back to article BT targets 10,000 data pimping guinea pigs

BT is preparing to test Phorm's advertising targeting technology on 10,000 of its customers this month, to gauge people's reaction to their web browsing being exploited for extra revenue. The trials will begin mid-March and guinea pigs will be drawn from BT Retail's consumer broadband subscriber base. The firm believes …


This topic is closed for new posts.
  1. Barry Zubel

    Changing ToS?

    Changing their Terms of Service?

    Sounds like a good way to exploit the get-out clause while you can. Changing ToS means that existing customers can leave without penalty

  2. Alex Threlfall

    re: ToS

    Whilst they could change their ToS, if the practice is deemed illegal, they can't exclude themselves from prosecution for it by putting it in the ToS

  3. analyzer

    Re: Changing ToS

    These types of scumbags always do that, then assume that you have browsed the web page and accepted the change, and even say you must contact in a certain time or you accept.

    Send them an e-mail of complaint, then in the blurb that is always after the end of it now, add changes to the contract stating that if they do not reply within seven days they accept these changes.

    It will either change your contract to a more reasonable one or get a reply :)

    Oh and *always* e-mail your ISP regarding any changes with your contractual change in :)

    On your Marks ... get set ... (icon)

  4. Alexander Hanff

    Informed Consent

    "ensure that customers are able to take a fully informed decision"

    In order for customers to make a "fully informed decision" BT need to give them -all- the facts which I simply cannot see them doing. There is no way BT will say on the portal page that this "service" contravenes RIPA, DPA, Human Rights, Trespass to Chattels and Computer Misuse Act.

    Also there is no way BT are going to tell their customers about the dark history of the Phorm executives.

    Furthermore, I don't expect they will tell their customers that even if they opt out all their browsing will still be sent to Phorm who simply "Promise" not to use it.

    I definitely don't expect them to inform the customer that under EU anti spam laws BT are required to get people to opt in instead of opting them in by default and giving them the option to opt out (although the opt out option isn't really an opt out).

    So "informed" decision? No fucking chance. There interpretation of RIPA is about as flawed as their interpretation of what they claim their customers want.


    Finally, Chris Williams, could you please contact BT again and see if they are willing to admit that they already trialled this service last summer (illegally). I am seriously considering starting a class action against BT for the trials last summer even though I am not a BT customer.

  5. Chris Williams (Written by Reg staff)

    Re: Informed Consent

    "Finally, Chris Williams, could you please contact BT again and see if they are willing to admit that they already trialled this service last summer (illegally). I am seriously considering starting a class action against BT for the trials last summer even though I am not a BT customer."

    I have asked this question half a dozen times now. The most recent yesterday they were still "looking into it".

    I'll keep asking and if I ever get an answer, Reg readers will be the first to know.

    - Chris

  6. Jonathan

    Lies, lies and more lies

    I checked my cookies last night, and lo and behold, there was one set by, which coincidentally happens to be Phorm's portal.

    So, although Virgin claims to be some way away from an implementation, my browsing is already being monitored. Dont worry, I promptly decided to disable all cookies except those for sites I trust, changed to OpenDNS, and even installed Adblocker Plus to prevent me from even seeing these new adverts, if they ever appear. I wish Adblocker Plus was installed with Firefox by default - it must be the best addon I have ever seen. Or better, not seen!

    I do hope that BT's new homepage for these guinea pigs explains exactly what they are agreeing to, and why they shouldnt. Perhaps they should link to the discussion on El Reg, for a less biased point of view.

  7. Christoph
    Paris Hilton


    "safer, more relevant experience"

    Exactly how does being spied on make your browsing safer?

    Does safe sex mean leave the curtains open so the neighbours can watch?

    Paris - because of that video, obviously.

  8. Rich Silver badge

    Marketing crud

    I love the way they call this a "service".

    "We're going to monitor your web traffic, analyse it behind you back, serve up advertising that you don't want and never asked for, make money out of it on your behalf, and you'll damn well be grateful"

    Wasn't it a little while back when Google (?) were going to introduce something to "improve your browsing experience" with targeted ads.

    I appreciate that these companies want and need to make money, but PLEASE don't insult me by trying to convince me that I actually WANT this stuff, because I don't and never will.

  9. Anonymous Coward
    Anonymous Coward

    "take the service"

    "We consider that these steps [above] will meet the legal requirements of RIPA and also ensure that customers are able to take a fully informed decision as to whether to take the service."

    But what do they mean by "take the service"? I think this is cruicial - I bet their definition of me taking the service would differ from mine. Are we opting out of the farming process or just the serving of ads based on that farming process? I want the former; I bet they mean the latter.

  10. Ed
    Dead Vulture


    Is popping up a page when the user is browsing a legal way to obtain consent? Many households have more than one internet user in it and the one seeing this popup are not necessarily the one paying the bill (and hence bound by the contract). Equally, can someone agree to allow that someone else's web browsing is monitored by BT, e.g. their spouse's?

  11. Anonymous Coward
    Anonymous Coward

    consent when the user starts a browsing session

    every session or first time only? And do they verify during this that the person checking the box is the account holder?

    also, are we to assume that the guardian and myspace (ie news corp) are willing and paying customers of this company?

  12. Anonymous Coward

    I love their way of selling the adware

    Direct lift from the webwise website for BT they're nicely selling it as an internet security package and after this hard sell that you NEED webwise then they tell you it's going to spam you with adverts so they can make even more money than the already ludicrous prices they charge you each month for their broadband packages.

