The Phorm files

We've had a busy time digging into the deals signed by BT, Virgin Media and Carphone Warehouse to report your browsing habits to Phorm, a new advertising company. Here's the fruits of our labour, lovingly collected for your perusal. There are tales of the secret trials conducted on tens of thousands of BT customers without …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Well done El Reg!

    Great work being done here.

  2. Anonymous Coward
    Happy

    All Phorm Comments in one place?

    All comments from previous Phorm stories in this place also?

  3. Dave Bell

    A general question.

    I run a BT broadband router with NAT, and sometimes several people sharing the connection. Hence they look to the outside world to be a single computer/user.

    How can I be sure that inappropriate advertising content will not be delivered by this system? Others have raised the spectre of "adult" advertising being presented to children. What guarantees have we that the advertising will comply with the various UK-specific laws and codes of practice?

    I would suggest that pre-watershed TV standards would be a good start. Are Phorm's customers prepared to follow British rules when they push adverts at customers of British ISPs?

  4. therealvicz
    Dead Vulture

    Question: What did Privacy International endorse?

    A search for Phorm or Webwise on the Privacy International website shows 0 hits so what exactly are they supposed to have endorsed?

    While the use made of the information for advertising may (or may not) be as Phorm describes, what prevents them from doing anything else with it? What ongoing oversight is there? (none?).

  5. Jon
    Unhappy

    Can I have some of that data please?

    If these companies are so sure that the data is being anonymised, perhaps we should put it to the test.

    Suggest prior to setting the ball rolling with Phorm, they should run a competition, open to anyone, to see whether someone can piece together details from what they intend to send to Phorm and play pin the tail on the customer.

    If it's completely safe then there'll be no problem. They could offer the equivalent of an entire year's worth of profit from their deal with Phorm, safe in the knowledge that nobody will win the prize.

  6. Leo Rampen
    Linux

    SSH Tunneling

    With these developments, I know that I will personally be tunneling all my browsing over SSH from now on. Find yourself a server and do the same!

  7. frank denton
    Coat

    The makings of a good movie?

    I just had a look at http://www.badphorm.co.uk. It seems the Phorm software was developed by the Russian Lebedev Institute which has links to the Russian security services. Combine that with OIX servers in China and you have the makings of a tense modern day techno-thriller involving the KGB (yes I know they've changed their name) and the PRC security services.

    If anyone had written such a book/script last year, it would have been laughed at for being too far fetched. There could be an interesting twist of a back story where the UK government had decided it was no good at this modern internet data thingy and decided to subcontract the job of surveillance to people who knew what they were doing.

    As I said earlier, it's too far fetched to be true.

    ..Mine's the one with the RFID tags hidden in the lining.

  8. Anonymous Coward
    Paris Hilton

    uk hotmail down now

    So does that mean if i browse p0rn all night, I will get p0rn banners!!!!!!!!!!

  9. Graham Wood
    Stop

    Voting with your feet is the only way to get them to listen....

    Having said that, thankfully none of the ISPs I deal with are involved so I can't do that myself...

    There is one good thing to come out of this - I've just set up a TOR server on my colo box as part of my complaint (I've also chucked a message on the forum for my ISP), so there's now another 3TB/month available to TOR directly as a result of this debacle.

  10. Joe K
    Stop

    The BT execs should be arrested for this

    Seriously, police should march them out of board rooms and off golf courses in handcuffs come Monday morning.

    They can waffle on about reviews and anonymisers all they want, the very fact that your browsing history is routed to a computer called the "Profiler" located in CHINA is reason alone to sound major alarm bells here.

    So will the profiler look at my bank details to see if i can afford a shiny new car or HD telly and so give me an ad for one?

    Serious questions need to be answered here. Fuckers.

  11. Graham Wood
    Flame

    Re: Previous Comment

    One thing occurred to me on the way home - using TOR isn't necessarily going to help.

    With the collection being cross-ISP, the vulnerability is NOT the one that TOR was designed to protect against. Indeed, the ability of the "exit points" to monitor your traffic is one of the stated limitations of TOR - it means that if anyone runs a server at the end of a line provided by one of the compromised ISPs then sessions could be "nobbled".

    I wonder whether China's looking at this and thinking "Why didn't we do that?"

