back to article Top security firm: Phorm is adware

In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database. Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very …


This topic is closed for new posts.


Thumb Down


That would be click fraud, which is illegal as far as I am aware.

Anonymous Coward

Waiting for Eclipse confirmation...

... I'm waiting for written confirmation from Eclipse whether this is a twinkle in their eye or not.


Advertising @Jonathan & co

Phorm will compete for advertising space on Websites under the name of Open Internet Exchange (OIX). To the website owner the only difference that they will see will be that, supposedly, there will be more clicks on the adverts displayed because they will be more accurately targeted at the end user, and therefore they will get more revenue. Phorm say that they will not carry adverts for pr0n, gambling, religion,etc. They claim that because adverts will be better targeted this will result in fewer 'irrelevant' adverts, or even fewer ads overall, as advertisers switch from high volume low cost advertising to low volume highly targeted advertising. I'm not so sure; if advertising generally becomes more effective then I would expect the amount of advertising to increase. But there we are, if it wasn't for the 'small' matter of them having to record and process every web page you access, the overall browsing experience would be pretty much the same. In fact my guess would be that hardly anyone would notice. Of course it would be very easy for Phorm to introduce pop-ups, pop-unders, and all the other intrusive advertising paraphernalia that seem increasingly to blight the web, but then again so could any other advertiser.

So the real issue is the interception of all your browsed pages by your ISP, and the possible abuse, accidental or deliberate, by Phorm or others, of the data and knowledge they have accumulated. In the UK there are laws


About Phorm, Optouts & Poisoning the Database

IMO Phorm are not going to give two hoots about the quality of data collected they make there money from marketing people who belive that the ads are targetted, and hence pay premium rates. Afterall marketing is all about perceptions and assumptions, not facts.

There will of course be revenue carved off to The ISP based on adds served by users, and of course to get around the DPA Legalities The ISP will Buy and run the Servers from Phorm (they will operate a maintainance agreement with Phorm) that way no data leaves the ISP as they own the kit, the servers will be connected to the net to retrieve and serve adverts and tell Phorm how much is served so the ISP gets paid. (Kent thinks this is ok as the data does not leave the ISP. I think this is bad beacuse they are intercepting/injecting it all. no choice!) This setup does not take due regard of RIPA.

and unless the ISP's start offering free broadband I dont think anyone is going to want to be monitored like this without more benefit. google deserve my data as they provide excellent service to me. phorm do not serve me. (not the right type of adds benefit! sometimes I like odd ads they remind me of other things. and whats wrong with car ads on car sites? - oh but he mainly looks at car sites but they are expensive so advertise on this cheaper news site he reads also..)

Today I will mainly be getting Phorm Ads, as its been my priority this week, and fortunatly my ISP is not even entertaining the idea. I love my 24mbit adsl2+Thankyou be*ings.


adverts on the net

with all the fraud and dodgy dealer on the net, who in there right mind is going to click on one of these adverts and actually buy anything, very, very few people in their right minds

its a bit like the nigerian 419 scam, pump enough ads and you will hook a few suckers.

the real test will come when people start buying from any of these ads and see if the goods turn up or worst still their card maxed out by fraudulent transactions

will the ISP or PHORM be giving and fraud protection from buying from any of these adverts

let me take a micro second to think and come up with a BIG FAT NO!!!

Anonymous Coward

How's this for an idea?

You create a phishing copy of a site that is signed up to serve Phorm's advertisments, say, oooh off the top of my head Now we know that the FT probably don't employ the same sort of protection as, for example, a bank so the phishing site will stay up longer. Now our baddies have a site where they can insert phoney ad's saying


and your average slack-jawed, pregnant, benefit drawing yokel that seems to more and more common in this jewelled Isle is ripe to be served all sorts of nasty things.

Just an idea....

Anonymous Coward

@Here's an idea....(same poster)

Just occurred to me.....the average yokel wouldn't be going to the site anyway so that was a bad example, do you know if a site has signed up to Phorm anyway? You can create a phishing site of anything and insert a "Webwise is off" alert and so back to my original hypothisys....

Again, just an idea....


Phorm and ads

As I understand it, Phorm intend to include ads only in webpages of sites which have agreed to their terms, and not any other websites - much like the ads in El Reg pages.

The adprovider may not be El Reg itself, but when you call a webpage it also calls the ads up from the separate adprovider.

Phorm's problem is that in order to individually target the ads to you then they have to know something about you; or if "you" is anonymous then they have to know something about "your" web browsing history - which information they can only reasonably get by illegally intercepting "your" web traffic.


As an aside from this, but in re online advertising in general, there is an ambiguity in RIPA which might affect Phorm or even El Reg - there are two possible interpretations of section 2(5)(a). These are known as the "conduct" and "comprised" interpretations. As yet neither has been tested in Court.

RIPA section 2(5)(a) says that conduct is not interception if it is:

"any conduct that takes place in relation only to so much of the communication as consists in any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted:"

Briefly, the ambiguity is whether the "for the purposes..." phrase refers to the "conduct that takes place..", or whether it refers to the "traffic data comprised..".

If "for the purposes... " refers to the "traffic data comprised .." then it would mean that any use whatsoever of traffic data can't ever be interception - but if it refers to the "conduct that takes place .." then it is only lawful to intercept, look at it, or give out, traffic data if it's done in order to facilitate the transmission of that communication (or for other RIPA-acceptable reasons.)

