back to article Phorm agrees to independent inspection of data pimping code

Phorm has agreed to allow an independent software expert to inspect its source code as it continues to battle the firestorm provoked by agreements with BT, Virgin Media and Carphone Warehouse to let it build profiles of their broadband customers' web browsing. It seems a move by the battered firm to try to win some public …


This topic is closed for new posts.
  1. Anonymous Coward

    Why I use OpenDNS ...

    Or should probably read "Why I'm tempted to sign up with Anonymizer" ...

  2. Anonymous Coward
    Anonymous Coward

    no due diligence

    The report asks some good questions, but fails to answer them, and for the most part is desparately thin. Perhaps, as Simon has hinted, there is better to come.

    Elsewhere ( )Phorm have confirmed that they deliver their servers pre-built. They have confirmed that the ISPs do not get access to the source code (so much for ISP claims of due diligence) and that they can remotely access these servers (they say they will only do this if authorized by the ISP). Phorm say that they may consider allowing an expert to review their source code - does this mean that 80/20 have not seen the source, or are not competent to review it?

    It should never be forgotten that Phorm were rootkit makers. Any dealings with them should start on the assumption of utmost bad faith, and should therefore demand absolute transparency. We are a very long way from achieving that.

  3. Anonymous Coward

    Good news indeed

    Thank you phorm, this latest PR has had a fantastic impact on your share price.

    Down 375 points / 17% today alone.

    Keep it up chaps, and with luck you will be bankrupt by the weekend.

  4. Alexander Hanff

    Couple of problems

    Phorm PR Team have stated that an independent review of their software is being considered if it can be done without compromising their intellectual property...that could be interesting then.

    Secondly, according to the Phorm patent application the system can easily be compromised by advertisers. one of the points Phorm and their stooges keep emphasising is that no IP address is associated with the Unique Cookie ID; this is not the case. According to the patent application companies using OIX platform to deliver ads will have access to the Cookie ID via javascript (an ID which is not encrypted I should add) which makes it a very trivial task for a dishonest website to correlate IP addresses directly to the Cookie ID.

    Another point of major concern which has come about as a result of their "Answering Questions" is that they state they will have no remote access to the hardware on the ISPs networks, then in another answer they state they will only have remote access in the case of maintenance and updates with the consent of the ISP. Either they have remote access, or they don't; which is it?

    So far they have had over £1M worth of shares dumped back on the market since trading at LSE started this morning. Confidence is phalling. Viva La Privacy Revolution!!!

  5. Dazed and Confused

    Why can't Phorm understand

    This is nothing to do with their code.

    The problem is the whole idea that someone will listen in to the conversations my PC is having with the web in general.

    I don't give a stuff about how good or bad their code is

    I don't give a stuff how much they try and anonymise the data

    I don't give a stuff about where the servers are.

    I don't want anyone listening in to what I do on the web. I have a legal right to privacy.

    I don't want adverts to be served to me based on my surfing. The advertisers website will then know who I am because they will know my IP address and anything my browser chooses to tell them.

    I don't want adverts to be served to my PC based on the fact that my wife has been looking for my next birthday present. (Everyone DOES have somethings they'd like to hide)

    But above all I just don't want to establish the principal that it is OK to watch over my shoulder. It's not.

    So please Phorm, BT, VM and who ever else please get this through your thick heads.


  6. Man Outraged

    And each software update, too?

    Okay, lets say an independent expert verifies that:

    - When I'm opted-out my data doesn't go anywhere near Phorm's servers

    - ALL email websites, including private companies and support groups are ignored

    - The opt-out mechanism is robust and not open to accidental or deliberate opt-in

    - The system takes care not to categorise racial, political etc as defined by Human Rights

    - The system is tamper-proof

    What happens 4 minutes and 33 seconds into the deployment when the server software crashes? Phorm do a quick-turnaround fix. But before they deploy it, they need to:

    - Send a source for validation (validator will use delta validation method)

    - Pay and wait for this validation.

    On top of this, as those with experience in the security world will be aware, there needs to be a procedure to prove the software running on the server is indeed build from the source that was validated. This may involve independent build facility and image fingerprinting.

    So yes, I'm happy with Phorm. No wonder they need to raise an extra $mil35. This to pay for all the software audits!

  7. dervheid

    What part of...



    Do they NOT UNDERSTAND!!

  8. Oliver Freeman
    Thumb Up

    Keep up the good work el reg

    Another great article by el reg helping to keep the pressure on. Personally I think Davies needs to examine his conscience and recuse himself from commenting further on this issue. He clearly has a conflict of interest given that hes also a board member of FIPR in addition to 80/20 and Privacy International. I also dont like his response to finding out about Phorms previous involvement with spyware/rootkits. Its more than just a "Steep learning curve" its an absolute disgrace that he did not check into the history of this company given the privacy and legal implications of Phorm's proposals.

    As for phorm allowing an indepent expert to examine their code, I dont give a flying rats ass who they get to look at the code. I dont need the pope to tell me that satan is evil. I dont need an expert to tell me that Phorm represents a huge invasion of my privacy. Their PR teams cut and paste responses are laughable too.

    The only good thing that has come out of this has been the pleasure gained from watching their share price tank over the last few weeks.

  9. Slaine

    steep learning curve eh?

    Didn't know about 121media? - JEEEEEEEEEZUZ !!!

