back to article Security firms split over Phorm classification

Security firms are split about whether they will classify Phorm's targeting cookies as adware. Kaspersky Lab, whose anti-virus engine is licensed to many other security vendors, said it would detect the cookie as adware. However, AVG, developer of the most widely used free of charge anti-virus scanner, said it would not detect …


This topic is closed for new posts.
  1. Geoff Mackenzie

    Interesting ...

    "A user must accept the user licence agreement to make the service active" - how does that work if it's an opt-out? I've seen "by continuing to use the site/software/etc you indicate that you agree" and "check this box to indicate that you agree" but never "do nothing to indicate that you agree". Taking it a little too far isn't it?

    Or does this mean all Phorm victims will be asked first? Won't that kill this thing stone dead?

  2. Anonymous Coward

    Good phorm old son

    Phorm a playing clever with this one.

    As AVG stated, if they block the phorm cookies then people can't opt-out. And what happens when I follow good practice and set my browser to remove all cookies upon closing? I opt in again?

  3. Martin Maloney
    Dead Vulture

    Some "borderline" humor

    Does Phorm follow Phu(n)que-shun?

  4. Mike Richards Silver badge

    @ Geoff Mackenzie

    'Or does this mean all Phorm victims will be asked first? Won't that kill this thing stone dead?'

    If BT are any indication you'll get something along the lines 'BT Webwise is a free service for BT Broadband customers which will help protect you against online fraud and provide a more enjoyable experience.

    'You're just moments away from a safer Internet, click [OK] to enjoy the wonderful world of BT Webwise; otherwise click [Cancel] if you feel more comfortable in the presence of hucksters and paedophiles.

    'Even if you're a weirdo and don't want to use Webwise right now, you can always opt in to our service by calling 0845 KIDY FDLR and choose 'I'm a sinner and I need to be punished' from the menu.'

  5. Sceptical Bastard

    In the right direction

    The fact that AV and security vendors are debating this at all tends to add fuel to the firestorm of bad PR. The fact there is a discussion going on helps the anti-Phorm cause, IMO.

    I think it's a shame that AVG (with its substantial installed base) is not being more robust but I await with interest the response from Symantec and McAffee.

    Oh, and before I forget, the customary message to Kent (that's Kent with a 'u') Ertugrul and his drones at BT, CPW and Virgin:

    Phuck oph, Phorm - DO NOT WANT

  6. Anonymous Coward
    Anonymous Coward

    @Good phorm old son

    > And what happens when I follow good practice and set my browser

    > to remove all cookies upon closing? I opt in again?

    Er, create a new randomized-user (fake) opt-out Phorm cookie for each browser request? (Is that even possible? what does a Phorm cookie look like? What's in it?)

  7. Anonymous Coward
    Anonymous Coward

    I thought blocking the Phorm cookie = opt-out?

    How can the system work if it can't assign a GUID cookie to you and reliably get that back every time you issue a request? If it can work even when your computer or browser blocks the Phorm cookie, then the cookie handling is being done at a lower level and is likely tied to your IP Address.

  8. James Condron

    nah- how about

    when I get an email from my ISP saying

    "By using our services you agree that phorm can [blah blah]"

    Do I join another ISP? Maybe one not using phorm? Like the ToothFairy's (tm) ISP?

    Is this not what the M$ anti trust case tried to stop? You can opt-out, but you'll be fucked? or should that be; phucked

  9. Anigel

    @Geoff Mackenzie

    It is much more likely that your ISP will utliise its rights under its ts&cs to update its ts&cs to hide some phrase in there that could just about possibly if you view it with a very highly dubious definition of stadard terms mean they can use phorm and that by not blowing up their head office you agree and opt in to this wonderful public service.

    If that is the case then you been phormd

    opt in should mean no spin and informed implicit opt in.

    "Do you want us to send all your internet traffic to third party companies for the purpose of marketing and spamming you with advertising? [yes im a twohat], or [no phork that]"

  10. Dave Bell

    There's a lot of hair-splitting going on

    As any accountant can tell you, there's a lot of stuff which looks legal at the transaction level, but lands you in deep trouble when the authorities look at the whole picture.

    A lot of these things were originally the result of court cases--there are some catch-all clauses which cover such things, but a court has to decide whether a particular instance is lawful or not.

    These anti-adware companies aren't courts, but they have the same problem of a system which seems to follow the rules, and I'm not sure they're looking at the whole context.

