Privacy activists have urged top web firms to ensure they tell Phorm not to monitor communications with their users, ahead of BT's proposed deployment of its interception and profiling system. In an open letter to privacy officers at Amazon, AOL, eBay, Facebook, Google, Microsoft and Yahoo!, campaigners claim the system, which …
Phorm = Lying Bastards
Here's what they say for web site owners to preclude their web site traffic from being intercepted. They basically say you have to (1) encrypt your traffic, (2) require all visitors to log in via RFC 1945, or (3) use a robots.txt file to block *ALL* web crawlers. In other words, they are claiming the only way to transparently protect your visitors from their criminal behavior is to block *ALL* search engines of any kind from crawling & indexing your site.
I have requested they exclude my domain
Only had an automated reply so far
Is the opt-out global?
Will opting out of BT webwise also opt the site out of Korea-Telecom webwise?
"36. To avoid processing non-web traffic, the Phorm system has a "whitelist" of "User-Agent" identification strings, the type and version text that browsers place into their requests. If an HTTP request does not appear to have been generated by a "well-known" browser, then the request will be ignored."
So we all change our User-Agents to a random string (may I suggest something along the likes of 'PHUCKYOUPHORM') and tracking is ignored.
Quote:"Many of them have, like Phorm, demonstrated their commitment to user privacy as signatories to the IAB UK’s interest based advertising good practice principles."
Didn't Alexander Hanff shoot those guidelines full of holes by showing how the guidelines were less restrictive than current UK and EU law?
If I was Google, I'd be demanding Phorm for a share of the profits. Let's face it, Google gets a lot of traffic and now BT/Phorm are profiting from that. Google can either explicitly deny Phorm the right to profile searches, or it can demand a profit, which of course a struggling company like Phorm can't really afford to share. Either way, Phorm would be scuppered if Google played hardball. In fact, if Phorm goes live, wouldn't this mean that Phorm and Google are now in competition? I'm putting my money on Google.
@ AC 14.22
I disagree with Phorm as much as the next man (it's very much the thin end of the proverbial insidious wedge), but learn to read!
Below the bit that you quote:
"Alternatively, you may request specifically that your website is not scanned by Webwise. To request that your website not be scanned by Webwise, please email:
This I believe is the 'opt-out' clause referred to in the letter/article.
Surely there is a nice and easy way to get this done?
1) El Reg and everyone else encourages every site owner to send a mail to them at firstname.lastname@example.org as per their instructions (as I just did)
2) Programme dead in the water
I foresee a number of comments on this story.
Stop. Do not write your comment.
Open your favourite word processing package and write to your MP. Ranting on the comment section of an IT website achieves NOTHING.
Opt In is the only legal solution
Opt in for users.
Opt in for web sites.
Anything else was, and still is, simply illegal.
The people who broke the law in 2006, 2007 and even 2008 must be prosecuted.
I've asked for exclusion of my site
My puny little site has nothing of any commercial interest, but if we all write to ask for exclusion then they will have to spend time dealing with the requests.
The advice on the webpage cited is essentially to put "Agent * Disallow /" in your robots.txt, in other words to opt out of being indexed by Google, and thereby to lose all of your customers. Thank you, very helpful.
You have to email email@example.com to get excluded. There is no form or other kind of automation, so some poor sod is going to have to read through all of the messages. That is, unless they ignore them.
The advice in the autoreply from this email is that your contact details have to be up to date with "whois", whereas individuals registering .uk domain names can opt out of having these on the public pages. Another attempt to bully people into surrendering their privacy.
Do not ask to have your site excluded
By people asking for their site to be excluded you are adding validity to Phorm's model, do not opt out.
If you are a big company wait until they are live then proceed with copyright complaints etc.
The one with a pocket full of fake UID's
<insert title here>
I would like to congratulate El Reg for their continued coverage of the Russian spyware company. It's always good being able to keep tabs on your enemies' activities.
Even looks like they are serious about it working to opt-out.
Publisher Exclusion Request Autoreply
Thank you for your submission to the Phorm website exclusion list. If there are no obvious grounds to doubt the legitimacy of the request the URL will be blocked as soon as possible, usually within 48 hours.
Requests must be made by the legitimate owner of the domain. If we have questions regarding your domain Phorm may take a number of steps, including attempting to contact the domain administrator by email for confirmation of this request. If the request remains questionable and is not confirmed within 10 days, the URL will be removed from the exclusion list and an email will be sent informing you of this decision.
Where applicable, please ensure that the Administrative Contact details for this domain are up to date. If you need to update them, please resubmit your request when the amended details are visible in the WhoIs database - (use a public whois service such as http://who.godaddy.com/whoischeck.aspx if you are unsure it has been updated)
Most intelligent answer ...
... would be to insist it be OPT-IN not opt out, and to require both the WEBSITE owner and the END USER to have actively and knowingly opted in before a third party can make use of the data in any way.
Opt-out is absolutely *NOT* an option, nor is any form of opt-in that can happen by accident.
And above all, any government official, BT or phorm employee who fails to understand and agree with the above must be deemed to have OPTED OUT of their JOB due to complete and utter incompetence.
