CPW builds wall between customers and Phorm

Carphone Warehouse has become the first of the three UK ISPs who have agreed to pimp data to ad targeting outfit Phorm to announce a major rethink of how it will use the technology. Company representatives have told users in forums that they are working on a way to ensure that traffic from people who opt out will never enter …


  1. Jonathan
    Paris Hilton

    The real answers...

    "I didn't switch on this service. Why do I have to switch it off?"

    "Because BT's shareholders love money. They love it so much, that they would even sell your private data to gain money. Money is so important to them, that they think it is worth increasing the risk of compromisation of the network, increase the cost of said risk, violate your right to privacy, and lie to you. That is how great BT's commitment to money is. Please note that, at no time will you, the consumer, benefit from BT's increased revenue. If you find that you have in some way benefitted, please contact BT Customer Disservice so that your account can be downgraded. Please allow 4-6 weeks for someone to help you."


    "BT is beginning a trial of Phorm's ad targeting technology with 10,000 consumers this month, under a changed privacy policy."

    Somehow I think this isn't the first trial, contrary to popular belief.

  2. Ben Mathews

    At least someone is listening...

    Carphone Warehouse announcing opt-in only and promising not to send any data from people who haven't opted in at least shows someone is listening. Whether they reverse that decision in the forthcoming months remains to be seen!

  3. mixbsd


    Why does Phorm's ticker symbol look so much like a virus name?

  4. Anonymous Coward

    Proxy server

    Isn't the answer simply to tell those who WANT to opt-in that they need to simply configure their browsers to use a proxy and then the phorm spyware can simply run against that proxy?

  5. John Bayly

    These people are so far up their arse ...

    They never thought that the customers mightn't like this idea. Even worse, they appear to have built the system without a thought as to how traffic can by-pass Phorm's systems.

    Dumb, dumb, dumb.

    Speaking of which, this did make me laugh:

  6. bobbles31


    I contacted my bank about this asking for comment, however, they appear to be plainly ignoring me.

    I hate big companies.

  7. Ian

    CPW: The Smart Ones

    At the moment there are three classes of ISPs: those that are pimping data, those that appear to be saying things to avoid pimping data, those that are saying nothing. CPW are the only members of the second category: Phorm may claim them as a customer, but if there's no kit installed and they're already talking about an opt-in scheme (presumably Phorm offer a revenue split). So CPW are positioning themselves neatly to capture the diaspora from BT: unlike random ISP X who might sign their souls to Phorm the day after you switch to them, CPW are saying clearly (a) opt-in and (b) those that don't opt-in will be fenced off so their data doesn't hit Phorm's boxes.

    Since the set of people who will opt-in is small, CPW have just for practical purposes announced they reckon recruiting Phorm refuseniks from BT is a better business model than taking Phorm's money. I reckon that's the end of Phorm, and BT's next move will be interesting and crucial. That BT have been caught lying about trials in the summer won't go well for them, either.

    Stock price down 30%, one major `customer' distancing themselves and another being neutral means that BT are now the only major customer of a shareholder toxic, PR toxic spyware company. Not a nice place to be.

  8. Rippy

    Investors must actually read more than the prospectus

    "Phorm closed the day down 31 per cent"

    Isn't it wonderful what a bit of rude journalism can do to a sleazy business plan?

  9. Anonymous Coward

    Petition the Prime Minister - 2,641 and counting :)

    We the undersigned petition the Prime Minister to Stop ISP's from breaching customers privacy via advertising technologies.

    Deadline to sign up by: 04 March 2009 – Signatures: 2,641


    35% down - :-D



    <rant on>

    Phcukoff Phorm!... Phcukoff Phorm!... Phcukoff Phorm!... ESADMFB's

    <rant off>

  10. Anonymous Coward
    Thumb Down

    Sign the petition

    There is a petition here - 2600+ have already:

  11. Law
    Dead Vulture

    @ Jonathan

    You accidentally added a </sarcasm> tag....

    The bird, because trying to reason with ISP's is like feeding tomato ketchup to a sleeping vulture.... messy and fruitless! :)

  12. Mike Crawshaw

    As a CPW user...

    I'm actually marginally impressed with their reaction to their punters. Over the last few days, I've been looking at alternative providers to the one I have with CPW, even though this one is free (I have my landline with them). I would have been prepared to leave a decent enough* free service with CPW and pay for another one purely because of this Phorm stupidity.

    Based on this, I'll delay making a decision. If CPW make their arrangements with Phorm on a purely opt-in basis, and they **guarantee** that none of my data will be piped **anywhere**, anonymous or not, then I'll stay where I am. Obviously I won't be "opting in" to Phorm's malware...

    *yes, yes, I know, everyone hates CPW Broadband. But it's free, it's a reasonable speed (I average 5MB/s) and the download limit (40GB/month IIRC) is more than generous enough for my needs, especially when compared to comparable offerings from Sky / Orange etc which limit to 2GB/month.

  13. Joe K

    The real question is.....

    .....what kind of idiot buys stock in an unproven dotcom, with a shady probably-illegal business plan, who are former spyware pushers, who aren't earning any money at all until the system goes live?

    I don't know much about the stock market, but I do like the look of the *plummeting* line on that stock page.

    Thanks El Reg!

  14. Frederick Karno

    How about a rebate

    IF, people have nothing to worry about with their privacy, and if these 3 ISPs are confident that it is so good perhaps knocking £2 a month off your line rental for opting in to this service would be a suitable recompense to the people concerned....

