About less advertising

Quote from page 4:

"Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads. Of course, the ISPs benefit too from the additional revenue. That's not evil."

And just HOW will that reduce the number of ads ?

We'll still have billions of "regular" untargetted ads on websites.

This means instead of the usual billion, we'll be getting billion+phorm.

Sorry but I'm not sold on this.

Furthermore and as Dave points out, it's not *irrelevant* advertising that upsets people, it's just advertising, simple.

I'm using adblock and noscript and I'm no where near to disabling them.

Thanks for answering El Reg's questions to clear things up guys, but even then I'm not sold.

I don't want advertising, period.

I know what I want to buy, when, where, and at what price.

I have a *very limited* list of trusted sites I'll do business with, and an *excessively large* (read: rest of the world) list of untrusted ones.

Thumb up icon because you guys went open to appease the public.

phorm opt outs

I must have missed the link. can someone point me in the direction of the opt out pages.

Petition at PM Gov UK

I haven't seen this mentioned here - there's a petition at the site http://petitions.pm.gov.uk/ispphorm/ which expresses the problems rather well.

For my own protection...

I'm with Dave on this, I browse what I want to browse, my web browser is set up to block anything I don't want...so therefore anything other than what I tell the browser to go to or what I search through Google, Yahoo etc

Even Ads on El Reg's fine pages, if there is an advert that interests me, I'll make note of it and search for it later. I'm therefore worried that BT, through Phorm, are trying to tell me what I want. They can't even sell me a phoneline/ broadband package without c0cking that up!

The fact I have to opt out is stupid, this service wasn't something I requested and isn't something I want. I might as well take my ad-blocker off and click on every ad that pops up! I am pleased to report, though, that some of my less computer minded friends have been asking me how they can block it, so at least people are starting to show interest in the normal relams!

Honesty?

Even if we assume that the people behind Phorm are honest, not "these slimy people", offering a valuable service, etc then it keeps coming back to a couple of things I just can't see my way past.

If the service is so valuable, why is it not "fully opt in"? If the service is that valuable then people should be convinced enough to be forming queues already and I'm not seeing that happen.

Even if we assume good faith and honesty on the part of Phorm, again, surely the risk from their information gathering is always going to be greater than that from not gathering the data at all. A company that was truly worried about end user privacy wouldn't do anything to increase this risk.

So...

They look at the webpage you visit and the search terms you use but won't know anything personal about you? Is that the logic they're using? Are they serious?

'largely eliminating personally identifiable information' !

'Largely'?! i.e. nearly all, most of, the majority of? That's a long long way from 'All personally indentifiable information.

The point is they're still looking at your data stream!

Paris - because they can't be acting that dumb surely?

Raises still more questions...

Spinfull... But it does actually clarify their position somewhat in terms of interception and opt-out and actually confirms my fears. The bottom line is consent, not whether we trust Phorm, but whether we consent to allow Phorm acces to our data. As a few commentators have pointed out, the DPA seems to give individuals rights to choose not to have our data processed (beyond what's necessary in providing the service). Great question Chris - it's NOT a privacy story per se, it's a question of informed consent and an extremely detailed question about system ownership at the interfaces, what is passed onto systems owned by a third party and whether the opt-out is effective. Another audit please - of the opt-out arrangements! But Chris - where were the questions on interception and RIPA? RIPA possibly requires consent of ALL parties to a transaction. Also the claim not to read form data still means one side of a transaction could be read because e.g. Facebook prints a message thread in clear. But as I said, the most worrying part is the fact that data is passing to a third party. We may trust Phorm, but once the precedent is set and rival companies enter the market, where do you draw the line? What safeguards are in place to make sure the people working on the software aren't up to mischeif? Malicious back doors, simple coding errors or unauthorised features beyond the scope of the consent. I DON'T LIKE IT AT ALL.

I call bullshit!

"Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads."