  12. Sim
    Stop

    Reply from Virgin Media

    A reply from virginmedia customer support (edited to reduce tedium)

    I am sorry that the information that we are going to start using phorm has worried you, here is some information to help give you a better understanding in regards to what this is.

    A safer experience

    Webwise will help customers avoid scams, such as 'phishing' - this is where someone pretends to be a well known brand, like a bank, but is looking to steal confidential information. [SNIP..]...identity theft. In this way Webwise helps to secure our customers' privacy.

    A more relevant browsing experience

    Another great thing about Webwise is that it can help reduce irrelevant advertising. As customers browse web pages, Webwise looks at things like search terms, and learns what topics might be of interest. This is done without collecting any personal information, so once again their privacy is protected. These topics are then used to help filter out adverts that might be irrelevant - instead they'll simply see an advert that will match a topic they're more interested in.

    Don't worry, they won't see any more adverts than they currently do, they'll just be more relevant. [SNIP...]

    Protecting customers' privacy

    Webwise has been designed from the ground up to protect our customers' privacy and anonymity. As the system only learns about topics of interest, it does this anonymously, ensuring their privacy is completely protected.

    Neither the web addresses, nor search terms they use are stored. They are purely matched to an advertising topic and then discarded.

    Webwise doesn't store their internet (IP) address or keep track of their browsing. The system or advertisers won't know who you are or the websites they've visited.

    No personally identifiable information such as email addresses, surnames, street addresses, or phone numbers are ever gathered.

    No sensitive or personal financial information, such as credit card numbers, login IDs, passwords or bank account numbers are ever gathered.

    We found that this system met our high standards for simplicity and privacy - so customers' privacy is assured. These privacy standards were also verified independently by Ernst & Young who conducted a detailed audit of the whole process and Webwise solution.

    Customers won't be forced to take up Webwise, so they'll be able to keep their internet experience as it is now...

    [END...]

    That last phrase leaves it deliberately ambiguous as to whether or not users will be required to Opt In or Opt Out - I wrote back to Virgin Media to request clarification on this point.

  13. Anonymous Coward
    Dead Vulture

    Just the same bullshit...

    ...that is on the BT and Phorm sites. Of course the point is that whatever Phorm SAY they are doing now or whatever they showed E&Y IN THE PAST there is no ongoing supervision to ensure that they don't just change their minds or just pass the information on to their spyware purveying friends. BT and VM actually have no idea what else will happen to our data, no way of checking and no possible way of changing what is being done should they not like it. At the moment they are just happy to take their 30 pieces of silver and run. It is utterly despicable but why do I suspect that once Brown and his goons wake up to this their first reaction will be 'hmm how can we get a copy too'....

  14. Morely Dotes
    Black Helicopters

    @ Joe K

    "So will the profiler look at my bank details to see if i can afford a shiny new car or HD telly and so give me an ad for one?"

    It's far more likely that a Phorm employee will set up a direct deduction from your bank account to a bank in China, Joe.

    I'd give up online banking immediately, if I were a customer of one of these three subsidiaries of the Red Chinese Army.

  15. Anonymous Coward
    Anonymous Coward

    Let's give them what they want... and then some

    Remember the SETI project - loads of computers spending spare processing time wading through data?

    Could some bright spark come up with a 'Phorm-Feed' project? Spend night and day firing off spurious URLs to small data sources, filling their wretched database with completely meaningless data?

  16. Claire Rand

    optin/out

    it will be opt out, and in such a way you have to keep opting out, otherwise there is no money in it.

    the requirement to have a cookie to say 'opt out' is evil, since that's soooo easy for anti spy programs to nuke accidentally, then you forget to reset it.

    with adblock etc I'd never see the ads but i object to the tracking

    data protection act?

  17. HeavyLight
    Black Helicopters

    Wondering aloud

    Will it be possible for users to identify Phorm-selected ads?

    If so, could an Adblock filter be written to *highlight* those ads?

    And if that came together, how long would it take to devalue Phorm if [a large number] of VM/BT/TT users clicked on every Phorm-served ad whenever they were fortunate enough to see one?

    Every ad. Every time.

    Just wondering, like.

  18. Ben Saxon
    Flame

    I dun made a facebook group to help spread the word

    Here it is, should anyone be interested:

    http://www.facebook.com/groups/edit.php?info&gid=9216870661

    Yes, I realise the irony of starting a group on facebook, a site which is notoriously shady in terms of privacy issues etc., but it is a powerful social tool after all. I just hope facebook members glance up from their lame Vampire/Werewolf fight applications long enough to notice something important going on.