    Personally I wouldn't consider it and if I were a customer of these ISPs I would leave, but that's just me. I would suggest that any customers of theirs who feel strongly enough about their privacy should do the same.

    For those who do consider signing up to this trial please ensure that BT are responsible for everything that Phorm do with the collected data and again if they are not willing to take responsibility then don't do it !!!!

  15. Anonymous Coward

    As another CPW customer...

    I have nothing to fear, as I can never connect to the internet anyway.

  16. Chris iverson

    Why are they selling your data....

    When your government has given it away several times.

    Have they found those CD's yet?

  17. Jared Earle
    Thumb Up

    I got a reply from Virgin


    "You are losing me as a customer if you go ahead with implementing Phorm's data-mining package. A system like this should be opt-in." - Jared Earle, Geek

    "Please be assured that no decision has been made in terms of how we could implement this technology." - Neil Berkett, Chief Executive Officer, Virgin Media

  18. Anonymous Coward

    This May Be Progress

    But the battle is far from over. There is still more to do to show Phorm up for the slime that it is, get these ISPs to recognise that and drop Phorm completely.

    Nice to see that informed customers (which we generally are here) can speak up, make a noise and make a difference to dipshit companies looking to screw customers. Oh dear, the share price has taken a bit of a dive. Can't think why.

    The word is starting to spread.

    Never thought I'd say this about CPW but they've actually listened to their customers and responded positively to them. Smart move, that.

    Now if CPW can implement a system which prevents customers' data being passed to Phorm, why can't BT and VM?

    Still waiting for a response from Virgin Media, btw.

    Smile because this is, I hope, the start of things swinging our way, Phorm being exposed for the crock that it is and being dumped well and truly. And because the share price dropping cheers me up.

  19. Spleen

    Ooh, my dicky ticker

    @mixbsd: to be fair, I think all stock tickers look like that. Personally, I tittered when I looked at the URL of the stock page linked in the article, which ends PHRM.L&it%3Dle - or as my brain processed it, "PHORM - Let It Die".

    Although that drop to £20 per share looks lovely on the graph, at £237m market cap it's still too expensive for us to club together, buy Phorm out and have a BOFH-style ceremony involving us going into their office and throwing all their Big Brother tracking equipment off the roof. Let's keep the negative publicity going - no-one is going to opt-in to this thing (the entire business relies on the apathy of consumers not opting out, so no way are they suddenly going to be able to turn around and rely on them doing the opposite) so all we need is for other companies to follow CPW's lead, and they'll be down to 1p where they belong.

    (Actually come to think of it they don't have a proper office to throw their equipment off, just one of those pretend offices with a pretend receptionist, so it'd have to be a ceremonial sledgehammering instead.)

  20. Andy ORourke
    Thumb Up

    @ how about a rebate

    I got a call from BT about 4 or 5 days before the shit hit the fan telling me they are reducing my costs by £2.00 per month if I sign up to another 12 month contract..............

    well done Carphone Warehouse:

    "By making the service opt-in, we feel the onus remains firmly with Phorm to make the service useful and compelling enough that subscribers will choose to join it. If it fails to do this, it will itself fail."

    The first time I have EVER seen common sense by any major company!

  21. The Other Steve

    Auntie Beeb laps it up

    Beeb simpletons still drinking the Kool Aid.

    Most hilarious quote :

    Kent Ertegrul, chief executive of Phorm, told the BBC News website that he was confused about why the issue of opt-in versus opt-out was causing so much controversy.

    "There is no way of not knowing that this is switched on. There is a clear choice offered to consumers and I am surprised that there has been so many questions about this. I find it a bit bizarre," he said.

    Most dangerously inaccurate quote :

    "Phorm works by placing a cookie on a user's machine that contains a randomised identifying number. That cookie tracks websites visited and draws conclusions about a user's behaviour in order to target more relevant adverts."


  22. Anonymous Coward

    VM Logo missing from Webwise front page

    The Virgin Media logo is missing from the Webwise front page. Wonder if something's happened...?

  23. Craig

    @ bobbles31 - banks

    I contacted both of my banks, Barclays (personal) and the Co-op (business).

    The Co-op got back to me the same day saying that as HTTPS traffic can't be monitored then as far as they're concerned their system is safe. They did say I should push BT for a definitive answer on what ports would be profiled as BT weren't very clear that it would only be port 80.

    Barclays took until today to get back to me (from Sat 2nd March) with an apology for the delay, they said the delay was because they needed to consult with BT. Apparently BT has reassured Barclays that HTTPS won't be profiled and BT is satisfied with the situation. They did have a comment that confused me slightly though:

    "Whilst this information gathering will not affect your Online Banking service in any way, there could be an increase in marketing related pop-ups which you may need to take action to prevent."

    This confused me in a way as I thought I'd get the same number of ads but "targeted". I hope they're not planning on an additional advertising thingy where the Phorm servers in BT's datacentres send additional pop-up adverts. Even they couldn't be that suicidal...

  24. Anonymous Coward

    explicit question of legality to BT

    Here's my letter. It explicitly asks them to confirm they haven't done anything illegal with my data. It should have provoked a quick answer; it's a reasonable request:


    Hi, I came across a disturbing story of BT apparently collaborating with a company named phorm. Details can be found here

    I need to know if

    * You have or will have any association with phorm or any other company for the purpose of mining personal details which goes beyond what is

    * any of my details have already been passed to phorm or any other company without my knowledge

    * whether what it is alleged you will pass to phorm (as per URL link above) or allow phorm to mine, is and has been done legally, as it seems the extent of this is extreme.