The way I understand it a site like the Guardian Online sticks one or more Phorm powered ad-spaces on a page, the ad in that ad-space is served from Phorm's servers. If you have the Phorm cookie you are served a 'tailored' ad in that ad space. If not you (I'd assume) get an ad tailored to the site rather than the user in that ad-space.

So how are we going to get bombarded by more ads if we turn the Phorm cookie off? Can the site in question sense the cookie is not there, re-format the page (or and serve more ads in more ad-spaces if you are not?

The only obvious way I can see this happening is if Phorm actively try to make the non-submissive user's experience 'crappy' by, for example, launching a whole load of pop-ups from code in the Phorm-driven ad-spaces trying to sell you any old crap (which can be quite lucrative in itself) along with the odd popup saying "this wouldn't happen if you did what you were told and enabled that cookie".

So that statement is either FUD or a protection-racket style threat, either way it's not a good indicator of a trustworthy company.

In any case I simply don't care how trustworthy Phorm SAY they are. I simply do not want anyone monitoring my browsing and would not sign-up for an ISP that allowed it. I would seriously consider boycotting sites that took advantage of such a system too. At least you can block/refuse doubleclick cookies - with this you have no choice; Phorm get to see all your browsing whether you like it or not - you just have to trust them not to abuse it and I'm damned if I will trust a company that does not offer a *complete* opt-out of such a system where no monitoring at all occurs if you opt-out.

On a final note..

"Our [non-executive] chairman is the former chairman of Microsoft UK [David Dornan]. There's nothing shady"

Ah, that's OK then because Microsoft are a paragon of transparent, open and fair business practices?

Legality?

Chalk up another user who ignores advertising. Even when it gets past Adblock, which is rare, I mentally edit it out. I will never buy things from adverts in the same way I will never buy anything from people who cold call me. I want something, I'll look for it or ask someone to recommend somewhere to get it. Personal recommendation and reputation have vastly more weight than an online ad, targeted or otherwise.

The one thing I wanted to see in this interview, which there was a conspicuous lack of, was the legal standing of the process. First off, they do not have my permission to intercept my internet traffic (RIPA). Secondly, despite what they say, they *will* be processing personally identifiable data. Even if they throw it away as they claim, they still have to process it in order to decide what to throw away and thus fall foul of the DPA since they do not have my permission to process my personal data.

Any lawyers want to comment/find fault with my interpretation?

DO NOT WANT!

1) opt-out via cookie is unacceptable. Some devices/programs I use that access port 80 don't have the ability to store cookies.

2) Even when opted-out, your browsing is mirrored to the profiler. This causes 2 problems in my eyes: (i) what's the point of an opt-out in the fist place? (I use Ad blocking plugins) and (ii) at the very least it's a transparent proxy, and that brings up a whole new set of problems we've only just got rid of.

I don't want it, don't need it and will take my ISP to court over section 11 of the DPA if it's implemented on my connection. I have sent that in writing via registered post to the data controller of my ISP.

I'm Reassured

"When you actually poll people and you say to them "what are the things that irritate you most about the internet?" they'll say two things: being bombarded with the amount of irrelevant advertising, and online dangers."

Being bombarded by Irrelevant advertising, now phorm want to do that with targeted ads?

"Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads. Of course, the ISPs benefit too from the additional revenue. That's not evil."

This seems like some kind of threat, I wonder if they are working on a secret system to inject crappy ads to all those who opt out?

I know this all sounds too paranoid but I go to great lengths to protect my privacy, blocking ads, blocking scripts and using my hosts file. I really do not want my habits monitored that closley. I would "Opt out" of my ISP (BT) but they recently offered me a promotion to reduce my monthly fee if i signed up for 12 months longer, no mention of Phorm in all this................

Call me paranoid but if I want to search for something I'll do just that, I dont need someone telling me what they think I want to see.

In or out -- does it make a difference?

"What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us."

So, does that mean that the data is collected anyway - whether you opt out or not and somehow the data fairies don't look at it, just turn the other way?

It sounds like they've set things up and are trying to say that they don't control it?