    Hopefully packages such as adblockplus and spybot will be able to block this stuff. However i'm a little confused as to how they intend to display the adverts will they simply spam you with popups or are they planning on basically mapping over existing ads so if a page with google ads is loaded will instead of it showing google ads start displaying BT's ads?

    This could have a pretty major impact on people who rely on revenues from advertising to keep their sites and communities alive

    BT Webwise helps to increase your protection against online fraud and make your Internet browsing more relevant.

    BT Webwise automatically increases your protection against online fraud by checking against a list of known fraudulent and untrustworthy websites. When you visit any website on the list, you'll receive a warning, so you can choose whether or not to visit it. It's another way BT is helping to protect you online.

  13. MarkMac

    the point isn't the adverts...

    'Targeted' adverts are a red herring, tho there have to be concerns about adverts targeted at the adult male of the house being served up to the preteen girl who happens to use the same computer.

    The issue is that irrespective of the "opt out", Phorm's servers (which currently seem to be in China) will scan your web traffic and webmail. If you opt out, they'll still gather it even tho they promise not to process it.

    And what happens when Phorm's servers are hacked? Which /will/ happen, sometime, it always does. 10 million of us will start getting 'targeted' spam.

  14. DM

    At the start of a web browsing session...

    So actually, anybody using the connection (I'm guessing whoever happens to use the web first on the day they flick the switch) can agree to your data being used in the trial....

    Not necessarily the account holder; and I'm guessing the person who has the legal rights to change things.

    Now you try doing anything over the phone if you're NOT the account holder, it's virtually impossible!

  15. Ash
    Thumb Up

    Breach of the what now?

    Could someone in the know (therefore making the work easy to the point of being inane) make everyone's life a whole lot easier and list the sections / sub-sections of RIPA, DPA, etc which this practice breaches?

    It'd make things a whole lot easier for us mere plebs who don't speak legalese to get the desired effect. A few hundred letters mentionin "Section 11 (Sub. 1) of the DPA states..." etc, with "... begin Class Action proceedings..." somewhere in there would probably get them listening.

    Many thanks!

  16. Gav

    This webpage brought to you by....

    Have they checked with the websites whose web pages their going to decorate with their adverts? When an advert appears will it be obvious to the reader who is responsible for presenting it? If Tesco have an advertising contract with BT, do they get to add their adverts to pages from Asda's website?

  17. Anonymous Coward
    Anonymous Coward

    You have to wonder what drugs they took to think they can get away with this...

    I'm two months into an 18 month contract with BT Broadband and there's no WAY I'm going to stick with them if this gets rolled out nationwide.

    I'd love for someone in the know to produce a legal letter we could all use as a template to send to BT to kill this outrage stone dead.

  18. Alexander Hanff

    re: Breach of the what now?

    The relevant sections of RIPA and DPA have already been cited in previous articles on this issue. European Convention on Human Rights (in fact pretty much all Human Rights legislation) clearly states all people have the right to privacy in their private lives and communications (note communications is the important part here).

    Trespass to Chattels is a civil tort allowing you to sue anyone who installs software on your computer without your explicit permission (cookie can be deemed as software) although it is more commonly used for property other than computers; and finally Computer Misuse Act basically covers the same points as Trespass to Chattels but is specifically written for computer use and if I remember correctly makes such action a criminal offence.

    I am too busy at the moment to go routing through the relevant legislation to give you exact sections, but you can read them all on

  19. Mike Richards Silver badge

    Terms of Service getout?

    I'm contracted with BT Total Broadband for a while yet. If they amend their ToS to Phorm's benefit am I within my rights to end the contract without penalty?

  20. Anonymous Coward


    I've seen this referred to a lot when people have worried about the tracking of their Internet activity. I can see that since it only handles DNS it can hardly track what you're doing as an individual, but it's putting control of what sites you see in someone else's hands who's trying to make a swift buck or two out of their business. What makes them any more scrupulous than BT?

    Happy to be edumicated... :)

  21. gothicform

    Europe can help sort them out

    There's a nice Europeran Directive from 2003 on telecommunications that specifically covers this. It says that if the telco does something that breaks the law with regards to the directive (such as BTs actions here) then all the contracts with their customers they are doing that action with are automatically voided so contract length becomes irrelevant. Furthermore the customers may sue the telco for damages, things like the cost of moving to another ISP.

  22. Anonymous Coward
    Anonymous Coward

    Petition to stop this

    The link is to the petition you can sign to get the government to put a stop to this (we can but hope).

  23. Roger Hughes

    @Alexander Hanff

    There is no such thing as a "class action" in English or Scottish law. Been watching too much American TV?

  24. Anonymous Coward
    Anonymous Coward

    Safer because it warns of potential phishing

    Like GAIN/Gator was an application which stored passwords for you. Nobody makes pure spyware if they can get a twelve year old to knock something up in VB to bundle with it.

  25. Cynical Observer
    Thumb Down

    Firefox anyone?

    Oh well.... Firefox with AdBlock Plus and CookieSafe then

    Even if they do manage to record something meaningful from the traffic, I'm never going to see the suggested ad content.

  26. darsyx

    dodgy browsing

    "the opt-out works means the contents of the websites you visit will still be mirrored to its system"

    so, you can opt-out, browse some dodgy sites, and then shop Phorm to the kittie-porn-cops?