    They ignored this until I chased it up by phone, upon which I was promised a call back. This didn't come, so I chased again and, again, was promised a call back. Again it didn't come. To miss three opportunities to reply seems to rule out accidental oversight IMO.

    I was also told by them verbally that nothing illegal had been done by BT but - and I was told this quite clearly - I would not get that assurance in writing.


    So, will be making formal complaint to relevant body ASAP.

    I would suggest that others here drop a quick line to their ISP to ask for statements that all their past browsing data has been treated legally.

  25. Andus McCoatover


    "giving you better protection against online fraud and giving you more relevant advertising" (BT)

    Ah, yes. "Better protection against online fraud" from the original rootkit folks - 121Media.

    Don'tcha just love marketing twats.

    No wonder the question/response was "North-Korean'd" out of history.

  26. John Dow
    Paris Hilton

    Why is it so hard to understand?

    People **do not want to be advertised at**. It doesn't matter if it's targeted or not. Do people watch TV just to catch the latest ads? No, they bugger off to the kitchen to make a cuppa while the ads are on because that way they're not wasting their time.

    Honestly, I'm seriously considering having "I Am Not A Target Market" tattooed under my forehead. Right underneath's barcode.

    I'm sure Paris will opt-in though - she thinks the BT Broadband ads are a genuine soap.

  27. therealvicz

    Complain to the BBC

    If you think the PR story on the BBC News website contains factual inaccuracies (and you may spot one or two!) you can complain about it here

  28. Anonymous Coward

    2 minor points to note here...

    1) If you have savings, investments (like a pension) or an ISA, then YOU are a shareholder of large companies like BT since your savings are invested in the stock market mostly and mostly in blue chip companies that reliably make money.

    2) Remember CPW and the big brother advertising with all the racist stuff going on... well I would be surprised if they are not a bit more savvy about public opinion after that one!

    ... phuck Phorm and BT and Virgin. CPW has never had my custom so I don't feel I can be so nasty to them.

  29. colin stone

    From the patent application

    When reading the patent application. Everything Phorm and the PR people say is so much spin it is unbelievable.

    The bottom line is Phorm is messing with web pages, and storing personal data.

    EL REG Please use your power to investigate the Patent application. It says so much more than the PR people.

    Just some scary stuff from the patent application

    28. The system of claim 27, where the context reading software includes a script, and where the ISP is configured to embed the script into the web page.

    (What they Are embedding Script into webpages) They say they are not.!!!

    30. The system of claim 28, where the script is configured to cause at least a portion of the browsing information to be stored locally on a computing device running the browser.

    (so they are storing browsing info) Even though it is on my PC it is still being stored without my consent..

    32. The system of claim 30, where the script is configured to cause at least a portion of the browsing information to be stored remotely at the advertising server system.

    (OH and I see you ARE storing my personal information on your advertising Server) Why do you say publicly you do not do this.

    So if they can and do insert JavaScript into the web pages, then it is likely that they can and will do pop ups.

  30. Peter Fairbrother

    Perhaps one reason why the stock is falling

    is because the Phorm proposals, whether opt-in or opt-out, are clearly criminal offenses under RIPA?

    Opt-in might take care of one part of the consent requirements under RIPA ss. 3(1) - and it might cover some DPA compliance issues, but by no means all - but for interception to be lawful under RIPA ss.3(1) the ISPs also have to get consent from the webservers, and I can't see that happening. They won't get consent to intercept traffic from my sites, that's for sure!

    And what if a connection and/or browser is shared? One person might have given consent, but that does not mean that the other sharers have - so the ISPs have to say "is that you?" every time they intercept.

  31. Anonymous Coward
    Paris Hilton

    @Fred Karno

    I don't know how cheap *your* privacy is but mine is not in the GBP2 per month range. GBP2 may get you a minute when I'm feeling charitable.

    Privacy is like virginity - once it's gone you'll never get it back

    Paris - well work it out guys :)

  32. Andy Enderby

    @Jared Earle

    Now send them another nastygram saying something along the lines of....."An email saying, 'be assured' constitutes no assurance at all. As an IT professional with influence, I will be leaving Virgin/CPW/BT (delete as applicable), and recommending that friends and customers alike do likewise as soon as practicable."

    That should get something a little less anodyne from the b*st*rds.

  33. Anonymous Coward

    Phorm called off interview.

    "Computeractive has asked Phorm for an interview, which was initially granted but then called off. Since then the company has not responded to our requests to talk to us about the technology and address reader's privacy fears."

    oh and

    "Now the ICO has requested details of the technology and the deal from Phorm and the ISPs involved – BT, Virgin Media and Carphone Warehouse."

  34. Anonymous Coward

    Just canceled

    Moved to Zen from Virgin. They are saying it won't be used on their network. Virgin told me they had no phorm involvement, which is great considering it's not true.

  35. Sceptical Bastard

    What YOU can do

    I have been following this whole sorry saga (on El Reg and other outlets) for a while. To me, the past couple of days seem to indicate that the substantial and vocal objection of internet users is having an effect. I say that cautiously, however, and I note the comments of others (above).

    I strongly believe it behoves us all - whether we are customers of CPW, Virgin and BT or not - to make as much noise as possible.

    If you want to sign online petitions do it; if you want to personally contact your MP do it; if you want to give Phorm itself a roasting do it.

