising? This is beginning to look odd to me. Is this really just a case of the BBC punting our web browsing habits off to a third party company to sift through for patterns, or is there something more sinister? I do know that the international-facing BBC home page does offer advertising to the viewer that the UK user doesn't see. Is this perhaps part of the deal? Why then do UK web page viewers get their data sent off to Omniture? In an early post to the thread at nodpi.org, Dephormation suggests adding the following lines to your hosts file:
# Suppress BBC behavioural tracking using Omniture
127.0.0.1 visualscience.external.bbc.co.uk
Windows users might find this webpage useful to find out about the hosts file. In my GNU/Linux machines it is in the /etc directory (/etc/hosts). Don't know about Macs.
*It has been suggested that the Post Code is derived from your input to the Weather page. Well there's no clear indication there that they will send that off to Omniture! The link to the cookie policy is in tiny writing at the bottom of the page.
BBC provides this list of cookies and how to block them. I think the cookie relevant to this blog post is the WebSideStory cookie.