Phorm update

It’s difficult to tell which of today’s developments the UK’s major ISPs should be more worried about - the fact that Sir Tim Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the Foundation for Information Policy Research (FIPR) have today written an open letter to the Information Commissioner, urging him to look at the legality of Phorm.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial Phorm, a system which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet. As Sir Tim tells the BBC’s Rory Cellan-Jones today:

“I myself feel that it is very important that my ISP supplies internet to my house like the water company supplies water to my house. It supplies connectivity with no strings attached. My ISP doesn’t control which websites I go to, it doesn’t monitor which websites I go to.”

Or, as ORG might paraphrase it:

“Keep your mitts off my bits”

Meanwhile, FIPR have written to the Information Commissioner’s Office with a detailed analysis of the legality (or otherwise) of Phorm. FIPR spokesperson (and Open Rights Group Advisory Council member) Richard Clayton puts it like this:

“The Phorm system is highly intrusive — it’s like the Post Office opening all my letters to see what I’m interested in, merely so that I can be sent a better class of junk mail. Not surprisingly, when you look closely, this activity turns out to be illegal. We hope that the Information Commissioner will take careful note of our analysis when he expresses his opinion upon the scheme.”

The ISPs which propose to use Phorm have yet to respond to ORG’s call to publish the privacy impact assessment they commissioned from 80/20 Ltd (whose Director, Simon Davies, is also Director of Privacy International), as well as full details of how Phorm will work. Until we can all see for ourselves exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue.

16 Responses to “Phorm update”

  1. Andrew Katz Says:

    There’s another issue which is equally important: BT et al. do not know who is actually surfing using a particular connection. For a particular household, it could be any member of the family, or a guest, or even someone who is using an open wifi connection. Phorm itself acknowledges that ISPs must obtain informed consent from users accessing their system. The fact is, even if they do obtain informed consent from one member of the household, they will not know whether it’s that member of the household who is actually online. Even if consent were to be obtained at the commencement of every session, it’s entirely possible for different members to be online at the same time (although NAT analysis might obviate this), or they may switch during a session.

    This is an issue for RIPA. For DPA, the problem is a bit more complex.

    Much as I would love to be proved wrong, I think that BT et al. and Phorm may be in the clear here, provided they set up their system, and the relationship between them, carefully enough.

    Looking at it from Phorm’s perspective (and assuming that they are running the servers which serve the adverts), they are receiving an anonymised token through which they can track the destinations of the user associated with that token. The DPA says this activity will only be processing personal data when a living individual can be identified from the data Phorm has, or which is likely to come into Phorm’s possession.

    Given that Phorm will, if it has good advice, be extremely careful to put a positive obligation on BT et al. not to let them have any data which may link the token with any living individual, then neither does Phorm have that information, nor is it likely to come into their possession.

    (It’s fun to speculate what might happen if someone wrote a virus which analysed a user’s computer and emailed this information to Phorm).

    The fact that it is possible to link the user to the ip, the ip to the token, and the token to sensitive personal data (as suggested in the FIPR letter) is not relevant, if the chain is broken because it involves two parties, and one holds anonymised information which can only be linked to a living individual by using data which is not in its possession, or is not likely to come into its possession.

    Admittedly, it’s not necessarily quite as simple as that: if the Phorm servers can see that a web page has got “welcome Richard Thomas” on it, for example, then they will have in their possession data which can link Richard Thomas with a particular token.

    The FIPR letter implies that BT and Phorm are a sort of combined entity: if they were the same entity, then FIPR’s arguments are valid, but if, as I suspect, they have taken steps to segregate the data on the non-anonymous/anonymous sides of the Chinese wall, then there is no issue under the DPA for Phorm.

    From the ISP’s side, there may be an argument that since the ISP has details linking the user to the IP, and since they can (presumably) see which ads are served to the user by Phorm, they would be able to reconstruct information about the types of sites visited, in breach of the DPA.

    However, I think this is a specious argument, because the ISP doesn’t need to know what the Phorm ad is to reconstruct possible site visits: as ISP, it has access to which sites have been visited, in any event (for which appropriate consent under the DPA will be required, but the issue is no different where Phorm is involved).

    I wish this were a simple issue: I feel uncomfortable about Phorm as well.

    - Andrew
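    Added example (the editor’s, not from the post, from Andrew’s comment or from Phorm): a naive keyword profiler of the kind the comment reasons about, run over a constructed page that greets its user by name. It shows that the “welcome Richard Thomas” problem is structural: whatever text is on the page gets stored against the token, so a content profiler needs an identifier scrub before storage. The token, the page bodies and the two scrub patterns are all assumptions; a real scrub list would be far longer.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (not captured traffic): page bodies seen on one
# anonymised token's connection. The first page greets the logged-in user by
# name, the "welcome Richard Thomas" case from the comment above.
PAGES = {
    "token-7f3a": [
        "<html><body><h1>Welcome Richard Thomas</h1>"
        "<p>Signed in as rthomas@example.org</p>"
        "<p>Fishing tackle sale: rods, reels and lures</p></body></html>",
        "<html><body><p>Cheap flights to Spain, hotels and car hire</p></body></html>",
    ],
}

STOPWORDS = {"and", "the", "as", "to", "of", "in", "redacted"}

# Patterns for strings that tie a page to a living individual. Two are shown
# to illustrate the mechanism; a real scrub list would be far longer.
IDENTIFIER_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),                          # e-mail address
    re.compile(r"[Ww]elcome,?[ \t]+([A-Z][a-z]+(?:[ \t]+[A-Z][a-z]+)+)"),  # "Welcome First Last"
]


def strip_tags(html: str) -> str:
    # Tags become newlines so a greeting and the next element cannot run together.
    return re.sub(r"<[^>]+>", "\n", html)


def keywords(text: str) -> list:
    return [w.lower() for w in re.findall(r"[A-Za-z][A-Za-z'-]+", text)
            if w.lower() not in STOPWORDS]


def identifying_strings(text: str) -> list:
    """Every identifier match in the page text, in pattern order."""
    found = []
    for pat in IDENTIFIER_PATTERNS:
        for m in pat.finditer(text):
            found.append(m.group(m.lastindex or 0))
    return found


def scrub(text: str) -> str:
    # Redact only the identifying part of each match; the rest of the page is kept.
    for pat in IDENTIFIER_PATTERNS:
        text = pat.sub(lambda m: m.group(0).replace(m.group(m.lastindex or 0), "[redacted]"), text)
    return text


def build_profile(pages: dict, scrub_first: bool) -> dict:
    """Keyword counts per token, as a naive content profiler would store them."""
    profile = defaultdict(Counter)
    for token, bodies in pages.items():
        for html in bodies:
            text = strip_tags(html)
            if scrub_first:
                text = scrub(text)
            profile[token].update(keywords(text))
    return profile


if __name__ == "__main__":
    raw = build_profile(PAGES, scrub_first=False)["token-7f3a"]
    safe = build_profile(PAGES, scrub_first=True)["token-7f3a"]
    watch = ("richard", "thomas", "rthomas")
    print("identifiers on page:", identifying_strings(strip_tags(PAGES["token-7f3a"][0])))
    print("leaked into stored profile:", [k for k in watch if k in raw])
    print("after scrubbing:", [k for k in watch if k in safe])
```

    Without the scrub the stored profile for the token contains “richard”, “thomas” and the local part of the e-mail address, so the party holding only “anonymised” profiles has the link anyway. With it, the fishing and travel keywords survive and the name does not. Regex scrubbing is a floor, not a guarantee: names that are not preceded by “Welcome” pass straight through.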

  2. H.Martin Says:

    We should be concerned about the fact that such an intrusive platform as Phorm can leave unexpected consequences. There are consequences that a user may not be aware of at the time she/he opts in to use Phorm.

    Simply put, what would happen if a depressed individual searches for suicidal methods and Phorm suggests a full list of related adverts?

    What if a person with extremist/terrorist tendency reads some pieces of “provocative, sensitive” news and Phorm gives that terrorist-to-be a boost by giving him/her full access to other destructive web resources?

    And what would happen if a pedophile in your local area browses some website about “sex” and some others about “children” and is given the address of your children’s day care center?

    Good people can turn bad, given enough stimulations and a “favourable” environment. Would you be sure that you won’t ever be depressed? Would you be sure that your mind won’t ever change in any psychological, emotional impact?

    Phorm ensures that any of those said things can happen. No technology, however advanced it is, can understand the psychological changes in a human mind. Do you wish that you would do something bad to myself and to other people tomorrow because of your decision today?

    I feel uncomfortable about Phorm. It is intrusive and it is a possible threat.

    - Hugh

  3. Legal!!$£$ Says:

    If a member of the public accessed another internet user’s communication in this manner the POLICE would have confiscated all the Computer Equipment & taken it away for analysis by now!

    Come to think of it, why haven’t the Police investigated this or seized equipment to analyze whether the ISP/Phorm are acting illegally as “many experts think”?

    WHERE ARE THE PUBLIC LAW ENFORCEMENT OFFICERS A.K.A the ***POLICE***

  4. Kostas Alekoglu Says:

    Even for internet marketeers such as myself, Phorm as well as other intrusive spyware or behavioral targeting technology is raising serious privacy concerns. As with anything else, there is a line to be drawn between selling and exploiting people online.
    From experience, no data is ever deleted by any company at any given time. There is no policing around this and although companies insist they delete it, they only store it elsewhere. Internet companies do not usually make the effort of de-personalising data either. The opposite is the norm. The more you can tie up a site visitor with a postcode and an address the better.
    All this action is not in a company’s interests but rather against them.
    The problem is a lot more serious than people think as it also has serious political implications regarding business practices of the free market.

    K

  5. I Disagree Says:

    I fundamentally disagree with this part of the statement by FIPR

    Users should have to opt in to such a system, not merely be given an opportunity to opt out.

    The User would then be colluding with an ISP / Phorm system facilitating a M.I.T.M attack against the Server.
    Which may or may not be password protected etc for Privacy.

    Extreme examples, but I think it makes my point.
    The:
    Whitehouse
    Kremlin?
    10 Downing Street
    Ministry of Defence
    CIA

    Do you now get the picture? This is what happens when you facilitate a M.I.T.M Interception Service!

  6. Smoke & Mirrors Says:

    The Opt-in Opt-out debate is a RED HERRING.

    The Phorm process does not need this, except to confirm whether the User wishes to opt-in or opt-out.
    Note:-
    BT Users & VM Users are not Opted out by default they are Opted In if no cookie is present!

    Due to the collusion of the ISP the information available to the Phorm Profiler is already enough & is available & “Operating”!

    In Order to profile any Particular Subscriber a “Unique ID” comprising, probably, a “Hashed Version of the Logon Name & maybe or the MAC address of the Victim” is already in the Webwise Profiling System, which is linked to the profiler, when the Subscriber logs on!
    *****************
    The information in this hash & details of how to decipher it will inevitably be decoded or more likely leaked at some point!
    *****************

    ****BT Remove my Personal Data hashed or not from this profiler, you do not have my personal permission to release such data, & you are barred from using such data under the terms of RIPA!****

    THIS ENABLES THE WEBWISE SYSTEM TO ASSIGN A UNIQUE NUMBER TO THE SUBSCRIBER, Phorm already have it stored!! (Maybe with the Browser/Application hashed & added!)

    It gets worse!
    The Individual User is then identified via the unique properties of the Web Browser or Internet side Application Headers.

    A profile is then continually made of the User’s surfing habits via keywords & the result has to be stored somewhere (hashed or not), either on the profiler or a Remote Database.

    Remember this is linked to Individual Subscribers via the Unique ID, & the Browser Header further narrows it to an individual User.

    One very Important point, the Subscriber in an opt-in scenario may have given permission for this intrusive system, but the individual Users at this location may well be unaware of this!

    I see no other way of uniquely identifying an Individual Subscriber/User.

    If I am wrong then I ask the ISPs & or Phorm to Provide the appropriate information to refute this claim!

  7. Anonymouse Says:

    It’s no use them trying to hide behind rhetoric and spin. What they’re proposing to do is *illegal* in the UK. End of. Besides, why the hell would we want this? Who wants to be deluged with yet *more* advertising?

    I sent a DPA notice to Virgin, withdrawing all permission (not that I ever gave them any!) to pass on any of my details or datastream to any third party - and all I got in response was an email pointing me in the direction of *their* website explaining Webwise, and a letter from Customer Concern about my “complaint”!

    Plus, anyone who uses IE7 or Firefox doesn’t even *need* Webwise; both have spam and phishing protection built-in, as well as ad blockers. Ten years ago web users might have fallen for this, but we in the UK are a bit more clued-up now. We’re not having it. I’d sooner trust Sir Tim Berners-Lee than a known spyware & rootkit peddler. Hell, I’d sooner trust a politician! If Virgin do this, I’m off; I use online banking services, and I am NOT taking such a needless risk as trusting an ISP which spies on its own subscribers and consorts with the creator of PeopleOnPage. No way.

  8. ColinH Says:

    The Phorm Patent is a worrying read- they have the facility to analyse everything that goes across the connection, be it HTTP, HTTPS, VPN or forms.
    They also have a javascript that will link a user’s ID directly with the ‘so-called’ hashed cookie.
    Remember, just because they say they ‘don’t’ doesn’t mean they can’t.
    This is just a new updated version of spyware in my opinion and should never ever be allowed.

  9. Serf Says:

    Welcome “Global Slaves” to our “New Improved Investors Market”, where all your data is analyzed, checked cross checked filed/stored & acted upon, whether you want it or not!

    You cannot get away from it “Slaves” whether at Home,Work or trying to Relax, so sit back & enjoy!

  10. James F Says:

    Andrew Katz (comment 1) speaks eloquently of a demarcation of ownership and knowledge between the ISP and Phorm. I don’t disagree with the argument made by Andrew, however I do question the premise that neither entity has sufficient knowledge to trace the profile back to a living person.

    Having a somewhat deep understanding of IP networks I strongly suspect that one or the other of the two parties will be able to make some link to potentially sensitive information using the limited information in their possession.

    Ultimately the ISP has access to the raw data streams, and is highly likely to have attached to their network other monitoring equipment such as passive taps (for law enforcement and network troubleshooting) and/or DPI (deep packet inspection) switches for traffic management. Since the Phorm Unique User ID (UUID) is carried unencrypted on its network, it is able should it be so compelled to make the link between IP address and UUID, and from billing records from IP address to real person/physical address.

    So the ownership of the profile must rest with Phorm, however the system in its entirety must be capable of delivering adverts back to the end user, so the ISP must provide a facility to channel content back to the end user which is dependent on the profile owned by Phorm without disclosing the IP address of the customer to the Phorm servers.

    Given what we know of the system to date, and making some assumptions, I can see a couple of potential areas where information “leakage” might occur. The ISP may learn a small bit about its customer in each transaction with the Phorm server, e.g. the customer is interested in the Conservative party or is being sent adverts for a right-wing newspaper.

    Also, the Phorm servers may learn something about the user; either in the terms garnered or in the temporal relationship between the profile lookup and the advert “image” ultimately served to the customer. For example, the lookup will precede the rendering of the advert, and analysis over time will make it fairly easy to narrow down the IP address to which adverts are being served.

    For the benefit of fairness, the above argument uses some speculation and assumption, but the examples I highlight are not beyond the realms of possibility and reinforce my belief that such a system will be very difficult to validate from a DPA perspective.
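    Added example, the editor’s rather than part of James F’s comment: the timing correlation he describes, run over two constructed event logs, one Phorm-side (profile lookups keyed by UUID) and one ISP-side (advert fetches keyed by IP). Whoever can see both streams, or is handed both, votes for the IP that fetches an advert shortly after each lookup; after a handful of events one IP dominates. The half-second window, the vote threshold and both log formats are assumptions.

```python
from collections import defaultdict

WINDOW = 0.5  # seconds; assumed upper bound on lookup-to-advert-fetch delay

# Constructed event logs (not real Phorm or ISP records), unix timestamps.
# Phorm side: each time a UUID's profile was looked up to choose an advert.
PHORM_LOOKUPS = [
    (100.00, "uuid-A"), (100.05, "uuid-B"), (130.10, "uuid-A"), (160.20, "uuid-A"),
    (160.25, "uuid-B"), (200.00, "uuid-B"), (230.00, "uuid-A"), (260.00, "uuid-B"),
]
# ISP side: each time a subscriber IP fetched an advert image.
ISP_AD_FETCHES = [
    (100.20, "10.0.0.7"), (100.22, "10.0.0.9"), (130.30, "10.0.0.7"), (160.35, "10.0.0.7"),
    (160.40, "10.0.0.9"), (200.15, "10.0.0.9"), (230.10, "10.0.0.7"), (260.12, "10.0.0.9"),
]


def correlate(lookups, fetches, window=WINDOW):
    """For each UUID, count how often each IP fetched an advert within `window` seconds after a lookup."""
    fetches = sorted(fetches)
    votes = defaultdict(lambda: defaultdict(int))
    for t, uuid in lookups:
        for tf, ip in fetches:
            if tf > t + window:
                break          # fetches are sorted; nothing later can qualify
            if t < tf:
                votes[uuid][ip] += 1
    return votes


def link(votes, min_votes=3, min_margin=2):
    """Resolve a UUID to an IP only when one IP clearly dominates the votes."""
    links = {}
    for uuid, per_ip in votes.items():
        ranked = sorted(per_ip.items(), key=lambda kv: kv[1], reverse=True)
        best, n = ranked[0]
        runner_up = ranked[1][1] if len(ranked) > 1 else 0
        if n >= min_votes and n - runner_up >= min_margin:
            links[uuid] = best
    return links


if __name__ == "__main__":
    votes = correlate(PHORM_LOOKUPS, ISP_AD_FETCHES)
    for uuid, per_ip in votes.items():
        print(uuid, dict(per_ip))
    print("linked:", link(votes))
```

    The two lookups at t=100 land in the same window and give each UUID one vote for each IP, which is the concurrent-users ambiguity from comment 1; the later, isolated events break the tie. The countermeasure is to destroy the timing relationship (batching or random delay before the advert is served), not to hash the identifiers harder.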

  11. Gary Says:

    Of course there is nothing to prevent, save a viable business model, a consortium of privacy advocates from setting up their own ethically guided ISP. Perhaps there are responsible, and reliable ISPs out there already - please let me know. Any recommendations will be greatly appreciated.

    In fact it’s probably long overdue we left these corporates to their easily-pleased-middle-of-the-road consumers and head for something more bespoke.

    I concur wholeheartedly with Sir Tim Berners-Lee’s statement. A vote of no confidence as exercised by taking our business elsewhere is the only language these businesses will ever understand.

  12. A Googly Says:

    I known this is not Cricket but……

    Phorm are on record as stating that they do not use the IP address for tracking, the Logon Name usually contains Personally identifiable names, so that means the Main Tracking system would more than likely be the ISP MAC ADDRESS WHICH IS UNIQUE TO THE CUSTOMER!
    (Hashed or otherwise this is still a vulnerability for the User, but I digress…)

    The Real Kicker is the structure of the WWW & how things are linked up.
    The Customer’s ISP can use the MAC they have assigned to install Webwise, but the “MAIN TELCO HAS THE MASTER MAC” which is released to other ISP’s on their lines in order to connect!

    Therefore any Customer who is switching ISP from “BT etc” may still be capable of being tracked through this “MASTER MAC by BT /PHORM etc”.
    Since their MAC Addresses have probably already been (hashed??) fed to the Webwise Interceptor there is “NO guarantee that the former BT Customers data” is not still being routed through the Webwise System!

    ***Phorm Release this Information & or Release the Information about the safeguards you have put in place.***

    Bottom Line the MAIN TELCO “could” depending on their Router Configurations still track all their Users & “other ISP’s Users” connected to the MAIN MAC ADDRESS!!!
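    Added example (the editor’s, not from comments 6 or 12 and not Phorm’s code) covering the “hashed logon name” point in comment 6 and the “hashed MAC” point in comment 12: an unkeyed hash over a small identifier space is undone by recomputation, so hashing on its own does not anonymise. A keyed hash (HMAC) resists recomputation, but only for whoever lacks the key, which moves the problem to key custody. The subscriber list, the vendor prefix and the key are constructed.

```python
import hashlib
import hmac

# Constructed subscriber list and key (not real customer data, not an ISP's key).
SUBSCRIBERS = ["r.thomas@isp.example", "jane.doe@isp.example", "bt-user-4471"]
ISP_KEY = b"constructed-demo-key"
MAC_OUI = "00:1e:ab"   # assumed vendor prefix: the top 24 bits of a MAC are public


def unkeyed_uid(identifier: str) -> str:
    # The "hashed logon name / hashed MAC" scheme the comments speculate about (assumption).
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_uid(identifier: str, key: bytes = ISP_KEY) -> str:
    # Same idea with a secret key mixed in (HMAC); recomputation now needs the key.
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def mac_candidates(oui: str, low_bits: int = 8):
    """Enumerate MACs under one vendor prefix. The real space is 2**24 per OUI,
    which is still trivial to hash through; low_bits keeps this demo small."""
    for n in range(1 << low_bits):
        yield f"{oui}:{(n >> 16) & 0xff:02x}:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}"


def relink(uids, candidates, hashfn) -> dict:
    """Map each UID back to the candidate identifier that produces it, by recomputation."""
    uids = set(uids)
    found = {}
    for cand in candidates:
        h = hashfn(cand)
        if h in uids:
            found[h] = cand
    return found


if __name__ == "__main__":
    stored = {unkeyed_uid(s) for s in SUBSCRIBERS}
    print("unkeyed, with subscriber list:", relink(stored, SUBSCRIBERS, unkeyed_uid))
    mac = "00:1e:ab:00:00:2a"
    print("unkeyed MAC, by enumeration:", relink({unkeyed_uid(mac)}, mac_candidates(MAC_OUI), unkeyed_uid))
    stored_keyed = {keyed_uid(s) for s in SUBSCRIBERS}
    print("keyed, without key:", relink(stored_keyed, SUBSCRIBERS, unkeyed_uid))
    print("keyed, with key:", relink(stored_keyed, SUBSCRIBERS, keyed_uid))
```

    Read against Andrew Katz’s Chinese wall in comment 1: if the UID is an unkeyed hash, anyone holding a subscriber list or a vendor prefix can reverse it and the wall is decorative; if it is keyed, the ISP that holds the key can always make the link, and so can anyone the key leaks to. Rotating the key per session or per day bounds how long a recovered key is useful, at the cost of the profile not persisting, which is exactly the tension behind the commenters’ suspicion.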

  13. The Open Rights Group : Blog Archive » ORG and FIPR meet with Phorm Says:

    [...] ORG Board < Phorm update [...]

  14. David Pollard Says:

    Gary says, “there is nothing to prevent, save a viable business model, a consortium of privacy advocates from setting up their own ethically guided ISP.”

    I could be wrong, but isn’t it mandatory for ISPs to keep logs which hold details of all connections that are made and to provide these on request to government departments? Some ethical views hold that it is no one’s business but one’s own to know with whom one communicates and when; this is an aspect of freedom of speech and some still hold that it is an essentially private matter.

    Bill Thompson has pointed out that a huge number of requests are already made for details of communications traffic data (‘Are the watchers being watched?’, http://news.bbc.co.uk/2/low/technology/7226016.stm). The BT diagram of Phorm/Webwise equipment published by The Register (http://www.theregister.co.uk/2008/02/29/phorm_documents/) shows passive taps installed in the hardware that connects users to the internet.

    There would not need to be much ‘function creep’ for a system like Webwise to be profiling users for all manner of purposes, with a tap on every connection. If something like this isn’t already in place, the only way to stop it would be to make the government accountable. For unless the government can be made accountable then neither can anyone expect commercial organisations to be.

  15. Graham Cobb Says:

    Greg and David Pollard mention creating an “ethical” ISP. I think there is a much lower cost (and hence more viable) solution: create an ethical VPN. There are two models which I think could work:

    1) A virtual ISP. With peering arrangements at a couple of internet exchanges, like a real ISP, but no infrastructure: just the endpoints of a VPN. Users would sign up with any ISP (even a RIP-violating one) and then use a VPN connection to the Virtual ISP. Of course, the user would be paying extra but they would be confident that the only interception that could be happening would be in the virtual ISP and they would be competing on the basis that they do not intercept.

    2) Small groups. There is nothing to stop a small interest group (say ORG and members, No2ID might set up another one, a group of friends might set up another one, etc.) renting a server (physical or virtual) somewhere on the internet (maybe not even in the UK) and using it as a VPN endpoint. Of course, they would be dependent on the co-lo provider not to be intercepting but it would be easy enough to change to another server. This could be quite cheap: one or two servers shared between a small number of people.

    In other words, I think that the ISPs are shooting themselves in the foot. ISPs (and telcos) are absolutely DESPERATE to not just be commodity bit-pipes. They want to provide value-added services (to differentiate and to have a profitable revenue stream). And there ARE services that people value and will pay for — for example, some people (no one reading this blog, but some people) who would value ISP-based content filtering. Others may value advertising-sponsored TV content. Others might welcome a way to charge internet purchases to their phone bill. Etc.

    But, if the ISP goes too far, as BT is doing with Phorm, then users will switch to something like a VPN and, all of a sudden, the ISP is cut out completely — literally all they are providing is a bit-pipe. They have then lost that customer completely from their value-added propositions.

    Personally I do have a server on the Internet and I do use a VPN (this is partly because I sometimes use an unencrypted, WiFi-based rural broadband service so anyone could intercept my traffic and listen in). At the moment I only use the VPN for mail, I let web traffic go directly, but a small configuration change on my router would send all my traffic over the VPN.

  16. Gary (not greg!) Says:

    The last person to mistakenly call me Greg was John Peel, gawd bless ‘im, so you are in good company Graham ;p

    In the meantime and with respect to taking this a little off-topic, I need to switch supplier anyway and one consideration is asdl24. If anyone has any comments on them I’d be grateful to hear them. They claim not to block any ports or throttle traffic but perhaps best of all one can buy their service on a month-by-month basis rather than the year long or more obligation imposed by most, if not all, the corporate players. Long term fixed contracts never particularly inspire confidence in me.

    Your points regarding VPN Graham are certainly food for thought and ought to be something I should experiment with. Many thanks for sharing your aforementioned scenarios on this subject.


Contributors to the Open Rights Group wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Open Rights Group as their source, and license the resulting work under the same terms.