  19. Anonymous Coward
    Anonymous Coward

    Verified...

    >>>These privacy standards were also verified independently by Ernst & Young who conducted a detailed audit of the whole process and Webwise solution.<<<

    What for, I wonder.

    Profitability?

  20. Andy Enderby
    Thumb Down

    errr a question for the phorm interview

    Just what the f**k makes them think we want any part of their cr*pware ? Enhanced user experience ! My Boney Arse !

  21. Phil A

    BT Privacy policy

    Whoops, perhaps they should have a look at their privacy policy, they seem to be violating it...

    We do not use this information to:

    identify individuals visiting our website; or

    analyse your visits to any other websites (except that we do track you if you go to websites carrying our banner, but we do not identify personal details while we do this); or

    track any Internet searches which you may make while on our website.

  22. Bob W

    @ Verified...

    From the E&Y report-

    "Because of inherent limitations in controls, error or fraud may occur and not be detected."

    What a ringing endorsement!

    Bob W

  23. Anonymous Coward
    Pirate

    SPYCOMS

    Phorm will not like having the title of SPYCOMS, I don't care, sue me!

    Spying with communications in any way, then that is SPYCOMS.

    Well done Phorm, you have the honour of being the first business in the world to have the title of SPYCOMS.

    Just read this and this is powerful comment, totally on the money.

  24. Anonymous Coward
    Anonymous Coward

    Data/Personal details being released .

    I have a BT connection and luckily the name on the account has been misspelled and thus I will know when and if such data is released to a third party to send me email or mail spam. Are BT saying that they are NOT disclosing data? If I receive anything under the misspelling I will be looking deeply into it and will contact the Register.

  25. Anonymous Coward
    Unhappy

    If they don't collect personal info...

    ...and they don't store IP addresses, how do they know who to target the ads to?

    It would be like a postman trying to deliver a letter that has no name and address on it, wouldn't it?

  26. poh

    Relevance is a danger in itself

    Even taking Phorm at its word, relevant ads based on your whole browsing history are pretty scary. Say I visit the Consumer Credit Counselling Service URL, a few minutes later I'm at a phorm fed site and up pops an ad for Ocean Finance.

  27. Graham Wood
    Black Helicopters

    @AC

    To use your analogy... There's a story (I believe it is true, but don't guarantee it) that a letter was delivered "to the girls sitting on the back of the 6:30 bus from 'A' to 'B'". The postman never knew who the girls were, but got the message to them... In the same way that phorm won't know who you are, they will know that you're interested in hairy German bottoms - and therefore send you appropriate messages.

    EVERY comment from one of the companies talks about what is stored, not what passes through - quite apart from the security of my data from Phorm, how about my security from someone hacking phorm's network(s) and/or devices?

    95% of unencrypted web traffic is now going to be going through some very well defined pinch points that are all running the same software... Perfect for MI6 (if you want to stay within the law) and/or ID fraudsters (if you want to include the not so happy people) and a complete and utter "no NO NO!" to all security advice around. All anyone has to do is see a single email in your gmail/hotmail/a.n.other folder, and the anonymity is all gone.

    I've picked the helicopter because I hope, REALLY HOPE, that I'm being paranoid.

  28. salil
    Happy

    Need some help...

    so will this mean they will be changing their terms & condition (contract) which will allow me to end my contract soon? i really want to change my ISP BT.

  29. Alex
    Gates Horns

    BT can put us on the list of "ex-customers"

    We currently run their top whack option with BT Vision but recently the quality and reliability of our broadband (and supplied equipment) has fallen well short of the mark but this is just plain wrong, I wonder what that other bastion of privacy and advertising thinks about this, has anyone heard from Google? surely their ads being swapped out isn't going to make them very happy is it?

  30. Zap
    Stop

    Complain to the Information Commissioner

    Where the hell is the Information Commissioner in all this?

    As usual toothless and doing NOTHING, probably because not enough people are complaining.

    I think one's browsing habits count as personal information and should NOT be sold without express written permission. The IC should also ensure that such permission is NOT included in ISP Terms and Conditions as this would clearly be an UNFAIR CONTRACT TERM.