  27. Alex

    it was trialed last summer... bothered me as I thought my mac had some kind of spyware on it that and my dsl was intermittent to useless

  28. Paul Barnfather
    Thumb Up

    Mainstream media getting the message?

    The Guardian have a good summary up here (and they've spoken to an ex-Phorm employee):

    Nice work, guys - keep it coming!

  29. Anonymous Coward
    Anonymous Coward

    If I was one of them...

    ... I'd have a right yelling session with them over the phone for daring to mess with my browsing habits!!

    And no doubt those new extra splash pages will confuse the elderly and those who are 'new' to this new-fangled interweb thing.

    Bravo BT, you swine!

  30. Anonymous Coward

    Trouble opting out

    BT keep sending me spam, even though I am not a BT customer. Every time I click on the 'unsubscribe' button the web page I am taken to lets me enter my email address then fails 'page not found' How very convenient (for them)! - and no, it is not phishing. Simply, if they can't be relied on to implement their own simple opt-out system for spam, how can they be relied on in this?

  31. Anonymous Coward
    Anonymous Coward

    Just block the cookie?

    All my machines at home have been set to block's cookies at all times, joining every other advertising address I've found. I'll also keep an eye out for any other strange new ones in case they decide to stick in a few other domain names to get round blockers.

    If I understand how this works, this means that they won't be able to consistently match my surfing history... Or am I mistaken there? Do they tie it to IP addresses mapped to BT usernames?

  32. Pat

    Cookie handling

    In Firefox, if you set the Cookies to Keep Until: Always Ask, you get to see what cookies are being set, and you can decide whether to accept permanently (eg for forums, or this site) or just for the session. This latter option is great for messing with people like OIX and Doubleclick as it keeps sites working smoothly but stops profiling.

  33. Secretgeek

    For Ash et al

    Some relevant bits of the Data Protection Act 1998

    Part 1 Section 1

    "personal data" means data which relate to a living individual who can be identified-

    (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

    [Your ISP is a good example of this. On it's own it's nothing, when someone has access to your BT account details like ermm...BT then it's personal.]

    "processing" in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-

    (b) retrieval, consultation or use of the information or data,

    (c) disclosure of the information or data by transmission, dissemination or otherwise making available.

    Schedule 1

    Part 1

    The Data Protection Principles [There are 8 but you can Google for the Act itself]

    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met [e.g. you've given your consent], and (b) in the case of sensitive personal data [i.e. medical info, gender or ethnicity etc], at least one of the conditions in Schedule 3 is also met [e.g. you've given EXPLICIT consent and it's not carried out for profit].

    [Breach of the Principles is ultimately enforceable by court order to cease processing and a possible fine, although the maximum fine is only £5K and BT probably think it's worth the risk that of couple of fines versus whatever they're making from the Phorm deal]

    Part 2


    The first principle

    1. - (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is DECEIVED OR MISLED as to the PURPOSE or purposes for which they are to be processed. [my emphasis]

    2. - (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless- (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph 2. - (3) The information referred to in sub-paragraph (1) is as follows, namely-

    (a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

    [This should be a useful starting point for the Data Protection Act - there's probably more stuff I could include but I should actually be working]

  34. Alexander Hanff

    @Roger Hughes

    In some respects you are correct we have no "official" label for class action, however, the principle of a class action in UK law does exist as far as I am aware. And by principle I mean a collaborative lawsuit brought against a defendant(s) from multiple plaintiffs.

    As for TV, I watch very little TV at all and even less American TV.

  35. Alexander Hanff

    re: Just block the cookie?

    The point has flown straight over your head and out of the window hasn't it. Blocking the cookie makes zero difference in this case. The cookie is used merely for profiling and for opting out, whether the cookie exists or not, all your browsing will still be sent to the Phorm servers they just "promise" not to use it.

    Please make an effort to read the many articles on this issue which are linked too at the bottom of this story. Telling people to block the cookies is only likely to lull people into a false sense of security when in reality, cookie or no cookie all your browsing are belong to Phorm.

  36. Morely Dotes

    A better way is already available - and free of spying

    From :

    "BT Webwise automatically checks every website you visit against our list of known fraudulent or 'phishing' websites — including websites you may visit by accident. Our list is constantly updated and sites that appear on it will trigger a warning notice before you reach them, so you can choose whether or not to continue. "

    The better way is to go to and install the MVPS hosts file (which works on Windows, Mac OS/OS X, and Linux incidentally, although you're on your own for installing it on non-Windows machines as far as MVPS is concerned).

    The hosts file contains a "list of known fraudulent or 'phishing' websites" as well as other malicious sites, and completely prevents your computer from ever contacting those sites, by redirecting any attempt to reach them right back to your own computer. Any attempt to reach (for example) www DOT almoso3h DOT com (which has attempted in the past to install on visiting computers) will simply return a "host unreachable" response.

  37. Steve

    Still better than Virgin Media

    I've sent them three emails so far asking how to opt-out of this. The first reply just gave a link to the Reg article that detailed how dodgy the scheme is:

    "BT, Virgin Media and Talk Talk argue that Phorm's anonymising techniqueswill achieve this feat. When discussing Webwise, the consumer brand for Phorm's advertising targeting system, the existing partners all place heavy emphasis on its widely-available and standard anti-phishing features.