Personally I favour the "conduct" interpretation.

This would not preclude El Reg etc from including advertising; but it would prevent El Reg from telling the adproviders which IP to send the ad to - they would have to pass the ad on themselves from an El Reg IP address.

Which would probably be quite a good thing overall - but might make ad accounting harder. However RIPA is not clear on this point.


Virgin runs away

They finally realised I wasn't going to stop emailing them and sent me this address:

"Hi there,

Thanks for your email to Virgin Media.

enquires of this kind will need to be made in writing to:

customer loyalty manager,

customer concern,

concord house,

concord business park,

threapwood road,


Kind regards,

Tech Support Agent

The Customer Concern

TeamVirgin Media"

Now it's time to reply to them and complain about the lack of capitalisation.


how to beat them

there seems to be only two ways to beat this,

1:- vote with your feet and migrate to a new isp as soon as the new contract arrives on your screen

2:- everybody block the cookies from phorm / webwise (less effective as your data is still being profiled)

these are the only two options that kill phorms (and the ISP's) revenue stream

any other method puts traffic through the system and provide both phorm and ISP with saleable traffic no matter how rubbish the data generated is


@Alexander Hanff

Ass = four legged stupid animal

Arse = phorm

Pet peeve.


Re: any legal eagles out there

Will I do?

What Phorm and BT plan to do is interception, and it's an offense under section 1 of RIPA unless both the sender and intended recipient of a communication consent to it's being intercepted. In practice this means both the user and the website owner have to consent, and that simply ain't going to happen.

All the "maybe"s in the Home Office guidance have already been discussed to death elsewhere, and a long time ago, with the general conclusion that none of them have any chance at all.

Simon Watkin, who has taken part in many of those same discussions, knows the consensus view well, and I simply can't understand why he'd give out such "maybe" advice - afaik almost no-one else thinks that any of these excuses have any chance whatsoever in Court.

Of course, while Simon is very good at words, and is to some extent good at the laws he's had written - though he didn't write RIPA itself - he's fairly darn clueless about the internet (and cryptography) in general.

I know Simon quite well, so I'm not going to suggest that he may have been bribed - I think he's a straight arrow as far as that might go - but he does seem to have been eating Phorm's PR cookies. :(

To recap: there are three possibilities which might make targeted online advertising, with the targeting being based on observing the target's webtraffic, lawful:

*First "maybe", that it's not interception because no "person" is involved if it's done by machine. That's nonsense, the ISP or Phorm is a "person" as far as the Act goes. In a very similar case, the ICO has said that automated virus scanning is interception (but legal interception under 3(3)). It is also contradictory to s.16. This "maybe" argument is garbage.

*Second "maybe", that it might be lawful interception under 3(3), which says interception is legal if it's done for the purposes of the telecommunications service, ie the transmission of communications.

This is how virus scanning is legal - your computer is considered to be part of the system when it is being used to communicate, and protecting it from viruses is necessary in order to ensure the communications get through. There is a similar, but weaker, argument for spam filtering being lawful under 3(3).

However Phorm/BT looking at your webtraffic is not done in order to help transmit your communications, it's done in order to target advertising, so this argument is garbage as well.

*Third "maybe", that it would be lawful interception if both parties consent to the interception - this is correct - but in practice it's almost impossible to get consent from both parties.

Getting consent doesn't mean that someone doesn't object - it means that both parties, the sender and the intended recipient, have actively consented to the interception.

For the user side T+C's won't do it, because the user will often not the person who agreed to the T+C's, and also because such a term in the T+C's for a ISP service contract is almost certainly not enforceable.

Even getting express consent from individual users, as opposed to the owner of the connection, is problematical - suppose you want to allow a guest to use your account? The guest has not consented. You may well be partly responsible for the subsequent interception.

From the webhost side, getting consent - well, Phorm/BT would have to ask each website publisher. The "implied consent" in Simon's advice is consent to download, not to intercept, and there is no implied consent to download for many web pages anyway.

So, while it's not garbage, this "maybe" just isn't going to work - getting consent is just too hard to do.


query to BT complaints, their reply and my reply back

very long but the full story so far, i have left only the bt CS person first name in and mine (as it is on my posts anyway)

the interesting one for me is you can permantly opt out by blocking the cookie,(so trend and co can safely remove the cookie without opting you back in) but will that show up in there stats as a opted out user

below are the emails


Thanks for your reply

But You have failed to answer my question regarding if I opt out is my traffic still passed to the profiler, nor the question about assumed automatic opt-in

If it is I still have major concerns regarding privacy as you can not guarantee the profiler can not be updated to look at the opted out traffic but just not serve adverts

And I have big , big prolems with any data passed to a company whose roots are one of the biggest original adware / crudware companies on the net, like many I do not believe leopards can change their spots

Another point is as AOL found that out last year when it released a ton of anonymised search requests with the user IDs replaced by random numbers; it had to withdraw the list in haste as it became embarrassingly obvious that users could be identified from that information alone.