As the man says - it's all about money from advertising, the holy grail of lazy bastards who would pimp their grannies if the revenue stream was right.

MY data belongs to ME, my ISP has no right to sell it!

Royal Mail are not allowed to open my mail, analyse the contents and sell their conclusions; it's MY MAIL!

My telecom provider is not allowed to tap my phone-line, monitor my conversations and sell their conclusions; it's MY CONVERSATION!

My ISP should never be allowed to intercept my data, analyse the information and sell their conclusions; it's MY DATA!

These companies are paid for their services, to transport/transfer information on my behalf. The information itself BELONGS TO ME.

Flaw in the logic

The more links you have in a chain, the more attack vectors there are - this is one of the most simple things to comprehend, and Phorm's "team" seem unaware of it. Looking at it as simplistically as possible, you've now got 2 environments that your data flows through instead of 1 (phorm + ISP routing, rather than just the ISP's routing). Simple statistics means that this is less secure (attack chance(ISP) + attack chance(Phorm) CANNOT be less than attack chance(ISP)). They're either so stupid they can't understand this, or they're intentionally misinforming people - I'm not sure which of those possibilities worries me more.

We've also got the phorm environment in all ISPs (instead of the ISPs having different setups) which means the attack vector is now a standard one instead of ISP specific. Yes, it's a subtle distinction, but it's an important one. Someone finding a vuln in Phorm (especially if it's client side) could subvert every single ISP that is using it, rather than just the one.

They've happily admitted the data is flowing through their systems regardless of opt in / opt out... Which is so dodgy it's not true... If someone hacks phorm then even if you're opted out, your data is made available to them.

Lets put that last one into "real terms". If I send an email to my mother (EVEN if I've opted out) saying that I'm going to be away from home for a week, and asking her to feed the cats - this has gone through phorm. If I also place an ocado order, then my address has gone through phorm as well. Most webmail systems use https only for sign in, and ocado only uses https for sign in & payment - the rest goes through in clear text. Therefore my ISP has just given (without my permission) my address and my holiday plans to some random person that now knows when to raid my house. Thanks, ISP/Phorm, my insurance claim will be sent to you shortly.

This is layer 7 redirection, make no mistake, they get everything.

You only have Phorm's word that they discard personal info, the layer 7 redirection gives them everything.

If they discard it today, who's to say they don't change their minds down the road.

What happens when their kit is hacked and all the nice data is piped into a private IRC channel?

This is interception of everything that goes down your ADSL/Cable line. Only appears to be HTTP today, what about SMTP, all your personal correspondence and files transmitted as 7 or 8bit encoded text, just waiting to be parsed for what they call key words!

The Google diversion has some credence, but you have to visit them *directly* (or via a toolbar; you didn't install that did you...), type the words in the box and press a button.

Nothing to steal

They seem very relaxed about their security since they have nothing worth stealing, I take it they did not consider the possibility someone might use their wonderfull new spyware , er i mean adware system to spread malware to users ?

But then.. I guess thats what its designed for anyway.

RE: It's not your data

Too right. I could make a great deal of money with other peoples credit card details - sure as hell doesn't make it right to sell that information to me, or for me to make use of it.

Something missing

There is something missing from that explanation.

If the channel selection is based on the data digest which is then discarded, its not much of a targeting system. The ads are effectively page specific. However, the design seems more able to build a profile from all the pages visited by a specific cookie, then whatever pages you're visiting you will get targetted ads. E.g. if you spend half and hour looking at "fast car" web sites and then check the weather. Are you going to get ads for umbrellas or cars? Then first thing the next morning when you check the guardian headlines (suicide bombs in palestine, iraq and afghanistan) are you going to get insurance ads or car ads?

They should tell us what is stored in the cookie.

re, the reduced ad thing. Sounds like marketing speak. If successful their system will be charging advertisers more per ad, since advertisers are getting fewer ads for their money, fewer ads will end up being displayed on sites affiliated with this system. Other websites affiliated with other ad networks will get more ads for the same money, so more ads for you. Question deflected without reference to absolute numbers of ads or how they will cope with an influx of advertisers if their system is succesful.