    But it's more effective, IMO, to let your ISP know how you feel. After all, it is ISPs who will be intercepting your packets on Phorm's behalf and it is your ISP who will be making money from Phorm. You can obviously use their 'Contact Us' forms and/or their helpdesks and forums. Better yet, though, to dig around a little and find out the name of the ISP's CEO, the Technical Director (or equivalent) and the Head of Customer Services (if they have one). Then let those officers have it by name! And if you can't find an email address for the individual, try that old-fashioned communication channel - write them a letter. That'll surprise the buggers!

    More generally, it also helps the cause if the media sees a lot of public interest in the story. So every time you read an article online or on paper about Phorm, respond and comment. Oh, and corny as it sounds, try writing to the letters page of your local paper.

    Or, of course, you can just sit on your hands and whinge. Then watch your port 80 traffic being monitored by money-grabbing sharp shits in suits and your broadband speed taking a nosedive.

    It may sound dated and naive but the cry must be "power to the people." Do whatever you can to phuck Phorm.

  36. Anonymous Coward

    BBC Keeps Changing its Story

    I noticed that the last article they did, changed dramatically from when it was first posted - this wasn't advertised by the BBC though ;)

    This time I am saving snapshots here are the most dramatic changes so far :


    "Campaigner Simon Davies was asked to assess its privacy measures as part of the work he does for privacy start-up 80/20.

    He believed the system "advances the whole sector of protecting personal information by two or three steps", although he was not sure that the public was ready to buy into behavioural advertising. "


    Head of Privacy International Simon Davies was invited to assess its privacy measures and he believed the system "advances the whole sector of protecting personal information by two or three steps", although he was not sure that the public was ready to buy into behavioural advertising.


    Kent Ertegrul, chief executive of Phorm, told the BBC News website that he was confused about why the issue of opt-in versus opt-out was causing so much controversy.

    "There is no way of not knowing that this is switched on. There is a clear choice offered to consumers and I am surprised that there has been so many questions about this. I find it a bit bizarre," he said.

    For him the service is a win win for consumers.

    "Having advertising behind it allows for better, cheaper broadband," he said.


    >No Mention - Phorm's PR must have been straight on the phone to their friends at the BBC

    Also The BBC say 1,000 signed the petition - actually it's 2,700+

    No link to the petition but links to Phorm's PR!

    No mention that even if you opt out of Virgin or BT's scheme your information still hits the profiler! They just promise not to look!!!

    That is the reason the CPW (TalkTalk) are changing their system to opt in and segregating the opt out user - so they don't get intercepted by any of Phorm's kit!

    How could the BBC miss this?

  37. system

    Watch out for the language

    "so it doesn't hit a Webwise server at all for those that opt out,"

    could well mean that you still get your stuff passed to the profiler, which of course is ISP owned and not a webwise server.

    Notice how they are still talking of "opt out" while saying it'll be opt in only. Maybe they will genuinely count everyone not specifically opted in as being opted out, and maybe when they say opt in they mean anyone who simply clicks the O.K button.

    Every company signed up to this obviously thought it was a great idea at one point, and saw no problem with it. Just because they are facing bad press does not mean they are suddenly trustworthy.

  38. Anonymous Coward

    Blackmail? What if MPs/Judges/Police Officers were opted in?

    Just occurred to me that I haven't seen any details of a source code audit by any government.

    Just to check there are no back doors.

    e.g. What if MPs/Judges/Police Officers were opted in...

    If Phorm was compromised the cracker would know their browsing habits and could blackmail them.


    "The development team for the new software was recruited from Moscow's elite Lebedev Institute of Precision Mechanics and Computer Engineering, a vital part of the Cold War spying effort and still a centre for developing Russia's 'national security' computer systems."

    Oh well that's OK then :)

  39. Anonymous Coward

    Home Office says Maybe

    has a link to the advice given by Simon Watkin of the Home Office in January regarding targeted advertising, although he stresses that the courts remain the final arbitrators of the act (RIPA). At the risk of summarising a summary, it basically says targeted advertising as described by Phorm (though not named explicitly) is probably legal if the ISP customer explicitly consents. More worrying is that it may also be lawful if the ISP can show that it is "being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service". It gives an example of an ISP screening out religiously offensive material (do they do that?). This looks like a loophole, clearly not what the act intended but could conceivably stand up in court with the right PR.

    Yes, it looks like he bought into the idea that selecting ads for you is an 'essential service'!

    So it is not stretching the point too far to say that the Home Office gave this a green light in January, subject to it being tested in court.

  40. Anonymous Coward

    Ertugrul(Phorm) gets savaged and is obviously on the defensive.

    The chairman of the company whose advertising model has caused a storm answers your questions

    * Charles Arthur
    * Tuesday March 11 2008

    Charles has done his research, well done that man :)

    Going to listen to it again - I'm sure Ertugrul sidestepped the "opted out users info is still passed to the profiler" question...

  41. Anonymous Coward
    Paris Hilton

    Time to Fork Off ....

    Far be it for me to tell the illustrious El Reg hacks how to do their jobs, but it looks to me like there are two breaking stories here: one is 'Phorm are spyware scumbags after all' as per this story; and the other is 'ISPs courted by lots of other data pimps' based on the information supplied by the original (anonymous) poster:

    "Phorm was late into the UK market. They really are just 'one of the many' who have also been trying to get into the UK market.

    Here are some other behaviour target suppliers for you to get excited about - if your ISP is not looking at Phorm, they could well be looking at the competition.

    The USA and Canadian ISPs have been signed up to this crowd for months, with daily installations.




    Project Rialto


    I hope other readers here can add to the list."