    Here is the link for it"

    Then they recommended that I call their 25p per min tech support line! When I email them again to point out that they had made no attemp to answer my question, I got this:

    "Unfortunately, I do not have enough information from your e-mail to diagnose the problems you have been experiencing or locate your account.We need a clearer view of your computer's activities prior to this problem occurring. Can you please email again with a few more details about the problem. I will then be in a better position to help you.

    I need to know the following:

    <<insert technical questions here: no more than 4 unless its essential>> "

    Both emails were signed:

    "Kind regards

    (Your Name)

    Virgin Media Technical Support Centre"

    They can't even use a fucking email template properly! The fact that I pointed this out to them in my second email leads me to believe they are just seeing the word "Phorm", opening up a template and hitting send. If I don't a satisfactory answer from the third email, then I'm phoning them up and that'll *really* make the cunts sorry - I have honed my belittling speech to perfection.

    It's not about protecting my privacy anymore, it's about punishing VM and it's staff.

  38. Mark

    Possible answers to 'Opt Out' meaning.

    The issue of the 'opt out' is seriously bothering me with regards to how vague it sounds. I found someone claiming to work for Phorm who was posting on a blog for Labour Councillor Bob Piper. Anyway I originally asked:

    "Would you care to explain how the 'Opt Out' works ? I suspect that by opt out what is really meant is that a machine will not be targeted with adverts. Can you really explain exactly how the opt out process works in a technical manner and not by just referencing the website you can go to to click 'opt out' as this explains nothing. Most importantly, if someone has decided to opt out, will any data what so ever be sent from the ISP network across to the Phorm network for any form of processing ?"

    And got this answer from 'techteam':

    "When you opt out -- or switch the system off, it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm. We should be clear that the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be adverts from the OIX system and they will not be relevant to your browsing."

    It's till hasn't made me any more happy about this whole situation, and I've no idea who this person is or if they are even legit, but the full details can be found here:

  39. Anonymous Coward

    Black arts

    Wouldn't it be funny if people had been intercepting BT directors family private phone calls history. Then it got published on internet. Of course this information is anonymized so what could be the problem with that.

    A darn lot.

    Not nice thing is it?

  40. Ash
    Thumb Up

    @Everyone who says "Block the cookie!"

    No, no, and NO! The cookie is just a mechanism for building a profile for your browsing habits; it means they have a way of saying "Oh, but WE don't hold ANY data about you! It's ALL on your computer!" This does NOT stop them actually RECEIVING the data from the ISP (the bit which everyone is up in arms about)!

    Anyway, by their own description of how the service works, blocking cookies would result in your choice to "opt-out" being voided, as that choice is ALSO stored in a cookie. Note that choosing to "opt-out" only stops them serving targeted advertising, not being sent your data.

    This is they key issue in the debate, and why i'm so adament to get the right sections in the DPA, RIPA, Human Rights Act's to beat Virgin Media (my ISP) over their engorged head. I'll be visiting Citizen's Advice at the weekend, and seeking advice from one of these "No Win, No Fee" solicitors to see if their is a case. Just so happens I know one... ;)

  41. Ashley Apps

    It's got to be made public.

    Unfortunately nothing will happen unless the majority of the customers of these ISP hear about it.

    By far and away the majority of people affected will have no idea what it is all about and will be taken in by the idea of safer browsing.

    You have to realise that most of BT/Virgin/Talk Talk's customers are not technically competent and have no idea that the so called benefit can be had for free without the drawback of being spied upon.

    The only way something will happen is if this gets to be featured on mainstream TV i.e.BBC/ITN News. I have just contacted the BBC News website asking why they have not covered the story - I suggest you all do the same. If enough pressure is applied hopefully they will sit up and take notice. Another thing to do is to contact your local MP with the story.

    This has to be made public before the 10,000 user trial starts for there to be any chance of a user backlash.

  42. Anonymous Coward

    Boys and Girls in Blue

    If, as suspected, it is illegal, has anybody thought of, or tried, complaining to the Police? I know your average officer on the street won't know or care about this but there must be some way of complaining.

  43. Craig

    @ Alexander Hanff

    Hmmm, bit harsh there surely. The AC's browsing will still be sent to Pharm but without the cookie there's no easy way to "profile" the AC and there's no way for Pharm/BT/Virgin/etc to target ads at him/her meaning all that Pharm will get is a bunch of websites that someone, somewhere on BT/Virgin/etc's networks has visited.

    Assuming they can't profile without the cookie and SSL stuff is secure from them prying into the content then it goes from a major invasion of AC's privacy to something still illegal but probably less directly harmful to the AC.

  44. Roger Hughes

    @Alexander Hanff

    Reading too many reports of American court cases, then ;-)

    There's a Group Litigation Order, but it is opt-in rather than opt-out as a US class action is - it does not automatically include all potential plaintiffs (nor provide the defendants with a once-and-for-all ruling), so you have a bigger recruiting job on your hands. It also leaves all the plaintiffs potentially liable (I suspect jointly and severally) to their own (contingency fees/no-cure-no-pay can't be used) and any defence costs if they lose the case, which could be nasty.

    Mind you, I think (IANAL,) this isn't relevant to anything under the Data Protection Act, where it looks like a criminal offence is being committed rather than a civil tort anyway. So you want to get the DPP on the case...

    This doesn't mean that I don't think that hanging's too good for them, though...

  45. Someone

    For the love of Harry

    “The trial invitation will be presented through a special web page that will appear when those customers start a web browsing session,” say BT.

