Top security firm: Phorm is adware

In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database. Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very …

COMMENTS


User agent

Not sure how it'll work when the service goes live, but they are supposedly ignoring certain browsers that will break with redirection.

So, grab this: https://addons.mozilla.org/en-US/firefox/addon/967

tools -> modify headers -> Add -> 1st box: "User-Agent" 2nd box: "Kent Ertugrul of phorm is a spunk bubble" (without the quotes in both boxes).

Also check configuration -> always on

Now go to http://whatsmyuseragent.com/ and you should see a nice message: "Your User Agent is: Kent Ertugrul of phorm is a spunk bubble"

Hopefully, you should also never see a redirect in your traffic when they switch this service on. Eagerly waiting with a packet sniffer to test it though.

0
0
Happy

CEO email addresses

If you type in CEO BT EMAIL ADDRESS into Google you get

http://www.connectotel.com/marcus/ceoemail.html

as the top link

very useful

I will be emailing BT's CEO (my ISP) shortly

0
0
Anonymous Coward

Am I wrong?

I'm new to all this, but as a guess, won't they need to know your IP address to be able to send you a Cookie of any type, be it opt-in or opt-out? So I'm guessing your anonymous cookie and your IP address are together for a while!!! But then I'm sure I'm missing something.

0
0
Jobs Halo

Where is my Blocked Cookies setting

I use Safari on my Macs

0
0
Alien

I had a dream last night...

that the general public wised up to this "ISP Internet Takeover" stunt and everyone:

set their wireless access points open,

installed cookie modifying firmware on the router

and enabled local node file sharing server facilities,

the wireless access would auto-hop between access points (and ISPs), set to hop every few minutes, and log-on was all managed seamlessly by a piece of software not unlike "devicescape"...

needless to say all adverts were blocked at the access points and the ISP's stunt left them hated by their subscriber base as they clawed for the last remaining "exploitable ignorant".

...t'was all most strange, but it worked.

Internet Service Providers NOT Advertisement Service Providers

DO. NOT. WANT.

..now then about that 'test' privacy breach?

(originally posted over in 'Mobile' : http://www.theregister.co.uk/2008/03/12/mobile_phom/ )

0
0
Flame

Phucked if I can think of one.

I see phorm.com has now got links to lots of news stories about them. Strangely enough there are no links to this site! Based on the performance of their share price again today this PR company's doing an outstanding job. :-)

To reiterate my stance on this "service" - phuck off Phorm. DO NOT WANT!

0
0
Alert

Dangerous Interpretation

I see a number of people saying BT are going to make this Opt-In based on the email a reader got from the BT CEO Office. Please re-read the email because that is not what was said at all and interpreting it as such is very dangerous and will come back to bite you on the ass.

The BT email states the Trial will be opt-in not the full launch of the service. Given the statement by the Home Office, there is no doubt that BT will make this system opt in by default by simply changing their Terms and Conditions once they go to full launch.

So please when reading information regarding this scandal calm down, take a deep breath and read it slowly, instead of just washing over it and interpreting the information as something it is not.

Also on RIPA, I find it disgusting that the Home Office does not understand RIPA. RIPA requires explicit consent from both parties for an interception to take place, so the Home Office's bullshit about implied consent is exactly that, bullshit.

There is no doubt whatsoever that this "service" is in breach of RIPA and is a criminal offence (why do you think the Home Office didn't commit to their statement in the first place and instead as a bootnote offset their responsibility to the courts?). This was clearly a paid stooge in the Home Office or some close friend/associate (possibly even investor) of execs/stakeholders of one of the companies involved (Phorm, BT, Virgin, CPW you choose).

Given that their share capital was well in excess of £100M before this shit kicking commenced, some people have lost heavily on this and the only people investing that sort of money are ones who have a far reach, the right school tie and friends in high places. Make no mistake, the Home Office statement was a payoff pure and simple, maybe not for money, but at the very least for favours or repayment of an "I owe you one" from some previous political misbehaviour.

Phorm is illegal under RIPA

Auto Opt-In is illegal under DPA

Home Office are talking shit.

0
0

@Stonewalled by BT

Nope. Got ticket and everything. No response from them at all, in fact even their canned response suggests that they can't be arsed :

"We are currently experiencing a very high volume of emails due to increased demand for information and ordering of our range of Broadband products."

In other words, don't hold your breath, your call is not important to us, everything is just peachy.

Cockbadgers. I made my formal complaint on Tue 4, so they've had plenty of time to get round to it IMHO, and tomorrow the serious foot stamping will begin.

Still also waiting on a reply from Trading Standards w/r/t variation of contract Ts&Cs, and a response from my fat lazy useless MP, although since he is basically a NuLabour sock puppet, I'm not expecting much from him. You never know your luck though, and if enough people write to their 'representatives' perhaps at least one of them will find the balls to ask a question in the house, like to see what that would do to Phorm's share price.

0
0
Joke

SCO

Am I experiencing déjà vu?

If not why is this graph making me think of SCO?

http://www.iii.co.uk/investment/detail?type=&display=chart&code=cotn%3APHRM.L&it=le&timeframe=1m&index=&versus=&linetype=line&Go=Plot+&overlay=&overlay2=&overlay3=&overlay4=&indicator=&indicator2=&indicator3=&indicator4=&chartwidth=500

0
0
Thumb Down

Keep Phorm Out

With all the risks already posed on the internet, do we really need another one? I for one am determined to keep Phorm out of my system - it is my privacy and right to do so and I will not and do not tolerate spyware.

Phorm's stance to opt-out is not even democratic since permission is not even sought BEFORE a cookie is placed on a system. Those who propose an opt-in would get my vote, since then there is a choice and that choice remains with the computer user - not Phorm. However, Phorm has yet to prove to internet users that their so-called opt-out cookie is really and truly opt-out - or is it just going to be partially opt-out or if the opt-out cookie is removed, does this mean the user is automatically opted-in again? No way should Phorm be allowed to drop spy cookies onto private systems without specific authority from the owners and furthermore, the Phorm company has already been caught before, handling spy programs.

0
0
Go

Question for Chris & John

Hey Guys,

Given the Home Office statement which states there -may- be an argument of implied consent where no expressed consent exists; can you ask El Reg execs if they plan to add expressed denied consent to their own web site terms and conditions denying Phorm and Phormesque technologies the right to access your content?

Given that El Reg has committed so much time and energy to this story (which is a good thing) it would seem fitting to commit your own website to denying Phorm access under RIPA.

0
0
Thumb Down

Malware is Malware

You can't give something to someone when they never asked for it.

It's the same as taking my email and telling me to tell you to stop taking my email.

Opt-out is only valid if you opt-in unless a said person leaves their data out there in the public domain for this purpose so declared. Example website put their sites on the public domain so people and search engines use them in a give - take. Not for spammers to look for fax and email adverts in a take take.

0
0
Thumb Up

@The Other Steve

"Cockbadgers"

Thank you for a wonderful new word :D

0
0
Gates Horns

I don't just want to avoid Phorm....

"...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice."

If my ISP adopted this excrement I would certainly want to have a go at poisoning the database and it should be perfectly legal too.

I think I'd compile a list of sites that carry phorm (oix) adverts as it would be unfair to burden sites that have nothing to do with phorm with the bandwidth used, and write a script to automatically opt into phorm (the opt-out is worthless after all) and access one or more sites (and maybe the odd MSN/google search query) to start building a profile, save the phorm cookie to a file and delete the original, then select one of the cookies from the file and restore it and access pages from one or more of the selected sites, then delete the cookie (keeping the copy in the file) and go back to step 1.

It has been claimed that the tracking cookie is just a random number and the profile is based on your last 10 days activity, so it should be possible for one user to create an awful lot of profiles for phorm to keep track of over a 10 day period and keep them active so they don't expire and would help to hide my genuine browsing activity.

0
0
Thumb Down

SpyBlocking software including that firefox extension will not stop your data being intercepted.

As the interception occurs within the ISP's network it does matter what you do to your PC if you allow unencrypted web request then they will be profiled. There are only two ways to stop this

1. Use a tunnelling protocol to step over the compromised network of your ISP

2. Move to an ISP that guarantees that they will not use PHORM or similar technologies

If the ISPs continue with the OPT-OUT based service then if you block the PHORM cookie in any way you are opted in by default. If you accept the opt out cookie then your data still goes to the profiling server within your ISP but they say it is ignored.

Also for those people thinking of waiting it out here is a snip from Professor Peter Sommer's report to the home office

20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria.

In other words if you accept the ISP TOC then you have agreed to the interception. Full document here http://cryptome.org/ho-phorm.htm

Vote with your feet and add your name to the petition to the PM here http://petitions.pm.gov.uk/ispphorm/

0
0
Anonymous Coward

I was reading about talktalk last night

Apparently they've made it an "opt-in" service, but that's only half the battle... Even if you don't opt in, and if I understand how the whole mess works, they will still be able to gather content metrics on your browsing patterns, which I think is a crock of crap.

That's still interception and tapping, as far as I'm concerned. That's just as bad as going into the central office and plugging into random punch downs and listening to conversations, but not knowing exactly who is doing the talking.

I don't know if Phorm has established a foothold over here in the US yet, but I'd be the first American to willingly contribute to a UK legal fund to fight these suckholes from spreading their disgusting tripe anywhere else!

0
0
Thumb Up

@ tech idiot

Good catch....

http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=discussion&it=le

I've discussed this subject at length with non-technical folks who all seem to be of the opinion, "nothing to hide/nothing to fear". I feel the way to tackle this bunch is to talk up the webmail angle, as when this argument is run, bingo ...... suddenly they realise what I'm saying and somehow becomes relevant.

Anyone with an account on the aforementioned server may just want to continue singing from the hymn sheet....

Actually reading up their comments does make me feel somehow...... dirty, the wording is just the same as "pump and dump" spam.

0
0

Repackaged 'people onpage'

Has anyone noticed the similarities of Phorm's Webwise to 121media's previous spyware material?

You will be forced to use their software that includes a new webwise toolbar attachment because if you opt out you will no doubt suffer slower speeds as your isp prioritises its Webwise users. That's common business sense and their traffic shaping will play a big role in this.

I've mailed BT over a dozen times over this Webwise spyware business but they have not replied. I've phoned their customer services dept to arrange cancellation of my account without penalty but they passed on my request to higher office who have again also refused to get back to me.. I just want out of this mess but they won't let me go..

Webwise is a dangerous path for any isp to follow because when it inevitably goes wrong they might face the biggest clean up bill in internet history and even closure because the warnings were all there right at the beginning.

BT are currently testing the Webwise installation in Kingston on Thames and it appears they are also testing it on behalf of all the other isps as well. However I am convinced BT will very soon announce that Webwise has failed these tests and that BT will no longer continue merging with the Phorm proxy server because of this..

BT really should not be discussing any kind of mergers with a crook like Kent Ertugrul, a guy that should have been imprisoned for his evil activities against so many decent law abiding internet users. The law courts should be the ones discussing the millions in compensation claims he should pay instead before banging him up where he belongs..

0
0
Stop

Are customers liable?

By accepting the Terms and Conditions and giving your ISP permission to intercept your communications you may actually be opening yourself up to criminal liability under RIPA.

As mentioned a multitude of times, consent is required from all parties for the interception of communication; by communicating with someone else with the knowledge that there is going to be an interception without the consent of the other party(ies) you could be deemed as complicit. All sort of cans of worms could be opened such as aiding and abetting; conspiracy and entrapment.

You could also be opening yourself up to Copyright Infringement offences such as Secondary Infringement and Vicarious Infringement. BT et al should be reminded that Copyright Infringement becomes a criminal offence where commercial gain and profit are involved; and since this is a profit based system (the ISPs get a cut of the advertising revenue) it seems to fall under criminal copyright law.

I am not aware of any case law in the UK which covers these points explicitly (but that doesn't mean it doesn't exist) however, there is case law elsewhere in the world. If I remember correctly there has been at least one case lost see:

Kelly v. Arriba Soft Corporation (336 F.3d 811(CA9 2003))

http://netcopyrightlaw.com/pdf/kellyvarribasoftjudgement03182004.pdf

It should be noted that even in the case of Perfect 10 vs Google (which was originally judged in favour of the Plaintiff (Perfect 10) and then overturned on appeal) Google only managed to get the ruling overturned on Fair Use arguments. Fair Use arguments don't work in the Phorm situation because there are differences. Google Images only created derivative works in the form of a thumbnail which then linked directly back to the websites they came from. Phorm is copying the entire page using an illegal wire tap, so I don't think they could use the same arguments of Fair Use.

See also:

http://www.jurpc.de/aufsatz/20020029.htm (in German sorry)

which basically covers the situation regarding caching of websites in Europe with regards copyright law and reinforces that it is actually Copyright Infringement under European Law.

See also:

http://www.archive.org/iathreads/post-view.php?id=119669

The above stemmed around Archive.Org (aka WayBackMachine) and the courts accepted that the Plaintiff had a case for the court to hear with regards breach of contract, based on the Terms and Conditions she had on her website which were breached by Archive.Org when they cached her pages.

Obviously Archive.Org settled out of court so no judgement was ever received, but they did acknowledge the infringement in their press release.

My advice to website owners who do not wish to have their pages intercepted and copied by Phorm systems (or indeed any other such systems) would be to add some Terms and Conditions to your website explicitly refusing the right to copy the pages and would then be covered under copyright law, contract law and RIPA as I understand it. If the Home Office want to try and throw around the implied consent argument, then it cuts both ways. Phorm accessing the website are bound by your Terms and Conditions through the same implied consent and would therefore be in breach of contract should such terms as "Phorm may not access or copy this website under any circumstances" appear in those terms. So potentially, a lot of popular forums could make a boat load of money from suing ISPs and Phorm for Copyright Infringement and Breach of Contract and even possibly bring criminal charges since the infringement is being used for commercial and financial gain.

Even if there is a slightest chance that my statements above are correct, they are reason enough alone, not to allow the interception of your communications.

So in the words of Nancy Reagan "Just say No!" [to Phorm]

0
0
Go

Deny Phorm Campaign

I put up a blog on blogger.com highlighting these articles, summarising the main issues and requesting web site owners to add terms to their web sites denying consent for Phorm to intercept communications between their web sites and users.

It is my belief that these terms alone should be enough to make Phorm breach RIPA with regards to consent from parties.

I have called the blog Deny Phorm because we -all- have the right to Deny Phorm access to our communications, users and content providers alike.

You can find the blog here:

http://denyphorm.blogspot.com/

0
0

Virginmedia T's & C's

J.3.b.

Can't remember the exact wording, but if they make a significant change to their T's & C's you are entitled to cancel without penalty. First indication of a phorum cookie and I'm outta there.

0
0
Coat

any legal eagles out there

Are there any legal people out there who specialise in RIPA, DPA etc. that can give us a clearer picture of this?

Is it legal or not? Mind you, I suspect even from a legal specialist it will not be black or white, just a darker shade of grey.

0
0
Stop

Email campaign

Ok, Reg, how about you send a nicely worded email to everyone on your database asking if we believe Phorm should be allowed to be implemented and spelling out what Phorm is.

If we don't agree, how to lodge our complaint with the official body. Maybe a link to complain and a sample wording.

El Reg has all of our email addresses. We can then forward that email on to everyone we know asking them to pass it on too. Let's take PHORM down on this issue. WE DO NOT WANT OUR DATA SOLD. Viral marketing is needed to kill the beast.

0
0
Alert

Phorm's anonymity is tosh

I've been thinking about phorm's claim to anonymise user data using random numbers and I've concluded that it's completely bogus. Let me tell a little story to show why...

"An evil king had 10 servants. They were loyal servants, but one of them (a ginger-haired man) had earned the king's displeasure. The king decided to remove him, but to execute a man just for being ginger was a bad act, even for this king, so he devised a cunning plan. "One of my servants has been stealing from me", he declared, "We will investigate and punish the offender". But to protect the privacy of the innocent, the investigation would be done anonymously.

So he gathered his servants and made each one pick a number at random. Then he drew a cookie on each servant's arm and wrote the servant's number inside the cookie. He then instructed each servant to write their number on the door of their room. Being loyal servants, they did this.

The king then called the head of his secret police. Publicly, the king said "Go and search the servants' rooms and if you find stolen goods, tell me the number written on the door" (but privately, the king told the policeman not to look for stolen goods, but to find evidence of ginger hair). In due course, the policeman returned and declared "Room number 7 belongs to the culprit". The king thanked the policeman and arranged for him to meet with an unfortunate accident.

The king then mounted a guard on the door of his palace. When the servants reported for duty, their cookies were checked and servant number 7 (the ginger-haired one, of course) was taken out and shot."

I trust you see the connection with what your ISP and phorm are doing.

So was anonymity really achieved by the random number technique? I would say no. Definitely not.

As far as the secret police (phorm) are concerned, there is a bogus claim to anonymity. The policeman who scanned each room didn't know which servant it belonged to. The information was then deleted (the policeman killed) and the only information that remained was that room number 7 contained stolen goods (or ginger hair, actually). But clearly this didn't protect the innocent ginger servant from the consequences of his data being abused. So the claim to anonymity is completely fake.

The reason is that the king (ISP) retained the ability to link random numbers back to servants (users) by inspecting cookies. In reality, phorm holds the randomised data and the ISP holds the method of linking random numbers back to users. Neither of them acting alone holds personally identifiable information, but acting in concert they do. The data are not anonymised.

To summarise: I believe the Data Protection Act applies to this case because personally identifiable information is being held. The information is about "advertising preferences" (or whatever phorm extracts) and the link to an individual exists because phorm and the ISP are acting in concert and the ISP can match the so-called random numbers against the cookies presented by users (it not only can do this, it *has* to do this in order to deliver the adverts).

Phorm is not using random numbers. It is using numbers that can be (and are) traced back to users. It's a fraud.

0
0
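The linkage argument in the comment above, as an added sketch that is not part of the original post and not Phorm or ISP code: one party keeps profiles keyed only by a random ID, the other carries the traffic and so sees the ID and the subscriber line together. The class names, account IDs and page categories are constructed for illustration, and the provider's lookup table models a capability, not a claim about what any ISP stores.

```python
import secrets
from collections import Counter, defaultdict

# Constructed sample data: subscriber accounts and the page categories they visit.
BROWSING = {
    "account-1001": ["travel", "travel", "news"],
    "account-1002": ["health", "health", "finance"],
    "account-1003": ["sport", "news", "sport"],
}


class Profiler:
    """Hypothetical profiling party: interests are keyed by random UID only."""

    def __init__(self):
        self.profiles = defaultdict(Counter)

    def observe(self, uid, category):
        self.profiles[uid][category] += 1

    def advert_for(self, uid):
        # The most frequent category decides which advert the UID is shown.
        return self.profiles[uid].most_common(1)[0][0]


class AccessProvider:
    """Hypothetical ISP: it carries every request, so the subscriber line
    and the cookie value are visible to it in the same moment."""

    def __init__(self, profiler):
        self.profiler = profiler
        self.uid_to_account = {}  # capability to link, modelled as a table

    def carry_request(self, account, cookie_uid, category):
        self.uid_to_account[cookie_uid] = account
        # Only the UID and the category are passed on to the profiler.
        self.profiler.observe(cookie_uid, category)


def simulate():
    """Replay the constructed browsing through both parties."""
    profiler = Profiler()
    isp = AccessProvider(profiler)
    browser_cookie = {}  # one random cookie per subscriber's browser
    for account, visits in BROWSING.items():
        uid = browser_cookie.setdefault(account, secrets.token_hex(8))
        for category in visits:
            isp.carry_request(account, uid, category)
    return profiler, isp


def profiler_view(profiler):
    """What the profiler holds on its own: UID -> category counts."""
    return {uid: dict(counts) for uid, counts in profiler.profiles.items()}


def mentions_account(view):
    """True if any subscriber account appears anywhere in a view."""
    flat = repr(view)
    return any(account in flat for account in BROWSING)


def joined_view(profiler, isp):
    """What both parties hold together: account -> inferred interest."""
    return {
        isp.uid_to_account[uid]: profiler.advert_for(uid)
        for uid in profiler.profiles
    }


if __name__ == "__main__":
    profiler, isp = simulate()
    print("profiler alone names a subscriber:",
          mentions_account(profiler_view(profiler)))
    for account, interest in sorted(joined_view(profiler, isp).items()):
        print(account, "->", interest)
```

The profiler's own view never names a subscriber, yet the join recovers one interest per account, which is the distinction between pseudonymised and anonymised data that the comment draws.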
Stop

Implied Consent

Wonder if someone can come up with a standard letter for us to send to phorm/Bt/TT/VM/a.n.other ISP as webmasters?

"I hereby state that I give NO permission for phorm, or any company associated with their OIX platform, to process (or view) my data in any way. Any interception (not just processing) by systems involved in the OIX offering is therefore illegal under UK privacy laws"

Or similar, should make it very interesting. My mother uses one of my colo boxes for her email, and she's on VM... That sounds like they are going to get themselves into trouble.

0
0
poh

Detect users coming in via Phorm

Just a quick question. Does anybody know how I as a web host can detect if one of my users is coming in via a Phorm wire-tap? Will there be odd IP ranges to look out for (perhaps not, seeing as the Phorm wire-taps are within the ISP)? Given that Phorm seem to have some mechanism for injecting a cookie into my domain, does this mean I can find it with Javascript?

0
0

The other party to the conversation

As a British citizen domiciled in Sweden with servers located outside the UK, and the other party to conversations between my website users and my servers, I would really like to see what BT and Phorm make of the privacy laws here... I've already sent letters to Phorm, BT, Virgin Media and Talk Talk informing them that I do not give permission for such monitoring of my conversations on my Swedish operated servers and that they must cease and desist.

I've already got the Read Receipt from BT's company secretary on whom notices should be served. It'll be difficult to argue they've not received it.

As each page on my websites is generated by scripts, and personalised for each visitor, that makes them a private communication, especially the areas protected by usernames and passwords.

0
0
Black Helicopters

Excellent smithers

Excellent, now the home office is involved. (Cue image of trembling boots and a scary home secretary... Who is it now anyway?)

Not that I expect any action, as it is a government agency, but at least people somewhere in the hallowed halls of antiquity are beginning to take notice.

**Dons tin foil hat.**

Why is that, helping the general populace out at a time of company underhandedness.

Or

The petition and ruckus caused by this and other sites?

0
0

Word from bethere

I quite liked bethere when I used it in a previous house, so I contacted them to ask them about Phorm, to help me make a decision in future. This is their response:

Thank you for contacting us.

We are not a part of the Phorm system and we are not even planning to be, so there will be nothing to worry about.

Regards,

Be Team

So, assuming this isn't the same kind of lie that BT spouts, I think they at least, are in the clear.

I thought of something else though - what if someone wrote a program, that created random Phorm cookies, and made random requests. Distribute this program to a few addresses, and suddenly Phorm's database becomes far less relevant - it will now contain lots of redundant and useless information. Although, I guess it doesn't stop them profiling people.

0
0

@Jonathan

There is a non-zero cost associated with running the Phorm system. If there's no return (no-one clicks on the ads), then eventually the companies will stop doing it.

Therefore if the system can be "stressed", and at the same time made to be less effective, it'll start showing up as a negative on the companies' bank statement.

Given the throughput that this needs to support to not affect the customer's "browsing experience", we're not looking at a single small server.

If I were to set this up, I'd be looking at a pair of BIG L7 "interceptors", probably 4 profilers, running load balanced, and then probably a clustered backend DB to keep track of so many cookies. That's going to need to be separated into 2 racks at least (each containing the L7, 2 profilers, and one of the DB nodes), and from previous experience with hosted equipment, they're going to want full racks.

2 racks in a server room (rental, power, cooling, maintenance) is not going to be cheap if there's no income.

0
0

Re AC

>...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice.

Makes you just as bad as them. *plonk*

0
0

RIPA

>So they'll most likely go ahead anyway, until someone takes the fuckers to court, where they'll most likely employ the usual army of expensive briefs and "experts" to defend their position.

Maybe so but unlawful interception of communications is a criminal offence so there could be people at the top of these companies being arrested.

0
0

@Graham Wood

True.

Although, I guess such an attack wouldn't be legal, and would probably lead to banned subscribers.

But, if the ISPs don't pull out because of negative press alone (and lost subscribers), I wouldn't be surprised if something like that were to arise.

@Stephen Baines

I'm very interested in cases like yours. As you say, you don't give permission for your conversations to be intercepted, so in order to be legal, BT Webwise would need to block your site to prevent interception. Something has got to give - I imagine BT's execs will realize it's too much of a nightmare to implement solely because of the interception.

Hopefully Phorm's stock will bottom out some more, and hopefully its founder will lose everything he ever invested (including a lot of time!), and will come away a little wiser.

0
0
Paris Hilton

Suddenly...

...being with Tiscali 'Cheap 'n' Cheerful' ISP doesn't seem so bad. I may suffer occasional 6pm slowdowns (usually having dinner anyway) and unintelligible customer support but I'm not being spied upon and my family and partner have no idea how much p0rn I actually look at... (One Night In...[pic])

0
0

Something I'm not getting here...

Just had a look at their site and they reckon that they will replace ads with theirs, am I missing something? If someone has paid for an ad to go on a web page and it is replaced by a third party then it is like fly posting and surely breaching some law.

Meanwhile does this mean that all traffic has to go through this link? Tantamount to saying that all cars in the world have to go through the Dartford Tunnel on every journey?

I get more confused everyday!

Apart from that there is another site that have a copyright notice from 2000 which grabs the trade mark Phorm (php-net) are they the same people?

0
0

Re: poisoning the database

I do a lot of automated web scraping (just for my own purposes; occasionally cheekily but I'm not a scumbag and don't hammer servers or peddle scraped data or grub around for email addresses - just thought I'd better be clear about that for starters!). I'm planning on tweaking this to poison Phorm's database; obviously my automated jobs don't say very much about my preferences and interests. I was thinking, add a couple of random fetcher jobs as well to occasionally fetch a random page and spider around a little. It might even be possible to switch the ID in the cookie now and then - with any luck you might hit someone else's ID and poison the records about them, too, although I'm less sure that this would work.

It's not foolproof of course - they could probably spot this easily enough if they were keen - but if a lot of people started doing this it could make their database relatively worthless. The same trick would also be a little irritation for doubleclick and the like.

I may hack together the random fetcher / spider / cookie poisoner as a standalone application and see if anyone else fancies chipping in a small amount of bandwidth to this 'project' at some point in the near future. To have any real power the poisoner would need to be running in several places. A kind of voluntary botnet. If it really caught on it could really dent this spy-ad industry.

Of course I can't really do that much about Phorm myself as I'm on Plusnet. I know they're owned by BT but Plusnet assure me they aren't involved in this (so good news for Plusnet customers out there assuming that's accurate).

0
0

Lawyers

I do know some big scary lawyers who do pro bono work.

But they need to think that there is a case, and that they can win, as well as concluding that this is a good use of their time.

RIPA is a good start, but if the ISPs change their T&Cs does it apply ?

I assume the reason for BT's silence is that someone senior has just realised they are doing this logging anyway, so why split the rake off with Phorm ?

Given that ISPs keep being pushed by the government to log web access, I can't see it as very hard for them to write scripts which use this data for commercial ends.

0
0
Go

Using email signatures to prohibit interception

I'd just like to point out that many existing email systems (especially business ones) already append a legal statement to each message along the lines of:

"This message is for the intended recipient only...

...if you receive it in error, you must not act on its contents...

...bla bla bla"

If such messages are being sent or received via an HTTP connection, they would potentially be intercepted by Phorm's system. There is clearly no implied consent for others to read such messages - so that interception would be illegal. If you wanted to be sure, you could easily add an explicit statement to prohibit interception by ISPs.

Actually, I would suggest that everyone adds such a statement to their email signatures. It's an easy way of getting lots of prohibition statements into the system. It's also a good way of spreading the word about this problem, especially if you include a link to web sites like El Reg.

0
0

@Dominic

RIPA does apply as it requires consent from all parties, so the web host would have to give their consent as well. The Home Office have cast a shadow of doubt over whether Phorm breaches RIPA or not (probably unintentionally) by stating that there might be an argument for implied consent where expressed consent does not exist. Note how they say "may" and how they offset the interpretation of the law to the courts.

Of course the consequence of their statement for Phorm, is the acknowledgement that expressed terms which refuse consent by the web host would constitute a breach of RIPA should Phorm or an ISP intercept communications between themselves and their users.

See http://denyphorm.blogspot.com/ for details on a campaign I have started to encourage web site owners to express denied consent in Terms on their websites.

0
0
Anonymous Coward

@Werner McGoole

I've always thought email signatures were pretty useless, perhaps until now.

I sent an email to Neil.Berkett (CEO of Virgin Media) complaining about Phorm.

I got a response which I read in webmail. The content was pretty useless, but his email signature may or may not have been something like the following:

------------------------------------------------------------------------------

Save Paper - Do you really need to print this e-mail?

Visit www.Vxxxxxxxxxa.com for more information, and more fun.

This email and any attachments are or may be confidential and legally privileged and are sent solely for the attention of the addressee(s). If you have received this email in error, please delete it from your system: its use, disclosure or copying is unauthorised. Statements and opinions expressed in this email may not represent those of Vxxxxx xxxxxa. Any representations or commitments in this email are subject to contract. Please note that we are migrating our email addresses to a company wide address of "@xxxxxxxxxxx.xx.xx". If you are sending to a Txxxxxxx or nxl email address your email will be re-directed.

Registered office: 1xx xxxx, xxxxx. Registered in England and Wales with number xxxx

==============================================================================

0
0

Here's another thought

Having noticed the number of concerns from posters who like to look at a bit of p0rn and are therefore (legitimately) concerned about being swamped with ads for p0rn sites, here's another thought.....

If I have a habit of accessing sites about something mainstream like cars, PC equipment, or whatever, it's arguable (just) that having information about my browsing habits used to service me with ads for sites about cars, PCs etc etc is frightfully handy....

And were I a single chap living alone and somewhat fond of one handed reading material, I might find ads from p0rn sites quite agreeable.

Not so however if I were a married man and my wife (how embarrassing) or children (far far worse than embarrassing) were to access my PC and be exposed to such stuff.

I'm a transgendered person. That's not a life style, nor a sexual quirk, but simply a condition that I am not responsible for. I frequently access sites that are designed to provide advice, support, and information for people like me. However, were anyone to enter the word 'transgender' into any search engine such as Google and I can pretty much guarantee that a significant proportion of the sites listed in the search result will have titles like 'Thai Ladyboys' or 'Chix with Dix' or similar tasteful stuff. I have no interest in such things. As a libertarian I don't find them particularly offensive, but I don't want to see them.

So - this bunch of bottom-feeders not only have the potential to seriously impact my personal privacy (which, given my circumstances, is particularly important to me for obvious reasons), but also to bombard me with unsolicited material of a distasteful nature.

I believe that's called Spam

And I'm expected to pay an ISP to actively collude with that?

I don't think so.

0
0

@Steve B

They only replace the adverts on sites that have signed up to the service; if you run a site with Google Ads (for example) they're not going to steal your revenue stream.

The Phorm party line is that this is going to be wonderful for the user, because more targeted adverts will mean companies need to place fewer ads. Which says to me "companies are going to pay a premium for a Phorm-served ad".

At which point, automated reloading of Phorm-associated sites, frequent cookie recycling and similar techniques to poison the waterhole will be pretty effective in killing the whole process. Advertisers aren't completely stupid; they won't pay a premium if they're not seeing escalated returns for their money.

0
0

Re: Phorm's anonymity is to

Warner I agree with you, but you are missing one point. This isn't just "personal data" we are talking about, as defined by the data protection act this is "sensitive personal data" as your surfing habits will reveal details such as sexuality (if you start looking at gay porn sites), trade union membership (must be some that don't use https to log you in), medical conditions/religious belief/ethnic origin/political opinion (if you subscribe or view regularly to a website about a particular condition/religion/ethnic origin/political party).

The requirement of the DPA is that explicit consent is required for processing of sensitive personal data, in my view automatic opt-in would therefore be unlawful even if they attempted to gain it by telling you their T&Cs have been updated - without positive action from the subscriber it can't be classed as explicit consent.

0
0

I'm sure there was some case recently

that showed that email disclaimers actually have no power in court.

0
0
Unhappy

virgin media have it

I have just spoken to Customer Services at Virgin Media and after being passed around to half a dozen different people I finally got someone to check and they tell me that it is already in place and I cannot opt out! The woman said to opt out I need to use firefox!?

Well I'm going to cancel and go with zen.

0
0
IT Angle

As a Website owner.....

I don't really understand how this works 100% but will they be able to post adverts over any website?

If Phorm end up dumping adverts over my website when people access it, will I be able to invoice them for my going rate (which for them would be at least £1000/week)?

0
0

@AC

I'm pretty sure that was just Customer Disservice being stupid. Because if they aren't, they lose any possibility that Phorm is legal under RIPA.

The thing is, as I see it, is if the customer is offered the choice, it could be argued that forms consent. If you don't, then they can't legally intercept your traffic. If I were you, I'd phone them up, ask to speak to a supervisor, and tell them that unless you are given the option to opt, you will a) switch to a different ISP, b) sue them. Hopefully such threats will jog their memory.

I'd also say that Phorm should have a bigger problem with websites. Now that website traffic can be intercepted, I imagine websites won't be too keen on the idea. Anything could be exposed, and Phorm has no right to intercept. As far as I understand RIPA, it requires consent from both parties, not just one.

0
0
Stop

Tinfoil hats?

With all due apologies...

At first they came and only wanted me to accept adverts. I said nothing.

They came and only wanted to catch child-pornsters. I said nothing.

They came and only wanted to catch copyright criminals. I said nothing.

They came and only wanted to assure my safety. I still said nothing.

Finally there was only me left, I could say nothing.

If this gets in, where will it stop? This is merely the start of exactly what the MPAA/RIAA and the government's war on Internet filth merchants and terrorists, want. An easy way to track the habits of every internet user, what where, how and why?! Fantastic! Adverts my arse! The adverts is a slightly easier way to sneak this nasty insidious tech in early for a far more nefarious purpose! Average Joe Public won't care about a bit of advertising being tailored made to his preferences.

It has to be stopped now!

This did make me laugh though.

"Kent Ertegrul a guy that should have been imprisoned for his evil activities"..."before banging him up where he belongs"...

Hmmmm, very painful! However I'd derive great pleasure in watching it happen to that low life.

0
0
Unhappy

Anyone else better than 8Mb?

Unfortunately I can't find anyone else that can match the 20Mb service I get with VM other than an expensive leased line, otherwise I would be off like a shot! But VM insist it is not in place or under trial yet.

0
0

Wouldn't this be easy to scam?

@Vishal Vashist

As far as I know, no. You would need to embed special JavaScript into your pages to make them fetch the Phorm ads - the adverts won't be inserted unless you have agreed to it.

But that makes me wonder if the system can be abused. Say we get the script someone is thinking of writing, that makes random requests using random cookie IDs. And we change it to make random requests to a particular page hosting a Phorm advert, retrieve the URL that the Phorm advert leads to, and request it. Unless they have some other protection, this will net the website owner some cash. Done hundreds of times per second with multiple willing bots, and....

Even if the website is chosen without the owner's knowledge (ie the scripters are not in league with the site owner, and thus do not stand to benefit) they can create havoc as now Phorm needs to work out what is a legitimate request, and therefore eligible for money, and what is not.

0
0