    One that I found most intriguing was Project Rialto which describes itself as "a stealth company" and has job ads for software engineers with "focus on high-speed packet analysis", and some of the others which appear to have patents pending for essentially the same design as Phorm (I wonder how many of the buyers of Phorm stock know about that?)

    Paris who allegedly knows about forking..

  42. system

    RE: Ertugrul(Phorm) gets savaged

    When asked how they get around the fact that cookies are only sent to the originating domain, he spouts complete BS about proprietary technology.

    Either they are using bog standard 302 redirection headers, or they are putting cookies into every connection which means they must be tying cookies into an ID assigned by the ISP per machine (rather like an IP address). Neither 302 headers nor cookies are proprietary.

    He keeps trying to imply it's a case of putting cookies into other domains, which is total bollocks if their opt out can work by denying cookies from oix. A block on cookies from oix would not block cookies that were inserted into other domains.

  43. Anonymous Coward

    Dephorming the business model

    I don't want to detract from the publicity campaign which is essential, but technical counter-measures can also help if they threaten to undermine phorm's business model. Hopefully the scallywags would then find funding a bit more difficult.

    The dephormation Firefox addon looks great. By randomising cookies it ensures that the ads it receives cannot be targeted. But remember that Firefox has only a minor market share.

    However, ads delivered by phorm are going to be easy to identify (much easier than the ads that AdBlock Plus has to deal with, for example). So maybe dephormation should deliberately download these ads time and time again (and discard them, of course). If each ad was served 10 times, subject to bandwidth, the effectiveness of dephormation would be multiplied by this factor. Advertisers would be paying for a large fraction of their advertisements to go in the bin. I can't see them liking that much.

    Of course, this doesn't have to be a Firefox addon. A standalone web spider would do the job just as well.

  44. Anonymous Coward

    "Free consumer internet feature Webwise"

    Loved the Phorm statement:

    "...a free consumer internet feature, Webwise, which results in fewer irrelevant advertisements and additional protection against fraudulent websites."

    Sounds just like my patented beheading technology, which, through the removal of your head, results in you not having to receive any adverts whatsoever, ever again.

    Furthermore, in conjunction with several major ISUs*, I have decided to "opt in" the directors of certain spyware-producing companies by default.


    * Internet Service Users

  45. Anonymous Coward

    If it's good for you it's probably legal

    Based on the Home Office advice mentioned above, it would seem that if the ISP can position this as primarily an anti-phishing service, with the 'added bonus' of targeted advertising, it could be legal under RIPA. This in the same way as, for example, the ISP already scans all of your mail to screen out spam and viruses.

    So that explains why the whole Webwise PR is around the 'safer experience'; not just for the benefit of 'poor dumb customers'.

    Clearly they would rather have some sort of opt-out mechanism as a sop, preferably one that doesn't work too well, but they probably figure they are OK without it.

    And the fact that the HO casually describes the ISP screening out 'unsuitable' material from web pages says a lot about how it values individual freedom, ie not at all.

    So the best way to oppose this is probably to scare the ISPs with potentially disgruntled customers and their potential liability for the content of hosted sites.

  46. Werner McGoole

    RIPA tripper

    It doesn't sound to me like the Home Office advised phorm that this would be legal under RIPA. It sounds to me as if they advised them that it would only be legal IF it was essential to the service that the ISP is contracted to provide.

    This explains the anti-phishing angle, which was always a bit of a puzzle, given that it's tacked on for no obvious reason. Now we see why. There is a precedent for ISPs to intercept spam, so intercepting phishing might also arguably be legal.

    However, I can't see how you can slip the targeted advertising in under this disguise. Clearly it would be possible to provide the anti-phishing without the targeted advertising, so in no way is the latter an essential part of the service. The two things wouldn't require the same infrastructure either.

    If the ISPs try to argue that they're contracted to provide an "internet experience" of which advertising is a part, then a whole ton of bricks will fall on them over every disagreeable "experience" anyone has on the internet. Ouch!

    I look forward to phorm's spin being cross-examined in court.

  47. Anonymous Coward

    Phorm's software intercepts 9m UK citizens but no software audit?

    So the Home Office is going to let Phorm's software intercept 9 million UK citizens' Internet and they aren't insisting on a source code audit by GCHQ?

    Also any code changes would need re-licensing, any mechanism in place for this?

  48. Slaine

    Slowly, the truth emerges and now we see...

    ...huge yellow slab like somethings, huge as office blocks, silent as birds, which hung in the air exactly the same way that Phorm's stock doesn't.

    The problem with an educated population is that it asks questions; really pertinent questions; questions to which an answer is either extremely damaging to admit to OR which is just a downright lie to state. Phorm (and let's not forget Virgin and BT) chose to lie; CPW decided that discretion was the better part of valour and are already scraping back some semblance of credibility. The solution, of course, is to phuk up the education system some more so that nobody has sufficient common sense to see these [grrrrrr better not type that phrase] for what they really are.

  49. Anonymous Coward
    Paris Hilton

    Is the CDT really up to speed on this?

    In the El Reg article, Ari Schwartz, chief operating officer of the Centre for Democracy and Technology (CDT), is quoted as saying:


    Schwartz said: "When we first met with Phorm they actually told us they had all of the ISPs on board." He believes the reception ad targeting based on users' browsing habits will get Stateside is dependent on how it is rolled out. "Simply clicking 'OK' on the first sign up screen is not good enough because we know people don't read those things."

    "There are precedents where the FTC has ruled that's an unfair practice."