    I encourage everyone to make a complaint to the IC office at this address:

    http://www.ico.gov.uk/complaints.aspx

  31. Someone

    The text message anomaly?

    If I send and receive text messages using my mobile phone, my understanding is that they’re afforded a certain amount of protection from general, unwarranted snooping. Sometimes, I send and receive text messages using a standard web browser to access the web portal of an Internet-SMS gateway provider. If my messages have protection while being routed across the mobile phone networks, why do I suddenly lose that protection when they hit the Internet-SMS gateway?

  32. alistair millington
    Flame

    I've just complained, going to phone BT tonight.

    I don't mind having targeted ads as I ignore all online ads anyway, just a fact of life, like the ad breaks on TV, just ignore them. It is the fact it is happening without me being asked and stored and that ALL my online activity is being logged, not just then but for later use.

    A cookie is one thing, taking that and storing it is another. And storing it overseas is even worse.

    And this might happen using MY BANDWIDTH for the privilege is even worse than that, me paying for them to get more money. Then sending me emails to warn me of a limit I might be exceeding...

    This must be a breach of contract.

  33. Anonymous Coward
    Pirate

    Complain?

    You want to COMPLAIN to some Government (no)Body who's probably on the payroll / a shareholder of one of these corps?

    Seriously, that's why they're getting away with it; everybody's whinging to some ineffectual dullard instead of canning the direct debit on the spot, and pointing out how they're breaching UK and EU privacy law, and their own T's&C's, when they sue for breach of contract.

    The EFF exists for this exact reason.

  34. Anonymous Coward
    Anonymous Coward

    What about content owners?

    Lot of noise from the personal data crowd, which I understand. Having read the wealth of info here is anyone worried about the content owners?

    On first reading, it seems that adverts will be REPLACED or OVERLAYED with OIX adverts. Did I read that right? As a content owner reliant on revenue from advertising on my site is it really going to be that someone is replacing the adverts I chose to show with their own? If so, is this legal? What about the copyright protection? Is this opt-in or opt-out by the site? If I'm opted-in automatically when I own the content I'll be hopping mad to the point of litigation. You can't just go and paste your own adverts over mine and collect the revenue.

    I must be reading this wrong. Why has the mainstream press not picked up on this? Has The Register got its facts wrong?

  35. poh

    @ pieman

    The Phorm ads will only appear on OIX/Phorm signed up sites. If you're advertising on a site which isn't signed up with OIX/Phorm then your ads should be unaffected.

    If your ads are on an OIX signed up site, I guess it's up to you to do a deal with Phorm or the site owner as to the exposure you want.

  36. Ben Tasker
    Paris Hilton

    Let's Knacker the system

    Aside from complaining to the ISPs, the ICO and OFCOM, let's fill Phorm's system with Spam. In the process of writing a script that will be run by Cron to access various sites at regular intervals. Simple case of using wget as I imagine they won't know the difference. The only thing to change regularly would be what you 'are' viewing.

    I'm guessing that all the collected information will be used to create profiles for the most likely target audiences within those not being analysed by Phorm. I.e. those who have ISPs with scruples.

    If enough people fill the system with utter rubbish (one min I'm viewing a car site, then I'm viewing a clothes site, then looking at holidays, then credit cards, then back to cars and so on...) then the system won't be profitable to Phorm. Even better, set up a spider and create your own search database ;-) that'll flood their system quite well.

    Paris cos, well, do I need a reason??

  37. Peter Hunt

    What about BT Subsidiaries?

    I am a Plusnet customer. Plusnet purchased by BT at the end of 2006. I have already asked Plusnet if they too will be selling browsing data to Phorm and I have been told that they won't.

    Nevertheless, I would like to ask Mr Phorm the same question

  38. Mark

    Petition.

    If anyone is interested there is an online petition on the 10 Downing Street website asking for the use of this technology to be investigated and banned if found to breach privacy laws.

    http://petitions.pm.gov.uk/ispphorm/

  39. Paul Barnfather
    Black Helicopters

    Statement from TalkTalk

    After at first denying any partnership with Phorm, TalkTalk have replied to my complaint, stating:

    "I can advise as previously stated PHORM are unable to access any personal information without your permission. The service they are offering is called Webwise, although they are able to view your browsing history, they are unable to recognise who you are through this information."