    We try and teach people to be wary of strange and unexpected things popping up during web browsing. Now BT are going to do it, and want customers to unquestioningly engage with it!

  46. Anonymous Coward
    Anonymous Coward

    All Firefox users please install TrackMeNot

    All BT VM CFW user please install Firefox + TrackMeNot

    TrackMeNot Protects users against search data profiling...

    Protects users against search data profiling by issuing randomized queries to popular search-engines.

    Select all search engines and set the query rate to 1 per minute.

    Lets see how good their profiling software is.

  47. Anonymous Coward
    Thumb Up


    One of the things I really like about this discussion is that a complex and relatively esoteric issue surrounding Internet privacy is gaining public visibility and discussion thanks to ... the Internet. There is something elegantly circular about that.

  48. Anonymous Coward
    Anonymous Coward

    Firefox + TrackMeNot

    install Firefox and the TrackMeNot extension.

  49. Ben Tasker Silver badge
    Paris Hilton


    Honestly Steve, your response from VM is better than the one I got from BT. Guess my email reached India. they sent me;

    I am sorry to learn that you are unable to use BT Webwise properly. I can understand that you are very worried about the security.

    However, I would like to mention that BT Webwise helps to increase protection against online fraud and make Internet browsing more relevant. BT Webwise automatically increases protection against online fraud by checking against a list of known fraudulent and untrustworthy websites. When you visit any website on the list they will receive a warning, so that they can choose whether or not to visit it. BT Webwise also personalises the online advertising seen on participating websites by linking it to customer's interests. For example, if you search for a weekend trip to Paris or visits pages related to Paris, BT Webwise would help provide relevant advertising for travel or hotel information. Customers would not see any more adverts than they normally do - they will just be more

    relevant. We are trialling BT Webwise in February and March before launching for all customers in phases. BT Webwise is completely free - and does not require any downloads or software installation for it to work. All users are assigned a random user identifier (cookie) to preserve anonymity but to keep the ability to be served relevant ads. BT Webwise does not collect personal information, cannot use it to serve ads, and does not attempt to identify you in any way. BT Webwise uses technology that has been built from the ground up to avoid any information that might identify a customer personally. BT Webwise does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers,

    National Insurance, or other private information. If the issue persist, then I will advise you to switch off and switch it back on by trying the following link:

    For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site:

    Thank you for using BT Total Broadband Support.

    Which would be fine, I suppose if I had any feeling that they may have read what i sent them;

    Dear Sir/Madam,

    I am writing to you today due to my grave concerns about BT's proposed 'service' 'webwise' which will be run in conjuction with a company named Phorm. I have numerous privacy concerns with this service, not least that the CEO of Phorm has proven links with malware. I do not trust this company with my data, and certainly do not believe BT should do so on my behalf.

    As you are no doubt aware, this issue has been highlighted recently in many technical news forums, including The Register. If BT were to read the comments on the Phorm Related stories they would see that this 'service' is not something that is wanted. I have 'anti-phishing' software included in my browser, and 'webwise' is unlikely to add any further protection.

    Whilst I am aware that I can download an opt-out cookie, it appears that my traffic (both outgoing and incoming) will continue to pass through Phorm's hardware. This is simply not acceptable. Whilst it is claimed that the information is anonymised, last years debacle with AOL releasing suppsoedly anonymised data shows that this is not always as simple as it seems. Furthermore as there appears to be no system for oversight, and given Phorm's links to malware, I fail to understand why BT expect it's customers to trust that data will be 100% anonymised.

    I believe that the proposed system constitutes 'Interception' under the Regulation of Investigatory Powers Act (RIPA), I have not given permission for you as a service provider to 'intercept' my data, except as required to provide the services I am paying you for. Even if BT can claim implied permission, the owners of any websites I am visiting are unlikely to have given permission for a third party to essentially create a copy of their copyrighted material.

    For the purposes of clarity, I do not give permission for BT to pass my browsing habits through this system, as a website admin, I do not give permission for packets sent from my server to a conencting client to pass through this system, and I will consider it an invasion of Privacy if either of these are to happen.

    I am not interested in targeted advertising, and regularly use the functionality of my browser to block unwanted adverts. This 'service' is of absolutely no use to me, and I wish to know exactly how to fully opt-out. Not just via a cookie, but to opt out any system that may be connected to my network, and to ensure that no traffic from my network will ever pass through Phorm's hardware, whether leased to BT or not.

    As a means to reaching that end, please note that the following is a Data Protection Act Notice, as provided by the UK Data Protection Act 1998.

    I, Ben Tasker, hereby withdraw permission for BT to pass any of my details, including details of my web traffic to any third party whether inside or outside of the EU, except where it is required by law. I also specifically withdraw permission for BT to pass my details outside of the EU whether to a BT Group subsiduary or otherwise. BT may only use and hold my data as required to fulfil their contractual obligations with regards to the Provision of my BT Total Broadband, BT Fusion Mobile and BT Home Phone services.

    If BT should discover that it needs to pass my details outside the EU or to a third party in order to fulfil their contractual requirements, they must obtain my most express permission in writing first.

    Thank you for your time, and I must express that I am dissappointed that an ISP such as BT have made decisions that have led their customers to this juncture. I will be considering changing ISP, however if BT can guarantee that my data will not pass through Phorms system (and they must do so in writing) then I will consider remaining with BT. Especially as this is the first issue that has arisen since BT provisioned my line.

