Phorm launches data pimping fight back

A week is a long time in internets. Last Friday we all felt like we were shouting at the bins about Phorm and its deals with BT, Virgin Media, and Carphone Warehouse. Now, you can't move for stories about data pimping and the massive change in people's relationship with their ISP Phorm represents, not to mention the new legal …


  1. Anonymous Coward
    Anonymous Coward

    It's not your data

    Look DVLA, it's not your data. Just because companies can make use of that data in a profitable way doesn't mean you have the right to sell the data you are entrusted with. Saying it's for a good cause (parking controls) doesn't make it right.

    Look BT, it's not your data. Just because Phorm can make use of that data in a profitable way doesn't mean you have the right to sell the data you are entrusted with. Saying it's for a good cause (phishing protection) doesn't make it right.

  2. Anonymous Coward
    Anonymous Coward

    So let me try to understand this

    As I read this, the ISP does everything. They make deductions from your browsing habits about your interests, they store these deductions and they put adverts into pages you view accordingly. In essence Phorm merely provides specific pages they are entitled to insert adverts into.

    If that is true I am undecided.

  3. Dave

    Superfluous word here...

    "being bombarded with the amount of irrelevant advertising"

    I think the word irrelevant is irrelevant. I find advertising annoying, full stop. If I want something I'll go plug words into a search engine and browse the results. If I'm doing something else on the net then advertising is just noise. Yes I block ads, targeted or not.

    I wonder what else the bits of kit being added to ISPs' server rooms are capable of in terms of what they capture, save and pass on (and to whom)?

  4. Dam
    Thumb Up

    About less advertising

    Quote from page 4:

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads. Of course, the ISPs benefit too from the additional revenue. That's not evil."

    And just HOW will that reduce the number of ads?

    We'll still have billions of "regular" untargeted ads on websites.

    This means instead of the usual billion, we'll be getting billion+phorm.

    Sorry but I'm not sold on this.

    Furthermore and as Dave points out, it's not *irrelevant* advertising that upsets people, it's just advertising, simple.

    I'm using Adblock and NoScript and I'm nowhere near to disabling them.

    Thanks for answering El Reg's questions to clear things up guys, but even then I'm not sold.

    I don't want advertising, period.

    I know what I want to buy, when, where, and at what price.

    I have a *very limited* list of trusted sites I'll do business with, and an *excessively large* (read: rest of the world) list of untrusted ones.

    Thumb up icon because you guys went open to appease the public.

  5. Anonymous Coward
    Thumb Down

    phorm opt outs

    I must have missed the link. Can someone point me in the direction of the opt out pages?

  6. Charles Fuller
    Thumb Down

    Petition at PM Gov UK

    I haven't seen this mentioned here - there's a petition at the site which expresses the problems rather well.

  7. Chris Miller

    Adverts are not going away

    At least, not until a substantial number of people want to start paying for Internet content. How much would ElReg have to charge for access to its pages if it were unable to raise revenue by including ads on the pages? (And even then it's easy to block many of them.)

    If you want to restrict your Internet browsing to sites where there are no adverts and all content is contributed for free, there's always Wikipedia :)

  8. teacake

    Doesn't add up

    "We have the opportunity to significantly reduce the amount of advertising you see online by making it more relevant and more valuable. People are concerned that there's going to be more advertising. It's not more, it's less. It's demonstrably less."

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads"

    Taken together with the assertion that opted-in people will get targeted ads, and opted-out people will get un-targeted ads in the same space, the two statements above can't both be true.

    Let's assume for a moment that Ertugrul's right. Lots of advertisers take up Phorm ad placements, and find that they can reduce their number of ads as a result. Surely the opted-out people are going to also see fewer ads, it's just that theirs would be random? Unless sites are going to identify non-Phorm visitors and deliberately sprinkle extra ads on them... they wouldn't do that, would they..?

  9. Anonymous Coward
    Anonymous Coward

    They talk crap

    "They can't do that right now. The only thing they can do is disable all cookies, in which case the internet doesn't work, or go to each and every site that drops a cookie on them and say "don't do this". That's like trying to stop 15,000 leaks in the dam. You can't do it."

    Yes you bloody well can. Set Firefox to allow all cookies, but to only keep them until Firefox is closed. The internet "works" perfectly well this way, and you're only tracked until Firefox is closed. When you reopen, you're a whole new user to any website you happen to visit.

    And of course you can easily set exceptions for sites where you do want to maintain a cookie beyond the life of the Firefox session.

  10. Anonymous Coward

    For my own protection...

    I'm with Dave on this. I browse what I want to browse; my web browser is set up to block anything I don't want, therefore anything other than what I tell the browser to go to, or what I search for through Google, Yahoo etc., is blocked.

    Even Ads on El Reg's fine pages, if there is an advert that interests me, I'll make note of it and search for it later. I'm therefore worried that BT, through Phorm, are trying to tell me what I want. They can't even sell me a phoneline/ broadband package without c0cking that up!

    The fact I have to opt out is stupid, this service wasn't something I requested and isn't something I want. I might as well take my ad-blocker off and click on every ad that pops up! I am pleased to report, though, that some of my less computer minded friends have been asking me how they can block it, so at least people are starting to show interest in the normal realms!

  11. Rob Moir


    Even if we assume that the people behind Phorm are honest, not "these slimy people", offering a valuable service, etc then it keeps coming back to a couple of things I just can't see my way past.

    If the service is so valuable, why is it not "fully opt in"? If the service is that valuable then people should be convinced enough to be forming queues already and I'm not seeing that happen.

    Even if we assume good faith and honesty on the part of Phorm, again, surely the risk from their information gathering is always going to be greater than that from not gathering the data at all. A company that was truly worried about end user privacy wouldn't do anything to increase this risk.

  12. Secretgeek
    Paris Hilton


    They look at the webpage you visit and the search terms you use but won't know anything personal about you? Is that the logic they're using? Are they serious?

    'largely eliminating personally identifiable information' !

    'Largely'?! i.e. nearly all, most of, the majority of? That's a long long way from 'All personally identifiable information'.

    The point is they're still looking at your data stream!

    Paris - because they can't be acting that dumb surely?

  13. Man Outraged

    Raises still more questions...

    Spinful... But it does actually clarify their position somewhat in terms of interception and opt-out and actually confirms my fears. The bottom line is consent, not whether we trust Phorm, but whether we consent to allow Phorm access to our data. As a few commentators have pointed out, the DPA seems to give individuals rights to choose not to have our data processed (beyond what's necessary in providing the service). Great question Chris - it's NOT a privacy story per se, it's a question of informed consent and an extremely detailed question about system ownership at the interfaces, what is passed on to systems owned by a third party and whether the opt-out is effective. Another audit please - of the opt-out arrangements! But Chris - where were the questions on interception and RIPA? RIPA possibly requires consent of ALL parties to a transaction. Also the claim not to read form data still means one side of a transaction could be read because e.g. Facebook prints a message thread in clear. But as I said, the most worrying part is the fact that data is passing to a third party. We may trust Phorm, but once the precedent is set and rival companies enter the market, where do you draw the line? What safeguards are in place to make sure the people working on the software aren't up to mischief? Malicious back doors, simple coding errors or unauthorised features beyond the scope of the consent. I DON'T LIKE IT AT ALL.

  14. Anonymous Coward
    Thumb Down

    I call bullshit!

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads."

    The way I understand it a site like the Guardian Online sticks one or more Phorm powered ad-spaces on a page, the ad in that ad-space is served from Phorm's servers. If you have the Phorm cookie you are served a 'tailored' ad in that ad space. If not you (I'd assume) get an ad tailored to the site rather than the user in that ad-space.

    So how are we going to get bombarded by more ads if we turn the Phorm cookie off? Can the site in question sense the cookie is not there, re-format the page (or serve more ads in more ad-spaces) if you are not?

    The only obvious way I can see this happening is if Phorm actively try to make the non-submissive user's experience 'crappy' by, for example, launching a whole load of pop-ups from code in the Phorm-driven ad-spaces trying to sell you any old crap (which can be quite lucrative in itself) along with the odd popup saying "this wouldn't happen if you did what you were told and enabled that cookie".

    So that statement is either FUD or a protection-racket style threat, either way it's not a good indicator of a trustworthy company.

    In any case I simply don't care how trustworthy Phorm SAY they are. I simply do not want anyone monitoring my browsing and would not sign-up for an ISP that allowed it. I would seriously consider boycotting sites that took advantage of such a system too. At least you can block/refuse doubleclick cookies - with this you have no choice; Phorm get to see all your browsing whether you like it or not - you just have to trust them not to abuse it and I'm damned if I will trust a company that does not offer a *complete* opt-out of such a system where no monitoring at all occurs if you opt-out.

    On a final note..

    "Our [non-executive] chairman is the former chairman of Microsoft UK [David Dornan]. There's nothing shady"

    Ah, that's OK then because Microsoft are a paragon of transparent, open and fair business practices?

  15. Steve

    Data categorising

    I'm sorry Phorm/BT/Virgin,

    I do not see how you can suddenly decide to start reading the streams of data that you're not allowed to read, for any purpose.

    This is disgusting!

    The only even slightly palatable way to handle this is to have, at an account level, an ON/OFF option. If that account connects from any computer, the option applies.

    All this playing with cookies nonsense means an excuse to read the data due to "user error".

    Requiring the cookie to turn this off means people will:

    1) No longer be able to block cookies for safety as yours will be needed

    2) When clearing any cookies that were required (happens sometimes) they may delete your "opt out" cookie. That would mean they're opted in again.

    I'm up for contacting ofcom as often as needed until this is squashed... anyone else?

  16. Richard Read

    Several points

    1) Even if you opt out your datastream interacts with the Phorm system. This, alone, is enough for me to oppose what is being planned. Opt out should mean fully out. Phorm's comment that their system will degrade everyone's browsing equally, regardless of whether they opt in or out, is not reassuring.

    2) This isn't going to reduce the number of ads that I see because I already use ad-blocking technology that cuts out virtually all adverts. This is technology that I chose, that I control and that does not expose me to potential privacy breaches. I can even examine its source code if I wish. How can Phorm's offering be better?

    3) With ISPs desperate for revenue we all know that they are going to force this on us in the end. Sure, it's all touchy-feely in the beginning but those who don't take the carrot will get the stick, probably in the form of higher prices or more restrictive ISP contracts.

    4) The whole track of more relevant ads is laughable. There is no such thing as a relevant unsolicited advert. If I want to buy something then I can research products on my own. If I don't want to buy something then no amount of ramming adverts down my throat is going to change my mind. If websites need revenue then why don't they offer a no-ads/subscription option? Where available I take this option.

  17. James
    Thumb Down


    Chalk up another user who ignores advertising. Even when it gets past Adblock, which is rare, I mentally edit it out. I will never buy things from adverts in the same way I will never buy anything from people who cold call me. I want something, I'll look for it or ask someone to recommend somewhere to get it. Personal recommendation and reputation have vastly more weight than an online ad, targeted or otherwise.

    The one thing I wanted to see in this interview, which there was a conspicuous lack of, was the legal standing of the process. First off, they do not have my permission to intercept my internet traffic (RIPA). Secondly, despite what they say, they *will* be processing personally identifiable data. Even if they throw it away as they claim, they still have to process it in order to decide what to throw away and thus fall foul of the DPA since they do not have my permission to process my personal data.

    Any lawyers want to comment/find fault with my interpretation?

  18. Chris Phillips

    mo' money, mo' adverts

    I certainly see a logic where a given financial return for an advertiser can be obtained by a fewer number of better placed adverts, but logic then follows that they would make even more profit by even more well targeted adverts. With a given volume of ads being sent to a potential customer per page there's clearly going to be contention for that volume, so surely that volume would creep back up, and a "responsible" level of advertising would again be dropped in favour of whatever level of user experience will be tolerated before they go elsewhere.

  19. Anonymous Coward
    Anonymous Coward

    Leave it alone

    I for one like the rich and diverse experience I get at the moment. The ads and links on websites are varied and I visit many pages I wouldn't normally go to.

    If all the ads were about technology and sport I would lose that diversity - I already know I like these things and have bookmarks to my favourite sites all over the place.

    I like the diversity of advertising, I like the different things I see. It adds to my experience and knowledge.

    Clear of Phorm - I don't want you


  20. Colin Jones
    Thumb Down


    1) opt-out via cookie is unacceptable. Some devices/programs I use that access port 80 don't have the ability to store cookies.

    2) Even when opted-out, your browsing is mirrored to the profiler. This causes 2 problems in my eyes: (i) what's the point of an opt-out in the first place? (I use ad blocking plugins) and (ii) at the very least it's a transparent proxy, and that brings up a whole new set of problems we've only just got rid of.

    I don't want it, don't need it and will take my ISP to court over section 11 of the DPA if it's implemented on my connection. I have sent that in writing via registered post to the data controller of my ISP.

  21. Andy ORourke
    Black Helicopters

    I'm Reassured

    "When you actually poll people and you say to them "what are the things that irritate you most about the internet?" they'll say two things: being bombarded with the amount of irrelevant advertising, and online dangers."

    Being bombarded by irrelevant advertising, now Phorm want to do that with targeted ads?

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads. Of course, the ISPs benefit too from the additional revenue. That's not evil."

    This seems like some kind of threat, I wonder if they are working on a secret system to inject crappy ads to all those who opt out?

    I know this all sounds too paranoid but I go to great lengths to protect my privacy, blocking ads, blocking scripts and using my hosts file. I really do not want my habits monitored that closely. I would "opt out" of my ISP (BT) but they recently offered me a promotion to reduce my monthly fee if I signed up for 12 months longer, no mention of Phorm in all this...

    Call me paranoid but if I want to search for something I'll do just that, I don't need someone telling me what they think I want to see.

  22. Elmer Phud

    In or out -- does it make a difference?

    "What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us."

    So, does that mean that the data is collected anyway - whether you opt out or not and somehow the data fairies don't look at it, just turn the other way?

    It sounds like they've set things up and are trying to say that they don't control it?

    As the man says - it's all about money from advertising, the holy grail of lazy bastards who would pimp their grannies if the revenue stream was right.

  23. Anonymous Coward

    MY data belongs to ME, my ISP has no right to sell it!

    Royal Mail are not allowed to open my mail, analyse the contents and sell their conclusions; it's MY MAIL!

    My telecom provider is not allowed to tap my phone-line, monitor my conversations and sell their conclusions; it's MY CONVERSATION!

    My ISP should never be allowed to intercept my data, analyse the information and sell their conclusions; it's MY DATA!

    These companies are paid for their services, to transport/transfer information on my behalf. The information itself BELONGS TO ME.

  24. Graham Wood

    Flaw in the logic

    The more links you have in a chain, the more attack vectors there are - this is one of the most simple things to comprehend, and Phorm's "team" seem unaware of it. Looking at it as simplistically as possible, you've now got 2 environments that your data flows through instead of 1 (phorm + ISP routing, rather than just the ISP's routing). Simple statistics means that this is less secure (attack chance(ISP) + attack chance(Phorm) CANNOT be less than attack chance(ISP)). They're either so stupid they can't understand this, or they're intentionally misinforming people - I'm not sure which of those possibilities worries me more.

    We've also got the phorm environment in all ISPs (instead of the ISPs having different setups) which means the attack vector is now a standard one instead of ISP specific. Yes, it's a subtle distinction, but it's an important one. Someone finding a vuln in Phorm (especially if it's client side) could subvert every single ISP that is using it, rather than just the one.

    They've happily admitted the data is flowing through their systems regardless of opt in / opt out... Which is so dodgy it's not true... If someone hacks phorm then even if you're opted out, your data is made available to them.

    Let's put that last one into "real terms". If I send an email to my mother (EVEN if I've opted out) saying that I'm going to be away from home for a week, and asking her to feed the cats - this has gone through Phorm. If I also place an Ocado order, then my address has gone through Phorm as well. Most webmail systems use https only for sign in, and Ocado only uses https for sign in & payment - the rest goes through in clear text. Therefore my ISP has just given (without my permission) my address and my holiday plans to some random person that now knows when to raid my house. Thanks, ISP/Phorm, my insurance claim will be sent to you shortly.

  25. Nick Pettefar

    The Internet is not free

    It seems to me that "free" web services, such as Yahoo! and Google Groups, are paid for by the people that don't block the adverts and actually respond to them, so that the advertisers carry on paying for the adverts and therefore the "free" service. If blocking adverts was very easy (i.e. my mother could do it) or advertisers were stopped from advertising, no "free" services would exist any more. Is this what we want, a kind of BBC Internet with a licence fee?

    I am a moderator on a charity's Yahoo! group (Freecycle) that simply would not exist if we had to pay for the service. I also use Google Mail and subscribe to e-mail lists from other groups, all "free", so if the advertisers stopped putting their money where their mouth is I would have to personally pay for e-mail and subscriptions to my "clubs".

    We are right to keep a close watch on the advertisers and their ilk but stopping them from doing their business would end us up in a different cyber-universe. Is that what we want, if it could be achieved?

  26. Anonymous Coward

    This is layer 7 redirection, make no mistake, they get everything.

    You only have Phorm's word that they discard personal info, the layer 7 redirection gives them everything.

    If they discard it today, who's to say they don't change their minds down the road.

    What happens when their kit is hacked and all the nice data is piped into a private IRC channel?

    This is interception of everything that goes down your ADSL/Cable line. Only appears to be HTTP today, what about SMTP, all your personal correspondence and files transmitted as 7 or 8bit encoded text, just waiting to be parsed for what they call key words!

    The Google diversion has some credence, but you have to visit them *directly* (or via a toolbar; you didn't install that did you...), type the words in the box and press a button.

  27. Anonymous Coward

    Nothing to steal

    They seem very relaxed about their security since they have nothing worth stealing. I take it they did not consider the possibility someone might use their wonderful new spyware, er I mean adware system to spread malware to users?

    But then... I guess that's what it's designed for anyway.

  28. Anonymous Coward

    RE: It's not your data

    Too right. I could make a great deal of money with other people's credit card details - sure as hell doesn't make it right to sell that information to me, or for me to make use of it.

  29. Sam

    Re BT not getting back to The Reg

    Is there some way we can legally force an answer out of them?

  30. Anonymous Coward

    Something missing

    There is something missing from that explanation.

    If the channel selection is based on the data digest which is then discarded, it's not much of a targeting system. The ads are effectively page specific. However, the design seems more able to build a profile from all the pages visited by a specific cookie, then whatever pages you're visiting you will get targeted ads. E.g. if you spend half an hour looking at "fast car" web sites and then check the weather, are you going to get ads for umbrellas or cars? Then first thing the next morning when you check the Guardian headlines (suicide bombs in Palestine, Iraq and Afghanistan) are you going to get insurance ads or car ads?

    They should tell us what is stored in the cookie.

    Re the reduced ad thing. Sounds like marketing speak. If successful their system will be charging advertisers more per ad; since advertisers are getting fewer ads for their money, fewer ads will end up being displayed on sites affiliated with this system. Other websites affiliated with other ad networks will get more ads for the same money, so more ads for you. Question deflected without reference to absolute numbers of ads or how they will cope with an influx of advertisers if their system is successful.

  31. Hayden Clark

    Government spying by proxy

    Sorry to be so tinfoil-hat mode, but that's where we are with this. It doesn't matter how Phorm claim to anonymise the data, or where they store it, or what T&C and privacy policy they have, some Government organisation (US or UK) or large corporation will simply subpoena them for their logs.

    First - "tell us which IP addresses accessed this paedophilia site"

    Then - "tell us which IP addresses accessed this terror site"

    And then finally, the real point of this..."tell us which IP addresses accessed mininova.com/"

    I bet the RIAA can't wait!

  32. NRT

    It all comes down to trust.

    They provide me with targeted adverts. So what, I block them.

    They provide me with an anti phishing service. I already have one.

    So for no benefit to me they ask me to trust that they don't store any of the data that passes through their servers. From what others have discovered about their activities in their previous incarnation I can see no good reason to do so.


  33. Anonymous Coward
    Anonymous Coward

    So, they don't store data?

    If Phorm don't store data, what is that cookie on my PC? They are using the largest storage area network on the planet.

  34. Alex
    Thumb Down


    In negotiations currently with BT Retail to move away from their broadband network, this is not what I signed up for on the T&C's and the fact that they ran it without my consent is a disgusting abuse of their position of responsibility & trust. I am strongly considering legal action. (BT have stated to me that they have to revise their T&C's on the launch of Phorm's service)

    It will be interesting to see if this ISP based adware (since when was adware ever a good thing?) takes off. I am more than happy to sit with an ISP which allows the website or the website's chosen provider to deliver the adverts rather than allow my ISP to decide a portion of my online viewing.

    again for the record: DO NOT WANT

  35. Mike

    My View

    There are some positive points here, more than I was expecting by far. But as far as I'm concerned, if my web browser makes a request, any packets related to that request should go direct to the destination; no information other than that required to route the packet correctly (destination IP, TTL) should be read by ANY intervening party (even ISP web caches are included here). This should be the same principle used for ANY protocol, and ensures an open and free internet. If the ISPs can't afford to provide the service they are providing they should up their subscription fees, not sell data contained in packets they should not be looking at on to third parties.

    It might just be web pages now, but what if they started reading POP3 traffic? Even with the privacy guards they have in place, which do sound quite good, it would be a negligible task to redirect the first receive a client makes, and deliver a targeted spam email.

    If we start giving away our freedom on the web then other protocols would follow, it's only logical. This cannot be allowed to happen. The fact that a browser has to make two requests is very likely to slow down the end user experience. There shouldn't be a requirement to opt out with a cookie.

    However, I applaud Phorm for being open about this. I expect that I'll just end up one of a hardcore of users that feel this way and want to have nothing whatsoever to do with the service. For this reason I urge Phorm to be open and disclose the following details:

    Any IP address ranges associated with the Phorm service that users being tracked would normally connect to, either at Phorm or at the ISP directly, with the view that this hardcore of users would like to block the service at our routers, not by using a cookie.

    I'd also like to see a discussion on what / how the above would work (I'm assuming it would), and the advantages / disadvantages compared to doing it at the cookie level, published on your site, so that less technical users can make an informed decision.

  36. Anonymous Coward
    Anonymous Coward


    OK, so assuming I've understood the interview correctly I'm less concerned about this issue than I was following the initial stories, assuming that it produces enough extra revenue to fund improvements in the service or cost savings to the consumer to actually justify it. The discussion on channels was interesting, specifically the lack of channels on adult or medical subjects. I would like to know whether the following questions could be answered:

    would these channels possibly be added at a later date? The US seems to have a very big advertising budget for drugs so it would seem like a lucrative market to tap into. Are there any assurances on this, and would the ISP be obliged to inform their customers in any changes on the channel restrictions?

    Who owns the servers involved in indexing my browsing? And who is responsible for updating or changing the software that runs on it? Can they be changed without my ISPs knowledge?

    You say you have passed an audit by E&Y; that can only be true for the current algorithm. Will any future algorithm also be audited?

  37. Martin Kirk

    No, No, No!

    Like several others here, I use AdBlock and NoScript to virtually eliminate ads from all the web pages I visit. The 30-second skip button is the most worn button on my TiVo remote. As far as I am concerned there is no such thing as a relevant ad. IMHO the Internet actually makes advertising unnecessary. If I want to buy something, I can research it easily, so why bother looking at ads?

    I agree with the other commenters, the ISPs and Phorm are seeking to make money out of information that they have no right to use. Others have articulated the arguments why, so there is no need to repeat them.

    I suspect that the only way to stop this is by legislation making it illegal to sell personal information, even when anonymised. This has to apply to Government agencies as well, e.g. DVLA. This way we can kill off the whole junk paper mail/junk calls business in one go.

  38. Slaine
    Paris Hilton

    Tinternet is not free

    I pay numerous businesses for the computer parts required to build and update my PCs. I pay my 'leccie bill to power the systems. I pay BT for a phone line JUST so I can have broadband (I use a mobile for all telephone calls). I pay my ISP for the broadband connection.

    I PAY for MY stream of data, I pay for its delivery and subsequent storage - it's MINE, Aaaaaalllllll miiiiiiine (cue (wo)maniacal laughter).

    I do not want to see adverts at all. I hate popups, I hate rollups, I hate scrollovers. I don't give a flying fig if they are targeted or not. I am trying to read what is on the page and I NEVER click the link - for that way phishing tales lie. I used to...

    I used to leave long flaming emails on the "contact us" links regarding the fact that I actively avoid all companies and products that I see being heavily advertised, but naturally, to no avail. It's a bit like a Chinese meal though - very satisfying at the time but 10 minutes later you want to do it all over again.

    What we have is a subconscious encouragement to perform the most dangerous Tinternet practice known to hu(wo)mankind - the act of trusting spurious claims and clicking on unknown links.

    Icon - because I'd trust her with my nads before I'd trust 121media with a picture of them.

  39. StillNoCouch

    CW for Prez

    "It's important to understand the distinction between actually recording stuff and concluding stuff ..."

    So if I sneak into your room behind your back and read your diary, that's not an invasion of privacy -- unless I xerox it ?

    WTF ??? (ergo the Stop Sign)


    Good Job on this story Chris & El Reg !

  40. Man Outraged


    Yes, I know he says the profiler is operated by BT but, according to the DPA, opt-out means:

    Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

    Basically that means if the data is personal, it should not be processed without consent? IANAL but WE NEED ONE!!

  41. Glenn Gilbert
    Paris Hilton

    Time for a peer-to-peer HTTP?

    We've enough problems with the government spying on everything we do without this bunch of clowns adding to our paranoia.

    Maybe it's time for an encrypted peer-to-peer HTTP protocol to be developed. At least that way the marketards (and governments) won't be able to use the data.

    The good thing about HTTP is it's simple to block advertising and other crap. We need a campaign to educate the vast numbers of oiks into turning off all these adverts. Still, all the time they're running IE adverts are the least of their worries.

    Paris as it can only be someone like her who could dream up such a scheme.

  42. Dave

    Opting Out

    Surely the fact that we've opted out (or rather, chosen not to opt in) to receiving advertising ought to be of great benefit to the advertisers who don't have to pay to have their ads delivered to unreceptive victims. A bit like the mailing preference service where most companies are happy to take you off the list because it's cheaper for them if they know you're not going to be persuaded to buy something.

  43. Steve

    And the less scrupulous websites?

    If I understand this, Phorm and the ISP claim they aren't compromising personal data because they don't keep it. Instead they store it in a cookie on your browser, so you're keeping it.

    So what's to stop some less scrupulous websites from tracking your IP address, etc. and the contents of your Phorm cookie, and using the data Phorm collect to build up a profile of you that *does* identify you?

    I like the post office analogy. This is just like employing someone in the sorting office to open every letter, read the contents to see what you're talking about, and pop in a couple of advertising flyers that 'might be of interest' before resealing the envelope and sending it on. Personal data may only reside in memory and never be stored, but how many people would tolerate it anyway? Doesn't interfering with the Royal Mail still carry a lengthy jail sentence? What a pity BT aren't still 'part of the Post Office'...

  44. Anonymous Coward

    Hang on, not even in doubt, clearly illegal without consent.

    So all our data is mirrored to the profiler - it is this data stream that is the security risk. It doesn't matter whether the profiler is operated by the ISP, or Phorm, or somebody else, that is OUR browsing data being streamed off elsewhere, and we have no means of preventing it, or auditing what is done to it, or by whom. This cannot be legal, this is a simple wiretap. All the stuff about advertising streams, targeting and non-storage is an irrelevant smokescreen in this context. Interestingly I would consider it to be the ISP that would be breaking the law here, not Phorm. Unless of course they obtain our consent, back to the opt-out v opt-in argument.

    Great interview BTW, looks to me like they are desperately trying to hold their business model together in the face of mounting opposition. And as you say, just wait until the US public wakes up to this...

  45. Paul Barnfather

    Alarm bells...

    Full webpage data *apparently is* stored, despite the denials above.

    From last night's Webwise chat with Kent:

    [Archived here:]

    "MBurgess: Pages are not tagged (or modified), and the keyword analysis process is offline so it can't affect response times.

    narcosis: If the keyword analysis process is offline then in order to scan for keywords would you not have to have a copy of webpage in order to analyze it offline ?

    MBurgess: Yes, a mirrored copy is analyzed."

    How long is the mirrored copy kept? How is it deleted? This isn't just headers - this is a full grab of all web traffic *before* it's profiled and categorised.

  46. adnim

    Many actually pay to see ads

    Unless one has an uncapped service with truly unlimited downloads, one pays for every advert delivered. Each advert eats away at that monthly download allowance.

    Just about every other valid point has been covered by the astute Register readership. Not much more I can say. What I will say is that as an untypical non-consumer ALL advertising to me is an irrelevant and pointless waste of web page space and bandwidth. I tend to purchase things I need rather than things I want. I learned a long time ago that things I merely want are discarded in a short space of time. No amount of advertising is going to entice me to buy an iPhone, visit a gambling site, or jump on the latest fashion accessory bandwagon. I certainly will not have any marketeers telling me what I need to have to be someone. I am just not that shallow nor insecure.

    As for cookies, these, as are adverts and scripts, are easy to control; check out the Firefox addon cookie safe.

    Happy ad, cookie and script free browsing to you all.

  47. John Edwards
    Paris Hilton

    I don't trust Phorm. Why should I?

    I pay my ISP. If they want to sell MY data they can contact me to try to work out a deal. However the picture is a giveaway. It is obviously the evil Catbert who is controlling Kent Ertugrul.

    Paris whose ideas are much more sensible than Phorm's.

  48. Man Outraged

    ISPs haven't been in touch because...

    Phorm are the scapegoats. Yes we'll sign a deal with you but you're out there on your own to win over the great unwashed pizza-munching technorati masses.

    Maybe this raises serious questions about what ISPs are already up to?:

    At least the less-informed press have got their headlines right, if not a slightly comical factual error about Simon Davies (for the followers of yesterday's Biased Breaking C_ news)

    BT selling customers' browsing histories

    (And google news have picked it up - great!)

  49. Red Bren
    Black Helicopters

    Comparing Phorm with phone tapping

    Could it be possible for your phone provider to listen in to your conversations and record the use of certain key words, so that when you hang up, a third party that sells something that you mentioned would automatically be connected? Could this be spun as a service by the telco if they promised you would never receive any other cold calls?

    Would it be legal? If so, can I patent it? If not, why are ISPs & Phorm allowed to do effectively the same thing?

  50. Anonymous Coward
    Thumb Down

    Still intercepting the data...

    So let's say that we trust them when they say they don't store personal information, which as stated above is still dubious with the 'largely eliminating personally identifiable information' reference; the fact is they are still intercepting your traffic, even if you opt out.

    I am sure that someone has posted a snippet from RIPA that says that at least one party needs to agree for the traffic to be intercepted (it's in the comments somewhere). If you opt out and they still intercept the traffic surely that is against the user's consent and in contravention of RIPA? The fact that they say they are not processing that information is irrelevant?

  51. system

    Nothing to hide

    So why 3 different names? Changing the name of your company with every new project is not the general behaviour of an above-board business.

    To pick just one thing from the entire article:

    "Because of a peculiarity of the tokenisation, numbers three digits or shorter aren't collected anyway, they're too short so there's no numbers at all."

    So, their tokeniser has a "peculiarity" which stops them tokenising any string of digits less than 4 digits in length? And we are supposed to place faith in their code? If they cannot even tokenise strings properly, how are we supposed to take their word that this is secure?

    They then want us all to believe that because their tokeniser cannot handle the number 123 that there are no numbers collected. If their tokeniser can handle the number 123456, then it is collected. In a badly designed e-commerce system, a site owner using BT/virgin as their ISP will be putting 16-20 digit numbers into the phorm systems while reviewing orders. Either the ISP or phorm just processed the personal credit card data of a 3rd party who has no contract with either. Whether they discard the information or not, they processed it.

    Another thing that may be worth considering is where copyright law stands on this. Although infosoc specifically exempts transmission in a network, what they are doing is creating a second copy outside of the transmission and then processing it for commercial purposes. I don't know whether that is legal or not, but it'd be interesting to find out.
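    The tokeniser gap the comment above describes, as an added example (not Phorm's, BT's or the page's own code): a model of the "digit tokens of three characters or fewer are dropped" rule beside a filter that redacts Luhn-valid card-shaped numbers before anything else is processed. The tokeniser, the threshold, the sample order-review page and the function names are all assumptions constructed here; nothing is known about the real implementation.

```python
"""
Constructed model of a "short digit tokens aren't collected" rule, shown next
to a DLP-style redaction step. Nothing here is from Phorm or BT; the
tokeniser, the threshold and the sample text are assumptions for illustration.
"""
import re

# Constructed sample of what a merchant's order-review page might carry over
# plain HTTP: an order id, a price, a spaced 16-digit card number, a CVV.
SAMPLE_PAGE = (
    "Order 48213 review: total 199 GBP, card 4539 1488 0343 6467, "
    "exp 12/09, CVV 123, delivery to postcode W1B 5TR"
)


def tokenise(text):
    """Split into simple alphanumeric tokens (assumed tokeniser)."""
    return re.findall(r"[A-Za-z0-9]+", text)


def naive_digest(text):
    """Model of the rule quoted in the comment: drop digit-only tokens of
    three characters or fewer and keep everything else. A 16-digit number
    sails through, and a card number written with spaces arrives as four
    4-digit tokens, every one of which is kept too."""
    return [t for t in tokenise(text) if not (t.isdigit() and len(t) <= 3)]


def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally grouped by spaces or hyphens: the PAN shapes a
# redaction filter must catch before deciding anything is "safe to process".
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text):
    """Replace every Luhn-valid card-shaped number with a placeholder.
    Returns (redacted_text, number_of_redactions)."""
    count = 0

    def _sub(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            count += 1
            return "[PAN-REDACTED]"
        return match.group(0)   # long but not Luhn-valid: leave it alone

    return PAN_PATTERN.sub(_sub, text), count


def hardened_digest(text):
    """Redact PANs first, then apply the same short-token rule."""
    redacted, _ = redact_pans(text)
    return naive_digest(redacted)


if __name__ == "__main__":
    print("naive:   ", naive_digest(SAMPLE_PAGE))      # card digits survive
    print("hardened:", hardened_digest(SAMPLE_PAGE))   # card digits removed
```

The short-token rule removes the price and the CVV but keeps every group of the card number; the hardened path removes the card number and leaves the rest of the digest unchanged.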

  52. Anonymous Coward

    Evil Scum

    Does that sum them up? (not nearly..)

    1 Point: 'Google stores everything you search' Yes but only if you use google.

    see that, its called choice.

    Now if we can convince the animal rights nutters that phorm is a rebrand of pharm and are close to HLS then they'll get what they deserve.

  53. Parax

    Supermarket Model

    If you ask me this is akin to supermarkets tapping your phone calls, when you happen to say 'hill of beans' in a random phone call the next day a 5p off Beans voucher hits your doormat.

    but it's ok, the drones listening are cheap foreign labourers, they don't care what you say, so it doesn't matter that they're listening, just forget about them....

    This is very bad!

    When I use the phone I don't want people listening; when I use the ATM I don't want people interfering; when I change the TV channel I don't want people peeking through my letterbox to see what I'm watching; and when I use the Internet I don't want people snooping.


    That comparison to Google is lame, I choose to use Google. NOT PHORM. >:o(

  54. Anonymous Coward
    Paris Hilton

    Imagine ...

    "Most websites don't make any money. but imagine you were able to show your audience an ad based on anything they've done on the internet."

    Imagine indeed ... and imagine how are they going to do that without storing the habits of surfers ?

    It looks like any "we don't store your data" will disappear as soon as they have their technology in place and adopted.

    Paris : To reflect the tunnelling aspect of Phorm.

  55. Anonymous Coward
    Anonymous Coward

    Talk about taking the Piss.


    2nd Floor

    Liberty House

    222 Regent Street

    London W1B 5TR

    +44 (0) 207 297 2067

    Liberty House? They Taking the Piss?

    damn them for being above bricking height.

  56. Andrew Radley

    But what if

    I used to work for an organisation that was looking to offer an anti-malware and parental control service, embedded into ISP networks. The thing is that the technology to do this must look at the browsing content, otherwise you cannot detect malware, nor prevent customers going to websites they had requested be blocked.

    Now, this was an entirely opt-in service and was also going to be chargeable (so was completely transparent) and was also completely tailorable on a per-subscriber basis.

    Now, given that the outcome of the service is significantly different to that of Phorm, would the readers of El-Reg feel any different about it?

  57. Man Outraged

    Phorm does not...

    ... Analyze the contents of email websites. How do they know the URL of EVERY email website, including company and hobbyist servers?

  58. Patrick Shaw
    Thumb Up

    Privacy or ad resistance?

    Great article from the Reg - one of the best.

    Anyway, with regard to the argument, it depends whether it's about data privacy or getting ads in the first place. Some people genuinely seem to think they should have a completely clean, free internet experience. You either pay more for services, or put up with ads. I'd personally rather have more targeted ads.

    So then the argument is about data privacy. Are Phorm doing anything worse with data than Yahoo or Google? I don't know. And I don't know if that makes it right. At least the Reg has managed to uncover a bit about how it works, unlike Google, whose 'don't be evil' mantra is becoming an empty slogan.

  59. Anonymous Coward

    Random URL generators..

    So what would happen if we all took to running a script when we aren't actually surfing that just hammers out random page urls (from real sites).

    All of those pages would have to be filtered and profiled on the ISPs profile servers.. so how long before they turned up their toes and died. The idea of an ISPs customers actually carrying out a DDOS attack on their own ISPs servers does have a wonderful anarchistic twist to it.

  60. Lyndon Hills
    Thumb Up

    privacy loss get over it

    Do you all think that your ISP has never ever done any form of packet inspection? All your data that passes over their network unencrypted is subject to being abused right now and always has been. All it would take is a nosy admin with a packet sniffer or browsing through your mail box. While I have an efficient ad-blocking strategy, I don't think this is that big of a deal. Less 'intrusive' than Google to my mind. Good interview.

  61. Jonathan

    More lies...

    Quote: MB, this article

    MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.

    Quote: MB,

    TheObserver: So if you opt out your data never touches a Phorm server? This is at odds with much coverage, which suggests the data still goes to your server but you discard it if the opt-out cookie is present.

    MBurgess: Yes. There is widespread misunderstanding of how the system works, which is why we are keen to set the record straight...

    He contradicts himself, saying in this article that your data does in fact always touch Phorm, and then in another, that it only does if you opt in. Which is it?

    Myself, with the way these guys have been acting, I'm inclined to believe that the worse of the two cases, ie that your packets always get intercepted by Phorm, is true.

    Perhaps Phorm doesn't understand that, in many people's eyes, Adware is only one step above malware. I don't care what it's there for, I care that it shouldn't be there, it intercepts private data.

    It's funny how on BT's website, they try to bury the bad news that your every browsing move and search term will be monitored, by harping on the anti-phishing protection. Gee, funny that, perhaps the general public isn't crazy about excessive adverts and privacy intrusions, fancy that. They already know the public won't be crazy about the idea, yet they go ahead, and even worse, they lie about it, and get caught.

    This makes me think that the next time I shop for a new ISP, I'll be looking for one that is fast, has as little downtime as possible, and has a declaration stating that they do not and will never have any dealings with Phorm or any of its affiliates, or any similar schemes which aim to intercept or in any way monitor my browsing.

    Oh, and if we use targeted advertising, we will see less adverts? What is he on? Less adverts means less possible revenue - why would you remove adverts? You can have more targeted adverts. This will only lead to a very slippery slope, and makes me glad that I exclusively use Firefox with Adblock Plus installed.

  62. Anonymous Coward


    "ok so assuming I've understood the interview correctly I'm less concerned about this issue than I was following the initial stories, assuming that it produces enough extra revenue to fund improvements in the service or cost savings to the consumer to actually justify it."


    Mark, GROW UP!

    This is about profits, pure and simple.



    We know the intraweb isn't free. I look at my VM statement every month and see £££ that I am PAYING for my connection. VM do NOT provide this connection without charge. They are being paid for their service; if they change the service without my explicit consent then they have broken our contract.



    At times I need to access my work email via webmail. All of these pages would go through Phorm's servers. Where are these servers? China I believe. If this is correct then Phorm is taking my personal data out of the EU into an area which does not have equivalent data protection laws.


    @Man Outraged

    I would go further the DPA says that opt out means that data should NOT BE PROCESSED. It doesn't mean that it is processed and the results discarded. Not processed means leave the fscking stuff alone.


    My cookies will be limited to those I want, not those that Phorm want to impose on me.

    I do not want my granddaughter to see any ads based on my web browsing (she won't understand my fascination with hot, slinky, computer components) and I DEFINITELY do not want any Barbie based adverts.

    This idea is just another way to increase the profits going into the corporate coffers.

  63. Anonymous Coward
    Anonymous Coward

    Consider the following scenario

    Consider the following scenario.

    1. Person A starts a web browser.

    2. Person A attempts to start browsing.

    3. The first page person A requests is hijacked and replaced by the Webwise page asking them whether they consent to Phorm monitoring their web browsing.

    4. Person A decides to allow Phorm to monitor their web browsing.

    5. A non-persistent (session) cookie is sent to the web browser showing that person A has consented.

    6. The presence of this session cookie means that future web pages are not replaced by the Webwise consent page.

    7. Person A walks away from the computer without locking it, logging out or switching accounts and without closing their browsing session by closing all the browser windows.

    8. Person B comes to the computer.

    9. Person B starts browsing the web using the open web browser windows.

    10. Person B is not presented with a Webwise consent page.

    11. Phorm monitors person B’s web browsing without obtaining their consent.

    12. Under RIPA, a criminal offence has now been committed.

    Phorm cannot rely on the behaviour of users to avoid themselves committing a criminal act.

    Yes, Kent, I’m afraid I do think you’re slimy. You’re trying to ram something down our throats that’s still defective. If you could run your anonymiser/profiler on-line rather than off-line and if whole Internet accounts could be opted out rather than just session by session, then we’d be moving towards an acceptable system.

  64. Pat

    Opted out v opted in

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads."

    Two things there. He says we'll see less ads because better targeted ones will raise more money. So now websites are going to have to be formatted in two versions - opt-in formats with few placeholders for ads, and opt-out ones with the normal layout. Doesn't sound likely.

    And, as an advertising dude, he has no grasp of what people who don't like ads really don't like about them. I don't like how they try to worm their grubby little motives into my mind. The less relevant they are, the easier it is for me to ignore them. If I'm researching cars, I want ads for wormaria and athlete's foot cream, NOT cars.

    AdblockPlus anyway, didn't realise we still had internet advertising.

  65. Anonymous Coward

    @ Lyndon Hills

    Your ISP is allowed to 'see' your data, for example in order to monitor or fix broken equipment. But they are not allowed to profit from it financially or disclose it to non-law-enforcement third parties without your consent.

  66. Alexander

    paint it any way you like, but it is time to fight back by any means !!!!

    This is the thin end of the wedge,

    What if BT started monitoring my phone calls so they could keep a recorded record of all my calls and then sold the information about who i had phoned.

    What if as others have said if the royal mail started keeping copies of my mail to sell info on to advertisers.

    ISPs have got away with murder over the last 10 years: they can lie like Virgin (20mb connection only if it is an oversubscribed part of the network and you won't get even half of that), or like PlusNet who disconnected over a thousand users for using their 24/7 service 24/7 (fair usage); words like unlimited and fibre get tossed about like fact when they are words of fantasy and fiction.

    As a Virgin user I will be an ex-Virgin user when this goes live, and I will shout from the rooftops and anywhere online I can post about this breach of my rights and my freedom as an individual to go about my daily online business without being monitored by the likes of Phorm.

    The opt-out policy is a disgrace and a charade, and pointless as the data still goes where I don't want it to go. It is mine, I own it; I pay Virgin to connect me to the internet, that is all. I also pay Scottish Power for electricity but I don't expect them to monitor how I use the power in my own home or sell that information on, so why then does Phorm think they can pay my Internet service provider to spy on me in my very own home, which is what is happening; it does not matter where the data stream goes, just where it came from.

    If Phorm wants my data they should be paying me for it, not Virgin, as the data belongs to me; data protection laws are an absolute nonsense and urgently need to be revised.

    Currently I and a few others have contacted the European Commission for Human Rights to see if a legal challenge can be made through this avenue, as I believe basic democratic rights are being abused, as well as some EEC legislation which the Phorm legal geniuses seem to have overlooked about international transmission of data outwith member states.

  67. Man Outraged

    BBC have no forum so I'll rip Phorm apart here:

    Q: I would like to better understand the strict demarcation of ownership of equipment to be installed in the ISP to really understand the full content of the stream received at the point of entry to equipment under the control of Phorm. Bloggers purporting to be from BT claim that this is the FULL browsing (http - port 80) stream with IP addresses obfuscated in some way. Is this true? And if so, what safeguards over employee recruitment do Phorm have since they will be in an extremely powerful and trusted position, being able to read 10m peoples' web traffic.

    A: No, this is not true. IP addresses are not passed in any form, even obfuscated, to Phorm. All that is passed is a limited digest of page data from each navigation. This data is never stored on disk and is immediately deleted from memory as soon as a product category match has been made.


    Q: If two people use a shared computer - how will Phorm ensure that a surprise, e.g. a partner researching wedding venues, is not ruined when the other partner next uses the computer and is bombarded with adverts for dresses and rings?

    A: Most people have a separate login if they are sharing a computer and they will therefore have a separate random number. But also, advertisers using our system can choose to show ads based on the page they are visiting, recently visited, or a longer term basis. Only the last of these would be affected if the computer and the login were shared, so this scenario is possible but not that likely. If the person really wants to hide a surprise, they can switch webwise off!

    MO: He already said that people know if webwise is off because every webwise Ad shows the current status "off/on". Now my missus would be suspicious if I said to her don't use my login, use your own. We just go with what's on. She would also be suspicious if I turned webwise off when it normally is on (she's suspicious).

    Basically if it's off it's OFF you just can't have any kind of interception and alter if it's off. SGAASKJGLSKAGJKLSAJKLGAMKLLKSGLKJ:LKJ:ASGLKLK:M

  68. Pseudopath

    T&C changes...

    I've been looking at the BT support forums and it appears that on "go live" of this supposed service all terms and conditions will be revised accordingly... I fear that may mean that in order to be a BT customer you waive your right to no processing of personal data. Would that be legal, or even an infringement of human rights?

    This is getting more sinister by the day!

  69. Anonymous Coward
    Thumb Down

    I didn't read it

    Thanks for the effort Reg, but i honestly have no interest in his excuses or PR spin, so skipped the pages.

    All i want to hear is his plea of mercy to a judge during sentencing.

  70. Bill Fresher

    Silly buggers

    Can't wait for the day I get targeted advertising through the post saying "Your bank tells us you've recently been using your debit card to buy X/Y/Z ..."

  71. Dam




    1/ Connect to my OpenVPN server

    2/ Set it as your default gateway (you'll obviously need a static route to its public IP first)

    3/ Browse your net alright.

    SERVICE STARTING $2 ONLY (£1 for UK sheep).


    Afk, filing a patent.

    French ISPs for the win, at least they don't try to push crap down our throats, have formidable bandwidth (did I mention hitting 2000kb/s on newsgroups over SSL ?) and no quotas.

  72. Anonymous Coward
    Anonymous Coward

    Profile this!

    I hope they enjoy looking at encrypted traffic as my VPN will soon be active.

  73. Anonymous Coward
    Anonymous Coward

    This is NOT about Adverts.

    Wake up, this is NOT about Adverts.

    Stopping the advert is like wiping the sweat off a child's forehead as he's dying of meningitis; you need to be looking at the disease.

    If you drop the ads at your router/firewall/application Phorm doesn't care, they delivered it as far as the logging/billing platform/customer knows, they get paid. It isn't about the latency caused by your browser having to re-submit the request, something you will barely notice.

    The issue is that they redirect your traffic and analyse the content to look for keywords, you can't ignore my_email@dress if you can't recognise it as an email address.

    To do this you need to operate at Layer 7, assemble all the packets from a single stream amongst thousands to create the original text in order to parse the string containing an email address. Now if I wear my white hat, I discard the address as it's not what I want to use to create a profile to send you an advert for "the fastest PC in the world" (You are reading the reg). If I have my black hat on, I save your address and sell it to someone peddling pills (I doubt Phorm would do this either).

    Phorm say they will ignore form fields, therefore they recognise them (easily). Address fields are common form fields, not always completed under SSL encryption, sometimes that's switched in when you are redirected to a payment gateway, so now they, or the __hacker__ that breaks in to their system, knows who you are, what you are buying and that you have the money to buy it...

    Now what else do I want to know about you? This will be great when we all have ID cards, then I will have a UK-wide unique key to put in my database with all your data. I'll be able to cross reference all your loyalty cards, insurance applications, bills I get out of your trash because I know your address, and anything else where an organisation asks for your ID number for their records (we need it for your safety of course, you need to prove who you are, there's lots of terrorists about you know).

    Interception of data is what Governments use to "protect us from the bad guys" they keep telling us about (Google CALEA for the US, RIPA for the UK); it is not an area for Phorm, a private company. Phorm are using the same techniques that the US Government (& others) started in the 1990s (Google spy and Echelon) to intercept Internet traffic and analyse its content. It started as passive taps, think of Y-shaped cat 5 cables in a box, but now uses hi-tech devices such as clever switches from the likes of TopLayer (the Data Collection Filtering Device is the hardware from the AppSwitch 3500 with different firmware). I have used their switches and they're very good, but £20,000 is a lot for gigabit to the desktop in your home office, though great to redirect traffic for network monitoring or Internet filtering or just to send a tcp reset when you insist on trying to download that music track.

  74. gothicform

    Phorm Are Pirates

    So let me get this straight? They copy my website as the user visits it and then store the data. The Copyright, Designs and Patents Act specifically legislates against this. Thankfully, we already have rulings that just because you deleted the mp3s after the downloads you don't get off the hook. Looks like they can be tripped up on this matter alone.

  75. Paul Barnfather

    @ Lyndon Hills

    If you look at the contract with your ISP, you'll find they have every right to do deep packet inspection. No problem with that.

    You'll also (probably) find that they promise to keep this data private and never sell it on to a third party.

    Now we see ISPs are planning to sell this data to a third party. Even if you're happy to have your data sold on, surely you see the problem here?

  76. Anonymous Coward

    Shared computers

    So why did no-one ask them how they cope with shared computers. A lot of ISP accounts are shared by family members, computers may be shared by family members.

    Maybe I decide I like the idea of all my internet activity being parsed and scanned and used to deliver targeted ads to me.

    My partner who uses my computer DOES NOT want it.

    If they use the same browser then they get MY cookie which says "yes I'm a muppet, I love having my browsing habits monitored"

    Also as my partner HAS NOT given consent then surely Phorm and my ISP are now intercepting my partner's traffic without consent - isn't that ILLEGAL?

    Admit it PHORM - you are scum, you are leeches, your product is evil and your spin is just bullshit.

    Can we have a list of all sites using OIX to deliver adverts so we can black list them?

  77. Anonymous Coward
    Anonymous Coward

    Phishing protection - cry me a river

    If their systems get compromised you will have phishing on an unprecedented level.

    And they can turn to do actual phishing at any moment themselves.

    Warning me that a site may or may not be engaged in phishing is worthless; if that site is actually engaged in phishing and it can be proven, then steps to take it offline should be underway. I suspect we shall just see false positives and attempts to curtail traffic to sites that Phorm may not agree with.

    This is a sneaky underhand power move by Phorm, which is being given some wet spin; I notice the BBC is soaking it up.

    I am moving ISP over this, and will encourage others to do so; when canceling, the fact that ads are now even being considered will be the reason.

  78. Jeremy
    Paris Hilton

    Silly name

    Am I the only one who thinks the brand "Phorm" sounds just a bit... well... phallic? Where's the penile icon? I guess PH will have to do.

    I've nothing to add that previous commentators haven't already mentioned except to say cracking job, El Reg, I look forward to the day this ends up in court...

  79. Anonymous Coward

    Simply unacceptable

    I'm currently with Virgin - I have informed them that if they implement this spying network I will no longer be choosing to remain a customer.

    Opt out my arse - it's non-consensual spying pure and simple. Reminds me of the ID card - 'ok ok you don't have to carry it... but we will keep storing all this data about you in the mean time...'

  80. Eitsop
    Black Helicopters

    Disgruntled Employees?

    What happens if there is a disgruntled employee as they have mentioned, or a security breach, and it's not the data they are interested in? What if they can modify the code and have access to any browsing information they like from millions of users? How about a bit of javascript injection instead of an ad?

    Can they provide assurance that it is 100% impossible for anyone, ever, to gain access to our browsing details?

    Also aren't search terms in form fields?

  81. tech idiot
    Paris Hilton

    Very Expensive PR

    They've been very well coached!! They use a few tried and trusted sales techniques in an attempt to divert attention from the central issue but as always, what they didn't say is more relevant.

    Looks like all ISP account holders will be subject to profiling whether opted in or out. If they could turn this off then they would have said so and the story would deflate. The fact that the data stream is ALWAYS monitored by this system indicates a far higher level of buy-in by the ISPs. My hunch is that the ISPs see a huge potential in providing advertisers with detailed breakdown of their account holders' habits. This is the start of a land-grab by BT, TalkTalk etc. to rip some of Google's revenue stream. The obvious conclusion would be ISPs selling this service direct to advertisers. The reason that they've done the deal with Phorm in the way that they have says to me that despite all the bluster they have serious worries about legal and commercial issues otherwise why not just license Phorm or copy the principle? Although I'm sure they know it, Phorm is the patsy fall-guy when the s**t hits the fan!! This will be buried! Nice try though.

    Paris asks - can I alter my profile to make sure I ONLY get ads from cam-corder merchants?

  82. John Dohrr

    Time to make SSL the standard rather than the exception

    A gem from the audit by Ernst & Young:

    "If a user deletes their opt-out cookie, then the co-opt status, which is contained in the cookie, is lost, and the user will be opted-back into the Phorm Service."


    Let me get this straight: I'm subscribed by default *unless* I keep a specific cookie in my web-browser?

    And how is it, pray tell, that my browser will know to include said cookie with *every* outgoing URL request, unless it's completely domain-unrestricted? In which case said cookie can be used to track me by all and sundry across the internet?

    I see nothing about Phorm stripping this cookie out from my traffic as it leaves the ISP.

    (Ironically, Phorm state that they use a cookie as part of the opt-out process, so my opt-out'ness can follow me around the countryside: "to ensure that such opt-out is effective no matter where the user should take his or her computer and is in other ways more protective of a user's identity". Gasp splutter on that last bit).

  83. Anonymous Coward
    Anonymous Coward

    @ AC

    ofc it's about profit, these are private companies, but if an extra revenue stream enables them to hold off a little on price rises for the consumer then fine. If not then the "anti fraud" features are not enough to justify it and I doubt the ISPs would go to the expense and hassle of evaluating it and risking negative customer feedback. Anyway, I'm (slightly) less concerned about it than I was before reading the interview.

  84. bobbles31

    There are some problems with your comment: * A title is required. (eh?)

    Phorm are being really slippery around the real issues and I dislike that. When questioned about receiving data they answer:

    "We don't get any browsing data, just keywords."

    when questioned about the opt out:

    "We don't get any browsing data or keywords."

    What we really want to know is, if I opt out, am I out? Do my browsing habits get profiled or not?

    I pay my ISP to connect me to the Internet, what I do when I am on the Internet is none of their business. As the ISPs themselves are arguing at the moment in the "3 strikes" file sharing debate they are simply a conduit for my activity on the world wide web. The ISPs can't have it both ways, by examining my traffic they are doing more than provide a connection service. They are providing an Internet Experience and as such fall foul of the "3 strikes" argument and become responsible for policing their customers for illegal activity and preventing/reporting it where possible.

    As a conduit, where I go is none of the ISP's or anyone else's business.

    The model that Phorm are implementing is analogous to the Royal Mail opening all of my letters, distilling any correspondence down into a bunch of keywords and then sending details of those keywords off to a third party, and then asking that third party what junk mail I should receive in addition to the letter from my Granny.

    If the Royal Mail implemented such a system that involved reading your mail, there would be public outrage and frankly, just because all of my internet correspondence happens electronically, thus making reading all of it a technical possibility, it is no less important to me that my correspondence remains private.

    The opt out for this system is a joke, akin to the Royal Mail continuing to open your mail, but just not asking the third party what junk mail to send.

    Phorm can tart up, explain how wonderfully secure it is and how people will get a free Phishing filter all they like, the simple fact remains that they (or rather my ISP on their behalf) are still opening my mail and snooping at letters from my Granny and I really would rather that they didn't.

    Time to put on my tinfoil coat and hat and move to Zen I guess.

  85. Rat King

    I wish...

    ...they would stop using Google as an example. If I disapprove of how Google manages its business, I'll use another search engine. It's not like I have a contract with them or anything, but I do with VM and it is a lot more aggro changing ISPs. VM have already upset me because I can't watch the Simpsons all day due to their spat with Sky, this could be the final nail in the coffin. Although, funny how all this coincides with them upgrading my line from 4 to 10 meg for the same monthly fee, a sweetener to take my mind off the whole Phorm thing maybe?

  86. Robbie
    Jobs Horns

    It sucks

    I'm going to leave BT for the best ISP to guarantee that they won't be using Phorm technology. BT and the rest of them stink and Phorm ... are dubious guardians of our privacy at best.

  87. Sim

    message to phorm

    I do not want your service - I do not wish to be opted in - I do not want to have to opt out - I will continue blocking ads - I do not need your anti phishing service. If you and my ISP foist this service on me I will find another ISP and investigate my recourse in law.

  88. Anonymous Coward
    Anonymous Coward

    Have you got it?

    They don't care as long as they deliver an advert

    No, ISPs don't have the right to intercept data, only security services with a warrant.

    They don't care about shared computers as long as they deliver the adverts.

    When Phorm get compromised the brown stuff might hit the fan, only they won't let anyone know of the intrusion and you will not be able to link the victims.

    Phorm don't store your web pages, they will do interception & keyword analysis.

    If an ISP changes their T's & C's when implementing Phorm you might be able to get out of that 18 month contract and get your MAC code free. You don't have to agree to new terms, the contract will probably be void.

    kn*b jokes eh, ha ha, ask phorm after this goes live, they should be able to build up a good collection. Strange they won't be implementing Adult categories, there's so much profit in that area. However saying "we don't do sex" will go down well with the public and we could always start six months down the road when the fuss blows over.

    A high incidence of compromised hosts within companies is inside jobs.

    They can only make a profit using opt-out, why would anyone opt-in?

    The problem is you don't pay enough for your connection, which means your ISP has to find other income streams. It is not a coincidence that the "cheap" mass ISPs are doing this.

  89. Anonymous Coward

    @Random URL generators

    Funny you should mention that - cobbled one together last night.

    Essentially a web spider that requests a new page every x seconds

    Because even if you use a proxy / anonymiser they can still get your traffic.

    So hide your real traffic in a flood of other stuff - good luck phorm on sifting this.

    now just to tweak it so it doesn't exceed "acceptable usage" per month. Maybe I should release this to the general public then good luck to the ISPs coping with the additional traffic, rendering phorm completely useless in the process.

  90. kosmos
    Jobs Horns

    a hacker would not need to compromise phorm,

    They would only need to compromise the 'profiler'. The people that run phorm are scum. They are intercepting everyone's data. Who is to say that at some point in the future they will not switch on a storage function?

    All the ISPs are trying to do is turn your computer which you paid for, into a web tv console using a connection you paid for so that your bandwidth which you paid for can be consumed by targeted adverts. If we're paying for all this then why the hell have I so little control over the services I've purchased?

    If I were a financial institution I would be seriously reconsidering the credibility of any backbone operator with this technology in their network (SSL or not). How can I guarantee the security of my clients knowing full well that on certain routes their data is intercepted and massaged by 'scarevices' like phorm?

    Phorm does nothing to improve people's confidence in the internet, and instead treats everyone's connection (opted in or out) as their own personal playground. Look at the feedback they have received so far. This is hardly a shining light on trust.

    There needs to be a picture of KE with Horns, in the meantime Jobs will do the job.

  91. Anonymous Coward
    Anonymous Coward

    No Identifiable Information?

    So how's that going to work?

  92. Anonymous Coward
    Thumb Up

    @Random URL generators

    "now just to tweak it so it doesn't exceed "acceptable usage" per month. Maybe I should release this to the general public then good luck to the ISPs coping with the additional traffic, rendering phorm completely useless in the process."

    If they ever implement it at Plusnet then I know what my "free" usage between midnight and 8am is going to be doing.

    I'm sure you'll get a lot of people who would be interested in it if you did release it.

  93. Graham Wood

    BBC Interview

    Looks like the phorm guys are saying different things to different people.

    They've admitted to the register that they still get all the data when you opt out, but don't analyse it....

    According to the interview with the BBC they don't get the feed if you opt out:

    Q: Even if you do opt out your web traffic will still be intercepted and analysed, you just won't see the ads. Is this true?

    A: No this is not true. If you opt out no data is passed from the ISP to Phorm.

  94. David Pollard

    It's good for the kids?

    Various Reg commentators have pointed out the Phorm system's introduction of passive tap / Level 7 monitoring, and that it would be technically trivial to extend this for other purposes.

    Already there are plans in train to use youngsters as a 'soft-sell' for ID cards, and to build insidious national cradle-to-grave databases. The Phorm proposal seems to me a quite disgusting abuse of civil liberties and it beggars belief that no regulatory action has been taken over last year's secret experimental tests. If I could still be surprised by corruption I would shudder to think what may be going on behind the scenes at government level on this issue.

  95. Anonymous Coward
    Black Helicopters

    Guess Who Will Want a Piece of the Action?

    The icon says it all. Expect a little black box to be inserted before the "cleaning" system. Especially if it happens here.

  96. Jonathan

    @Random URL Generators

    I hope they have some protection against denial of service attacks - this would be the easiest system in the world to overload. And if you overload the system, what happens to everyone else's browsing? Do those who have opted out still lose their connection?

    Also, about opt-out....

    my homepage is always set to my google homepage. Because I rent the house, and the landlord provides the internet connection, I don't even know what the login is. I have my own homepage set. So, my question is, how exactly is Virgin going to inform me that they are selling my browsing habits? And where will I be offered this opt out choice, seeing that my homepage is not Virgin? Oh, let me guess, they will intercept my request and insert their page to query whether I want to use their.... ahem software.

    Well, guess what, most people will probably say no, ESPECIALLY if you are more honest with them and tell them what you are really doing.

    I think Phorm should quit it now. Reception here at El Reg has been very negative, and I'll bet that the mainstream press won't carry a favourable impression of the idea. With potential lawsuits looming, I wouldn't be surprised if all ISPs involved pull the plug on Phorm, thus sinking Phorm itself.

  97. system

    Just thought....

    Something definitely is not right here. Either they are storing the copies of the pages, or they are analysing every single page regardless of opt-outs.

    The opt out is based on cookies set by phorm/oix/webwise. Cookies are only sent by the browser when you are visiting the site that set them. Your reg cookie is not sent when you visit the BBC for example.

    They can only detect a cookie set for their domain if they inject code into the returned pages. This shows their claim that the phorm side is "offline" is BS, as they cannot inject code without it being in the transmission chain.

    Now, with injection, they must wait for the browser to process the page and then initiate a link to their domain so it can send the cookie. This means they MUST store the pages until the browser initiates the connection.

    Due to the fact that you can block the connection to phorm from ever happening, they must allow for storage of the pages for a fixed length of time before it's decided that the cookie is not going to arrive and thus the user is opted out. Whether this is 10 seconds, or 5 minutes, the data is stored.

    Of course, the other way to do it is to process all pages regardless of opt out status.

    Either way, phorm ARE lying about what they are doing. They either do not allow users to opt out, or they reinvented the way the entire internet works last night.

    I hope this bunch of slimy bastards find themselves on the wrong side of a prosecution under the DPA, RIPA or any other applicable legislation.

  98. Anonymous Coward


    I don't think the point of the random URL generators is to DOS the system, more to obscure your normal browsing habits.

    If you normally look at 10 web sites a day and the generator goes to 1000 (not exactly a huge amount at around 40k a request) this would be plenty to confuse their system making it useless for the purpose they claim it's for.

    As for the government tapping in: I for one don't really care as I don't have anything to hide. I do, however, have a big problem with my data / habits going to a 3rd party without my consent so they can litter my content with yet more ads.

    A further point of concern is all the business apps that have taken to using port 80 to communicate to each other in order to simplify firewalling - will this traffic also get sent to phorm? presumably so...

  99. Graham Wood


    It's a very muddy area for anyone that has multiple people on a connection, but it's worse for you since there's a precursor before phorm gets involved.

    The contract is between the ISP and your landlord - it's quite possible that he's in breach of it by letting you use the connection, since that would count as the ISP equivalent of a sublet.... I'm pretty sure that my ISP has a clause saying that I'm not allowed to give access to other people (not sure how family/friends are allowed)

    Working on the assumption that you are allowed to do this, it's not good for you with respect to the privacy side of things I would have thought.... As long as they get permission from the landlord to monitor the connection, they are covered - it's then your landlord's fault for not getting this cleared with you - they have confirmed with the person they are providing the connection to that it's "OK".

  100. GettinSadda

    Now I feel worse

    I now feel worse about this issue rather than better.

    I hope that RIPA is dropped on them like a metric shedload of bricks.

    I will only be happy once every single one of them is inside for this outrage!

  101. Secretgeek
    Black Helicopters

    I know this has been posted before.

    But with so many people commenting it's easy for it to be missed.

    Shout loud, sign up, take a stand.

  102. Anonymous Coward
    Anonymous Coward

    Privacy Guarantee

    Hi. Tech Team at Phorm here. There are some common themes here and some specific questions which I can answer over a series of posts.

    So here goes - privacy first. There's no 'largely' about it, no personally identifiable information is stored. Nor does the technology store IP addresses or browsing histories. It simply observes anonymous behaviours and draws a conclusion about the advertising category that's most relevant. All the data leading to that conclusion is deleted by the time each web page is loaded.

    The service works on the basis of a closed system which only includes the ISP and Phorm. No browsing data leaves the ISP network. No data on subscriber activity is passed to advertisers.

    It's important to understand there are two distinctly separate processes in the Phorm system: data capture and ad serving. The data capture system only stores one item of information on your computer - a random number. The random number is the only thing that distinguishes your browser from the millions of others on the internet. It does not contain any information about you or your computer. The only person able to make that connection is you, as you have that cookie in your browser.

    As you browse, your browsing behaviour is matched against pre-defined advertiser categories for everyday products, like travel or sport.

    No URLs, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- by the time the page loads. There is, in essence, no data other than the categories and the random number stored in the system and so it's impossible to know (or indeed reverse engineer from that) who you are or where you've been.

    On each navigation, a data digest is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names). This is matched against a list of advertising product categories and the data digest, which is never written to disk, is deleted. When analyzing in-page keywords, only repeated information is registered - the top 10 most frequent are considered, having first screened out numbers, email addresses, names. Secondly this 'data digest' is only used instantaneously to match against advertiser channels and is then deleted. Raw data is not stored and cannot be lost. The system only retains the advertiser categories that were matched, which by definition cannot include your data.

    In the ad serving phase, when your computer requests an ad from the OIX (because a website has included our tag in their page), the browser sends the random number and the categories are used to deliver the targeted ad, not the details of your browsing, or anything about you or your computer.

  103. Secretgeek


    Things slightly mixed up there mate. If they don't receive the cookie THEY ASSUME YOU HAVEN'T OPTED OUT and give you a new profiling cookie. It's an opt-out system remember, there has to be a cookie on your machine that says 'this user wants Phorm go f**k itself' or something to that effect.

    Even then they still get your browsing info they just don't target ads.

    The dice are loaded and not in your favour.

  104. Robin Weston
    Paris Hilton

    @ Random URL generators

    My notice has gone in with Virgin already, and I'm happy to max out my connection until I get my ADSL up and running - just waiting for one or two more replies before I decide who to go with - I think asking for a categoric promise that my data will never be intercepted or processed such as is required as an inherent part of the service or by law enforcement agencies is a fair question for anyone to ask.

    FWIW Demon, PlusNet, Zen and o2 have provided categoric assurances to me. Be offered an assurance but it was just an email reply that said something like "in response to your question we would never do that"

    As for the "you'll see less adverts" ok assuming I give them the benefit of the doubt on everything else the profile of me is still going to give a fairly good idea of what social group/age/sex I am. And I know for a fact I'm target audience for a lot of ad-men. So all the adverts that miss me (ad-block plus notwithstanding) and hit others not so desirable to advertisers won't need to be sent. So they'll have more resources to hit me.

    Paris because she stopped with Virgin a long time ago. Can we have Richard Branson with horns for us (ex)virgins?

  105. Man Outraged


    Very very very good point CHRIS, CHRIS, WHERE ARE YOU!? There are two explanations here. Either phorm inject a hidden iframe or some other HTML into each page to force a dummy transaction, in which case they were lying about injecting nothing into the stream, and this raises very serious questions and in any case it would be hard to tie the whole string of simultaneous requests for various elements together with the cookie, or they grab the whole stream and be damned with it. Funny the E&Y auditors didn't pick this up ;)

  106. RW


    Didn't Google do a study and demonstrate that the only webpage adverts that *work* are very short, simple ones like those Google puts alongside your search results? Where does this leave the brightly colored, flashing, moving, singing ads marketdroids continue to push down everyone's throat? IOW, targeted or no, online ads are not particularly effective.

    It also strikes me that this whole uproar is due to business once again taking the point of view "if there's no explicit law against action X, action X is okay." This philosophy is one very short step away from thinking "if the motive is profit, any action whatsoever is justified." Sorry, mac, think again.

    More and more, I think it's time to fundamentally reform the law as it affects business so that they are required to act honestly, honorably, and ethically, in the broadest possible sense. And at the same time, prohibit unilateral changes to contracts such as BT seems to be contemplating.

    As some have suggested, perhaps letters from innumerable people to their ISPs (snail mail at that) stating that they do not have your consent to tap your web browsing and referring to the relevant laws would at least put a few speedbumps in Phorm's path.

    The snail mail part is important because a piece of paper cannot be destroyed by just pressing the delete key. As a former toiler in the bowels of a bureaucracy, I can assure everyone that written letters are not easily dismissed by the recipients, unlike email.

    Flame, because I'm getting fed up with corporate self-importance and total disregard for the basics of human society.

  107. Landon

    How do they get relevant advertising?

    What makes me laugh more about the irrelevant advertising argument is that they somehow think they are able to target us with relevant advertising. Just because I may have visited a site about motorbikes doesn't mean that I want to see adverts for anything bike related in future visits. Isn't this still irrelevant advertising just in another form?

    I personally have nothing against low key advertising on sites that provide a service to me for free, as long as it has something to do with the site that I am visiting. For example being on El Reg I would expect to see advertising for computer related stuff, and that is pretty much what we get. Isn't this as targeted as what Phorm are offering and without having to analyse all our traffic and potentially invading privacy?

    I have worked indirectly in online advertising and have found that relevant advertising is the most appropriate form. If you run a games site, your target audience is likely young teens. Advertise related products in an appropriate way and you will get a much better response than bombarding users with irrelevant adverts. I worked for one company where our target audience were young teenagers and yet almost every advert was for home insurance, car insurance, life insurance etc and they then wondered why they were getting such awful responses. Then every now and then we had an advert related to this age group and the response was amazing.

    I think the way forward is those advertising exchanges that allow you to negotiate with web masters who run sites that are your likely audience. You definitely do not need to monitor people's traffic to target adverts. Won't the Phorm system only do the same thing anyway but one step behind? If I just visited a website for fish and then go to a website for computers, wouldn't the system show me adverts related to fish based on my past request? Then on the next site show me adverts for computers? I agree that it may be more advanced than that, but in principle it must be the same. This is not particularly targeted advertising is it?

  108. Graham Wood

    @Phorm "Tech Team"

    Please answer one very simple, unambiguous, security/privacy question.....

    How do I stop my web browsing going anywhere near your devices?

    Be they in the ISP or elsewhere, I *DO* *NOT* want my data *ANYWHERE* near your systems.

  109. Anonymous Coward
    Anonymous Coward

    cookie injection

    You can easily inject a cookie in to the web page when the data passes through a layer 7 device, some load balancing products use this to ensure that a user is redirected to the same server in a web farm in order to maintain their session state.

  110. Sam

    Re Privacy Guarantee

    Posted anonymously......much ferrous material.

  111. Secretgeek
    Dead Vulture

    @Privacy Guarantee

    'There's no 'largely' about it...'

    Seriously Phorm, what is it you don't get?




    Is that clear enough?

  112. Anonymous Coward

    Phorm tech team

    You SAY no data is stored - that's not the point. Even if I OPT OUT of getting your damned targeted adverts YOU (well my ISP who are running YOUR software) are looking at ALL my browsing habits - EVEN IF I DON'T WANT IT.

    Can you explain HOW that is right - in ANY sense of the word?

  113. mixbsd

    Website Injections

    Remember Belkin's gaffe with unauthorised web redirections in their routers? The sort of spammy nonsense that causes web-based services like DynDNS to fail?

    Now we have ISPs injecting code into website responses, just like Rogers wants to do in Canada (for bandwidth cap reminders):

    I bet Phorm has already approached Rogers with a view to implementing ad-spamming on their network too.

    Any ISP doing business with Phorm is a Bad Thing™ (or is that "Any ISP doing business with this "Thing" is bad Phorm"?)

  114. Stephen Booth

    Opt out cookie

    The exact form of the opt out cookie is absolutely key here.

    If all opted out users have exactly the SAME cookie then it can't be used to track your usage. If it contains a serial number then somebody will have to write a browser extension to generate a random opt-out cookie for every new web page.

    That way they will have to use your ip address to track you and the ISP has always been able to do that with or without phorm.

    For that matter how about a randomly generated opt-in cookie. That might give them a few headaches for a while.

    The whole thing would be much much more stable, scalable and easier to accept if it ignored all streams without an opt-in cookie.

    Why does this system have to opt in by default when they can target webwise ads to anyone without an opt-in cookie !!

  115. Man Outraged

    @Phorm tech team:

    Welcome to the debate.

    It's impossible to opt out from data processing, as reported by "system" above, using cookies because only cookies relevant to the website you're visiting get transmitted. You can't have a blanket cookie nor can you have a TLD cookie.

    From your own audit:

    Page 6 (pdf p8): "If a user deleted their opt-out cookie, then the opt-out status, which is contained in the cookie, is lost, and the user will be opted-back into the Phorm service".

    Kent was on Radio 4 PM talking about how important choice was. I chose not to allow persistent cookies, so I have to manually opt-out of Webwise every time I start my browser.

    So when I opt-out, how do I stop my information being aggregated into statistics, how do I stop my information being profiled? It's invasive and there aren't sufficient safeguards in place. Furthermore, the audit appears flawed and I should write to Ernst and Young and point this out. You failed to answer fully or even at all some of the questions put to you by the BBC and others on the technical issues like who writes the software for the Profiler and who audits any future software upgrades.

  116. Man Outraged

    @AC re: cookie injection

    The issue about cookies is that they are sent by the browser with HTTP GET requests and they are only sent if the domain is the same as the domain that set it or a subdomain thereof. You can't have a blanket cookie. Phorm deny that anything is injected into the data stream.
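    The behaviour described by "system", John Dohrr, Stephen Booth and Man Outraged above (a browser only returns a cookie to the host that set it, so a single opt-out cookie cannot accompany requests to every other site, and once that cookie is deleted the opt-out status the audit says lives in it is simply gone) can be checked offline with Python's standard-library cookie jar. The block below is an added example written for this thread; it is not code from the article, from Phorm or from any ISP. The host names optout.example and news.example and the cookie name webwise_optout are constructed stand-ins, not real Webwise/OIX values.

```python
"""
Added example: how a browser-style cookie jar scopes a cookie to the host
that set it, and what happens to an "opt-out" cookie once it is deleted.
Standard library only; no network access.  Host names and the cookie name
are constructed stand-ins, not real Phorm/Webwise values.
"""
import http.cookiejar
import urllib.request
from email.message import Message

OPTOUT_URL = "http://optout.example/"          # constructed: host that sets the opt-out cookie
OTHER_URL = "http://news.example/story.html"    # constructed: unrelated site being browsed
OPTOUT_COOKIE = "webwise_optout=1; Path=/"      # constructed cookie name and value


class _HeadersOnlyResponse:
    """The minimum CookieJar.extract_cookies needs from a response: an
    .info() object with get_all(), which email.message.Message provides."""

    def __init__(self, set_cookie_values):
        self._msg = Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def store_cookie(jar, url, set_cookie_value):
    """Simulate a response from `url` carrying one Set-Cookie header and let
    the jar apply its normal domain/path acceptance rules."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_HeadersOnlyResponse([set_cookie_value]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when no stored cookie is in scope for that host."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def is_opted_out(jar):
    """The opt-out decision as the audit quote describes it: the status lives
    only in the cookie, so 'no cookie' means the default, opted-in state."""
    return cookie_header_for(jar, OPTOUT_URL) is not None


def run_scenario():
    """Walk through the three situations discussed in the thread and return
    what the jar actually does in each."""
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, OPTOUT_URL, OPTOUT_COOKIE)
    results = {
        # 1. Request to the host that set the cookie: the cookie is sent.
        "sent_to_optout_host": cookie_header_for(jar, OPTOUT_URL),
        # 2. Request to any other site: the jar attaches nothing, so an
        #    interception point watching this request sees no opt-out marker.
        "sent_to_other_host": cookie_header_for(jar, OTHER_URL),
        "opted_out_before_deletion": is_opted_out(jar),
    }
    # 3. The user clears cookies (or runs a browser that drops them on exit):
    #    the opt-out state goes with them and the default applies again.
    jar.clear("optout.example")
    results["opted_out_after_deletion"] = is_opted_out(jar)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

    Running it shows the cookie attached only to the optout.example request, nothing at all attached to the news.example request, and the opt-out flag flipping back to the default as soon as the cookie is cleared; the jar applies exactly the same-host rule that every mainstream browser does, which is the point the posts above rely on.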

  117. Anonymous Coward
    Anonymous Coward

    What I worry about

    What concerns me is;

    1. In the interview text I see nothing to say that they do not at least initially collect all the users' sensitive data such as credit card details, passwords and other form information. OK they SAY that they clean that data but that still means that they are initially collecting sensitive data. THAT concerns me greatly. I signed an agreement to trust BT plc NOT Phorm !!

    2. Since BT are going to be interfering with our connections are we going to get a reduction in the PRICE of the broadband connection from BT? Like hell are we.

    They SAY that there is no degradation of the connection but I cannot believe that there will be no degradation at all, even if it is minuscule.

  118. Richard Read


    >>No URLs, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- by the time the page loads. There is, in essence, no data other than the categories and the random number stored in the system and so it's impossible to know (or indeed reverse engineer from that) who you are or where you've been.

    Disingenuous, the system does store the digests of each page that you load. It just deletes them after it has categorised the page and attached that category information to your GUID. Just because something is only held in memory for a short while does not mean that it is not stored.

    The fact is that Phorm is monitoring the web pages that I view in my browser and there is no way for me to opt out of this.

    >>The service works on the basis of a closed system which only includes the ISP and Phorm.

    How is that supposed to be reassuring when I don't want either my ISP or Phorm to monitor the web pages that I view?

    I can opt out of receiving the targeted adverts that this process generates but that's not the bit that I'm worried about. Until Phorm guarantees a way for me to prevent them intercepting and monitoring the web pages that I view I will be against this. What Phorm intends to do with the data after it is intercepted is irrelevant. The assertion that the data will not leave the ISP network is irrelevant.

    >>So here goes - privacy first. There's no 'largely' about it, no personally identifiable information is stored.

    And Phorm is prepared to guarantee, in the form of a legally-binding contract, that no information that could be used to identify a person will ever be present in the digest? For example, if I used Google to search for my own name, can you guarantee that that would be filtered out?

  119. Anonymous Coward
    Thumb Down

    @ Phorm Tech Team Anonymous Cowards

    I'm sure this is a technical triumph, almost but not quite having their cake and eating it. They just don't get it do they? Just because today the system 'only looks for top 10 words' or whatever, and 'discards numbers, email addresses, etc' doesn't mean that tomorrow that couldn't easily all be changed by accident or design without any knowledge or recourse from us. Where is the supervision? What is the audit trail?

    And clearly illegal without an explicit opt in. Nice try, start looking for new jobs guys....

  120. mark

    Bruce Schneier

    It would be interesting to know what Bruce Schneier thinks of this technology, given that he works for BT.

  121. Chris

    @Graham Wood

    Sorry, but I think the answer might well be that the only way of making sure of this is to move to an ISP who categorically state that they will not get into bed with this kind of thing. Thankfully there do seem to be a few who actually have some morals.

    There's a section on the message board which has a list of ISPs who have definitively stated that they will not do this. Personally I would ignore the ones where the answer has just come through standard "contact us" channels - I was told categorically that VM would never work with a spyware company when I called...

    However, at least two (I think Aquiss and Newnet) have had MD or CTO level people confirm that they wouldn't go for this. I don't know where I'll be heading yet, but they're two I'll be considering. Any other ISPs making a categorical public statement that they would not employ this kind of thing will also put themselves in the running. Whatever happens, I will be cancelling my VM contract as soon as the notification goes out that this is going live. Which is a shame as I really like the V+ box and it's going to be a royal pain in the arse to cobble something similar together myself.



  122. Anonymous Coward
    Anonymous Coward

    Hi Tech Team at Phorm, or should I say Anonymous Coward.

    Hi Tech Team at Phorm, or should I say Anonymous Coward.

    You store a unique key on my PC & parse data from my connection at Layer 7 looking for key words, therefore you _can_ parse for personally identifiable information; whether you actually do or not at this particular time is irrelevant. Whether you immediately delete anything that might be identifiable is also a red herring, that programming can be changed at any point in time, dare I say after you have been audited or before you expect an audit. My 70 year old dad drives his Ferrari at 30 miles per hour; when he's on holiday and I drive it, do you think I drive it that way?

    You have created a system for reading web pages that broadband subscribers request, it reads the whole page, you program it today to react to travel or sport, it is capable of reacting to name:, address: or Login: & Password:. You intercept data from broadband subscribers without their express permission, and do not explain exactly what you are doing or how it might be used in the future or in the wrong hands.

    Recently a Police officer was pressurised by his superiors into recording the private conversations of an MP; he knew it was wrong but felt he had no choice. Someone in Phorm could easily be pressurised into parsing the data stream for other target words, or worse, Phorm itself could do so for market reasons.

    Communications interception is the realm of the security services, one that is tightly regulated, it is not the place for private companies and profit.

    Posted by another anonymous coward, you can find out who I am later by using the Webwise platform.

  123. Anonymous Coward
    Anonymous Coward

    re: re: cookie injection

    >>By Man Outraged

    >>Posted Friday 7th March 2008 17:14 GMT

    >>The issue about cookies is that they are sent by the browser with HTTP GET requests and they are only sent if the domain is the same as the domain that set it or a subdomain thereof. You can't have a blanket cookie. Phorm deny that anything is injected into the data stream.

    If your data stream passes through a Layer 7 device at your ISP, they _CAN_ write anything into the cookie or page they want.

    You don't even need your own cookie, you _COULD_ add the personal ID to an existing one.

    I have not said that they do do this, or that they will do this, but having access to the data stream at that level means that analysing or abusing the data _is_ possible.

    If your friend has a gun, I doubt he will shoot you, but he has the ability to do so if he desires. If I buy his gun, now I do; do you trust me?

  124. Anonymous Coward
    Anonymous Coward

    Major Search Engine

    >>Privacy Guarantee

    >>By Anonymous Coward

    >>Posted Friday 7th March 2008 16:30 GMT

    "On each navigation, a data digest is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names)."

    That's a lot of requests from one system; you could not do this without the permission of the search engine in question, as they could cut you off at a stroke and your business would be sky diving without a parachute! Another cut of the revenue cake must go to the "Major Search Engine". I wonder whom that might be?

  125. Anonymous Coward
    Anonymous Coward

    How to block? Ask your ISP

    F5 LTMs (and GTMs) are (poor) load balancers,

    in order to balance you to a site it will use either

    1. A source-address persistence method (a table with your IP in it and your request)

    2. A session cookie

    3. A "hash" cookie - relatively unused.

    When using a http headers viewer, you can usually find this cookie.

    For example visit and turn on livehttpheaders (or whatever you use)

    and you will see a cookie called ::: BigIPCookie - yes this is the default - BA did not change it.

    We should be able to get around this by refusing certain (or all) cookies, but then

    other methods can be used. You cannot just say block my firewall to these IPs because how do you know where your ISP might be mirroring it to ?

    Can't stop it with SSL since F5 supports SSL proxying (which breaks RFCs)

    You could always wipe F5 off the face of the planet, thus stopping them from using it, since 99% of clients with LTMs don't know how to use one.

    Even something like t0r will not do it, since your request has to hit your ISP's boundary router and from there they can just mirror it on one of the ports of their firewall or switch or load balancer.

    I'm writing to my ISP demanding that no traffic from my IP be mirrored to Phorm, BT, or any other subsidiary without written permission from me. I stated it would be a violation of my privacy and human rights if they do not accept - let's see what Virgin's cut & paste reply will be to this one...

    Anyone fancy starting PrivNet with me :)

    [An Ex-F5 employee]

  126. Ian

    Re: Bruce Schneier

    Bruce Schneier laughs at Phorm for Phorm is the Charlie to his Alice and Bob.

    Yes, Alice and Bob. For Bruce Schneier knows Alice and Bob's shared secret.

    < getting coat, leaving building... >

  127. Starace


    If the answers given by BT in the following link are anything to go by, they either don't understand the system or they'll play games with semantics to hide the reality:

    If I understand correctly, they argue that data doesn't go to Phorm but is retained in the BT network, which gives them a neat getout from privacy claims.

    The argument could be said to be accurate given the relevant server is located in the ISP datacentre and therefore 'within' the network, but the reality is that a 3rd party box is sat on the network looking at the raw data with no guarantees of what will be done with it, and ultimately forwarding a processed subset of that data to external servers.

    And the opt-out system still isn't clearly controlled - if they haven't worked out how to implement it yet, it's hard to have any faith it could ever work.

    Looks like BT have convinced themselves they're in the right and any customer protests will just be ignored.

  128. SilverWave

    Other user-agents are ignored!!!

    Q: And does the service ever modify information you receive via http that might not be a web-page, i.e. is it possible for it to accidentally break applications that rely on http for communication, especially if those applications work in a way that Phorm didn't anticipate?

    We operate a whitelist of user-agents corresponding to major browsers (e.g. Firefox, IE, Opera). Other user-agents are ignored.

  129. Anonymous Coward

    Thinly veiled lie

    "So we can expect The Guardian and Financial Times to show less advertising?"

    "KE: Yes, I think that most sites in due course will show less advertising. They know it gets in the way of the content.

    Most websites don't make any money, but imagine you were able to show your audience an ad based on anything they've done on the internet. Right now all you know is that they're reading your page."

    This entire system will lower the value of adverts online, as now the user will be exposed to both adverts from their ISP/phorm and from the original website. This will lower the income for the website operator due to the dilution of phorm's ads.

    Unless the website partners with phorm, in which case phorm gets more money and a possible way to get more personal data, and only then will the number of ads possibly reduce. But as the ads will be more attractive to the visitor I can imagine that the number of ads will only go up, based on the past actions of the ad industry (once they find a trick that works, they use that trick constantly, because if they don't someone else will).

    And as for people not liking untargeted ads, I think you'll find people just don't like adverts at all. That's if they can even tell the difference between the ads and the content.... and these days there are many "promotions" and other BS that are simply designed to confuse clicks out of visitors.

    But if you use one of Mozilla's browsers then there are steps you can take to get rid of adverts, and kill off a lot of tracking too with the right selection of extensions:

    Adblock, with filterset.g. There are also lists available of known tracking companies like quantserve, omniture or google. Adblock can block their webbugs.

    NoScript: necessary for granular control over what sites can do. You can allow functionality of a website with this extension whilst at the same time stopping third party tracking or advertising crud from running. Adblock can also kill certain scripts for all sites with a rule like *urchin.js*.

    A cookie management extension: I force all cookies to be session cookies, I don't allow any third party cookies ever, block cookies totally from some domains but also allow cookies for sites where it is a convenience for me to allow the cookie, like some forums etc.

    FoxyProxy: can send your browsing via different proxies based on regexp rules. I send all my googling through TOR, as Google cannot be trusted.

    Referer blocker: I forge all my referers to be the root of a site. This stops tracking/trending based on where you visit a site from, and stops sites identifying your search terms.

  130. Leonard

    @ PHORM Tech Team

    You say " No URLs, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- " and in the next breath...."On each navigation, a data digest is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names)."

    If my data that I am paying for is not being inspected in breach of any legislation and you don't retain a URL, then how do you create a URL based on my searching???

    Also, if someone has to re-do a Windoze machine, thereby losing all the cookies etc., how do they opt out again? Surely it should be an opt OUT policy from day one with the option to opt IN.

    I for one will be signing the petition to have you guys banged up for breach of RIPA and Data protection.

  131. Anonymous Coward
    Anonymous Coward

    @Other user-agents are ignored!!!

    hmm - so on FF I can change my user-agent so...

    I think a "I hate PHORM" user-agent string might be a good idea

  132. Paul


    You know, that little tech explanation from the Anonymous Coward (how very fitting!) does nothing to reassure me.

    You say it's a random number; is that truly random, or pseudorandom garbage that develops patterns over time? Also, if it's in a cookie, a website can easily be scripted to read its contents, put a request into Phorm's system and pull out my browsing history. From there, it'd be possible to script a very personalised phishing attack; given the number of dodgy sites hiding in Google's ad system already, why will your system be immune?

    On top of that, how can you guarantee your system will be "instantaneous"? Every god damn computer program takes some time to run, and unless you're putting a supercomputer in every exchange, there's gonna be some lag. Look at MMORPGs: during peak times servers fall over, but they're not upgraded because they're acceptable 99% of the time. Do I really think Phorm cares about us enough to pay for computers for that 1% of the time? I think not!

    Let's face it, you can never win public acceptance from this and I damn well hope you get sued for this stupidity.

    Personally I'm writing to OFCOM about BT's changing the T&C without good cause, cancelling my contract with them and moving to an ISP that hasn't sold out. If it gets really bad, sod it, I'll pay for 3G broadband...

  133. Anonymous Coward
    Anonymous Coward

    Re: How to block? Ask your ISP

    >>How to block? Ask your ISP

    >>By Anonymous Coward

    >>Posted Friday 7th March 2008 18:02 GMT

    >>Cant stop it with SSL since F5 supports SSL proxying (which breaks RFCs)

    You can stop it using SSL; you would need copies of every Internet site's SSL cert to proxy everyone's traffic. SSL proxying means the encryption-decryption for a connection to a website is offloaded to the load balancer and then standard http requests go from the LB to the server.

    This needs an intimate relationship between the certificate owner (website) and the load balancer owner, this is almost always the website owner, but occasionally the webhost. As the traffic has been decoded, the only hosts on the network behind the LB are the web farm servers for the website, so there is no security risk.

    You can only decrypt https traffic using the cert of the website and client token.

    I doubt that port 443 is forwarded to any part of the Phorm system as it is useless to them. They probably do Layer 4 first and only send port 80 to the first stage of their system to reduce load on the CPU-expensive Layer 7 stages of their application, unless of course they want to read your email, in which case they would be interested in 25, 110 and 143 too ;-)

    Once you start arsing about with the traffic, you can do anything. It's partially a state of mind: we all know email is stored as clear text and can be read by any Sysadmin with vi/nano/notepad, but our state of mind means we don't because it's not right, it's illegal. I suppose you could say that there's also too much to read in order to find the juicy stuff, unless of course you have a big load balanced system with lots of hardware and software, built to parse IP traffic/files for key words, and that's expensive, so you would only be able to afford to put it in the top six or so ISPs.

    Now, if it's illegal for a Sysadmin to read your email, how can Phorm be legal when they 'read' your webmail?

    Ask Google to SSL enable their search site, then ask every web server on the Internet to install an SSL cert. We can be happy as no one can read our data stream, the hardware manufacturers will be happy selling new servers to handle the extra CPU needed during SSL session setup, but we will need an overnight switch to IPv6 as all the servers currently working on HTTP 1.1 host headers will need distinct IP addresses and there isn't enough IPv4.

  134. system



    "If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add "" to the Blocked Cookies settings in your browser."

    @AC: "You can easily inject a cookie in to the web page when the data passes through a layer 7 device"

    Yes, but you cannot read cookies that were not set for the domain being visited. When I visit El Reg, they have no way of knowing if I blocked cookies for webwise or not, they can only read any fake cookie they set for

    @Phorm tech team: "No URLs, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- by the time the page loads."

    You fail!

    To check if I have a cookie set for webwise or not, the page must be returned to my browser with an injected iframe, image or some other resource that would cause my browser to request a webwise page, and thus either send the cookie or not. You cannot know that I am opted out by blocking webwise cookies until my browser makes that request. If my browser does not make that request, either through firewall rules, hosts file blocking or some other method, you cannot know at all. While waiting on that second request, the page *must be held in storage* (RAM still counts as storage) until you receive the request or allow it to time out. If you don't wait to find out if they are opted out then you just created the digest for an opted-out user, which in page 3 of this very article you say will not happen.

    There are no global cookies, there are no methods for telling a server that you reject its cookies.

    Of course, you could use faked redirect headers to send the browser to webwise or oix first (the addresses being handled internally of course) before checking for the cookie and redirecting again to the originally requested site, but if someone has taken the step of blocking all traffic to webwise or oix, you just broke their entire web browsing ability. If you redirect to and they have set to go to, they will never receive the second redirection header and thus never get to the site they wanted.

    If you want to know what we're viewing, go back to browser toolbars and actually pay us for our personal data. If you're not willing to pay the people you are exploiting, then get stuffed.

  135. Anonymous Coward
    Thumb Down

    @ Phorm Tech Team

    All the spin and bulls**t cannot mask the fact that you are facing an increasing number of intelligent, informed people who want nothing at all to do with your company.

    You have failed to answer the simple question "What provision have you made for those who do not want *any* data passed to you?"

    "Trust us, we've been ok'd by Ernst & Young" is a very weak appeal. E&Y are an accountancy house, not an independent and respected technical evaluation house. My views on accountancy houses (Arthur Andersen anyone?) aren't very polite or positive, so you'd better get someone more respected in to conduct an assessment.

    If VM implement this, I'll drop them quicker than the ICC dropped Steve Bucknor.

    Thumbs down because it's all spin and bulls**t

  136. Man Outraged

    @AC re: re: cookie injection

    I get the feeling you don't fully understand what you're talking about. Yes, the routing infrastructure can cause a cookie to be set, but it can't force the browser to transmit that given cookie back in subsequent page requests. The Phorm system relies on a cookie being stored on the client's web browser and that cookie will only be transmitted when visiting subdomains of the domain in which it was set. Phorm relies on this cookie to link a page request to a profile in order to serve targeted adverts. It will work for the targeted ads because they will all come from the OIX domain, but it won't work as an opt-out from profiling because the websites you visit aren't in the OIX domain so it would never see the cookie. Furthermore, the highest domain you can set a cookie on is one below the TLD, so it's impossible. Please, if you do question this again, have the courtesy not to post anonymously and read up on cookies first. I like to explain things but it makes it a lot easier if you don't post anonymously...
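
    The cookie domain scoping argued in this post and in the "system" post above, as an added example that is not code from this thread or from Phorm/BT: it models the browser's domain-match rule and shows that an opt-out cookie scoped to one domain is never attached to requests for unrelated sites, and that the only way an interceptor could learn the opt-out state is a second request to the cookie's own domain, which a hosts-file block prevents. The hostnames and the public-suffix set are constructed placeholders.

```python
"""
Cookie domain scoping versus an ISP-side opt-out cookie.
Added example; hostnames and the public-suffix set are constructed.
"""
from urllib.parse import urlsplit

# Placeholder for the opt-out cookie's domain (the real name is not used here).
OPTOUT_COOKIE_DOMAIN = "webwise.example"
OPTOUT_COOKIE_NAME = "webwise_optout"

# Constructed subset of public suffixes: a cookie may never be scoped to these.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the request host is the cookie domain itself
    or a subdomain of it (the suffix must be preceded by a dot, so
    'evilwebwise.example' does not match 'webwise.example')."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def can_set_cookie(setting_host: str, requested_domain: str) -> bool:
    """A response from setting_host may scope a cookie to itself or to a
    parent domain, but never to a public suffix (no 'blanket' or TLD cookie)."""
    requested_domain = requested_domain.lower().strip(".")
    if requested_domain in PUBLIC_SUFFIXES:
        return False
    return domain_matches(setting_host, requested_domain)


def cookies_for_request(url: str, jar) -> list:
    """Names of jar entries the browser would attach to a request for url.
    jar is a list of (cookie_name, cookie_domain) pairs."""
    host = urlsplit(url).hostname or ""
    return [name for name, dom in jar if domain_matches(host, dom)]


def interceptor_sees_optout(url: str, jar) -> bool:
    """A layer-7 box at the ISP only sees the cookies the browser sends with
    this particular request; it cannot read the rest of the jar."""
    return OPTOUT_COOKIE_NAME in cookies_for_request(url, jar)


def optout_status_via_injected_beacon(jar, blocked_hosts) -> str:
    """Models the one route left to the interceptor when the visited site is
    unrelated: inject a reference to a resource on the opt-out domain so the
    browser makes a second request carrying the cookie. If that host is
    blocked (hosts file / firewall), the request never arrives."""
    beacon_host = "beacon." + OPTOUT_COOKIE_DOMAIN
    if beacon_host in blocked_hosts:
        return "unknown"
    beacon_url = "http://" + beacon_host + "/check"
    return "opted_out" if interceptor_sees_optout(beacon_url, jar) else "opted_in"


def demo() -> dict:
    """Walks through the cases the thread argues about with a constructed jar."""
    jar = [(OPTOUT_COOKIE_NAME, OPTOUT_COOKIE_DOMAIN),
           ("forum_session", "forums.news.example")]
    return {
        # Visiting an ordinary site: the opt-out cookie is not on the wire.
        "seen_on_news_site": interceptor_sees_optout("http://www.news.example/", jar),
        # Visiting the opt-out domain itself: the cookie is sent.
        "seen_on_optout_domain": interceptor_sees_optout(
            "http://www." + OPTOUT_COOKIE_DOMAIN + "/", jar),
        # A blanket cookie on a TLD cannot be set.
        "tld_cookie_allowed": can_set_cookie("www." + OPTOUT_COOKIE_DOMAIN, "example"),
        "parent_cookie_allowed": can_set_cookie("www." + OPTOUT_COOKIE_DOMAIN,
                                                OPTOUT_COOKIE_DOMAIN),
        # Beacon injected into an unrelated page: works only if not blocked.
        "beacon_unblocked": optout_status_via_injected_beacon(jar, set()),
        "beacon_blocked": optout_status_via_injected_beacon(
            jar, {"beacon." + OPTOUT_COOKIE_DOMAIN}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
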

  137. Anonymous Coward
    Anonymous Coward

    A thought

    My take on this is that they can be stopped simply by their opt out setup. Opt out should be a one time event. It clearly isn't and should not require the keeping of a cookie on my machine.

  138. Man Outraged


    Can we get in touch? I'm composing a piece about the very same thing you mentioned above re: cookies and could do with a reviewer. I'm a bit paranoid about the tech team so I would ask that if you do take me up on this you include some unique random phrase in your email to me then blog that same phrase afterwards on this forum.

    How can you trust me? Well check my earlier posts and email me privacy [dot] watch /at/ gmail /point/ com

  139. Paul Barnfather
    Thumb Up

    TalkTalk may have a solution

    As well as confirming it'll be opt-in, they seem to have realised the weakness of Phorm's cookie-based opt out:

    "We had a meeting yesterday and based on customer opinion we decided to use a different method, yet to be decided, to split the traffic so it doesn't hit a WebWise server at all for those that opt out."

    Excellent news - and kudos to TalkTalk for listening...

  140. Mr Anonymous

    re: re: cookie injection and a bit more re:

    >>I get the feeling you don't fully understand what you're talking about.

    Thank you, I think you're confused too.

    >>Yes, the routing infrastructure can cause a cookie to be set, but it can't force the browser to transmit that given cookie back in subsequent page requests.

    I never said that it could. You stated that "Phorm deny that anything is injected into the data stream." I replied "If your data stream passes through a Layer 7 device at your ISP, they _CAN_ write anything into the cookie or page they want." I didn't say anything about making your browser send a cookie, or for that matter I didn't mention reading a cookie.

    My posts have mainly concerned that they are reading _all_ the content of anything you view or post, including any personal info. The only thing in the cookie that we know about is a number that they would like to be set once so that they can track your interests.

    >>The Phorm system relies on a cookie being stored on the client's web browser and that cookie will only be transmitted when visiting sub domains of the domain in which it was set. Phorm relies on this cookie to link a page request to a profile in order to serve targeted adverts. It will work for the targeted ads because they will all come from the OIX domain, but it won't work as an opt-out from profiling because the websites you visit aren't in the OIX domain so it would never see the cookie. Furthermore the highest domain you can set a cookie is one below the TLD, so it's impossible.

    Yes, I agree on how a cookie works, and that is why they need to see all your traffic, as until you visit a site that has one of their ads they won't have access to their cookie. When you do visit an OIX site, they will read the cookie, look your ID up in their database and find that you have opted out; then the ad they send you will be generic and not targeted as you have no profile.

    Before that time your browsing habits will build up the generic profile of what "people" are interested in and when they're interested in it, Phorm can then sell advertising such as (my guess) "In general Internet users have a greater interest in "celebrity" from 4:30pm until 7:30pm, so we can target your budget for your Magazine advertising during this time period, if you use another agency, a higher percentage of your budget will be wasted" K'Ching

    >>Please, if you do question this again, have the courtesy not to post anonymously and read up on cookies first. I like to explain things but it makes it a lot easier if you don't posts anonymously...

    I avoid personally identifiable data when possible, however you seem to be able to identify my posts, so I don't see the difference between Man Outraged and Anonymous.

  141. Pierre
    Thumb Down

    "other user agents are ignored"

    Really? Or does that just mean that you still hijack the stream but don't attempt anything intrusive afterwards? I'd bet 2 years worth of my pay on the second one.

    @ tech team and subsequent Phorm interventions: OK, so right now you carefully filter the stream and don't keep data for a very long time. Still:

    - what tells us that the rules won't silently change as soon as the hardware is in place? (actually, I know, and you know also, that they are going to change at some point. That is unavoidable. And we have to believe that you won't misuse that. Without being legally bound... Potential tons of money+no regulation=trouble for the user)

    - user-targeted ads make it easier for an "advertiser" to place targeted malicious ads. Which is a very bad thing and is far, far far more dangerous for non tech-savvy users than the allegedly "anti-phishing" utility (which, by the way can't be anywhere near efficient if it works the way you describe. How would blocking "known phishing sites" work? Do you have the beginning of a clue on how phishing works in the real world? E-mails, compromised legacy sites, transient redirection to constantly moving forged sites, ... heck, even https streams sometimes, which you said you didn't read!)

    - as stated repeatedly here (strange, you seem not to be willing to address the problem in your answers), even assuming that you will behave, you're adding a very heavy threat: any vulnerability in your system would allow hackers to get the complete data streams of a good half of the population. And you're seeing that happening, aren't you. Your statement that "we are not processing the data, the ISP is, as our hardware will be in the ISP's facilities" (roughly) is only you trying to put all the liability on the ISP... clever... even if YOU will probably maintain the hardware and software...

    As a conclusion: you're -at best- just putting everyone at risk (assuming you stick to the "good resolutions" you exposed here and don't shaft everyone by yourself in the first place, which remains to be demonstrated).

    I vote death.

  142. mark
    Thumb Up

    @Man Outraged

    Exactly. I went on the Phorm "web chat" last night and asked for them to explain how they were going to get my browser to send a phorm cookie when I wasn't requesting a resource under the phorm domain - no surprise that they DIDN'T ANSWER THAT ONE!

    What would be really useful here is an architecture diagram showing ISP hardware (perhaps in green) and Phorm hardware (in red) and numbered arrows indicating the sequence and flow of data through the system. I asked for as much on the chat last night - and it was promised - but instead we go to and see a video of some fat woman bleating on about how great targeted advertising is.

  143. Morely Dotes
    Black Helicopters

    My analysis

    The following is entirely my own opinion, as an Information Technology professional:

    'When you actually poll people and you say to them "what are the things that irritate you most about the internet?" they'll say two things: being bombarded with the amount of irrelevant advertising, and online dangers.'

    Bollocks. The sheer amount of advertising, not relevance of the advertising, is the issue. I don't need a spyware purveyor to be my nanny, thanks, I can choose which Web sites to visit and which to ignore. Anything with more than three things I recognize as "advertising" goes on my ignore list. I'm sure other people have higher (and lower) thresholds.

    "I think that most sites in due course will show less advertising."

    How long is "in due course?" A year? A decade? A century? Duping people into understanding what you *want* them to take away from your statements, without telling outright lies, is a fine art, and it looks like Phorm is very good at that.

    'Because our privacy is better. It has got an on/off switch. There's a place consumers can go and say "off". They can't do that right now.'

    This one, however, is an outright lie. The hosts file is readily available to every Internet user, and by adding Phorm's DNS hijacker to the hosts file published by, every Internet user can permanently opt-out of Phorm's spying.

    'Look, if we had anything to hide we wouldn't invite you in here. We'd give you some bullshit statement saying "no comment"'

    No, you'd use the old standby of misdirection. I've been a stage magician; I know how it's done.

    "here are options in Firefox and IE that do that already.

    KE: I know, but how many people do you think actually use that?"

    Millions, apparently.

    "This is a way of helping people who aren't necessarily tech-savvy."

    From a tech-savvy point of view, this is a way of collecting data to which Phorm has no legal right from people who don't know they're giving it up.

    "If people come away from this interview thinking we're these slimy people, then we can't make an impact."

    No impact, then.

    And here's why I think they're slimy:

    "It'll be automatically switched on then?

    KE: The conversation over opt-in/opt-out is blurred by the one about transparency. They want to always be aware about whether something is on or off.

    So we're going to do something unprecedented, and you'll never see this anywhere. Which is, as they continue to browse periodically you're going to see in an ad space "Webwise is on" or "Webwise is off","

    So they *are* going to detect the cookie, and they *are* going to react to it, *EVEN* *IF* *THE* *USER* *HAS* *OPTED* *OUT*. And frankly, that alone tells me that Phorm cannot be trusted to not collect the data, and cannot be trusted to install their server without a back door into it. Honestly, anyone who's ever had a server in a remote data center knows that only an idiot would put it there if there was no way to access it remotely.

    In summary, I trust these guys about as far as I can throw Scotland.

  144. Sim

    your confidential

    Some of the things that Phorm will be intercepting and harvesting, whether or not they retain them in the long term:


    usernames and passwords,

    forum posts and website comments that you make.

    I write web applications for small businesses.They often contain confidential information of various sorts that is not available to those without login credentials.

    We need some informed legal opinions about the applicability of Data Protection Laws.

  145. Leonard
    Thumb Down

    Website owners won't be happy

    If I as a website owner have gained the trust of an advertiser to advertise their wares on MY site, and they pay me for that advertising, who gives PHORM the right to change those adverts because they think they are not appropriate for my users? Is PHORM going to refund my advertiser because the advertising was not relevant for the viewer on my site? I don't think so.

    I think every web hoster and advertiser partnership would take a very dim view of this.

  146. Anonymous Coward

    burn in hell phorm

    OK a question.

    BT tested Phorm last Summer and lied about the fact

    Phorm submitted to the Data Protection people a few months ago, but after the test.

    If what they are doing is illegal then why has no complaint about last summers test been made to the police?

  147. Anonymous Coward

    Hush for a moment and listen

    . . . . the silence is the regulators' heads buried in the sand hoping this will go away . . . . don't let them sleep so SOUNDLY. . .

  148. tom

    Anonymizer: still the issue

    I have to give these guys props for talking to El Reg and talking on the skeptics directly.

    They state plainly that they are not storing personal information. They also imply that it cannot be easily associated with a particular individual. This is almost certainly deception through omission. It's more or less trivial to associate it with a user at a later date, if this is what you want.

    Their intentions seem good. What if their intentions change, or are changed for them?

  149. Anonymous Coward
    Anonymous Coward

    PHORM "I know what you did last summer"

    It looks like they have finally admitted that BT were trialling the service in July of last year, this being against the BT privacy policy.

    What wasn't raised during the interview was what exactly the database servers in China would be storing.

    From the interview I read it as PHORM won't clickstream your data but BT might; given that it looks like BT were less than open about last summer's activities, it's Ernst Stavro Blofeld's cats all round.

    This is supposed to protect the less technically able? LOL, they are the only ones who will still be using these ISPs.

    Sign the Gordon Brown petition and let's protect the noobs.

  150. Man Outraged

    Neat trick...

    Just realised with a google search of "phorm" and "tech team" I can easily find all the other outpourings of grief that someone has the audacity to propose tapping all our webstreams. Nice work tech team for tagging them so neatly!

    @AC re: re: *you just don't get it* - you can be anonymous and still have an identity that gives the courtesy to other users to see what else you've had to say on this topic but hides it from your boss. Of course it's your right not to, and I wouldn't be beating you up on it if you at least checked your facts before you accuse others of having their facts wrong. I took the time to explain your mistake to you; now grow up.

  151. therealvicz
    Thumb Up

    @ TalkTalk may have a solution

    i. e. they have cracked first! It seems the ISPs are realising that they are responsible for the illegal wiretap, and Phorm's hands are clean (if slimy). Still, some credit to TT even if their motives aren't entirely altruistic.

  152. Luther Blissett

    Phecking these jokers over

    Pretty phishy. Explanations which morph just like the company name. Sooo much effort to claim respectability with the competent authorities (did they all get the same story? how much of this is pure hype?) - yet so coy with the punters. Phorm seem to want to tell everything, but BT seem to want to tell nothing. Persistent cookies to signify opt-out rather than opt-in (like guilty until proven innocent) - Hotel California. ISPs having to change their T&Cs. You can almost smell the desperation. And why tout the "built in Russia", when everyone knows (something) about what Russian hackers can get up to?

    They claim to store (in memory - for now) only what is required to service a page request. How is that compatible with profiling? Analysing a page is not profiling. Profiling implies accumulating an analysis of pages requested - if only for the current session. So is the profile only stored in memory for the current session also? (Just about technically feasible, to venture a rough guess, if the profile comprises only indices - pointers to data on disk, perhaps?).

    To take down this thing.

    The system claims to target ads. Doubts must be raised in advertisers' minds that the premium they are paying for is worth it. As the system appears to invert (if not subvert) so many assumptions about HTTP, an ironically appropriate user defence would be to subvert the premise it relies on - that of the bona fide end-user.

    Random URL generators - perhaps it's possible to optimise these to kill the download after Phorm's system has been fully committed to the page request, ie, call it and then tell it to pheck off.

    Gaming their cookie. What happens if a user-process morphs the cookie every few seconds? What happens if cookies are sown onto bot-nets? What happens if identical cookies are sown onto bot-nets?

    Given where this thing was assembled, I expect counter-measures have already been built in.

  153. BitTwister

    No, no and NO

    Far too much spin, gloss and misdirection - even in the response from the Phorm tech guys who STILL miss answering the direct questions - along with the charmingly naive assumption common to all purveyors of this type of 'service' which assumes adverts are somehow useful to everyone - but of course the ability to provide this 'service' is of MUCH greater use to Phorm, which exists only because the web has exploitable users. (I believe the warm and friendly term used was "monetise")

    When I browse a site it's for a specific purpose and if a site doesn't cough up what I'm looking for then I simply look at another - generally easily found with any search engine. This whole experience is made annoying by the visual noise of ANY form of advertising so as a result, they're ALL disabled here. I don't WANT to see advertising, PERIOD.

    I also dislike intensely the assumption that I'm a retard who requires "targeted advertising" <spits> because plainly, I am incapable of just looking about and deciding for myself. It's far too much like that sodding MS Office paper clip popping up and asking if I want help with writing a letter. Sure, go right ahead: write the whole damn thing for me...

    It's completely arrogant and plain WRONG to be opted-in to this 'service' as the default choice: how dare you assume that I'll find useful what you provide, without even bothering to ask me first (and no; undocumented analysis of MY data doesn't count). As others have pointed out, to remain opted out I'd be REQUIRED to keep the Phorm cookie. No, not good enough; this is just shabby thinking. Further, since users who have opted in to this 'service' are helping Phorm make money it only seems fair that these users are paid for the data Phorm is harvesting. But of course it HAS to be opted-in as a default: who would (effectively) tick a box marked 'yes please - pester me with more adverts I've not asked for. The stuff I see on the streets, transport, TV and in newspapers just isn't enough'. The only acceptable form of default action is that my browsing habits are examined by nothing and no-one - unless I request it specifically. (law enforcement actions with the ISP and gubbinment snooping excepted...)

    The privacy implications are legion and no amount of smooth talk will convince me that it's anything other than targeted snooping of hog-tied users' data with the sole purpose of making money. And thanks, but no thanks - I've been around long enough to recognize a phishing attempt whether it's in a mail or on a site. It's not exactly rocket science, is it...

    The only difference between spam and "targeted advertising" is that spam tries to sell snake-oil or fakes and a site visit would likely attempt to infect Windows with something nasty, and "targeted advertising" tries to sell something legal from a trusted site.

    Curiously, while it's well accepted that addresses used for spam are gathered by underhand or nefarious hoovering techniques, we're expected to accept that because Phorm announce it would hoover details sufficient to achieve exactly the same thing as spam (unsolicited information) - it's now supposed to be a Good Thing.

    In either case any advertising received is still going to be an unrequested, hit-n-miss opportunistic attempt at getting me to part with my money.

  154. William Morton

    reply to phorm tech team

    ""Hi. Tech Team at Phorm here. There are some common themes here and some specific questions which I can answer over a series of posts.""

    I understand what you are saying to be that rather than store the phrases directly from our web requests you have a list of phrases in a database and tick each one that is on the page I requested. This way the only thing being stored is a pointer to your database of phrases, very similar to a lexicon based compression system.

    If you are being open about this then I would expect you to make your phrase database available, this being so we can see that you don't have any phrases to capture postcodes, names, websites etc.

    I say this as a lexicon-based compression system is just like a zip archive in that you can get all the data back; even if you only have all the words in the English language and their number of occurrences you can still read back a lot of information, as most English words are padding.

  155. Anonymous Coward
    Anonymous Coward

    Ads You dont want em, no probs

    I use admuncher

    I think it's free now or maybe just cheap; I got a lifetime licence about 5 years ago for something like $10 and haven't checked since. Anyway, adverts: my computer says no. It updates, it removes, it blocks, it sticks two fingers up at stuff, with IP masking for web browsing for your goat pr0n habits.

    Best software I ever used; it does what it says on the tin!

    Other than that, CCleaner is good for your PC and free too. I really don't have a problem with ads at all; in fact I sometimes switch it off so I can see some stuff, but not very often.

  156. colin stone

    Share price

    It looks as if this nasty company is starting to take a hit in the share price.

    From a high of 3506p at the end of last week, the current price is 2785p.

    Yesterday (Friday) the price dropped by 7.3%

    Keep up the good work reg, and remember to sign the petition @

    If we cannot win with the ISPs we can always bankrupt the scum.

  157. Mr Anonymous

    Man Outraged

    You can see my posts, they're quite obvious, but just in case.

    Posted Friday 7th March 2008 12:01 GMT

    Posted Friday 7th March 2008 12:14 GMT

    Posted Friday 7th March 2008 14:18 GMT

    Posted Friday 7th March 2008 15:21 GMT

    Posted Friday 7th March 2008 16:52 GMT

    Posted Friday 7th March 2008 17:35 GMT

    Posted Friday 7th March 2008 17:47 GMT

    Posted Friday 7th March 2008 17:55 GMT

    Posted Friday 7th March 2008 19:34 GMT

    Posted Friday 7th March 2008 21:10 GMT

    Unlike yourself, I have _not_ accused you of wrong facts. I could, if you want: "Yes, the routing infrastructure can cause a cookie to be set" is incorrect. Routing is Layer 3; it hasn't got a clue what is going on at the application layer. In my last reply I didn't pick you up on it, as it didn't help me to try and clarify what I was attempting to say.

    I repeat that I never said that Phorm could "force the browser to transmit that given cookie back in subsequent page requests"; you said that in a subsequent post that you misunderstood. I _actually_ said they can write whatever they want into a data stream at Layer 7, something I think we both agree on.

    If we take Phorm's word about not knowing your IP by, for instance, parsing the RADIUS auth packets when you log in, they cannot know who you are. If they don't know who you are they can't know whether you have opted out, so by sending you non-targeted ads it is like you being on a "clean" ISP as far as your received web pages go. However, when you visit a site served by their advertising, they will get your id from _their_ cookie and either show targeted ads or, if you've opted out, show you non-targeted ones.

    Phorm don't hijack other people's ads and replace them with their own; they don't alter the HTML with frames, iframes, web bugs, tags or anything else. They serve advertising on some of the sites that you visit, and if they know who you are they target the ads depending on the option in their/your cookie.

    Who cares about the ads; there are numerous suggestions here to block them, the easiest being to add their servers to your hosts file with a localhost IP.

    The _issue_ is that they _intercept_ your data, machine read it _all_ and then take different actions according to the content; this is done before they know that you want to opt out.

    Hiding what you do from your boss is another issue that is not relevant to this discussion, so I shall not comment. Stop the flame and fight Phorm's interception of ordinary people's data; the masses are not all capable of understanding the issues or taking any needed avoiding actions, they don't even know anything is going on! Schemes such as polluting Phorm's data with automatic random requests, even by thousands of individuals, are pointless; Phorm will still sell advertising based on your unusually patterned data. More importantly they are only interested in targeting the millions of ordinary users.

    PS, as you did not notice, my last two posts are by Mr Anonymous; is that more or less anonymous :-)
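Mr Anonymous (post 157) and the reply to Kent Ertegrul (post 143) both point at the hosts file as the blunt, user-controlled way to stop a browser ever reaching a named ad or tracking server. The helper below is an added example, not code from the thread or from any of the companies discussed: it appends entries idempotently, rejects malformed hostnames, and replaces the file atomically so a crash cannot leave it truncated. The hostnames in `demo()` are constructed placeholders; the page does not name Phorm's servers.

```python
"""Added example: blocking named ad/tracking hosts via the hosts file."""
import os
import re
import shutil
import tempfile

BLOCK_IP = "127.0.0.1"   # 'a localhost IP' as the post says; 0.0.0.0 also works and fails faster
MARK = "# blocklist example"
# RFC 1123-style hostname: dotted labels of letters/digits/hyphens, 2+ letter TLD
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_hosts(text):
    """Return the set of hostnames already mapped in a hosts-file body."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        names.update(n.lower() for n in fields[1:])   # fields[0] is the IP
    return names


def block_entries(existing_text, hostnames):
    """Return (new_text, added): the hosts body with missing entries appended.

    Raises ValueError on a malformed hostname so a typo never lands in the file.
    """
    present = parse_hosts(existing_text)
    added = []
    for raw in hostnames:
        host = raw.strip().lower()
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"not a valid hostname: {raw!r}")
        if host not in present:
            added.append(host)
            present.add(host)
    if not added:
        return existing_text, added
    body = existing_text
    if body and not body.endswith("\n"):
        body += "\n"
    body += "".join(f"{BLOCK_IP}\t{h}\t{MARK}\n" for h in added)
    return body, added


def apply_blocklist(hosts_path, hostnames):
    """Append missing entries to hosts_path; returns the list actually added."""
    with open(hosts_path, "r", encoding="utf-8") as f:
        text = f.read()
    new_text, added = block_entries(text, hostnames)
    if added:
        # write to a temp file in the same directory, keep the original's mode,
        # then rename over the original in one step
        directory = os.path.dirname(os.path.abspath(hosts_path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts.")
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new_text)
        shutil.copymode(hosts_path, tmp)
        os.replace(tmp, hosts_path)
    return added


def demo():
    """Run the helper against a throwaway copy of a hosts file (never /etc/hosts)."""
    targets = ["ads.tracker-example.test", "OIX.tracker-example.test"]  # constructed names
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        with open(path, "w", encoding="utf-8") as f:
            f.write("127.0.0.1\tlocalhost\n")
        first = apply_blocklist(path, targets)
        second = apply_blocklist(path, targets)   # idempotent: nothing new
        with open(path, encoding="utf-8") as f:
            names = parse_hosts(f.read())
    return first, second, names


if __name__ == "__main__":
    print(demo())
```

Run `apply_blocklist("/etc/hosts", [...])` with the appropriate privileges on a real system; `demo()` works on a scratch file so it can be tried without touching anything. Hosts-file blocking only stops the browser talking to the named servers, which, as later posts in the thread point out, does nothing about interception on the ISP side.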

  158. William Morton

    FAO PHORM TECH TEAM --------PHORM as lexicon compressed format

    If what you say about your phrase matching is true, what about the 10 keywords? Are these copied up to your database server to expand the lexicon?

    I ask as blogger usernames are very quickly going to be associated with your cookie, so losing the blogger his anonymity. In fact 10 keywords that don't appear in your lexicon are going to be very personal to me.

    If this system simply looked at the URL of the pages I visited it wouldn't be so bad, but clearly you want more than you could find in a proxy server cache or you wouldn't go to such lengths. Your method is clearly designed to capture data from within my personal session and snoop on my form posts. If, as you assert, you are only interested in what I am viewing so you can tailor my advertising, why not just use a proxy server and run your phrases off the URLs, not the cached pages? No, clearly you want in on my personal session, and what I post is so important that you are willing to develop this system to capture it.
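William Morton's two posts (154 and 158) make one argument: storing only pointers into a phrase lexicon is lexicon-based compression, so the indices expand straight back into what was on the page, and the handful of tokens that fall outside the lexicon are exactly the ones that identify a person. The toy model below is an added example, not Phorm's code and not a description of how its system actually works; it demonstrates both points on constructed sample pages. The lexicon, stop-word list, pages and username are all invented.

```python
"""Added example: a phrase-index 'profile' is still the text."""
from collections import Counter

# Constructed 'interest' lexicon; a real one would be far larger, the mechanism is the point.
LEXICON = ["cheap flights", "mortgage rates", "running shoes",
           "laptop deals", "car insurance", "holiday villas"]
PHRASE_TO_ID = {phrase: i for i, phrase in enumerate(LEXICON)}

# Constructed stop-word list: only genuinely uninteresting tokens are filtered out.
COMMON = {"the", "a", "i", "to", "and", "of", "for", "my", "on", "in",
          "is", "at", "it", "by", "from"}


def tokenize(text):
    """Lower-case word tokens with basic punctuation stripped."""
    cleaned = text.lower().replace(",", " ").replace(".", " ")
    return cleaned.split()


def index_page(text, max_keywords=10):
    """Model of an index-only profiler.

    Returns (matched_ids, leftover_keywords): lexicon indices for the phrases
    present in the page, plus the first `max_keywords` distinct tokens that no
    matched phrase covered (the '10 keywords' post 158 asks about).
    """
    lower = text.lower()
    matched = sorted(i for phrase, i in PHRASE_TO_ID.items() if phrase in lower)
    covered = set()
    for i in matched:
        covered.update(LEXICON[i].split())
    leftover = []
    for tok in tokenize(text):
        if tok in covered or tok in leftover:
            continue
        leftover.append(tok)
        if len(leftover) == max_keywords:
            break
    return matched, leftover


def expand(matched_ids):
    """'Decompress': the stored indices come straight back as the phrases."""
    return [LEXICON[i] for i in matched_ids]


def identifying_tokens(leftover):
    """Leftover tokens that are neither lexicon phrases nor common words.

    These survive the 'we only keep pointers' story and are what ties a
    record to a particular person (usernames, places, and so on).
    """
    return [t for t in leftover if t not in COMMON]


def build_profile(pages):
    """Accumulate matched phrases over many pages: that accumulation is the profile."""
    counts = Counter()
    for page in pages:
        matched, _ = index_page(page)
        counts.update(expand(matched))
    return dict(counts)


# Constructed sample pages standing in for one browsing session.
SAMPLE_PAGES = [
    "My blog post by jsmith_1987 on cheap flights and running shoes, posted from Leeds LS1.",
    "Comparing mortgage rates and car insurance quotes for next year.",
    "More cheap flights to Malaga in June.",
]

if __name__ == "__main__":
    ids, leftover = index_page(SAMPLE_PAGES[0])
    print("stored ids:", ids, "-> expands to", expand(ids))
    print("identifying leftovers:", identifying_tokens(leftover))
    print("profile:", build_profile(SAMPLE_PAGES))
```

The design point for anyone reviewing a "we only store pointers" claim: a pointer is only as anonymous as the table it points into, and a small overflow list of unmatched keywords is where usernames and postcodes end up.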

  159. William Morton

    Ertegrul is the prince of darkness

    Ertegrul = Get Ruler

    Clark-Kent Ertegrul = lurking E-tracker tree

    and if you add and take some letters give 'em a bit of a shuffle you get

    "All your HTTP are belong to us"

  160. Mark

    Red herring

    There's plenty of slime in there among the spin. Google is the big red herring; those signed up to the ISPs doing this are likely tied to a contract, so cannot simply opt-out at any time by moving without paying for it. Choosing whether or not to have google/yahoo or whoever monitor your search and browsing is way simpler. Use another search engine and they'll be none the wiser you exist.

    My browsing habits are mine and not for sale, so fuck off.

  161. William Morton

    Kent Ertegrul is after you

    Kent Ertegrul =get net lurker

    That surname has got to be made up

  162. system


    mark: is a diagram of how it *may* work, cobbled together from the various info Phorm have released. They say the profiler is offline, so it's a separate branch to your browsing stream. In this diagram, data *must* wait at the profiler for a cookie that may or may not arrive with the next request after the ISP has injected an iframe/image/whatever. If it does not, then they are profiling all traffic regardless of opt out, and the only time they know about the opt out is in the ad serving stage. If it is waiting, then that is storage (which they deny) of the entire page you are looking at, and that is bad for security.

    To tie the ad server to the result storage in the ISPs building, they either need the result storage linked to the outside or the ad server on the inside. Either they have a security hole in the storage servers connections, or they must regularly enter the ISP and update the ad server.

    If the profiler is instead moved to the left and placed inline using redirection headers to detect opt outs before the page request, any block placed by you on the address the profiler is responding to will break all your web browsing.

    Man Outraged: Mr Anonymous is talking about the networking possibilities when they place something in the network operating at level 7, rather than how the thing might operate as a whole. The ISP is basically giving Phorm the ability to inject or remove anything they want from the page and headers. At level 7, they have the ability to alter your El Reg cookies, or any other cookies, to store anything they want in them. If they were to inject a special OIX cookie into every single page requested, then remove it before it travelled upstream, they could work a solution to opt outs whereby the traffic never touches the profiler if no cookie is set, or the opt out cookie is set. This however would need either 100% cookie acceptance for all domains, blocking of all cookies, or blocking of cookies for all sites by cookie name.

    Infighting only distracts from the real enemy here :-P

    Anyway, I'll send you an email from the domain above (asshat). That should verify me :-P
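system (post 162) and Mr Anonymous (post 157) make the same design point from different directions: if the opt-out is only honoured at the ad-serving stage, the profiler has already read every page, opted out or not. BitTwister (post 153) adds that under a cookie-based opt-out you have to *keep* the cookie to stay out. The simulation below is an added example, not Phorm's or any ISP's code and not a claim about how the deployed system is built; it runs constructed requests through both placements of the check and under both cookie schemes, and records whose pages the profiler actually read. User names, the cookie name, URLs and page bodies are all invented.

```python
"""Added example: where the opt-out check sits decides who gets profiled."""
from dataclasses import dataclass

OPT_COOKIE = "webwise"        # invented cookie name; the real one is not on the page


@dataclass
class Request:
    user: str
    url: str
    cookie_header: str = ""   # raw Cookie header as the browser sends it


def cookie_value(req, name):
    """Return the named cookie's value, or None when the browser sent none."""
    for part in req.cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def profiling_allowed(req, scheme):
    """opt-out: silence means yes; opt-in: only an explicit 'on' counts."""
    value = cookie_value(req, OPT_COOKIE)
    if scheme == "opt-in":
        return value == "on"
    if scheme == "opt-out":
        return value != "off"
    raise ValueError(f"unknown scheme {scheme!r}")


def run(requests, pages, check_stage, scheme):
    """Simulate one design.

    check_stage == "ad":     every page is mirrored to the profiler and the
                             cookie is consulted only when an ad slot is filled.
    check_stage == "inline": the cookie is consulted on the request path and
                             non-consenting traffic is never copied to the profiler.
    Returns (sorted users whose pages the profiler read, {user: ad kind}).
    """
    if check_stage not in ("ad", "inline"):
        raise ValueError(f"unknown check_stage {check_stage!r}")
    profiler_saw = set()
    ads = {}
    for req in requests:
        body = pages[req.url]                 # the content the profiler would parse
        allowed = profiling_allowed(req, scheme)
        if check_stage == "ad" or allowed:
            profiler_saw.add(req.user)        # page content is read at this point
            _ = body
        ads[req.user] = "targeted" if allowed else "untargeted"
    return sorted(profiler_saw), ads


# Constructed traffic: one user never set the cookie, one opted out, one opted
# in, and one whose opt-out cookie was wiped by a cleanup tool.
SAMPLE_REQUESTS = [
    Request("alice", "/news", ""),
    Request("bob", "/news", f"{OPT_COOKIE}=off; theme=dark"),
    Request("carol", "/shop", f"{OPT_COOKIE}=on"),
    Request("dave", "/news", "theme=light"),   # had webwise=off until a cleanup run
]
SAMPLE_PAGES = {"/news": "<html>constructed news page</html>",
                "/shop": "<html>constructed shop page</html>"}

if __name__ == "__main__":
    for stage in ("ad", "inline"):
        for scheme in ("opt-out", "opt-in"):
            seen, _ = run(SAMPLE_REQUESTS, SAMPLE_PAGES, stage, scheme)
            print(f"{stage:6} {scheme:7} profiler read pages of: {seen}")
```

Two things fall out of running it: with the check at the ad stage the profiler reads all four users' pages whatever cookie they carry, and under an opt-out scheme the user whose cookie was cleaned up is silently profiled again. Only the inline check under an opt-in scheme keeps everyone but the explicit volunteer away from the profiler.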

  163. Anonymous Coward
    Anonymous Coward

    Just sue the ISP

    It's illegal to intercept a user's data stream for financial gain without the user's permission so....

    send BT/Virgin etc a letter saying that you deny them permission to do so.

    Wait for the webwise opt out page to appear...

    sue ISP


  164. Anonymous Coward
    Anonymous Coward

    P.H.O.R.M The Real Meaning

    Nothing stored to disc, yeah right, so P.H.O.R.M really stands for

    P. Phishing

    H. Haven

    O. Over

    R. Random

    M. Memory

  165. night troll

    No thanks

    He has not convinced me. I still do not want this.

    If ISPs need to make more money then put up the prices the customers pay. If they put up the price and provide a good service then they will not lose customers; put up the price and provide the same crap service and they will. Hell, most customers go for the cheapest price because we know it's (mostly) crap customer service. Charge a realistic price and provide good service and that's the ISP that will win in the end.

    This PHORM thing is just a can of vipers just waiting to bite the arse of the ISPs that sign up for it, and it will hurt them big time right from day one.

  166. mark

    Note To BT Customers

    BT are telephoning customers and offering a discount on the price of their internet, but the catch is your contract gets renewed for a further 18 months.

    This seems to tie in with them starting PHORM this month, to stop customers from defecting by tying them into a further contract.

    I received a call 2 days ago offering me this discount. I asked the BT rep on the phone what about PHORM and he said "I am sorry, I am not able to comment on that".

    I told him where to get off with his discounts and told him if BT use PHORM on my account I am off to find another ISP; he promptly put the phone down.

  167. Phill

    I'm seriously pissed off

    The information I type into a browser is for the target only. There is a huge difference between a company putting ads on their website and for my ISP to track my browsing across the ENTIRE INTERNET. One is fine. One is completely immoral.

    It is irrelevant whether there is money in advertising. My ISP is an ISP and has a sole duty to provide me with nothing but a packet routing server. Injection or modification should be illegal.

    This service is opt in because nobody wants it. It is theft.

  168. tech idiot
    Paris Hilton

    Shifting Sands

    Just had a look at the interview text on and it appears that the message is changing which makes me even more suspicious. Phorm are now claiming that the absence of a cookie OR a cookie that has opt-out indicated will automatically mean that their equipment never sees the data stream i.e. that the ISP is controlling the opt-in opt-out switch not Phorm and that contrary to what most of us previously understood, Phorm doesn't profile all ISP account holders no matter what. That's what they're now claiming anyway.

    This now looks like the ISPs are far more culpable than Phorm, and I suspected that there'd be no way the authorities would allow a 3rd party to control the opt-in opt-out in the way we've all believed. My guess is that in a way, Phorm is a front for the ISPs. The coincidences are too strong. The ISPs want a piece of Google's pie and they've been persuaded that profiling is the key. All that Phorm will do is act as an agent of the ISPs to flog the profiles to advertisers. If BT, TalkTalk, VM etc. all acted together to do this and didn't have Phorm as a middle-man then they'd be in deep trouble with the competition commission and the EU trade commissioner. In effect, their gambit is to achieve the same outcome by letting Phorm do the dirty for them. Phorm becomes the proxy collective negotiator with the content providers on behalf of the ISPs. From the content providers' point of view this deal stinks since they now face an instantly created monopoly on who can provide this service. One Phorm to rule them all!!

    Phorm's PR offensive is extraordinary. They are super-prepared so knew this was coming. This makes perfect business sense for the ISPs. They need to understand exactly what the law will allow and what it won't. If the end result is that after all the dust has settled they are free to profile account holders then no matter all the bad publicity it will be worth it. Imagine how much your bank and credit card company could make if they were allowed to profile your spending habits and sell the results to advertisers!! I suspect that's why the story is shifting. Who owns what servers/switches? - at what point is the profiling turned on/off? - are all account holders profiled? - what terms are searched? etc. etc. all these questions are receiving subtly different answers as Phorm works through what it might get away with and what it won't! The ISPs keeping their heads down looks like a plan hatched in advance since it would be impossible for them not to contradict each other at least in fine detail if not catastrophically.

    This looks increasingly like an ambush by the ISPs. They needed to work as a cartel to do this or there would have been mass migration away from the profiling ISP(s). Phorm may well turn out to be just a patsy. The Register needs to turn the heat on the ISPs smartish.

    Paris' "agent" wonders out loud - now if I can just persuade Phorm to include Paris+Hilton+*********+******* in their lexicon I'll be rich, Rich, RICH

  169. Mr Anonymous

    Anti Phishing Benefit

    Phorm make much of the anti-phishing benefit of their system and why ISPs are opting everyone in as it will be "giving you better protection against online fraud ".

    If this is such good protection, why don't they indemnify you against any losses that occur from being fooled into divulging security info to a phishing website? Now that would be a real benefit to users.

    Do they just prevent you visiting a site on their list, or show you a warning?

    Who decides what is on the list? It could easily be subverted into a censorship list under the guise of being anti-phishing.

  170. Anonymous Coward
    Thumb Up

    @Luther Blissett

    Phantastic post.

    A firefox plugin that periodically changes the phorm cookie and referrer url, perhaps between each request, would not only prevent phorm from building a profile on the person using the plugin, it would also infect the profiles of other users. If enough people used such a plugin, the whole phorm business model falls in a heap. No profile would be reliable. It would be impossible to tell whose browsing habits belonged to whom.

  171. Schultz
    Thumb Down


    Let me summarize this great business idea:

    Your data has to pass this way,

    when it does we will tax it

    In return we can guarantee safe passage

    Make no mistake about it, they make money --> you pay, somewhere, somehow! Ads sound like they have a magic power to give you stuff for free (well, the good ones at least), but everyone down the chain makes money and it's the consumer who pays.

    Yes, that's you. You, the target of that ad. You, the innocent civilian...

  172. Aaron
    Thumb Down

    My Take

    My take is that this isn't as bad as I first thought it would be, but it's still wrong. First of all it doesn't add security or reduce ads at all.

    By opting out, my data should never be routed to the box that is harvesting URL data. It shouldn't be down to a cookie or some other file on my PC.

    Also, the way I see it my ISP does not have the right to "sell" my browsing habits. My habits are mine; they are the results of my own personal effort and spare time, and while I have nothing to hide, if anyone has the right to make income from my own work it's me and not my ISP.

    At the end of the day I don't accept ads in my browsing. I maintain a personal hosts file that blocks the ads and redirects all known ad servers to a blank image and Flash on a webserver on my local network. This means I don't see any ads, no delays waiting for blocked links, and pages don't look distorted or appear to have missing content. While this is a little more advanced than most people's ad blocking methods, I'm by far not alone in saying no to ads of any kind. If I want your product I will search for it and come to you; I will NEVER buy from you if you try to force your product in my face.

  173. Anonymous Coward

    Contact Us on phorm's website

    OK, have clicked on the PHORM webpage, and hit the contact us button and sent the following....

    Dear Sirs,

    I am very concerned about your deal with certain UK ISPs in reference to the "targeted ads" which will be supplied to me within web pages that I am viewing, and that I also have to opt out by installing a cookie on my PC. I would like to make it very clear that I do not wish to be automatically opted into this service now or at any time in the future without my express consent, and do not agree to allow any of my personal information (this includes but is not limited to my browsing habits) to be viewed by yourselves or any other company/person/entity. I would like confirmation that I will not be included in your program, and assurances that you will not be viewing any of my personal information (including but not limited to web browsing, web searches, clicked online adverts, mis-types in address bars, text entered on web pages). My ISP is Virgin Media.

    Yours faithfully

    Will see if I get any reply to this

  174. Steve

    @ Phorm Tech Team

    Fuck off.

    I really can't be arsed to type out all the arguments against what you're doing - you're being disingenuous and desperately trying to avoid answering any pertinent questions. You know, we know it.

    So just fuck off.

  175. Graham Wood


    Oh, I've already got a way of doing it, I just want them to tell me how to really opt out, rather than just opting out of the targeted ads.

    Their lovely attitude of answering with respect to the subset of the system that they can be nice about is why I want a definitive answer about a complete opt out... (e.g. opt out refers to only the ads, "not going to phorm" is because the hardware is at the ISPs site, questions about privacy are answered from the point of storage not visibility, I could go on).

    My current ISP "has no plans" to go with Phorm, at present, but that may change... So I'm going to set up a VPN to a colo box with a spare IP - and the only traffic that will be allowed through my ISP's link is the VPN. Snoop that you ba****ds.

    (Apologies to my current ISP for any implied 'all businesses are arseholes'; I don't actually have any issues with you as things stand *grin*)

  176. Anonymous Coward

    ISP trust

    The two biggest problems are that

    1. they will use a cookie for opt-out, so that cookie itself can be used as a tracking mechanism by anyone (all advert servers must have access to that cookie, right?) and could be inadvertently deleted by disk cleanup tools too.

    2. BT (and other ISPs that buy into this deal) will store a full copy of the webpage that we visit.

    In regard to point 2 as well: BT are famous for outsourcing all development and support (TCS/Tech Mahindra/HCL to name a few prominent partners), so these BT servers that hold this cached data will almost undoubtedly be supported from offshore centres. Therefore, whilst the data may be stored in the UK, it will be easily accessible to offshore (i.e. outside the EU) people who could retrieve/query such data. BT currently allow non-EU partners to access all your billing/phone details (as they provide 1st/2nd and 3rd line support to the systems!)..what makes you think this will be better protected?

  177. Graeme Hill

    If I opt out....

    "Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads."

    Does this mean if I opt out, I will get double ads on the pages I view? Will someone come round to my house and wave things in front of my monitor so I can't see what I'm doing (which would make my internet experience a bit crappy)? Or will my ISP come round and re-educate me on my opting out habits????

    Methinks that my internet experience will remain the same as it is now (all right, unless I have to call my ISP at a premium rate to talk to someone over the other side of the world who speaks less English than my 6 month old child)

    mines the donkey jacket with the mittens on a string through the sleeves................

  178. BitTwister

    @Ads You dont want em, no probs

    > I use admuncher

    Well good for you, but ads are easily blocked by a number of techniques. However, they're not the problem - they're just the end result of the REAL problem (or in Phorm-speak, the "service").

  179. BitTwister

    @William Morton

    Or: "Phorm targeted advertising" = HTTP adage, overriding terms.

  180. SilverWave
    Paris Hilton

    TalkTalk do the right thing - Now... what about the others?


    There has been a huge amount of speculation about Phorm and the possible involvement of Talktalk with their service.

    This is the current situation.

    * There is no Phorm equipment in our network. We have never run any trials, nor implemented any aspect of this nor any of Phorm’s previous systems in our network.

    * We are committed to running a trial with Phorm, but with two very important conditions.

    o Firstly, it will be an Opt In, not an Opt Out service. This means you will have to proactively choose to be a participant of the service.

    o Secondly, those who have not chosen to participate will not ever come into contact with any Phorm equipment hosted within Talktalk. Details of who has membership of Phorm will be maintained in our network, and only those who have chosen to participate will be passed to Phorm.

    * We have been reassured by the advice of the Lawyers, Accountants and Home Office that the Phorm project is not an invasion of privacy, and that in fact the protection and integrity of anonymity provided is superior to that which we all experience from using existing Portals and Search Engines on the internet.

    * Webwise, does offer real protection against fraudulent phishing sites, which are an increasing problem to our customers, particularly those who are new to broadband.

    * By making the service Opt In, we feel the onus remains firmly with Phorm to make the service useful and compelling enough that subscribers will choose to join it. If it fails to do this, it will itself fail.


    Paris Icon - 'cause now even the tech illiterates at Virgin don't have any excuses.

  181. Anonymous Coward

    Recording or not is a completely bogus distinction.

    "It's important to understand the distinction between actually recording stuff and concluding stuff ..."

    I understand it perfectly well: it's nothing. Zero. Zilch. No matter how you cut it, YOU ARE CONDUCTING AN ILLEGAL WIRETAP OF MY PRIVATE TRAFFIC. Not recording it makes no difference, it is intercepting it in the first place that is repulsive and criminal.

    See you in court!

  182. colin stone

    Lies, damn lies and Phorm

    OK, proof Phorm are not telling the truth.

    In an article published in TechCrunch on Feb 29th the following was reported:

    "Phorm's privacy claims have been approved by Ernst & Young and Privacy International. The cookie doesn't track you on sites like SSL or forms you fill in. Of course, data is secure as the companies that keep it - and it's possible to de-anonymise data. Phorm says it wouldn't mix surfing data with, say, an ISP's billing data on users."

    So just a couple of weeks ago they say it is possible to de-anonymise data, now they say it is totally anonymous.

    I am even more angry than before. Lies, lies and more lies from a slime ball company all in a couple of weeks.

    An interesting thread of comments as well

  183. Anonymous Coward
    Anonymous Coward

    Phorm Opt Out

    Phorm Tech Team here. There are several issues being raised about opting out.

    When you opt out - or switch the system off - it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm - the Profiler is owned by the ISP, which performs the opt out check. We should be clear: the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be ads from the Phorm service and they will not be relevant to your browsing.

    Opting out is as simple as visiting And you can permanently switch off the service: simply add to the Blocked Cookies settings in your browser.

    It’s worth noting that the very first thing you will see when you go online after the technology has been deployed is a full-page notice and at that point you can decide to opt out. In line with our commitment to transparency, you will see banner ads saying that Webwise is on. So if you don't want it, you will be able to click on these ads and switch them off.

    Phorm provides the software for the Profiler, just like Cisco, for example, provides software for an ISP router. The ISP can see exactly what data is being passed in and out of its systems and has complete control over it.

    And we've been very open on this issue. We have said that we would consider using another agency to audit the opt out provisions in addition to our existing external auditor, Ernst & Young and the Privacy Impact Assessment being conducted by 80/20 Thinking. If you have any suggestions for additional auditing you can send them to us at

    In terms of future safeguards, the key is transparency. We will communicate any changes and our claims will continue to be subject to external scrutiny by formal audit, partner due diligence, customer vigilance and media interest.

  184. Anonymous Coward
    Anonymous Coward

    Internet Publishers Benefit Too

    Hi. Phorm Tech Team here again hoping to clarify this post:

    "This entire system will lower the value of adverts online, as now the user will be exposed to both adverts from their ISP/phorm and from the original website. This will lower the income for the website operator due to the dilution of phorm's ads."

    We partner with websites, we don't hijack their pages. That would be, frankly, nuts, not to mention commercial suicide.

    OIX uses an auction model. I'll briefly explain how it's a real benefit for website publishers.

    So let's say you decide to partner with us, you as a website owner insert our tag into your page. You decide the minimum price for your ad slot (as an aside -- all OIX ads go into the existing ad slots on sites, we don't do pop ups or pop unders) and we ONLY serve an ad into that slot if we beat your threshold price. That means you can only make more money for that slot than you are making now. You can maximise revenue for all inventory types using different thresholds and give your users a better site experience with fewer irrelevant ads.

    Overall, we have the opportunity to significantly reduce the amount of advertising you see online by making it more relevant and more valuable. People are concerned that there's going to be more advertising. It's not more, it's less. It's demonstrably less. Long term, we believe if you're opted-out the experience you're going to get is quite poor because you're going to get bombarded with ads.

    That's because the economics of taking a targeted ad approach mean that, in the long run, that there will be a smaller number of higher value ads rather than the situation today in which we face high volume, low value ads. You can opt out of the Phorm system and block ads as a number of you already do. Many Internet users including people posting here are happy to use the free services that are in fact paid for by ads.

    But what our research shows is that users worry about security online and prefer to have more relevant advertising. Right now people often feel they have to make a trade off between getting a personalised service on the one hand and giving up personal data on the other. We've created something that resolves that tension. Our system gives you advertising that’s relevant to your interests without storing details on your browsing behaviour.

  185. Anonymous Coward
    Anonymous Coward

    Screw you Virgin!

    Perhaps we should be reporting Virgin to their own NetAbuse department:

    Virgin - implement this and you'll be losing me as a customer. Your service has gradually worsened since you took over NTL/Telewest but this is the final straw.

  186. Anonymous Coward

    Virgin Breaching Their Own Policies!

    Taken from Virgin's own Code of Practice Document:

    5.8 Confidentiality of customer information

    We will treat any information we have about you in confidence and will not disclose it to anyone except yourself, or in accordance with any instructions you have given us. However, there are circumstances in which we may be required by law to disclose information. Such requests normally come from Statutory Authorities, for example, Police Forces, Customs and Excise etc. Any such disclosure will be strictly controlled and will be made fully in accordance with current UK legislation, in particular the Data Protection Act 1998.

    We are also obliged to pass directory information about our customers to other companies to enable them to provide a publicly available directory service. These companies can only use this information strictly for this purpose, and in accordance with customers' specified wishes.

    Now the first sentence of this seems clear enough to me. Nowhere can I see any clause allowing them to do what they are planning.

  187. Anonymous Coward

    Here's What Needs to Happen

    I am a website operator, and what this means to me is that I now have to spend money on an encryption certificate so that traffic to and from my visitors will be encrypted (https). With an encrypted connection, none of these snoops should be able to intercept and/or modify the data (theoretically).

    This also goes to another one of my beliefs. This belief is the fact that big business will manage one way or another to put a stranglehold on the greatest source of information since the Gutenberg printing press. Big Business and Big government want to turn the "superhighway" into the super spyway.

    Pretty soon, the only use people will get out of the Internet without being spied upon is that it will become a simple (encrypted) bridge between wireless community networks. The more I read about this type of crap, the more I am convinced that the FreeWan is the way to go.

  188. system

    Just to put paid to another phorm lie

    "But what happened was it became very clear to us that there was no distinction in people's minds between adware - which is legitimate - and spyware."

    Start at the f-secure site, with their description of Apropos.

    "Apropos uses highly sophisticated stealth techniques to avoid detection. The spyware collects users browsing habits and system information and sends it back to the ContextPlus servers. Targeted pop-up advertisements are displayed while browsing the web." "PeopleOnPage makes the Apropos family of spyware."

    Norton also lists Apropos as being published by peopleonpage, and calls it Spyware.Apropos.

    The best quote has to come from McAfee on this though.

    "This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted."

    I find that description very fitting of the way phorm are selling this. It is a trojan, only this time it's being rolled out to 10 million people in one go.

  189. Gareth Jones Silver badge

    Not convinced by either side

    I'll certainly opt out of this, simply because I don't see how this particular scheme can benefit me.

    However I'm totally unconvinced by the nay sayers. In what way exactly is this sinister? I simply don't get it. Legal challenges to this scheme? Forget it. If you object change your ISP.

    Targeted advertising sinister? The internet is simply full of it, it runs on it. Mr and Ms 2.4 children don't realise just how driven by advertising the major search engines are. They just see Google as a useful and free tool, it never occurs to them to think that Google has to make its fortune somehow. If they did realise would they find it sinister? Probably not. TV ads aren't random, nor are ads in magazines. Obviously they are targeted based on your chosen viewing/reading material. The difference here is that you don't suddenly get an ad in the middle of a serious documentary that hints to your wife what you watch when she isn't there.

    I suspect the real issue a lot of people have with this is that the ads they get when people are looking over their shoulder will reflect the browsing they do when they are alone. That's the privacy issue under threat here. Personally I don't look at anything on the web when I'm alone that I wouldn't do when others are present. Do you?

  190. Jeff Deacon
    Black Helicopters

    This is another twist!

    Re: @William Morton By BitTwister, Posted Saturday 8th March 2008 17:42 GMT

    "TalkTalk do the right thing - Now... what about the others? ...

    " ...

    "* We have been reassured by the advice of the Lawyers, Accountants and Home Office that the Phorm project is not an invasion of privacy, ... "

    What on earth do the Home Office know about the protection of privacy? Why are they endorsing this scheme?

    Black Helicopters because we haven't found out the half of this yet. When the whole story comes to be written up, it would not surprise me to find that Big Government has a finger in this pie! Surveillance.

  191. William Morton

    ISPs' Privacy Policies are going to be scrapped just like BT's

    There is little point in quoting these ISPs' PP or TOC, when they go live with PHORM they will just change them to allow them to sell your data.

    Any AD blocking software on your machine is not going to have any effect on PHORM. They get your data regardless and PHORM don't care if you see the ADs because they are still making money. It's the same as the "per click" revenues that were taken by BOTNET controllers. The AD company can write off the cost of the advertising to TAX so even if 1 person in 10 buys after following an AD they make money.

    From PHORM's previous post I have concluded that they have a database of phrases and simply mark the occurrence of the phrase in each web page requested. The phrase database will be automatically updated via the 10 keywords not already in the DB. These 10 keywords are going to be personal to you and include any web aliases you have, passwords, home addresses etc. The way they say they are not capturing names would have to be to put all the possible names into the database so they can be marked as present but not used by advertisers. They don't need your IP address as this is associated with the cookie ID by the ISP and the web server holding the OIX place holder.

    The phrase database is what needs to be transparent and open for viewing by all users. I could decide that I am interested in capturing all users' login details for Facebook. All I need to do is link every combination of say 10 letters not already in the phrase database and the phrase Facebook. Now when you come to one of my advertising sites I get that you are interested in Facebook, a phrase for your password, a phrase for your username. I can now log into Facebook as you; this will work for any site that doesn't use encryption from the start of login. Given China's history with regard to spying I am surprised that the western security services have allowed this to go ahead; it isn't just going to be Joe Public's data being captured, it's going to be scientists, engineers and other company employees. If I work for a company that is in a competing field with a Chinese company and I mention I'm going to be working/bidding for a job, what's to stop them using the data to get the winning bid?

    For the above reason we need to see what phrases are being captured and for whom; we need to be able to remove phrases or advertisers if they are capturing phrases that are not specific to their products or are invasive in any way.

    I think that this enterprise is a very dangerous thing not just in terms of personal privacy but also in the implications to the western economy.

  192. Dave

    AC @ Phorm

    My data should be going nowhere near your profiler. That is the crux of the problem. If I opt out, my data is still being sent to the profiler. There is no point in this. I don't want this to happen. It's my data. I don't want it profiled.

    Although the ISP can check what data is being sent to Phorm, unless it checks Phorm's codes with a fine tooth comb, the data could contain absolutely anything that Phorm wanted to send and there would be virtually no way for the ISP of finding out. Just because the profiler is mounted in the ISP doesn't mean that people want to be profiled.

    Also, for the profiler to know if I have opted out or not, it obviously has to interact with the browser. Therefore, it is going to take longer to get any specific page because my browser has to talk to your profiler before it can actually talk to anything else.

    It seems to me that if BT want to incorporate this "service", they are going to be forced into doing what Talk Talk says it's going to do with Phorm. If they do not, I will be leaving as well as many others.

  193. Mr Anonymous

    re: Phorm Opt Out

    >>Phorm Opt Out

    >>By Anonymous Coward

    >>Posted Saturday 8th March 2008 22:13 GMT

    >>When you opt out - or switch the system off - it's off. 100%. No browsing data >>whatsoever is passed from the ISP to Phorm - the Profiler is owned by the ISP,

    >>which performs the opt out check. We should be clear: the Phorm servers are >>located in the ISP's network and browsing data is not transmitted outside the >>ISP.

    You still don't understand, people do not want their traffic intercepted and profiled by anyone and that includes their ISP. They don't want the equipment there whoever owns it or "their data", period.

    To make this work for you, you need a mass market so you are using an opt-in model and are using a method (cookies) that is easily reset. This means that opted-out users are likely to be opted back in at a future date; e.g. you set your cookie to expire after 30 days for opt-out cookies as opposed to 30 years for opt-in, or when a user clears their caches out and chooses to delete cookies too you have them back in the system.

    If you want a fair system, you would have an opt-in model. The opt-in would be via a user's radius profile**, so that when they log in to their ISP the radius server would assign them an IP address from a specific Webwise pool that is routed past your Layer 4 redirection/interception stage. Default opt-out users would be assigned an IP from a default pool which would be routed out of the ISP's normal gateway that was not subject to any layer 4 or 7 interception.

    As for the adverts, you are saying that a website owner who is trying to make a profit will, as a result of your system, drop the number of ads they display that are now worth $2 instead of 20 cents! Bad for their bottom line and yours. Google always display as many ad links as they can, whether they are 20 cents or several dollars; that is what corporations do, they maximise profit.

    ** For those that don't know what a radius profile is:

    A radius profile is nothing to do with Phorm, it holds ISP data like your username and password, IP pool, service quality levels, is the standard authentication mechanism and has been in place since the days of Dial-up. Of course, if you added a Phorm attribute, you could also add a quality of service attribute to lower service level as the ISP will not be making money on your web traffic!
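The two designs contrasted in the post above, as an added example in Python that is not the poster's, Phorm's or any ISP's code. The cookie model profiles a request unless a live opt-out cookie accompanies it, so cookie expiry or a "delete cookies" clean-up silently puts the subscriber back in. The pool model decides at login from the subscriber's RADIUS record and routes only the Webwise pool through the interception stage, so browser state never enters into it. The attribute name `Pool-Name` (the control attribute FreeRADIUS's IP-pool modules key on) and the pool name `webwise` are assumptions; the subscriber records and timeline are constructed for the example.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class Browser:
    """Minimal cookie jar: name -> (value, expiry time in seconds)."""
    cookies: dict = field(default_factory=dict)

    def set_cookie(self, name, value, now, max_age):
        self.cookies[name] = (value, now + max_age)

    def get_cookie(self, name, now):
        entry = self.cookies.get(name)
        if entry is None or entry[1] <= now:
            return None            # absent or expired
        return entry[0]

    def clear(self):
        self.cookies.clear()       # disk clean-up tool or 'delete cookies'

def cookie_model_profiled(browser, now):
    """Opt-out-cookie design: the interceptor profiles the request unless a
    live opt-out cookie is presented with it."""
    return browser.get_cookie("webwise_optout", now) != "yes"

def pool_model_profiled(radius_profile):
    """Opt-in-pool design: the RADIUS reply at login places the subscriber in
    an IP pool; only the assumed 'webwise' pool is routed past the interception
    stage. Nothing the browser does later changes the answer."""
    return radius_profile.get("Pool-Name", "default") == "webwise"

def cookie_model_timeline(optout_max_age=30 * DAY):
    """Walk one subscriber through the cookie design; True means profiled."""
    b, t, out = Browser(), 0, []
    out.append(("first visit, no cookie yet", cookie_model_profiled(b, t)))
    b.set_cookie("webwise_optout", "yes", t, optout_max_age)
    out.append(("after opting out", cookie_model_profiled(b, t)))
    out.append(("day 31, opt-out cookie expired", cookie_model_profiled(b, t + 31 * DAY)))
    b.set_cookie("webwise_optout", "yes", t, optout_max_age)
    b.clear()
    out.append(("after clearing cookies", cookie_model_profiled(b, t)))
    return out

def pool_model_timeline():
    """Constructed subscriber records: one with the opt-in attribute, one without."""
    opted_in = {"User-Name": "alice", "Pool-Name": "webwise"}
    default = {"User-Name": "bob"}
    return [("opted-in subscriber", pool_model_profiled(opted_in)),
            ("default subscriber", pool_model_profiled(default))]

if __name__ == "__main__":
    for label, profiled in cookie_model_timeline() + pool_model_timeline():
        print(f"{label:35s} profiled={profiled}")
```

In the cookie design every state that is not "valid opt-out cookie present" collapses to "profile", which is why the opt-out model fails open; in the pool design the default pool is the safe state and there is nothing on the subscriber's machine to lose.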

  194. Anonymous Coward

    keeping data

    Question to Phorm Tech Team or should in reality be "Phorm PR Team"

    In the document you hawk regarding your privacy

    May I draw your attention to this paragraph

    "The Phorm service is designed to avoid the collection and storage of Personally Identifiable Information (PII), however you have the right to request a copy of any information that Phorm may have about you and to have any inaccuracies corrected."

    If you do not store data, then why should there be a right to have what is not stored corrected.

  195. Anonymous Coward
    Anonymous Coward

    Some lies cant be hidden.

    I've arrived at this site by following a trail whilst trying to understand what my ISP (Virgin Media) is proposing to do. I'm not particularly tech savvy, so I hope regular readers will forgive me for this. (I am, perhaps, the 'ideal target' for this game of spin and confusion the various PR departments are currently playing though).

    I do, however, have a very good understanding of Law. Not privacy law specifically, but legal tapdancing is not a foreign language to me.

    The crux of the issue is the claim, made several times by Phorm, that they will not touch private data, login forms, email addresses etc.

    That is a lie. Technically, it's a logical fallacy, were I to give them the benefit of the doubt. There are two options as to why they utter this untruth several times.

    They either have little understanding of how the software works, or the laws they are operating under, or it's a deliberate lie.

    Why is it untrue? How can I be so sure?

    To KNOW it's private data, it must be actioned.

    I have no understanding of how or what processes take place, but it is a simple fact that to separate private data, they must action it to know it's private; they appear to do this even if you opt out.

    That, in and of itself, is a breach of privacy law in this country.

  196. Julian Smart


    "But what our research shows is that users worry about security online and prefer to have more relevant advertising... Our system gives you advertising that’s relevant to your interests without storing details on your browsing behaviour."

    It's good that you're interested in what people want. Now you know that many many ISP users don't want your systems and that you are damaging the reputation of the ISPs involved. Hopefully this will inform Phorm's decisions (and those of the ISPs).

    Do we believe that opt-out will be genuinely Phorm-free? It's hard to simply take something that important on trust given the contradictions we hear. But also you have got our backs up with your arrogance, greed and lies to the extent that opt-out may not be enough - we'll simply vote with our feet.

    I just want to add my voice and express the fact that I will never ever go with an ISP that does this. The economic argument from the Telegraph and others is pathetic - just add a few quid to my bill, thank you. I guess the ISPs/Phorm are counting on the majority to be too stupid to avoid selling their privacy for a few measly pounds.

    Totally disgusted by Phorm and the ISPs concerned. You must have thought we were all mugs. Now you know better.

  197. Anonymous Coward
    Anonymous Coward

    William Morton/Lexicons

    Hi - it's the Phorm Tech Team here with an answer on your question about 'lexicons'.

    As far as I understand, the question is about the composition of advertising categories, i.e. the list of keywords used in these categories. These categories are defined by advertisers and matched against our vocabularies, so-called white- and black-lists. The white-list contains keywords which are allowed to be targeted, for example "London hotels", whereas the black-list contains keywords which under no circumstances can be present in the category (for example, terms related to adult content). When an advertiser submits a new category into the system, it is checked against both lists, and doesn't go live unless all keywords are from the white-list. If there are keywords which are neither black-listed nor white-listed, then such keywords undergo manual checking and are placed in one of the lists. Due to the large number of channels and keywords, such lists (especially the white-list) may grow to millions of entries and it may become impractical to publish them, but Phorm will consider such an option as well as other alternatives.

    There is no association made between end users and their raw browsing data (URLs and keywords). Browsing behaviour is matched against predefined advertiser categories in real time and raw data is discarded immediately thereafter. If a keyword is not defined in any advertiser category, then there is no match and no association is made with the category. User keywords, including unmatched keywords, are not stored by the system. Expansion of our categories (and the lexicon) is done by advertisers when they submit new advertising categories.

    Let me know if you have any other questions - I can be reached via
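The gate and the matching step described in this reply, together with the attack William Morton sketched a few posts earlier (an advertiser registering arbitrary letter strings as keywords in the hope of harvesting usernames and passwords), as an added example in Python. This is not Phorm's code: the list contents, category names, the three-word phrase window and the sample page text are all constructed for the example. It shows the two things the reply claims: a category whose keywords include anything not on the white-list never goes live, and matching hands back only category names, so neither the page text nor the phrases found in it survive the call.

```python
import re
from dataclasses import dataclass

# Constructed vocabularies. The reply says the real white-list may run to millions of entries.
WHITE_LIST = frozenset({"london hotels", "cheap flights", "car insurance", "facebook"})
BLACK_LIST = frozenset({"adult", "xxx"})

@dataclass(frozen=True)
class Category:
    name: str
    keywords: frozenset   # lower-cased phrases supplied by the advertiser

def make_category(name, keywords):
    return Category(name, frozenset(k.strip().lower() for k in keywords))

def validate_category(cat, white=WHITE_LIST, black=BLACK_LIST):
    """Gate a submitted category. Returns (status, offending keywords):
    'rejected' if any keyword is black-listed, 'review' if any keyword is on
    neither list (it waits for manual checking), 'live' only when every
    keyword is white-listed."""
    banned = cat.keywords & black
    if banned:
        return "rejected", banned
    unknown = cat.keywords - white
    if unknown:
        return "review", unknown
    return "live", frozenset()

def page_phrases(text, max_words=3):
    """Every 1..max_words word window of a page, lower-cased. Built for one
    match and dropped with it; nothing here is written anywhere."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n])
            for n in range(1, max_words + 1)
            for i in range(len(words) - n + 1)}

def match_page(text, categories):
    """Return the sorted names of live categories whose keywords occur in the
    page. Only category names leave this function: the text and the phrase
    set are local and are discarded on return, which is the 'raw data
    discarded immediately' behaviour the reply describes."""
    phrases = page_phrases(text)
    live = [c for c in categories if validate_category(c)[0] == "live"]
    return sorted(c.name for c in live if c.keywords & phrases)

if __name__ == "__main__":
    travel = make_category("Travel", ["London hotels", "cheap flights"])
    harvest = make_category("Harvest", ["facebook", "xkq7pwmz"])   # Morton's attacker
    print(validate_category(travel))     # ('live', frozenset())
    print(validate_category(harvest))    # ('review', frozenset({'xkq7pwmz'}))
    print(match_page("Book cheap flights and London hotels today", [travel, harvest]))
```

The gate is only as good as the manual review behind it: a keyword that a reviewer white-lists becomes targetable for every advertiser, so the question in the earlier post about who gets to inspect the list is the right one, and it is the part of the mechanism this code cannot model.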

  198. The Other Steve
    Thumb Down

    @Phorm Tech Team

    Stop dissembling. Stop spinning. We don't care. Your description of the opt out mechanism has changed, AGAIN. Fail.

    The fact that the 'profiler' will be owned by my ISP is irrelevant both to me personally and to the law, I do not, and will not give my consent for my data to be processed in this way.

    Any attempt on your part, or my ISPs part, to use such a flawed mechanism as cookies to protect my data is insufficient, and will fall foul of the DPA. Fail.

    Even if you somehow manage to persuade my ISP and any statutory bodies that this is somehow OK, you will not convince me, nor the majority of internet users, and they will desert any ISP you have a deal with in droves. I doubt that a trickle of ad revenue will make up the difference in lost revenue. Fail.

    Along with many others, I have registered my displeasure with this scheme to my ISP, Ofcom, ICO, Trading Standards and my MP.

    You, and my ISP will shortly be receiving by registered post notification of my explicit prohibition of any of my data being processed in this way, and my explicit prohibition of webwise, phorm, OIX and any other associated domain from placing cookies on any machine on my network, and the first time one comes down the wire, my next call will be to the police to initiate a prosecution under the Computer Misuse Act.

    Your pathetic, slimy, twisting PR offensive is not convincing anyone except the simpletons at the BBC. You are filthy parasitic scum. We know it, you know it, the press know it. Our ISPs know it, and when they finally realise that we have figured it out, they will hang you out to dry and try not to get any of the mess on them.

    And there's going to be a lot of mess. Come Monday morning you're going to be up to your necks in shit, and I hope you drown in it. Bastards.

    I hope the members of the "Phorm Tech Team" have their CVs all up to date, and valid passports, because considering how much you have pissed off the technical community in the UK and how hard your employer is about to fail, you're going to be job hunting overseas very soon.

  199. Alex Laity


    Many of you have raised concerns about the legality of the system.

    To make clear: Yes, our technology complies with the Data Protection Act, RIPA and other applicable UK laws.

    As some background, we've spent a long time developing our technology, systems and practices as regards privacy protection. We believe that most people like personalisation online. We just don't believe they should have to give up their personal data to get it. And that philosophy has informed the development of our entire system.

    There are three main hallmarks to the system: we don't know who you are, we don't know where you've been and participation is always a choice.

    We have walked several experts through our service from Ernst & Young and 80/20 Strategic Thinking to the Home Office, which is responsible for the application of RIPA. Also, you should be aware that we have spent an enormous amount of time, as have our ISP partners, verifying that all of our activities are fully compliant with all regulation. I believe that it is reasonable to suggest that if BT, Virgin and Carphone Warehouse are all participating, it is because they have fully satisfied themselves of the legality of their decision.

    Unlike other online advertising products, the service doesn't store personally identifiable information, doesn't store IP addresses or retain browsing histories. So it can't know who you are or where you've browsed. The ISP will not be passing any personal information to Phorm. We do not tie into their authentication systems or use any subscriber information. Plus, users choose - they can switch the system off or on at anytime.

    On the privacy front we are one of the few online companies that would welcome a decision by the Article 29 Committee to rule on IP addresses being categorised as personal data. I don't need to point out how unusual that is.

    Tech Team

  200. Anonymous Coward
    Anonymous Coward

    Lies, damn lies and Phorm/Colin Stone

    Hi there

    "Of course, data is secure as the companies that keep it - and it's possible to de-anonymise data."

    This is an interpretation, not a statement by Phorm - it's incorrect and we've not changed our position that there is no way to de-anonymise data in our system. The service doesn't store personally identifiable information, doesn't store IP addresses or browsing histories.

    The technology simply observes anonymous behaviours and draws a conclusion about the advertising category that's most relevant. All the data leading to that conclusion is deleted by the time each web page is loaded.

    The service dispels the myth that data on user browsing behaviour must be retained and stored in order to provide more relevant advertising. Plus, users choose - they can switch the service off or on at anytime.

    So to restate: Clickstream data is never stored. Therefore it cannot be sold on or 'de-anonymised'. The AOL / Netflix situation cannot occur because the clickstream data has been deleted in real time as the page loads.

    You can review the Ernst & Young audit here:

    Phorm Tech Team

  201. Anonymous Coward
    Paris Hilton

    @Phorm Tech Team

    "When you opt out - or switch the system off - it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm - the Profiler is owned by the ISP, which performs the opt out check. We should be clear: the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be ads from the Phorm service and they will not be relevant to your browsing."

    Yes, but does that mean that my ISP is still scraping EVERY damned webpage I visit? How can I opt out of that? That is the BIG question which you KEEP IGNORING. Can your so-called profilers cope with the huge load that you know will be thrown at them if this goes live and people decide that they HATE it and intend to push so much crap through the profilers that they are generating useless information? If those profilers go down then what happens to my browsing experience (in terms of speed)?

    I object to someone with NO legal authority snooping at my surfing habits, or do you think it's OK for the Royal Mail to open all my post, or my phone company to listen to all my calls?

    Paris because frankly she talks more sense than phorm.

  202. Man Outraged
    Paris Hilton

    OMG can this be true? Please read this post:

    This suddenly shifted my attention from protecting my privacy to getting the service I paid for. I do not pay top whack for BT broadband in order to get a second-rate redirection service.

    Also made me think, the ISPs are pressing ahead with this despite risking losing customers. But the informed customers they risk losing are perhaps the 5% of bandwidth hogs (20% of users consume 80% of the system resources) and so they're happy to let them move on! Note 20/80 and think: surely not!!!

    @tech idiot re:Shifting Sands

    Brilliant points well made. The focus shouldn't just be on who "owns" or "controls" the equipment but the net effect, and maybe who writes the software and who validates it.

  203. youvegot tobejoking

    What are they hoping for?

    I don't see many ads; if I could fix it so that I saw NO ads I would do it immediately. I turn on ads on some sites to support the website owners, I don't click the ads and almost never even look at them. I don't want my browsing/emails/whatever else picked over like carrion in any way at all; if they offered me 10p for every webpage I visited to allow them to parse my data I still wouldn't go for it.

    Saying that I can get a cookie put on my computer that will stop your servers parsing my webpages DOES NOT make it all right. I don't trust my ISP (VM), why the hell should I trust some company that is piggybacking on my ISP and trying to make money off what I do online?

    This 'service' they offer of protecting me from the nasty websites of the world could have been implemented by simply changing the users' DNS server IPs to OpenDNS (and in fact I use them already, but mainly because VM's DNS servers appear to be powered by terminally ill hamsters)...

    So, to recap; an untrusted company gets to see every website I visited. If I opt out, I have to take their word for it that they wont look. Fuck that.

    I am stuck with VM for another 3 months, when(if?) they do go ahead with this crap I will be moving back to Zen.

    Finally; what are they hoping for? enough people not caring about the issue enough to complain / turn it off / move away to another ISP? I do hope that the media handles this the right way (i.e. lets people know that some unknown american company that had some shady software in its past is looking at everything you do online unless you tell them not to .... and even if you do its a toss of a coin if they respect your wishes or if the cookie lasts) and not buy in to the happy clappy "oh the internet will be a glorious place with gorgeous ads and no nasty internet hooligans"....

  204. Anonymous Coward
    Anonymous Coward

    @phorm tech team

    Let's suppose for a second I stay with my ISP after they implement your system, and I opt out of the Phorm/Webwise system... I browse a webpage [say the Guardian website] and I'm not subject to targeted ads. Your post here at 22:13 08/03 suggests I will get more adverts than someone who is happy to opt in.

    How does the website in question know that the banner ads it is showing me are not targeted by your system, and hence likely to be earning it a lower revenue, and therefore know to display more adverts to offset this?

    I ask this as a web browser, and as the webmaster of a small website.... so please bear in mind that your answers will cut both ways!!


    I suspect that you are simply a lying cnut twisting facts to suit the Phorm agenda. The only thing you can do to convince me otherwise is to admit that your previous posting that I am referring to is mistaken, and to post a correction.

  205. Alex

    the internet "personalised"

    "Right now people often feel they have to make a trade off between getting a personalised service on the one hand and giving up personal data on the other. We've created something that resolves that tension."

    What?!?! I have never in my life heard a single person state "if only the internet was more personalised."

    what a load of nonsense!

    "Our system gives you advertising that’s relevant to your interests without storing details on your browsing behaviour."

    a profile is a record of personal activity/information/interests otherwise it would just be an irrelevant subset?

    you can stay well away from my interests, DO NOT WANT.

  206. Graham Wood

    @Phorm Tech Team

    So there is no way to prevent the data hitting the "profilers"?

    Can you please explain your specific statements to the BBC that this WAS possible?

    Secondly - if you don't interfere with the data stream, how is the webwise cookie added?

    Thirdly - given that everything is processed within the ISP (as you keep saying) - what /is/ passed to "phorm"? Surely nothing leaves the ISP whether you are opted in or opted out?

    Actually - forget all that - you'll spout another load of bullshit to try and wriggle out of admitting that this is one hell of a massive invasion of privacy and security risk. You are either lying, or don't know what you are talking about - and either is enough reason for me to avoid ever dealing with your company, directly or indirectly.

  207. Badg3r
    Thumb Down


    So basically this was a propaganda exercise. No different from before; they are trying to spin it, the weasels.

  208. SilverWave
    Black Helicopters

    Plan 'B' "Secure VPN Connection" - Any recommendations?

    Most of the companies offering Secure VPN look worse than Phorm (if that's possible). - look legit, anyone used them?

  209. colin stone

    Phorm Tech Team

    This story has grown over the weekend, with sites like badphorm, and cableforum melting with anger.

    On every site from the BBC, the Newspaper sites, this forum, and many others we see the handle PhormTechTeam spinning the lie that phorm is a good thing.

    The thing is even Phorm Tech Team is a lie. They are the PR company Citigate Dewe Rogerson (CDR).

    See for more information. But this section I found interesting:

    "a specialist public policy division to help its clients understand and negotiate the political, parliamentary and regulatory issues which routinely affect their business and reputation. The division works with clients to minimise immediate and longer term threats to their organisational or business success and the maximisation of their shareholder value."

    So Tech Team is all about shareholder value rather than the truth.

    Could the good folks at the Reg please highlight this fact, as the less technical reader may think TechTeam are what they are not.

    If they cannot even tell the truth about the PR, how can anybody believe them about the whole Phorm system?

    One interesting thing about their comments: they are just cut and paste, the same chant in each and every forum and topic reply. Yet no technical details have yet been released in order to calm the storm.

  210. Jeff
    Thumb Down

    "Irrelevant advertising"

    This is what slimy ad companies simply do not get. If you do not click through an ad then any future instances of it become progressively more irrelevant. For me, certainly, repetition is more annoying than randomness. There is actually very little diversity of advertising across the internet - and to expect Phorm to never again show you the same ad (especially, if, as this character says, 99% of 'irrelevant' web ads are removed) is a risible idea. So Phorm has, at best, a trivially short term benefit for the consumer.

    Fortunately the article shows this outfit for what it is.

  211. Adrian Wrigley

    System stores personal information (within the meaning of the DPA)

    The legal claim that the data stored are not personal is based on the hypothesis that the Data Controller will *never* be able to identify anybody from the cookie. This hypothesis is simply false.

    Most people's computers can be compromised. Most obviously people can access their own cookies and send their details to anybody they feel like. So if Phorm or the ISP offer money or some other inducement to break the "anonymisation", the mapping from cookie to person is trivially determined by the Data Controller.

    Remember, under the DPA, the Data Controller must be *unable* to get (or infer) the association of any cookie with a person (or street address etc), now or in the future (even with some effort or "black hat"/"rubber hose"/"black sack" techniques). Simply being able to buy these mappings from the people in the future makes the data personal data now.

    What's worse is that anybody at the same address could break the anonymity too. Imagine a dorm room or frat house with many people, it just takes one of these people to publish or send the DC the cookie -> person mappings, and the "anonymity" is breached.

    And that's not to mention breaking the anonymity through spyware, or through theft (or sale or other disposal) of the hardware itself. Or for mobile computer users, the cookie could be read out while the user wasn't looking (in the bathroom?).

    So the anonymity claim is demonstrably false and the data are personal data for the ISP and (probably) for Phorm too. Hence the full force of the DPA regulations applies.

    It's pretty clear that the personal data are being processed without the informed consent of the user, so the "opt out" approach is a non-starter under the DPA.

    And the E&Y consultants report seems to be applying US laws and US standards in the analysis. In the UK, the definitions and laws are very different. Why hasn't Phorm published consultants' reports for each jurisdiction they intend to do this? If they plan to start in the UK, we should have a report that covers the technology in relation to our laws.

    Sorry guys. Come back when you have read the DPA (and RIPA).

  212. Anonymous Coward

    186 comments before this one...

    ... and no one mentioned that if this scheme is successful it will be a triumph of Phorm over content.

  213. The Other Steve
    Black Helicopters

    SSL proxy naysayer, think again

    Somewhere back up there, someone mentioned something about how difficult it would be to proxy SSL, and how SSL would save us. I can't recall who, and I forgot about it until just now.

    Just so you know, you're way wrong. I've proxied SSL before to watch the traffic between apps on my machine and their 'call home' base during auto-updates, registration, etc.

    You can do it fairly transparently.

    Some links, because I know you won't believe me.

    Some software, for to play with, not what BT would use in a high volume switch, but fun nonetheless, and useful if you're serious about knowing WTF your machine is up to, because it's easier to sniff the wire than follow packet data in a debugger.

    Embedded hardware, for to build in to your high volume, low latency, switch. This one is the real deal.

    "Unlike existing SSL proxies, the SSL Inspector is deployed as a "bump in the wire" and is completely transparent to both end users and intermediate networking elements. It does not require network configuration, IP addressing or topology changes, or modification to client IP interface and web browser configurations."

    So, don't be relying on SSL to keep your data out of the BT/Phorm gestalt's filthy, grasping hands.

    Black helicopter, obviously.

  214. Anonymous Coward
    Thumb Down

    @ Phorm Tech Team

    You guys just don't get it, do you?

    It's a simple question so answer it in plain and clear language:

    "What provision have you made for those who do not want *any* data passed to you?"

    Which means people like me and many others who want no data at all passed from our ISPs to Phorm.

    Cookies fail. They are inadequate. And I'll say again just for you

    "Trust us, we've been ok'd by Ernst & Young" is a very weak appeal. E&Y are an accountancy house, not an independent and respected technical evaluation house. My views on accountancy houses (Arthur Andersen anyone?) aren't very polite or positive, so you'd better get someone more respected in to conduct an assessment.

    Thumbs down because there aren't icons that say "You suck ass!", "Bulls*it Merchant" or "We love Fahrenheit 451"

  215. kosmos
    Jobs Horns

    What is sinister about this is not the advertising component.

    It is the aggregation and capture and processing of every single web site you visit on the web, to build up a targeted ad profile.

    Misusing your private communications and sharing them with a third-party application gives that application an unprecedented level of exposure to your personal and private dealings with every web site you connect to.

    That is the issue. It's like a wiretap on your phone that you don't know about, with people listening to everything said and committing a response to what was said.

    Reading your webmail? Then the prospect is there that they can too. Visiting your bank? Well, guess what? Visiting your corporate SharePoint portal? Yup, that too. All this can be captured and stored, filtered, profiled and modified on its return trip to you, and just because an organisation says it isn't does not mean that it can't or won't.

    People are rightly concerned over this because the potential for fraudulent behaviour is unprecedented, and we are disgusted with our ISPs because they seem to think this is a good thing.

    So Gareth, tell me if you think it reasonable for a third-party system to have complete, unfettered, unrestricted access to your and everyone else's internet connection and all the activities and pages you visit on the web. At least the law enforcement agencies need a warrant for that kind of access; Phorm just need to get in bed with your ISP.

    Still no KE with horns, come on reg you're letting the side down.

  216. tech idiot

    Getting the lowdown...Finally!! (and it's not good)

    Just pulled this from the BBC technology interview with Phorm:

    Q: There are inconsistencies appearing. Phorm told The Register that data is still passed to the "Profiler" even if people opt-out, but apparently the "Profiler" is owned by the ISP, which is how they claim no personal data is sent to Phorm, as per the reply to the BBC.

    A: This isn't inconsistent. The Profiler is owned by the ISP. If someone opts out no data is passed from the ISP to Phorm.

    Q: However, I would like to know who provides the software for the "Profiler" and if it's not written by the ISP, how does the ISP check that it does what it's meant to?

    A: Phorm provides the software for the profiles, just like Cisco, for example, provides software for an ISP router. The ISP can see exactly what data is being passed in and out of its systems and has complete control over it.


    The conclusion from this is that the ISPs do the profiling, not Phorm!!

    Phorm "helps" (ahem!) the ISP set up the profiling servers that strip the data Phorm wants to see, and it's the ISPs' profiling servers that decide whether or not to pass the data to Phorm. In effect, the multitude of well rehearsed answers that Phorm have been giving over the last few days are more or less, factually correct. They just "forgot" to mention that they've dodged the issue by getting the ISPs to do all the controversial stuff. It's always what they don't say that's far more interesting!!

    El Reg needs to move past Phorm and tackle the ISPs. Ask the ISPs the same questions and we might get some uncomfortable staring-at-feet type behaviour.

    Q. Do the ISP servers profile EVERYONE irrespective of opt-in/opt-out?

    Because after all, that's what they'd love to do!

  217. Danny Thompson

    For the benefit of Virgin and Phorm

    I do not care what assurances you offer me. Because of your announced tie-up with Phorm I am going to leave your broadband service and take my business elsewhere. Not for any other reason at all other than your association with Phorm and your very apparent predisposition to start making use of my own personal information in ways that I explicitly do not want you to.

    Opt out? By association you have lost my trust in Virgin Media. On that basis how can I trust you to provide me with a believable Opt Out?

    Question to Virgin. When exactly were you going to tell us? It took independent media to alert us to your underhand doings. Were you ever going to ask us? Yes, it is your business, but as the law currently stands it is our money and we can take it away from you at any time we wish.

    What Virgin Media have effectively done is perform their very own 2008 version of a Gerald Ratner on their business.

    Pirate - because that is what VM are doing with their Customer's private data. Shame on you, and may you never be forgiven.

  218. Graham Wood

    @Gareth Jones

    I have no problem with any adverts that get tuned to me, indeed the adverts have been pretty much passed over by most people posting in the thread(s).

    The issue is that my data is now going through an additional monitoring stage, simply to allow some third party with a dodgy history at best to make a profit.

    Even with opt out, all the web pages go through their "profilers" - there is NO way to avoid this from their admissions to the register, although from their conversations with the BBC, you would think otherwise.

  219. Anonymous Coward
    Jobs Horns

    A reply to the alleged 'Tech Team' at Phorm

    "In terms of future safeguards, the key is transparency. We will communicate any changes and our claims will continue to be subject to external scrutiny by formal audit, partner due diligence, customer vigilance and media interest."

    That's a hell of a statement to make, especially in light of BT's response to their customers: "We can't talk about that". That's about as far away from transparent as you can get, trying to dupe customers into an extended contract and failing to disclose the T&C.

    Will you still guarantee that even in the face of a RIPA order? As far as I can see your organisation is about as transparent as a brick wall. And now we discover that you are effectively intercepting layer 7.....

    You aren't winning friends here; given how un-transparently this was revealed to customers you have a lot of work ahead if you want to win trust. Did the people whose data was pimped to you in the trial get the option to opt out? Were they even told what was going on? Did their ISP communicate what was going on? Did the T&Cs mention anything about it whatsoever? Or did they try to cover it up because it looked like something very wrong was happening on their network and our businesses' interfaces to that network? You, sir, and your organisation have all the transparent features of a brick wall.

    "But what our research shows is that users worry about security online and prefer to have more relevant advertising."

    Bollocks, users want no advertising; whether that is achievable or even cost-effective is another question. Given the prevalence of anti-spyware and anti-adware (funnily enough, both key revenue streams for your organisation) I'd say that the evidence points to the latter. Those of us who have had to deal with one of your lovely toolbars know exactly how difficult it was to get rid of them once they were on a system.

    Needless to say:-


    Will be blocked on all ports on my corporate firewall tomorrow. I'll review whether * should be as well.

    And while you may claim that you were never in the business of spyware/malware, any system that 1. tracks a user's browsing habits; and 2. allows you to alter the content of any site that individual visits; sounds a whole hell of a lot like spyware/malware to me. Just because you say you don't do it does not mean you can't or won't.

    PS: Still no KE with horns or cat for that matter. Wishing all the guys at phorm a real shitty day.

  220. Legless


    Let me get this straight.

    Phorm makes a copy of each and every website visited?


    Then, the first time a Phorm user visits a paedophile site they're guilty :

    “taking or making” of an indecent photograph or pseudo-photograph of a child"

    It's the catch-all the Police use to make sure that kiddie-fiddlers get done for "making" indecent images of children rather than just viewing them. Just by displaying these images on your screen, you've automagically "made" an image and are therefore guilty of a more serious offence.

    That said, Phorm will be deliberately creating these images and, as such, are open to criminal charges.

    And, as they're not an ISP or a carrier, they don't have that get-out either.


  221. Mark Duncan

    If it's not been done already

    I, for one, welcome our spyware overlords.

  222. kosmos

    A correction to an earlier post.

    Well, not exactly a correction, a clarification. The web site is not copied; the pages you view are, and then allegedly deleted after they have been scanned and modified with targeted ad content.

  223. Pierre
    Thumb Down

    @ face-changing Phorm guys

    First, congrats. In all your answers here you "successfully failed" to explain a few things:

    - your system will facilitate trapped-ad targeting.

    - It will provide a new entry door for hackers in the ISPs systems.

    - It menaces privacy. It tramples on the confidence between the ISP and the user by trying to take advantage of it.

    - The alleged "phishing protection" will obviously be inefficient (see one of my previous posts, or, preferably, get clues about phishing) while giving a false impression of safety to non-tech-savvy users: problems waiting to happen.

    - The number of ads won't decrease if advertisers make more money out of them: advertisers will make more money, that's all; no benefit for the user. The only way to decrease the number of ads on the Interwub would be by *decreasing* the money advertisers make out of them (which raises other issues, but anyway your "core argumentation" fails).

    - You don't want to take any liability: the ISP will be "responsible" for your wiretapping hardware, while probably not being able or even allowed to monitor it.

    - your statements, here and on other sites or other supports, are ever-changing and inconsistent (especially about the opt-out system which appears to be opt-out only for the ad-serving "service", not for the wiretapping).

    - By refusing to address these points it seems that you mistake us for a bunch of morons with no clue about how networking and IT works. Alternatively, you could do that naively, which would tend to prove that YOU are a bunch of morons with no clue about networking or IT. Either way, it's not very reassuring, is it?

    - the ISPs concerned seem very reluctant about telling the truth about it too. Actually, it's worse than that: it seems that they don't KNOW the truth either.

    - plus a few "minor" points, such as, but not limited to: where will the info be stored? In the cookie? Storage facility! Gimme money! On your server? Privacy breach! (No one is buying the BS about the requests and content of webpages not being PII. We routinely access services which request name and/or account number as part of the request. Not to mention the served page.) You "imply" that you have no backdoor access to your hardware, and you state that you won't silently change the rules. Still we have to take your word for it...

    As a result,

    - you fail to give a trustworthy image (AC postings say it all).

    - you look slimy.

    - you make us belch (me at least).

    - I vote death more than ever (sorry, can't insert more than just one "thumb down" icon, but be sure I would have)

  224. system

    RE: OMG can this be true?

    Man Outraged: See the email I sent you. I mentioned exactly that sort of method.

    The big problem with doing it that way is that anyone who blocks traffic to or from the oix domain is instantly cut off from all web browsing as they will never see a second redirect to point them back at the original page.

    Another whacking great problem with this, and the claim that they can never tie your IP to an anonymous cookie:

    Browser requests a page from a site with oix ads on it.

    ISP intercepts with a 302 header and points to, or similar.

    ISP removes all IP info and sends the request to the profiler along with the oix cookie

    Profiler checks opt out or not, and sets some cookie data.

    Browser redirected to the original page, where it encounters the oix domain in the ad space.

    Browser goes to oix to fetch the ads, supplying the cookie that was set in the ISP stage. This time however, the connection is not intercepted by the ISP and cannot have its IP data removed or it will break the connection on a TCP level.

    oix now has your unique ID and your IP on its Chinese servers, where, by happy coincidence, they can completely ignore the DPA, RIPA and any other UK law.

    If they are not serving ads from a remote machine outside of the ISP, then they must be injecting code into the pages. If they are injecting the code at the ISP level, then Phorm has open access to come in and change the ads on the machine in the ISP's building, or their machine which is networked to the profiler has a connection to the internet, which is a security issue.

    @Phorm's supposed "tech team", let's see if you can break out of your PR role for a moment. Out of all the "experts" you have consulted, how many have a background in IT, and specifically the internet and networking? I don't give a damn if you consulted accountants, privacy activists looking for a payout or government departments; I want to know who you consulted on the technical side other than your hired gang of Russian physicists.
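
    The flow sketched in comment 224 above, as an added example that is not part of the thread and not Phorm's own design: a small model of the 302-redirect-and-cookie sequence, showing the point comment 211 makes from the legal side. Inside the ISP the profiler only ever sees IP-stripped requests keyed by a cookie UID, but the ad fetch is an ordinary direct connection, so the host serving the ad sees the same UID next to a source IP and can join the two. The hostnames, the cookie name, the message shapes and the assumption that per-UID interests reach the ad side for targeting are all mine.

```python
"""Model of a 302-redirect-and-cookie profiling flow (added example, not the
thread's or Phorm's code).  Hostnames, cookie name and message shapes are
assumptions chosen for illustration."""
import secrets
from dataclasses import dataclass, field

PROFILER_HOST = "profiler.isp.example"   # assumed ISP-side profiler host
AD_HOST = "ads.oix.example"              # assumed third-party ad host
COOKIE = "uid"                           # assumed cookie name


@dataclass
class Request:
    host: str
    path: str
    src_ip: str                          # "" once the ISP has stripped it
    cookies: dict = field(default_factory=dict)


class Profiler:
    """ISP-owned box: only ever sees IP-stripped requests, keys data by UID."""
    def __init__(self):
        self.profiles = {}               # uid -> set of interest keywords

    def handle(self, req):
        uid = req.cookies.get(COOKIE) or secrets.token_hex(8)
        keyword = req.path.strip("/").split("/")[0] or "home"
        self.profiles.setdefault(uid, set()).add(keyword)
        return uid                       # goes back to the browser as Set-Cookie


class Interceptor:
    """The 'bump in the wire': diverts the page fetch via the profiler, IP removed."""
    def __init__(self, profiler):
        self.profiler = profiler

    def divert(self, req):
        stripped = Request(req.host, req.path, src_ip="", cookies=dict(req.cookies))
        return self.profiler.handle(stripped)


class AdServer:
    """Third-party host outside the ISP: a plain TCP connection, IP is visible."""
    def __init__(self):
        self.seen = []                   # (uid, src_ip) per ad fetch

    def serve(self, req):
        self.seen.append((req.cookies.get(COOKIE), req.src_ip))
        return "<img src='ad.gif'>"


class Browser:
    def __init__(self, ip):
        self.ip = ip
        self.cookies = {}

    def visit(self, host, path, interceptor, ad_server):
        page_req = Request(host, path, self.ip, dict(self.cookies))
        self.cookies[COOKIE] = interceptor.divert(page_req)   # hop 1: intercepted
        ad_req = Request(AD_HOST, "/ad", self.ip, dict(self.cookies))
        return ad_server.serve(ad_req)                         # hop 2: direct


def ip_to_interests(profiler, ad_server):
    """The join the ad side can compute if per-UID profiles reach it for targeting."""
    out = {}
    for uid, ip in ad_server.seen:
        out.setdefault(ip, set()).update(profiler.profiles.get(uid, ()))
    return out


def simulate(ip="203.0.113.7"):
    """Two page visits from one client; returns the profiler, ad log and the join."""
    profiler, ads = Profiler(), AdServer()
    browser, tap = Browser(ip), Interceptor(profiler)
    browser.visit("www.example.com", "/holidays/greece", tap, ads)
    browser.visit("www.example.com", "/mortgages", tap, ads)
    return profiler, ads, ip_to_interests(profiler, ads)


if __name__ == "__main__":
    _, _, linked = simulate()
    print(linked)
```

    The UID never leaves the ISP next to an IP, exactly as the "we don't know who you are" line claims, and the join still happens one hop later because the browser presents the same cookie to the ad host over an unmodified connection. Removing the IP at the interceptor therefore says nothing about what the third party can learn; only never sending the UID to any host that also sees the client's IP would.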

  225. Anonymous Coward

    Potential Advertising Dynamite

    What we need is one of the ISPs who hasn't signed up to this, to advertise widely that they will never do it.

    Can you imagine the rush of new customers they'd get with a scaremongering TV advert directed at the mass market?

    E.g. Did you know that many of the main Internet Service Providers are selling information about the websites you visit to other companies without your consent? Furthermore you have no way to opt out of this.

    We here at [insert brand name] will always protect your data, because we believe you have the right to privacy etc. etc. Call 0800 [whatever] to change ISP now!

  226. Spleen

    "Less ads"

    What crap. TV ads have become more targeted over the past couple of decades (increased number of channels = more specialised channels = more targeted advertising), so have ad breaks become shorter? Have they f**k.

  227. N

    Vote with your feet...

    I dont like what they do or how they do it

    We don't have to tolerate this, so resolve their IP addresses to the root & move to an ISP that doesn't do this.

    Perhaps then these ISPs will realise their foolish ways & tidy up their act

  228. Mark

    tech team (or PR company unwilling to identify itself)

    This here is another lie.

    'Many of you have raised concerns about the legality of the system.

    To make clear: Yes, our technology complies with the Data Protection Act, RIPA and other applicable UK laws.

    As some background, we've spent a long time developing our technology, systems and practices as regards privacy protection. We believe that most people like personalisation online. We just don't believe they should have to give up their personal data to get it. And that philosophy has informed the development of our entire system.

    There are three main hallmarks to the system: we don't know who you are, we don't know where you've been and participation is always a choice.

    We have walked several experts through our service from Ernst & Young and 80/20 Strategic Thinking to the Home Office, which is responsible for the application of RIPA. Also, you should be aware that we have spent an enormous amount of time, as have our ISP partners, verifying that all of our activities are fully compliant with all regulation. I believe that it is reasonable to suggest that if BT, Virgin and Carphone Warehouse are all participating, it is because they have fully satisfied themselves of the legality of their decision.'

    What you are doing isn't complying with current legislation.

    What you are doing is exploiting a loophole in the current legislation to accomplish your goal.

    The loophole?

    By stating the hardware is owned by ISPs, you are trying to circumvent the issue with 3rd parties having access to personal data.

    That, as said, isn't complying; it's simply a legal loophole.

    Where will it fall down?

    If I have stated in writing I will not agree to this, the ISP does not have intrinsic permission to duplicate my personal information.

    The second that the data is copied to 'the ISP's' hardware, without my express permission, they are, in fact, breaching my right of privacy.

  229. Anonymous Coward

    stock market says fuck off phorm

    Hi all,

    Just as I had hoped the market has responded strongly this morning to phorm

    the share price has dropped by 19%

  230. William Morton

    re: PHORM reply to William Morton

    Can I confirm that PHORM does indeed retain pointers to the phrase database for each cookie, and that this is how you say you are not capturing the data but rather linking to advertisers' phrases? The fact that the original data (WEB PAGE) is not transferred does not mean the content of the web page is not being stored. Using pointers to a table of phrases is just a method of compressing the user's web pages. You say that the phrase database is constructed from white and black phrases with humans deciding each phrase's category, and yet your auditors admit that the system could be compromised by a disgruntled employee.

    Can you confirm that the only data being passed to the advertisers is the pointers to the white list relevant to the cookie ID, and that any other cookie-specific data will never be used outside of PHORM, especially the "black list"? Further, that no linked tables for any non-"white list" are retained? I ask as clearly, having a linkable black list means that you are also capturing data you know to be dodgy. If the black table was never linked to the cookie I could understand its use in keeping the white table white.

    The system would work just as well for advertisers with only a white list, and storing another linked phrase table of data "we are never going to use" smacks of a hidden agenda.

    You say that this white list will quickly contain millions of entries and that you would find it difficult to provide this in its entirety; however, you already store the cookie-specific linked phrase table for the user and hence this data is readily available and in fact necessary to your system.

    Can I suggest that a web page with just the user-specific white list with a tick box per phrase be available. Where the user removes the tick from a phrase, this phrase is not allowed to be linked in any way. Further, if sufficient users remove their consent to a phrase it is moved to the black list or just removed from the white table permanently.

    Can I also point out that after cracking your cookie and obtaining a copy of your phrase database, all advertising websites will be able to use your system to target advertising, even the ones not paying you. It would be in your interests to reorder the database regularly, otherwise you will lose revenue as the advertisers build their own phrase database from what they know they are interested in.
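
    The "pointers into a phrase table" scheme this comment describes, as an added example that is not the commenter's code and not Phorm's: a toy profiler that stores only phrase IDs per cookie UID, with a function that expands those IDs back into the phrases. The three rows (Peter/black, holiday/white, Greece/white) come from the thread; the remaining rows, the tokeniser and the white-only switch are my assumptions. It shows the commenter's two points: an ID list is just a compressed copy of what was on the page, and linking black-listed hits to the cookie retains exactly the material the list was meant to exclude.

```python
"""Toy of a phrase-table profiler (added example, not from the thread or Phorm).
Rows beyond Peter/holiday/Greece are assumed for illustration."""
import re

# (id, phrase, colour): black = must not be linked to a user, white = allowed
PHRASE_TABLE = [
    (0, "peter", "black"),        # a personal name, from the post's table
    (1, "holiday", "white"),
    (2, "greece", "white"),
    (3, "mortgage", "white"),     # assumed row
    (4, "clinic", "black"),       # assumed sensitive row
]
BY_PHRASE = {phrase: (pid, colour) for pid, phrase, colour in PHRASE_TABLE}
BY_ID = {pid: (phrase, colour) for pid, phrase, colour in PHRASE_TABLE}


def tokenize(page_text):
    """Lower-cased words only; a real profiler would match multi-word phrases."""
    return re.findall(r"[a-z]+", page_text.lower())


def profile_ids(page_text, white_only):
    """Phrase IDs a profiler would store for one page.
    With white_only=False the black-listed hits are linked as well."""
    ids = set()
    for word in tokenize(page_text):
        hit = BY_PHRASE.get(word)
        if hit and (hit[1] == "white" or not white_only):
            ids.add(hit[0])
    return ids


def reconstruct(ids):
    """Expand stored IDs back into phrases: the 'not stored' page content."""
    return {BY_ID[pid][0] for pid in ids}


class ProfileStore:
    """Per-cookie store holding only IDs, as the scheme in the post describes."""
    def __init__(self, white_only):
        self.white_only = white_only
        self.links = {}               # cookie uid -> set of phrase IDs

    def record(self, uid, page_text):
        ids = profile_ids(page_text, self.white_only)
        self.links.setdefault(uid, set()).update(ids)
        return ids

    def what_we_know(self, uid):
        """What anyone holding the store plus the table can read back out."""
        return reconstruct(self.links.get(uid, set()))


def compare(page_text, uid="c0ffee"):
    """Run the same page through a black-linking and a white-only store."""
    both = ProfileStore(white_only=False)
    white = ProfileStore(white_only=True)
    both.record(uid, page_text)
    white.record(uid, page_text)
    return both.what_we_know(uid), white.what_we_know(uid)


if __name__ == "__main__":
    page = "Peter booked a holiday in Greece after a visit to the clinic"
    print(compare(page))
```

    The only thing that makes the stored record "not the page" is the table needed to decode it, which is why the post's last paragraph matters: anyone holding a copy of the table and a user's cookie can read the profile just as the operator can, and renumbering the table is the only thing that invalidates a leaked copy.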

  231. m4rk

    Still waiting for Kent to own up

    Still waiting for the system architecture to be published on the webwise site, showing clearly where the phorm hardware sits and what the flow of data is, how the phorm cookies are requested when the user is not looking at a page under a phorm domain and where the interception happens.

    This was promised on the webwise chat but has still not materialised.

    Also I am still waiting on evidence that you do not modify page responses.

    This claim was made on the webwise chat but have seen nothing to back it up.

  232. alistair millington
    Black Helicopters

    Interesting read, good of them to do it. HOWEVER

    Makes me think if we as a bunch of readers of this hadn't stepped up and done the petition, the complaints to the Information commissioner etc and raised the level of awareness to public media, would they have come forward for an interview.

    Although good on us [the reg readers] for doing the run around and making this at least reach main stream media. Perhaps there is something in shouting and ranting and kicking up a fuss.

    My tuppence and my cynical view.

    Still don't like it though, having read the BT link. PR and spin.

    Helicopter icon because I don't think they would have come forward without the argument.

  233. Anonymous Coward

    Place a value on privacy to prevent a Tragedy of the Commons

    I agree with so many people here who wish to protect their privacy. Like them, I do see pernicious outcomes from Phorm. For me, this is not an absolute principle that I'd be willing to kill or die for, but I would be willing to pay something for the privilege of fully opting out. Not with a Cookie, but at the Switch and in my Terms of Service. Surely ISPs could manage this. And they should be given an incentive to do so. They'll have revenue from both streams and, to keep their behaviour in check, the threat of legal action, competition, widespread encryption or amanfrommars style obfuscation.

    Our privacy is a priceless asset. To those who would make this a matter of principle, I say we'll get better long term results if we place a value on it now.

  234. Sceptical Bastard

    Phuck off, phorm

    Just what the internet needs - another bunch of get-rich-quick slimeball packet-sniffing advertising pimps.

    I object on both privacy and technological grounds. If my ISP turns whore and starts phlirting with phorm, I'm taking my custom elsewhere.

    Great to see twenty per cent knocked off their share price BTW.

  235. jon

    comparisons with Google are disingenuous

    It is disingenuous to compare this Phorm system with Google and to claim that they're better than Google because they don't store data (which is a barely credible claim anyway).

    The difference is quite simple: no one is forcing anyone to use Google's service, and those that do, as pointed out in the interview, are receiving A SERVICE. This Phorm system will INTERCEPT your browsing regardless of whether you're opted-out or not.

    Thankfully, I shall be leaving this country soon and hopefully Virgin Media won't manage to implement this precursor of Skynet before then...

  236. Francis Fish
    Black Helicopters

    I've opted out for carphone warehouse / talk talk

    Log in, then:


    I believe you have been working with a company called Phorm about putting targeted advertising into my broadband.

    I opt out, thanks.

    If I can't opt out I will be moving to another provider where I can.

  237. Anonymous Coward
    Anonymous Coward



    2nd Floor

    Liberty House

    222 Regent Street

    London W1B 5TR

    +44 (0) 207 297 2067"


    "And it’s unbranded so your clients won’t know you’re in a serviced office."

  238. William Morton

    RE: re: PHORM reply to William Morton

    Basic PHORM DB structure to deliver adverts regardless of clientside blocking tools

    PHRASE table (ID, phrase, colour)

    0, Peter, black

    1, holiday, white

    2, Greece, white

    3, SW1, black/ white?

    4, £12, black/white?

    5, mystreet, black/white?

    6, I-phone, white

    7, gadgets, white

    8, hate, black/white?

    9, kill, black/white?

    10, sex, black

    11, felching, black/white?

    12, Pakistan, black/white?

    13, pistol, black/white?

    14, kids, black/white?

    15, earn, black/white?

    16, swallow, black/white?

    17, taste, white

    18, love, black/white?

    19, throat, black/white?

    20, breast, black/white?

    21, chicken, white


    USERS table (internal ID, external ID, isp)

    0,-1, BT

    1,-2, Virgin Media


    ADVERTISERS (ID, hit count, ^phrase, ^phrase, ^phrase, ^phrase, ^phrase, ^phrase)

    0, holidays R us, 3, -1, -1, -1, -1, -1, -1

    1, burger king, 9, -1, -1, -1, -1, -1, -1

    2, mc donalds, 9, -1, -1, -1, -1, -1, -1

    3, homophobes anonymous, 2, -1, -1, -1, -1, -1, -1

    4, gadget phreaks, 4, -1, -1, -1, -1, -1, -1

    5, toysRus, 5, -1, -1, -1, -1, -1, -1

    If I were not interested in people's privacy and just wanted to make money, then the ad delivery would go like this:

    User goes to OIX ad hosting site(WEBSITE1), his cookie is de-domained at LVL7 and cookie ID passed to OIX

    OIX return link to AD content on WEBSITE1.

    Now it doesn't matter what ad blocking tools the user has, he gets my advert from WEBSITE1 direct. No more advertisers complaining of non-delivered advertising.

    Now just the phrase list interpretation alone is going to be a nightmare as many English words have different meanings. How are you going to keep up with the changing informal/obscure language used by specialist groups? How are you going to vet who is allowed to advertise and hence have access to captured data?

    From the phrase list above I have left out the ^phrase; see if you can work it out.

    Even if PHORM allow you to block the ad as WEBSITE1 just redirects to OIX they still get to capture. Change the cookie ID they link it to the internal ID and still capture your data.

    The answer is clear: if you don't want them to capture your data, move to an ISP who will not pimp your data. If enough users start tunneling through the ISP's compromised network then the ISP will just add encrypted streams to the banned protocols on the fair use list.

    PHORM TECH TEAM would you be so good as to repost the phrase list with the correct colours.

    I'll get my coat shall I, it's the one with your data hanging out the pockets

  239. Pierre
    Thumb Down

    Comparison with Ciscow

    Hey Phorm, I liked your comparison with Ciscow. 2 things though:

    - it's not necessarily helping here.

    - Does Cisco provide code THAT SENDS THEM INFO on what's happening on the servers they sell? It does make quite a difference. Should they do that, their sales would drop to 0 instantly (which is where they belong anyway, but that's another problem). Hope this happens to you and to the ISPs who'll implement that wicked system of yours.

  240. Man Outraged


    Just appeared on the BBC now:

    Q: Even if you do opt out your web traffic will still be intercepted and analysed, you just won't see the ads. Is this true?

    A: No this is not true. If you opt out no data is passed from the ISP to Phorm. The ISP controls which data is passed to Phorm and its systems check for the presence of an opt-out cookie. Opting out means that you will not see relevant ads from the OIX (Open Internet Exchange - the platform developed by Phorm) and that none of your data is analysed. You will however continue to see untargeted ads, just as you do today.

    Compare that with El Reg:

    Ok, so if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?

    MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.

  241. Chris Cheale

    Advertising does not a free service make.

    You have to connect to the ad-server and download the additional data - time, as they say is money. Even the fraction of a second it takes to download that additional data, glance at the ad and realise it's an ad and you don't care, is time. Get enough of them and that's how you're paying. Nothing is free.

    Personally I actually PAY for my email addresses; well I pay for my "generic" address independently - I've got 5 other mailboxes with my web server which I also pay for. With my paid-for service I don't have to log into a webmail system if I don't want to (it's got pop and smtp), nor do I need to look at the adverts funding said "free" webmail system.

    I also get black, white and grey list filtering - and how much does this service cost me? $15 (US) - which converts to about £7.80 or something - A YEAR. More than worth it I think.

    I've got nothing against online advertising, per se, with the possible exception of the intrusive "float over content" ads that El Reg indulges in; they get right on my tits. There is a HUGE flaw, however, in the assumptions made by the Phorm people - personally I have no objections to adverts being served up that are relevant to the site I'm visiting; what I REALLY object to is ad-servers trying to make their ads "relevant" to me by tracking my web usage (I use Firefox's cookie exception list to allow certain specific cookies at home, everything else is blocked).

    If the ISPs can't fund their own services from their subscriptions, then their business model is broken. I've actually got to the point where I'd much rather my ISP (VM) charged per-GB transferred (in the same way I am charged for hosting my website) than the crappy "fair usage" policy, traffic management and now this... and since I transfer <2GB per month, I think I deserve a fucking rebate!

  242. Anonymous Coward

    You couldn't make it up...

    Here BT tell you how great they are at managing security, presumably including detecting just the sort of stream hijack they are perpetrating themselves!

  243. The Other Steve
    Thumb Down

    @ Slimeballs (Phorm Tech Team) - Informed Consent

    Firstly, stop cutting and pasting, and answer some points properly.

    Secondly, you keep hiding behind the idea of choice, and more importantly from a DPA point of view, consent. Let's get this cleared up a bit, the DPA requires "informed consent".

    Truly informed consent would be every user receiving a letter from their ISP phrased thusly :

    "Do you [name of contract holder], consent to having every single web page you visit proxied through a piece of software written by ex Soviet cold war hackers, profiled, analysed, and then passed to a company whose last project was a massive effort to install intrusive spyware onto people's machines without their consent in order to spy on their web browsing habits, sell the data to marketers and open pop ups advertising porn, gambling and dodgy pharmaceuticals to any user of said machines, including, quite often, minors. PS, they promised they won't do these kinds of things any more, and we believe them because they offered us money.

    Optionally, you may also choose to see relevant advertising based on this profiling and analysis.

    To consent to this, you must also accept a change of Terms And Conditions which abandons our existing privacy policy and effectively allows us to sell your data to all and sundry, opening the floodgates to a whole new future of web use where we make money from profiling our customers without their consent or knowledge because it says we can in our new contracts.

    If this sounds like the kind of thing you would like, please complete the attached consent form, and send it by registered post to the Data Controller at [ISP]."

    Sorry, but anything short of that is NOT informed consent from where I'm sitting. What users will get is a web page saying "CLICK HERE TO SWITCH ON [ISP]s NEW ANTI PHISHING SUPER SECURITY SERVICE IT'S GREAT (oh, and some ads)."


    Then they get a mutable, expiring, easily deleted by accident, couple of bytes of data on their machine. And guess what, if they DO delete it by accident, or they have a software failure, or have to reinstall their machine, or they switch browsers, you opt them back in by default without their consent AT ALL.

    Bull Shit. You want informed consent, get it in writing from the Contract Holder, or end up in court. No informed consent, no interception for purposes other than those necessary in the course of the provided service. If ICO had any teeth, they would already be chewing your arse off. Get one of your legal droids to actually read the DPA. And stop spewing the same godawful dissembling copy'n'paste shit around the web. Get some REAL technical people on the front line with some REAL answers.

  244. Anonymous Coward
    Thumb Up

    The power....

    Anyone looked at their share price today? Unless I'm mistaken it's down nearly 33%

  245. colin stone

    Lost - one PhormPRteam member

    We have recently lost a member of our PR team.

    He was last seen hanging about several message boards and forums

    It is thought he was posting misleading information about our spyware products and services, although not a member of our company

    If found please do not return as our share price has tanked and we hold him fully accountable

    thank you

    Phorm Management.

  246. Anonymous Coward
    Thumb Down

    Putting the pieces together...

    It seems that the pieces are falling into place now, I think there are some misconceptions about the "business model" but this is what I can fathom out from all the gumph, PR, forum postings, comments from the "tech team" etc.

    Bear with me, this was meant to be short but it went on a bit! ;-)

    The system itself...

    Phorm PAYS the ISP to put one or more servers in their network which will intercept all customers' HTTP traffic (I assume they will only intercept port 80 web browsing). No captured data ever leaves the ISP, however a cookie is set on the customer's machine that contains information about your "interests" (as determined by the profiling server) and a unique number for that customer.

    When the customer visits a website that has signed up to OIX to display adverts, their cookie information is read and an advert is displayed that is relevant to their browsing habits. Phorm do NOT replace adverts, just display more "relevant" adverts when the customer visits a site signed up to their advertising scheme. Phorm make their money from the advertisers themselves and pass on a "cut" of this to the ISPs.

    That in itself doesn't sound 'too' sinister, just like many others I don't like it but it's not as bad as was originally thought however the rather more complex issue...

    Opting out...

    The customer can opt out of being shown "relevant" advertising by setting a cookie on their machine. It appears (although there are contradictions) if the customer opts out then the web pages they view are NOT processed by the "profiler", however the customer's requests are still being intercepted in order to check if they have opted out. And this is the real issue.

    I saw a comment further up supposedly from the Phorm tech team that said they comply with RIPA. And this is where the issue gets muddy.

    Technically Phorm are NOT intercepting any data, it's the ISPs that are intercepting their customers' data. The only connection Phorm have is that they have supplied the software to enable them to "profile" the information they are intercepting and I assume inject certain content into the web pages returned to the customer.

    As people have said an ISP can look at any of the data crossing their network and this is true, however the data is being carried across devices whose function is simply to route traffic where it is supposed to go (I'll skip the OSI model for now). The most sensitive information that is "inspected" is the addressing (where it's going to and where it has come from). The devices look no further into what is being sent. (There is no getting away from this, it's just the way it is.)

    The ACTUAL information you are sending and receiving "could" be captured and reassembled in order to track what you have been doing, however this is where RIPA rears its head. Without consent from either the operator of the server the customer is connecting to or the customer themselves, capturing and reassembling this information would contravene RIPA.

    The issue is that the ISP's are now essentially being assisted and paid by phorm to do exactly that. Capture the information that their customers are sending and receiving, piecing it back together and inspecting the contents even if you opt out.

    Because the method of opting out is in the form of a cookie, they need to capture and reassemble the entire communication in order to determine that you didn't want your data intercepted in the first place. It's chicken and egg!

    So assuming my assumptions are pretty close to the mark, it's the ISPs that are on dangerous ground here, not Phorm. Phorm are merely providing them the means to do this AND paying them to do it (perhaps there is guilt by association?). My fear is (as has already been stated) that the ISPs will simply change their T's & C's so that in order to use their service you consent to them intercepting your communications.

    I'm not defending Phorm, far from it but I think the wrong company is being questioned, the likes of BT etc are the ones that need to start answering the questions.

  247. Anonymous Coward
    Black Helicopters

    Contradictory answers

    The answers from Phorm and BT are beginning to contradict themselves a lot. E.g. is clickstream data saved? One source says not, another from an interview with Phorm's CEO says the full webpage data is analysed offline so as not to create a performance problem with the end users' DSL speeds (therefore it must be saved for some period).

    They claim in many places (as does BT) that no data is looked at / processed if you opt-out, yet Phorm's interview with the Register admits that their server (located at BT but written by Phorm's developers) still processes the full webpage data but doesn't actually send it externally (or so we are told; have any 3rd party software experts examined this software?)

    I know many BT employees and the mood internally among staff is strongly against this sellout deal due to the privacy concerns (internal newsgroups from what I hear are particularly anti-phorm)

    Having the system opt-out (BT claim in a few places that "no decision has been made" -- yeah right, like the marketing dept would allow an opt-in solution) is ridiculous esp. combined with the fact you need an opt-out cookie to be present! you could block all cookies from but show to say that the profiler won't/can't fallback to tracking you via your IP address (they say they don't but I for one won't trust known adware peddlers)

  248. Andy ORourke

    Too lazy to read everything

    Did I miss an article about the "China Connection" I thought I heard in the first stories about this that some of the servers were located in China but from the BT Webwise site:

    I understand that Phorm has equipment in China. Is that true?

    Phorm has absolutely no connection with China. All processing is done in the UK and within the BT network. No data is ever passed outside BT network to any third parties. The system has been built from the ground up to ensure that there is no way user data can be accessed or stored in any way.

  249. Andy ORourke
    Thumb Down

    The BT opt out clause in the total broadband T&C's

    If we have made a change which is to your material disadvantage, you will not have to pay a charge if you decide to end your agreement early, unless the relevant price terms say otherwise. However, once we have told you about such a change, you must let us know that you want to end the agreement within ten days. When we make a change that we reasonably believe is to your material disadvantage we will also let you know that you may end the agreement early without paying a charge for doing so.

    So by saying Phorm is an advantage for its users they have effectively got you screwed to your 12 months!

  250. Anonymous Coward

    Talk to Phorm!!!!!

    If people want to challenge Phorm directly then they should go and meet Hugo Drayton - CEO, Phorm UK who will be at the Chinwag session on March 18th.

    I think I may go along and see the fireworks!

  251. Anonymous Coward

    Fluff piece

    This was a nice fluff piece.... Phorm controlled the conversation and used it to spin away.

    Where were the hard hitting legal and technical questions I expect from El Reg?

    Before I give some of my thoughts on how the technical side of it might work, let me just say that I believe that this system is (or should be) illegal as it is clearly interception not needed for the transmission of the data. Especially due to the fact that there is no way to get even implied consent from everyone who might use a connection.

    However if I were to be implementing this system:

    I would "copy" all of the http traffic - strip it back to the data stream (ie remove all the packet headers, IP addresses etc) and pass only the data stream onto the profiler. This could be done using transparent proxying but it would be better to use the advanced features available on most modern high end carrier grade routers used by the likes of BT and Virgin. Many high end routers can do this without any noticeable hit on performance.

    The profiler would then work on data streams meaning it does not ever need to save copies of any traffic to disk. The profiler would start a new thread for each new stream from the router, which would first check for the opt out cookie and if not found it would massage the stream in memory, spit out the 10 keywords for matching channels with the user's cookie and then terminate. In this way, the profiling is not done inline (ie not on the live connection - just on a real time mirror of the connection).

    Using this implementation I don't see any easy way to distinguish between connections coming from those who want to opt-in and those who want to opt-out. About the easiest would be to give all those opting out a static IP in a specific range and then filter the traffic based on that. But as many ISPs charge extra for a static IP, they probably don't want to do that.

    Using the cookie idea means you get to distinguish between different users on the same connection (at least where they use different computers or logins - shared logins or the same user using different browsers will look the same) meaning you can better target the ads. However it also means that you can only opt-out using a cookie too. And having it be opt-in using a cookie would not work as too many users would delete the cookie by mistake and end up opted out.

    Overall I'd say their claims of the privacy of the scheme are fairly accurate (that's not to say it can't be maliciously subverted - just that as they claim it "probably" doesn't record any personal information). The design is actually quite brilliant - apart from the fact that it is quite possibly illegal. Consider young children not related to the subscriber using the connection... no court would recognise implied consent in this situation.

    Of course if Phorm are shrewd (I see no reason to believe they're not), they will be providing the profiler and the channel information to the ISP and just buying cookie to channel mappings from the ISP. They won't be doing any interceptions or processing of personal information, the ISPs will. The ISPs could claim they are not selling identifiable information, but it doesn't solve the problem of the interception. And it is the ISPs that are left with the problem of sorting out the legality.
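
The opt-out check sketched in this comment and in comment 246 above, as an added illustration that is not Phorm's, BT's or any poster's code: a profiler working on a mirrored stream has to reassemble and parse the whole HTTP header block before it can even look for the opt-out cookie, and a missing cookie is indistinguishable from never having opted out. The cookie name and the sample requests are assumptions constructed for the example.

```python
"""Why a cookie-based opt-out still needs the mirrored request to be
reassembled and inspected, and why an absent cookie means "profile me".

Assumptions (constructed for this example, not taken from the thread):
the opt-out marker is a cookie named OPTOUT_COOKIE, and the profiler sees
a raw copy of each client request whose headers end with a blank line.
"""
from dataclasses import dataclass

OPTOUT_COOKIE = "example_optout"   # hypothetical cookie name (placeholder)


@dataclass
class Decision:
    profiled: bool          # would this request go on to the profiling stage?
    reason: str
    bytes_inspected: int    # how much of the stream had to be read to decide


def parse_cookies(header_value: str) -> dict:
    """Split a Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def opt_out_decision(raw_request: bytes) -> Decision:
    """Decide, as a mirrored profiler would, whether to profile this request.

    The decision cannot be taken until the full header block (request line,
    Host, Cookie, ...) has been buffered and parsed, so the request is
    intercepted and reassembled whatever the answer turns out to be.
    """
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        # Headers incomplete: nothing can be decided yet, keep buffering the copy.
        return Decision(False, "incomplete headers, still buffering", len(raw_request))
    inspected = end + 4
    lines = raw_request[:end].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Decision(False, "not an HTTP request", inspected)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = parse_cookies(headers.get("cookie", ""))
    if OPTOUT_COOKIE in cookies:
        return Decision(False, "opt-out cookie present", inspected)
    # Failure mode raised in the thread: no cookie (new browser, cleared
    # cookies, reinstalled machine) looks exactly like never opting out.
    return Decision(True, "no opt-out cookie: profiled by default", inspected)


# Constructed sample requests (not captured traffic).
OPTED_OUT = (b"GET /news HTTP/1.1\r\nHost: www.example.org\r\n"
             b"Cookie: session=abc; example_optout=1\r\n\r\n")
FRESH_BROWSER = b"GET /news HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
PARTIAL = b"GET /news HTTP/1.1\r\nHost: www.ex"

if __name__ == "__main__":
    samples = (("opted out", OPTED_OUT), ("fresh browser", FRESH_BROWSER),
               ("partial", PARTIAL))
    for label, req in samples:
        d = opt_out_decision(req)
        print(f"{label:14s} profiled={str(d.profiled):5s} "
              f"inspected={d.bytes_inspected:3d}  {d.reason}")
```

Note that even the "opted out" request is fully read before the decision is made: the opt-out only stops the later profiling step, not the interception.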

  252. Zap

    Phorm must be stopped - Where is the IC when you need him.

    Why does he keep referring to Google? When I go to Google I know that they are recording whatever I type into their site. However, Google can't see every site I visit and my browsing is confidential, or at least I would like it to be. I may be accessing my bank, booking a flight, watching a YouTube video or something stronger. What right do they have to profile me? I never authorised it and I never agreed to it.

    So the opt out is not an opt out as it still processes your data. Why does this matter? Well, the answer is in the interview.

    He says his systems are located within the ISP, the systems use pagefiles (Windows) or page partitions (Linux); these are not secure. So a tech within the ISP can copy those and write a simple program to construct data from it; with enough analysis the tech can marry information to individuals. Also chances are that the tech has access to the ISP customer database servers and can identify personal information.

    If you think this is unlikely, think again.

    A tech at a major telecom company stole the debit card details of my wife 3 times, each time we re-registered the card they took it again. The worst thing is that the company found out about it and sacked the guy but did not report it to the Police.

    This is typical because there is a lack of confidence that comes with such admissions.

    Phorm needs to be stopped now, it is a MAJOR abuse of privacy by both the ISP and Phorm.

  253. dijital
    Thumb Down

    Online Ads

    I cannot understand ad companies. At what point will they realise that people not only do not want advertising, but also that many simply ignore it regardless of content. Phorm claims to be offering a service to people but as far as I can see it's simply another way for them to advertise (and an intrusive and potentially insecure way at that!).

    If companies want to attract more customers online they need to make it easier for people to find them. If I'm looking for a product, the last place I will look is in a site's advert boxes. I'll use a search or ask a friend for a recommendation; companies should try and take advantage of these methods rather than spoiling people's browsing with an endless stream of adverts.