    Can anybody help with a suitable rebuttal of this nonsense? It's like doublespeak. Surely anybody could be easily identified from their browsing history? What makes Phorm "unable" to do the same?

  40. Man Outraged
    Linux

    @Paul Barnfather

    Hope like the rest of us that the media and/or regulators will get the ISPs to climb down?

    I totally share your frustration but it seems almost pointless to try and argue what is quite a complex point (but nevertheless important - with wide-ranging implications) with support representatives who aren't that technically/legally trained.

    I'm encouraged by the number of people commenting on these stories, write to the Information Commissioners Office, sign the petition http://petitions.pm.gov.uk/ispphorm/, write to the RIPA Commissioner and your MP, write to press and news agencies...

    Get the facts into the public domain and hopefully these issues will be tackled by the people who have the power to fix things, not the overworked customer support representatives...

  41. Stephen Booth

    What does Google think of this

    Call me cynical but I bet what they are going to do is base their choice of ads to serve you entirely on your interaction with search sites.

    It's going to be a lot easier to identify somebody's interests from their search terms and click-through than anything else.

    You could see this as an attempt to undermine Google by getting access to their raw data.

    There are two parties to every communication. They may be able to claim that the user has opted in but the web-site sure as hell has not. If I was Google I would sue them to make sure they don't intercept anything from my site.

    Of course they probably want all the other data as well not to target ads but to sell on. Even anonymised that data is valuable to somebody.

  42. Anonymous Coward
    Flame

    @Stephen Booth

    Of course Google and all other search engines profile you, but that is in my mind the right side of the line. You chose to use Google, a free but valuable service, knowing that in return they will serve you adverts and take some interest in your personal data.

    In mitigation, you know a.) you can delete your cookie every day or every visit and the link will be lost, b.) Google have a well stated policy not to give your information to anyone else and c.) they only have access to a small portion on information of your web-based activities, namely search.

    Contrast this with your ISP, who you most likely pay for a service, who are in a trusted position with access to your entire (non-encrypted) web-based activities and have a legal obligation in most cases not to share personal information and now intend to a.) not only profile you but share this information with a third party and b.) in the process of doing so, potentially interrupt the service you pay for by intercepting private packets in transit between 2 parties without any consent, and injecting additional information (cookies) without consent into such transmissions. The interception element from a protocols issue is beyond belief, that's why I'm so truly upset about this whole debacle...

  43. Anonymous Coward
    Alert

    RE: When the news breaks (and others)

    A few people have commented on the various Phorm stories relating to when the news may break in the mainstream press and how this publicity will affect the ISPs involved.

    I've spoken to a few very well placed friends in the media who've alerted me to their concerns.

    Firstly, the issues are too complicated to spin simply to the punters. They can't just say "all your browsing history for sale" without the guys from Phorm and ISPs coming back with a glossy right-of-reply which will knock down the claims and lead the correspondent into detailed technical arguments that will lose the majority of readers.

    They're basically waiting for someone to act before they report, e.g. a regulator, a legal challenge from a consumer group etc. Without clear allegations from a sufficiently respectable body there just isn't a story.. apparently.

    Secondly, it appears according to this article that many national newspapers are involved in OIX-type advertising:

    http://www.newswireless.net/index.cfm/article/3779

    Phorm could be here to stay.

  44. Anonymous Coward
    Black Helicopters

    @ Peter Hunt

    Peter, I just asked PlusNet Customer Services the same thing, and they said

    "Unfortunately we have no information regarding this. We will let our customers know when we're aware."

    That's slightly different from what they told you....

  45. Secretgeek
    Go

    Take direct action...

    you never know. It might work.

    Petition to HM Government.

    http://petitions.pm.gov.uk/ispphorm/

    Power to the people! Or something like that.

  46. Anonymous Coward
    Anonymous Coward

    Tell Gordon Brown in gov petition

    http://petitions.pm.gov.uk/ispphorm/

  47. 3x2

    @Take direct action...

    Petitions? Write to? work around?

    Erm.. Dump your fucking ISP for one that states it will not pimp your browsing habits to a scumware vendor

  48. Man Outraged
    Black Helicopters

    Guardian Pulls Phorm Story?