    With the ISP doing the dirty work of the actual tracking an analysis, on hardware which they own, but running software Phorm provides, expect m'learned friends to have a lengthy and expensive argument. If it were money, instead of personal data, it woud look a lot like tax evasion or money laundering.

    But, with the whole opt-out/opt-in problem depending on the cookies, the anti-adware companies may have nothing useful they can do.

    I don't envy them.

  11. Dave Bell


    OphCom will have to become involved...

  12. Anonymous Coward

    Opt in - out - in - out -

    Why should I accept an opt *out* cookie against my better judgement and usual practice? The logic totally escapes me, plus are we honestly expected to believe that the fact that we have an 'opt out' cookie present won't be noted?

    The whole cookie monster method they are proposing fails at the first jump anyway where there is a shared 'household' computer if they are trying to make meaningful links on browsing data ...

    /me sends no love to my ISP Virgin meeja

  13. Anonymous Coward
    Anonymous Coward

    Re: I thought blocking the Phorm cookie = opt-out?

    There are some speculative ideas on how Phorm could work in the How Webwise Works thread at BadPhorm.

    AC, your conclusion about the need to fall back on IP addresses is the same as there.

  14. Anonymous Coward
    Anonymous Coward

    Do we know enough about ad and click through phases?

    Based on comments from the Phorm CEO and some reps, it appears that the Phorm system/components within the ISPs network logs the categories/channels which a particular GUID matches along with timestamps for those matches. The system also knows the match criteria for the categories/channels, which can include requested URL, search keywords, page keywords, etc as well as thresholds for said (X times within the past Y days).

    One thing that doesn't seem to have been fully explored is the potential for such detailed information to be tied to the user's IP Address by foreign servers. For example, were the Phorm ad server a foreign server and the cookie passed, Phorm would be in a position to lookup the channels matched by that IP Address and the match criteria for those channels. Even if the cookie isn't passed, just knowing what ad is requested would likely allow Phorm to lookup what criteria the IP Address matched. Conceptually, ad requests could go through the IP Address anonymizer that is used for other phases, but no where have I read a definitive statement to the effect.

    How about click-throughs? Surely the advertiser would be able to identify the matched criteria for the ad you clicked on and they'll be receiving your IP Address when you click through and visit their site. That info could easily be backdoored to Phorm.

  15. david g

    Ive decided Im off anyway

    The debate has advanced so far ahead of the reporting......(not having a pop Reg, just life I suppose)....but these AV vendors are not looking at the whole picture.

    Still waiting for an answer to "if I send mail (see phorm patent) from my non-phorm ISP to an opted-in phorm-ISP user, at what point will I be asked for my consent ? As the only answer to this is 'dunno' , how many years would you like to spend at Her Majesty's pleasure ?"

    Ready to move ISPs the day this goes live.......

  16. Hayden Clark Silver badge

    AVG need to grow a pair

    Of course the Phorm cookie contains no browse history! That's not what tracking cookies do!

    DoubleClick's cookie "contains no browse history", it's used by DoubleClick to identify which ads you view, and thus which sites you have visited - the URL of each advert is customised to include the referring page's URL or partner code. In other words, the data collected via the cookie is EXACTLY THE SAME, only the collection mechanism is different. DoubleClick use ads on partner sites, Phorm use transparent proxy log data.

    I guess AVG fear the lawyers. Pity, it's the best value AV tool around at the mo. I have about 4-5 installations - but maybe not for much longer.

  17. The Other Steve
    Black Helicopters


    "what does a Phorm cookie look like? What's in it?)"

    <tinfoil hat>

    Also, Kunt Spunkbubble says your opt-in cookie is a 'random' number, but how are we to distinguish between a 'random' number, and an encrypted set of key value pairs ? *

    Oh yeah, because we trust him.

    </tinfoil hat>

    * Which is easy peasy stuff to implement, GIYF.

  18. Anonymous Coward
    Anonymous Coward

    What... no SOPHOS???

    Considering El Reg's tendency to call Graham Cluley over at Sophos for all kinds of things, where is his quote here?

    Come on! Who dropped the ball? You do realise that Sophos does more than just antivirus, right? Their website is rather expansive.

  19. Anonymous Coward
    Anonymous Coward

    time to drop AVG it seems

    its been on the cards for a while, but it looks like time to drop AVG it seems.

    its not been very good at finding and cleaning threats in a while compared to others ,failed updates taking to much CPU time and so on, and they are now dithering on the Phorm matter.


