March 12, 2008 | Becky Hogge

The Phorm storm

Update: An interim Privacy Impact Assessment (PIA) has now been published by Phorm. You can read it here [pdf]. The PIA, produced by 80/20 Thinking Ltd, predicts the media and public backlash against Phorm, and leaves several questions unanswered, including "Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?". This document, which is dated 10 February 2008, anticipates the publication of a full PIA "in March 2008". As yet none has been forthcoming.


Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users' online surfing habits in order to target ads at them, has caused a storm all over the internet.

Here’s what we've been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP. It then uses information about your surfing habits, gathered by searching the URLs you request and the websites you visit for key words, to assign that unique number to various "channels" (for example "golf", "travel" or "handbags"). When you visit a website which has a "Phorm please put an ad in here" tag, Phorm serves an ad from a channel where your unique number appears.

Phorm says that it does not write data about the content you are viewing to disc in "the production system", getting rid of it as soon as the operation to assign your unique number to a channel is complete. In a separate system (used for "research and debugging") that data is stored for 14 days, then deleted.
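The data flow the two paragraphs above describe, as an added illustration (not Phorm's code, and not from the post's author): the keyword-to-channel table, the browser ids and the URLs are all constructed, and the model assumes the two stores the post mentions are separate, so the 14-day research retention can be exercised. It also shows what the "anonymous" browser id sits next to in the research store while the raw URLs are retained, the point a commenter makes below about usernames embedded in URLs.

```python
"""Toy model of the Phorm data flow as the post describes it.

Added illustration, not Phorm's code. CHANNEL_KEYWORDS, the browser ids and
the URLs are constructed. The production store keeps only browser id ->
channels; the research/debugging store keeps raw URLs and words for 14 days.
"""
from datetime import datetime, timedelta
import re

# Constructed keyword table (assumption: Phorm's real channel taxonomy is not on the page).
CHANNEL_KEYWORDS = {
    "golf": "golf", "birdie": "golf",
    "flight": "travel", "hotel": "travel",
    "handbag": "handbags", "clutch": "handbags",
}
RESEARCH_RETENTION = timedelta(days=14)


def tokens(url, page_text):
    """Lower-case words from the requested URL and the page body (what the profiler scans)."""
    return re.findall(r"[a-z0-9]+", (url + " " + page_text).lower())


class Profiler:
    def __init__(self):
        self.production = {}   # browser_id -> set(channel): all the production system keeps
        self.research = []     # (seen_at, browser_id, url, words): purged after 14 days

    def observe(self, browser_id, url, page_text, seen_at):
        """Assign the browser id to channels; raw material survives only in the research copy."""
        words = tokens(url, page_text)
        channels = {CHANNEL_KEYWORDS[w] for w in words if w in CHANNEL_KEYWORDS}
        self.production.setdefault(browser_id, set()).update(channels)
        self.research.append((seen_at, browser_id, url, words))
        self.purge(seen_at)
        return channels

    def purge(self, now):
        """Drop research records older than the retention window."""
        cutoff = now - RESEARCH_RETENTION
        self.research = [r for r in self.research if r[0] > cutoff]

    def serve_ad(self, browser_id, page_channel):
        """An ad tag on a page in page_channel: serve it only if the id is in that channel."""
        chans = self.production.get(browser_id, set())
        return f"ad:{page_channel}" if page_channel in chans else "ad:default"

    def research_urls_for(self, browser_id):
        """Raw URLs still retained beside a given id (a URL may carry a username in its path)."""
        return [url for _, bid, url, _ in self.research if bid == browser_id]


def demo():
    """Constructed browsing session: two visits, then a purge well past 14 days."""
    p = Profiler()
    t0 = datetime(2008, 3, 12, 12, 0)
    p.observe("uid-4f2a", "http://photos.example/users/alice/golf-trip", "birdie on the 9th", t0)
    p.observe("uid-4f2a", "http://shop.example/handbags", "new clutch styles", t0 + timedelta(days=1))
    before = p.research_urls_for("uid-4f2a")
    ad = p.serve_ad("uid-4f2a", "golf")
    p.purge(t0 + timedelta(days=16))
    after = p.research_urls_for("uid-4f2a")
    return {
        "channels": sorted(p.production["uid-4f2a"]),
        "ad": ad,
        "research_before": before,
        "research_after": after,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the production side holding nothing but `uid-4f2a -> {golf, handbags}`, while for the first fortnight the research side holds that same id beside `.../users/alice/...`; whether the 14-day copy is really as separate as the post is told is exactly the unanswered question.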

Despite some significant investigative work, in particular from The Register and the Political Penguin blog, several technical questions remain unanswered. The confusion is compounded by a Privacy Impact Assessment of Phorm that was conducted by 80/20 Thinking Ltd, whose core staff includes the director of Privacy International, Simon Davies. Davies has gone on record stating that "Phorm does advance the whole sector of protecting personal information by two to three steps". Yet despite the focus on Davies’ involvement, the privacy impact assessment conducted by 80/20 is yet to be published.

On top of this, question marks are beginning to appear over Phorm’s compliance with the law. Can ISPs’ employment of Phorm comply with the Data Protection Act? Is intercepting traffic in this manner an offence under section 1 of RIPA (the Regulation of Investigatory Powers Act)? The Information Commissioner has issued a statement (pdf) saying his office is making inquiries – but is this enough?

A petition asking the Government “to stop ISPs from breaching customers’ privacy via advertising technologies” has now collected over 2,500 signatures. Phorm could, as Simon Davies has claimed, represent an advance in online privacy. But because it is being applied to target ads at us, based on activity – the websites we visit – that we have not asked to have tracked and may not want tracked, it is not surprising that people are shouting “keep your mitts off my bits!”.

Until we know exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue. The ISPs involved with Phorm, as well as the company itself, should take their lead from the Government, who last week published the controversial and critical Crosby Review of ID cards after much delay. They should publish 80/20’s impact assessment and full details of how Phorm will work now and let us see for ourselves the real privacy implications of Phorm.

Some resources:
  • 80/20 Privacy Impact Assessment of Phorm - forthcoming?


Comments (46)

  1. The Open Rights Group : Blog Archive » The Phorm storm | TypicalAd.com:
    May 21, 2009 at 10:36 PM

    [...] Go here to read the rest: The Open Rights Group : Blog Archive » The Phorm storm [...]

  2. Dewi Morgan:
    Mar 28, 2009 at 11:32 PM

    Few points:

    1) Another one here saying "yes please, I'd like to be able to post here through https".

    2) ORG email just sent out says "3 Block Phorm: opt your website out, and let us know by emailing blockphorm@openrightsgroup.org" - but doesn't give any clue, either in the email or on any of the linked pages, how to accomplish that.

    3) This is really just a wakeup call that we should all be using https and tunnelling for all our web browsing. If you have wifi, people are already snooping on all your browsing. Even if not, there are an infinite number of routers and governments and interested organisations that would be interested in your traffic. Neither US nor UK ISPs have shown themselves above data tapping. The only *realistic* solution is for http to become strongly deprecated, and https (with extensions that allow multiple sites on a single IP) to be heavily pushed by the browser community, hosting community, security community and user community.

    If you use HTTP, your browser, email, or word processing software should be displaying a red flag on your screen to warn that you are almost certainly being snooped. It is farcical that UNencrypted links get no warnings, but encrypted, self-signed ones get huge scary ones.

    Certificates are NOT expensive: they can be had for free from Thawte, CACert, and Comodo.

    With a concerted effort, HTTP could probably be killed before IPv6 takes off. Then do the same for unencrypted email connections.

  3. ToingToing! Hands off my cookie jar! » ToingToing:
    Dec 01, 2008 at 02:04 PM

    [...] have to agree, I have to understand what I’m getting in return.” The Phorm plan caused major debates online — not unlike the debate that forced social network Facebook to change a similarly intrusive [...]

  4. Blackbeaks Blog….All things Analytics - » EU Commision response about Phorm:
    Jul 19, 2008 at 02:23 PM

    [...] EU Commission letter is a response to my email which directed them to this post regarding the Phorm system which may be trialled by the UK internet service provider BT. The letter basically says that [...]

  5. Paul:
    Mar 12, 2008 at 11:06 PM

    To Jon Grant...

    If you Opt Out in the case of Phorm, afaik and according to what BT and others are saying, your web page views are still crawled over and so they still snoop at your business and classify your interests etc using software created by Phorm.

    It may be Phorm software running on an ISPs server, but how does the ISP know exactly what that is doing? And why is this not something we can Opt Out of?

    And I presume they will apply software updates from Phorm? How will the ISPs ensure that is done properly?

    Remember that Phorm is headed up by a man who was involved in sneaky adware, spyware and "rootkits" to spy on user activity and then use that data to target them with adverts they did not agree to receive.

    Still happy to just "Opt Out"??

    Sign the petition, we all need to. Then, number 2, make your next job telling your ISP what you think of this move. Phorm is not on!

    Imagine, it's like your letters being opened, scanned, resealed and given to you and opting out is only stopping adverts... what about all those scanned letters... who has access to them? And what about the man/woman doing the scanning? How do you know they are not making two copies, one for them?

    Not on. Not on at all I say! Bad PHORM!

  6. Karl Jackson:
    Mar 13, 2008 at 12:26 AM

    One point of interest for Virgin Media customers: there was a clause in their T & C (which, let's be honest, very few people ever read!) which said they wouldn't monitor users' traffic unless required to by law. Note I said 'was'; apparently it's vanished. One has to wonder why...as if we need to. :(

    In the relevant thread on the nthellworld forum, there's a form letter posted by Rob (one of the Cable Forum team) which you can post to Virgin, telling them you don't want to know - you're advised to send it by registered post (as I did today).

    This must be stopped. I can't understand why we've heard nothing from the Data Protection Registrar about this. It CAN'T be legal.

  7. Karl Jackson:
    Mar 13, 2008 at 12:37 AM

    I just found the link to said letter:

    http://www.cableforum.co.uk/board/34492295-post128.html

  8. David Pollard:
    Mar 13, 2008 at 01:07 AM

    Sleepwalking into a surveillance society...

    If details that have been shown and described on The Register (http://www.theregister.co.uk/2008/02/29/phorm_roundup/) are correct, the equipment that ISPs will use for Webwise introduces a 'Level 7' passive tap into all users' connections to the internet. (A passive tap copies data undetectably at the physical hardware level and cannot be circumvented.) In principle this tap would allow an additional copy of datastreams to be made without any tangible record of interception.

    Disturbing though this may be, use for widespread surveillance also seems possible using the system directly. The essence of claimed anonymity is based on the use of a random number to index the list of profiles, but this claim rests on the integrity of the ISP.

    The Webwise system builds a user profile based on visited websites. It would be straightforward to generate a flag in stored profiles based around keywords such as 'red mercury' or 'social security benefit' or whatever the presumed threat/scare is at any time, in just the same way that a commercial user might be interested in keywords 'car', 'fast' and 'powerful'.

    Although the tracking cookie used to index to the matching profile is itself anonymous, a link has to be made between the Unique User Identifier (UUID) and the user's internet address in order that the 'appropriate' set of advertisements can be served to opted-in users. The tracking cookie has to be set, and then read for each new website visited. The ISP must therefore at some stage hold details of both the UUID and the address to which it is attached. (The instructions to set the cookie containing the UUID and to read it go through the ISP to/from the user address.) ISPs, of course, also keep a log which links the internet address to the user at all times; and this log is available to some government departments.

    The browser of an opted-out user will, it seems, also be expected to have a cookie containing a UUID. Although, in this case, the cookie would not be used to tailor advertisements from sites that subscribe to OIX, some reports suggest that opted-out users will also be profiled.

    As Bill Thomson pointed out recently, (http://news.bbc.co.uk/2/low/technology/7226016.stm), nearly 800 separate bodies are now allowed to request communications traffic data from providers. In the first nine months of 2007 some 250,000 such requests were made.

    It's hard not to wonder that the overall business model for Webwise might be similar to that which was used to finance speed cameras. The installation of cameras and number plate recognition systems was paid for by companies who gather information about traffic flows, registration numbers being discarded after being used to measure transit times between two cameras. Their profit comes from supplying a synopsis of the aggregated pattern to customers who are prepared to pay a premium to avoid congestion. Now, however, the same equipment is also to be used to police speeding; and this process is not anonymous.

    The problem with the Phorm/Webwise scheme is not so much that, insidious though it may be, adverts of one sort or another are selected to suit the user's observed browsing habits; nor that it has been promoted on the audacious basis of default to opted-in; nor even that it might 'break' parts of the internet, that it could access and allow confidential information to leak, or that a copy of everything browsed is scanned.

    The problem is that it has the potential to be used to enhance the widespread covert surveillance that is already available to governmental bodies. In the furore over opt-in/opt-out and other details, this aspect seems so far to have been largely ignored.

    If the government can't be held to account over its use of personal data then there isn't much hope of regulating commercial use; neither is there much point. And without informed public debate, there isn't much hope of remedy. First of all it is the government that must be made accountable.

  9. Jon Grant:
    Mar 12, 2008 at 03:18 PM

    Guide how to confirm you don't opt into marketing:
    http://jguk.org/2008/03/no-online-marketing-opt-in.html

    Sets special doubleclick "do not track" cookie etc.
    Cheers, Jon
    http://jguk.org/

  10. Paul:
    Mar 12, 2008 at 11:04 PM

    To Jon Grant...

    If you Opt Out in the case of Phorm, afaik and according to what BT and others are saying, your web page views are still crawled over and so they still snoop at your business and classify your interests etc using software created by Phorm.

    It may be Phorm software running on an ISPs server, but how does the ISP know exactly what that is doing? And why is this not something we can Opt Out of?

    And I presume they will apply software updates from Phorm? How will the ISPs ensure that is done properly?

    Remember that Phorm is headed up by a man who was involved in sneaky adware, spyware and "rootkits" to spy on user activity and then use that data to target them with adverts they did not agree to receive.

    Still happy to just "Opt Out"??

    Sign the petition, we all need to. Then, number 2, make your next job telling your ISP what you think of this move. Phorm is not on!

    Imagine, it's like your letters being opened, scanned, resealed and given to you and opting out is only stopping adverts... what about all those scanned letters... who has access to them? And what about the man/woman doing the scanning? How do you know they are not making two copies, one for them?

    Not on. Not on at all I say!

  11. Pete:
    Mar 12, 2008 at 03:07 PM

    It's important to note it's not just your web surfing that's vulnerable to Phorming.

    Microsoft Office products, when they request content from the web, do so using the same 'user agent' identifier as Internet Explorer.

    In non technical terms, this means Phorm can't differentiate between web requests from Microsoft Office, Open Office, and Internet Explorer.

    Consequently, if you open an email in Outlook with embedded images for example, or a Word office document with web content in, the requests that your office software sends to the web will be indistinguishable from Internet Explorer.

    Assuming Internet Explorer is on Phorm's white list, Phorm could know which email newsletters you receive, when/if/how often you read them. It could know which Word documents from which companies you had opened and read.

    See;
    http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?6

    for details.

    Phorm must be stopped. Opt in isn't even tolerable any more.

    Otherwise, the only way to opt out comprehensively is to opt out of your ISP. :o(

    Pete.

  12. Andrew:
    Mar 12, 2008 at 03:00 PM

    I really don't see how Phorm can ever be anonymous:

    Phorm say the whole thing is anonymous and they can't track who you are and what you do, yet in the privacy report carried out by Ernst and Young published here:

    http://webwise.bt.com/webwise/EY_Phorm_Exam.pdf

    Page 7 states that you can send for a copy of information that phorm holds about you. Errr wait they know who you are ? they can track you from the information gathered from your surfing habits ?

    Phorms history is also very interesting ! Phorm had a spyware complaint against it:
    "Back in 2005, when Phorm operated under the 121Media banner, CDT filed a complaint (pdf) with the Federal Trade Commission over distribution of what it considered spyware. 121Media later withdrew its rootkit software "

    http://uk.biz.yahoo.com/14022008/323/phorm-exclusive-ad-platform-deals-bt-talktalk-virgin-media-update.html

    An important bit here is the phrase

    "The ISPs will also get Webwise, a free software tool which offers greater consumer protection from fraud and phishing scams by warning customers if they are browsing fraudulent websites."

    Two small things: 121media used to get you to download its spyware by embedding it in a free program. Sound familiar?? :|

    In an interview with The Register (http://www.theregister.co.uk/2008/03/07/phorm_interview_burgess_ertegrul/), Mark Burgess of Phorm was asked...

    "So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?"

    His response was...

    "What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us."

    The Data Protection Act does not give the ISP exemption simply because the data sent by THE isp to Phorm isn't used. If the ISP sends my data to a third party for marketing purposes without my consent you will be in breach of the act regardless of how or if Phorm chose to use or ignore the data.

    STOP THIS PHORM NONSENSE NOW !!!! The fact it's even been allowed to get this far just shows how lax the laws have become in this country. Legalising spyware/adware is just madness.

  13. Andrew:
    Mar 12, 2008 at 02:52 PM

    Why is it I don't trust Ernst and Young?

    Is this the same Ernst & Young involved in the Enron Scandal

    Is this the same Ernst & Young involved in the WorldCom Scandal

    Is this the same Ernst & Young involved in the Sprint Scandal

    Is this the same Ernst & Young involved in The 'Late Trading' and 'Market Timing' Mutual Funds Scandal

    To name but 4 of many.

    Was this Privacy audit done under UK or USA law?

    OH USA law... Why was that, is UK law too tough?

    Why is it I don't trust Ernst and Young given its past reputation?

    read here : http://www.forbes.com/2002/05/21/0521topnews.html

    here : http://www.albetzreporting.com/cs_worldcom.html

    and here: http://www.sundaytimes.lk/070204/Fin...mes/ft309.html

  14. Andrew:
    Mar 12, 2008 at 02:53 PM

    edit:

    that last link should be

    http://www.sundaytimes.lk/070204/FinancialTimes/ft309.html

  15. sassenach:
    Mar 13, 2008 at 10:53 PM

    What concerns me is that even if we can opt out at home, what about work? How many people know who their employer's ISP is? I know my employer's and unfortunately it's BT.
    Companies should alert their staff if they remain opted in to Webwise, as if not then people who check their webmail/facebook/forums etc in their breaks (cough cough) could unwittingly be exposing themselves, or rather their data, to Phorm.

  16. Andy:
    Mar 13, 2008 at 05:09 PM

    Isn't this just dodging the issue?

    Yes Phorm and ISPs are going to be looking at users' data but isn't the real concern the fact they even have that ability?

    What we need is to actually use encryption!

    ALL pages on the web should support SSL or some other form of encryption, this would stop ISPs looking at content wouldn't it?

    (Note I tried to use SSL for this page but I got sent to some supporters web form, come on ORG let us encrypt our traffic to you!)

  17. Mike:
    Mar 13, 2008 at 12:18 PM

    Phorm claim that the data is not identifiable, and yet they keep referring to an identification number.

    So it is identifiable, categorised and timestamped.


    If Phorm's database is not secure.. (whose is? - yes it's exchange only but...)

    With the ID number from a cookie on my PC you could retrieve entries from Phorm's database by unique ID and obtain the times and categories viewed.

    If you went one step further you could match categories from the same timestamp and infer they were on the same page, you could then cross reference the categories with say google to identify the pages viewed and when.

    Let's go one step further: I can see when my neighbour's lights are on, I can cross reference to Phorm timestamps and deduce a possible ID, not only this I can see categories and interests and possibly by cross-referencing with google determine sites visited.


    Yes it's definitely 'an advance in privacy' yeah right !

  18. JayUK:
    Mar 14, 2008 at 12:48 PM

    My rant letter to BT:
    "I am concerned about BT's trial of Phorm. I need assurances that my account will not be used to sell my browsing habits to a third party such as phorm. This is a violation of RIPA Regulation of Investigatory Powers Act 2000 (c. 23). In particular sections 1(1) and 2(2):

    1. Unlawful interception. (1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of (a) a public postal service; or (b) a public telecommunication system.

    2. (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he (a) so modifies or interferes with the system, or its operation, (b) so monitors transmissions made by means of the system, or (c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system, as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

    I would like to opt OUT of any of my browsing data going to any third party, particularly Phorm. If any of my information, data or habits is given to a third party then I would like my account closed. For now I would like an assurance that my details will not be shared. Regards"


    BT's reply:
    "Thank you for your email regarding your BT account. I am really sorry that you have had to contact BT about your personal information and can understand any annoyance this has caused you. Unfortunately, I am unable to access your account without your Telephone number and your account number. The reason I need this is for security purposes. In light of this, if you could reply with the said information as well as a brief summary of how I can help I will gladly assist you further. I apologise as this is clearly not the response you were waiting on, but let me assure you, upon receipt of the relevant details I will assist you further. Yours sincerely, Philip McManus, eContact Customer Service, Ref: 16073590. British Telecommunications plc Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no. 1800000. This electronic message contains information from British telecommunications plc which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email immediately. Activity and use of the British Telecommunications plc email system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes. For BT's privacy and security policy for web and email usage, for pricing information, and for our terms and conditions, please visit www.bt.com."

  19. Mike:
    Mar 13, 2008 at 12:03 PM

    ".. an advance in online privacy."
    Just how is this an advance on no-one intercepts at all?

    I do not mind sites recording my presence or preferences but I do object to blanket monitoring. Blanket intercepts are wrong and should be banned just like phone tapping is.

    121media has previous phorm in the spytoapplyads-ware market, and its not good.

  20. Phorm..... - The Consumer Forums:
    Mar 22, 2008 at 02:31 AM

    [...] Phorm..... The Open Rights Group : Blog Archive

  21. The Open Rights Group : Blog Archive » ORG and FIPR meet with Phorm:
    Mar 28, 2008 at 12:07 PM

    [...] that they are selling to BT, Virgin and TalkTalk actually work. Over the last few weeks, the story that three of the UK’s major ISPs are signed up to trial Phorm, which tracks users’ online surfing habits in order to serve them targeted ads, has been met with [...]

  22. Tim:
    Mar 20, 2008 at 06:21 PM

    UK ISPs using Phorm and other such intercept/profiling technologies without the explicit consent of their customers are acting immorally and more than likely illegally.

    It is almost inevitable that countries like Burma, Iran, China & others will seek to acquire Phorm or similar technologies to assist in profiling and targeting legitimate dissenters.

    There needs to be a blanket ban on the export of Phorm & similar intercept/profiling technologies to repressive regimes.

  23. Privacy what Privacy:
    Mar 21, 2008 at 04:50 PM

    Privacy what Privacy, I now have noted two Entities trying to track me through the Web System using Data that BT /Phorm say they are "NOT" collecting????

    I may as well tell them they are at the moment going up a blind alley, but if they find me beware my "BITE" is far worse than my "BARK"!

  24. pip:
    Mar 16, 2008 at 04:45 PM

    Before it disappears, you might want to grab this page for your legal case you might see fit to bring later!

    http://www.beta.bt.com/bta/forums/message.jspa?messageID=14251#14251
    "Adam Liversage



    Posts: 32
    Registered: 11/1/04
    Re: BT Webwise technical trials to begin from mid-March 2008 [Q&A thread]
    Posted: Mar 14, 2008 9:58 PM in response to: Peter N Reply

    SYSIP.NET ISSUE - UPDATE

    BT can confirm that we conducted a very small scale technical test of a prototype advertising platform on one exchange in June 2007.

    The test was specifically conducted to evaluate the functional and technical performance of the platform.

    Absolutely no personally identifiable information was processed, stored or disclosed during this trial.

    As with all Service Providers, it is important for BT to ensure that, before any potential new technologies are employed, they are robust and fit for purpose.
    Adam
    "


    'The Other Steve' here, makes several Phorm points clear enough (thanks)
    http://news.digitaltrends.com/news/story/16035/phorm_creates_a_storm
    "Reader Comments


    The Other Steve on Mar 13th, 2008 at 6:34 AM

    A few problems with that statement from Phorm. Firstly, their assertion that their technology complies with RIPA is based on an opinion offered by Simon Watkin of the Home Office covert investigation policy team.

    His opinion ( http://cryptome.org/ho-phorm.htm) is that although the technology does constitute "interception" under RIPA it would be lawful because (although RIPA requires explicit consent from all parties to a communication) permission from the web hosts would be implied by having made their content publicly available.

    However, not all web content is public, things like web mail for instance, or private forum access.

    Phorm has repeatedly stated that they comply with the DPA, however the ICO has not issued any statement as to whether this is the case, although they are currently investigating the company.

    From the publicly available information on the Phorm technology, provided by Phorm themselves, it seems that processing of sensitive information (as defined under Section 2 of the DPA) will take place even if users have opted out of the scheme, since in these circumstances, their web traffic will be still be proxied through the 'Profiler'.

    If this is the case, it's a clear contravention of the DPA.

    Phorm have repeatedly stated that the technology "doesn't store IP addresses or retain browsing histories", however the patent covering the technology tells a different story, saying "As explained above, the context reader may be configured to more than just keyword and other contextual data pertaining to a given web page.

    The context reader may also include behavioral data (e.g, browsing behavior), other historical data collected over time, demographic data associated with the user, IP address, URL data, etc." http://www.freshpatents.com/Targeted-advertising-s...

    This is clearly at odds with Phorm's public statements.

    Since Phorm are a former spyware distributor (under the name of 121Media they developed the PeopleOnPage browser hijacker http://www.thisismoney.co.uk/investing-and-markets... and had a complaint filed against them with the FTC by the Centre for Democracy and Technology in 2005, http://www.cdt.org/privacy/20051103istcomplaint.pd... ) it isn't difficult to see why users are seriously unhappy, and will resist the introduction of this technology.
    "

  25. Alison Hinckley:
    Mar 12, 2008 at 02:19 PM

    As the owner of a private, (advert-free) members-only webforum, I am horrified that the Phorm software will be able to gain (unauthorised) access to the forums via members' ISPs. The forums contain a lot of personal information relating to the forum members, including 'keywords' that the Phorm software scans for in webpages. Furthermore, names and members' aliases are also deemed personally identifying information - how does the Phorm software recognise which words are personal info, and which are not?

    I have a total bot exclusion in place on my forums through a robots.txt file. Will the Phorm software recognise and respect my forum (and members) wish for privacy? NO.

    Phorm say users will have the option to opt-out. Will webowners and forums also have that option? NO.

    Why should I pay to buy a security certificate to make my forums https? Anyway, we have still to be reassured that https pages will not be intercepted by Phorm software - Phorm says its software ignores any data entered on https pages, however, to ignore it, it has to first process it.

    There will be many website owners and administrators who are concerned about the security of information placed within members only areas of their websites, and who will wish to stop Phorm or anyone else intercepting this information. Yet why has Phorm not addressed this? Why have the media ignored this aspect - especially considering the recent publicised spate of confidential information being 'lost'.

    So many questions, so few answers . . . .

  26. David Wilcox:
    Mar 12, 2008 at 01:53 PM

    I find Phorm's Patent Application particularly worrying as it states that the technology they use is easily capable of reading IP addresses, form fields (and by implication, user names and passwords) and virtually anything that is not on an encrypted https page. We only have their assurance that they are not going to look at this information in any future applications. Considering their CEO's past record in internet security grey areas, it is like putting a reformed alcoholic in charge of an off-licence.

  27. Mark Levitt:
    Mar 12, 2008 at 11:58 AM

    I think it's important to note that, as we've seen with the AOL search data debacle, just assigning a random unique number is not enough to anonymise the data.

    In thinking about the sites I visit, for example del.ico.us or flickr, where my username is embedded in the URL, it doesn't seem like it would be too hard to figure out who I am.

  28. Alison Wheeler:
    Mar 12, 2008 at 01:09 PM

    Something I have yet to see on the Phorm debate (and as a Virgin media customer I will be a sufferer from the added delays) is who actually gets to use this information. If they (who?) are targeting advertisements specifically to match someone's browsing habits does this mean that only the sites who buy Phorm information will use this or do the ISPs concerned plan on removing a website's chosen adverts and replacing it with their own? They already do this with adverts on satellite television channels ...

  29. Observation:
    Mar 18, 2008 at 01:46 PM

    Trojan Horse(s)

    What is the Origin, is it something to do with Ancient Greece?

    Some Organizations neither listen nor learn. Are you listening, in particular my ISP!

    If you leave them inside, the Installed Software may crawl over all your Inner Routers!

  30. M:
    Mar 18, 2008 at 02:10 PM

    I'm pretty much sure that this is dodgy business done by dodgy people, audited by a dodgy auditing company.

    I'm afraid that there are some secret services behind it who will have a simple ability to gather web-profiles on citizens in addition to DNA, fingerprints, CCTV records etc.

    I think that the only way to win over this is to spread the truth to the masses: to educate the public and make this kind of business feel dirty. Then BT, Virgin and other greedy businesses will abandon the partnership, being afraid to lose money on bad publicity.

    I personally see those people same as Soho brothel owners who can do anything to get rich. I despise them.

  31. ISP Intercepting & Redirecting DNS:
    Mar 18, 2008 at 05:23 PM

    This is part & parcel of the same problem we have with Phorm but the ISP DNS Service needs closer monitoring.

    See below for some details of what can be done with DNS: some legitimate, but some really dodgy trends which are becoming more & more prevalent!

    C:>nslookup www.google.com 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 216.239.59.103, 216.239.59.99, 216.239.59.104, 216.239.59.147
    Aliases: www.google.com

    C:>nslookup www.goggogllle.com 208.67.222.222
    Server: resolver1.opendns.com
    Address: 208.67.222.222
    Non-authoritative answer:
    Name: www.goggogllle.com
    Address: 208.69.32.130 ***Relocated 404 Error to Serve Ads etc!****
    ********
    $$$$This should be a 404 error returned to Browser as below to report not found!!!$$$
    *** resolver1.opendns.com can't find www.goggogllle.com: Non-existent domain
    *********

    C:>nslookup www.google.com 4.2.2.2
    Server: vnsc-bak.sys.gtei.net
    Address: 4.2.2.2
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 66.249.91.103, 66.249.91.147, 66.249.91.104, 66.249.91.99
    Aliases: www.google.com

    C:>nslookup www.goggogllle.com 4.2.2.2
    Server: vnsc-bak.sys.gtei.net
    Address: 4.2.2.2
    *** vnsc-bak.sys.gtei.net can't find www.goggogllle.com: Non-existent domain

    C:>nslookup www.google.com 194.74.65.69
    Server: ns7.bt.net
    Address: 194.74.65.69
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 66.249.91.147, 66.249.91.103, 66.249.91.99, 66.249.91.104
    Aliases: www.google.com

    C:>nslookup www.goggogllle.com 194.74.65.69
    Server: ns7.bt.net
    Address: 194.74.65.69
    *** ns7.bt.net can't find www.goggogllle.com: Non-existent domain

    C:>nslookup www.google.com 217.146.139.5
    Server: ns1.de.eu.orsn.net
    Address: 217.146.139.5
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 209.85.129.104, 209.85.129.99, 209.85.129.147
    Aliases: www.google.com

    C:>nslookup www.goggogllle.com 217.146.139.5
    Server: ns1.de.eu.orsn.net
    Address: 217.146.139.5
    *** ns1.de.eu.orsn.net can't find www.goggogllle.com: Non-existent domain

    C:>nslookup www.google.com 67.138.54.100
    Server: 067-138-054-100.nsi-communications.com
    Address: 67.138.54.100
    Non-authoritative answer:
    Name: www.l.google.com
    Addresses: 64.233.167.99, 64.233.167.147, 64.233.167.104
    Aliases: www.google.com

    C:>nslookup www.goggogllle.com 67.138.54.100
    Server: 067-138-054-100.nsi-communications.com
    Address: 67.138.54.100
    Name: www.goggogllle.com
    Address: 67.138.54.98 ***Relocated 404 Error to Serve Ads etc!****
    ********
    $$$$This should be a 404 error returned to Browser as below to report not found!!!$$$
    *** 067-138-054-100.nsi-communications.com can't find www.goggogllle.com: Non-existent domain
    *********


    Notice all the Different Aliases for www.google.com depending on the ISP DNS Server; this of course "could be" entirely genuine in order to handle the router traffic, or it "could be" a redirect through one of their own routers for another purpose?
    *****************************
    **dns.sysip.net was logged as a BT DNS Server by MY ROUTER last year for example!**
    If I had known why at the time I would have kept the log!
    ****************************
    The worrying trend is that some ISPs have started to redirect the user to a custom page when a webpage is misspelt etc. *See Above*

    Even more worrying is that some sites are reporting detections of some rogue ISPs intercepting DNS calls & replacing the call with their own DNS aliases!!

    Redirection of DNS is like redirection of your mail, legitimate if done properly by your Service, but redirection or interception is illegal unless due process of law is followed!

    ****Therefore DNS Servers/ISP DNS Servers need closer monitoring to comply with safe use on the Internet!****

    **************************************
    BT J'Accuse of redirecting/intercepting my legitimate communications with others, without due consent of Law & I insist you remove all such monitoring devices forthwith, which may still be doing so at present!
    **************************************
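    The nslookup transcripts above show the symptom by eye. As an added check that is not part of the original comment, the Python below (stdlib only) builds the DNS query itself and reads the response code straight off the wire, so a resolver that hands back an address for a canary name that cannot exist is flagged as rewriting NXDOMAIN. The canary name is a constructed placeholder under the reserved .invalid TLD; `probe()` takes any resolver IP you want to test and is the only part that needs network.

```python
# Added example (not code from the original post): stdlib-only DNS probe that asks a
# resolver for a name that cannot exist and checks the raw RCODE for NXDOMAIN rewriting.
import socket
import struct
CANARY = "nxdomain-canary-example.invalid"  # constructed; .invalid is reserved (RFC 2606)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursive A/IN query in RFC 1035 wire format (flags RD=1, QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data: bytes) -> dict:
    """Extract RCODE and any A-record addresses from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record carries a 4-byte IPv4 address
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addrs}

def classify(resp: dict) -> str:
    """RCODE 3 with no answers is honest; any address for the canary is a rewrite."""
    if resp["rcode"] == 3 and not resp["addresses"]:
        return "honest-nxdomain"
    return "nxdomain-rewritten" if resp["addresses"] else "unexpected"

def probe(resolver_ip: str, name: str = CANARY, timeout: float = 3.0) -> str:
    """Live check of one resolver over UDP/53 (needs network; not used by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_response(data))
```

    Running `probe()` against each resolver in the transcripts above reproduces the comparison without relying on how nslookup prints "Non-existent domain"; a resolver that returns "nxdomain-rewritten" is the one to avoid or report.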

  32. Vic Z:
    Mar 21, 2008 at 01:54 PM

    Let's be clear, it is the ISPs who are responsible here, it is they who are potentially breaking the law, Phorm is only (one of several) tools that are available for them to use. Yet they are keeping their heads down while everyone hurls abuse at Phorm - an easy target for sure given their past and their sleazy PR machine - and will no doubt move quickly on to yet another intrusive technology if this one doesn't work out.

  33. David S:
    Apr 12, 2008 at 12:02 AM

    Gee, why don't they just install a key logger... seriously, we know where the UK government stands, don't we? Can you really imagine this government batting an eyelid stopping them, maybe even using Phorm as a proxy to catch the 'bad guys'.

    If this does contravene the Data Protection Act 1998, how come the ISPs are getting away with it and have not been sued to date? No one bothered?

    Hope I'm wrong.... maybe this is the way that the Internet is going; note how it always starts with the big guys, BT and Virgin I mean.

  34. ethority blog » Phorm - a British targeting provider under fire:
    Mar 19, 2008 at 05:25 PM

    [...] Telecom, without the user being able to notice this. As an example, a blog post on openrightsgroup.org [...]

  35. Links » Bad Phorm?:
    Mar 13, 2008 at 02:28 PM

    [...] anyone even half-awake knows, there has been a storm of protest over Phorm. I won’t reiterate the basic arguments, but I am intrigued by a couple of inconsistencies [...]

  36. links for 2008-03-15 « Kathryn Corrick:
    Mar 16, 2008 at 12:04 AM

    [...] The Phorm storm >> The Open Rights Group Blog Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet…. (tags: advertising privacy phorm ISP article)  Subscribe in a reader [...]

  37. ISP Intercepting & Redirecting DNS:
    Mar 17, 2008 at 10:45 PM

    There is also an associated & equally dangerous practice being employed by more & more ISPs.

    DNS Names (the backbone of the WWW System) are either being redirected first through another DNS alias and then back to the original, or, even worse, if a User chooses to change their DNS server to avoid this practice, the ISP does in some cases intercept this DNS service call, pretend to be the Server the User has asked for, & redirect the DNS anyway.

    This will inevitably lead to anarchy on the Net if this practice is also not deemed illegal!

  38. A Very Worried Messenger:
    Mar 17, 2008 at 10:46 AM

    I re-iterate.

    There is no place inside any ISP for this type of system which compromises not just their own users but all internet users.

    The ISP is guilty of "M.I.T.M /Illegal Wire Tapping" inside a system the Users & the Web Servers contacted can do nothing to mitigate!

    Opt-in Opt-out is not the Issue, these Boxes must be removed from ALL ISP locations!

  39. A Very Worried Messenger!:
    Mar 15, 2008 at 09:29 PM

    Do the Internet Providers really want a new word in the English Language?

    "PHORMSTORM"

    A Biblical Size plague of flies from within the ISP & a corresponding plague of Ravenous Locusts from irate Personal Internet Servers who have been stepped on by a questionable AD Provider.

    There is no place inside any ISP for this type of system which compromises not just their own users but all internet users.

    These internet providers are stepping on a "BASIC HUMAN RIGHT" the right to communicate with others without being constantly monitored & or spied upon!

    (Communicating through Tor to partially cover my tracks, YES I HAVE THE MISFORTUNE TO BE ONE OF THE USERS INSIDE SUCH A COMPROMISED INTERNET PROVIDER!)

  40. MJR: Web Applications:
    Mar 17, 2008 at 01:31 PM

    [...] post from either blog. Secondly, the Phorm advertising system has faced hard questions from both Open Rights Group and Sir Tim Berners-Lee over its mysterious user tracking. Phorm hasn't yet replied properly about [...]

  41. ToingToing | ToingToing! Hands off my cookie jar!:
    Mar 17, 2008 at 03:48 PM

    [...] have to agree, I have to understand what I’m getting in return.” The Phorm plan caused major debates online — not unlike the debate that forced social network Facebook to change a similarly intrusive [...]

  42. The Open Rights Group : Blog Archive » Phorm update:
    Mar 17, 2008 at 05:28 PM

    [...] Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the [...]

  43. Kevin:
    Mar 17, 2008 at 10:12 AM

    Checked with my ISP, the PhoneCoop. They say that introducing Phorm is "not something the PhoneCoop is planning to do."

    They may not be the cheapest, but there are advantages of an ISP that is owned by its users...

  44. Internet Protection:
    Sep 19, 2009 at 09:02 AM

    Phorm's interim Privacy Impact Assessment, which is now published by Phorm, is a very important and useful document.



This thread has been closed from taking new comments.