Phorm launches data pimping fight back

A week is a long time in internets. Last Friday we all felt like we were shouting at the bins about Phorm and its deals with BT, Virgin Media, and Carphone Warehouse. Now, you can't move for stories about data pimping and the massive change in people's relationship with their ISP Phorm represents, not to mention the new legal …

COMMENTS


  1. Anonymous Coward
    Paris Hilton

    @Phorm Tech Team

    "When you opt out - or switch the system off - it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm - the Profiler is owned by the ISP, which performs the opt out check. We should be clear: the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be ads from the Phorm service and they will not be relevant to your browsing."

    Yes, but does that mean that my ISP is still scraping EVERY damned webpage I visit? How can I opt out of that? That is the BIG question which you KEEP IGNORING. Can your so-called profilers cope with the huge load that you know will be thrown at them if this goes live and people decide that they HATE it and intend to push so much crap through the profilers that they are generating useless information? If those profilers go down then what happens to my browsing experience (in terms of speed)?

    I object to someone with NO legal authority snooping at my surfing habits, or do you think it's OK for the Royal Mail to open all my post, or my phone company to listen to all my calls?

    Paris because frankly she talks more sense than phorm.

  2. Man Outraged
    Paris Hilton

    OMG can this be true? Please read this post:

    http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?548

    This suddenly shifted my attention from protecting my privacy to getting the service I paid for. I do not pay top whack for BT broadband in order to get a second-rate redirection service.

    Also made me think, the ISPs are pressing ahead with this despite risking losing customers. But the informed customers they risk losing are perhaps the 5% of bandwidth hogs (20% of users consume 80% of the system resources) and so they're happy to let them move on! Note 20/80 and think: surely not!!!

    @tech idiot re:Shifting Sands

    Brilliant points well made. The focus shouldn't just be on who "owns" or "controls" the equipment but the net effect, and maybe who writes the software and who validates it.

  3. youvegot tobejoking
    Stop

    What are they hoping for?

    I don't see many ads; if I could fix it so that I saw NO ads I would do it immediately. I turn on ads on some sites to support the website owners, I don't click the ads and almost never even look at them. I don't want my browsing/emails/whatever else picked over like carrion in any way at all; if they offered me 10p for every webpage I visited to allow them to parse my data I still wouldn't go for it.

    Saying that I can get a cookie put on my computer that will stop your servers parsing my webpages DOES NOT make it alright. I don't trust my ISP (VM), why the hell should I trust some company that is piggybacking on my ISP and trying to make money off what I do online?

    This 'service' they offer of protecting me from the nasty websites of the world could have been implemented by simply changing the users' DNS server IPs to OpenDNS (and in fact I use them already, but mainly because VM's DNS servers appear to be powered by terminally ill hamsters)...

    So, to recap: an untrusted company gets to see every website I visited. If I opt out, I have to take their word for it that they won't look. Fuck that.

    I am stuck with VM for another 3 months, when(if?) they do go ahead with this crap I will be moving back to Zen.

    Finally; what are they hoping for? Enough people not caring about the issue enough to complain / turn it off / move away to another ISP? I do hope that the media handles this the right way (i.e. lets people know that some unknown American company that had some shady software in its past is looking at everything you do online unless you tell them not to .... and even if you do it's a toss of a coin if they respect your wishes or if the cookie lasts) and not buy in to the happy clappy "oh the internet will be a glorious place with gorgeous ads and no nasty internet hooligans"....

  4. Anonymous Coward
    Anonymous Coward

    @phorm tech team

    Let's suppose for a second I stay with my ISP after they implement your system, and I opt out of the phorm/webwise system... I browse a webpage [say the guardian website] and I'm not subject to targeted ads. Your post here at 22:13 08/03 suggests I will get more adverts than someone who is happy to opt-in.

    How does the website in question know that the banner ads it is showing me are not targeted by your system, and hence likely to be earning it a lower revenue, and therefore know to display more adverts to offset this?

    I ask this as a web browser, and as the webmaster of a small website.... so please bear in mind that your answers will cut both ways!!

    I suspect that you are simply a lying cnut twisting facts to suit the phorm agenda. The only thing you can do to convince me otherwise is to admit that your previous posting that I am referring to is mistaken, and to post a correction.

  5. Alex

    the internet "personalised"

    "Right now people often feel they have to make a trade off between getting a personalised service on the one hand and giving up personal data on the other. We've created something that resolves that tension."

    what?!?! I have never in my life heard a single person state "if only the internet was more personalised."

    what a load of nonsense!

    "Our system gives you advertising that’s relevant to your interests without storing details on your browsing behaviour."

    a profile is a record of personal activity/information/interests otherwise it would just be an irrelevant subset?

    you can stay well away from my interests, DO NOT WANT.

  6. Graham Wood
    Coat

    @Phorm Tech Team

    So there is no way to prevent the data hitting the "profilers"?

    Can you please explain your specific statements to the BBC that this WAS possible?

    Secondly - if you don't interfere with the data stream, how is the webwise cookie added?

    Thirdly - given that everything is processed within the ISP (as you keep saying) - what /is/ passed to "phorm"? Surely nothing leaves the ISP whether you are opted in or opted out?

    Actually - forget all that - you'll spout another load of bullshit to try and wriggle out of admitting that this is one hell of a massive invasion of privacy and security risk. You are either lying, or don't know what you are talking about - and either is enough reason for me to avoid ever dealing with your company, directly or indirectly.

  7. Badg3r
    Thumb Down

    Weasels

    So basically this was a propaganda exercise. No different from before; they are trying to spin it, the weasels.

  8. SilverWave
    Black Helicopters

    Plan 'B' "Secure VPN Connection" - Any recommendations?

    Most of the companies offering Secure VPN look worse than Phorm (if that's possible).

    http://www.strongvpn.com - looks legit, anyone used them?

  9. colin stone
    Stop

    Phorm Tech Team

    This story has grown over the weekend, with sites like badphorm, and cableforum melting with anger.

    On every site from the BBC, the Newspaper sites, this forum, and many others we see the handle PhormTechTeam spinning the lie that phorm is a good thing.

    The thing is even Phorm Tech Team is a lie. They are the PR company Citigate Dewe Rogerson (CDR).

    see

    http://www.citigatedr.co.uk/public_policy.html for more information. But this section I found interesting:

    "a specialist public policy division to help its clients understand and negotiate the political, parliamentary and regulatory issues which routinely affect their business and reputation. The division works with clients to minimise immediate and longer term threats to their organisational or business success and the maximisation of their shareholder value."

    So Tech Team is all about shareholder value rather than the truth.

    Could the good folks at the reg please highlight this fact, as the less tech reader may think TechTeam are what they are not.

    If they can not even tell the truth about the PR, how can anybody believe them about the whole phorm system?

    One interesting thing about their comments: they are just cut and paste, the same chant in each and every forum and topic reply. Yet no technical details have yet been released in order to calm the storm.

  10. Jeff
    Thumb Down

    "Irrelevant advertising"

    This is what slimy ad companies simply do not get. If you do not click through an ad then any future instances of it become progressively more irrelevant. For me, certainly, repetition is more annoying than randomness. There is actually very little diversity of advertising across the internet - and to expect Phorm to never again show you the same ad (especially, if, as this character says, 99% of 'irrelevant' web ads are removed) is a risible idea. So Phorm has, at best, a trivially short term benefit for the consumer.

    Fortunately the article shows this outfit for what it is.

  11. Adrian Wrigley
    Stop

    System stores personal information (within the meaning of the DPA)

    The legal claim that the data stored are not personal is based on the hypothesis that the Data Controller will *never* be able to identify anybody from the cookie. This hypothesis is simply false.

    Most people's computers can be compromised. Most obviously people can access their own cookies and send their details to anybody they feel like. So if Phorm or the ISP offer money or some other inducement to break the "anonymisation", the mapping from cookie to person is trivially determined by the Data Controller.

    Remember, under the DPA, the Data Controller must be *unable* to get (or infer) the association of any cookie with a person (or street address etc), now or in the future (even with some effort or "black hat"/"rubber hose"/"black sack" techniques). Simply being able to buy these mappings from the people in the future makes the data personal data now.

    What's worse is that anybody at the same address could break the anonymity too. Imagine a dorm room or frat house with many people, it just takes one of these people to publish or send the DC the cookie -> person mappings, and the "anonymity" is breached.

    And that's not to mention breaking the anonymity through spyware, or through theft (or sale or other disposal) of the hardware itself. Or for mobile computer users, the cookie could be read out while the user wasn't looking (in the bathroom?).

    So the anonymity claim is demonstrably false and the data are personal data for the ISP and (probably) for Phorm too. Hence the full force of the DPA regulations applies.

    It's pretty clear that the personal data are being processed without the informed consent of the user, so the "opt out" approach is a non-starter under the DPA.

    And the E&Y consultants report seems to be applying US laws and US standards in the analysis. In the UK, the definitions and laws are very different. Why hasn't Phorm published consultants' reports for each jurisdiction they intend to do this? If they plan to start in the UK, we should have a report that covers the technology in relation to our laws.

    Sorry guys. Come back when you have read the DPA (and RIPA).

  12. Anonymous Coward
    Coat

    186 comments before this one...

    ... and no one mentioned that if this scheme is successful it will be a triumph of Phorm over content.

  13. The Other Steve
    Black Helicopters

    SSL proxy naysayer, think again

    Somewhere back up there, someone mentioned something about how difficult it would be to proxy SSL, and how SSL would save us. I can't recall who, and I forgot about it until just now.

    Just so you know, you're way wrong. I've proxied SSL before to watch the traffic between apps on my machine and their 'call home' base during auto-updates, registration, etc.

    You can do it fairly transparently.

    Some links, because I know you won't believe me.

    Some software, for to play with, not what BT would use in a high volume switch, but fun nonetheless, and useful if you're serious about knowing WTF your machine is up to, because it's easier to sniff the wire than follow packet data in a debugger.

    http://www.delegate.org/delegate/mitm/

    Embedded hardware, for to build in to your high volume, low latency, switch. This one is the real deal.

    http://www.intelcommsalliance.com/kshowcase/view/view_item/e196c4babb11fae7163621c24804daf53086f015

    http://www.thefreelibrary.com/Netronome+Introduces+Highest-Performance+Transparent+SSL+Proxy-a0158904664

    "Unlike existing SSL proxies, the SSL Inspector is deployed as a "bump in the wire" and is completely transparent to both end users and intermediate networking elements. It does not require network configuration, IP addressing or topology changes, or modification to client IP interface and web browser configurations."

    So, don't be relying on SSL to keep your data out of the BT/Phorm gestalt's filthy, grasping hands.

    Black helicopter, obviously.

  14. Anonymous Coward
    Thumb Down

    @ Phorm Tech Team

    You guys just don't get it, do you?

    It's a simple question so answer it in plain and clear language:

    "What provision have you made for those who do not want *any* data passed to you?"

    Which means people like me and many others who want no data at all passed from our ISPs to Phorm.

    Cookies fail. They are inadequate. And I'll say again just for you

    "Trust us, we've been ok'd by Ernst & Young" is a very weak appeal. E&Y are an accountancy house, not an independent and respected technical evaluation house. My views on accountancy houses (Arthur Andersen anyone?) aren't very polite or positive, so you'd better get someone more respected in to conduct an assessment.

    Thumbs down because there aren't icons that say "You suck ass!", "Bulls*it Merchant" or "We love Fahrenheit 451"

  15. kosmos
    Jobs Horns

    What is sinister about this is not the advertising component.

    It is the aggregation and capture and processing of every single web site you visit on the web, to build up a targeted ad profile.

    Misusing your private communications and sharing them with a third party application gives that application an unprecedented level of exposure to your personal and private dealings with every web site you connect to.

    That is the issue. It's like a wiretap on your phone that you don't know about, with people listening to everything said and committing a response to what was said.

    Reading your webmail? Then the prospect is there that they can too. Visiting your bank? Well, guess what? Visiting your corporate sharepoint portal? Yup, that too. All this can be captured and stored, filtered, profiled and modified on its return trip to you, and just because an organisation says it isn't does not mean that it can't or won't.

    People are rightly concerned over this because the potential for fraudulent behaviour is unprecedented, and we are disgusted with our ISPs because they seem to think this is a good thing.

    So Gareth, tell me if you think it reasonable for a third party system to have complete unfettered, unrestricted access to your and everyone else's internet connection and all the activities and pages you visit on the web. At least the law enforcement agencies need a warrant for that kind of access; Phorm just need to get in bed with your ISP.

    Still no KE with horns, come on reg you're letting the side down.

  16. tech idiot
    Stop

    Getting the lowdown...Finally!! (and it's not good)

    Just pulled this from the BBC technology interview with Phorm:

    Q: There are inconsistencies appearing. Phorm told The Register that data is still passed to the "Profiler" even if people opt-out, but apparently the "Profiler" is owned by the ISP, which is how they claim no personal data is sent to Phorm, as per the reply to the BBC.

    A: This isn't inconsistent. The Profiler is owned by the ISP. If someone opts out no data is passed from the ISP to Phorm.

    Q: However, I would like to know who provides the software for the "Profiler" and if it's not written by the ISP, how does the ISP check that it does what it's meant to?

    A: Phorm provides the software for the profiles, just like Cisco, for example, provides software for an ISP router. The ISP can see exactly what data is being passed in and out of its systems and has complete control over it.

    -

    The conclusion from this is that the ISP do the profiling not Phorm!!

    Phorm "helps" (ahem!) the ISP set up the profiling servers that strip the data Phorm wants to see, and it's the ISPs' profiling servers that decide whether or not to pass the data to Phorm. In effect, the multitude of well rehearsed answers that Phorm have been giving over the last few days are more or less, factually correct. They just "forgot" to mention that they've dodged the issue by getting the ISPs to do all the controversial stuff. It's always what they don't say that's far more interesting!!

    El Reg needs to move past Phorm and tackle the ISPs. Ask the ISPs the same questions and we might get some uncomfortable staring-at-feet type behaviour.

    Q. Do the ISP servers profile EVERYONE irrespective of opt-in/opt-out?

    Because after all, that's what they'd love to do!

  17. Danny Thompson
    Pirate

    For the benefit of Virgin and Phorm

    I do not care what assurances you offer me. Because of your announced tie-up with Phorm I am going to leave your broadband service and take my business elsewhere. Not for any other reason at all other than your association with Phorm and your very apparent predisposition to start making use of my own personal information in ways that I explicitly do not want you to.

    Opt out? By association you have lost my trust in Virgin Media. On that basis how can I trust you to provide me with a believable Opt Out?

    Question to Virgin. When exactly were you going to tell us? It took independent media to alert us to your underhand doings. Were you ever going to ask us? Yes, it is your business, but as the law currently stands it is our money and we can take it away from you at any time we wish.

    What Virgin Media have effectively done is perform their very own 2008 version of a Gerald Ratner on their business.

    Pirate - because that is what VM are doing with their customers' private data. Shame on you, and may you never be forgiven.

  18. Graham Wood

    @Gareth Jones

    I have no problem with any adverts that get tuned to me, indeed the adverts have been pretty much passed over by most people posting in the thread(s).

    The issue is that my data is now going through an additional monitoring stage, simply to allow some third party with a dodgy history at best to make a profit.

    Even with opt out, all the web pages go through their "profilers" - there is NO way to avoid this from their admissions to the register, although from their conversations with the BBC, you would think otherwise.

  19. Anonymous Coward
    Jobs Horns

    A reply to the alleged 'Tech Team' at Phorm

    "In terms of future safeguards, the key is transparency. We will communicate any changes and our claims will continue to be subject to external scrutiny by formal audit, partner due diligence, customer vigilance and media interest."

    That's a hell of a statement to make, especially in light of BT's response to their customers: "We can't talk about that". That's about as far away from transparent as you can get, trying to dupe customers into an extended contract and failing to disclose the T&C.

    Will you still guarantee that even in the face of an RIPA order? As far as I can see your organisation is about as transparent as a brick wall. And now we discover that you are effectively intercepting layer 7.....

    You aren't winning friends here; given how un-transparently this was revealed to customers you have a lot of work ahead if you want to win trust. Did the people whose data was pimped to you in the trial get the option to opt-out? Were they even told what was going on? Did their ISP communicate what was going on? Did the T&Cs mention anything about it whatsoever? Or did they try to cover it up because it looked like something very wrong was happening on their network and our businesses' interfaces to that network? You sir and your organisation have all the transparent features of a brick wall.

    "But what our research shows is that users worry about security online and prefer to have more relevant advertising."

    Bollocks, users want no advertising; whether that is achievable or even cost-effective is another question. Given the prevalence of anti-spyware and anti-adware (funnily both key revenue streams for your organisation) I'd say that the evidence points to the latter. Those of us who have had to deal with one of your lovely toolbars know exactly how difficult it was to get rid of them once they were on a system.

    Needless to say:-

    88.208.250.66

    88.208.250.85

    88.208.248.102

    *.live-servers.net

    Will be blocked on all ports on my corporate firewall tomorrow. I'll review whether *.fasthosts.net.uk should be as well.

    And while you may claim that you were never in the business of spyware/malware, any system that 1. tracks a user's browsing habits; and 2. allows you to alter the content of any site that individual visits; sounds a whole hell of a lot like spyware/malware to me. Just because you say you don't do it does not mean you can't or won't.

    PS: Still no KE with horns or cat for that matter. Wishing all the guys at phorm a real shitty day.

  20. Legless
    Happy

    Err

    Let me get this straight.

    Phorm makes a copy of each and every website visited?

    *HUGE GRIN*

    Then, the first time a Phorm user visits a paedophile site they're guilty of:

    "taking or making" of an indecent photograph or pseudo-photograph of a child

    It's the catch-all the Police use to make sure that kiddie-fiddlers get done for "making" indecent images of children rather than just viewing them. Just by displaying these images on your screen, you've automagically "made" an image and are therefore guilty of a more serious offence.

    That said, Phorm will be deliberately creating these images and, as such, are open to criminal charges.

    And, as they're not an ISP or a carrier, they don't have that get-out either.

    Cheers

  21. Mark Duncan
    Happy

    If it's not been done already

    I, for one, welcome our spyware overlords.

  22. kosmos

    A correction to an earlier post.

    Well, not exactly a correction, a clarification. The web site is not copied, the pages you view are, and then allegedly deleted after they have been scanned and modified with targeted ad content.

  23. Pierre
    Thumb Down

    @ face-changing Phorm guys

    First, congrats. In all your answers here you "successfully failed" to explain a few things:

    - your system will facilitate trapped-ad targeting.

    - It will provide a new entry door for hackers in the ISPs systems.

    - It menaces privacy. It tramples on the confidence between the ISP and the user by trying to take advantage of it.

    - The alleged "phishing protection" will obviously be inefficient (see one of my previous posts, or, preferably, get clues about phishing) while giving a false impression of safety to non-tech-savvy users: problems waiting to happen.

    - The number of ads won't decrease if advertisers make more money out of them: advertisers will make more money, that's all; no benefit for the user. The only way to decrease the number of ads on the Interwub would be by *decreasing* the money advertisers make out of them (which raises other issues, but anyway your "core argumentation" fails).

    - You don't want to take any liability: the ISP will be "responsible" for your wiretapping hardware, while probably not being able or even allowed to monitor it.

    - your statements, here and on other sites or other supports, are ever-changing and inconsistent (especially about the opt-out system which appears to be opt-out only for the ad-serving "service", not for the wiretapping).

    - By refusing to address these points it seems that you mistake us for a bunch of morons with no clue about how networking and IT works. Alternatively, you could do that naively, which would tend to prove that YOU are a bunch of morons with no clue about networking or IT. Either way, it's not very reassuring, is it?

    - the ISPs concerned seem very reluctant about telling the truth about it too. Actually, it's worse than that: it seems that they don't KNOW the truth either.

    - plus a few "minor" points, such as, but not limited to, where will the info be stored? In the cookie? Storage facility! Gimme money! On your server? Privacy breach! (No one is buying the BS about the requests and content of webpages not being PII. We routinely access services which request name and/or account number as part of the request. Not to mention the served page.) You "imply" that you have no backdoor access to your hardware, and you state that you won't silently change the rules. Still we have to take your word for it...

    As a result,

    - you fail to give a trustworthy image (AC postings say it all).

    - you look slimy.

    - you make us belch (me at least).

    - I vote death more than ever (sorry, can't insert more than just one "thumb down" icon, but be sure I would have)

  24. system

    RE: OMG can this be true?

    Man Outraged: See the email I sent you. I mentioned exactly that sort of method.

    The big problem with doing it that way is that anyone who blocks traffic to or from the oix domain is instantly cut off from all web browsing as they will never see a second redirect to point them back at the original page.

    Another whacking great problem with this, and the claim that they can never tie your IP to an anonymous cookie:

    Browser requests a page from a site with oix ads on it.

    ISP intercepts with a 302 header and points to oix.net/whatever, subdomain.oix.net or similar.

    ISP removes all IP info and sends the request to the profiler along with the oix cookie

    Profiler checks opt out or not, and sets some cookie data.

    Browser redirected to the original page, where it encounters the oix domain in the ad space.

    Browser goes to oix to fetch the ads, supplying the cookie that was set in the ISP stage. This time however, the connection is not intercepted by the ISP and cannot have its IP data removed or it will break the connection on a TCP level.

    oix now has your unique ID and your IP on its Chinese servers, where, by happy coincidence, they can completely ignore the DPA, RIPA and any other UK law.

    If they are not serving ads from a remote machine outside of the ISP, then they must be injecting code into the pages. If they are injecting the code at the ISP level, then phorm has open access to come in and change the ads on the machine in the ISPs building, or their machine which is networked to the profiler has a connection to the internet which is a security issue.

    @phorm's supposed "tech team", let's see if you can break out of your PR role for a moment. Out of all the "experts" you have consulted, how many have a background in IT, and specifically the internet and networking? I don't give a damn if you consulted accountants, privacy activists looking for a payout or government departments; I want to know who you consulted on the technical side other than your hired gang of Russian physicists.
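
The redirect flow the post above walks through, as an added toy simulation (not Phorm's, any ISP's or any ad network's code): the hostnames, cookie names and the 203.0.113.7 client address are constructed placeholders. It models the ISP stripping the source address before the profiler sees the request, then the browser fetching the ad directly from the third-party domain with the same cookie, and returns what each party ends up holding.

```python
"""Toy model of the five-step redirect flow described in the comment above.

Constructed example. Domain names, cookie names and addresses are placeholders
chosen for illustration, not real values from any deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLIENT_IP = "203.0.113.7"        # constructed client address (TEST-NET-3 range)
OIX_HOST = "oix.example"         # placeholder for the third-party ad domain
PUBLISHER_HOST = "news.example"  # placeholder for a site carrying oix ad slots


@dataclass
class Request:
    src_ip: Optional[str]        # None once the ISP has stripped address information
    host: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Profiler:
    """Profiler box hosted inside the ISP network (as the comment describes).
    It only ever receives requests the ISP forwards with the source IP removed."""
    records: List[Tuple[str, Optional[str], bool]] = field(default_factory=list)

    def handle(self, req: Request) -> Dict[str, str]:
        uid = req.cookies.get("uid", "new-uid-0001")   # placeholder id scheme
        opted_out = req.cookies.get("optout") == "1"
        # Opted out or not, the request has already reached the profiler.
        self.records.append((uid, req.src_ip, opted_out))
        return {"uid": uid, "optout": "1" if opted_out else "0"}


@dataclass
class AdServer:
    """Third-party ad server outside the ISP. The browser opens a direct TCP
    connection to it, so it necessarily sees the real source address."""
    records: List[Tuple[Optional[str], Optional[str]]] = field(default_factory=list)

    def serve(self, req: Request) -> str:
        self.records.append((req.cookies.get("uid"), req.src_ip))
        return "<img src='ad.png'>"


def run_flow(client_ip: str, cookies: Dict[str, str], block_oix: bool = False):
    """Walk one page load through the steps in the comment. Returns the
    profiler's records, the ad server's records and whether the page loaded."""
    profiler, adserver = Profiler(), AdServer()
    jar = dict(cookies)

    # 1. Browser requests a publisher page (PUBLISHER_HOST) that carries oix ad slots.
    # 2. ISP answers with a 302 to the oix domain. A client that blocks that
    #    domain never completes the redirect and is never sent back to the page.
    if block_oix:
        return profiler.records, adserver.records, False

    # 3. ISP strips the source address and forwards the request to the profiler.
    stripped = Request(None, OIX_HOST, "/check", dict(jar))
    # 4. Profiler checks opt-out state and sets cookie data.
    jar.update(profiler.handle(stripped))

    # 5. Browser is redirected back to the publisher page, whose ad slot lives on
    #    the oix domain. That fetch is not intercepted, so it carries both the
    #    uid cookie and the real source address.
    ad_req = Request(client_ip, OIX_HOST, "/ad", dict(jar))
    adserver.serve(ad_req)
    return profiler.records, adserver.records, True


def linkage(adserver_records) -> Dict[str, set]:
    """uid -> set of client addresses the third party could tie to it."""
    out: Dict[str, set] = {}
    for uid, ip in adserver_records:
        out.setdefault(uid, set()).add(ip)
    return out


if __name__ == "__main__":
    prof, ads, loaded = run_flow(CLIENT_IP, {"optout": "1"})
    print("profiler saw:", prof)      # uid with src_ip None: address stripped
    print("ad server saw:", ads)      # same uid paired with the real address
    print("uid -> ip:", linkage(ads))
```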

  25. Anonymous Coward
    Go

    Potential Advertising Dynamite

    What we need is one of the ISPs who hasn't signed up to this, to advertise widely that they will never do it.

    Can you imagine the rush of new customers they'd get with a scaremongering TV advert directed at the mass market?

    E.g. Did you know that many of the main Internet Service Providers are selling information about the websites you visit to other companies without your consent? Furthermore you have no way to opt out of this.

    We here at [insert brand name] will always protect your data, because we believe you have the right to privacy etc. etc. Call 0800 [whatever] to change ISP now!

  26. Spleen

    "Less ads"

    What crap. TV ads have become more targeted over the past couple of decades (increased number of channels = more specialised channels = more targeted advertising), so have ad breaks become shorter? Have they f**k.

  27. N

    Vote with your feet...

    I don't like what they do or how they do it.

    We don't have to tolerate this, so resolve their IP addresses to the root & move to an ISP that doesn't do this.

    Perhaps then these ISPs will realise their foolish ways & tidy up their act

  28. Mark

    tech team (or PR company unwilling to identify itself)

    This here is another lie.

    'Many of you have raised concerns about the legality of the system.

    To make clear: Yes, our technology complies with the Data Protection Act, RIPA and other applicable UK laws.

    As some background, we've spent a long time developing our technology, systems and practices as regards privacy protection. We believe that most people like personalisation online. We just don't believe they should have to give up their personal data to get it. And that philosophy has informed the development of our entire system.

    There are three main hallmarks to the system: we don't know who you are, we don't know where you've been and participation is always a choice.

    We have walked several experts through our service, from Ernst & Young and 80/20 Strategic Thinking to the Home Office, which is responsible for the application of RIPA. Also, you should be aware that we have spent an enormous amount of time, as have our ISP partners, verifying that all of our activities are fully compliant with all regulation. I believe that it is reasonable to suggest that if BT, Virgin and Carphone Warehouse are all participating, it is because they have fully satisfied themselves of the legality of their decision.'

    What you are doing isn't complying with current legislation.

    What you are doing is exploiting a loophole in the current legislation to accomplish your goal.

    The loophole?

    By stating the hardware is owned by ISPs, you are trying to circumvent the issue with 3rd parties having access to personal data.

    That, as said, isn't complying; it's simply a legal loophole.

    Where will it fall down?

    If I have stated in writing I will not agree to this, the ISP does not have intrinsic permission to duplicate my personal information.

    The second that the data is copied to 'the isp's' hardware, without my express permission, they are, in fact, breaching my right of privacy.

  29. Anonymous Coward
    Flame

    stock market says fuck off phorm

    Hi all,

    Just as I had hoped, the market has responded strongly this morning to phorm:

    the share price has dropped by 19%.

  30. William Morton

    re: PHORM reply to William Morton

    Can I confirm that PHORM does indeed retain pointers to the phrase database for each cookie, and this is how you say you are not capturing the data but rather linking to advertisers' phrases. The fact that the original data (WEB PAGE) is not transferred does not mean the content of the web page is not being stored. Using pointers to a table of phrases is just a method of compressing the user's web pages. You say that the phrase database is constructed from white and black phrases with humans deciding each phrase's category, and yet your auditors admit that the system could be compromised by a disgruntled employee.

    Can you confirm that the only data being passed to the advertisers is the pointers to the white list relevant to the cookie ID. And that any other cookie specific data will never to be used outside of PHORM especially the "black list". Further that no linked tables for any non-"white list" are retained, I ask as clearly, having a linkable black list means that you are also capturing data you know to be dodgy. If the black table was never linked to the cookie I could understand its use in keeping the white table white.

    The system would work just as well for advertisers with only a white list and storing another linked phrase table of data "we are never going to use" smacks of a hidden agenda.

    You say that this white list will quickly contain millions of entries and that you would find it difficult to provide this in its entirety; however, you already store the cookie-specific linked phrase table for the user and hence this data is readily available and in fact necessary to your system.

    Can I suggest that a web page with just the user-specific white list with a tick box per phrase be available. Where the user removes the tick from a phrase, this phrase is not allowed to be linked in any way. Further, if sufficient users remove their consent to a phrase it is moved to the black list or just removed from the white table permanently.

    Can I also point out that after cracking your cookie and obtaining a copy of your phrase database, all advertising websites will be able to use your system to target advertising, even the ones not paying you. It would be in your interests to reorder the database regularly, otherwise you will lose revenue as the advertisers build their own phrase database from what they know they are interested in.

  31. m4rk
    Flame

    Still waiting for Kent to own up

    Still waiting for the system architecture to be published on the webwise site, showing clearly where the phorm hardware sits and what the flow of data is, how the phorm cookies are requested when the user is not looking at a page under a phorm domain and where the interception happens.

    This was promised on the webwise chat but has still not materialised.

    Also I am still waiting on evidence that you do not modify page responses.

    This claim was made on the webwise chat but I have seen nothing to back it up.

  32. alistair millington
    Black Helicopters

    Interesting read, good of them to do it. HOWEVER

    Makes me think: if we as a bunch of readers of this hadn't stepped up and done the petition, the complaints to the Information Commissioner etc. and raised the level of awareness to public media, would they have come forward for an interview?

    Although good on us [the reg readers] for doing the run around and making this at least reach main stream media. Perhaps there is something in shouting and ranting and kicking up a fuss.

    My tuppence and my cynical view.

    Still don't like it though, having read the BT link. PR and spin.

    Helicopter icon because I don't think they would have come forward without the argument.

  33. Anonymous Coward
    Alien

    Place a value on privacy to prevent a Tragedy of the Commons

    I agree with so many people here who wish to protect their privacy. Like them, I do see pernicious outcomes from Phorm. For me, this is not an absolute principle that I'd be willing to kill or die for, but I would be willing to pay something for the privilege of fully opting out. Not with a Cookie, but at the Switch and in my Terms of Service. Surely ISPs could manage this. And they should be given an incentive to do so. They'll have revenue from both streams and, to keep their behaviour in check, the threat of legal action, competition, widespread encryption or amanfrommars style obfuscation.

    Our privacy is a priceless asset. To those who would make this a matter of principle, I say we'll get better long term results if we place a value on it now.

  34. Sceptical Bastard

    Phuck off, phorm

    Just what the internet needs - another bunch of get-rich-quick slimeball packet-sniffing advertising pimps.

    I object on both privacy and technological grounds. If my ISP turns whore and starts phlirting with phorm, I'm taking my custom elsewhere.

    Great to see twenty per cent knocked off their share price BTW.

  35. jon
    Stop

    comparisons with Google are disingenuous

    It is disingenuous to compare this Phorm system with Google and to claim that they're better than Google because they don't store data (which is a barely credible claim anyway).

    The difference is quite simple: no one is forcing anyone to use Google's service, and those that do, as pointed out in the interview, are receiving A SERVICE. This Phorm system will INTERCEPT your browsing regardless of whether you're opted-out or not.

    Thankfully, I shall be leaving this country soon and hopefully Virgin Media won't manage to implement this precursor of Skynet before then...

  36. Francis Fish
    Black Helicopters

    I've opted out for carphone warehouse / talk talk

    Log in, then:

    https://www.mycarphonewarehouse.com/portal/servlet/gben-onlinebilling-contact-ContactUsServlet

    Then:

    I believe you have been working with a company called Phorm about putting targeted advertising into my broadband.

    I opt out, thanks.

    If I can't opt out I will be moving to another provider where I can.

  37. Anonymous Coward
    Anonymous Coward

    Service

    "Phorm

    2nd Floor

    Liberty House

    222 Regent Street

    London W1B 5TR

    +44 (0) 207 297 2067"

    Sssssshhhhhhhh!

    http://servicedoffices.mwbex.com/serviced-office/regent-street.html

    "And it’s unbranded so your clients won’t know you’re in a serviced office."

  38. William Morton
    Coat

    RE: re: PHORM reply to William Morton

    Basic PHORM DB structure to deliver adverts regardless of clientside blocking tools

    PHRASE table (ID, phrase, colour)
    0, Peter, black
    1, holiday, white
    2, Greece, white
    3, SW1, black/white?
    4, £12, black/white?
    5, mystreet, black/white?
    6, I-phone, white
    7, gadgets, white
    8, hate, black/white?
    9, kill, black/white?
    10, sex, black
    11, felching, black/white?
    12, Pakistan, black/white?
    13, pistol, black/white?
    14, kids, black/white?
    15, earn, black/white?
    16, swallow, black/white?
    17, taste, white
    18, love, black/white?
    19, throat, black/white?
    20, breast, black/white?
    21, chicken, white
    etc

    USERS table (internal ID, external ID, isp)
    0, -1, BT
    1, -2, Virgin Media
    etc

    ADVERTISERS (ID, hit count, ^phrase, ^phrase, ^phrase, ^phrase, ^phrase, ^phrase, )
    0, holidays R us, 3, -1, -1, -1, -1, -1, -1
    1, burger king, 9, -1, -1, -1, -1, -1, -1
    2, mc donalds, 9, -1, -1, -1, -1, -1, -1
    3, homophobes anonymous, 2, -1, -1, -1, -1, -1, -1
    4, gadget phreaks, 4, -1, -1, -1, -1, -1, -1
    5, toysRus, 5, -1, -1, -1, -1, -1, -1

    If I was not interested in people's privacy and just wanted to make money, then the ad delivery would go like this:

    User goes to OIX ad hosting site (WEBSITE1), his cookie is de-domained at LVL7 and cookie ID passed to OIX.

    OIX returns a link to AD content on WEBSITE1.

    Now it doesn't matter what ad blocking tools the user has, he gets my advert from WEBSITE1 direct. No more advertisers complaining of non-delivered advertising.

    Now just the phrase list interpretation alone is going to be a nightmare, as many English words have different meanings. How are you going to keep up with the changing informal/obscure language used by specialist groups? How are you going to vet who is allowed to advertise and hence have access to captured data?

    From the phrase list above I have left out the ^phrase see if you can work it out.

    Even if PHORM allow you to block the ad, as WEBSITE1 just redirects to OIX they still get to capture. Change the cookie ID, they link it to the internal ID and still capture your data.

    The answer is clear: if you don't want them to capture your data, move to an ISP who will not pimp your data. If enough users start tunnelling through the ISP's compromised network then the ISP will just add encrypted streams to the banned protocols on the fair use list.

    PHORM TECH TEAM, would you be so good as to repost the phrase list with the correct colours.

    I'll get my coat shall I, it's the one with your data hanging out the pockets

  39. Pierre
    Thumb Down

    Comparison with Ciscow

    Hey Phorm, I liked your comparison with Ciscow. 2 things though:

    - it's not necessarily helping here.

    - Does Cisco provide code THAT SENDS THEM INFO on what's happening on the servers they sell? It does make quite a difference. Should they do that, their sales would drop to 0 instantly (which is where they belong anyway, but that's another problem). Hope this happens to you and to the ISPs who'll implement that wicked system of yours.

  40. Man Outraged
    Heart

    HELP SOMEONE PLEASE HELP FIGHT THE INCONSISTENCY

    Just appeared on the BBC now:

    http://news.bbc.co.uk/1/hi/technology/7283333.stm

    Q: Even if you do opt out your web traffic will still be intercepted and analysed, you just won't see the ads. Is this true?

    A: No this is not true. If you opt out no data is passed from the ISP to Phorm. The ISP controls which data is passed to Phorm and its systems check for the presence of an opt-out cookie. Opting out means that you will not see relevant ads from the OIX (Open Internet Exchange - the platform developed by Phorm) and that none of your data is analysed. You will however continue to see untargeted ads, just as you do today.

    Compare that with El Reg:

    Ok, so if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?

    MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.

  41. Chris Cheale

    Advertising does not a free service make.

    You have to connect to the ad-server and download the additional data - time, as they say, is money. Even the fraction of a second it takes to download that additional data, glance at the ad and realise it's an ad and you don't care, is time. Get enough of them and that's how you're paying. Nothing is free.

    Personally I actually PAY for my email addresses; well I pay for my "generic" address independently - I've got 5 other mailboxes with my web server which I also pay for. With my paid-for service I don't have to log into a webmail system if I don't want to (it's got pop and smtp), nor do I need to look at the adverts funding said "free" webmail system.

    I also get black, white and grey list filtering - and how much does this service cost me? $15 (US) - which converts to about £7.80 or something - A YEAR. More than worth it I think.

    I've got nothing against online advertising, per se, with the possible exception of the intrusive "float over content" ads that El Reg indulges in; they get right on my tits. There is a HUGE flaw, however, in the assumptions made by the Phorm people - personally I have no objections to adverts being served up that are relevant to the site I'm visiting; what I REALLY object to is ad-servers trying to make their ads "relevant" to me by tracking my web usage (I use Firefox's cookie exception list to allow certain specific cookies at home, everything else is blocked).

    If the ISPs can't fund their own services from their subscriptions, then their business model is broken. I've actually got to the point where I'd much rather my ISP (VM) charged per-GB transferred (in the same way I am charged for hosting my website) than the crappy "fair usage" policy, traffic management and now this... and since I transfer <2GB per month, I think I deserve a fucking rebate!

  42. Anonymous Coward
    Joke

    You couldn't make it up...

    Here BT tell you how great they are at managing security, presumably including detecting just the sort of stream hijack they are perpetrating themselves!

    http://www.counterpane.com/

  43. The Other Steve
    Thumb Down

    @ Slimeballs (Phorm Tech Team) - Informed Consent

    Firstly, stop cutting and pasting, and answer some points properly.

    Secondly, you keep hiding behind the idea of choice, and more importantly from a DPA point of view, consent. Let's get this cleared up a bit: the DPA requires "informed consent".

    Truly informed consent would be every user receiving a letter from their ISP phrased thusly:

    "Do you [name of contract holder], consent to having every single web page you visit proxied through a piece of software written by ex Soviet cold war hackers, profiled, analysed, and then passed to a company whose last project was a massive effort to install intrusive spyware onto people's machines without their consent in order to spy on their web browsing habits, sell the data to marketers and open pop ups advertising porn, gambling and dodgy pharmaceuticals to any user of said machines, including, quite often, minors. PS, they promised they won't do these kinds of things any more, and we believe them because they offered us money.

    Optionally, you may also choose to see relevant advertising based on this profiling and analysis.

    To consent to this, you must also accept a change of Terms And Conditions which abandons our existing privacy policy and effectively allows us to sell your data to all and sundry, opening the floodgates to a whole new future of web use where we make money from profiling our customers without their consent or knowledge because it says we can in our new contracts.

    If this sounds like the kind of thing you would like, please complete the attached consent form, and send it by registered post to the Data Controller at [ISP]."

    Sorry, but anything short of that is NOT informed consent from where I'm sitting. What users will get is a web page saying "CLICK HERE TO SWITCH ON [ISP]s NEW ANTI PHISHING SUPER SECURITY SERVICE IT'S GREAT (oh, and some ads).

    CLICK HERE NOW."

    Then they get a mutable, expiring, easily deleted by accident, couple of bytes of data on their machine. And guess what, if they DO delete it by accident, or they have a software failure, or have to reinstall their machine, or they switch browsers, you opt them back in by default without their consent AT ALL.

    Bullshit. You want informed consent, get it in writing from the Contract Holder, or end up in court. No informed consent, no interception for purposes other than those necessary in the course of the provided service. If ICO had any teeth, they would already be chewing your arse off. Get one of your legal droids to actually read the DPA. And stop spewing the same godawful dissembling copy'n'paste shit around the web. Get some REAL technical people on the front line with some REAL answers.

  44. Anonymous Coward
    Thumb Up

    The power....

    Anyone looked at their share price today? Unless I'm mistaken, it's down nearly 33%.

  45. colin stone
    Joke

    Lost - one PhormPRteam member

    We have recently lost a member of our PR team.

    He was last seen hanging about several message boards and forums.

    It is thought he was posting misleading information about our spyware products and services, although not a member of our company.

    If found please do not return as our share price has tanked and we hold him fully accountable

    thank you

    Phorm Management.

  46. Anonymous Coward
    Thumb Down

    Putting the pieces together...

    It seems that the pieces are falling into place now, I think there are some misconceptions about the "business model" but this is what I can fathom out from all the gumph, PR, forum postings, comments from the "tech team" etc.

    Bear with me, this was meant to be short but it went on a bit! ;-)

    The system itself...

    Phorm PAYS the ISP to put one or more servers in their network which will intercept all customers' HTTP traffic (I assume they will only intercept port 80 web browsing). No captured data ever leaves the ISP; however, a cookie is set on the customer's machine that contains information about your "interests" (as determined by the profiling server) and a unique number for that customer.

    When the customer visits a website that has signed up to OIX to display adverts, their cookie information is read and an advert is displayed that is relevant to their browsing habits. Phorm do NOT replace adverts, just display more "relevant" adverts when the customer visits a site signed up to their advertising scheme. Phorm make their money from the advertisers themselves and pass on a "cut" of this to the ISPs.

    That in itself doesn't sound 'too' sinister, just like many others I don't like it but it's not as bad as was originally thought however the rather more complex issue...

    Opting out...

    The customer can opt out of being shown "relevant" advertising by setting a cookie on their machine. It appears (although there are contradictions) that if the customer opts out then the web pages they view are NOT processed by the "profiler"; however, the customer's requests are still being intercepted in order to check if they have opted out. And this is the real issue.

    I saw a comment further up supposedly from the Phorm tech team that said they comply with RIPA. And this is where the issue gets muddy.

    Technically Phorm are NOT intercepting any data, it's the ISPs that are intercepting their customers' data. The only connection Phorm have is that they have supplied the software to enable them to "profile" the information they are intercepting and, I assume, inject certain content into the web pages returned to the customer.

    As people have said, an ISP can look at any of the data crossing their network and this is true; however, the data is being carried across devices whose function is simply to route traffic where it is supposed to go (I'll skip the OSI model for now). The most sensitive information that is "inspected" is the addressing (where's it going to and where has it come from). The devices look no further into what is being sent. (There is no getting away from this, it's just the way it is.)

    The ACTUAL information you are sending and receiving "could" be captured and reassembled in order to track what you have been doing; however, this is where RIPA rears its head. Without consent from either the operator of the server the customer is connecting to or the customer themselves, capturing and reassembling this information would contravene RIPA.

    The issue is that the ISPs are now essentially being assisted and paid by Phorm to do exactly that: capture the information that their customers are sending and receiving, piece it back together and inspect the contents, even if you opt out.

    Because the method of opting out is in the form of a cookie, they need to capture and reassemble the entire communication in order to determine that you didn't want your data intercepted in the first place. It's chicken and egg!

    So assuming my assumptions are pretty close to the mark, it's the ISPs that are on dangerous ground here, not Phorm. Phorm are merely providing them the means to do this AND paying them to do it (perhaps there is guilt by association?). My fear is (as has already been stated) that the ISPs will simply change their t's & c's so that in order to use their service you consent to them intercepting your communications.

    I'm not defending Phorm, far from it but I think the wrong company is being questioned, the likes of BT etc are the ones that need to start answering the questions.
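    To make the chicken-and-egg point above concrete (and the deleted-cookie point in comment 43), here is an added model, not Phorm's, BT's or any ISP's code, of an inline opt-out check driven by a client-side cookie: the ISP-side box has to read and parse every request before it can find the cookie, and any user who lacks the cookie, for whatever reason, is profiled by default. The cookie name, hosts and requests are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

OPT_OUT_COOKIE = "optout"  # assumed placeholder name; the real one is not on the page


@dataclass
class InterceptorStats:
    """What the ISP-side box had to touch, regardless of anyone's opt-out."""
    requests_inspected: int = 0
    bytes_inspected: int = 0
    profiled_urls: list = field(default_factory=list)


def parse_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request head into method, path and headers.

    The whole head must be reassembled and read before the Cookie header
    can even be located: the opt-out check is itself an inspection.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def cookies_of(req: dict) -> dict:
    """Split the Cookie header into a name -> value map."""
    jar = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def is_opted_out(req: dict) -> bool:
    # Opt-out is inferred from the presence of one cookie value. Anything that
    # removes it (clearing cookies, a reinstall, a new browser) silently opts back in.
    return cookies_of(req).get(OPT_OUT_COOKIE) == "1"


def intercept(raw: bytes, stats: InterceptorStats) -> str:
    """Process one request as the ISP-side box would; returns the outcome."""
    stats.requests_inspected += 1  # counted before the opt-out decision is known
    stats.bytes_inspected += len(raw)
    req = parse_request(raw)
    if is_opted_out(req):
        return "skipped"  # not profiled, but the request was already read in full
    stats.profiled_urls.append(req["headers"].get("host", "") + req["path"])
    return "profiled"


def build_request(host: str, path: str, cookies: Optional[dict] = None) -> bytes:
    """Constructed sample request, not captured traffic."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def simulate() -> Tuple[InterceptorStats, List[str]]:
    """Three constructed scenarios from the thread, run through the same box."""
    stats = InterceptorStats()
    scenarios = [
        # 1. User holds the opt-out cookie: not profiled, but still inspected.
        build_request("news.example", "/story/1", {OPT_OUT_COOKIE: "1"}),
        # 2. Same user after clearing cookies: profiled again by default.
        build_request("news.example", "/story/2"),
        # 3. User who blocks all cookies for the opt-out domain never held one.
        build_request("shop.example", "/basket", {"session": "abc"}),
    ]
    outcomes = [intercept(raw, stats) for raw in scenarios]
    return stats, outcomes
```

    Running simulate() gives one "skipped" and two "profiled" outcomes, with all three requests counted as inspected.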

  47. Anonymous Coward
    Black Helicopters

    Contradictory answers

    The answers from Phorm and BT are beginning to contradict themselves a lot. E.g. is clickstream data saved? One source says not, another from an interview with Phorm's CEO says the full webpage data is analysed offline so as not to create a performance problem with the end users' DSL speeds (therefore it must be saved for some period).

    They claim in many places (as does BT) that no data is looked at / processed if you opt-out, yet Phorm's interview with the Register admits that their server (located at BT but written by Phorm's developers) still processes the full webpage data but doesn't actually send it externally (or so we are told; have any 3rd party software experts examined this software?)

    I know many BT employees and the mood internally among staff is strongly against this sellout deal due to the privacy concerns (internal newsgroups from what I hear are particularly anti-phorm)

    Having the system opt-out (BT claim in a few places that "no decision has been made" -- yeah right, like the marketing dept would allow an opt-in solution) is ridiculous, esp. combined with the fact you need an opt-out cookie to be present! You could block all cookies from webwise.com, but who's to say that the profiler won't/can't fall back to tracking you via your IP address (they say they don't, but I for one won't trust known adware peddlers).

  48. Andy ORourke
    Unhappy

    Too lazy to read everything

    Did I miss an article about the "China Connection"? I thought I heard in the first stories about this that some of the servers were located in China, but from the BT Webwise site:

    I understand that Phorm has equipment in China. Is that true?

    Phorm has absolutely no connection with China. All processing is done in the UK and within the BT network. No data is ever passed outside the BT network to any third parties. The system has been built from the ground up to ensure that there is no way user data can be accessed or stored in any way.

  49. Andy ORourke
    Thumb Down

    The BT opt out clause in the total broadband T&C's

    If we have made a change which is to your material disadvantage, you will not have to pay a charge if you decide to end your agreement early, unless the relevant price terms say otherwise. However, once we have told you about such a change, you must let us know that you want to end the agreement within ten days. When we make a change that we reasonably believe is to your material disadvantage we will also let you know that you may end the agreement early without paying a charge for doing so.

    So by saying Phorm is an advantage for its users they have effectively got you screwed to your 12 months!

  50. Anonymous Coward
    Go

    Talk to Phorm!!!!!

    If people want to challenge Phorm directly then they should go and meet Hugo Drayton - CEO, Phorm UK who will be at the Chinwag session on March 18th.

    http://www.chinwag.com/events/2008/03/chinwag-live-tomorrows-ad-formats

    I think I may go along and see the fireworks!