So by using a random number in a cookie will still enable users to be identified from the data passed from the profiler to the phorm server and so privacy is not guaranteed

The anti-phishing is a duplication of the function in IE7 and I believe also part of the norton security suite you provide, so I see little value add from that service, the only thing the users will see is an increase in targeted advert from the businesses signed up to OIX which was the adware rubbish form used to push, how many adverts are going to be for uk based businesses (very few I suspect) and due to the high rate of fraud and phishing on the web people are naturally sceptical of any popup and highly unlikely to purchase via them, this I doubt is of little concern as BT will only get revenue from allowing the adverts to be served and not from any form of pay per click on the actual poup-ups

Please inform your managers that the customer base is not happy with this, people are not going to put up with popups, adverts or other junk on their screens (we get enough junk in the post)and many will hopefully vote with their feet

The only way I will stay a BT broadband customer is if you can guarantee opted out traffic does not go via the profiler at all and it is an assumed automatic opt-out, this is the position that car phone warehouse is taking and looks like the same with virgin media (if they actually go ahead, which is not looking likely)

Car phone warehouse are (rightly so) of the opinion webwise / phorm will fly or fail on its merits and if customer find it usefull, not on wether you can bully customers into accepting it to obtain additional revenue

One final question how will you know if the trial is successful, I assume it will be by webwise telling you the percentage of users opting in and out, and who will audit those figures and confirm they are correct?

A better way would be to use an independent market research company to canvas ALL of the users in the trial with a web based questionaire similar to how microsoft get feedback from my after my partner training courses

when my updated terms and condition are offered to me I shall be reviewing my option to cancelled my contract early depending on whether BT has changed its position with webwise / phorm, which is a shame as I have had good service until this.


Peter white

-----Original Message-----

From: Residential Services []

Sent: 13 March 2008 12:55


Subject: Re: I want to complain - I have a general complaint (KMMXXXXXXXX71L0KM)

Dear Mr White,

Thank you for your e-mail dated 12/3/08 regarding Webwise, and the passing of your browsing or personal data to Phorm, and I am sorry for the difficulties you have encountered whilst trying to obtain information on this and for any inconvenience this may have caused.

As per your request for written confirmation, I have supplied you the information in the form of an email as i work from the e-contact queue only.

The data capture is designed to preserve your anonymity and privacy. We will be communicating to all customers during the trial with a page that appears at the start of their browsing session and ask customers to look at amended Terms and Conditions which can be viewed on There will always be clear choice in the hands of all of our customers. We also provide them with information on their current status on, which can be changed with a click of a button.

Your data? is not passed to any third party. On each browser navigation, a ?data digest? is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names). This is matched against a list of advertising product categories. After the match is made, ?data digest? is deleted permanently and immediately. The ?data digest? is never written to disk so it is never stored.

All this processing is done completely within BT?s network. The matching information ? the only information held within the system, is never sent to any system held outside the BT network. You can permanently opt-out by blocking cookies from the domain on each browser you use.

You can check whether BT Webwise is on or off by simply going to You?ll be able to see whether BT Webwise is turned on or off on the computer, user account, and browser you?re using at the time. To turn on or off this service, simply go to and click ?BT Webwise Off? or ?BT Webwise On?. BT Webwise uses cookies stored on your computer to capture your preference. These cookies are linked to individual computers, user accounts, and browsers, so you will need to switch the service on or off from each computer, user account, and browser you use. If you delete the cookie, you?ll need to reset your preference.

I hope the information provided will assist in helping you with your enquiry, and if you should have any further queries please do not hesitate to contact me again via e-mail.

Thank you for contacting BT.

Yours sincerely,


eContact Customer Service


Original Message Follows:


Feedback from: peter white (contact number ) Telephone Number:

Account Number:

Email Address:

Customer Comments:

i do not wish any of my web browsing (past, present or future) to be profiled or stores for any reason other than as you are require to keep records under RIPA for the fight against terror

i specifically do not consent to any of my web browsing or personal data being passed to phorm or any other similar company.

i do not require the webwise anti phishing product as none of my family use internet banking for the simple reason of its insecurity

i specifically do not want any advertising (targeted or other pop ups other than the single frame advert on my yahoo / bt homepage which i easilly ignore)

i want an immediate assurance in writing of the above

1:- if my terms and conditions are changed to allow any of the above,

2:- if webwise / phorm is rolled out with an assumed opt in

3:- it is proven that even when opted out my web traffic will still be passed via the webwise / phorm profiler

i will have no option but to excercise my right under the change to terms and conditions clause and immediately change ISP

please note car phone warehouse are guaranteeing "opt in" only and segregating their network so opted out users are definitely not passed through the web wise / phorm profiler, and virgin media have not finally commited to rolling this out yet

a very unhappy customer who is likely to be looking for alterantive ISP shortly


peter white


Argh its not *just* Webmail, its desktop mail, desktop apps too! STOP PHORM

We (peeps in Virgin NGs) discovered last night that content in Microsoft Office applications, and Open Office present the same 'user agent' as Internet Explorer.

To a web proxy (like Phorm) the requests will be indistinguishable from the requests submitted by a web browser.

The practical effect of this is that most popular desktop applications will be vulnerable to profiling by the Phorm profiler too.

Phorm' s oft repeated claim to operate user agent white list is a complete red herring (because all these applications appear to be Internet Explorer 7.0).

Applications like Word 2000/2003, Outlook 2000/2003, Open Office will effectively betray your desktop privacy to Phorm.