Government spying by proxy

Sorry to be so tinfoil-hat mode, but that's where we are with this. It doesn't matter how Phorm claim to anonymise the data, or where they store it, or what T&C and privacy policy they have, some Government organisation (US or UK) or large corporation will simply subpoena them for their logs.

First - "tell us which IP addresses accessed this paedophilia site"

Then - "tell us which IP addresses accessed this terror site"

And then finally, the real point of this..."tell us which IP addresses accessed mininova,com/thepiratebay.com"

I bet the RIAA can't wait!

DO NOT WANT

In negotiations currently with BT Retail to move away from their broadband network, this is not what I signed up for on the T&C's and the fact that they ran it without my consent is a disgusting abuse of their position of responsibility & trust. I am strongly considering legal action. (BT have stated to me that they have to revise their T&C's on the launch of Phorm's service)

It will be interesting to see if this ISP based Adware (since when was Adware ever a good thing?) takes off, I am more than happily sit with an ISP which allows the website or the websites chosen provider to deliver the adverts rather than allow my ISP to decide a portion of my online viewing.

again for the record: DO NOT WANT

No, No, No!

Like several others her, I use AdBlock and NoScript to virtually eliminate ads from all the web pages I visit. The 30-second skip button is the most worn button on my TiVo remote. As far as I am concerned there is no such thing as a relevant ad. IMHO the Internet actually makes advertising unnecessary. If I want to buy something, I can research it easily, so why bother looking at ads?

I agree with the other commenters, the ISPs and Phorm are seeking to make money out of information that they have no right to use. Otherss have articulated the arguments why so thee is no need to repeat them.

I suspect that the only way to stop this is by legislation making it illegal to sell personal information, even when anonymised. This has to apply to Government agencies as well, eg.g DVLA. This way we can kill off the whole junk paper mail/junk calls business in one go.

Tinternet is not free

I pay numerous businesses for the computer parts required to build and update my PCs. I pay my 'leccie bill to power the systems. I pay BT for a phone line JUST so I can have broadband (I use a mobile for all telephone calls). I pay my ISP for the broadband connection.

I PAY for MY stream of data, I pay for its delivery and subsequent storage - it's MINE, Aaaaaalllllll miiiiiiine (cue (wo)maniacal laughter).

I do not want to see adverts at all. I hate popups, I hate rollups, I hate scrollovers. I don't give a flying fig if they are targetted or not. I am trying to read what is on the page and I NEVER click the link - for that way phishing tales lie. I used to...

I used to leave long flaming emails on the "contact us" links regarding the fact that I actively avoid all companies and products that I see being heavily advertised, but naturally, to no avail. It's a bit like a Chinese meal though - very satisfying at the time but 10 minutes later you want to do it all over again.

What we have is a subconscious encouragment to perform the most dangerous Tinternet practice known to hu(wo)mankind - the act of trusting spurious claims and clicking on unknown links.

Icon - because I'd trust her with my nads before I'd trust 121media with a picture of them.

CW for Prez

"It's important to understand the distinction between actually recording stuff and concluding stuff ..."

So if I sneak into your room behind your back and read your diary, that's not an invasion of privacy -- unless I xerox it ?

WTF ??? (ergo the Stop Sign)

_______________________________________

Good Job on this story Chris & El Reg !

Time for a peer-to-peer HTTP?

We've enough problems with the government spying on everything we do without this bunch of clowns adding to our paranoia.

Maybe it's time for an encrypted peer-to-peer HTTP protocol to be developed. At least that way the marketards (and governments) won't be able to use the data.

The good thing about HTTP is it's simple to block advertising and other crap. We need a campaign to educate the vast numbers of oiks into turning off all these adverts. Still, all the time they're running IE adverts are the least of their worries.