  20. Dick Emery
    IT Angle

    Kas = <3

    Kaspersky came top for both AV and Spyware 'prevention' (Note I say prevention rather than just cleanup tools like Ad-Aware) in a recent shootout by a famous 'Computer' magazine so I suggest you 'Shopper' round. :)

  21. Werner McGoole

    Strange position from AVG

    The phorm cookie looks exactly like any other spyware cookie to me so I can't see why AVG would classify it differently. Of course, if they've deduced something different about the implications of deleting it (like phorm still works), then that may explain their position. None of us have very firm facts to go on at present.

    I'd expect more specialised adware/spyware products (like AdAware and Spybot S&D) to take a much dimmer view of phorm. AV companies have never been all that happy in the adware space. They'd much prefer all malware to be viruses because you know those are all bad. They haven't quite caught up with these newfangled threats where you have to make a finer judgement.

  22. Tim

    Have some fun

    Anyone know of a addin for firefox that will go to random sites get pages then delete them and so on.

    The plan is to leave a system running two or three browsers running 24/7 and fcuk there tracking up would be nice to have a couple of big high bandwidth servers but one can only dream (or hack)

  23. Fluffykins

    @Dave Bell: Offcom will have to be involved

    They are:

    Reply to message sent to

    Dear xxx

    Thank you for your email of 2 March 2008 to the Chief Executive of Ofcom.

    This has been forwarded to Central Operations to reply to as we have responsibility for considering consumer complaints and enquiries on his behalf.

    BT like any other organisation must act in accordance with the requirements of the Data Protection Act regarding personal data of subscribers.

    Ofcom does not enforce the requirements of the Act. Any concerns about the misuse of personal details should be reported to the Information Commissioner’s Office. They can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel: 01625 545745). Website

    Yours sincerely

    -------Let's fill his inbox.

  24. Anonymous Coward

    A cookie market maybe?

    Is there any mileage in having a phorm cookie exchange service running somewhere? You could then have a browser plugin that regularly swapped your phorm cookie for a different random valid one. This would mix the users up and make profiling ineffective. You'd only be able to detect this by referring to the user's IP address which, apparently, phorm claims it doesn't do.

    The exchange would need to be proof against poisoning, of course. Not sure how that could be done.

    Just an idea...

  25. This post has been deleted by its author

  26. Ed

    Firefox Plugin

    TrackMeNot is the Firefox plugin you want.

  27. Anonymous Coward

    A cookie market maybe?

    There's no need to exchange cookies, what you really need is a firefox plugin, to back-up and delete the phorm cookie, then at random will either, opt into phorm again which will give you a brand new phorm tracking GUID, or restore a backed-up phorm cookie. Then crawl a few websites, preferably ones that carry phorm's targeted ads and repeat this continuously in the background as you browse.

    If it is true that phorm doesn't track IP addresses, as the phorm cookie GUIDs would be allocated by phorms own system and therefore indistinguishable from other cookies, it should be possible for one user to have many thousand valid Phorm profiles. In fact it might be possible for a group of users to maintain more valid profiles that the rest of the ISPs customers put together.

    Having thousands of valid profiles could mask you genuine browsing and devalue Phorms targetted advertising.

  28. Anonymous Coward
    Anonymous Coward


    TrackMeNot is a fine plugin but no good against phorm. TrackMeNot addresses tracking by search engines. Phorm can see much more than just your search queries, so TrackMeNot does not help.

  29. Anonymous Coward

    Phorm Opt-in by cross site request forgery?

    Using cookies for an opt-out is a bad idea. Well bad for end users anyway.

  30. Anonymous Coward

    Internet Condoms

    Does anyone know where I can get some Internet Condoms?

    I want to practice safe computing, the last thing I want is an unexpected phormancy!

  31. Peter White
    Thumb Down

    phorm and cookies

    part of a response to me from BT

    it sheds some light on the way phorm uses cookies


    We will be inviting around 10,000 BT broadband customers to take part in the trial. The trial invitation will be presented through a special web page that will appear when those customers start a web browsing session.

    At this point, those customers invited can choose to opt in, opt out or to find out more information. Customers choosing not to take part will not be profiled. The site also contains detailed information on the service and a one-click option to switch the service off, which can be activated at any point during the trial. The BT Privacy Policy and BT Total Broadband Service Terms will be amended accordingly.