For example, the emails you read, and the domains and URLs where they came from.

The content within word processor documents, and the domains and URLs where they originated.

Phorm will not be able to differentiate between Microsoft Office applications during wordprocessing or email operations, and Internet Explorer.

The privacy and personal security risks associated with Phorm are simply too profound to be tolerable, not even as as an opt in model.

For details see



C'mon guys

surely together we can come up with either;

1) a virus which just sits in yr Temp Internet folder, just waiting for Phorm's servers to read it.


2)a randomising program which changes the contents of the cookie each time a new page is visited, making ii useless.

Anonymous Coward

If the ISPs want people to use PHORM they should provide FREE internet access

I have not uses virgin media and so I wont comment upon them

Bt however have for the past year and a half have been trying every dodge to sqeeze more money out of their customers, first they resell their customers bandwidth via BTFON now want to sell the user's data too. BT charge over the odds for their service and outsource the call centres to indian so removing revenue from this country. It is clear that BT do not like the people in this country at all they go out of their way to screw us at every turn, PHORM is just another example of BT Business practices.

Ofcom who are supposed to protect communication customers rights are clearly being directed by BT, I say this as BT can and do what ever they like without repercussions, who speaks for the customers protection not ofcom they speak for BT. There is evidence that BT trialed PHORM last July against BT's own privacy policy, why has this not been investigated by any goverment department?

Why is BT Wholesale (the people who charge the line rental) allowed to have a monopoly on communications outside of every city.

I will tell you why, it is because your goverment is not interested in the people only in companies and there interests.

The tax payer has to shell out when big businesses cockup see Northern Rock, LLoyd's names etc is this money well spent? I ask as I do not understand what possible benefit to me comes from giving £20Bn of our money to fat cats who gambled and lost.

The Pimps here are not PHORM they are just the middlemen, no it is BT and the Governement's policies that are the real pimps and we are just whores who have to pay for someone to screw us

Thumb Up


A simple web-proxy like glype will sort phorm out, it encrypts the url so they can't track what you're browsing. So opens another revenue stream for proxy websites :-)


ripa.. something else others haven't thought about

I sent this to chris, but I thought I'd mention it here.

Under the RIPA, interception is unlawful without the consent of both the browser and the website.

The Phorm "service" is acting as, effectively, a proxy at the heart of things, so where does this place all of the corporate and WAP proxies? Surely they break the RIPA, maybe not on the browser side (since the employee/customer would have signed a contract stating that their electronic communications would be logged and tracked) but I'm willing to bet that the websites they are caching haven't been contacted in order to gain their permission.

Does this mean that evidence collected using the proxies in disciplinaries and dismissals aren't legal? What about the "web experience" when using WAP and 3G connections?

Certainly an Interesting question.

Thumb Up


There are a number of cases where cached websites have been deemed as inadmissible in court for the purpose of evidence; on the grounds that they are "hearsay" and unable to be verified.

A quick search on Google should give you some good starters.


Do I look bovard?

I do not want Phorm.

However I care not if my ISP offers it as an opt-in.

But let me be clear. I will not opt-in, thus I expect the following

1. No cookie or similar on my PC.

2. No data mirroring or 'feeding' even if its discarded.

So long as points 1 and 2 are held to and no auto opt-in I am quite happy for my ISP to peruse new revenues.

So Virgin media you had better be listening.


Paris Hilton

@Dave "good quality connection / uk support"

By Dave

"Just sell us a good quality connection at a price that will make you some profit. If it costs you more for UK based tech support, then pass the cost on to us. We Will Pay. Cheerfully. We will gladly recommend you to our friends."

Sounds like you need to be with Zen. UK Support, clueful staff and rock solid connectivity, no shaping, management or other interference, and a stated no way to phorm policy.

Paris, cause even she'd avoid Phorm, she needs no advertising.


Looks like we have lost

The market thinks the bad press has all blown over and now its onward and upward for Phorm..


Phorm share price

I don't think it's that bad it's going back up a bit. That's what markets do, over react then correct.

This month, it reached a peak of around 3300, reached a brief low of 1800 and spent most of the last week bouncing around 2000, and now is back at 2250. So it's still lost around 32% of it's value. That's a significant correction in anyone's books.



The proxies are there for the purpose of providing you with the access to the internet - therefore they are covered by RIPA as part of the connection.

If they start skimming the proxies for a purpose other than to provide you with an internet feed, that would be a different matter.



I was wondering if BT, Virgin, et al, might not be hoping to get an undisclosed secondary benefit by making people like us go away to another ISP anyway... typically techies are the higher-end usage people and we're most likely to be the troublemakers with the Phorm interceptions.

If they get rid of the top 1% of bandwidth users then they can skimp on investment, cut services and get even more profit per user from the remaining rump of those who use their 8mbps, 40GB per month £25 connections to download two emails a day and read up on their soaps.

Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website.


Have emailed BT

I emailed BT yesterday expressing my concerns about Phorm and received a form Phorm letter back teling me that they wouldn't be scanning my passwords or emails.

Naturally I was enraged; they better not be scanning my f*cking email because that would be a blatant contravention of the DPA.

If I don't see a published retraction of the Webwise/Phorm relationship within the next week I will be leaving BT. I encourage others to write as well, voting with our feet will make them change their minds.