    Yours sincerely

    Ben Tasker

    Anyone else get the impression they read Webwise and said Right!! Template 1, send, close ticket. Done, who's for coffee?

    P.H. Cos at least she would read it, might not understand it.......

  50. Anonymous Coward
    Anonymous Coward

    Problems with ads, and how to block them - for now

    I've signed the no.10 petition and am waiting for BT to reply to my query on whether they have been or will be behaving illegally with my data. Still waiting.

    Anyway: Some have mentioned here blocking ads using hosts file, squid or privoxy/proxomitron. I recommend against using squid as it can do a lot, including blocking, but that's not what it was designed for. Messing with ACLs is mucky and squid on the whole is a bit of a hairy beast. Go for something designed for the job.

    I have to say that using hosts (at least on windows) has problems. First, it slows down page loading as a blocked/hostfiled URL will try to resolve to the local machine and that seems to take a couple of seconds to timeout on my machine (win2k).

    2nd, and this is worrying, hosts file can be bypassed. I understand there's a win2k API call to resolve, explicitly ignoring hosts (read of this in link below). But I can confirm that when skype (ver. at least) is online, URLs are resolved to some weird degree, for definite, even if'd in the hosts file. It looks like skype is intercepting browser requests. Here's the link to my original query with some thoughtful feedback:


    Finally, and perhaps most problematically, I've recently noticed that adverts' text seem to be being served up within the page - not via another URL; actually embedded. I noticed this when, prompted by another story, I checked up the stuff about safari security. I got the page, I also got embedded ads about safari perfume (so much for precise demographic targetting...).

    Here's the link although it doesn't seem to be doing the adverts thing today


    This last development is going to be hard to tackle using technical means only...

  51. anonymous sms

    Profiling Potential Scam Victims?

    As I understand it BT will not be giving Phorm our identities but they will be giving them our internet 'addresses'. They will also be giving them a complete profile of the type of person at that address.

    Would we want Royal Mail to give our addresses and a complete list of the organisations we communicate with to unknown third parties? Certain mass-marketing 'companies' that currently target us with various scams would love that type of information.

  52. SilverWave

    From politicalpenguin,295/

    "Our first avenue of investigation available when trying to hunt down the information on this system should come from the hint on Phorms own website, that this technology is patent pending.

    There are numerous repositories on the net that monitor and collect information on new patents. We also know the name of one of the directors of Phorm, Kent Ertugrul. A quick look around new patents reveals this.

    As far as can be told, it is the only patent registered by Kent Ertugrul and is registered with the US Patent Office.

    A quick look at the overview of the system and it’s title ‘Targeted advertising system and method’ not to mention the inclusion in the system of the use of ISP’s would clearly indicate that this is indeed the system that Phorm are planning to implement through their deal with UK ISP’s.

    I’ll first reproduce the claims of the technology here then do a brief synopsis of what this actually means."

  53. Steven Burn

    @Those recommending TrackMeNot

    For those recommending Firefox + TMN, this will NOT stop them profiling you, nor will it stop them tracking you (I suspect they'll just filter out requests to search engines if enough people start doing this). Identifying fake requests is alot easier than some of you seem to think ;o)

    If you want to stop them tracking/profiling you, use a proxy (i.e. Tor) .... and even then, make sure the traffic is encrypted for the proxy BEFORE it leaves your computer/network (i.e. SSH) .... and HOLY CHOCOLATE CAKES BATMAN - you can use shells other than FireFox with these!!!

    @ the person that mentioned the government petition, ignore it - they'll not give a hoot ....

    Best way to stop them doing this is to vote with your cash and move providers (i.e. to one that IS NOT selling your data). I'm currently with PlusNet, who claim may not be introducing this - which is also false (their RIN customers WILL be affected by this), and I doubt PN themselves will not be going for this themselves as they've been more interested in cash than customers for quite a while now (and I don't mean since being taken over by BT either).

    For those wondering, whether you opt out, use TMN, your provider is a BT "reseller" (e.g. PN, AOHell, Tiscali, TalkTalk etc etc) (by reseller, I mean they still require you have a BT line, so it's obvious they go through BT pipes) - if your traffic is not encrypted before it leaves your end, it's going to go through BT/cable pipes, so it'll be trivial for them to profile you (they've actually been doing this for years - whether or not they previously sold it to third parties is debatable).

    Can you end your contract without penalty if your ISP is using Phorm? yes you can. Your ISP has changed your contract without notifying you first and thus, has broken the contract themselves, thus all you need to do is write to them (ALWAYS put this type of thing in writing), and give them notice of their breach of contract and your subsequent cancelling of such contract.

    A simple;

    "Dear Sir/Madam,

    Due to your introducing Phorm on your network, without giving me prior notice or requiring my written consent, you have breached our contract and thus made it void. I am therefor cancelling my subscription to [ISP NAME] immediately and without penalty."

    I did the same to end my Tiscali and AOL contracts (though this was for a breach of contract, it had nothing to do with their tracking or selling me data or browsing habits).

    Anywho, Top Gear is on ....... so I'm gonna stop rambling and caboot .....

  54. Anonymous Coward

    The Key is in the last sentence

    The last sentence of the BT statement suggest that once people understand the 'benefits' they will be able to make an informed choice about opting out of the service.

    The point is that even if they do opt out they will still have their calls intercepted. It's like "if we change the words we use then the law won;t apply to us!"

