Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm's secret trial of Phorm's advertising technology last summer. Meanwhile William Hague, the Conservatives' shadow foreign secretary, has written to the Department for Business, …
at last some action
POWER TO THE PEOPLE,
questions in parliament, surely something has got to happen now
people, keep emailing the MP to ask how they would like emails to and from constituents being intercepted, and how conversations can be classed as private
Do not want Phorm at all!!!
I won't stay with any ISP that runs Phorm / WebWise, irrespective of whether they offer opt-in *or* opt-out.
Given Phorm's history (as 121Media) I wouldn't trust them not to profile my data even if I *was* opted out. The only way to be sure you're not being spied on by Phorm is to use an ISP that has nothing to do with them.
Politicians acting on our behalf in a clear and obvious way?! What is the world coming to?
opt-in not enough
"when the nationwide Phorm system goes live it is on an opt-in only basis"
It must not be just 'opt-in' as BT will just alter the small print in the T+Cs and opt everyone in that way. Or call it 'webwise advert spam buster' and opt-in people based on that misinformation.
Any 'opt-in' (assuming for the moment the system is legal, any ISP wants to touch it with a barge pole and Phorm isn't bankrupt) must be based on fully informed ('we will know everything you read, including web based email and forums, personal details included') explicit consent.
Tom, whose ISP is Zen, who have said they will never have anything to do with anything like this. Switch from BT now!
Politicians acting on our behalf in a clear and obvious way
@Dave: It's almost as if local elections are just around the corner, innit :-)
Action not words
I just hope all those complaining have written to their MP. I have written to mine. What about you? Get the email address of your MP from
Doodle Paper Anyone ?
I've got some Phorm share certificates if anyone wants them ?
I've already left Virgin. I would encourage everyone else to just sack off any organisation that thinks it can opt its customers into any scheme without their consent.
Written to MP, Tobias Ellwood, asking that he support his colleague fully in pursuing this matter.
Now to check on the share price again.. :)
While it is good that some MPs think this is something to ask questions about, it's hardly the rush to defend constituents that some of us had hoped for. You might have thought that a proposal to wire-tap millions of their voting constituents (so close to an election) might have generated a bit more interest in The House.
<...>The relationship between Internet Service Providers and their customers is based on trust.<...>
Based on what now? To me at least "opt-in" "opt-out" is irrelevant - I don't trust my ISP to honour my choice. They have clearly demonstrated what depths they will sink to for an additional revenue stream.
What I want to see from MPs is a closing of whatever loophole allowed Phorm and the ISPs to get this far.
update required to early day motion
the early day motion needs to add that opted-out traffic is not passed via the profilers as well, not just that it is an opt-in to Webwise
the steam was taken from my sails.
@Tom... I was just about to launch into joyous rapture that the bunch of muppets in the Palace of Westminster in London actually listened to the people in between signing themselves cheques and burying the country, then you reminded me.
I received the "how to vote by post in the upcoming local elections" last week and it all sadly falls into place.
Still power to the people in that phorm at least has 600+ overpaid losers now talking about it...
Written to mine
Used the link on the other page:
I am glad to be moving house soon, I will certainly be moving my ISP (BT) since I don't feel I can trust them not to use this. I really don't think they understand; it's not just about the advertising or Webwise, it is the underhanded interception of your requests, even if you are opted out, that makes me angry about this "technology"
Anyone been watching the Phorm share price? Phuckin Phunny reading
Why not use encryption to connect to an anonymous server in somewhere like Canada? I've managed to shift some data traffic already and I think Phorm/spyware would have a hell of a time getting at my data.
any "big brains" out there who could give us tips on encrypting ALL data traffic?
It may be that...
...the politicians are realising that if, e.g. they or their staff do web-based research on issues raised by their constituents, the subjects that they are browsing will be patternised. Okay, there are assurances that the data is fully anonymised, but again, maybe the MPs are realising that it's a square circle that an anonymous system can provide personalised, sorry, /relevant/ advertising.
Then again, who knows. They may have read the promotional bulls^w literature from Phorm and realised that it is bullshit. Hell, they may be raising issues that their constituents have raised with them, but I haven't seen Satan checking out snow-goggles and skis, so I doubt that's happened.
Who knows, other than the MPs themselves.
I think it's needed
As most ISPs buy bandwidth from BT, with the large increase in internet traffic seen over the last few years they need a better way of making money. This can either be passed directly onto the consumer in increased fees or indirectly with schemes such as Phorm. I think we're going to have to accept one or the other and there will be kicking and screaming with either option! That doesn't mean that it should be underhand though.
Easy to 'investigate' game playing habits but serious stuff like personal intrusion isn't important. Until, that is, the baying hounds affect the share price -- then they start to take notice. Dunno what HM gov. has to do with any of this, seems like the City runs the show.
In grudging defence of the pols
While it doesn't _look_ like a storm, there are plenty of other MPs not mentioned here doing similar things. Mine wrote a letter to Tony McNulty at the home office, asking him to explain what the HO thinks it is doing issuing legal advice, particularly advice that seems to be in conflict with everyone else's interpretation of RIPA, and raising various other issues.
And since there's now an early day motion, other MPs who have correspondence in their in trays will probably get involved as well. I know lots of folk have written to their MPs, MEPs and various Lords.
It could well be that we're only seeing the tip of the iceberg (or the first snowball of the avalanche, if you like). And in any case, just the spectre of having this all dragged through the house (and therefore back into the media again) might be enough for the ISPs to realise, finally, that they've crossed a line.
The fact that they've bothered to take notice _at all_ while they're in the middle of so many other wrangles indicates that they are taking it seriously. This should scare the pants off Kent Spunkbubble and his crew of PR pixies, who keep trying to convince us that only a fringe of paranoid and unreasonable techies give a toss.
The opt-in thing in the motion is a bit of a bummer, but these aren't technical people, and besides, even if it does somehow amazingly turn out to be legal after all, and they go ahead, but only with an 'opt-in', it will be worth zero to them, because no one will want it. Without mass opt-in, Phorm is worthless. Access to millions of users is tied into their core value proposition as a business (let's face it, the profiling tech isn't actually very impressive in itself). The early day motion doesn't go as far as we'd like, for sure, but if it passes, it's still a coffin nail.
Blimey, never thought I'd write anything in defence of politicians! Think I need to go for a lie down now.
Written to my MP as well
Got a response back in less than a week, also showing me a letter he sent to the Secritary (sic!) for the Department for Business, Employment and Regulatory Reform asking why this system was being allowed to go ahead.
Don't think I'll get a reply mind you, but at least they've started something.
"BT's integrity questioned"
No question about it: they have none at all.
Just like every other corporation, or so it seems.
just looked at Phorm, BT and VM share prices, all seem to be heading for the floor over the last month since the unrest started :-)
trouble is, the bright ones will wait till it is really low, then buy BT and VM shares and wait for the announcement they have canned Phorm and make a killing when it rises again (they hope)
is it the peasants revolting or the revolting peasants???? depends which side of the fence you are on
Fact is the UK data prices are over-inflated anyhow. I agree that people need to accept that the stupid low-priced bundles offered by some misguided operators aren't sustainable as a quality service and that they either have to accept lousy speeds and tiny bandwidth allowances, or pay a realistic price. This shouldn't be used as an excuse to allow this parasitic spyware to be spread throughout the communications network in the UK.
It's scary that the honourable member seems to be unaware of either the history of the former spyware operator, or the fact that anti-phishing software is incorporated in many browsers now, and that many of us wouldn't trust a "poacher turned gamekeeper". Phorm gives nothing to the consumer that isn't already out there, but takes a lot in return, most of the details of your web activity in fact. You have to wonder why they chose to start this in the UK, the roots of this spyware are shared between the USA and Russia
...and where were these "saviours of privacy and human rights" when the actual fight was raging? Yes, too busy hoping to sneak the system through so they could benefit from it. Fucking hypocrites.
"A secret test would seriously threaten that relationship and undermine BT’s integrity."
It had none in my eyes, long before this Phorm business came along, and has certainly not covered itself in glory since. All this farce has done is convince me even more to have as little as possible to do with that wretched company.
They have even managed to overtake FastHosts and South West Trains in my 'first against the wall come the revolution, comrade' league table... and that's saying something.
Paris, as even she has more integrity...
RE: oh really...
"and where were these "saviours of privacy and human rights" when the actual fight was raging?"
The fight is _still_ raging. This is far from over.
"Yes, too busy hoping to sneak the system through so they could benefit from it."
Opt-in not enough & Phorm Cookie based opt-in is TOTALLY UNACCEPTABLE!
Opting-in MUST require explicit informed consent, and should be done at the account level, with the account holder required to authenticate themselves first to prove their identity.
Unless an account holder chooses to opt-in none of their traffic should go anywhere near equipment supplied, maintained or specified by Phorm.
The Phorm Cookie based opt-in / opt-out is totally unacceptable.
As it stands, any website could opt a visitor back in without the visitor's knowledge, simply by placing an image tag with the source pointing to the "a.Webwise.net" opt-in URL on their webpage
<img width=1 height=1 src="http://a.webwise.net/services/OO?op=in">
Visiting the webpage would remove the opted-out cookie and create an a.webwise.net cookie with a tracking UID.
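The weakness the comment above describes is a preference endpoint that changes state on a plain GET, so any page that embeds the URL in an image tag flips it. The following is an added example, not code from the post and not Phorm's or BT's software: a minimal handler with that cookie-only design next to an account-level version that needs an authenticated POST from the ISP's own portal origin with a session-bound CSRF token. The endpoint path, the portal hostname `account.isp.example`, the session and account values, and the `Request` class are all constructed for the demonstration.

```python
# Added example (not from the post, not Phorm's or BT's code): a cookie-based
# opt-in/opt-out endpoint that any third-party page can flip with an <img>
# request, beside a hardened version that keeps the preference on the account.
# All names, paths and the session/account values are constructed for the demo.
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed session store: session cookie -> authenticated account.
SESSIONS: Dict[str, str] = {"sess-abc": "customer-42"}

# Per-account preference store (hardened design); default is opted OUT.
PREFS: Dict[str, bool] = {}

# Origin of the ISP's own account portal (assumed hostname).
PORTAL_ORIGIN = "https://account.isp.example"

# Server-side secret used to bind CSRF tokens to a session.
CSRF_KEY = secrets.token_bytes(32)


class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""

    def __init__(self, method: str, path: str, query=None, cookies=None,
                 headers=None, form=None):
        self.method = method
        self.path = path
        self.query = query or {}
        self.cookies = cookies or {}
        self.headers = headers or {}
        self.form = form or {}


def csrf_token(session_id: str) -> str:
    """Token tied to the session via HMAC; a third-party page cannot compute it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_handler(req: Request) -> dict:
    """Cookie-only design: a plain GET rewrites the cookies, regardless of who
    caused the browser to send it. An <img src=".../OO?op=in"> on any page is
    enough, because the browser attaches the site's cookies to the image fetch."""
    if req.path != "/services/OO":
        return {"status": 404}
    if req.query.get("op") == "in":
        # Opt-out marker cleared, tracking id issued.
        return {"status": 200,
                "set_cookie": {"optout": None, "uid": secrets.token_hex(8)}}
    if req.query.get("op") == "out":
        return {"status": 200, "set_cookie": {"optout": "1", "uid": None}}
    return {"status": 400}


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def hardened_handler(req: Request) -> dict:
    """Account-level design: the change needs a POST from an authenticated
    session, sent from the portal's own origin, carrying a session-bound CSRF
    token. The preference lives on the account, not in a cookie the browser
    can be tricked into dropping or overwriting."""
    if req.path != "/services/OO":
        return {"status": 404}
    if req.method != "POST":
        return {"status": 405}            # an <img> fetch is always a GET
    session_id = req.cookies.get("session", "")
    account = SESSIONS.get(session_id)
    if account is None:
        return {"status": 401}            # must be logged in to the portal
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if _origin_of(origin) != PORTAL_ORIGIN:
        return {"status": 403}            # request did not come from our own pages
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(session_id)):
        return {"status": 403}            # token missing or forged
    PREFS[account] = req.form.get("op") == "in"
    return {"status": 200, "account": account, "opted_in": PREFS[account]}


def is_opted_in(account: str) -> bool:
    """Default-deny lookup for the hardened design."""
    return PREFS.get(account, False)


# Constructed cross-site request: what the browser sends when a third-party
# page embeds the opt-in URL in an <img> tag.
CROSS_SITE_IMG_FETCH = Request(
    "GET", "/services/OO", query={"op": "in"},
    cookies={"optout": "1"},
    headers={"Referer": "http://third-party.example/page.html"},
)
```

Run `vulnerable_handler(CROSS_SITE_IMG_FETCH)` and the response clears the opt-out cookie and issues a tracking id; `hardened_handler(CROSS_SITE_IMG_FETCH)` answers 405 before looking at anything else. The three checks in the hardened version are deliberately layered: the method check alone stops image tags, the origin check stops forged forms, and the CSRF token covers browsers that do not send an Origin header.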
This inspired me to write to my MP again
I wrote to my MP (George Young - Conservative) a second time after reading this article. His initial response was pathetic, apparently Phorm seems 'more of a nuisance than a threat' to him, but then again he perhaps didn't fully comprehend what the system does even though I thought I provided some pretty good wiretapping analogies.
Anyway since he's a Tory he might take a bit more notice now William Hague is on board.
You know, there just might be the possibility that Phorm (and anything like it) is never allowed to go ahead, though I suppose the opt-in scenario is more likely - I feel sorry for the sheep who will choose to opt in once they see BT's marketing lies!
best analogy I can think of
best analogy for an MP,
Postman Pat opening their snail mail, reading it and putting additional "relevant adverts" in, then resealing it so they don't know and delivering it to the MP
the first they realise something is wrong is when they open their bank statement and find it full of adverts for another bank
good enough to get their attention???
RE Tim Blair and encryption
Yes it would be possible to defeat the system using something like a VPN or SSL tunnel to another machine living on a non-Phorm-infested network, and preferably in a different country.
There are some people who offer such services but you will have to pay - bit like having another ISP on top of an ISP. It can work well for privacy with relatively little overhead (but it is still there - the overhead).
Of course to do it right you would also direct this at another anonymous proxy that you had paid for by the notes in a (optionally brown [not Gordon]) envelope and not by credit card.
Some of us do such things - not because we are doing anything illegal but simply because we can and it ensures anonymity.
Paris - because she likes belly dancing as well!
Amused to death.
Firstly, we have not launched BT Webwise yet. (Thank god.) We do not have a single customer going through any third party servers. (Ah, so what is Phorm then?) We do expect to begin opt-in technical trials of the BT Webwise service shortly. (Strange comment as your mates said it started 2 weeks ago.) We will be inviting around 10,000 BT broadband customers to take part in the trial. (Invite or force it on them?)
The trial invitation will be presented through a special web page that will appear when those customers start a web browsing session. (Ah yes, a pop-up we all love to get.) At this point, those customers invited can choose YES or NO. (Say no at your peril.) It is possible that you may not get invited. (Aww poor me.) In that case you won't get BT Webwise service. (Crying my eyes out.)
Any roll out plans will be confirmed only after technical trials are completed. (Yeah if you can get around the law first.) Our website www.bt.com/webwise will notify you when the date for technical trials is confirmed. (Oh thank you, will you start spamming me then?)
BT Webwise will always be offered as a fully informed choice. (More pop-ups you mean or spam mail?) Those customers who choose to opt out will not have their browsing information mirrored or profiled. (However we channel all your browsing through Phorm proxy who may have other plans.) No information is gathered, and therefore no information is forwarded to Phorm. (Either that is a change of policy or a direct lie.) Customers who opt out will not come into contact with any Phorm-managed equipment. (Yes that is a change if we can believe you.)
There are 2 ways to opt out of BT Webwise. (But why opt out if I am not opted in?)
1. Visit www.bt.com/webwise and click Switch Off. (Oh that sounds easy enough, switch off and that is the end of the matter.) Note that this will be activated only after the service is launched. (Oh so apart from trials you have already decided to launch the service?) This standard opt out method does depend on a cookie remaining on your machine indicating that you have opted out. (But I have opted out so why plant spyware cookies on my pc when I have clearly stated NO?) If you delete your cookies regularly, you will have to opt-out again each time you start a browsing session. (But I have already said NO to you and this would be called stalking or harassment?)
2. If you delete cookies regularly and want to remain opted out, you can set all your browsers to block cookies from the domain www.webwise.net.
When you block this domain, the service will opt you out permanently. (But this is technically too advanced for me, are BT going to send an IT guy to my house to do this free of charge?)
You can use this option now and will then be opted out of BT Webwise. (Are you sending out this advice to all your customers?)
I hope this email addresses your concerns regarding BT Webwise service. (Emmm! No! You deny the 3rd party proxy server called Phorm and you are asking me to interfere with my pc settings to block your constant pop-ups and you refuse to accept NO as meaning NO.)
Please visit www.bt.com/webwise for up to date information on BT Webwise. (No I am not that interested in Webwise or pop-ups or spyware or tracking cookies and NO means NO.)
BT Webwise Help Desk
The House has no Bollocks
F*ck how BT's secret trials affect their trust relationship with customers. What the House (and the Home Office) should be concentrating on is the FACT that BT committed multiple (possibly millions) of criminal offences under RIPA by carrying out these secret trials in the first place. Every single interception they made in their secret trials (irrespective of what they did with it, whether it was anonymised or not) was a criminal breach of RIPA.
It is now clear that the government is scared of big business, they have no balls and instead of prosecuting the bastards they say "Please don't do it again.".
If I was to intercept an MPs communications how quick would I be slammed up without charge under anti terrorism laws? Don't worry that was a rhetorical question.
The House has no Bollocks!
a small step in the right direction
but I have no faith in EDMs, they are just a talking point for MPs and act really as a barometer to see what other MPs are thinking about.
I'd love to see BT's response to the request though, I wonder if that will ever get made public?
Response from my MP
I wrote to my MP (James Plaskett, Lab, Warwick and Leamington Spa) and received this reply:
"Thank you for your correspondence. I have read your comments carefully and noted your concerns.
I have raised the matter with my ministerial colleagues at the Department for Business, Enterprise and Regulatory Reform on your behalf and will write to you again when I have a reply."
No reply yet, but it's only been a week.
The more people who write to their MPs, the more chance the dots will be joined up and something will get done.
Response from Virgin
After submitting several complaints via VM's online forms, I got this canned and patronising response (by post) from Andrea Hall, a member of the "Customer Concern" team. Either VM are still full-steam ahead on this, or the Customer Concern team is way out of touch with reality. The letter is obviously a cut-n-paste, the original text most likely Phorm-supplied:
"Thank you for your letter received expressing your concerns about the recent speculation linking your Internet usage with 'Open Internet Exchange' and Phorm.
We will soon be working with a company, Phorm, to provide some new online protection and enhancement features for our broadband customers.
Phorm is the company behind an innovative new system called Webwise. Webwise helps give you a safer online experience by helping you avoid scam emails or websites [but not companies like Phorm, ho ho!], as well as making your online experience more relevant through advertising that matches your areas of interest.
Webwise has been designed from the ground up to protect our customers' privacy and anonymity. As the system only learns about topics of interest, it does this anonymously, ensuring their privacy is completely protected.
* Neither the web addresses, nor search terms they use are stored. They are purely matched to an advertising topic and then discarded.
* Webwise doesn't store their internet (IP) address or keep track of their browsing. The system or advertisers won't know who you are or the websites they've visited [Yeah, but pair the unique WW tracking cookie up with cleartext containing your email address and details in web content and you are no longer anonymous to Phorm or your ISP]
* No personally identifiable information such as email addresses, surnames, street addresses, or phone numbers are ever gathered.
* No sensitive or personal financial information, such as credit card numbers, login IDs, passwords or bank account numbers are ever gathered.
To reiterate, you won't be forced to use the system, and you will be given the choice to keep your internet experience exactly as it is now [Although you'll still go through the profiler!]. As we get closer to launch we'll explain how this will work.
Webwise only replaces ads with more relevant ads, customers do not receive any more ads and certainly do not receive popups. <Some text here obscured>
The customer's privacy is totally [ha!] protected, again to reiterate no personal information is collected and what we will track are search terms and URLs visited, this information is not traceable and is not kept or stored, unlike some other ad targeting technologies [Yes, we know you mean Google here, but we have a choice as to whether we decide to use Google or not. No choice with an inline architecture like Phorm] that already exist and utilise customer data. In addition, whole rafts of industry bodies and privacy experts have been engaged with regard to the implementation of 'Webwise' [but you don't say how many of them actually advised against it! Quite a few as far as I've seen].
We will be as transparent and upfront [Ha ha!] with customers as we can; giving them every opportunity of not participating [Ha ha ha!] if that is what they want to do.
We are of course aware there are a number of 'stories' being circulated [El Reg, that includes you, you swines!], a lot of what is being touted is ill informed [Yeah? Sure?].
I hope this reassures over any concerns you may have and clarifies our position regarding this issue.
anyone noticed where http://bt.webwise.com is hosted ??
so much for no data leaving BT's network
bt.webwise.com (at Fasthosts) then redirects you to webwise.bt.com (if I am reading it correctly, a server in HOUSTON???)
does the BT core network extend to both of these sites??
this is where you turn on and off webwise (phorm) and it puts the cookies on
bt.webwise.com = [ 22.214.171.124 ]
(Asked whois.godaddy.com:43 about webwise.com)
Registered through: GoDaddy.com Inc. http://www.godaddy.com
Domain Name: WEBWISE.COM
Domain servers in listed order:
For complete domain details go to:
126.96.36.199 = [ server88-208-248-102.live-servers.net ]
(Asked whois.ripe.net:43 about 188.8.131.52)
inetnum: 184.108.40.206 - 220.127.116.11
descr: UK's largest web hosting company based in Gloucester
webwise.bt.com = [ 18.104.22.168 ]
22.214.171.124 = [ ]
(Asked whois.arin.net:43 about +126.96.36.199)
OrgName: ThePlanet.com Internet Services Inc.
Address: 315 Capitol
Address: Suite 205
it is good for the Post Office profits
"best anology for a MP,
postman pat opening their snail mail,"
NO, the best analogy is to tell them it's like an 'illegal wiretap'......
oh wait, it IS an ILLEGAL WIRE TAP under RIPA, never mind.
still this Phorm business and the many laws it's breaking must be good for the post office's registered post division.
you have sent your Data Protection Act Notice registered letter to forbid your ISP from collecting, processing, storing or exporting your personal data outside the very strict supply and billing.
your DPA Notice to stop processing your personal data for targeted advertising.
your registered letter to your MP outlining the UK copyright law on your keyboard input.
your registered letter to your MEP outlining the EU copyright law on your keyboard input.
"AlexPosted Friday 28th March 2008 19:24 GMT but I have no faith in EDM's they are just a talking point for MP's and act really as barometer to see what other MP's are thinking about.
I'd love to see BT's response to the request though, I wonder if that will ever get made public?"
if the MPs are using web-based email to talk to their BT mates in the executive offices, then BT's/Virgin Media's/etc. Phorm-gifted deep-packet inspection equipment will be able to collect, profile, sort and finally anonymise these emails and sell them to an interested advertiser or other interested party ;)
or do Phorm and their ISPs just intend collecting, processing and finally filtering out these MPs' and high-ranking executives' web emails with any MP's name in them.
perhaps the ISPs (Virgin Media contract for and carry a LOT of govt networks on their core cable network, don't they?) will just set aside special UBRs and plug these special people's wired broadband connections in to those instead and so not need to inPhorm them.
Should we tell them
(The MPs) That when they go to their private doctor all the records he asks for will be read and adverts for Viagra, sex toys etc will flood back.
On a side note, who is paying for the extra bandwidth, because sending data to China/Texas etc is going to slow any connection. I ain't paying extra for adverts I don't want.
I don't get it...
So how exactly will Phorm provide a more relevant browsing experience, aka ads based on your browsing habits, without actually storing your browsing habits in a way which is identifiable within their system? Surely a contradictory statement?
Phorm, akin to your very own personal and yet invisible North Korean minder
it must be a girl thing, a very blond moment in fact.
you do know what “deep-packet inspection equipment” does, don't you?
you do know that your govt needs to get a court order to use its capabilities?
in the case of Phorm’s deep-packet inspection equipment, do you really trust them not to track every single one of your web-based movements?
Phorm's head tech man said they can do exactly this to a US news site, and their commercial patent that describes all the things they intend doing with their DPI kit backed that quote up 100%
do you really want every single thing you do on your broadband line collected, looked at, sorted, the information they're interested in at the time picked out, then anonymised and sent to some interested buyer?
perhaps you don't spend your money buying stuff online and so they can't ever see your payment details, not that they would use them OC, after all, they clearly see every single key press you make in that website, but promise to throw away everything after a set No., right!
perhaps you think Phorm is wonderful, after all, who wouldn't want their own personal electronic guard, it's like your personal minder, seeing everything, and forgetting everything, except what you don't mind them remembering so they can make a few quid, right.
your “Phorm deep-packet inspection equipment” is akin to your very own personal and yet invisible North Korean minder, aren't you just so lucky.
and the PR Phorm machine will be along any minute now, with a revamping of official propaganda, just for you UK and soon US girls and boys, that there's nothing to see here, move along….
It doesn't work because with SSL or tunnels you have to set up a host authentication.
This requires a clean line, you should set up the encryption without a man in the middle attack, otherwise all you are doing is handing a request to phorm and hoping nobody reads or stores the process and passes it on to your remote server.
Otherwise all you are doing is talking to phorm who then read the line and pass it on to your proxy.
Wanted, an addon that watches phorm back:
- IP address belonging to a phorm infected ISP -> visible warning in browser frame. Clicky link to web page explaining this.
- Website serving up phorm ads -> visible warning this website is part of a spyware network. Clicky link as above. Ditto any website that tries to access a phorm cookie.
- The ads themselves -> visibly marked as spyware, clicky link to explain.
- It'd be good to add the sites of companies placing the ads into warning category too.
i.e. The advertisers need to be warned off too. It's their money that's driving this thing.
@peter - Certificates are your friend
A man-in-the-middle attack is what SSL certificates help you guard against. An SSL-based HTTPS connection will throw up warnings if a site's certificate cannot be authenticated using the SSL authority companies' (Verisign etc) public keys embedded in the browser.
However, this would not stop a man-in-the-middle (e.g. ISP, Phorm) interception if they acted as an SSL proxy, forwarding your SSL traffic to the target server and, crucially, presenting your browser with their own valid signed* certificate.
So, to be certain that your SSL connection is unmolested, you need to inspect the SSL certificate each time your browser presents you with a new one** (you can view the cert in most browsers by clicking the padlock icon that appears when you start an HTTPS connection) and make sure that it is a certificate that belongs to the target website you are connecting to, rather than a certificate that belongs to your ISP or Phorm.
* A certificate may be signed by a trustworthy security authority organisation that your web browser knows about (e.g. Verisign etc), or it may be self-signed, in which case it's not worth anything from a security point of view. Your browser will warn you if it doesn't recognise the security authority organisation.
** Firefox (and probably other browsers) can prompt you every time a website requires a certificate, and this is a useful opportunity to inspect the certificate being offered and to check it belongs to the target website, rather than ISP or Phorm (or some other unexpected organisation!). In Firefox, Preferences->Advanced->Encryption->"Ask me every time"
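The two posts above (peter's on SSL tunnels and the reply on certificates) come down to one check: the certificate you are handed must belong to the site you meant to reach, and if an interceptor's CA is trusted by your browser, a name check alone will not tell the two apart. The block below is an added example, not code from either post: it implements the hostname matching a client performs on the certificate dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, then compares the certificate's SHA-256 fingerprint with one pinned earlier on a clean connection. The certificates, their DER bytes, the hostnames and the CA names are constructed stand-ins.

```python
# Added example (not from the post): checks a client can make on the certificate
# it is handed, in the shape Python's ssl.SSLSocket.getpeercert() returns.
# First the name check every browser does, then a pinned fingerprint check,
# which is what catches a proxy certificate that is validly signed for the
# right name but is not the site's own. All certificates here are constructed
# stand-ins (the DER bytes are placeholders, not real ASN.1).
import hashlib
import hmac
from typing import Optional, Tuple


def dns_name_matches(pattern: str, host: str) -> bool:
    """dNSName matching in the spirit of RFC 6125: case-insensitive, a wildcard
    only as the entire left-most label, never spanning a dot, and never for a
    bare top-level suffix such as '*.example'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:          # refuse '*.example' style patterns
        return False
    first, dot, rest = host.partition(".")
    return bool(first) and dot == "." and rest == suffix


def hostname_matches(cert: dict, host: str) -> bool:
    """Consult subjectAltName DNS entries only; the CN fallback is obsolete."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, host) for n in names)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value browsers display as the
    certificate fingerprint and the value you would pin."""
    return hashlib.sha256(der).hexdigest()


def issuer_org(cert: dict) -> str:
    """Pull organizationName out of the issuer RDN sequence (for the message)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "?"


def verify_peer(cert: dict, der: bytes, host: str,
                pinned_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Name check, then optional pin check. A MITM proxy whose CA the client
    trusts passes the first; only the second tells it from the real site."""
    if not hostname_matches(cert, host):
        return False, f"certificate is not valid for {host}"
    if pinned_sha256 is not None and not hmac.compare_digest(
            fingerprint_sha256(der), pinned_sha256):
        return False, (f"valid for {host} but not the pinned certificate "
                       f"(issued by {issuer_org(cert)})")
    return True, "ok"


# --- constructed sample certificates -------------------------------------
SITE_SANS = (("DNS", "www.bank.example"), ("DNS", "bank.example"))

GENUINE_DER = b"constructed-der-bytes-of-the-site-certificate"
GENUINE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": SITE_SANS,
}

# Same names, different key and issuer: what an intercepting proxy presents.
PROXY_DER = b"constructed-der-bytes-of-the-proxy-certificate"
PROXY_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "ISP Interception CA"),),),
    "subjectAltName": SITE_SANS,
}

# The fingerprint noted down on a clean connection, as the post suggests.
PINNED = fingerprint_sha256(GENUINE_DER)
```

On a live connection the dictionary comes from `sock.getpeercert()` and the DER bytes from `sock.getpeercert(binary_form=True)`. `verify_peer(PROXY_CERT, PROXY_DER, "www.bank.example")` passes with no pin, which is the situation the reply above warns about; the same call with `PINNED` fails and names the foreign issuer. The cost of a pin is that it must be refreshed when the site legitimately replaces its certificate, so it suits a handful of sites you care about rather than every site you visit.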
no need to mail your MP, just move immediately to a different ISP
hit the bastards where it hurts - pockets. Move yourself and your granny immediately to a different ISP.
come on Phorm techies, let's have a real tech session if you have the nerve
Phorm techies, would you like to answer the list below (honestly) if you can, without resorting to spin and rubbish
point by point would be good
let me guess, there will be no response as you are too chicken (cluck cluck!!!) to answer with facts
prove me wrong if you can !!!!
Let’s start with what appear to be facts
• Both the profiler and the Phorm server sit in the ISP data centre (this apparently enables the ISP to legitimately claim no data leaves their network)
• The profiler is owned and run by the ISP (while this is correct, what isn’t made clear is that the code running on the profiler is supplied by Phorm and the ISP has no access to the source code, nor can they verify 100% what it is actually doing)
• Parts of the code for WebWise were written by a group of programmers in Russia, allegedly from a team that Kent Ertugrul used to create his “People on Page” spyware several years ago
• Phorm are also in talks with Sky Broadband and Orange to push this product out to yet more users in the UK
• Adverts will appear “in frame” and not as pop ups, so pop up blockers will not stop them
• Part of the weighting as to which advert is displayed is the amount the advertiser is willing to pay; it is in effect an auction of advertising space, which reduces the advertising relevance to which advertiser in a category is willing to pay the most for your screen area. Look at Phorm's website at http://www.phorm.com/oix/ad_networks.php to get the picture
• Phorm Inc. was previously known as 121Media who were allegedly involved in adware / root kits before changing their name to Phorm Inc. and creating WebWise
• The profiler has a list of webmail and other sites not to be profiled, BUT there are no tools to check if your favourite site is on this list or a means for webmasters to submit a site to be excluded from profiling
• Phorm have remote access to both servers, for support and software upgrades (it is unclear if only on invite only or if it is full unrestricted access)
• The code has not been independently verified to ensure it does ONLY what it says on the tin; Phorm are looking at this and will consider independent verification so long as it does not affect their intellectual property (fat chance, and what happens if they change the code straight after ???)
• The Information Commissioner's Office is talking to both Phorm and the ISPs about how WebWise affects privacy and how this is being addressed; a response has not yet been posted
• The Foundation for Information Policy Research has published an open letter (available at http://www.fipr.org/080317icoletter.html) to the Information Commissioner's Office setting out exactly why they believe WebWise and Phorm are open to legal challenge under UK and European law, even down to section and paragraph level of the relevant acts they think it contravenes
Let’s now look at what appear to be grey areas:
• Your PC is reduced to a random number in a cookie to protect privacy.
  o Random numbers, as AOL found out, do not guarantee privacy.
  o Phorm (we have to take their word for it) say the Phorm server cannot recreate the link from the cookie to a user / IP.
  o External websites which have the Phorm placeholder in them can access the cookie, so how long before people start trading this information?
  o By using a cookie they can serve games adverts to your kids and DIY adverts to the adults.
  o If they just used IP addresses they would not get such granular stats, so a cookie is better for their sales of “advertising relevance”, not for the user.
• WebWise / Phorm may be illegal under the Data Protection Act.
• WebWise / Phorm may be illegal under section 1 of RIPA, as it is being argued that it is in effect an illegal wiretap: both parties (the user and the webmaster of the website) need to give permission.
• Anti-virus and anti-spyware companies are considering whether to flag the WebWise cookies for removal. AVG have announced they won’t; Trend have said they are reviewing the option of removing it so long as it does not automatically opt the user in; others have not made public statements yet.
• (From Phorm’s website, ISP FAQ page) http://www.phorm.com/about/faq.php?_faqs=10,11,12,13,14,15,16,17,18,19#isp
  o Q. How does the OIX use ISP data?
  o A. The OIX uses data from ISP pipes to upgrade the generic advertising on websites with more relevant ads. These ads will be viewed by that ISP's subscribers who are most likely to be looking for the advertised product or service based on keyword patterns in their browsing behaviour. (This seems to suggest that Phorm adverts will replace some other advertisers’ adverts as well as sites with Phorm placeholders.)
• How can the ISPs claim to store no identifiable data when the system has to track you to build a database of relevant sites and categories over the last 14 days and then serve you the relevant adverts? You are identified by a unique number, and a cookie can be accessed by a website.
• BT (my ISP) always gives me a vague, carefully worded answer about opted-out traffic not being profiled; they will not give me a direct answer to “will my traffic pass through the profiler, and can they guarantee it is not profiled but no adverts served?” Come on, Phorm or BT, a straight answer please.
• Phorm and the ISPs say the profiler ignores data with an @ sign and strings of numbers over 3 digits long, to prevent email addresses and credit card details accidentally being profiled, but the security code on the back of a credit card is 3 digits long so could be profiled.
And finally, questions for which there seems no answer at the moment:
• Virgin Media’s logo has vanished from the WebWise front page. (Have they had a change of heart due to public opinion??)
• The list of items included in and excluded from profiling seems to change depending on who you talk to at the ISP; a detailed list would be good.
• How does the system distinguish between web browsing and an application such as Word or OpenOffice which has an Internet Explorer agent embedded?
• How often is the Phorm / profiler software updated or patched, and who then checks on what has changed and verifies it still conforms to the relevant laws etc.?
• Do Phorm still profile opted-out traffic but just not serve adverts? This would enable them to harvest information like common search words etc. which they could then sell to advertisers at a premium price.
• Is the traffic between the profiler and the Phorm server encrypted? If it is, even the ISP hosting the system can’t verify (even by packet sniffing) what data is transferred and therefore could not guarantee end user privacy.
• Where is the value add of the WebWise anti-phishing (which is what most ISPs are using to persuade users to opt in)? It is a duplicate of Internet Explorer 7’s service, and is also a function of most if not all internet security packages, so I see no value add (smoke, mirrors and spin to confuse the customer).
• Are the adverts stored on the Phorm server, or does the Phorm server just redirect the user’s browser back out onto the web to pick the advert up from elsewhere?
• If the Phorm server does redirect the browser out to an external website to collect the advert, there is the possibility for an advertiser or Phorm to externally make the connection between IP address, cookie and any other data to identify the user.
• If you block the cookie, are you registered in the statistics as opted out, or just not counted, thereby skewing the stats in Phorm’s favour when it comes to deciding if the trial was successful?
• Why is there no list of OIX customers so we can see the sort of companies we will be getting adverts from? Is it because they are not relevant to the UK market? Are they companies that do not want to be publicly linked to Phorm?
• How are the ISPs going to be paid: a flat rate for allowing the service, number of adverts served, pay per click or a percentage of revenue generated? I realise this may be classed as commercial-in-confidence information, but a general idea without the full commercial details would help.
• Research and debug logs can be held on a “different system” for up to 14 days. What information is in these logs, and on what other server will they be held???
• The data collected cannot be accessed by the ISP, so how can they verify what data has been collected?
• If Phorm do not store personal data about people, why do they have an email@example.com email address and offer to tell you what information they hold about you, with the option to have inaccuracies corrected for a reasonable fee?
One final question, which is probably the most important of them all:
Kent Ertugrul no doubt still has contacts who are on the dark side of the web. The placing of the profiler and Phorm servers directly in the data stream at the ISP’s data centre gives them access to an absolute gold mine of information that all sorts of people would pay millions for. What is to stop a patch being temporarily applied to harvest the wrong information, encrypt it and send it off somewhere into cyberspace?
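The “@ sign and digit runs over 3 digits” rule described in the post above, written out as an added example (not Phorm’s code) so the CVV gap can be seen on constructed checkout fields; the stricter variant is an assumed hardening, not anything Phorm has described:

```python
import re

# Constructed sample of the form fields a profiler sitting in the data stream would see
# on a checkout page. All values are made up; the card number is a common test pattern.
SAMPLE_FIELDS = {
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "expiry": "12/09",
    "cvv": "123",
    "postcode": "SW1A 1AA",
    "product": "garden furniture",
}

AT_SIGN = re.compile(r"@")
LONG_DIGIT_RUN = re.compile(r"\d{4,}")  # "strings of numbers over 3 digits long"


def naive_filter(fields):
    """The rule as the post describes it: drop any value containing an @ sign
    or a run of four or more digits. Everything else is passed on to profiling."""
    return {
        name: value
        for name, value in fields.items()
        if not AT_SIGN.search(value) and not LONG_DIGIT_RUN.search(value)
    }


# Assumed hardening (hypothetical, not Phorm's rule): also drop by field name and by
# the bare 3-4 digit shape of a card security code.
SENSITIVE_FIELD_NAME = re.compile(r"cvv|cvc|cv2|security[_ ]?code|card|expir|pass", re.I)
SHORT_DIGIT_VALUE = re.compile(r"^\s*\d{3,4}\s*$")


def stricter_filter(fields):
    """Apply the naive rule, then additionally drop fields whose name looks
    payment-related or whose value is just a 3- or 4-digit number."""
    kept = {}
    for name, value in naive_filter(fields).items():
        if SENSITIVE_FIELD_NAME.search(name) or SHORT_DIGIT_VALUE.match(value):
            continue
        kept[name] = value
    return kept


if __name__ == "__main__":
    print("naive keeps:   ", sorted(naive_filter(SAMPLE_FIELDS)))
    print("stricter keeps:", sorted(stricter_filter(SAMPLE_FIELDS)))
```

The naive rule strips the email address and the 16-digit card number but lets the 3-digit CVV (and the expiry date) through to profiling, which is exactly the gap the post points out.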
joke alert as the jokers at Phorm have not got the balls to answer honestly
It is well known and admitted by Phorm that Russian programmers are involved with the Phorm creation / setup of WebWise etc. What are the security implications of Phorm's black box sitting in BT exchanges and VM's broadband data stream? Of course the cold war's over - isn't it?
Don't worry, all you MP readers trying to get a handle on this. Phorm's promised us total privacy, and since these programmers are so talented that they can write rootkits that can be difficult to detect by security components, we can be assured they are putting all their coding talents into protecting our country's online private data conversations.
Phorm is a great benefit to consumers
BT have broken the RIPA laws and admitted it. However the government is in favor of spying as long as it's done by responsible large organizations on individuals. This means a small retrospective change will be made to RIPA to allow these beneficial services.
We will need a substantially larger level of outrage to actually get BT prosecuted and put a stop to Phorm. Anything large enough to actually make a difference would most probably be against anti-terror laws. We are ignored to an unbelievable extent. Then we are appeased by some tough sounding but ultimately lame actions. In two years time this will all be forgotten and ISPs will routinely spy on all traffic, by law.
Finally we will hear how a rogue employee of Phorm has been harvesting credit cards and identities. It will always be an individual, not a corporate policy by Phorm. Someone has to be the patsy.
There are ways round this, Tor for instance and encryption. But these will be outlawed and made inconvenient for mainstream websites. They won't be used by the majority of Sheeple.
RE: Certificates are your friend
Sorry, I typed SSL instead of SSH by mistake.
Setting up SSH host authentication for the first time, Phorm can just hand over their keys MITM style. Most people don't check the fingerprint using an out-of-band method like postal mail or SSL pages, and the dedicated server providers don't offer the service. In theory I should record the initial value and check against the server itself.
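An added example, not part of the comment above, of the out-of-band check it describes: compute the OpenSSH-style SHA256 fingerprint of a known_hosts entry and compare it with a value recorded separately. The host name and key bytes are constructed, not a real server's key.

```python
import base64
import hashlib
import hmac
import struct


def ed25519_key_blob(pubkey_bytes: bytes) -> bytes:
    """SSH wire-format public key blob: two length-prefixed strings (RFC 4253)."""
    key_type = b"ssh-ed25519"
    return (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(pubkey_bytes)) + pubkey_bytes)


def known_hosts_line(host: str, pubkey_bytes: bytes) -> str:
    """Build the known_hosts entry a client writes after a first connection."""
    blob_b64 = base64.b64encode(ed25519_key_blob(pubkey_bytes)).decode()
    return f"{host} ssh-ed25519 {blob_b64}"


# Constructed sample: 32 fixed bytes standing in for a server's ed25519 public key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_KNOWN_HOSTS_LINE = known_hosts_line("example.test", SAMPLE_PUBKEY)


def openssh_sha256_fingerprint(line: str) -> str:
    """Same form as `ssh-keygen -lf`: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    _host, _key_type, blob_b64 = line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(line: str, pinned_fingerprint: str) -> bool:
    """Compare the key offered at first connection with a fingerprint recorded
    out of band (e.g. read from the server's console before it went live)."""
    offered = openssh_sha256_fingerprint(line)
    return hmac.compare_digest(offered, pinned_fingerprint)


if __name__ == "__main__":
    fp = openssh_sha256_fingerprint(SAMPLE_KNOWN_HOSTS_LINE)
    print("fingerprint:", fp)
    print("matches pinned value:", verify_host_key(SAMPLE_KNOWN_HOSTS_LINE, fp))
```

If an intermediary substitutes its own key on the first connection, the fingerprint differs from the pinned value and the check fails, which is the protection the trust-on-first-use prompt alone does not give.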
BT's integrity questioned
So GOV.UK wants in on the act? (there'll be no US data-mining without us being in on it)
Isn't it time all computers ran an Onion router?
The MPs are weighing in on Phorm, just to make sure it doesn't create a backlash against Cleanfeed.