    For those who may only have read the original article - still in Google's cache - there is now an update at the bottom of the page which indicates that NebuAd are claiming to "track Internet usage of millions of U.S. users, or about 10 percent of the U.S. online audience". As they are only one of the many players in this market, how many American internet users are now benefiting from this system without noticing the wording in the T&C provided by their ISP? - every supplier of the profiler whose website I have looked at makes the ISP responsible for updating their T&C and Privacy Statements and getting customer consent.

    I have not seen one USA poster here mention that this is even common stream in America. People I have contacted in the USA about this have never heard about any of it: one uses ad networks to monetise his sites, so he should be within a group of people who are aware of the benefits from the website publisher's point of view, the other is the head of an internet marketeers organisation that has many members across various internet marketing fields, and there again no knowledge about any ISP involvement.

    Perhaps the CDT will start to investigate how this is being sold for those the other side of the pond? Wake up America.

    How is it that so many articles about Phorm, NebuAd, et al are just being updated with the real facts rather than a whole new article being written. Anyone reading the original ClickZ article would not get very excited about 10,000 - 30,000 users being on the system. But, 10% of internet users and more profilers being installed daily? - now there is a story worth investigating.

    Another point I find interesting is that, in the US model, 10,000 - 30,000 users represents one installation of the profiling equipment and BT is about to roll it out to 10,000 users. Perhaps the slow responses from VM and CPW are more down to waiting for reports from their cost accountants on the minimum number of subscribers that make the profiler profitable. BT already have the profiler installed(?) so rolling out the system will only serve to offset the costs of installing the profiler/s.

    Paris - because the questions are growing faster than the answers.

  50. Anonymous Coward
    Thumb Down

    Phorm... to install monitoring services within those ISPs

    "Ex-adware company Phorm has done deals with lots of ISPs to install monitoring services within those ISPs, the better to target advertising at customers."

  51. Werner McGoole
    Thumb Down

    Home Office advice a bit wobbly?

    From the link above, this is the Home Office advice on whether intercepting a downloaded page is lawful under RIPA, given that they don't have the explicit consent of the web site:

    "15. A question may also arise as to whether a targeted online advertising provider has reasonable grounds for believing the host or publisher of a web page consents to the interception for the purposes of section 3(1)(b). It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded."

    Anyone see a problem with this? Consenting to a download does not imply consent to intercept that download. Specifically, if the download is in response to a user-specific request (possibly containing a session cookie or other UID, or a search query) then the download is clearly personal and not intended for anyone else. It could, and often will, contain sensitive data. I don't think any court is going to accept that this implies consent to interception. It's no different to me asking you a question on the phone and someone intercepting your answer.

    I don't think you can argue that consent is implied even if the user has given it, either. RIPA requires that both sender and receiver give consent. One can't give consent on behalf of the other.

    Is this just the HO not understanding the technology, or what? Do they think all web pages are like static public billboards?

    Of course, the web site could always publish an explicit prohibition on interception. How would phorm deal with that?

  52. John Edwards
    Paris Hilton

    Might be useful if there is a lawsuit



    I forbid the collection of data concerning the use of my computer and its connections for any purpose whatever beyond that which is necessary for billing or monitoring for technical faults.

    In particular I expressly forbid the passing of any of my information to Phorm (or any like organisation) for any purpose whatever.

    This letter may be taken to over-ride any past or future conditions in your End User License Agreement.

    Yours faithfully,

    Paris because she has more sense than my ISP

  53. Dave S
    Paris Hilton


    "...a free consumer internet feature, Webwise, which results in fewer irrelevant advertisements and additional protection against fraudulent websites."

    How does this offer 'additional protection against fraudulent websites'? I've read it a few times and it's still confusing me.

    Paris because her pictures have been on a few dodgy websites in the past.

  54. Anonymous Coward

    @ Werner..a bit wobbly?

    If a website is publicly available without requiring a password etc then it is easy to argue for consent. But I think you have a good point regarding web pages from sites that eg require you to register to access some of the pages (presuming they are not carrying OIX tagged adverts of course).

  55. colin stone

    The Story of the Emperor's New Adverts

    Story of the Emperor's New Adverts

    With apologies to Hans Christian Andersen

    Once there lived an Advertiser who was so fond of spywear and routekits that he spent developing them in the hope of making even more money. He did not care about security, he did not care about the people; he only liked to make money. He had an excuse and justification for the people’s fears, every hour of the day he would pronounce trust me, I am not a bad man. My past products were not spywear, and lo the BBC trusted him, and he was happy.

    In the great where he traded there was always something going on; every day many strangers came there. One day two impostors arrived; one went by the name Ernst & Young and the other was 20/80. They wrote reports and said “yes we trust you, you are not a seller of bad things. We absolve you, and all you do is good. The people will be happy and protected from all that is bad.” They said that they knew how to manufacture a report that was so trustworthy only a fool would not believe it. And so they did, they wrote a report with such texture that the words were spun so greatly that the government believed it, the companies believed it, and the broadcasters believed it. It was written with the most beautiful words imaginable. Not only were the words and syntax written in a most uncommonly beautiful way, but the whole report was of the quality that no advert peddler could ever imagine. The report was so fantastic that all of the bad things went away as it possessed this wonderful property called spin that had never been seen in this way before. The spin was so good that they said it will be invisible to anyone who was not fit for his office, or who was unpardonably stupid.

    'Those must indeed be splendid adverts,' thought the Advertiser. 'If I had them on my web servers I could find out which men in land would help me with the spin and I could distinguish the wise from the stupid! Yes, this report must be written for me at once.' And he gave both the impostors much money, so that they might begin their work.