The proxy our department runs in the company isn't there to provide people with net access, it's to restrict certain sites and to be used against people who use the net too much or for inappropriate content.

Also, I believe that some of the WAP proxies are capable of injecting ads into the stream to (tho I haven't heard of any making use of this "functionality").

Anonymous Coward

LOL at the www.iii investors

you cant be serious, the class of replys on that so called investers site are so dumb its a wonder they have any cash left to invest in anything werthwhile, never mind drive this Phorm stock up for so long.

how come the better posters here and elsewere didnt join that thread and put these so called investors right?

i dont know anyone could invest in something and not even read and undertand a patent, or at the very least try and gain some basic insight into how it might work and the implications as regards the laws it must follow.

an example quote from there:

"zoiezoie:I know very little about this company and the technology, but the fact that there has been so much public opinion about it recently then I feel it must have something that someone will buy..."


@ Lol at investors

I don't know, facts don't often get in the way of a good bandwagon! I suspect there may be some concessions on improving the opt-out (though opt-in will still be the default) and then it will be rolled out everywhere as fast as they can. One thing I find strange is that BT and VM decided to go with these shyster's, given their background, when there are several more mature solutions in place already in the US and Canada, which have been slipped in without anyone knowing (oo-er missus).

I am tempted to buy in for a couple of grand myself, can't be worse than my FA Cup accumulator.....

Anonymous Coward


"Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website."

its been said time and again in several places, thats exactly what web masters should be going.

along side end users sending a Data Protection Act Notice to their ISP (and now Phone companys )

removing any and all rights to collect,process or export any of their personal data outside the basic contracted supply and billing of their connections.

is it really that much trouble to write the letter and send it registered post to your data controller to protect your rights into the future and nullify any UK T&C that might try and auto-insert such concent (not that a T&C is infact an _explicit_ concent of course).


@ Lol at investors

"how come the better posters here and elsewere didnt join that thread and put these so called investors right?"

1) There is a 48 hour delay on activation of forum accounts, a speed bump, if you will.

2) Technical arguments will not work on the technically illiterate.

Keep watching the skies ;-)


Good morning! Wake up and smell the coffee.

No doubt all the people on here who have been whinging about their privacy will have been reassured by the clamour from outraged MPs protesting on their behalf. And how come these same people missed the re-branding exercise that now means that the 'K' in 'UK' stands for Klondyke. The gold-rush is on and the panhandlers are mining for your data in the entrepreneurial spirit espoused by your government.

Now that you've enjoyed the coffee, please turn over and bite the pillow while you enjoy the delights of rampant capatilism.

Shafted again.


re: "educating" the iii users

I would post on there and tell them the facts (tho is seems they just plain don't want to know, they can't see past the money symbols int heir eyes), but the place demands a user sign up and I can't be arsed to give them my email address!

Anonymous Coward

Duty to report crime

BT's previous secret trialing with Phorm would seem clear prima facie evidence to suspect that a crime was committed under RIPA. It is sufficient that someone suspects a crime may have been committed to report it to PC Plod for further investigation. While anyone can report a crime, in this instance someone who has logs of BT's activity last year would be better placed to report it. It is also open to bring private prosecutions in criminal matters, but that would a looking a long way into the future. No amount of BT talk of T&Cs and how it intends to operate the system in the future changes what it may have done in the past.

Anonymous Coward

I don't really understand the business model

I realise I'm probably slightly more technically inclined than an average user, but i have never, and will never, click on an internet ad. As far as i'm concerned all the ads are a blight on the net there simply to take advantage of naive users. In fact, like me, pretty much every firefox user uses adblocker to strip them out now. Its popularity should give Phorm an idea of the general feeling people have towards ads, i'm pretty sure that if IE8 supports user plugins, adblocker will be ported and no-one will ever see an ad again.

Even the reg drives me mad having to use IE at work, when i have to sit for 30secs staring at the header while all the ads load before the rest of the page gets displayed.


@AC - phorm's share price

Of course phorm's share price has moved the way you didn't expect. If share prices moved the way people expected then everyone could make loads of money. Not everyone can be a winner, so share prices don't move like that.

Simple really. No need to get upset about it.

Thumb Down

So glad I'm with Zen

So glad I'm with Zen.

Every aspect of our lives seems to be probed at with or without our consent and this is another step in the wrong direction. Maybe the government don't mind too much as this is the sort of technoligy they want to use to see what we are getting up to!

Anyone see the movie "Brazil"


Ask Emma at BT website, she has all the answers........

Have just been to the BT website to see if they are listing anything on Phorm. I asked Emma (their wonderful help assistant) the following questions.....

You asked me:

Who are Phorm?

My answer is:

I'm sorry, but I don't think I understood your last question. Please try rephrasing it and ask me again.

Fair enough, most people on the street wouldn;t have a clue to that one!!!!

Tried a different approach....

You asked me:

will you sell my browsing habits to phorm?

My answer is:

I'm confused. I didn't understand what you just said.

Well, its a fairly simple question!!!!

I then tried the following........

You asked me:

are you a bunch of incompetent pillocks who are going to sell my personal data to a mallware company?

My answer is:

Spyware and adware are small programs that install themselves on your computer. They track your surfing habits and collect personal data that's then sent back to their creators.

BT Yahoo! Anti-Spy is included with all BT Broadband packages. Visit the BT Yahoo! Software centre to download it.