If the list of companies mentioned opt out, won't that make Phorm's data largely useless?
apples and oranges
The only network you use all the time is that of your ISP so I don't see the point of comparing BT with Korea-Network. Besides, your ISP can associate your IP address with your name while another ISP can't.
These companies could SSL all connections to their sites by default.
Re:Is the opt-out global?
No, it is not.
AFAIK, you have to opt-out of each Phorm implementer's 'service' individually.
Which is why the web-site opt-out idea is generally impractical as, for each potential visitor to your site, you have to check if their ISP is 'Phormed' and ensure *your site* has opted out.
I believe there are ways to detect Phormed visitors to your site. If they can be shown to work reliably then I favour a (polite) message to the Phormed visitor asking *them* to opt-out of Phorm/webwise and blocking access to commercially sensitive areas of your site (ie, anywhere they can browse your goods while Phorm can see what they are looking at) until they do so.
Pirate, 'cos Kent is trying to steal your customers.
I still don't understand...
(Well I do really) how Phorm can keep defending their model by stating that it is similar to Google's. Yes, maybe - but at a stratospheric level only.
The next "town hall" meeting will be very interesting. Trust El Reg will be there to report on proceedings? Does anyone have an agenda for this?
@ Andy .S
No the point is, is this website opt-out global or will the Korean trialists still phorm your website if they visit.
Go to www.nodpi.org for more info.
Do it dynamically
There are 2 main ways to opt out of Phorm:
- Email them, as described above, and hope that they honour your request.
- Use a robots.txt to exclude them, and hope that they honour that request.
Their suggested method to block via robots.txt will also block all other search engines, but you can implement a simple system to just block Phorm if you have dynamic scripting such as PHP available to you. See http://phormcheck.co.uk/website-tools/#robots for an example method.
Of course, if you do request opt-out via email then you're being supportive of their use of opt-out rather than opt-in. Using robots.txt is less so, but still not ideal.
But in a country whose government refuses to defend you against the privacy pirates, you've got to do whatever you can to protect yourself.
No this is wrong..
By using the method proposed by BT and Phorm you are legitimizing their position that 'Anyone can opt out'. This is wrong; the only option for this system to be legal is for users and websites to OPT IN.
If sites are asked to do this all it will do is give Phorm the ammunition to say 'look how easy it is to opt out, what is the problem?'. The problem is that the law states it must be OPT IN by both parties, ie website and user, if this doesn't happen then BT/Phorm or whoever are breaking the law.
Do not opt out, watch your logs and sue the arse off them.
This also falls if the sites that opt out do not make the fact public then there is no publicity, who will know if the campaign has had any effect? I have deep reservations about this move.
Thumbs up to El Regizera for keeping track on the enemy.
As for writing to your MP, I agree but, are there any MPs who can wrap their heads around this?
The service has to be Opt-in although BT has wrapped it up in its web-(un)wise disguise, if I did use BT I would switch ISPs to those who don't use Phorm & state that as the reason.
Has El Reg opted out?
Please tell me you have....
We need is a list of ISPs not using (or going to use) Phorm
I don't care about cookies. (I block most anyway and delete all on exit, so I could never be sure I was enabled to disable Phorm). Also Phorm are such unscrupulous people proving they have no ethics, so I doubt (and certainly do not trust) they would even honor all cookies and they could just as easily end up say, oh sorry, a bug means we profiled larger numbers of people than we intended. They are ruthless people feeding data (for a price) to the rich and powerful. Given the historic track record of the rich and powerful, there is no reason to trust anything they say or do, as everything they do is for their own gain.
This technology has political implications. It's not simply a marketing tool. Make absolutely no mistake, they will also use it to profile political orientation which is part of opposition research. Identifying, then tracking, then making life a bit harder for political opponents is all part of the political game. Help supporters and hold back opponents. Plus NuLabour's Jacqui Smith has shown time and time again she and her lot want to profile everyone. Meanwhile the lot of them rob the country blind of billions and then they want to police us even more. No wonder, given the morally corrupt crimes they are committing against us all. (But of course, we can't actually make their morally corrupt crimes considered as officially illegal, as they write the laws, so they choose what is considered illegal). It wouldn't surprise me in the slightest to learn these cookies only control which pipes the data gets fed into for archiving. Marketing people get the filtered data. Governments get the raw data.
All we need is a list of ISPs not using (or going to use) Phorm. (That is until the Thought Police decide it's mandatory for all ISPs).
I notice that the current issue of Private Eye has a small report on the government's failure to address BT's transgressions, and a comment on the fact that NebuAd ("the US equivalent of Phorm") slunk off and disappeared - for now, anyway!
Good to see the Eye keeping an eye on this too.
....& has to be opt in for web sites
As I for one don't give them permission
I wrote to my MP
I wrote to my MP who doesn't understand the issue since he's not technically aware. All he could do was pass on the usual information (most of it copy'n'pastes of Phorm PR) which claim the system is legal, etc.
However, it's time I wrote to him again, especially with the EC's Viviane Reding's take on the situation. Even if he doesn't understand the issues, it will momentarily bring the issue to the front of his mind, and he may well start to join the dots if others do the same.
