BT admits misleading customers over Phorm experiments

BT has admitted that it secretly used customer data to test Phorm's advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects. The national telecoms provider now faces legal action from customers who are angry their web traffic was …


  1. bobbles31

    Specialist subject, stating the bleeding obvious....

    "BT denied any testing and said customers whose DNS requests were being redirected must have a malware problem."

    Well duh, of course I have a malware problem. You fuckers are selling me out to the Godfather of spyware.

    Mine's the one with "I'm with stoopid (Virgin Media)." on the back.

  2. Anonymous Coward


    Power to the people, Freedom for Tooting, etc.

  3. gautam

    Big Brother's Uncle....

    IS HERE !

    Nuff said.

  4. Man Outraged

    Tall tower of cards...

    Tim Berners Lee plastered all over the BBC TV, Radio and online saying NO.

    Serious legal questions are raised over the Home Office "guidance".

    It's all about trusting people with our data, now BT admit to a COVER UP.

    Phorm - a company reporting 11.6m operating LOSS last year, with invasive technology of which some have questioned the legality...



  5. Anonymous Coward

    due diligence

    I hate it when people use this term as it is meaningless. "Significant due diligence has been carried out" ... either the "due" amount of diligence has been taken or it hasn't. Obviously in this situation it wasn't otherwise this whole storm of badness would not be happening to BT and Phorm right now.

  6. Anonymous Coward

    "Only one exchange"

    Seems extremely unlikely that only one exchange of the five thousand or so broadband-enabled exchanges was involved *in any way* in the trial, because to do so would require, shall we say, "unusual" changes to the way BT's broadband systems work.

    BT Retail's broadband service is based on BT Wholesale's BT CentralPlus product which afaik only BT Retail uses, so other ISPs' customers needn't be too concerned yet, apart perhaps from Plusnet customers who have chosen to use BT-based Plusnet's RIN option (and they've been offered a free ticket back to the classic Plusnet network).

    Maybe the full data gathering and analysis process was only applied to punters on one exchange? Aiui BT CentralPlus can use the phone number for authentication, rather than the usual username/password stuff, so maybe that was used as a selection criteria... presumably phone numbers aren't classed as personally identifiable in this picture (maybe they lose the last few digits at some stage of the process, that would be perfectly OK, right????)

    Phorm still sucks bigtime and it's nice to see BT have been caught out bigtime.

  7. Anonymous Coward

    While BT are in the mood for fessing up

    How about asking them to admit that they shape and throttle traffic. That's one myth that BT CS reps are still denying despite overwhelming evidence to the contrary. (That and if you ask for your MAC code they offer to ensure you get your full traffic speeds, but oh no, it's not because they'll un-shape you).

  8. Chris Haynes

    At what point... is a technology not going to be used to make a profit at the expense of those who require that technology?

    The internet is meant to be a global network of computers that allows everyone to connect to everyone (within reason, of course). At what point does the very fact that you are connected mean you automatically have to be a source of revenue for your broadband provider? They already get our money each month. If that's not enough, they shouldn't sell access at that price. If they want more money, they most certainly should not be simply taking our data and pimping it to anyone who'll pay for it.

    I look forward to the day when the internet is "just there" - ubiquitous, and left alone to help people, not stiff them for every penny they can get.

  9. Anonymous Coward

    Sue the bastards!

    If I ever find out that they've been sucking down my data, I'll join in the lawsuit against them.

    Take them down!

  10. The Other Steve

    Due diligence my hairy arse.

    "We have carried out significant due diligence in this area"

    Really ? And which part of the due diligence process suggested that it would be a fine idea to illegally intercept and redirect peoples traffic, then tell massive whoppers about it ?

    Which part of the process suggested that it would be a great idea to do business with Kent Spunkbubble, a man so sleazy that when you look up the word 'sleazy' in the dictionary it has a picture of his face, and who heads up a company well known for invasion of privacy and is universally loathed by the technical community ?

    Which part of the process suggested that it would be a great idea to bet the farm on the novel and untested legal concept of "implied explicit consent" ?

    And which part suggested that it would be a really cool idea to fuck things up so badly that you would have to implement your corporate stock buy back policy in order to prop up your share price ?

    Clearly, BT have a very unique definition of the word 'diligence'.

    "and informed consent from our customers will satisfy the necessary legal requirements."

    It's far from clear that this is in fact the case, or that so far, BT are defining 'informed consent' in a way that would be recognised by normal human beings as being reasonable.

    I believe that BT have already received several large shipments of Phail. There are plenty more where those came from. Bastards.

  11. orsen kaht

    Recommendations for a new ISP

    I am currently using an unlimited download domestic account with BT with which I am happy as regards speed and reliability. This is a leave-at-any-time deal (as the contract has run out) and costs £8 a week.

    I am not happy with the idea of PHORM and would wish to leave if it is implemented. Anyone got any alternate ISP recommendations?

  12. Andy ORourke

    Taking Notice?

    Looks like the ISPs are taking some notice, especially about opt out. I got a nice reply last week from BT's MD and the "Director of Value Added Services" who assure me they are reviewing this all the time.

    I did put to them the point that has been made on El Reg several times:

    If this 'Service' is so compelling then advertise it and allow users to subscribe, only those who subscribe get routed through the profilers and everyone else just gets on with their surfing.

    Not had a reply to that one yet, still watching and waiting to see if I need to cancel my new contract with BT

  13. Inspector_Morse

    A Question .......

    ..... for the experts.

    Will browsing via TOR, using one of the unholy trinity of ISPs, prevent Phorm from Pharming my Phucking private data?

    Equally, will Firefox, with cookies denied, AdBlock Plus and NoScript do the job? I ask because the really clever bits of browser coding are way beyond this surfer.

    If the answer to either is yes, then my current broadband provider keeps my business. If not, then they can Phuck Orph.

  14. Alex

    I also received the "statement"

    I wonder what their definition of "one exchange" means, I know for a fact that it can't apply to the common conception of a Telephone Exchange as I have conversed with a few others, all of whom also experienced the "trial" and are at different ends of the compass to me!



  15. Paul Stimpson

    Cookie sham

    Opt-out cookies are a sham anyway. Sure it would be trivial for the cookie to be read by the ad server and for it then not to serve ads or, more likely, not targeted ones.

    In order for the cookie to be read when the information is gathered something is going to have to be sitting in the middle of all connections, editing the HTML to query the cookie then deciding whether to profile the page. Unless, of course, the ISP and Phorm think it would just be easier to profile everything then sort it out later. Forgive me for not believing that "opting-out" will stop Phorm from seeing my data and IP address.

    Nine more days until my new IDNet broadband goes in. Virgin, I'm going to miss you like a hole in the head.

  16. Maurice Shakeshaft

    Virgin media support team member .....

    .. led me to believe - yesterday, after a second attempt and several minutes on hold - that Virgin Media had never heard of Phorm and that if they had any intention of subscribing to such a service the Clients (you & me) would be informed and could opt out....

    Now, maybe I didn't phrase my question very well, or the supervisor contacted was genuinely unaware of the interest generated by Phorm. If Virgin Media do sign up and don't give me an opt out I shall be very displeased! They will know about it. Are there any ISPs that have declared they won't pimp client data?

    I've forgotten who said it but "the price of freedom is eternal vigilance".

  17. Jonathan


    What evidence is there that BT do traffic shaping? Is there a way that the home user (ie me) can find out if his traffic is being shaped?

    The more we find out about BT/Phorm, the more it sounds like a dodgy corrupt deal involving slimy businessmen and politicians looking for kickbacks. Why the whole idea has got this far is beyond me, and personally I think BT needs to take some heat for arranging trials secretly and then lying about them.

    Personally, I think the consequences for businessmen who engage in fraud or other illegal business activities is not nearly harsh enough. Such crimes need to carry mandatory prison sentences for the decision maker - maybe then businessmen will think twice about selling us down the river, when they have a chance to stay in a free hotel where each room is styled after the Bare Cast Iron look. If what BT did last summer is determined to be a crime, then whoever made the decision to go ahead with it, should spend a few years behind bars.

  18. Slaine

    the truth...

    ... is that BT lied. Blatant, deliberate and insidious. Case closed.

    Next time they tell you anything at all, remember this day.

  19. Man Outraged

    @Jonathan RE: traffic shaping

    If they don't do traffic shaping, what would they need DPI switches for? These are almost certainly unrelated to Phorm/Webwise.

    Also guys, don't forget that ORANGE is getting in on the act too, as noted here:

    Now this in the public arena let's get all the b@st*rd$ cashing in on our privacy.

  20. Man Outraged


    TOR is designed as a privacy tool, not a security tool. People who run TOR gateways are not vetted in any way. To some extent you can trust your ISP, despite Phorm, a lot more than a gateway operator.

    Read the FAQs on TOR and look at this story:

    This just highlights how important TRUST in your ISP is. STOP LYING, STOP SPYING!

  21. Ian

    Remote Squid

    I'm considering renting a Solaris Zone from someone like Sparsezones, or perhaps a similar operation not in the UK for extra safety, and just pointing all my home browsers at an https-ised proxy running remotely. End of problem.

  22. Iain

    @The Late Inspector

    Sorry, Morse. While TOR should indeed offer you a secure way out of BT's network, it's out of the frying pan and into the fire. There are instances of TOR hosts (who could be anyone from freedom-loving geeks to organised criminals, and you won't know who you're using) running even worse snooping than Phorm offers. As in credit-card scamming. So that's not a solution as I see it.

    Firefox cookie disabling may, or may not, cause you to opt-out of tracking. But your data gets sent for processing even if they double promise to honestly not keep the outcome of that processing for later. AdBlock Plus means you won't see any adverts from OIX, but a DNS entry will achieve the same thing, and it's not about viewing the adverts anyway; it's the tracking to gather the info to target them that is the issue here.

    In short, you're screwed. Your only choice is who you trust the most to do said screwing in the least painful manner.

  23. Graham Wood


    Re: Tor

    Possibly. Only if the exit point you leave through is not on a spyware infested ISP will that work. Therefore you've still got a chance of being hit. The docs on the TOR website specifically mention exit point monitoring as a "weak spot".

    Re: Anything browser related

    No. The ad blocking software will stop the targeted ads, they will NOT stop the data hitting the profiler. Because of the network level that this happens at, any traffic leaving over your ISP's connection that is on port 80 (e.g. normal web traffic) can be monitored.

  24. Alexander Hanff

    News of BT's confession affecting Phorm's stock again?

    Phorm, who were starting to recover towards the end of last week, are now losing even more money. First trade this morning leaves their share price down by 5.78%.

    Keep up the good work. I expect the litigation and hopefully criminal charges against BT under RIPA from the people who were illegally included in the BT trial last summer will hit their share price even more and hopefully BT's share price to boot.

    Remember if you have not signed the petition, do so. If you have not signed the facebook groups do so. For information about Phorm and how you can help check out

  25. Anonymous Coward

    Sir Tim and BT opt-in

    Hearing Sir Tim's interview on the 8 o'clock news on Radio 4 sure brightened my day this morning. Looking at the article on Beeb's site indicates that he was only talking about the ISP's profiling in the UK and that he is not yet aware of how much profiling is already happening in America and all around the globe.

    Any chance of El Reg getting an interview with Sir Tim and finding out his views on the US, Canada, EU, UK, Asia, Australia profiling which is already happening (NebuAd, FrontPorch, Adzilla, etc): mostly with no more notification than a change to the T&Cs on the ISPs' web sites or pop-up T&Cs when using hot-spots via wi-fi.

    It is a relief to see that BT are looking to follow the opt-in only option. Oh to be the fly-on-the-wall to know if that is in response to Sir Tim's comment on privacy or the complete failure of getting enough people to accept Webwise during trials (assuming the stories of trials over the last several days are true). Or the threat of legal action?

    I do have questions about opt-in though.

    Assuming that they 'hard wire' an opt-in IP address to the profiler. The user is happy opted in for some time. Then decides to opt out while viewing same sites - web mail, banking, forum, etc. Once that surfing is finished, some time later visits a site which reminds the user that they are opted out.

    Is there a time lag for 'opt-ins' between opting out and the cessation of data passing through the profiler?

    If the user decides to stay opted out, will they continue to be bombarded with reminders that they need to opt back in?

    Will all sites that have opted out of allowing their content to be harvested by the profiler need to be able to read some header so that they can pop up a display page to warn visitors that they need to opt out before using the site. Will the ISPs be able to agree on how to do this and will they provide the necessary code to all such web sites together with a grant to cover the cost of installing the code on the site. As not all users have javascript available and not all hosts offer php or other scripting languages, how would this 'header sniffing' be enabled?

    Will the profilers be able to read and obey a meta tag banning them from parsing the content - again, will the ISPs be offering webmasters a grant for the added cost of installing this code in all their pages?

    Life would be so much simpler if the ISPs decided that the profilers are just too much bother and are going to cost much more in maintenance, overheads and legal battles than they are ever likely to earn in ad revenue.

  26. Dave

    And what about the advertisers / websites ?

    As I understand it, Phorm will be running their own webvertising network. (I shuddered as I typed "webvertising" - Self Flamage) This will set itself up as competition for (say) GoogleAds.

    Which foolish businesses will advertise on this network? Which foolish websites will be looking to carry these adverts? As far as I can see anyone signing up for Phorm's services will be throwing their money away as soon as we get proper opt-in.

  27. Anonymous Coward

    Data Protection Act

    I believe that under the DPA it is illegal to use live personal data for testing purposes.

    They have a case.

  28. Inspector_Morse

    @ Man Outraged & Iain

    Thanks very much, but not what I wanted to read!

    Lewis is pretty pissed off as well......

  29. Anonymous Coward


    Seems I may not be the only one to think that "due diligence" is a meaningless term, and annoying when quoted as some form of excuse.

    Anyway; I wish these companies would stop talking about opt-out. Opt-out is not applicable when referring to spying of what folk are doing. Opt-in is the only possible area for discussion.

  30. Graham Wood


    You really need to VPN to your squid box to do it properly. There's nothing stopping BT (or whoever) doing protocol-based diversions rather than just port 80. E.g. they could detect HTTP running between X and Y on port 3128, and then bounce that to the profiler.

    I'd also recommend the VPN so that it doesn't become an open proxy for all of the BT netblock (assuming you're on dynamic IP)

    Other than that, been there, done that - and I'm not even on one of the whoring ISPs ;)
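Three posts above (the "Cookie sham" point that something must sit inline to read the opt-out cookie, Graham Wood's note that port-80 traffic is visible at the network level, and his follow-up that an inline box can classify HTTP by protocol rather than port) describe the same mechanism. The following is an added example, written for this page and not code from BT, Phorm or any poster, of what such an inline box can and cannot read. The flows are constructed for the example; the cookie name `webwise` and the hostnames are assumptions.

```python
import re

# Constructed sample flows (destination port, first bytes of the client's TCP
# payload). These are made up for the example; none are real captures.
SAMPLE_FLOWS = [
    # ordinary web request on port 80, with an opt-out cookie already set
    (80, b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Cookie: webwise=off; session=abc\r\n\r\n"),
    # the same request sent to a remote Squid on 3128: absolute-URI form, still plain HTTP
    (3128, b"GET http://www.example.com/news HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # TLS ClientHello on 443: record type 0x16, version 3.x, then an opaque handshake body
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)),
    # the proxy request again, but carried inside a VPN tunnel: nothing recognisable
    (3128, b"\x8b\x12\x4f\x00\x00\x00\x1c\xde\xad\xbe\xef"),
]

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")


def classify_payload(payload):
    """Classify a stream by its content, not by the port it runs on."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 3
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "opaque"


def parse_http_request(payload):
    """Pull method, target, Host and cookies out of a plaintext HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    match = HTTP_REQUEST_LINE.match(lines[0] + b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return {
        "method": match.group(1).decode(),
        "target": match.group(2).decode(),
        "host": headers.get("host"),
        "cookies": cookies,
    }


def interceptor_view(flows):
    """What an inline box reads from each flow: (port, kind, host, target, webwise cookie).

    The opt-out cookie is only visible after the request has already been parsed,
    so 'opting out' cannot stop the request reaching the box in the first place.
    """
    seen = []
    for port, payload in flows:
        kind = classify_payload(payload)
        if kind == "http":
            req = parse_http_request(payload)
            seen.append((port, kind, req["host"], req["target"], req["cookies"].get("webwise")))
        else:
            seen.append((port, kind, None, None, None))
    return seen


if __name__ == "__main__":
    for row in interceptor_view(SAMPLE_FLOWS):
        print(row)
```

The plain-proxy flow on port 3128 is exactly as readable as the port-80 one, which is why a bare remote Squid does not help; only the TLS and tunnelled flows come back as unreadable, which is the case for a VPN to the proxy box.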

  31. Maverick

    @ orsen kaht

    recommend a BB supplier who is open / honest / great technical support (24x7 based in UK) ???

    dead easy one that - go to one of the Entanet resellers (bet there are more than a few on here who use them)

    I think you can spot them on here:

    the resellers offer various different styles of packages, some hosting, some freephone support (not such an issue if they answer as normal after a few rings!)

    haven't seen any comments from Steve Lalonde about this Phorm ****k but I can guess . . . :)

    wonder how many ISPs would have the b***s to offer this up?:

    yes they do shape (ALT), but they DO explain IN ADVANCE why / when / how so you can decide if it suits you, or not, BEFORE you sign up for a ONE MONTH contract

    works for me & many others


  32. Anonymous Coward

    There may be trouble ahead...

    for ANY ISP that decides to go with this or any similar technology - I foresee non-Phorm ISPs using their stance in a high-profile advertising campaign once (if) it goes live. I will certainly move to one of them if my current ISP signs up for Phorm (or any similar spyware cum marketing technology)

  33. Chris Simmons

    Anyone seen this frightener?

    from the Phorm entry of the ICO DP register - rather shit scary and kinda shoots down some of their claims:

    Purpose 2

    Advertising Marketing & Public Relations For Others

    Purpose Description:

    Public relations work and marketing, including host mailings for other organisations and list brokings.

    Data subjects are:


    Complainants, correspondents and enquirers

    Advisers, consultants and other professional experts



    Data classes are:

    Personal Details

    Financial Details

    Goods or Services Provided

    Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):

    Data subjects themselves

    Relatives, guardians or other persons associated with the data subject

    Business associates and other professional advisers

    Other companies in the same group as the data controller

    Persons making an enquiry or complaint

    Traders in personal data



  34. Anonymous Coward

    This has probably been said before, but...

    isn't this a bit of a Phorm in a teacup?

    Yes, the one with the knife-holes in the back, ta. No knife-holes? Give it a moment...

  35. 3x2

    @A Question .......

    Using <insert preferred method here> to avoid the profiler I think misses the point. You shouldn't have to.

    To me at least the issue here is that BT and others think it is OK to wire-tap your line.

    Who they pass it to, why and how they plan do it is pretty irrelevant.

    If this move goes ahead it will be partly because it has been surrounded by mirrors and smoke, mostly of our (the tech community) own making. There is a good chance that people will take up BT's offer of "a safer more relevant internet experience" because they long ago tuned out talk of cookies, TOR and layer 7 packet re-assembly.

  36. Anonymous Coward

    How does BT Wholesale fit into this?

    All the discussion I've seen so far seems to revolve around subscribers of specific ISPs.

    What about other ISPs who merely use BT's pipes?

    Will BT be phorm-ing a relationship on behalf of all their subscribers too?

    Would BT admit it if they were?

  37. Anonymous Coward

    opt-out Vulnerability discovered - get opted in without your knowledge !

    WARNING: visiting the following link enables the Webwise opt-in cookie

    Don't forget to delete the cookie after you visit the above link.

  38. Anonymous Coward


    Um, plain english isn't my thing but here goes I'll assume you know what a source IP, destination IP and protocol is.

    Use wireshark to capture the traffic going to and from your PC, then do a) something you think is being shaped, such as FTP, then do b) something that you think isn't being shaped such as HTTP. End the capture and look at the data Wireshark captured specifically packets showing the data coming from the source IP (FTP/HTTP server) to your

    Locate a field called "Differentiated Services Field" and look at the value. If the value changes as the protocol changes you're being shaped.
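The post above describes the check in Wireshark terms. As an added example, not code from the poster or from BT, here is the same comparison done programmatically on raw IPv4 packets: pull the DS byte out of each inbound packet, split the top six bits (DSCP) from the two ECN bits, and group the marks by the remote server port. The packets are constructed for the example (the helper that builds them, the addresses and the DSCP values are all assumptions). One caveat the post does not make: differing marks show that something between the server and you is classifying and re-marking by service, which is consistent with shaping, but an ISP can also shape without touching the DS byte, and a server can set it itself, so treat this as evidence rather than proof.

```python
import struct
from collections import defaultdict


def ipv4_tcp_packet(src_ip, dst_ip, sport, dport, dscp, ecn=0, payload=b""):
    """Build a minimal IPv4+TCP packet carrying a given DSCP mark (constructed test data only)."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)        # DS field: DSCP in bits 7..2, ECN in 1..0
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 40 + len(payload), 0, 0, 64, 6, 0,  # v4, IHL=5, proto 6 = TCP, checksum left 0
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_header + tcp_header + payload


def parse_ipv4(packet):
    """Return (src, dst, protocol, dscp, ecn, transport bytes) from a raw IPv4 packet."""
    (ver_ihl, tos, _total, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(src), dotted(dst), proto, tos >> 2, tos & 0x03, packet[ihl:]


def inbound_dscp_by_server_port(packets, my_ip):
    """DSCP values seen on packets arriving at my_ip, grouped by the remote TCP port."""
    marks = defaultdict(set)
    for pkt in packets:
        src, dst, proto, dscp, _ecn, transport = parse_ipv4(pkt)
        if dst != my_ip or proto != 6:       # inbound TCP only
            continue
        sport, _dport = struct.unpack("!HH", transport[:4])
        marks[sport].add(dscp)
    return {port: sorted(v) for port, v in marks.items()}


def marks_differ_by_service(packets, my_ip):
    """True when inbound flows for different services carry different DSCP marks."""
    per_port = inbound_dscp_by_server_port(packets, my_ip)
    distinct = {d for ds in per_port.values() for d in ds}
    return len(distinct) > 1, per_port


# Constructed capture: HTTP from one server arrives unmarked (DSCP 0), FTP data from
# another arrives re-marked CS1 (DSCP 8), which is a common "low priority" class.
MY_IP = "192.0.2.50"
SAMPLE_CAPTURE = [
    ipv4_tcp_packet("203.0.113.10", MY_IP, 80, 51000, dscp=0, payload=b"HTTP/1.1 200 OK\r\n"),
    ipv4_tcp_packet("203.0.113.10", MY_IP, 80, 51000, dscp=0, payload=b"<html>"),
    ipv4_tcp_packet("203.0.113.20", MY_IP, 20, 51001, dscp=8, payload=b"file-data"),
    ipv4_tcp_packet(MY_IP, "203.0.113.20", 51001, 20, dscp=0),   # outbound, ignored
]

if __name__ == "__main__":
    print(marks_differ_by_service(SAMPLE_CAPTURE, MY_IP))
```

To run this against a real capture, feed it the IPv4 payloads of the frames (e.g. from a pcap read with any pcap library, stripping the Ethernet header) and your own address.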

  39. HKmk23

    Well, what did you expect?

    BT have been known as the Bastard Thieves or just plain the Thieves for over 30 years to my knowledge.....

  40. Francis Fish

    Phorm are those 121 timewasters? Great! Now I know who to send the bill to!

    Carphone Warehouse said they would opt me out when I emailed them, so we'll see ...

    Didn't realise that phorm were the timewasting bastards who were behind 121 - spent many a happy hour trying to get rid of their viral nonsense from a machine my then 10 year old son was using (no idea how they got past him not being an administrator).

    Can I send them a bill? I think they also managed to hijack firefox a while ago by putting in a bogus (and invisible) add on so I had to trash everybody's settings directory to get rid of it.

    DEFINITELY send them a bill, and then a summons through the county court for my time. Anyone else want to join in?

  41. William Morton

    I was getting snooped last year too and I'm in the midlands

    I think that BT should be made to send letters to all the users affected by this infringement of their privacy and an offer of compensation.

    BT keep saying it is legal, how do they know? They hope it is legal, more like; all the technical evaluations say it is not legal as implemented in this country. So I would say it has not been proven illegal, it has just not been taken through the courts yet. With this admission from BT you can bet it will now, so BT, save yourself some data subject access requests and 'fess up'. I think that two weeks should be sufficient notice before we start flooding you with the access requests, so 'fess up now or we will make you the April fool.

  42. michael

    Re ISP recommendation

    Pricey but good

  43. Anonymous Coward

    ORANGE is getting in on the act too @ all the news outlets

    "Man Outraged: Also guys, don't forget that ORANGE is getting in on the act too, as noted here:

    Now this in the public arena let's get all the b@st*rd$ cashing in on our privacy."

    Well done Man Outraged, it's good to see some are still mentioning this.

    A question that needs to be asked is: why are the other news outlets not even running any related stories regarding The Register's story on Orange mobile pimping your data?

    It's clear there are a select few businessmen and women right now looking to massively expand this data-pimping commercial piracy.

    And let's not forget, mobile handsets are far more widespread than even the UK broadband customer base.

    Don't let this related mobile Phorm-like business pass you by. Don't ignore it, make it clear, as with the fixed broadband ISPs, that it's not acceptable to pimp or pirate your data, be it fixed broadband or mobile narrow/broadband, in the near future.

    Today it's Orange mobile and the fixed broadband providers; tomorrow, almost everyone, no matter where you are or what type of connection you pay for.

    BTW, has anyone looked into or asked the up-and-coming UK wireless WiMAX companies if they too intend pimping and pirating any of your data?

  44. Anonymous Coward

    @Maurice Shakeshaft

    Aldous Huxley - "Only the vigilant can maintain their liberties".

  45. Alex

    Opt-out Vulnerability

    So unscrupulous websites, receiving a revenue stream from OIX/Webwise/Phorm could just insert a simple modified cookie and then BAM!, you're back in, without consent!

    phishing? more like dead in the water!

    still not a bad "pump n' dump" I suppose!

    So long phorm... So long BT....

    and thanks for all the lies.


    DO. NOT. WANT.

  46. Anonymous Coward

    BadPhorm and Dephormation have been getting a lot of attention from Russia

    care of the BT and cable forum

    "RavenHeart:From scanning through the BT forum link Sirius posted.

    it Seems BadPhorm and Dephormation have been getting a lot of attention from Russia

    Maybe they're looking to protect their own browsing habits"

  47. Brian Miller

    @orsen kaht

    ISP suggestion:

    Demon internet.

    The home user branch of THUS PLC. Very reasonable price, they only offer unlimited, a fair Fair use policy (top 3% B/W hogs over a 10 day rolling period will be capped at peak times)

    Their parent company THUS does a lot of the banks (HSBC etc.) service provisioning, and they did sky's too once upon a time.

    Privacy policy has got clout. Thoroughly recommend them. Call centres seem to be based in Britain also, at least the one time I had to call them it was a British person.

  48. Anonymous Coward

    Excellent progress

    Nice result and excellent reporting by El Reg as usual.

    However, I won't be happy until I see a dawn raid by police on BT and senior executives being dragged into a waiting van under arrest. Oh, and phorm declared bankrupt of course.

    I hope when those BT victims launch their court case they'll let us know where we can send a small cheque to help the cause.

    Keep up the good work.

  49. alistair millington

    I like the bit about data classes are "financial"

    How can you class with the government, legally telling them what you are up to and that you are using "financial data" from END USERS then say you aren't using financial data from end users.

    Anyone explain that in any other way other than it's all lies? Either to the government or the END USERS.

    Any ISP that doesn't sign up to it gets my vote. Just waiting for the final say from BT before I jump ship and look for others

  50. Jonathan

    @Phorm PR

    Anyone else notice how the "Phorm Tech Team" no longer posts here? Most likely they realized it was a battle they can't win with PR and gave up.

    When PR gives up trying to paint your idea in a favourable light, you know that your idea is immoral at best, and illegal at worst. Let's hope Phorm gets the Epic Fail it deserves - pullouts from BT, Virgin and CPW, and shares that no one would take if they were given away.

  51. Keith Williams

    The price of liberty

    "But you must remember, my fellow-citizens, that eternal vigilance by the people is the price of liberty, and that you must pay the price if you wish to secure the blessing. It behooves you, therefore, to be watchful in your States as well as in the Federal Government." -- Andrew Jackson, Farewell Address, March 4, 1837

  52. Chris Simmons

    Virgin and targeted advertising

    I was just going through my cookies on FF2 and under the two Virgin sections ( and there are 7 separate cookies referring to sageamp.

    Googling sageamp throws this as the first hit:

    with these bullet points:


    Key Benefits

    Increased ad revenue from targeted advertising.

    Increased run-of-site inventory yields by an average of 50%.

    50% higher CPM for targeted run-of-site inventory.

    Six times more Auto and Travel inventory moved outside their respective channels; 10 times more for Shopping.

    Rich criteria to create target groups based on behavioral and registration information.

    Full integration with DoubleClick ad server.


    There's a lot more detail of the "service" on the link above.

    I must admit I am probably jumping to the wrong conclusion here, but it looks at least as though VM are profiling us when we visit, at least, their own pages.


  53. Johnny FireBlade

    Dad's Army?

    "Stephen Mainwaring, a BT Business customer in Weston-super-Mare, believes sensitive banking data relating to his online horse racing business was press-ganged into a trial of an unproven technology."

    Don't panic Mr. Mainwaring! Actually, on second thought...

  54. Anonymous Coward

    Webwise is not available in your area, so it is not possible to switch on or off.

    I tried webwise and it said

    Webwise is: NOT AVAILABLE

    Webwise is not available in your area, so it is not possible to switch on or off.

    Went to the vuln site and got a cookie

    Webwise is: ON

    Switch off Webwise and turn off anti-fraud and relevant advertising features.

    Turned if off at webwise site.

    Webwise is: OFF

    Switch on Webwise and turn on anti-fraud and relevant advertising features.

    Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange.

  55. Anonymous Coward

    Opt-out Vulnerability

    "So unscrupulous websites, receiving a revenue stream from OIX/Webwise/Phorm could just insert a simple modified cookie and then BAM!, you're back in, without consent"

    It would take nothing more than a <img src="webwise_opt_in_URL">

    It is called a cross site forgery request.

    It could be turned off just as easily, so bang there goes their phishing protection, but no one need worry about that because modern browsers have phishing detection anyway.

    I'm sure Phorm are aware of the issue by now and will have it fixed ASAP, but if they miss an obvious potential security issue like that...
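The three posts on the opt-out problem (the original warning, Alex's note that any site could flip the cookie, and the `<img src=...>` explanation above) describe a classic cross-site request forgery against a state-changing GET. The following is an added example, written for this page and not code from Phorm, BT or any poster, that models the weak endpoint next to a hardened one. The paths `/on` and `/off`, the cookie names and the `webwise.example` origin are assumptions for the model, not the real service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical model of an opt-in endpoint: the paths, cookie names and origin
# below are assumptions for this example, not the real Webwise interface.
SITE_ORIGIN = "https://webwise.example"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    set_cookies: dict = field(default_factory=dict)


def vulnerable_toggle(req):
    """A plain GET flips the opt-in state. The browser attaches the user's cookies to
    any request for this origin, so <img src="https://webwise.example/on"> embedded
    in an unrelated page is enough to opt the visitor in (or, via /off, out)."""
    if req.path == "/on":
        return Response(200, {"webwise": "on"})
    if req.path == "/off":
        return Response(200, {"webwise": "off"})
    return Response(404)


# Per-process key for the hardened version; a real deployment would load it from config.
_CSRF_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session cookie: without the session an attacker cannot mint one."""
    return hmac.new(_CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_toggle(req):
    """State changes only via POST, from this site's own origin, with a session-bound token."""
    if req.method != "POST":
        return Response(405)
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return Response(403)
    session = req.cookies.get("session")
    token = req.form.get("csrf", "")
    if not session or not hmac.compare_digest(token, csrf_token(session)):
        return Response(403)
    if req.path in ("/on", "/off"):
        # A real server would also set SameSite=Lax on the cookie it writes here.
        return Response(200, {"webwise": req.path.lstrip("/")})
    return Response(404)


def image_tag_request(user_cookies, attacker_page="https://evil.example/"):
    """The request a browser makes for <img src=".../on"> while rendering attacker_page."""
    return Request("GET", "/on", dict(user_cookies), {"Referer": attacker_page})


def attack_outcome(handler, user_cookies):
    """Run the cross-site image request against a handler; report status and resulting cookie."""
    jar = dict(user_cookies)
    resp = handler(image_tag_request(jar))
    jar.update(resp.set_cookies)
    return resp.status, jar.get("webwise", "not set")


if __name__ == "__main__":
    jar = {"session": "s1"}
    print("vulnerable:", attack_outcome(vulnerable_toggle, jar))
    print("hardened:  ", attack_outcome(hardened_toggle, jar))
```

The same image tag pointed at `/off` silently opts a user out against the weak handler, which is the "there goes their phishing protection" point above; against the hardened handler both directions fail, since an `<img>` can only issue a GET and a forged form POST from another origin carries neither a matching Origin header nor a valid token.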

  56. Anonymous Coward

    @opt-out Vulnerability discovered

    So their security got hacked before they even rolled out the service.

    Is that a record?

    Not much chance we'll believe their other claims now is there!

  57. Ian

    How to fight back

    One option is to change ISP. A more effective one is to boycott websites that pay Phorm: their main source of revenue. I'll miss the Guardian's website, but it looks like I'll be paying it my last visit.

  58. Anonymous Coward

    Traffic shaping

    Of course BT traffic shape. Their unlimited package is capped at 80Gb. Never tell you that, do they, when taking your extra tenner a month.

    Disgruntled ex-worker who has actually spoken to the people who do the traffic-shaping? Scared of ramifications if I identify myself?

    Why, yes. Yes I am.

  59. Anonymous Coward

    I'd opt in....

    If they paid me £20 per ad served to my router.

    Unscrupulous bloody sharks.. and that's just BT, CPW and VM. As for malPHORMed, well the sooner they crawl back under the rock from which they've emerged the better. On second thoughts, they'd better crawl out from under the rock and stay in the open so everyone knows what they're up to with my (and your) web traffic.

  60. vincent himpe

    in or out

    Unbelievable that these guys have their head up their behind.

    I understand that they want to make money, but at the same time a lot of people don't want to be profiled or have stuff dropped on their computer.

    Why don't they simply do the following :

    If a person wants customized ads: go to the BT / Virgin / whatever portal, sign in and click "I want ads". This places a cookie on your machine that you WANT ads. No cookie is NO ADS. By default this is OFF for every user.

    BT/Virgin whatever could send a letter to their subscribers about an 'exciting new service for free, or with a 1 pound reduction of subscription fee if they are willing to look at advertisements'

    If you don't accept , nothing happens.

    Simple, no? But then again, I wonder how many people would sign up .... none?

  61. Paul Delaney
    Thumb Up

    @orsen kaht & Maverick

    Re: Recommendations:

    It changes by the month but at the moment:

    Be Internet: - not available everywhere but guaranteed not to phuck around with your connection in any way shape or phorm.

    ADSL24: - Entanet reseller (thanks Maverick) caps: 30gb peak, 300gb off peak, one month contract, no setup fee, free migration, no telco tie-in - 19 quid per month!


  62. Anonymous Coward
    Dead Vulture

    Opt-out vulnerability

    "I tried webwise and it said

    Webwise is: NOT AVAILABLE


    Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange."

    I'd think it checks if a Webwise cookie is present on your PC before checking if Webwise is "available in your area", maybe they use that approach in case someone uses their laptop in more than one location.

    Delete the cookie and it will go back to being not available in your area.

  63. Anonymous Coward
    Thumb Up

    Re: opt-out Vulnerability discovered

    Good test.

    Browser test results:

    Firefox - accepted webwise cookie when accepting cookies was set

    SeaMonkey - custom security settings (very high security), did not even try to visit the webwise site

    iCab - also did not even try to visit the webwise site

    For anyone who uses Safari, you will understand why I did not even test it.

    Assuming that SeaMonkey works the same for M$ and Linux as it does for Mac, and as it is not on the 'approved browser list' for sniffing your port 80 http traffic, I can only recommend that anyone who is worried that they may be opted in without their knowledge downloads the browser.


  64. Anonymous Coward
    Anonymous Coward


    The way they are detecting your state is the cookie, which is actually pretty sensible for 99.99999% of people.

    If you're going through a webwise connection, then the cookie will have to exist - they create it before you get anywhere, if you don't have one.

    If you're not, then there's no reason (unless you're the sort of person that reads 'el reg) that you'd have the cookie.

    Of course, the fact that the cookie is accessed (even in normal sites, from the BT trial write up) via a hacked data stream means that another of Phorm's claims is shown to be a lie.

    What are they at now, 5+ proven lies, and about 3 statements we're still working on? Do they have ANYTHING they've said that we haven't got doubts about?

    (If there's an (ex-)member of the BT management on the Phorm board, that starts to explain the background to how it's taking off too)

  65. Anonymous Coward
    Dead Vulture

    Webwise is: NOT AVAILABLE

    "Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange."

    Oh, hang on, you're right. I keep forgetting Webwise is supposed to be protecting us against phishing, so if we were to use our laptops at another location, saying it is enabled when it is not available at our current location might make us think we don't need phishing protection enabled on our browsers.

    I guess it is poor coding.

  66. Sam


    Can these slags follow what you are doing if you are using a newsgroup via SSL on port 443?

  67. John Edwards
    Paris Hilton

    Why not rob BT

    I suggest a wages clerk at BT walks off with as much cash as he can lay his hands on. When questioned he merely has to reply that it was a very small sum of money in comparison with BT's total wage bill and that he carefully destroyed the payslips.

    Paris because she would see the logic of this.

  68. Law

    @ orsen kaht

    Yup - I second Be Internet.

    They have been consistently good for the last 3 years I've been with them... that is moving address quite a few times to different parts of the country too.

    Only problem is, their support team tend to take a day to answer tickets over their web system. The phone guys are in Bulgaria, but infinitely more helpful than Indian call centers - and seem to know what they are talking about.

    Oh - it's £22 a month for unlimited - and no minimum contract (although they do want 3 months notice for leaving I think!)... I do 250GB+ every month without any letters complaining, outages or traffic shaping.

  69. Mostor Astrakan
    Paris Hilton

    Like the noise. Noise good.

    My learned friend informs me that "Due Diligence" in law has a well defined meaning. STFW comes up with this link:

    This definition I think is most relevant: "The care that a prudent person might be expected to exercise in the examination and evaluation of risks affecting a business transaction." You can use it as a defense if one of your jobs goes pear-shaped, but you genuinely analysed all the risks and nobody would have expected the sudden outbreak of squid in the computer room.

    Now "significant due diligence" on the other hand, has no legal meaning whatsoever. If taken logically (hah!) it means that Due Diligence was NOT taken, only a "significant" portion thereof.

    Frankly, not telling a number of users that you're syphoning off their -until then- private conversations on the web is about as far away from "Due Diligence" as it is possible to get without actually breaking into their homes.

    Paris, because she, too, is now an expert on legal matters.

  70. William Morton

    What about

    BT say they didn't release to a third party, but what about Phorm? Weren't they a third party? Weren't they developing and testing for BT at this time?

  71. Anonymous Coward
    Anonymous Coward

    and how do I stop this?

    From what I read, it looks like BT customers will have ads injected into their pages.

    Am I to read that ads that are not in the design are going to be put into the pages, or that ads that appear on the page will be targeted to the users but still maintain the original ad placements?

    For example, I create a page with no adverts; will ads be injected into this page so that BT can make money by displaying my page?

    Or, if I create a page that does have advert boxes, will the advert boxes now be filled with adverts *more relevant* to the user's normal browsing habits?

    Last question.

    Assuming that I only ever surf for pron, say from after 7pm (when the kids go to bed) till 1am, my targeted adverts could be for new porn sites, sex aids and internet sex dating sites? Not a problem for the 6hr a day porn surfer, but what about the ads that are displayed to the kids?

  72. Anonymous Coward
    Anonymous Coward

    @opt-out Vulnerability discovered

    "So their security got hacked before they even rolled out the service.

    Is that a record?

    Not much chance we'll believe their other claims now is there!"

    What security? I personally don't think it even qualifies as a "hack".

    "Hacked" would suggest a degree of skill and/or difficulty, and "security" would suggest some obstacle to circumvent.

  73. Magnus

    TOR obfuscates the PATH not the CONTENT

    repeat: TOR obfuscates the PATH not the CONTENT. It prevents people from tracking a connection back to you or from someone seeing where you are sending data to. It does that well but obviously not perfectly.

    If you want to send any confidential data (I was going to say through TOR but...) then make sure it is encrypted.

  74. Jolyon Ralph

    sageamp cookies

    I noticed after visiting the Mirror website that two turdware cookies were installed to do with sageamp with the domain set to '' - I didn't actually think it was possible to set a cookie as a root-level domain (but I guess .uk would be the root in this case), but apparently it is.

    I've written a little bit of js to stick on my websites that clears these out for anyone who visits, but shouldn't browsers prevent the creation of cookies that are at a higher-level domain than the visiting page?


  75. RW

    Yes, yes, yes, it's definitely malware: BT says so! (plus rant at no additional cost)

    BT: "customers whose DNS requests were being redirected must have a malware problem."

    So even BT agrees that Phorm's system is malware. There you have it folks, straight from the horse's mouth.

    Deeper thoughts: once again the malaise that infects business worldwide appears: the idea that you can do anything you want in the pursuit of profit (or shareholder value) as long as there's no explicit law against it. IANAL, but my understanding is that statute law is only part of the law, and a minor one at that, that common law is in fact the main part of law. Plus there's the old concept that the courts must seek justice, without being held to the restrictions of both statutory & common law: a legacy from the good old days of the Courts of Chancery.

    Time for a new legal principle to be promulgated: business must act ethically, responsibly, honestly, morally, and openly at all times in all ways, never mind the impact on profit or shareholder value. Behaving honestly and morally, sensu *very* lato, simply becomes a condition for doing business at all.

    As for the scumbags at Phorm and BT, we need a new legal penalty as well: do something dishonest, and you are issued a sort of ASBO that precludes you ever again being involved in business in any kind of responsible capacity. Perhaps tattoo the word "dishonest" across the foreheads of those found guilty? Think of it: no more directorships, no more management jobs, no job involving money or confidential data, nothing much but a being a salaried grunt at the lowest level of the hierarchy: the janitor or the guy who cleans the toilets, for example.

    And make sure that even consultancies are out of the question.

    Vengeance is mine, sayeth the Lord!

  76. Anonymous Coward

    Alternative ISP

    If it's on your exchange, get the ADSL2+ service from be*

    Check your exchange here:

    Unlimited (£18) is cheaper than BT and runs at 24mbits, or Pro (£22) if you want 2.6kbit upload.

    I get advertised rate 24/24 although on BT kit I only ever got 6/8.

    And no Phorm, and no plans. Direct from staff on the forum.

  77. Anonymous Coward
    Anonymous Coward

    Arse, shoulderblades, kick

    Now we finally have an admission from BT, I sincerely hope someone gives them a Reganesque arse kicking up to their shoulderblades via the courts.

    Personally I'm not surprised given the pathetic treatment BT used to give me and my last employer.

    Is there a definitive list of sites that are part of the Phorm network so we know which sites to boycott?

  78. Man Outraged

    @Jolyon Ralph re: cookies

    You can't set a TLD cookie, but is not a TLD. .uk is a TLD.

    RFC2965 explains all.

  79. bill

    @anonymous coward :re: browser test

    Anonymous coward... why did you "not even bother" to test Safari? Is it not susceptible to this attack vector, or is it just that nobody in their right mind would be using it in the first place?

  80. Chris Simmons

    The Beeb... currently building a story around:


    Online advert system Phorm is illegal in the UK, digital rights group The Foundation for Information Policy Research (Fipr), has argued.

    BT, Talk Talk and Virgin, have all signed up to use Phorm, which targets adverts to users based on web habits.

    Fipr believes Phorm contravenes the Regulation of Investigatory Powers Act 2000 (RIPA), which protects users from unlawful interception of information.

    Phorm and BT have said the technology does not breach any UK laws.



  81. Chris Simmons
    Thumb Up

    The FIPR letter to the ICO

  82. Alexander Hanff
    Thumb Up

    FIPR Open Letter/Press Release

    FIPR state "Phorm system illegal to operate in the UK" (based on their analysis of RIPA, DPA and European Data Protection Law).

    Phorm Stock down 1.5% since the press release. (down 8.81% so far today).

  83. Werner McGoole

    Good one FIPR

    A choice move by FIPR. They've thoughtfully analysed many of the arguments that have been floating around and presented them in a very comprehensible manner. It should certainly attract some attention and concentrate minds at the ICO.

    Well done guys!

  84. Rog69
    Paris Hilton

    Was I a test subject?

    So, as a BT customer is there any way I can find out if I was part of the Phorm testing?

    Paris, because she's almost as big a slag as BT.

  85. Anonymous Coward

    @anonymous coward :re: browser test

    >>Anonymous coward... why did you "not even bother" to test Safari? Is it not susceptible to this attack vector, or is it just that nobody in their right mind would be using it in the first place?


    One of the options for cookies in Safari is:

    Accept cookies - Only from sites you navigate to. For example, not from advertisers on those sites.

    3rd party cookies are blocked :D

    This is why Safari is not on the Phorm approved browser list: no point in using CPU on a browser that will reject all their cookies.

    While the latest Safari browsers are a lot better and more compliant than earlier versions, they are still very buggy and therefore not my browser of choice.

    The cookie security filters on SeaMonkey are a lot easier to set and block from specific sites, i.e. block, session or allow.

    Why use a Mini when there is a Rolls in the garage?
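    The cookie-scoping rules behind posts 74 and 78 (which domains a Set-Cookie may claim; RFC 2965 and its successor RFC 6265) and the third-party cookie blocking praised in post 85 can be written down as a few small functions. This is an added example for this page, not code from any browser, Phorm or BT; the public-suffix table is a constructed subset of the real publicsuffix.org list, and every host name used is made up.

```python
# Constructed subset of public suffixes; the real list (publicsuffix.org) is far longer.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}


def normalise(host):
    return host.strip().lower().rstrip(".")


def domain_matches(request_host, cookie_domain):
    """Domain-match in the RFC 2965 / RFC 6265 sense: the cookie domain must
    equal the request host or be a suffix of it preceded by a dot."""
    h = normalise(request_host)
    d = normalise(cookie_domain).lstrip(".")
    return h == d or h.endswith("." + d)


def accept_cookie_domain(request_host, cookie_domain):
    """Should a browser honour a Set-Cookie carrying this Domain attribute?"""
    d = normalise(cookie_domain).lstrip(".")
    if not d:
        return True            # no Domain attribute: host-only cookie, always allowed
    if "." not in d:
        return False           # bare label such as "uk": no embedded dot, reject
    if d in PUBLIC_SUFFIXES:
        return False           # every site under the suffix could read it, reject
    return domain_matches(request_host, d)


def registrable_domain(host):
    """The public suffix plus one label ("eTLD+1"), e.g. example.co.uk for
    www.example.co.uk; None when the host itself is a public suffix."""
    labels = normalise(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def is_third_party(page_host, resource_host):
    """Approximates the 'only from sites you navigate to' setting: a resource
    is third-party when its registrable domain differs from the page's."""
    a, b = registrable_domain(page_host), registrable_domain(resource_host)
    return a is None or b is None or a != b


def filter_set_cookies(page_host, responses, block_third_party=True):
    """Apply both rules to (resource_host, Domain attribute) pairs seen while
    loading page_host and return the ones that would be stored."""
    kept = []
    for resource_host, domain_attr in responses:
        if block_third_party and is_third_party(page_host, resource_host):
            continue
        if not accept_cookie_domain(resource_host, domain_attr):
            continue
        kept.append((resource_host, domain_attr))
    return kept


# Constructed page load: the page's own server sets four cookies with various
# Domain attributes, and an embedded advertiser sets one of its own.
PAGE = "www.example.co.uk"
SEEN = [
    (PAGE, ""),                 # host-only cookie
    (PAGE, ".example.co.uk"),   # parent domain: fine
    (PAGE, ".co.uk"),           # public suffix: rejected
    (PAGE, "other.co.uk"),      # unrelated domain: rejected
    ("ads.tracker.net", ".tracker.net"),  # third-party resource
]

if __name__ == "__main__":
    print(filter_set_cookies(PAGE, SEEN))                            # first two only
    print(filter_set_cookies(PAGE, SEEN, block_third_party=False))   # adds the tracker
```

    With the Safari-style third-party setting on, the advertiser's cookie never gets stored even though its Domain attribute is perfectly well-formed; the public-suffix check is what stops a page from claiming `.co.uk` or `.uk` regardless of setting.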

  86. Anonymous Coward
    Anonymous Coward

    Funny that

    Phorm and BT have said the technology does not breach any UK laws.

    I thought only courts could decide what does and what does not breach a law?

    Scum sucking, low life, no better than the old company they used to run, only now hiding behind "laws".

  87. Alexander Hanff


    You can send a Subject Access Request (SAR) under the Data Protection Act to BT along with a postal order or cheque for £10.00 requesting information on whether or not you were included in the trial.

    If you were included in the trial then the trial would have involved processing of data which falls under the remit of DPA.

    I am not sure how you might word the SAR but there are general guidelines here:


  88. Andy Turner

    WRT this snippet of the BBC story:

    "Phorm's system works by "trawling" websites visited by users and then matches keywords from the content of the page to a profile. Users are then targeted with adverts that are more tailored to their interests on websites that have signed up to Phorm's technology"

    Surely the websites themselves aren't going to be happy about this? If I spent a while on looking at Robbie Williams CDs and then as a result I start getting adverts from Amazon about Robbie Williams and I end up purchasing from there instead, then they are surely not going to be happy about that?!

  89. Andy Turner


    "So, as a BT customer is there any way I can find out if I was part of the Phorm testing?"

    Sure, check your credit card bill for impulse purchases that you're no longer sure why you bought!

  90. Anonymous Coward

    That's odd...

    ...I was under the impression that Lewis Hamilton is the greatest living Briton.

  91. Anonymous Coward
    Anonymous Coward

    @ orsen kaht

    Look at Zen - good solid service, if a little expensive.

    And they have specifically stated they will not consider foisting this shite on customers.

  92. Anonymous Coward

    I asked Freedom2Surf whether they were thinking about Phorm - here's the reply-

    Take particular note of the bit I surrounded in asterisks. Well - that's a lovely attitude. Since I already pay them a fee every month, I wonder why they think that they should get every extra bit of revenue out of me by whatever means they see fit just because they are 'not a non profit making organisation' - grrrr :-(

    Dear **********,

    To my knowledge we are not looking at using PHORM, however we in sales are usually the last to hear of this so all I suggest is to keep an eye out on your members area and the website. It appears that those ISP's that are trialling this appear to be using an opt in or opt out system anyway.

    ***** At the end of the day all ISP's are not non profit making organisations ***** and PHORM offers a revenue stream so unless people raise this in profile more with those that are trialling now then all ISP's will probably end up using it in one form or another. If you wish to raise your concerns officially I suggest that rather than emailing your concerns to us in sales you put it in writing to:


    Best regards


    Freedom2surf sales

  93. Sam


    Do we see BT suits cuffed and stuffed??


  94. Anonymous Coward
    Anonymous Coward

    What if they did this on your postal mail?

    New business plan:

    1) Look at lots of people's mail (really only the envelopes) to see what they send out and what they receive.

    2) Skip those that have flimsy "opt-out" stickers on their mailboxes.

    3) Be sure to hire teenagers to rip off all the "opt-out" stickers.

    4) Send the mailbox LOTS of nice "targeted" ads from the information gleaned from #1.

    5) Go into a subdivision a few months ago to do a test run.

    6) Tell everyone that this is not your personal data.

    7) Attempt to make lots of money doing this. Post balance sheet that says you are losing money.

    8) Have post office do all the dirty work, and say it is for your own good.

    I doubt it will work!!

  95. mixbsd

    @Jonathan - Phorm PR

    Phorm's own blog at hasn't had a new post since March 7th. Even the Phorm CEO/Chairman/President/King-of-his-own-shrinking-fiefdom has been silenced.

    What's interesting is that on you'll see a list of investors with Phorm Inc in their portfolio that also have these companies (amongst others):

    BT Group PLC

    Carphone Warehouse Group (The) PLC

    Talk about triple whammy.

  96. Anonymous Coward
    Anonymous Coward

    How do you test for this kind of redirection?


    A little off topic; although I don't think my ISP is redirecting traffic, I'd love to know how you find out if it's happening in the first place.

    Could some kind soul tell me how you'd check for this redirection? Or, failing that, point me in the right direction?

    BTW, I'm using XP Pro.



  97. Ben Tasker
    Paris Hilton

    Sorry to bring up system details again

    but I've been feeling a little slow lately, I've only just clocked onto the following;

    Phorm's system, IIRC, will send two requests to the server you are accessing (i.e. which has raised concerns about forms being submitted twice, but what about my bandwidth as a webhost? Now my server is not the busiest on the net by a long shot, but imagine you get 1000 hits a day; if all your readers are on Phorm-infested lines then your bandwidth will take the equivalent of 2000 hits.

    Am I right? Or is there a reason that last coffee tasted strange?

  98. Anonymous Coward

    Who to contact

    Does anyone have the email addresses of the various ISPs to register a complaint about their using the Phorm system?

    Being a webmaster, some of my clients have asked me to protect their sites from being profiled, captured, etc. by Phorm. Not even Google has access to the sites.

    These sites are behind a password-protected logon system using the normal http protocol.

    I know I could move the sites over to https, but this involves cost to myself and my clients, and we should not have to finance this.

    So I would like to email the various ISPs (i.e. the correct person and not the monkeys on the helpdesk) and explain that they cannot profile the sites as the data is not for their eyes.

    Thank you

  99. Morely Dotes

    @ David Wiernicki

    There are millions would argue for Pterry. It's all a matter of opinion,isn't it?

  100. Tim Blair
    Thumb Down

    why work when you can steal?

    "A spokesman for BT told BBC News: "Provided the customer has consented, we consider that there will generally be an implied consent from website owners."

    so they are going to ask them then???

  101. Fluffykins Silver badge

    RIPA say it's a BAD THING

  102. Anonymous Coward
    Anonymous Coward

    Re: How do you test for this kind of redirection?

    "A little off topic; although I don't think my ISP is redirecting traffic, I'd love to know how you find out if it's happening in the first place."

    The easy way is to do a traceroute. The problem is that if you don't know what you are looking at then this will probably cause you more problems than make you feel relaxed about whether or not there is a redirect.

    The way it works is that your request is sent first to your ISP. Your ISP will look to see if it has the destination in its DNS cache. If not, it will send you to another DNS cache, etc, until the destination is discovered. The next step is to send your request down the least congested route to the destination - which could be all the way around the world.

    I have just done a traceroute on one of my domains - 9 different routes (IP addresses) starting from my computer, through firewalls, routers, ISP, web host routers, each showing the time taken from the one to the other.

    To do a traceroute is relatively easy.

    First you need a DOS prompt - you should be able to find this among your program options. This opens a new window, probably black, where you may see some text and then a cursor. Just type

    tracert www.domain.tld

    i.e. any domain name. After a while, you should see the result of the traceroute printed to the window. The final destination will be the address of the server hosting the domain, which may be different from the domain name.

    If you want to make more sense of what you are seeing, you can use one of the whois services to look up all the IP addresses and then look up the domains returned in the results to see to whom they belong.

    Try a traceroute to a few more domains. The first part for each traceroute will probably be the same, up to the point the domain DNS is discovered.

    I hope the above helps.

  103. Anonymous Coward
    Anonymous Coward

    ac@Who to contact

    Put the company's name in here to get their Data Protection controller's address, but as a webmaster you can just put a "no profiling allowed" notice on all your and your clients' pages if they want coverage under RIPA.

  104. Anonymous Coward
    Anonymous Coward

    the markets

    I notice everyone's tracking the Phorm stock, but not the others, so here's a snapshot

    BT Group PLC -6.75 (-3.18%)

    Carphone Warehouse Group -21 (-7.18%)

    Virgin Media Inc -0.01 (-7.69%)

  105. Anonymous Coward
    Thumb Down

    Legal counter?

    I have added the "Modify Headers" plugin to Firefox on my systems. Whenever I send a browser request, I add a specific header that is of the form "X-RIPA-NO-CONSENT: RIPA: NO CONSENT FOR INTERCEPTION OF THIS TRANSMISSION".

    Am I now, legally, capable of stating that I am specifically denying consent for any phorm of information interception for this http request? Would this hold up in court if I then discovered that interception had taken place?


  106. Anonymous Coward

    Notes on a Phorm sales pitch

    well worth reading.

  107. Mark

    Checked with Eclipse, a so-so answer

    Eclipse said:

    "We've had some preliminary discussions with Phorm but have not committed to anything at this stage.

    If we decide to work with Phorm, we would notify our customers. Our customers' experience is of paramount importance to us and we would not do anything that we felt harmed their experience or the service we provide to them."

  108. Craig

    @ mixbsd

    It amuses me slightly to see that 38.18% of Phorm shareholders have Northern Rock shares. Bad money after bad.

    I have absolutely no sympathy for people who invest in companies like Phorm which are morally dubious at best.

    I have enough money in shares and enough experience to know what are truly dodgy shares, if it seems too good to be true, it usually is. The striking ignorance of some of those posters on the iii Phorm forum makes it seem like Phorm has more than its fair share of "get-rich-quick investors" who usually end up as "get-poor-quick investors."

  109. colin stone

    Crash and burn

    It is good to see the stock down -375 (-16.30%) this morning. Every trade so far today has been SELL.

    Keeping everything crossed that by Friday they will be bankrupt.

  110. Anonymous Coward

    @AC - Phorm sales pitch

    If what these notes say is true about injecting code into browsers ahead of downloading pages, then maybe we should all read up on the computer misuse act.

    Looks a lot like it's just a new way of putting malware on your computer to me.

  111. Aristotles slow and dimwitted horse

    Can all VM customers...

    Like me, start to bombard their customer services phone lines and online feedback system with demands for an "official" corporate line on this.


  112. Sam
    Thumb Up

    @Pink Pole

    Got the plugin, now, what goes where?

  113. Charles Pearmain

    Add Eclipse Internet to the list

    After much wriggling and many weasel words pointing me towards their "Privacy Policy" Eclipse Internet finally admitted that "We've had some preliminary discussions with Phorm but have not committed to anything at this stage."

    We've got more than 130 punters signed up with Eclipse who will be reaching for the MAC code [Request] button should enlightened self-interest not prevail there.

  114. David Goadby
    Thumb Down

    They lied once... and Talk Talk fib too....

    Since BT have now admitted they lied to us then how are we expected to believe anything else they say?

    Only one exchange? No private information? Small trial? Due diligence? No Cookie? No Mirroring? Opt out? ..... Once you are caught out lying then the trust goes. BT we don't believe you!

    Only this morning I had TalkTalk trying to sell me their Phone/Broadband package. I asked about Phorm and he went quiet and then read out what seemed to be a prepared statement saying that the project was not certain to go ahead after some "difficulties".

  115. b

    terrorism act

    Don't some misuses of computers also fall foul of the various terrorism acts that have been introduced recently?

    Or are they not THAT loosely worded?

  116. Anonymous Coward
    Anonymous Coward

    Re: Crash and burn

    The problem is that the sellers are probably selling short - they were talking about that the other day.

    In a few days, when the price is down and the less initiated sell, all they do is go in and buy, maybe on an automatic trade when the shares hit a given price. Profit being the difference between the selling and buying price. They never actually own any shares - just balance the trade account.

    They are the clever ones. Whichever way the price goes, there is a better than 50% chance that they are making money. Just now, they must be loving the price drop.

  117. Anonymous Coward
    Thumb Up


    Add a new header. Make the header = X-RIPA-NO-CONSENT and the contents = RIPA: NO CONSENT FOR INTERCEPTION OF THIS TRANSMISSION

    Go to and use the ShieldsUP! service to display your transmitted HTTP request headers. It should have the new one in there.

    Join the battle!!

  118. Sam

    @Pink Pole

    Done...I had to call it "user-agent" instead of "x-ripa-no-consent" though.

  119. Anonymous Coward
    Anonymous Coward

    @sam @@Pink Pole

    >Done...I had to call it "user-agent" instead of "x-ripa-no-consent" though.

    Not sure if munging/hiding/faking the user-agent is an abuse of the HTTP/HTML standard. If it is then you might be undermining your moral position slightly. If possible, use an x-... header. Perhaps someone else here can comment.

    I like the idea of adding an x- header. I think that we should try to settle on one then present it to ISPs as an informal 'standard' they must check for and respect ('twill be UK only of course). So, if any lawyers out there, what do you think of


    Broad enough?

  120. Sam


    "x-ripa" works, "x-ripa-no-consent" doesn't...something to do with the title length?

  121. Stephen Baines

    Run an apache server?

    Are you a webmaster and want to say you don't want your server snooped? Do you want to make it clear you don't consent to Phorm?

    If your apache server supports mod_headers try adding a modified version of this to your .htaccess files:

    Header add Phorm-Consent "No"

    Header add Phorm "Phorm Inc, All Subsidiary Companies of Phorm Inc, OIX Network, Internet Service Providers using the technologies provided by the former mentioned companies; NAME specifically denies permission for the former mentioned companies to intercept any communication between a remote user accessing content on any NAME Server and that person's Internet Web Browser, or any other Interface that such a remote user may use to obtain NAME data."

  122. Anonymous Coward

    @ Notes on a Phorm sales pitch

    As you said in your post is a really interesting description of the Phorm sales pitch on slashdot. Even more fascinating is the response from what purports to be the 'Phorm Tech Team', which repeats word for word the bland repudiations we have already seen at El Reg and in many other places. With due deference to my technical colleagues, these statements are so remarkably consistent and articulate that they are obviously pre-planned answers from the PR team. So if they can't even tell this simple truth how the devil do they expect us to believe anything else they say?

    They do however debut a new spin utterance ' The Russian development team operates under the direction of the Phorm UK headquarters'. So that's OK then?

  123. Anonymous Coward

    @ Notes on a Phorm sales pitch

    What I find most interesting about the Phorm PR's responses to the slashdot post is what they don't deny.

    From their silence, I deduce that the following is a non technical description of the hijack which does take place, with all the open holes such a hijack invites.


    With Phorm, the initial HTML request to gets intercepted by the Phorm equipment, which responds with a 302 redirect to, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for with the correct address for, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins, the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It's a malware writer's wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.

    Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.

    More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP's server (without an SSL session since it isn't going over the internet) can have the contents read and analyzed by Phorm.


    This method means that it is impossible for the user to block the activity. Even running a traceroute may not show anything amiss as all that will be seen are spoofed IP addresses for the ISP. It matters little where the first server that sends the hijack is positioned, with the admission of spoofed IP addresses no one is going to be able to accept the domain, server or IP address as being anywhere near the country it says it is. It is not unusual for a server host to host in a particular country while offering the IP address of a different country. As this separation of IP address country ID from actual country ID is regarded as normal, for any host one has to assume that the servers could be part of a network hosted anywhere in the world - again some hosts offer this as being one of their USPs.

    It is so simple, with Phorm only being responsible for Webwise, only being responsible for the phishing alerts, which of course do not have any PII of any form, just a random cookie that says ON or OFF.

    Innocent little school boys. Look, clean hands. Not me, Miss. He did it, Miss. The ISP, he's the one who did it, Miss.

    Joke alert: because only a very sick Joker would think that paying customers will be prepared to accept such a system.
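A defender-side check for the bounce pattern this post describes, added here as an illustrative example (it is not code from the post, from BT or from Phorm): it scans a browser-side request log for a request that is answered with a redirect to an unrelated host which then redirects straight back to the original site. All hostnames and log records are constructed placeholders, and the domain matching is deliberately crude.

```python
"""Detect the '302 bounce': a request for site A is answered with a redirect to an
unrelated host B, and B immediately redirects the browser back to A. Same-site
redirects and ordinary cross-site redirects are not flagged. Constructed example."""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed browser-side log: (requested URL, status, Location header or None)
SAMPLE_LOG = [
    # ordinary same-site redirect: www host to apex domain
    ("http://www.example.org/", 301, "http://example.org/"),
    ("http://example.org/", 200, None),
    # the bounce: the first request is answered with a 302 to a foreign host,
    # which then sends the browser straight back to where it was going
    ("http://www.example.com/", 302, "http://bounce.example-third.net/?r=www.example.com"),
    ("http://bounce.example-third.net/?r=www.example.com", 302, "http://www.example.com/"),
    ("http://www.example.com/", 200, None),
    # cross-site redirect that is NOT a bounce (e.g. a link shortener)
    ("http://go.example-links.net/abc", 302, "http://www.example.com/page"),
    ("http://www.example.com/page", 200, None),
]


def registrable_domain(host):
    """Crude site identity: last two labels. Real code should use a public-suffix list."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "")


def site_of(url):
    return registrable_domain(urlsplit(url).hostname)


def find_bounces(records, window=3):
    """Return [(original_host, via_host)] for each foreign redirect that is
    followed, within `window` records, by a redirect back to the original site."""
    bounces = []
    for i, (url, status, loc) in enumerate(records):
        if status not in REDIRECT_CODES or not loc:
            continue
        origin, via = site_of(url), site_of(loc)
        if origin == via:
            continue  # same-site redirect: normal
        for url2, status2, loc2 in records[i + 1:i + 1 + window]:
            # the foreign host sending the browser back where it started
            if (site_of(url2) == via and status2 in REDIRECT_CODES
                    and loc2 and site_of(loc2) == origin):
                bounces.append((urlsplit(url).hostname, urlsplit(loc).hostname))
                break
    return bounces
```

A hit only says the redirect chain looks like a bounce; confirming interception still needs a capture taken from outside the ISP path for comparison.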

  124. Anonymous Coward

    the latest US Phorm quotes are so cool

    If you liked the /. notes I took from a sales pitch,

    you will love the latest US Phorm quotes before the Phorm PR team gets over there and orders the retraction/re-write to soften the UK reaction to them.

    Get them while they're HOT, and they say it's your fault for getting the story/quote wrong. You need to register though, shame.

    A Company Promises the Deepest Data Mining Yet


    Published: March 20, 2008

    Amid debate over how much data companies like Google and Yahoo should gather about people who surf the Web, one new company is drawing attention — and controversy — by boasting that it will collect the most complete information of all.

    The company, called Phorm, has created a tool that can track every single online action of a given consumer, based on data from that person’s Internet service provider.


    "Phorm’s pitch to these companies is that its software can give them a new stream of revenue from advertising. Using Phorm’s comprehensive views of individuals, the companies can help advertisers show different ads to people based on their interests.

    “As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We _actually can see the entire Internet._”


    "Phorm says that these deals give it access to the Web-surfing habits of 70 percent of the British households with broadband. "


  125. Alexander Hanff

    @William Morton


    It is very important that you contact the police if you were part of the "trial" last year as BT have committed a criminal offence under RIPA.

    People must not simply look at this as a civil matter; all people who were included in secret trials of this can press criminal charges against BT under RIPA, and this is going to hit them much harder than the civil litigations people are looking at starting.

    Remember, just because you are pressing criminal charges, it doesn't mean you can't pursue litigation as well.

    So please, everyone who has been subjected to the secret trials, contact your local police station.

  126. Anonymous Coward

    Re: Notes on a Phorm sales pitch

    Indeed, well worth reading.

    What follows is a very simple explanation.

    That 302 redirect explains a lot. I have been looking for something like that for the last few months - since about December - and not been able to find it.

    The big question is: is that how all the profilers that have already been installed by the ISPs around the world work? If it is, then it explains one of the most confusing gremlins seen.

    I don't know how many webmasters read these pages. My guess is a few. Many webmasters have been noticing that their home page has disappeared from the Google SERPs for a few days or longer, then reappeared. A true yo-yo effect. In part this has been blamed on the decreasing PR effect from link pages / link farms. It has also been blamed on the data centers' updating cycles: wait a few days and it will all come right.

    Problem is, the home pages disappear again a few days / weeks later, then come back again.

    A 302 redirect will kill home pages.

    Why? A search engine bot should not be seeing the redirect because they do not use the ISPs when crawling for data.

    Wrong assumption. Google uses the Google Toolbar. As everyone knows, that is Google's little bit of spyware that tracks your every move. People who know about this disabled the toolbar years ago. But there are millions of people still using the toolbar.

    With over 10% of the US internet users already being profiled, that is a lot of users who may have the Google Toolbar. How many UK hotspot users have the toolbar? That is a lot of users supplying Google with the 302 redirect information for every page that they visit.

    What is the effect of the 302 redirect? Unfortunately one of the gremlins is that a 302 redirect is treated as a 301 redirect.

    Net effect is the PR of the URL requested is transferred to the 302 redirect URL. Also, the original URL is removed from the database and the toolbar now requests that googlebot goes out to crawl the 302 redirect URL so that it can include the new content in the database. Unfortunately, what it finds there has nothing to do with your site - it may even be blocked to all crawlers.

    Meanwhile, one of the other googlebots has discovered a link to the original URL and goes off to crawl that. A few days after the crawl, the original URL is added to the database and again appears in the SERPs.

    One day the URL is in the SERPs, next day out.

    Every profiler sells itself as a means of earning some of the advertising dollars currently enjoyed by the search engines. What better way than by exploiting the 302 gremlin?

    As far as market timing goes, it could not be better. Google has improved its page relevance ranking factors and diminished link spamming effects. Most webmasters don't have a clue about how to write a page that will rank, in its own right, as a relevant page and have relied on the PR effect. To keep traffic they have moved into PPC at the time when Google has been charging more for non-relevant landing pages.

    Not only have the profilers killed the website in the natural SERPs, they are now offering a targeted audience. Which marketing director would not jump at the offer of an improved ROI for the advertising dollar?

    I don't care where you as webmasters are in the world, the only way you are going to be able to protect your websites and ensure that they remain in the natural results is to tell everyone that the ISPs are tracking and profiling their every move around the internet.

    The more people who have their ISP tracking their surfing, the more that 302 gremlin is going to remove your pages from the SERPs.

    What chance that the gremlin will be fixed? Most unlikely. The gremlin has been around since the crawler script was first written and repeated requests have fallen on deaf ears. Why fix something that would decrease revenue?

    If you want to see your advertising expense grow by the projected 30% a year, do nothing. Even if you don't advertise, you are paying for that increased advertising overhead every time you buy something which has been advertised. Whichever way, ISPs are taking money directly out of your pocket and putting it into theirs.

    If you want your business to be found in the natural results displayed by the search engines and use advertising when it makes marketing sense rather than having a gun to your head all the time, then you had better get out there and start campaigning before you do not have a business left.

    I think that Sir Tim has a very sound understanding of the effect of interactions on the value of the web. If what I have written makes no sense to you, then ignore what I say.

    Sir Tim says that data capturing and profiling is a bad idea. At the very least, listen to him.

    Stop ISPs from intercepting and profiling your customers. Or go out of business.
