April 09, 2008 | Becky Hogge

Phorm: public meeting announced for next Tuesday

Last month, we announced that Phorm, the company whose technology delivers targeted ads based on where you visit on the web, were planning to hold a public meeting to face their critics. Details of the meeting have now been announced.

When: Tuesday, 15 April, 18:30 - 20:30
Where: The Lecture Theatre, Brunei Gallery, School of Oriental & African Studies, London

The meeting is being hosted by 80/20 Thinking Ltd, and you can read more details about it on their website. Although the meeting is free for all to attend, 80/20 Thinking are asking that you send them an email to info@8020thinking.com to let them know you're coming along. From the 80/20 Thinking website:

80/20 Thinking, with the full cooperation of Phorm, has decided to organise a public meeting as part of the PIA (privacy impact assessment) process. We intend to use feedback from this event to inform the PIA. A final version of the PIA will be published by the end of April 2008.

Attendees are encouraged to read the technical analysis produced by Richard Clayton [pdf] in advance of the meeting.

The Information Commissioner's Office have today released a further statement on Phorm, making clear their belief that any systems using Phorm (such as BT's Webwise) need to seek the consent of their customers on an opt-in (and not an opt-out) basis.

I'll be going to the public meeting next Tuesday, so if you'd like to ask a question, but you can't make it yourself, please leave it in the comments.



Comments (19)

  1. A Very Worried Messenger:
    Apr 19, 2008 at 08:03 PM

    It looks like the ubiquitous Phorm redirects can be prevented from calling the webwise system by blocking the proper sites using IPsec rules; I am not sure if some firewalls run at a low enough system level to achieve this.

    Using the Hosts File to block these sites is problematic as the True IP address can be used to redirect the Web Application instead of the URL address.

    This does not however prevent the packet sniffing that the Phorm system is doing! (I consider this totally illegal without the consent of both parties, or for proper legal or operational reasons.)

  2. A Very Worried Messenger:
    Apr 17, 2008 at 09:40 PM

    The Spotlight needs to be turned on to this Company as well, which appears to be quietly sneaking under the radar whilst the fuss is going on about Phorm!

    This also appears to imply direct packet examination at the ISP level, which under current UK law is illegal monitoring without the direct permission of both parties in the communication!

    Please note they also state the US version is opt-out, NOT opt-in (not that this makes any difference: both are illegal under current UK legislation without the consent of both parties in the communication!)

    http://www.nebuad.com/privacy/uk_servicesPrivacy.php

  3. Hugh Paterson:
    Apr 17, 2008 at 11:51 AM

    Were the questions from here answered during the meeting or was there a commitment to answer them? I hope to see them answered soon. Thanks

  4. The Open Rights Group : Blog Archive » FIPR calls on Home Office to withdraw misleading advice on Phorm:
    Apr 23, 2008 at 03:17 PM

    [...] the system is lawful, creating “an obstacle to the just enforcement of the law”. At the public meeting attended by Phorm and their critics last week, Simon Davies of 80/20 Thinking Ltd identified the legality of Phorm under RIPA as a legitimate [...]

  5. A Very Worried Messenger:
    Apr 16, 2008 at 12:55 PM

    In the light of Recent developments BT need to be asked a VERY DIRECT QUESTION!

    What is your description of a BT Broadband customer, and what information have you released to Phorm about BT customer accounts? Does it include all users connected to your broadband network, whether or not they are a direct BT Broadband customer?

    This potentially affects Sky, Orange, etc. customers who are connected to the BT broadband network.

    Remember that BT is also the Telephone Company & therefore has control of the Master Router/MAC, which can also potentially be viewed by BT as part of their ISP Network!

  6. Alert:
    Apr 10, 2008 at 08:51 AM

    Phorm are "NOW" attempting to use/divert the Cookie responses on the Safari Web Browser!

    I at present do not know how successful this is!

  7. Alexander Shannon:
    Apr 13, 2008 at 03:57 PM

    Have Phorm considered what complications their actions could cause for visually impaired computer users, in terms of how Phorm software will interact with the access software that visually impaired people use to access websites and read text?

  8. Hugh Paterson:
    Apr 14, 2008 at 10:56 AM

    http://www.dephormation.org.uk/ is a site presenting tools to prevent, evade, or detect your profiling. In view of the fact that use of such tools constitutes a clear refusal to consent, will you commit to not attempting to work around these tools?

    It appears that a website can easily read your cuckoo in their domain by making the web page call for an image by a non-standard port. In view of this, any site or group of sites can easily and conveniently track all webwise-encumbered surfers. Please explain how this enhances their privacy. A website has a right to any cookies (including cuckoos) in their domain.

    A surfer can block access to webwise.net. Will this break her browsing? Do you plan to prevent this legitimate reaction to your intrusion?

    Do you plan to attach a “profile” mark to the user agent string (or elsewhere) of browsers you are profiling, as a courtesy to the websites, and to permit them to exercise their informed consent?

  9. Alert:
    Apr 15, 2008 at 05:10 PM

    The following information may explain the problem I highlighted above:
    If the IP address is dynamic, as in the case of BT or Virgin Media, when the user switches on/off regularly the user may easily get a blacklisted IP address or vice versa, and the surfing of http addresses may become problematic and/or erratic!

    "AND THIS SUBMISSION ON FIRST ATTEMPT WAS BLOCKED BY MY ROUTER FIREWALL BECAUSE AN ATTEMPT WAS MADE TO RE-ROUTE IT THROUGH A """PHORM""" ADDRESS!!!!!"


    27. If the user has disabled cookies for CNN (viz: they don’t record their values and don’t supply them with further requests), then there is potential for an infinite loop – repeating all the 307 responses forever. The Layer 7 switch recognises this situation and records that future traffic (at least for a while) from the particular IP address to the particular (CNN) domain is not to be redirected.

    28. If the user has set a cookie within the webwise.net domain indicating that they do not wish to be tracked, then this preference is passed to the Layer 7 switch during the process in paragraph 16 above. The details on how this is done were not explained by Phorm... but it is presumably related to the mechanism described in the previous paragraph.

    29. If the user does not accept any cookies in the webwise.net domain then they will always be allocated a new identifier for every website they visit. This situation is detected by the Layer 7 switch and the IP address is “blacklisted” and future traffic is not redirected.

    30. Note that the blacklisting of IP addresses by the Layer 7 switch (as described in the three previous paragraphs), whether general, or for particular domains, will apply to all of the users who are sharing a particular IP address, not just users with a particular UID.
    However, because the “blacklisting” will time out eventually, the exact behaviour will depend upon the mixture of requests made by different users who have different browser settings.

  10. Robert M Jones:
    Apr 12, 2008 at 08:12 PM

    The link for the ICO site is returning a runtime error - maybe it's crashed under the pressure?
    http://www.ico.gov.uk/Home/about_us/news_and_views/current_topics/phorm_webwise_and_oie.aspx

  11. Stephen:
    Apr 12, 2008 at 10:54 PM

    I would ask why they think people will not want Phorm?

    Are the following coincidences... and do they add up to the Phinish of phorm? (please say that they do!!)

    - that Phorm is a re-incarnation of a spyware/adware/rootkit/source of blacklisted software

    - that The Guardian has terminated their relationship with Phorm on ethical grounds

    - that BT ran 'illegal' trials of this without telling customers

    - that BT denied/lied about trials to customers who noticed the activity

    - that Phorm tried to get away with taking content out of Wikipedia (overzealous or not), i.e. about the BT 'illegal' interceptions and about The Guardian dropping them

    - that Phorm CEO lied or mistakenly claimed that Privacy International supported what Phorm was doing when actually it was only one person who works for PI that said there were some good things about what Phorm was doing

    - that BT's chap in charge of security and governance is also an advisor to 80/20 Thinking

    - that BT are telling customers that a Privacy Impact Report 'has been done' when actually it has not because the report says it is 'first stage (interim)' but BT do not tell their customers this

    - that Talk Talk quickly announced they would implement this Phorm system as an Opt In system

    - that Virgin Media are very quiet on the subject

    - that the question asked by the Earl of Northesk (House of Lords) to the DfBERR is still awaiting an answer which was due on March 31st (what could be taking so long?)

    - that ISPs are telling customers they will change their terms and conditions and that it is not a material change - well, a number of their customers are telling them that they might very well decide that it is

    - that the Phorm Inc share price has taken a big dive

    - that BT insisted there would be an opt out option using cookies, but they gave in and later said they were working on another solution, then they have had to give in to pressure and make it opt in instead because the ICO has said so

    - that the petition to the Prime Minister is now the 9th most popular petition and yet Phorm's team thinks it's a vocal minority who have stirred this up (wrong again Phorm)

    - that nobody has ever had the brass-necked arrogance to tinker around with interception at layer 7 before and people don't want Phorm or anybody else to do this

    - that the ICO issued a statement and had to re-issue it with a stronger update due to public pressure

    - that ISPs are telling customers that Phorm is about increasing internet security first, and only after that about relevance of advertising and they don't mention Phorm's past

    - that BT has closed a forum thread dedicated to the issue of Phorm, deleted some posts which did not need deleting and after a good start where they answered customer questions have stopped doing so

    - that individuals are working hard to find ways of beating Phorm at the client and server side but that due to the physical intrusiveness of their system proposal it must simply be stopped

    - that webmasters and legal experts believe that the interception of data is illegal even if the ISP customer has given informed consent because the webmaster of the served page content has not given consent

    - that Phorm engaged with several PR teams to blog and comment in forums to push back against the tide of opinion against their proposals, that these teams used names suggesting that they were technical experts from Phorm but in fact they were only PR agents who were not good enough to deal with the onslaught they came up against as the public became aware of the nature of Phorm (the company and their business plans)

    - that the Phorm company and ISPs set great store by the fact that Ernst & Young reported on the Phorm proposals but that this is flawed because the legal requirements and guidance used was US and not UK based, and further, that the report itself does state that (paraphrased): fraud may occur and E&Y might not have spotted that and cannot guarantee against it in the future.

    - that Sir Tim BL and Dr Clayton say Phorm is wrong

    Sorry, I know there is nothing new in any of the above but I wish I could be there in London on Tuesday. They need to be told exactly how evil we all see their proposal to be - apart from the fact that it is (or bl00dy well should be) ILLEGAL.

    STOP. NO. DO NOT WANT PHORM.

    PHECK OFF!!

  12. Terms & Conditions:
    Apr 11, 2008 at 08:35 AM

    I think I am stating the obvious, which has been "conveniently" overlooked by BT Phorm & Others.

    I very much doubt that any amendment to the T.O.C or an Opt-in System could ever be Termed legal!

    As this would involve the "Account Holder" (& users at the same location), the Account Holder would then have been coerced into an illegal act, or aiding & abetting an illegal act!

    Under all these current Laws

    1/ Wire-tapping of Communications designed for end to end personal communications (M.I.T.M attack).
    2/ The D.P.A because sensitive data will inevitably be diverted through this system, which could either be emanating from the Server or the Client Side.
    3/ The Current Privacy Laws of the Country the Account Holder resides in.

  13. Phil Ransome:
    Apr 14, 2008 at 01:13 PM

    Where does the routing of packets take place? If we do not opt in (or we opt out) does that mean the ISP will send our packets down the clean route to their destination? Alternatively will the ISP still route everything to Phorm and the opt out will just mean the ads don't get delivered back to our browsers. If the latter then what use is any opt out?

  14. Robert M Jones:
    Apr 12, 2008 at 07:33 PM

    Questions for Phorm meeting
    1 - can I as a webmaster use robots.txt to specifically exclude Webwise/Phorm from spying on a data transfer between my site user and myself without my informed consent? A webmaster can selectively exclude search engines - can he selectively exclude Webwise/Phorm?

    2 - Can a Webmaster put a user-agent statement in robots.txt to ban Webwise/Phorm? How?

    3 - Will Webwise visits to a website be visible in website access logs? How, and in what form?

    4 - will there be specific (blockable) IP addresses used by Webwise/Phorm that can be blocked for example, via an .htaccess allow/deny statement without affecting ordinary visitors?

    5 - will it be possible for a Webmaster to block Webwise/Phorm traffic and trigger an error page that specifically advises website visitors why they are being blocked - because they are using Webwise?

    Some more questions arising out of the latest report from the Open Rights Group, about their visit to Phorm's HQ in connection with Webwise.
    http://www.openrightsgroup.org/2008/03/28/org-and-fipr-meet-with-phorm/

    or in tiny url form http://tinyurl.com/2vgho5
    Some relevant snippets:

    6 - Do you agree with the latest FIPR position on Webwise/Phorm?

    7 - Do BT still feel confident in the legality of this Webwise scheme (including the Opt-OUT plan)?

    8 - Do you agree that BT, Virgin and TalkTalk are proposing to apply the Phorm system to a layer of the web stack that has previously been free of any such tracking and targeting activity?

    9 - Do you propose to obtain Webmaster consent before monitoring the unique personal private data exchange between the site and its visitors?

    10 - If a full Privacy Impact Assessment has not yet been completed and published, do BT feel they have carried out due diligence?

    11 - Does Phorm software (as installed on the Webwise equipment in BT premises) have the capability of injecting JavaScript?

    12 - Will Webwise when implemented by BT, both in the trial, and if and when it finally goes live across the network, ever be used to actually inject/insert anything other than a unique identifier cookie onto my computer?

    13 - Are there clear finalised plans for the Phorm software source code (ALL of it) that is to be inserted into Webwise hardware on BT's network to be independently audited/inspected, and by whom? And how often?

    14 - Do BT trust Phorm given that they have a record in the lower echelons of the adware business?

    15 - Is a report from a US auditor with a dubious record of associations, and which does not report on the EU/UK privacy legislative framework, nor on the specifics of the UK implementation of Webwise of any value at all?

    16 - Is BT confused in its various public statements, between 80/20 and PI and Ernst and Young?

    17 - Will Webwise examine password-protected areas of websites?

    18 - Will Webwise ignore websites which bear a clear Legal Notice on their index page informing visitors of their objection to Webwise/Phorm intrusion?

    19 - Is BT happy to be less privacy friendly than Carphone Warehouse, who have indicated that they will have an opt-IN policy for Phorm?

    20 - If Webwise/Phorm ignores https requests, how can it protect me against a phishing site that does use https access? (the "best" phishing sites aimed at bank customers for example) ?

    21 - How many exchanges and customers were involved in the "small scale technical test last summer" (BT executive quote) of the Phorm/Webwise technology?

    22 - How do BT propose to establish MY informed consent to Webwise (not the consent of my family members, or children using the computer, or the first person to use a browser after Webwise goes live but MY consent as the account holder and contract holder, and admin of the computer). (As required by PI ) - ditto for the Webwise trial - will you ask ME or just anyone in my family who uses one of their sub accounts to login?

    23 - Can customers of BT trust Phorm and their executives?

    24 - How long is any/all user data stored by Webwise/Phorm software on your Webwise/Phorm servers?

    25 - Is BT happy to be less privacy friendly than Carphone Warehouse, who have indicated that they will have an opt-IN policy for Phorm?
    Many thanks.

  15. Concerned:
    Apr 10, 2008 at 10:42 PM

    Nice how the buck has passed to the Home Office who don't seem to be commenting on the RIPA breach.
    Bottom line (like Mr Clayton) - the traffic must be inspected at layer 7 (i.e. content interception) to establish whether to treat it specially or not. The rest is just icing and PR.
    This needs to be opt-in client software and should never be done by the ISP whose job stops at layer 3 (network delivery).

  16. Alert:
    Apr 15, 2008 at 02:13 PM

    Just had to deal with a problem concerning a Virgin Media customer.

    The customer could no longer connect to several http sites as of this morning. Having noticed similar symptoms on BT, indicating Phorm activity, I was able to advise the customer on how to re-establish connections to these sites.

    This however was not an ideal mitigation, it involved altering certain Firewall settings!

  17. Phorm Blog » Blog Archive » Phorm Town Hall event April 15, Central London:
    Apr 10, 2008 at 07:44 PM

    [...] details are below and can also be found on the 80/20 Thinking and Open Rights Group Site. Similar information has been posted on the Foundation for Information Policy Research (FIPR) and [...]

  18. Alert:
    Apr 15, 2008 at 05:07 PM

    The following information may explain the problem I highlighted above:
    If the IP address is dynamic, as in the case of BT or Virgin Media, when the user switches on/off regularly the user may easily get a blacklisted IP address or vice versa, and the surfing of http addresses may become problematic and/or erratic!


    27. If the user has disabled cookies for CNN (viz: they don’t record their values and don’t supply them with further requests), then there is potential for an infinite loop – repeating all the 307 responses forever. The Layer 7 switch recognises this situation and records that future traffic (at least for a while) from the particular IP address to the particular (CNN) domain is not to be redirected.

    28. If the user has set a cookie within the webwise.net domain indicating that they do not wish to be tracked, then this preference is passed to the Layer 7 switch during the process in paragraph 16 above. The details on how this is done were not explained by Phorm... but it is presumably related to the mechanism described in the previous paragraph.

    29. If the user does not accept any cookies in the webwise.net domain then they will always be allocated a new identifier for every website they visit. This situation is detected by the Layer 7 switch and the IP address is “blacklisted” and future traffic is not redirected.

    30. Note that the blacklisting of IP addresses by the Layer 7 switch (as described in the three previous paragraphs), whether general, or for particular domains, will apply to all of the users who are sharing a particular IP address, not just users with a particular UID.
    However, because the “blacklisting” will time out eventually, the exact behaviour will depend upon the mixture of requests made by different users who have different browser settings.
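The four numbered paragraphs quoted in this comment (and identically in comment 9 above) come from Richard Clayton's technical analysis and describe how the Layer 7 switch escapes the redirect loop a cookie-refusing browser causes, how the opt-out cookie is honoured, and how the resulting per-IP blacklist spills over onto everyone sharing an address. The Python model below is an added example written for this page; it is not code from Phorm, BT, Clayton or the Open Rights Group. The cookie names (`uid`, `webwise_uid`, `opt_out`), the loop and fresh-UID thresholds, the blacklist TTL and the two browsers behind one NAT address are all assumptions made for the example; the quoted text gives none of those values.

```python
import itertools
from dataclasses import dataclass, field

WEBWISE = "webwise.net"
UID_COOKIE = "uid"             # assumed name of the identifier cookie in the webwise.net domain
CUCKOO_COOKIE = "webwise_uid"  # assumed name of the copy forged into each visited site's domain
OPT_OUT_COOKIE = "opt_out"     # assumed name; the text only says "a cookie ... indicating that they do not wish to be tracked"
LOOP_LIMIT = 3                 # assumed: redirect round trips to one domain before the switch gives up (para 27)
FRESH_UID_LIMIT = 3            # assumed: distinct sites that each needed a brand-new UID before the IP is blacklisted (para 29)
BLACKLIST_TTL = 300.0          # assumed: seconds before a blacklist entry "times out eventually" (para 30)


@dataclass
class Browser:
    """One user behind an IP address. The cookie jar is keyed by domain."""
    accept_site_cookies: bool = True       # False models "disabled cookies for CNN" (para 27)
    accept_webwise_cookies: bool = True    # False models "does not accept any cookies in webwise.net" (para 29)
    opted_out: bool = False                # True models the opt-out cookie already being set (para 28)
    jar: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.opted_out:
            self.jar.setdefault(WEBWISE, {})[OPT_OUT_COOKIE] = "1"

    def set_cookie(self, domain, name, value):
        accept = self.accept_webwise_cookies if domain == WEBWISE else self.accept_site_cookies
        if accept:
            self.jar.setdefault(domain, {})[name] = value

    def cookies(self, domain):
        return dict(self.jar.get(domain, {}))


@dataclass
class Outcome:
    redirects: int   # 307 responses the switch issued while serving this page fetch
    profiled: bool   # whether the request finally went through with a cuckoo cookie attached
    reason: str


class Layer7Switch:
    def __init__(self):
        self._uids = itertools.count(1)
        self.domain_block = {}      # (ip, domain) -> expiry time
        self.ip_block = {}          # ip -> expiry time
        self.fresh_uid_sites = {}   # ip -> domains for which a brand-new UID had to be minted

    @staticmethod
    def _live(table, key, now):
        """True if `key` is blacklisted at time `now`; expired entries are dropped."""
        expiry = table.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del table[key]
            return False
        return True

    def fetch(self, ip, browser, domain, now):
        """Play out one page fetch from `browser` (at `ip`) to `domain` through the switch."""
        if self._live(self.ip_block, ip, now):
            return Outcome(0, False, "ip blacklisted, forwarded untouched (para 29/30)")
        if self._live(self.domain_block, (ip, domain), now):
            return Outcome(0, False, "ip+domain blacklisted, forwarded untouched (para 27/28/30)")

        redirects = rounds = 0
        while CUCKOO_COOKIE not in browser.cookies(domain):
            if rounds >= LOOP_LIMIT:                       # para 27: the 307s would otherwise repeat forever
                self.domain_block[(ip, domain)] = now + BLACKLIST_TTL
                return Outcome(redirects, False, "redirect loop, ip+domain blacklisted (para 27)")
            rounds += 1
            redirects += 1                                 # 307 number one: off to webwise.net
            webwise_jar = browser.cookies(WEBWISE)
            if OPT_OUT_COOKIE in webwise_jar:              # para 28: preference reaches the switch
                self.domain_block[(ip, domain)] = now + BLACKLIST_TTL
                return Outcome(redirects, False, "opt-out cookie honoured via ip+domain blacklist (para 28)")
            uid = webwise_jar.get(UID_COOKIE)
            if uid is None:
                uid = "uid%d" % next(self._uids)
                browser.set_cookie(WEBWISE, UID_COOKIE, uid)
                seen = self.fresh_uid_sites.setdefault(ip, set())
                seen.add(domain)
                if len(seen) >= FRESH_UID_LIMIT:           # para 29: a new UID for every site visited
                    self.ip_block[ip] = now + BLACKLIST_TTL
                    return Outcome(redirects, False, "new UID for every site, ip blacklisted (para 29)")
            redirects += 1                                 # 307 number two: back to the site, forging the cuckoo cookie
            browser.set_cookie(domain, CUCKOO_COOKIE, uid)
        return Outcome(redirects, True, "cuckoo cookie present, request forwarded to the profiler")


def shared_ip_demo():
    """Constructed scenario for paragraph 30: two browsers behind one NAT address."""
    switch = Layer7Switch()
    ip = "198.51.100.7"                                   # constructed, RFC 5737 documentation range
    refuser = Browser(accept_site_cookies=False)
    normal = Browser()
    first = switch.fetch(ip, refuser, "cnn.com", now=0.0)                 # trips the per-domain blacklist
    second = switch.fetch(ip, normal, "cnn.com", now=1.0)                 # collateral: not profiled either
    later = switch.fetch(ip, normal, "cnn.com", now=1.0 + BLACKLIST_TTL)  # entry has timed out
    return first, second, later


if __name__ == "__main__":
    for label, outcome in zip(("refuser", "normal", "normal later"), shared_ip_demo()):
        print("%-13s redirects=%d profiled=%s  %s" % (label, outcome.redirects, outcome.profiled, outcome.reason))
```

Running it shows the three behaviours paragraphs 27 and 30 describe: the cookie-refusing browser is bounced through six 307s before the switch gives up on that domain, the normal browser on the same address is then passed through with no redirect and no profiling, and once the entry times out the normal browser is redirected and profiled after all. A `Browser(opted_out=True)` exercises paragraph 28 and a `Browser(accept_webwise_cookies=False)` visiting several sites exercises paragraph 29; in both cases the blacklist is keyed by address, so it catches every other user behind that address too.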



This thread has been closed from taking new comments.