Any Korean speakers?
Could any anti-phorm Korean speakers please make themselves known on nodpi.org
Your help would be invaluable in any future publicity drive in that area.
Settling their hash
If I were one of those big websites, I'd wait until an ISP had been running an in-ISP BT tracker for oh, about 30 seconds, establish that it was phorging cookies with my site's name in them, and get an instant High Court 'cease and desist' injunction against the ISP and whoever supplied them with the software that did that.
Sure all those big websites are using, or considering, BT of their own.
But you think they will just let some in-ISP pipsqueak upstart BT tracker come along and muscle in?
In the IIPUBTT's dreams...
Paris, because she certainly knows how to raise the bar...
Had a BT sales droid trying to get me to switch back a week or so ago, let her go through her script (only cost me 3 minutes of my time) established that they could, potentially, save me 3 squids per month. Right, said droid, would you consider switching back to BT. Never, says I, you are using Phorm; "Thank you, goodbye" says droid. Methinks they may be starting to get the picture. :-)
"But you think they will just let some in-ISP pipsqueak upstart BT tracker come along and muscle in?"
When I first read that sentence I thought you must be related to amanfrommars, however, having re-read it, it makes perfect sense. :-)
Mine still says Phuck off Phorm on the back, and I've put it on the front too.
Don't play phorm's game
I'd strongly recommend that site operators DON'T request an opt out, it's just adding legitimacy to Phorm's activities. There are normal methods of opting out of site scanning that don't involve jumping through hoops and writing emails; why should this have a different methodology requiring that WE jump to their tune?
In my case I'm going to be adding a prominent banner for every visitor coming from BT (or any other ISP that signs up) informing the visitor of what their ISP is up to, who with, and what it entails. And when someone stands up and drags this through court to protest the illegal interception of their traffic, I'll stick my hand in my pocket to help out with costs, then stick my hand out for compensation for having my traffic interfered with and IP violated.
It is NOT up to us to keep Pimp Boy's hands clean.
Pirates, cos ertugrul and his scumbags are
"Phorm executives will appear at a second "Town Hall Meeting" at the London School of Economics on April 7, a year after they mounted a first public defence of their firm."
Where is the evidence of their first public appearance? I hope someone films this one independently (someone who can be relied on not to sell out for example).
Gates icon coz Phorm even manage to make M$ look positively philanthropic.
Great to see BT and Phorm continuing to justify their nasty little enterprise by likening its user impact to that of Google's. But who the hell uses Google anyway?
What I can't harvest on ixquick I pick up from Scroogle. Doesn't everyone???
Bollox because it's all bollox.
"watch your logs"
... won't help. If I understand how Phorm works, it intercepts packets between the user and the website, so leaving no trace on the site's server logs.
Someone, somewhere clearly wants all internet traffic to be encrypted in the near future.
20 or so less PHORM'd domains
That's all mine mailed to them to exclude.
I'm gonna make a little anim gif thingy with a webwise/phorm struck out so site visitors know I proactively told them to jeff off.
"This site is Phorm-Free"
Just a thought, has anyone taken this up with Which/Consumer Association people? This stuff about opt-in vs opt-out is what they have been fighting about in the wider (read non-IT) world for years.
These people have had some quite impressive successes over the years in this area.
this could actually be a good thing...
...in the long run, if it encourages more websites to use SSL to keep the phuckers out.
Increased security all round is a good thing! Now hurry up and get CACert's root key included in the major web browsers!
Opt out by foot?
Sorry I know I should have kept more up to date with this one but kids and work and stuff and blah blah...
This is just BT right?
The easiest and surest way for me to opt out will be with my feet and move to another ISP won't it?
That'll work won't it?
I can't be bothered altering settings or getting into some sort of geeky traffic hiding thing with BT - they have more resources than me, far easier to leave them to it and sign up with someone else
Serious question that hopefully someone informed can answer - will joining another ISP sort this or will my traffic still get analysed as I have a BT phone line? (no option for cable in my area)
@Opt out by foot?
"Serious question that hopefully someone informed can answer - will joining another ISP sort this or will my traffic still get analysed as I have a BT phone line? (no option for cable in my area)"
Phorm are not the only supplier of DPI equipment. The major contractor and supplier of equipment to networks all round the world seems to be Alcatel-Lucent and they have their own routers with DPI systems, trademarked as KindSight. Then the Cisco routers are soon to be enhanced with Feeva scripts supplying geo-demographic data supplied by the ISP injected in a header tag for every HTTP request.
You will know who is an ISP which respects their customers enough to rely on service to cut down on customer churn - none that I have come across tie you down to paying more than one month's notice for leaving (and it takes 2 weeks for the transfer to happen anyway).
I solved the BT phone line issue by moving to the Post Office - that is still classed as a BT phone line for broadband supply purposes: the connection is within a BT OpenReach maintained exchange.
got acknowledgement for opt-out
I received an acknowledgement from firstname.lastname@example.org that mentioned the name of my website (so it was not just a blanket autoreply) and said that they had excluded it.
It's noticeable from the various web pages and email addresses that "webwise" and "phorm" are essentially the same thing.