    They placed two computers, and began to do as if they were working, but they had not the least thing on the computers, no research no law nothing. They also demanded the finest truth and wisest words, which they put in their report, and worked at the blank computer till late into the night.

    'I should like very much to know how far they have got on with the report,' thought the Advertiser. But he remembered when he thought about it that whoever was stupid or not fit for his office would not be able to the truth. Now he certainly believed that he had nothing to fear for himself, but he wanted first to send somebody else in order to see how he stood with regard to the law. Everybody in the whole town knew what a wonderful power the truth had, and they were all curious to see how bad or how stupid their neighbour was.

    'I will send my old and honoured minister to the writers,' thought the Emperor. 'He can judge best what the truth is like, for he has intellect, and no one understands his office better than he.'

    'Is it not a beautiful report?' asked the two impostors, and they pointed to and described the splendid truth which was not there.

    'Stupid I am not!' thought the man, 'so it must be my good office for which I am not fitted. It is strange, certainly, but no one must be allowed to notice it.' And so he praised the truth which he did not see, and expressed to them his delight at the beautiful truth and wisest words with such splendid texture. 'Yes, it is quite beautiful,' he said to the advertiser.

    Everybody in computer land was talking of the magnificent report, this great system, which would save them all from untargeted advertisements, all hail to the great Advertiser they sang, all hail to Phorm went up the cry from the great leader of the internet, all hail to Phorm sang BT, Virgin alike, while Car Phone Warehouse pondered and thought, yet still they sang all hail to Phorm.

    Now the Advertiser wanted to read it himself so he brought together a great crowd of select followers, amongst whom were both the worthy business who had already been there before, he went to the cunning impostors, who were now spinning and name calling with all their might, but without a shred of truth.

    'Is it not splendid!' said both the old statesmen who had already been there. 'See, your adverts so targeted so fine. See the protection from the evil Phishers!' And then they pointed to the report, for they believed that the others could see the truth just as they could see it as well.

    'What!' thought the Advertiser 'I can see trouble and law, I can see RIPA and DPA! This is indeed horrible! Am I stupid? Am I not fit to be the Great advertiser? That was the most dreadful thing that could happen to me. Oh, it is very beautiful,' he said. 'It has my gracious approval.' And then he nodded pleasantly, and examined the report and believed all of the spin and guff and nodded with a happy smile.

    He gathered his investors around him and they looked and looked, and read and read, and saw no more than the others; but they said like the Advertiser, 'Oh! it is beautiful!' so wonderful what can go wrong, and they invested millions. And they advised him to show the world his wonderful new adverts.

    In the morning he called the PR he called the media, he called the stock market. Come Look at the great advert system I have invented, come look at the report that sings its praises, come look at me, I am not a Spywear peddler or rout kit seller, I am the Great saviour of the world, I will Protect you all from untargeted adverts.

    'Spun words are so wonderful that one would imagine that not one word was the truth.'

    'Yes,' said all the leaders and the BBC, 'we believe everything you tell us,' but they could see truth, for there was no truth there.

    And they called a press conference so the Great Advertiser could tell the world of his new plan and the reports came, and the TV people came, and the interviewers came. And he told the world, and it was reported. The stock price went up, and money was made and the great Advertiser was happy, the investors were happy. And so the Advertiser went along in procession of media and web chats across the Internet and media he went, and to all the people on every computer, and interview he said, 'How matchless are the Advertiser's great adverts!' and as they listened and read they all great that the Great advertiser was truly wonderful.

    No one wished it to be noticed that it was all spin, for then he would have been unfit for his office, or else very stupid. None of the spin before had met with such approval as these had.

    'But he is talking rubbish!' said a reporter at El Reg at last.

    'Just listen to the innocent reporter!' said a man in the comments, and each one whispered to his neighbour what the reporter had said.

    'But he is all spin!' the whole of the people called out at last.

    This struck the Advertiser, for it seemed to him as if they were right; but he thought to himself, 'I must go on with the spin now.' And the company leader and the BBC spun some more, as they could not be seen to be fools after all.

    The End

  56. Anonymous Coward

    121 You've got PHORM.

    I don't care about opting out of adverts. (so shut up about your opt out.)

    I CHOOSE to use GOOGLE - They know what I SEARCH - I'm Happy

    I CHOOSE my SUPERMARKET - They know what I BUY - I'm Happy

    I CHOOSE my INSURER - They record my INSURANCE calls - I'm Happy

    Blanket Monitoring is the same crap you have been pimping for years; it didn't work as Ad/spy-ware, it won't work now.

  57. Werner McGoole
    Thumb Up


    Thanks AC, you put it more succinctly than I did.

    If a web site requires credentials in order to view it, then it is implied that those without credentials are not authorised to view it, and may therefore not legally intercept it.

  58. Peter Fairbrother

    Home Office advice and RIPA

    Reading through this carefully, and it is always advisable to read Simon Watkin's words very carefully, at no point does he say that the conduct necessary to perform targeted online advertising, even when done to the highest standards, is not a RIPA section 1 offense.

    He says "there is an argument that", "may stand", "might" and the like, but he never explicitly says it can be done legally.

    He does, or the Home Office do, come out on the online advertiser's side a bit more than I'd like though, - the last part might be read as "it probably is an offense, but don't worry" - so it's likely that the Home Office might recommend to the DPP that he not prosecute. Maybe. The advice is dated January, and things may have changed since.

