HTTPS should be okay
HTTPS uses SSL, which uses two forms of encryption to guarantee speed and security. Public key cryptography gives lots of protection from the problems of key distribution, whilst symmetric cryptography - nice and fast - encrypts most of the data.
When you start an HTTPS session your machine requests a copy of an asymmetric public key held by the remote server. Your computer then generates a unique symmetric session key, a copy of which is then encrypted with the server's public key and dispatched across the net. When the server receives the encrypted session key, it uses its private key to decrypt the session key. From then on all transactions are encrypted with the session key.
Phorm could intercept the public key - but can't decrypt messages encrypted with that key. It could also intercept the encrypted session key - but again it doesn't have a decryption key. The bulk traffic of the exchange can also be intercepted, but Phorm won't have a copy of that key.
So HTTPS is safe, but there is plenty of information slopping over the Internet that could cause you lots of damage - from your emails, to just the profile that could be built from watching one of your sessions.
I am with BT and demanded a full explanation of their plans and how I can possibly trust them again. I'm also threatening them with the DPA, RIPA and Ofcom. I don't expect I'll get a useful response, so I'll be switching ISP RSN.
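A toy model of the exchange the post describes, added here as an example and not the commenter's own code: the client wraps a fresh symmetric session key under the server's public key, the server unwraps it with its private key, and the bulk traffic is then encrypted symmetrically, while an on-path observer sees only the public key, the wrapped key and the ciphertext. It assumes textbook RSA over two small constructed primes and a SHA-256 keystream in place of the real TLS primitives.

```python
"""Toy model of the HTTPS key exchange: RSA key transport of a symmetric
session key, then symmetric bulk encryption.  Textbook RSA with tiny
constructed primes and a SHA-256 keystream stand in for real TLS
primitives; they are illustrative only."""
import hashlib
import secrets

# Constructed toy parameters; a real server key uses ~1024-bit primes.
P, Q, E = 1000003, 1000033, 65537


def rsa_keypair(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)): the server's public and private keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, m):
    """Encrypt with the public key or decrypt with the private key."""
    k, n = key
    return pow(m, k, n)


def keystream_xor(session_key, data):
    """Symmetric bulk cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key.to_bytes(8, "big")
                               + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(plaintext, session_key=None):
    """Play client and server; return what an on-path observer sees and
    what the server recovers from the encrypted traffic."""
    pub, priv = rsa_keypair()                  # only the server holds priv
    if session_key is None:
        session_key = secrets.randbelow(pub[1])  # client picks a fresh key
    wrapped = rsa_apply(pub, session_key)      # sent under the public key
    recovered = rsa_apply(priv, wrapped)       # server unwraps it
    ciphertext = keystream_xor(session_key, plaintext)  # bulk traffic
    decrypted = keystream_xor(recovered, ciphertext)    # server reads it
    observed = {"public_key": pub, "wrapped_key": wrapped,
                "traffic": ciphertext}
    return observed, decrypted
```

Applying the public key to the wrapped key, as an observer could, does not yield the session key; only the private key does.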