April 04, 2008 | Becky Hogge

Phorm analysis out

Richard Clayton has now published his technical analysis of Phorm. There's a good introduction to it on his Light Blue Touchpaper blog.

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Read the rest here, or go straight to the technical analysis.
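
A site owner who wants to look for the forged-cookie step described above can check the Cookie headers the site receives for names the site never issued. The following is an added example, not code from Richard Clayton's analysis or from Phorm; the cookie names, addresses and log sample are constructed, and it assumes the planted cookie actually reaches the server and that the server records request Cookie headers.

```python
import ipaddress
from collections import defaultdict

# Assumption: every cookie name this site (or its own scripts) sets.
ISSUED_BY_SITE = {"sessionid", "csrftoken", "lang"}

def parse_cookie_header(header):
    """Parse a raw Cookie request header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def foreign_cookie_report(requests, issued=ISSUED_BY_SITE,
                          prefix_len=24, min_clients=2):
    """Return {cookie_name: {network: [client, ...]}} for cookies the site
    never issued that arrive from at least min_clients distinct addresses
    in one network. Several clients on one access network carrying the same
    unknown cookie points at the network, not at one odd browser."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, header in requests:
        net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
        for name in parse_cookie_header(header):
            if name not in issued:
                seen[name][str(net)].add(client)
    report = {}
    for name, nets in seen.items():
        hits = {n: sorted(c) for n, c in nets.items() if len(c) >= min_clients}
        if hits:
            report[name] = hits
    return report

# Constructed sample: (client address, Cookie header) pairs from an access log.
# "injected_uid" and "toolbar_pref" are made-up names, not real identifiers.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "sessionid=a1; injected_uid=Zx81"),
    ("192.0.2.77", "lang=en; injected_uid=Qp22; csrftoken=t9"),
    ("198.51.100.5", "sessionid=b2; lang=en"),
    ("203.0.113.9", "sessionid=c3; toolbar_pref=1"),
]

if __name__ == "__main__":
    for name, nets in foreign_cookie_report(SAMPLE_REQUESTS).items():
        print(name, nets)
```

The single-client cookie in the sample is not reported, because one browser sending an unknown cookie is more likely a local add-on than something on the path.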

By coincidence, the Information Commissioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR's invitation to consider the lawfulness of Phorm's data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.



Comments (20)

  1. Message:
    Apr 17, 2008 at 02:37 PM

    There are TWO Issues here, possible failure to protect your forum users' personal data (which is important at the moment).

    The Second is that potentially, as I mentioned above the Posts may as a result NOT come from me!

    It is NOT an ill conceived idea to protect one's data, after all what is the Fuss about with phorm, if it is not to protect both privacy & data!

    I stand by my Statement!

    I have contributed to this debate, on this forum & others, but I will not compromise either my Privacy or my Personal Data, or my Identity by possibly having others impersonate me!

    A small piece of information, do not rely on the Windows Host File to block certain sites. Some of the Phorm techniques get round this in the same manner that blocking certain Microsoft Sites does not block the actual site!

  2. Dynamo_ace:
    Apr 08, 2008 at 12:09 AM

    I think we need to wait for a more viable source since it's The Register.
    But the concerns are there.

  3. David M:
    Apr 08, 2008 at 03:50 AM

    What do you mean "viable source since it's The Register"? If it wasn't for Chris and ElReg, this story wouldn't be anywhere near as advanced as it has become, and they have the leaked paper to prove this. What more do you want, Dynamo?

    Credit where it's due, and that my friend is squarely at The Register and Chris's door....

    Did you sign the new and totally separate BT-RIPA petition put up last night BTW?
    http://www.petitiononline.com/BTRipa/petition.html

  4. Update:
    Apr 07, 2008 at 06:32 PM

    http://www.theregister.co.uk/2008/04/07/bt_phorm_ico/

  5. Message:
    Apr 16, 2008 at 09:28 AM

    I am not unduly concerned about posts I have written, they after all are meant to be read, however this is Not off topic this is about Phorm & protecting the User!

    Openrightsgroup.org DOES use HTTPS for its signup form, cable forum does NOT. BT keep trying to intercept my communications on HTTP, it's no longer secure from my ISP/Phorm etc.

    Cable Forum are in effect asking me to enter details in an insecure way (before I can post), which would enable my ISP/Phorm to see such details & therefore it is possible for phorm or my ISP to Post using my details & also have access to another of my E-mail addresses!

  6. Pasanonic:
    Apr 17, 2008 at 12:50 PM

    With regard to posts 16 & 18.

    What a rather obscure, off-topic and moot point you make here. What does it matter that cableforum do not use https for their signup page and login pages? Are you so naive as to input personal data on one of these pages?

    Beyond your IP there is no need to place any personally identifiable data on any such page. You need a nickname, a password that you can remember or write on your forehead and an email address that you can get access to for the purpose of returning a confirmation mail and there are hundreds of places offering web based mail services that you could use for such a purpose.
    By all means don't join the debate at cableforum but do so on the grounds that you might find it difficult to comprehend rather than some ill-perceived security issue.

  7. DPA:
    Apr 08, 2008 at 08:57 AM

    Why the DP Act is so important in this:-

    A limited company is using BT Business line, so is not Wiretapped by this System until:-

    ***"The Business contains customers Personal Details which need to be protected under the DP Act!"****

    The User is at Home & is using a BT Retail line , which BT at the moment are wiretapping (Without most users being properly informed of the danger!). The user then quite legitimately connects to the Password Protected Business Server & Updates some of this Personal Data!

    "THE WIRETAP HAS COMPROMISED THIS DATA & MAYBE THE ENTIRE SERVER!"

    This is at that time an illegal wiretap both under the current Privacy Laws & the "Data Protection Act"

  8. Dynamo_ace:
    Apr 08, 2008 at 11:23 AM

    Indeed, but it's just I don't trust The Register after they flamed CC over the handling of the Non commercial clause (although that is somewhat controversial in itself). Though it does seem The Register wants to reform these days.

    Just my opinion of The Register, I do appreciate them taking our side on this matter but it's just past problems I have with them.

  9. David M:
    Apr 10, 2008 at 04:55 PM

    reference URL(s) please...

  10. Alert:
    Apr 10, 2008 at 08:55 AM

    Phorm are “NOW” attempting to use/divert the Cookie responses on the Safari Web Browser!

    I at present do not know how successful this is!

  11. David M:
    Apr 13, 2008 at 08:36 AM

    Interesting comments from Simon Davies,MD, 80/20 Thinking Ltd
    on the Cable Forum http://www.cableforum.co.uk/board/12/33631213-phorm-public-meeting-official-thread-page-2.html thread

    perhaps you have a comment or two of your own....

  12. Rob:
    Apr 16, 2008 at 12:43 AM

    And equally this website is not https. So we of Cable Forum fail to see the point you are trying to make.

    However there is a contact form the cable forum site, so perhaps that question is better raised there.

    But that is all rather Off Topic for this site surely ?

  13. Dynamo_ace:
    Apr 10, 2008 at 10:09 PM

    David M:

    http://en.wikipedia.org/wiki/Talk:The_Register#Tabloid_Journalism

    Discussion on its credibility as a Tabloidic site. And also I feel uncomfortable with them after the spats with CC and Wikipedia.

    Maybe it is the tech equivalent of Private Eye?

  14. Webwise Blog » Blog Archive » Critic from FIPR Supports Key Phorm Claim:
    Apr 06, 2008 at 03:31 PM

    [...] Becky also made the following observation on the new ICO statement yesterday on her blog: http://www.openrightsgroup.org/2008/04/04/phorm-analysis-out/ “The Information Commissioner has released an updated statement on Phorm. From the looks of [...]

  15. Alert:
    Apr 10, 2008 at 09:35 PM

    I have no direct evidence however, I am a BT Retail Customer.

    I have been experiencing a severe latency problem from one of the sites I visit for a Couple of weeks on "HTTP!!!", which has been causing the Web Page to time out.
    (The Server is probably reacting to an "attempted forged cookie")

    I have not been experiencing the same problem either through a VPN Service or the same page which is being Served through HTTPS!

    Until this morning, the Windows Safari Web browser was "not" having trouble connecting to this site, however the Safari Web Browser is now also experiencing the same effect when using HTTP port 80. (still as before connects via HTTPS or VPN).

    Although I cannot prove this is anything to do with the BT Phorm network, given the current situation it is a candidate for investigation, hence my Earlier warning!

    I would rather not wait this time given the illegal tests in 2006-2007, to warn others of the possible change.

  16. Message:
    Apr 14, 2008 at 09:22 PM

    Message to cableforum.co.uk

    Since your Sign On Page is http & not https & I am a BT Customer, it would not be in keeping with my Security to Enter either a Sign in Name, PASSWORD or E-mail Address on your Site!

    I am sure other potential posters, who may have useful information have also declined to join in your discussions for this very reason!

  17. Outrageous:
    Apr 05, 2008 at 06:15 PM

    inmate@parkhurstprison.co.uk

    Potential Outcome of essentially making 307 illicit redirects "Legal"

    Independent Web Site Owners or Organisations who don't like the present setup????

    "Now which SCAM Site do we want to 307 redirect BT Board Members through this Week?"

  18. Dynamo_ace:
    Apr 05, 2008 at 04:01 PM

    It seems very much that BT has been rumbled, with the icing on the cake being its usage for some time and that Virgin media and Talk Talk have just got on the bandwagon. In the wrong hands Phorm could be used for nefarious purpose by some who want to ruin the country. But I don't see any real good use for it either.

    I have also noticed that Talk Talk wants to stand by the people against the "anti-pirates" coup attempts (I.e Censorship), yet they also use Phorm. It feels a bit like a PR attempt by Talk Talk. But as they say, the enemy of my enemy is my friend.

    Also, Talk talk's a non-ISPA member, so that means this is the first non-union ISP to take a stand against the "anti-pirates".

  19. Phorm Blog » Blog Archive » Critic from FIPR Supports Key Phorm Claim:
    Apr 06, 2008 at 03:26 PM

    [...] Becky also made the following observation on the new ICO statement yesterday on her blog: http://www.openrightsgroup.org/2008/04/04/phorm-analysis-out/ “By coincidence, the Information Commissioner has released an updated statement on Phorm. From [...]

  20. Brad Wright:
    Apr 06, 2008 at 02:06 PM

    I am worried that Phorm is actually a front organization for a powerful group of men who hope to rule the planet by learning which porn sites you visit and then blackmailing you into total submission. I have reason to believe that BT, Talk Talk and Virgin have been infiltrated by members of this world order, who are right now planting hidden cameras in your home so that they can know exactly how many beers a day you consume. With this vastly critical information in its databases, armies will fall, governments will collapse and the UK will be placed in ruin. I'm so glad that a few brave souls, such as Dynamo_ace, are alerting us to this dastardly threat. Well done. Well done.



This thread has been closed from taking new comments.