    There is one stated opinion I disagree with: getting consent through T+C's. This doesn't work when a connection is shared, as the user may very well, and very often will, not be the person who accepts the T+Cs.

    The rest is all maybe's:

    - maybe there is an implied general consent to download a webpage (but that's not consent to have it intercepted, and isn't even true of many webpages anyway, eg those with secret URLs or requiring log-ins)

    - maybe it's not interception because it's done by machine (a point the ICO, and most lawyers, explicitly disagree with)

    - maybe it's okay because it's part of the service (but this is contradicted by the definitions of telecommunications service and telecommunications system in section 2.)

    All just maybe's.

  59. Parax
    Thumb Up

    nice one colin..

    Send a copy here..

  60. Jamie

    Stop the spam

    The only way to make sure that your traffic is not put to those servers and to make the business listen is to quit and move to a different supplier.

  61. Peter Fairbrother

    Re:Werner..a bit wobbly?

    "If a website is publicly available without requiring a password etc then it is easy to argue for consent. "

    Consent to what? Consent to download your webpage, maybe*, but that's all.

    It's not consent to have your communications intercepted, consent to count the number of hits you get, or which pages on your site are more popular, or to count the other stuff the people who hit your pages hit.

    *though not by any means necessarily, for instance many people use secret URLs - if you don't know the URL you can't get the webpage.

    Not great security, but it happens a lot - one estimate is that there are as many secret URLs as public ones (tip o' the hat to Richard Clayton for pointing that out).

    Incidentally that was the cause of the scandal about Junior Doctors details being available online, they used a URL which was not supposed to be publicly known for each doctor.

  62. Anonymous Coward

    Does Phorm's box work the same as NebuAd's little set of tricks?

    As NebuAd is also talking to ISPs in the UK, you may be interested in this report.


    He [Bob Dykes, C.E.O. of NebuAd] adds that the browsing information, "goes either directly into the network so all of the traffic goes through this appliance or you can configure it as a hairpin of an existing B-rad and run a portion of the traffic through it. Nevertheless, we see all of the HTTP traffic that is going across the network. We have a very low latency—less than 1 microsecond latency for VoIP, for example—so we really don't tread on any traffic that goes through the appliance. If there are any problems with the appliance, it fails open."


    The box communicates with NebuAd servers that serve up the most appropriate advertisement. "When a person goes to a website, there are multiple ways to decide which ad is going to be shown," said Dykes. "We will be in rotation and ready, so when we get the call, we know the best ad to serve to that user. Because of the high value of our advertising, we generally get to the top of the rotation in each instance."


    "We are looking to increase our average revenue per user by about 10-percent for a high-speed Internet subscriber," says Chris Mangum, vice president of strategic planning for CenturyTel, which is headquartered in Monroe, Louisiana and operates in 25 states.


    And no mention of any little boxes in the CenturyTel privacy statement - perhaps that is covered by the 'affiliated' data sharing?

    Stop - because that is the only outcome which can be regarded as successful.

  63. Anonymous Coward
    Anonymous Coward


    "If a website is publicly available without requiring a password etc then it is easy to argue for consent. "

    If I was to run an ad-free website (or a website that didn't use Phorm's advertising system) and they used my content for making a profit from their ads on other sites then I wouldn't consent.

    Dear ISP's & Phorm, I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

  64. anonymous sms

    Phorm and BT both fail the Due Diligence test

    "We believe BT Webwise is an important improvement to your online experience - giving you better protection against online fraud"

    The Register should look at BT's record concerning online fraud and protecting its customers. I believe it's time a few chickens came home to roost.

    In 2004 BT (Redstone) supplied B&B Services LLC with revenue share 09 premium rate numbers to be used to sell on-line porn.

    Thousands of BT customers complained that these numbers were appearing on their bills and they were being billed for internet services they had not requested or received.

    Despite BT being fully aware of the epidemic levels of internet fraud using trojan dialler software, BT continued to insist the bills must be paid.

    The Sunday Times investigated and discovered BT had failed to carry out any due diligence check on B&B.

    From the Icstis Adjudication:

    Members of the public complained about charges incurred as a result of connecting to the Internet through premium rate numbers.

    Complainants stated that they had not agreed to connect to any premium rate service and claimed that the dialler software used must have made repeated calls without their knowledge or consent (4.3.1b and 4.1.3 tenth edition).

    As complainants appeared to be connected to the services without their knowledge, they were unable to supply details of where or how the services had been promoted. They did, however, supply copies of their telephone bills, which showed successive calls resulting in high bills.

    I for one do not believe BT or any of their friends are fit and proper people to be trusted with the information they propose to collect.

  65. Peter Johnstone


    Anyone who has installed anti-adware software that has been paid for should be pretty pissed off at this move. It effectively circumvents the protection that they have paid for.

  66. Frank Rizzo

    pre - Home Office advice and RIPA

    If Phorm / BT take Simon Watkin's words as evidence that they would not be contravening RIPA (because if the T&C state monitoring takes place, value added service.... customer agrees etc.) then clearly they have fallen foul with the covert trials which took place last year.

    If Phorm / BT did contravene RIPA or DPA during those trials what kind of penalty can be imposed on them and what recourse is there for those of us who were unwittingly part of the trials?

  67. Sean Purdy

    wrong title?

    Why is this under the URL

    ? I see nothing about Phorm shares plummeting - I was looking for the link to the share graph page.

  68. Chris Williams (Written by Reg staff)

    Re: wrong title?

    See page two