    Opting out means that no browsing data whatsoever is looked at or processed by BT Webwise. Opting in and out of BT Webwise is extremely easy and completely transparent. Standard opt out method does depend on a cookie remaining on your machine indicating that you have opted out.

    If you delete your cookies regularly, you will have to opt-out again each time you start a browsing session. But for those who delete cookies regularly and want to remain opted out, you can block cookies from the domain on each browser you use. When you block this domain, the service will opt you out permanently.

  32. Anonymous Coward
    Anonymous Coward

    ICO Position on Phorm

    A spokesperson from the ICO said:

    “The Information Commissioner’s Office has spoken with the advertising technology company, Phorm, regarding its agreement with some UK internet service providers.

    Phorm has informed us about the product and how it works to provide targeted online advertising content.

    “At our request, Phorm has provided written information to us about the way in which the company intends to meet privacy standards. We are currently reviewing this information.

    We are also in contact with the ISPs who are working with Phorm and we are discussing this issue with them.

    “We will be in a position to comment further in due course.”

    For more details please contact the ICO press office on 0207 025 7580

  33. Anonymous Coward
    Anonymous Coward

    @AC A cookie market - and a fighting fund

    Simply collecting a whole load of phorm cookies and randomly switching between them will only make phorm's job a little bit harder. You will just look like lots of users instead of one. All these pretend users will still have the same browsing profile (yours), so you'll still get the same targeted ads.

    The thing that stops phorm is masking your behaviour by browsing random sites in the background. That works the same whether you have one cookie or many. However, it also eats up your bandwidth. For good masking, you may want 100 times as many random downloads as real ones. That's reducing your available bandwidth by 99%. Not good.

    If you exchanged cookies with other users you would completely scramble any attempt at profiling you without use of your IP address. The bandwidth cost would be minimal - just the cost of an occasional cookie exchange.

    Problem is, this solution is technically quite hard. You need some form of trust network to prevent he cookie reservoir getting poisoned. You're also vulnerable to attempts to permanently link cookies to users (by hashing browser headers, for example). I don't think the ideal countermeasure has been invented yet, but it's an interesting problem to think about nontheless.

    For my money the best "technical" solution at present is for someone to set up a site where angry users can contribute to a financial fighting fund. We'll need that to buy the sort of lawyers who can prove black is white. Robust legal action is what will crush this, but as individuals few of us can afford the legal muscle it will take. Our advantage is in numbers, but we can't exploit that unless we are coordinated. I believe organisations like Liberty and the Open Rights Group are the only ones who can provide the necessary coordination and, ultimately, legal challenge. We should be spurring them into action now.

  34. Slaine

    1, 2, 3... (a title)

    1: "AVG regards what Phorm is doing as borderline but we have to concede they have made every attempt to try to stay on right side of that line"... EVERY ATTEMPT? well they could have TOLD people what they were up to before embarking on the great experiment. That would have been an improvement. Mind you, to me AVG is only an antivirus program, Phorm is spyware.

    2: "what does a Phorm cookie look like? What's in it?"... well it's small, gnarled and twisted, and very bitter to the taste. It is made from an interesting mixture of (bull)sh!t, mince, phishing tackle, lies and chocolate-flavoured chips. I suggest you discard them if you are ever offered one.

    3: the problem with the BT responses is that they come AFTER BT have been proven to be complete liars.

  35. Luther Blissett

    Liberty (and justice)

    >> "I believe organisations like Liberty and the Open Rights Group are the only ones who can provide the necessary coordination and, ultimately, legal challenge."

    Couldn't agree more, Mr C, if Ms Chakrabarti of Liberty can just remove a finger from one of the pies that seem to have become stuck to her hands (as described here: and lay off the media tarting for a bit - as per BBC R4 this morning "celebrating" (her word) "wimmins" "fiction" (my words) - clearly a monstrous injustice there.

  36. Anonymous Coward

    ORG? You're kidding!

    Liberty has mounted successful legal challenges for many years.

    The Open Rights Group has never mounted a single one. The freetards took two weeks to notice Phorm was a story- possibly the last people in the country.

    If you're an ORG member, I'd think about asking for your money back.

  37. Anonymous Coward
    Anonymous Coward

    Lavasoft Research Blog on Phorm

  38. Peter White

    response from BT webwise team

    seems BT may be back tracking

    below is a reply i got from BT

    Thank you for your email.