    This is typical cockup by someone very senior in the business, they think it;s a good idea, and believe they will be covered with Glory for scoring a few extra pence a month per subscriber.

    "oh Rodney, if only we could sell a pencil to everyone in China"

    Now they are prepared to risk their shareholders money to cover their incompetence.

    Classic ivory tower thinking, "pride, fall, etc..."

    We had a boss like that at Worldcom !!!

  55. VulcanV5


    Please, everyone: sign the petition, and get everyone else you may know -- whether they're BT customers or not -- to do likewise.

    Also: please don't meander off into the world of cookies. The issue at the heart of this is that customers have contracted with BT to provide an Internet service. They have not contracted with some scumbag outfit for that traffic to pass through and be sampled and recorded by China-based computers -- which is what will happen whether the cookie's there or not.

    BT is hoping that because current UK legislation is protective of "personal data" it can side-step the issue by claiming that no personal data is transmitted. Actually, your online habits are unique to you and therefore as personal as your name. The fact that your name isn't in the hands of the dreadful Phorm means nothing -- be interesting to see what happens when Phorm itself gets hacked, as it most surely will after this rumpus.

    As to looking for assistance from the BBC: forget it.

    It seems not to employ real journalists any more and there certainly aren't any in news management. It spent more time covering the Oscars with more staff -- who was that stupid woman saying how wunnerful to be at Elton John's party, oh look, there's Stevie Wonder, Stevie! Stevie! Oh he doesn't appear to have seen me? -- than covering anything that truly mattered that week.

    As to "Watchdog", it thinks it's a branch of show business. And a cookie is nice biscuit from America. Then again, if there's a chance for any BBC journalist to wangle a free trip to America on the back of this, then yes, there'll be some publicity. Perhaps someone should send the Head of News a travel brochure for Delaware.

    Stick with liberal newspapers like The Guardian and Observer. . . but give them something to write about by ensuring the petition becomes a news story in its own right. Thousands, not hundreds, of signatures are needed, so if you're a member of any other online forums, spread the word on there, too.

    * Finally. . . Congratulations to The Register. In an age when journalism is becoming more rare than hen's teeth, how gratifying to find The Register telling the truth and providing a genuine public interest service. Well done, everyone.

  56. Steven Burn


    I meant to add, with regards to;

    [Q]"And got this answer from 'techteam':

    "When you opt out -- or switch the system off, it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm. We should be clear that the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be adverts from the OIX system and they will not be relevant to your browsing.""[/Q]

    This isn't actually true ....... whilst Phorm hardware exists on the ISP's network, the browsing data and everything else going to/from your computer, is passed to the central Phorm servers (located OUTSIDE of the ISP's network).

    Additionally, you may want to mention to them that it's been pointed out time and time again that opted out or not, everything going from/to your computer, is still logged by the Phorm servers (just as it's always been logged by the ISP's servers (contrary to their claims)).

  57. Anonymous Coward
    Black Helicopters

    the spooks will not be happy.

    What would GCHQ make of Phorm? With some of the UK's largest ISP's signing up, the home surfing habits of a large fraction of their employees is about to be analysed inside the jurisdiction of a foreign power. And they're as human as the rest of us. De-anonymization? Guess who'll be working on it.

    Black helicopter, on its way to make a small crater.

  58. Pseudopath

    @ Ben Tasker

    Thank you, just the type of letter I was looking for. And as I'd simply be moving to a reseller I think I might as well blugeon it out with BT.

    Bones - cause pirates don't just do software

  59. alphaxion

    about phorms china server

    Interesting to note that when the rumours of being based in china begun surfacing, the domain info got changed... anyone have any screen caps of the IP they used to use before feb 29th?

    Since both their .com and .net addresses now point to UK based IP's, would be very interesting to see where they used to point to.

  60. peter ashworth

    reported to ofcom

    this sort of thing really annoys me so i have just reported it to ofcom, and the guy i spoke to certainly seemed interested to hear about it, saying it was the first he had heard of it

    now to contact the data protection bunch who have been renamed ICO at

  61. alphaxion

    ceo interview

    techcrunch uk have released a video interview with the CEO of phorm

  62. Anonymous Coward
    Anonymous Coward

    Emailed the Beardy One directly...

    ...don't know if he saw it, but got a "reply" from Virgin Media.

    Posted verbatim...

    Dear Matthew,

    Thanks for your email.

    With the information that you have supplied I am still unable to locate your Virgin Media account on our Customer Services Database.

    Also note that our privacy policy relates to the way that information is stored on our websites and database system. The privacy policy prevents us from displaying or sharing your payment details in full the Virgin Media portal.

    I am sorry if you feel that we are in breach of our privacy policy but I can ensure you that we are adhering to both the privacy policy

    Also note that Virgin Media is a conglomeration of different companies and we deal with only non-cable/ADSL (formerly Broadband connection issues.

    I would request you to contact 0845 840 7777 where one of our representatives will help you with any query that you may have.

    Please visit this link and choose the appropriate the department:

    If you need any further assistance please contact us again, or visit the following address:

    Many Thanks


    Virgin Media Customer Support

    --Original Message--

    From: {email address}

    Date: 3/5/2008 8:59:30 PM


    Subject: Virgin Media - Phorm Deal


    As an existing Virgin Media customer (Account Number XXXXXXXX) I have read with alarm of the proposed tie up between Virgin Media & Phorm. This apparently, somehow, involves the disclosure by Virgin Media, to a third party (Phorm) of my web browsing habit.