Click here to see a web page with further information.

Not quite the answer we were looking for, but BT apparently know what mallware and spyware are!!!!

Next try.....

You asked me:

how do you think your customers will feel when they realise that all their communications are being ...

My answer is:

I'm sorry but I can't discuss our competitors, I'm only here to answer questions about BT

OK, so are Phorm a competitor or a business partner?

Next try......

You asked me:

Is bt breaking the data protection act by profiling customers and selling this information?

My answer is:

Sorry, I didn't understand that. Please reword your question.

Again, a fairly simple question, and a Yes/No answer would have sufficed.

Final question......

You asked me:

can i sign up to have my data sold to phorm

My answer is:

Click here to sign up to All BT customers can manage their bills online - it's free to sign up, and only takes a few minutes. You'll need to let us know your email address and your account number (which you'll find on your most recent BT bill) if you want to manage your account online.

So, the online help service is completely useless, but you can sign up to have your data sold off to a third party company.........

Tinfoil lined parker on the far peg please.........


@I don't really understand the business model

> [Adblock's] popularity should give Phorm an idea of the general feeling people have towards ads

Apparently Phorm doesn't care in the slightest - not when there are users to be exploited and money to be made.

As was said in one of their warm-n-fluffy pronouncements (I'm paraphrasing), this is an exciting service designed to help the poor befuddled user by providing ads. which Phorm claim would be of interest - and all at the simple and painless expense of tracking browsing habits using closed & proprietary software.

Naive or just plain ol' predatory - it's in there somewhere.


Re: I don't just want to avoid Phorm....

"...I want vengeance. Can we destroy this thing? "

I don't do "internet anarchist" attacks, but..

I've just pointed out to Google that Phorm will be illegally collecting (stealing?) their commercial data, as Google have not consented to Phorm's interceptions, and urged Google to seek an injunction to stop BT doing trials.

I say stealing? with a question mark, as the question of whether it is stealing or something else is legally complicated, but ask yourself - how much would Google charge for that data (if they could legally sell it)?

That this would also likely remove one of Google's potential competitors in the online advertising market - well, Google may see that as a bonus :)

If anyone else with relevant connections would like to urge any of the other big sites to seek their own injunctions .. someone has to pay the lawyers, and the big sites have both the money and the incentive.


The BBC?

Hey - the BBC have a 'have your say' thingy on Phorm:

Just thought I'd mention it...

Anonymous Coward

Data profiling - the dummies' guide: Part one

The time has come to separate out the wood from the trees with regard to ISPs, profilers, data packets and advertising networks.

First point to consider is that the marrying of user profiles and adverts has been going on for a few years. The big difference between now and a few weeks ago was that everyone bought into the "it's OK because I am getting a good service" spiel without any knowledge or understanding of the privacy aspects. Ever noticed how easy it is to do a search on a mobile phone and be offered businesses nearby matching your query? - isn't this one of the selling points of the iPhone?- not yet available(?) in the UK but coming soon. More on this below.

Back to the ISPs and a little background technical information.

Data packet inspection systems: this is hardware which sits within the routing system at the ISP. Simply, data packets are the clear text (including cookies) sent from your browser to the ISP to identify your request. The ISP sends this data packet on via DNS and routing servers until it meets the server which hosts the data requested. The host server sends the response data packet back to the ISP who returns it to you. And you see your request being displayed in your browser.

A request leg and a response leg, both under the control of your ISP and everyone else along the route taken by your data.

ISPs and networks have been recording the content from the data packet inspection systems for years, logging traffic in and out. The content can be assembled and analysed to give an idea of what you are doing every time you turn on your computer.

When required to do so by law, the ISPs are able to supply all kinds of information about the user. This includes but is not limited to your e-mails, chat sessions, banking (even though they only see the encrypted data - urls are in the clear), purchases, etc.

Now a quick look at advertisers.

Google is evil goes the cry. Google (and the other search engines) tracks queries and builds up a profile of its users. Even if you don't use a search engine there are webmaster tools like google-analytics which are also used to track users as they browse the web. In case you miss the visitor tracking tools there are also scripts which deliver adverts across many partner websites: each time you see an advert you are being profiled.

Just in case you missed that: each time you see an advert which has been delivered by a script, you are being profiled.

Those who know about the tracking being done by the search engines and all the rest of the ad networks have not been too worried about that as it is seen as a small price to pay for a free service and it is possible to block the profiling by restricting the way in which the browser uses scripts and by using the host file to divert requests to domains used for tracking. We are happy.

BUT, the advertisers are not happy. They complain to the advertising networks and say that they want a system which does not rely on cookies: they want their adverts delivered and they want a good ROI for their advertising dollar.

Now the data packet inspection systems come into their own.

It is a very short step from collecting the data packets to using the data collected to generate profiling information. Privacy is an issue and different countries have different rules. Not to worry: as part of the data mining the ISP is able to provide an added value service which their users will be so very happy with. A small sacrifice and so like the sacrifice made for the availability of free search.

Here are some examples of services:

When you logon to your ISP, the first thing you see is a report of how much bandwidth you have used. If you have a mobile, your ISP can give you a report on your remaining credit balance or the balance of inclusive minutes available. Webwise will tell us if we are about to visit a phishing site. Wonderful, something useful for nothing.