    Our plans are confined to conducting a opt-in technical trial for about 10,000 customers at the moment.

    I want to confirm to you that BT Webwise will always be offered as a choice. Those customers who have chosen not to participate will not have their browsing information mirrored or profiled, and no information will go to the BT managed profiler. No information is gathered, and therefore no information is forwarded to Phorm. Customers who opt out will not come into contact with any Phorm-managed equipment.

    Opting in and out of BT Webwise is extremely easy and completely transparent. Standard opt out method does depend on a cookie remaining on your machine indicating that you have opted out. If you delete your cookies regularly, you will have to opt-out again each time you start a browsing session. But for those who delete cookies regularly and want to remain opted out, you can block cookies from the domain on each browser you use. When you block this domain, the service will opt you out permanently.

    In parallel with the trial, we are already developing an opt-out solution that would remove the need for opt-out cookies altogether.

    BT Webwise technology is designed in such a way that it is not possible to reverse engineer identity. The service doesn't store personally identifiable information, doesn't store IP addresses or browsing histories of websites visited. The technology simply observes anonymous behaviours and draws a conclusion about the advertising category that's most relevant. All the data leading to that conclusion is deleted by the time each web page is loaded. The service dispels the myth that data on user browsing behaviour must be retained and stored in order to provide more relevant advertising.

    I hope this email answers some of your concerns.


    BT Webwise Helpdesk

    -----Original Message-----

    From: peter white []

    Sent: 13 March 2008 17:20

    To: BT Webwise Help Desk G

    Subject: RE: Technical enquiry from BT Yahoo! online help (broadband)

    May I correct you on several facts

    Talk talk have scaled down and now working on opt in and anybody who has opted out the data will not go via the profiler at all (a higher level of privacy than BT)

    Virgin media seem to be back tracking to the same position as talk talk from the report on the web

    Only BT at this point are proceeding as planned

    The anomonised data can still yield id information as AOL found that out last year when it released a ton of anonymised search requests with the user IDs replaced by random numbers; it had to withdraw the list in haste as it became embarrassingly obvious that users could be identified from that information alone.

    So by using a random number in a cookie will still enable users to be identified from the data passed from the profiler to the phorm server and so privacy is not guaranteed

    The anti-phishing features of webwise is a duplication of the function in

    IE7 and I believe also part of the Norton security suite you provide, so I see little value add from that service, the only thing the users will see is an increase in targeted adverts from the businesses signed up to OIX which was the adware rubbish phorm used to push, how many adverts are going to be for uk based businesses (very few I suspect) and due to the high rate of fraud and phishing on the web people are naturally sceptical of any popup and highly unlikely to purchase via them, this I doubt is of little concern as BT will only get revenue from allowing the adverts to be served and not from any form of pay per click on the actual poup-ups

    Can you confirm if the data of a user who has opted out or blocked the cookie is still sent to the profiler, and although supposedly not , is still possibly scanned (even if in error)

    Can you confirm catagorically that phorm / webwise does not breach my right to privacy under european law of human rights, RIPA, or the data protection act

    I understand the data is held on servers run by BT in BT's hosting centres, but the software is provided by phorm whose past appears to be dubious from the forums and information on the web

    I will be blocking the cookies on all machines in my house to protect myself as best I can and if webwise goes ahead I will be migrating out of BT asap after the notification

    Can you confirm if I Will be offered the option of terminating my contract early due to the changes to the terms and conditions of my contract if bt deem the trial a success and proceed with a full roll out


    Peter white

  39. jon stansfield


    Thats how i feel........ I emailed virgin who are my ISP ..... thier policy is to answer all customer enquiries within 48 hours via a return email.... After five days I had no such reply... However, after six days I had a phone call.... In next to no time after querying

    the privacy infringments, "pimping" users browsing data and asking why I should have to come into contact with this company to "opt out". The guy on the other end of the phone didnt seem very forthcoming with any definite answers to anything at all concerning thier tidy little earner.... I then asked for them to send me the relevent answers to my questions via my email but unsurprisingly they declined to be able to do so as "nothing is definite and theres still things needing to be ironed out". This translates as "we`re waiting to see if we can get away with this latest scam before we tell our customers what we have done"... i shall keep spamming thier inbox and also the customer forums on thier website in the hope that others will join in....

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022