    I can find nothing in Virgin Media’s stated privacy policies, terms and

    conditions or service, or indeed anywhere else that permits Virgin Media to

    disclose my browsing habits or indeed any personal information to third

    parties, other than as specifically required by law. To do so, discloses or may

    disclose sensitive personal data and until recently, there were clauses in the

    Acceptable Use Policy which indicated that as my ISP you did not even monitor how I used my services and I have not consented to this change.


    I hereby confirm I do not opt in.

    I also note it might be the intention of Virgin Media and / or Phorm to operate

    an “opt out” system which relies on data placed on a users computer. I am not obliged to retain on my computer any means of storage of information of my preferences, which may be used by others.

    In relation to cookies I do not consent to this. In relation to root-kits, I do

    not consent.

    To the extent that either of these are placed on my computer and cause my

    computer to operate in any way differently, I do not consent to this and to

    place root-kits on my computer (if this is how it is done) is a breach of the

    Computer Misuse Act and a criminal offence of unlawful access to my computer.

    [Please see the Information Commissioner’s Office: Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003, Part 2, section 2.2.

    Thus reliance on a cookie to prevent transmission of my browsing habits to

    Phorm via Virgin Media, or simply to prevent me seeing their served up

    electronic ads breaches these rules.

    I confirm I do not give consent for such a cookie to be placed on my computer.

    I confirm that I do not consent to you having any permission whatsoever to

    amend or control any operations taking pace on my computer.

    For the avoidance of doubt, I do not consent to my browsing habits, or indeed

    any other personal data being disclosed to third parties, or even other Virgin

    Group companies. This applies to any marketing or other purposes that are not directly associated with the supply of the services I have contracted to


    To the extent that any of the URL's contains content, and by inference,

    authentication information within what would otherwise be traffic data this is

    considered to be a breach of RIPA.

    The claim that Phorm get the content of the web pages you see (and therefore your mail if you use webmail) is a breach of RIPA as certain operations on my computers take place in the background and RIPA applies and you are not entitled to have, not do you have my consent to hold authorization codes embedded in my URLs and in the event that you are providing search content direct from my computer to Phorm in parallel with my use as user,then that constitutes an interception as defined in RIPA and a criminal offence.

    Please confirm your receipt of this email and acknowledgment that I have

    exercised my right to opt out as provided for by the Data Protection Act and

    that my data will not be passed to Phorm, whether to be ignored by them or

    processed by them or otherwise.


    Anthony {Surname}


    London {Post Code}

    I would particularly like to draw Register Readers attention to the incorrect name in the reply, no acknowledgment of my refusal of consent and the fact that they do not mention Phorm or this proposed agreement AT ALL. It seems that they possibly know they are breaching laws etc, but are pushing this through anyway because Ofcom, the ICO et all don't have the powers or drive to seriously punish them, and the most of the slack-jawed tracksuit wearing public of the British Isles won't understand this or give a shit.

    Bunch of incompetent fuck-wits, the lot of them.


  63. Dan

    found on the bbc today

    I just found:

  64. Steven Burn

    Just an FYI folks,61201.msg500802.html#msg500802

  65. Stephen Cole

    The BBC/Phorm

    That BBC "article" is really gulping down the Phorm koolaid there...

    The whole tone of the article is more about people being paranoid and "spooked" by our ignorance for not understanding how much better our lives will all be with more internet ads from ISP's SELLING OUR PRIVATE DATA TO A DISREPUTABLE 3RD PARTY.

  66. 3x2

    The BBC "article"

    Is that what passes for journalism on the BBC now?

    It's a cut and paste job from Phorm and BT website blurb. Well there you have it - Phorm say it's OK and the BBC agree. Nothing to see here move along.

    Perhaps Phorm will eventually breach the BBC carbon footprint standards then we'll see some real journalism.

  67. Anonymous Coward

    RE: BBC Article - read my post here!

    I won't cross-post, you can get it here:

    According to their charter, the BBC have to consider every formal complaint. Make sure it is slanted towards their journalistic code (bias, quality) rather than rant about alleged links to Russia etc.

  68. Steve

    re - bt sending spam

    I found a good solution to this; having given bt their own email address (ie. bt@...) whilst a customer, they started spamming it after I'd stop being their customer.

    So, tell them to stop or all future emails automatically forward to their abuse team and their head office will a covering note explaining that they were still sending unwanted emails, before being deleted from the server.

    Every now and then I'd remove the autodelete to see if it was still being spammed, and if so put it back again. It took them several months, but eventually they got the message.

  69. Alexander Hanff

    Emails removing consent to process

    A quick word of advice to everyone using emails to their ISP to remove their consent to process or pass on their data to 3rd parties. Instead of sending email you should really send them a printed letter by registered post. It will cost you about a fiver but they can't deny they have seen it because you can print out the delivery confirmation from RMs website.

  70. Anonymous Coward

    If you really want to get some attention

    Forget the liberal papers for the informed, this story needs to get in to a sensationalist rag like the Sun, sadly that's how you get attention in this country

  71. Anonymous Coward
    Paris Hilton

    Underage browsers

    What about children under 13? If they use their own computer and accidently click to opt in or don't notice the opt out. What are the legalities of tracking what they do online?

    Paris, because thats probably what 13 year old boys are searching for online.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021