    One minute it's top of Tech-news with a link on the front page, the next it's nowhere to be seen? Have the legal brigade been dispatched? For those who don't know it was printed on front page of Technology Guardian supplement this morning (Thursday), so a bit like horse and door and stable and bolted...

  49. Man Outraged
    Happy

    @me Scrub last comment, it's back...

    Gruaniad assure me honest rearrangement - story's been moved to Digital Media and a link's been put back to moved story on Techno page. Phew!

  50. Secretgeek
    Paris Hilton

    BBC take a moderate line.

    http://news.bbc.co.uk/1/hi/technology/7280791.stm

    Top tech story at the Beeb. Shame that they don't really seem to appreciate just what BT et al and Phorm are proposing. And no mention of Phorm's shady past either. Oh and no way of commenting on the article itself.

    Looks like they feel they have to report but aren't looking to start any kind of real debate on the issue.

    Paris - because I can't imagine her having much thought for the consequences either. Or much thought at all for that matter.

  51. Anonymous Coward
    Flame

    OMG BBC SPINNING THIS AS A GOOD THING

    OMG OMG OMG OMG http://news.bbc.co.uk/1/hi/technology/default.stm

    How can they not see the obvious big brother implications of tapping someone's private data stream.

    Formal complaints procedure NOW!

  52. Anonymous Coward
    Go

    BBC Formal Complaints Everyone - Get Writing!

    Dear Sir/Madam,

    This is a formal complaint on several grounds about the above referenced article "Ad system 'will protect privacy'" I wish to see this handled through the formal channel and look forward to a formal response from the BBC addressing my concerns:

    1.) The article is impartial, as it mentions controversy but does not report any comment from any of the 900+ signatories to the petition against such technology:

    http://petitions.pm.gov.uk/ispphorm/ and yet it gives a clear platform to advocates of the system.

    2.) Commercial bias: the article effectively reads as promoting 3 broadband service providers offering a new service which will "protect privacy" without either mentioning that without any invasive profiling privacy is protected anyway, that the anti-phishing features can be provided equally well by using free browser plug-ins, and biased by failing to mention rival service providers who have chosen not to support this kind of technology because of public concern, such as Zen internet.

    3.) The article lacks depth and journalistic quality in several areas:

    i) It does not address the allegations that Simon Davies and Gus Hosein were working in a private capacity under their consultancy 80/20 Thinking Ltd. when asked to perform a Privacy Impact Assessment on the Phorm system.

    ii.) It does not look at the apparent paradox between a privacy group’s endorsement of a technology that, at the heart of the system, uses technology frighteningly similar to that of oppressive regimes wanting to monitor information in a way that the same group campaigns against.

    iii) It does not address the concerns of campaigners who argue that such a system may be secure and protect data now, but there are no safeguards to protect the system after future software upgrades add new features, bearing in mind how much personal and sensitive information is carried unencrypted on the internet.

    iv.) It does not consider the implications of such a precedent: allowing 3rd parties access to a highly sensitive data stream. What will rival technologies do? Such a precedent could be explained in layman’s terms e.g. the Royal Mail opening every letter in order to understand the sender’s tastes, writing this down anonymously, then sending the letter on.

    v.) It does not look into the role of the ISP as a service provider entrusted with a unique and highly personal insight into the lives of its subscribers.

    vi.) It fails to mention the Human Rights aspect where two people make use of a shared computer. The first perhaps is researching weddings but the surprise is ruined by their partner being suddenly bombarded with adverts for rings and wedding dresses. If you doubt the effect would be noticeable, please create an account on Facebook, a popular site that uses profiling, and then change your status to “engaged”. 80% of adverts I see are for weddings. Also consider that seemingly innocuous information such as newspaper subscription or taste in movies can give away a person’s political and sexual interests – interests protected under European Human Rights legislation which is potentially breached by this new system when two people use a shared computer.

  53. Anonymous Coward
    Paris Hilton

    What annoys me is...

    How is it that two guys from 80/20 Thinking, have (by also being involved with Privacy International) managed to speak for all of us security professionals as "Privacy Campaigners" rather than be represented as being (I'm making an assumption here) paid by Phorm to review their service.

    How many Infosec pros really support this? Go on, hands up. This is NOT a representative view of "Privacy Campaigners" or any other group as far as I can tell apart from those standing to make financial gain.