You will notice that I have not made any mention of all the free wi-fi hot-spots that are springing up wherever there are people with wi-fi connections. Don't forget to disable WEP so that you can use the system. And there are all these T&C that pop up and you are asked to agree to before you use our wonderful free hot-spot. Just click OK else the battery will be flat before you get to the end of the text.

How are these services offered?

This is the simplest part of the whole system. Back to the data packets and the ISP.

Up until now, data packets had only been analysed to created revenues from consolidated demographic data and to calculate the popularity of URLs. Along comes the profiler to analyse data by user and by target market segment and promises of a share of advertising revenue from all the net browsing of their users. No need to e-mail users about new services that they have been surfing for, just pop your ad up onto the screen when they logon (no one will know that they are seeing something different from their neighbour).

But, how to sell the system and get around privacy issues?

The easy option is to give each user an anonymous random ID via a cookie and to provide the profile supplier all the analysed data they require together with the cookie ID. Then, all that is needed is to give the ad networks a script which reads the user's cookie ID, looks up the profile for the user with that ID and displays a relevant ad that matches the target interests.

Giving the user a cookie is easy. The ISP only needs to intercept the data packets and inject a script that will lodge the cookie ID on the user's system before they are delivered the request they made. Once they have their cookie ID, all requests are easily identified with them and the content requested can be analysed by a split system. Simplicity itself.

This is so simple, what if it fails? What about users who delete their cookies or who can't accept cookies? - cable TV downloads and all those handhelds with different operating systems.

Now this also has a simple system. No cookies required. Just an electronic short delay between the response data packet being delivered from the host server to the ISP, analysing the data packet and injecting code into the data packet before being delivered to the user. Warning: the data you are about to download is not permitted as per your T&C. If you continue with the download of pirated content you ....

I think you get the idea. I am sure that the Chinese engineers can explain the identifying of content far better than my simple example.

For the advertiser, the match code is already available in the browser and all that is needed is to match the injected content with their data and the user sees a targeted and relevant advert. And no one is any the wiser. If it is a TV programme that is being watched, rather than the data packet being sent to the TV it is sent to the ad network who now know that the user likes watching programmes about 'summer holidays' or has been surfing on sites promoting holidays. So easy to send a relevant ad or two during the next ad break.

Part 2 to follow

Anonymous Coward

Dummies guide: Part 2

OK, I admit that some of the above details could be way off course. That is because it is so hard to find any information.

The data packet inspection systems are real. All that is needed is a parsing script and you can use the data in any way you can imagine.

The delivery of targeted messages before the user views the content they asked for is real.

The deliver of targeted adverts to cable TV users is real.

Now it is time to look at the profile providers.


Looking at the UK Privacy Policy of NebuAd at

personal information and the following is not supplied by the ISP:

Email Addresses

Last Names

Street Addresses

Telephone Numbers

National Insurance Numbers

National Health Service (NHS) Numbers

Financial information, including credit card numbers, login IDs, passwords, or bank account

However, data collected does include the following data:

Web pages viewed and links clicked on

Web search terms

The amount of time spent at some Web sites

Response to advertisements

System settings, such as the browser used and speed of the connection

Post code

Sensitive personal data is not stored or used.

Cookies are used to record whether you are opted in or out. They are also used to record how often you have seen a particular advert. NebuAd also process information contained in the server logs when you visit a site: "may include a user's Web request, Internet Protocol address, browser type, browser language, and the date and time of the user’s request" and will be used to facilitate the serving of advertisements that match the user's interests.


To summarise: even if you are not having your data collected and profiled by the ISPs NebuAd have signed up with, every page within their partner network is collecting all the data that that search engines and every other ad network has been collecting and that those who know try to block.


From the FrontPorch web site: "Front Porch also enables Internet providers to leverage their networks to deliver any targeted ad or customer message directly to users’ browsers anytime and anywhere they surf the web."

To summarise: They are in over 3,000 installations in over 33 countries including cable, telcos, internet providers, wireless hot zones, conference networks, airports, shopping mails, sports centres, train stations, resorts, universities, commuter hubs, coffee shops and tourist attractions. FrontPorch works without cookies, using meta data from the browser session to match the user profile to display ads during the current session. They also deliver targeted notifications from ISPs direct to the browser before the requested page as users surf the net - available credit balances and bandwidth notifications being common uses.

With the growing delivery of TV content via the internet, ISPs can now deliver targeted ads to viewers of regular TV programmes.

FrontPorch are running trials with cable and telephone companies in the USA, Australia, Asia and Europe. shows 126 hot-spot locations for London.

For the technically minded, see United States patent No. 6,442,577.

Suddenly those free hot-spots are not so free - boycott anyone?

Why do I get the feeling that all wi-fi connectors are about to end up in the bin? Do people really turn WEP off just so that they can have free surfing, including checking e-mails, at the hot-spot in their local cafe or coffee shop?


I am not going to repeat it all again. Their site shows that advertisers can match on broad market sectors, key words and URL visits. That is a lot more than the information that can be stored in a cookie so your cookie is identifying you with your profiling data, wherever that is stored, via a script hosted on a 3rd party web site. The 3rd party site will be able to track you, even your IP address.

It is difficult enough to believe that the unique cookie and IP address are safe in the hands of the ISP. Who believes that there is a bamboo curtain between the cookie ID and the IP address on the 3rd party site?