Paris as it can only be someone like her who could dream up such a scheme.

And the less scrupulous websites?

If I understand this, Phorm and the ISP claim they they aren't compromising personal data because they don't keep it. Instead they store it in a cookie on your browser, so you're keeping it.

So what's to stop some less scrupulous websites from tracking your IP address, etc. and the contents of your Phorm cookie, and using the data Phorm collect to build up a profile of you that *does* identify you?

I like the post office analogy. This is just like employing someone in the sorting office to open every letter, read the contents to see what you're talking about, and pop in a couple of advertising flyers that 'might be of interest' before reasealing the envelope and sending it on. Personal data may only reside in memory and never be stored, but how many people would tolerate it anyway? Doesn't interfering with the Royal Mail still carry a length jail sentence? What a pity BT aren't still "part of the Post Office'...

Hang on, not even in doubt, clearly illegal without consent.

So all our data is mirrored to the profiler - it is this data stream that is the security risk. It doesn't matter whether the profiler is operated by the ISP, or Phorm, or somebody else, that is OUR browsing data being streamed off elsewhere, and we have no means of preventing it, or auditing what is done to it, or by whom. This cannot be legal, this is a simple wiretap. All the stuff about advertising streams, targeting and non-storage is an irrelevant smokescreen in this context. Interestingly I would consider it to be the ISP that would be breaking the law here, not Phorm. Unless of course they obtain our consent, back to the opt-out v opt-in argument.

Great interview BTW, looks to me like they are desperately trying to hold their business model together in the face of mounting opposition. And as you say, just wait until the US public wakes up to this...

Alarm bells...

Full webpage data *apparently is* stored, despite the denials above.

From last night's Webwise chat with Kent:

[Archived here: http://www.badphorm.co.uk/page.php?10]

"MBurgess: Pages are not tagged (or modified), and the keyword analysis process is offline so it can't affect response times.

narcosis: If the keyword analysis process is offline then in order to scan for keywords would you not have to have a copy of webpage in order to analyze it offline ?

MBurgess: Yes, a mirrored copy is analyzed."

How long is the mirrored copy kept? How is it deleted? This isn't just headers - this is a full grab of all web traffic *before* it's profiled and categorised.

I don't trust Phorm. Why should I?

I pay my ISP. If they want to sell MY data they can contact me to try to work out a deal. However the picture is a giveaway. It is obviously the evil Catbert who is controlling Kent Ertergrul.

Paris whose ideas are much more sensible than Phorm's.

ISPs haven't been in touch because...

Phorm are the scapegoats. Yes we'll sign a deal with you but you're out there on your own to win over the great unwashed pizza-munching technorati masses.

Maybe this raises serious questions about what ISPs are already upto?:

http://www.techdirt.com/articles/20070313/213014.shtml

At least the less-informed press have got their headlines right, if not a slight comical factual error about Simon Davies (for the followers of yesterdays Biased Breaking C_ news)

BT selling customers' browsing histories

http://www.pcpro.co.uk/news/175317/bt-selling-browsing-histories.html

(And google news have picked it up - great!)

Comparing Phorm with phone tapping

Could it be possible for your phone provider to listen in to your conversations and record the use of certain key words, so that when you hang up, a third party that sells something that you mentioned would automatically be connected? Could this be spun as a service by the telco if they promised you would never recieve any other cold calls?

Would it be legal? If so, can I patent it? If not, why are ISPs & Phorm allowed to do effectively the same thing?

Still intercepting the data...

So lets say that we trust them when they say they don't store personal information, which as stated above is still dubious with the 'largely eliminating personally identifiable information' reference, the fact is they are still intercepting your traffic, even if you opt out.

I am sure that someone has posted a snippet from RIPA that says that at least one party needs to agree for the traffic to be intercepted (it's in the comments somewhere). If you opt out and they still intercept the traffic surely that is against the users consent and in contracvention of RIPA? The fact that they say they are not processing that information is irrelevant?