    Whilst most of us on here are making some assumptions about how Phorm will work, most of us are informed enough to know that either way it's ethically wrong; I'm fed up with uninformed people speaking for the masses and the equally uninformed mainstream media giving them a platform to do so whilst those of us who understand the issue are sidelined.

    /Paris 'cus we could do with the media attention.

  54. Secretgeek
    Alert

    BBC redresses balance - slightly

    Take a look at the article's author Darren Waters' own comments on this issue - http://www.bbc.co.uk/blogs/technology/2008/03/looking_at_the_phorm.html

  55. Man Outraged
    Boffin

    BBC Coverage

    Firstly, Kent from Phorm appeared on Radio 4 this afternoon as I was driving home. It was interesting but quite spinfull. I'm worried, as previous posters on this subject are, that the mainstream press are not tech-savvy enough to dissect the arguments of people who stand to gain serious money in the success of this scheme.

    After listening carefully to both Phorm and the community I have 3 serious reservations that I hope Chris and Team Register will pick up on (yes this is an aggregation of other posters - sorry):

    1.) The opt-in and opt-out arrangements appear insufficient, especially given the leaked docs on El Reg. The Data Protection Act (yes I've read it) gives individuals a clear right to inform the Data Controller of an ISP in writing of their wish for the ISP not to process their personal data more than is necessary in providing the service. Since writing a letter to the Data Controller of BT or VM does not magically set cookies on every computer in the house, the system must therefore use some kind of zoning or central look-up to first establish whether a user is to be profiled before actually profiling them. Incidentally the piece on the BBC website quotes Kent talking about choice on R4 this afternoon. If he was serious about offering choice then both the ISP and Phorm would be telling everyone the system was opt-in from day 1, and on top of that they would be providing evidence that the technology would ignore data packets from those who were not opted-in. This in my considered opinion seems to be a legal requirement (but IANAL) so why be vague at any stage on this? It's a blocking feature that they must implement from day 1. From my understanding of the DPA, the question is about consent before processing, not whether the processing results in a sufficiently-anonymous data set.

    2.) Whilst I probably do believe that Phorm are serious about privacy (at least they appear very serious) the principle of tapping a user's data stream is abhorrent simply because of the possibilities it unlocks. It is (in the words of Pie Man) an inherently invasive technology and you really can see why interception laws exist. Like the postman reading every letter, whatever analogy you want to use. It does (also a quote) indeed seem to deploy a system architecture very similar to what I imagine a dictatorship would use to monitor its people, and so once in place, what safeguards are there that this system would not be abused?

    3.) IANAL but I've also read the RIPA this evening and that also does seem very clear. If your data stream is classified as a personal communication, and I can see no reason why not, since Yahoo, Facebook etc do not encrypt messages by default, then, if numerous exclusions are not met, consent is required from ALL [both] parties in the communication in order to intercept the communication. Now you have to tie the opinion of Professor Peter Sommer and other legal experts here that Phorm's system does constitute interception with the wording of the Act itself and perhaps you come to the conclusion that Phorm would only be legal if both the user and the website consented to interception? The next logical step is when intercepting non-encrypted web-based email then would the consent of the sender and the receiver both be needed? Please can El Reg afford legal opinion on this - can a system like Phorm ever be legal?

    And finally... any update on mysterious oix.net cookies appearing on VM connections? Again, can El Reg afford to send an independent person to an alleged infringing connection to witness cookie-planting for themselves?

    Like most people here I can't believe this is about to happen. Great work to the guys writing to enlighten.

  56. Secretgeek
    Pirate

    The Information Commissioners Office gets stuck in...

    ...well, kind of. They're taking a look. With, I'm sure, the transparent, unhindered cooperation of the ISP providers and Phorm. Maybe El Reg would like to pass the internal BT docs to them, you know just in case BT happen to forget to.

    http://www.ico.gov.uk/upload/documents/pressreleases/2008/phorm_statement.pdf

    Skull and crossbones - for the death of privacy.

  57. Pseudopath

    What's needed...

    is a method by which we can check for any interceptions or slow down. It's just occurred to me that if the monitoring is achieved using port spanning how are we to check or even trust the ISP?...

  58. Secretgeek
    Alien

    BBC gets stuck in...

    ...hopefully. BBC correspondent Darren Waters is going to ask Phorm some of the questions that we all want answers to.