For our US and Canada cousins.


The Adzilla site has less information. However, no cookies are required so a real time data packet injection is suspected. The ISP may provide access to personal information (which stays within the ISP) to improve the ad targeting. Ad serving partners use cookies to track your behaviour and user trends. Adzilla will also record the logging information supplied by the browser when accessing servers.

Project Rialto

Even less information available. Stealth as per their site, stealth in reality. A little searching gives a China connection to the CEO.

Back to the ISPs

There is nothing that says that an ISP can't install something that shares data with all the various profilers of the world - it all depends on how much of the non search engine ad dollars they want to get their hands on and how many times they can sell their users' demographics.

What my investigations show is that there is a very small step from the available data packets to earning revenue from the content. It also shows that most users don't realise that the 'service' they are getting is coming at the cost of their privacy. Mobile users will be most under attack with the ISP sharing their location with advertisers - i.e. Google's local search. Yes, search engines are using this to get their ads better targeted too, even if only sniffing our IP address or local hot-spot. And, which social network was looking forward to knowing where members logging on via WAP are so that it can track members? - for the benefit of other members, of course.

I am beginning to understand why the protesters at El Reg are being counted as ignorant fools without any vision of the bigger picture. Only 4,000 have signed the petition. Not even a drop compared with the market.

Today I did a little market research. No one knows about this. Only one said that they may change ISPs because they use the home connection for work via https. One said that they had had so much trouble getting their current ADSL working that they could not think about going through all that again.

Profiling of personal data has already happened all around us and until the last couple of weeks everyone had been very happy with it. Now that there is more information and the process is understand a little everyone has the choice of whether or not to use any of the services that give away data that some want kept private.

Blocking cookies and using the hosts file does not work against data packet injection by the ISP.

Blocking cookies and scripts is just good browsing practice. Redirecting tracking sites to is best practice to preserve privacy. If more people complained about sites that don't work without cookies and insecure browser side scripts there may be more sites that meet the accessibility standards that are required under the Disabilities Act.

You are wrong, Kent et al, if you think I am going to lower my security settings just so that I can view your partners' sites. Well written sites work very well without cookies and insecure scripts.

If every site owner and web host was required to be registered under the DPA there may be a little less sharing of the logging information for monetary gain. My IP address is personal identifiable information. It is bad enough when spammers spoof my e-mail addresses. If anybody did anything illegal while spoofing my IP address, guess whose door would be getting the first knock.

It is all a matter of security. The security of our personal data. Each one of us is our own gatekeeper. The security tools are out there, many freely available.

It is time to shut the gate.

How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?

Anonymous Coward

Dummies guide: Part 2

Phorm Comms team here

Your description of the Phorm system is plain wrong. Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.

We've built the system from the ground up with privacy in mind. We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim.

Phorm Comms Team (

Anonymous Coward

the petition


How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?"

OC it might also be said that people dont want their personal names posted on

a public petition, due to privacy concerns, catch 22 and all that.


As they read every page they can't ignore this

We have at the top of every page, as the first line after the <head> statement the following, we urge all website/content producers to do the same.

<meta name="ATTENTION" content="Attention: Phorm Inc, All Subsidiary Companies of Phorm Inc, OIX Network, Internet Service Providers using the technologies provided by the former mentioned companies; [sitename] specifically denies permission for the former mentioned companies to intercept any communication between a remote user accessing content on any [sitename] Server and that person's Internet Web Browser, or any other Interface that such a remote user may use to obtain [sitename] data.">


@Phorm Comms Team

"We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim."

However, it's possible that an advertiser could discover which web pages its phorm adverts were displayed on, or a web site could discover which phorm adverts were displayed on its pages. This may be trivial, or it may involve tricky javascript, web bugs and browser exploits, but it seems very likely it would be possible.

In that case they have all the information they need in order to discover (approximately over time) the advertising preferences assigned by phorm to a specific IP address.

In other words, you may not know who we are, but thanks to your link-up with the ISP everyone else in the world will be able to find out who we are and what our preferences are. Your "anonymous" system is nothing of the sort.

Anonymous Coward

NO @Phorm Comms team , pay us our fee

Phorm Comms team here

...Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.

Phorm Comms Team (

No PCM, thats not the starting point, the starting point would be about paying the users a licence fee for legal use of their data.

Anonymous Coward

@Mr Anony there are more than Phorm out there profiting off your data

while its good to see some initative Mr Anony,the fact is there are more than just Phorm out there profiting off your data without paying you a fee.

for any web master out there, the fact is as a general rule you need to simply refuse collecting,processing, copying or export by any profiling electronic device or software ,nor for profit or fee without explicit written consent and any fees due payed in advance or £20 per page per view.

you get the idea ;)

that profit and fee would also probably also exclude the mobile phone companys that charge by the megabit for free content perhaps ,yeah for fixed fee mobile BB.


looks like it's already happening on BT

I've noticed over the last few days whenever I go to one of those god awful one click hosting sites that the bandwidth foe my ip address has been exceeded yet the ip address that they report is completely diffent to the one I actually have.

they all seem to be in the range of 194.72.*.*

looks like the start of phorm to me.



This topic is closed for new posts.


Biting the hand that feeds IT © 1998–2018