    Watch this space:

    http://www.bbc.co.uk/blogs/technology/2008/03/more_questions_for_phorm.html

    Aliens because whether we'll get honest answers is a mystery.

    As an aside - all credit goes to El Reg for highlighting this issue and sticking with it. I'm no gung ho flag waving patriotic type but it's this kind of reporting that keeps our freedoms alive for that little bit longer.

  59. Tonsko

    Privacy International

    Someone asked if PI had actually endorsed this. I emailed them last week to find out, and this is what Simon Davies said:

    "The short answer is that PI does not endorse products unless in exceptional circumstances. Gus Hosein and I had independently reviewed the technology at Phorm's request and concluded that it was generally privacy friendly and that the organisation had taken all steps to minimise or extinguish personal data from its system. This assessment was done through our company, 80/20 Thinking Ltd, and not through PI."

    So there you go. The MD of Phorm was being strictly honest, although he didn't tell an outright fib.

  60. Anonymous Coward
    Anonymous Coward

    BBCtech blog getting 502 Service not available

    Well, it seems something's broke at the BBC tech blog above as I keep getting 502 Service not available....

    Makes you wonder if they don't want your feedback aired until someone comes up with a way to offset the mess the UK ISPs and Phorm seem to have placed themselves in?

    rock on TheRegister, you keep on running.

    It might be nice if you reviewed your choice of messageboard software though, as these Phorm collective threads could do with a better way to cross link and reference.

  61. Anonymous Coward
    Anonymous Coward

    the potential reason the likes of Phorm want in on the market.

    Here's the potential reason the likes of Phorm want in on the market.

    http://www.dailywireless.org/2008/03...data-for-sale/

    "

    Your Data: For Sale

    A new study from comScore and The New York Times attempts for the first time to estimate how much consumer data is transmitted to Internet companies. It finds that the five largest Web firms — Yahoo, Google, Microsoft, AOL and MySpace — record at least 336 billion transmission events in a month, not counting their ad networks.

    The analysis, conducted for The New York Times by the research firm comScore, is said to provide the first broad estimate of the amount of consumer data that is transmitted to Internet companies.

    “When you start to get into the details, it’s scarier than you might suspect,” said Marc Rotenberg, executive director of privacy group the Electronic Privacy Information Center. “We’re recording preferences, hopes, worries and fears.”

    ....

    "

    the full two pager here

    http://www.nytimes.com/2008/03/10/te...ss&oref=slogin

    "To Aim Ads, Web Is Keeping Closer Eye on You

    By LOUISE STORY

    Published: March 10, 2008

    A famous New Yorker cartoon from 1993 showed two dogs at a computer, with one saying to the other, “On the Internet, nobody knows you’re a dog.”

    That may no longer be true.

    ....

    Consumers have not complained to any great extent about data collection online. But privacy experts say that is because the collection is invisible to them. Unlike Facebook’s Beacon program, which stirred controversy last year when it broadcast its members’ purchases to their online friends, most companies do not flash a notice on the screen when they collect data about visitors to their sites.

    “When you start to get into the details, it’s scarier than you might suspect,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy rights group. “We’re recording preferences, hopes, worries and fears.”

    But executives from the largest Web companies say that privacy fears are misplaced, and that they have policies in place to protect consumers’ names and other personal information from advertisers. Moreover, they say, the data is a boon to consumers, because it makes the ads they see more relevant.

    .....

    Large Web companies like Microsoft and Yahoo have also acquired a number of companies in the last year that have rich consumer data.

    “So many of the deals are really about data,” said David Verklin, chief executive of Carat Americas, an ad agency in the Aegis Group that decides where to place ads for clients.

    ..."

  62. JB

    Sooo

    They say they don't collect form data.

    Yes, but the next page may have the info not in a form tag, e.g. a confirmation page. It doesn't have to be SSL as we're not yet entering credit card info. E.g. small sites who take your address then forward you to PayPal etc. Also forums and the preview post page, private messages, webmail etc. You can eventually build up enough info to work out who someone is.

    How are they going to be able to deal with forums?

    They say they go by a phrase being on the page several times. So if I'm reading a thread on a forum and the user named Imac has posted several times do I get gay computer ads?

    Names are not collected.

    What's a name? Poor Guy Kawasaki, nothing but bike ads for him!

    Opt out cookie.

    If your service is so great, have the balls to do opt in only.