    ... suppose it would be a bit of a steep learning curve when you had to start at the bottom. Shame your job isn't being done by some of the many "anonymous cowards" that post here on a regular basis. Most people here have not had their heads buried in sand for the last decade in the desperate hope that the problem wouldn't arise or that they would be close enough to retirement when it happened to dump it onto someone else..

    Now then... I don't give a fancy four-fingered fig how many impeccably scrupled people look at the code, it takes seconds to "update" and how is anyone to know if the code that is presented is the same code that will be implemented.

    NO NO NO - Phorm is NOT welcome. Not by me, not by anyone with a vested interest in privacy. I'll get your coat shall I - you'll be needing it - it's bloody cold out there.

  10. TeeCee Gold badge
    Thumb Down


    "....... if the "service" is so great, why wouldn't people choose to be part of it?"

    Er, because the "service" is targeted advertising. It could be the best such service in the world, you still wouldn't actively want it. Phorm *need* this as an opt-out system, on the grounds that most sheep wouldn't be arsed to opt-out.

  11. Ash

    Who cares?!

    This is crapware which nobody wants!

    GET A F*CKING CLUE, ERTUGRUL. Any ISP or company who signs up with Phorm will lose customers BY THE THOUSAND.

    The horse is dead.

  12. William Morton
    Thumb Down

    They can look at the PHORM code but what about the ISP?

    The security problems with PHORM are not limited to what they have currently implemented in their code but rather that PHORM+ISP working together have the power to monitor all network traffic and identify all the users. PHORM alone have no doubt not implement all that their patent allows but what about in the future. BT have shown that they are willing to lie about their internal dealings how can we trust either company not to change PHORM after the public spotlight has moved on. Neither PHORM or the ISP's involved have promised to keep their customers apprised of changes to this snooping system.

    So just looking at the current PHORM code will show nothing it would need to be constantly monitored and all the information exchanges between the ISP and PHORM made public

  13. Dam

    Contract ?

    Surely if Phorm wants to profit from *my* data, which incidentally is *my* INTELLECTUAL PROPERTY (whether it be search terms for google, an article in a private forum (which they don't have a right to see in the first place) or a poem to my better half), they'll need to have a contract with me ?

    I'm not signing for any lower than $10k a month, and that's without warranties of productivity, I might not write another article for some months.

    No contract, no *stealing* my intellectual property.

  14. Anonymous Coward

    No thanks

    It's not just the code that needs auditing. It's the entire operation, including (but not limited to) the ISP's procedures and infrastructure, the advertisers, and the users' browsers.

    Call me when that's all been audited and I'll still tell you to get lost. Because it'll STILL BE ILLEGAL.

  15. Alex
    Thumb Up

    I can't get an image out of my head...

    Its of a man,

    on a raft,

    within shark infested waters,

    but the raft is falling apart and for every log he grasps at another two come loose.

    I don't feel sorry for the man on the raft, I would quite like to see him gracefully drown.

    Then, less gracefully, I'd like to see the ones who supply the waters to be hung out to dry.

    all of this is being played out to the resounding sound of

    DO. NOT. WANT.

    DO. NOT. WANT.

    DO. NOT. WANT.

    so much for "Phishing for the ignorants"

  16. Alexander Hanff

    Some questions Phorm answered

    Q29. Does the system scan all unencrypted HTTP requests including online e-mail services, private social networking sites such as Facebook and if it doesn¹t what is the system in place to allow it to differentiate between these sites and other HTTP sites?

    A29. We maintain a list of webmail sites and we do not analyze their pages. In any case the content of all sites is protected by the way the system works:

    it takes a ‘top 10′ of the repeated keywords from the page and matches them against a list of advertising categories, then throws the keywords away. The categories (”Channels”) are policed to ensure they do not contain personal information or match sensitive behaviours such as medical or porn. This means that unless a word from a page is a) repeated b) is one of the top 10 and c) is found in a legitimate list of advertising keywords, then it is ignored. This means that personal information cannot be matched and it passes unnoticed by the system.

    [So basically they are saying if you are using resources not in their blacklist, they will "analyze"[sic] your webmail etc.]

    Q35. You state that the only information that will be collected are search term phrases and categories but according to the technical aspects of the patent application for your technology it allows for the collection of almost any kind of information including IP addresses. To what extent has the system been modified to disallow it from collecting such information that it is capable of and how can you guarantee that in the future it may not be modified to do so?

    A35. The patent envisages many applications, most of which have not been implemented. The current system has no disabled functions waiting to be enabled, and your best guarantee about future systems is that they will be handled with the same transparency as this.

    [Transparency? WHAT FUCKING TRANSPARENCY??? They don't state which parts of patent have or have not been implemented and then make things EVEN WORSE by saying the current system has "no disabled functions" which presumably means all the functions they have decided to use from the patent are fully implemented in the technology they are about to -try- and deploy.]

    There's a lot more where that came from but I don't want to paste it all, check out the following link for more details:,25/

  17. 3x2

    @Why can't Phorm understand

    Doh - you beat me to it.

    You have to wonder what would have happened if all of this had never reached our ears until BT and their scumware buddy were ready. Secret testing on un-suspecting customers over - time to present it all in the warm glow of "Webwise" your safe surfing friend.

    Phorm - take what's left of your investors money and run, IT'S OVER

  18. William Morton

    @All those people who think PHORM dont know we don't want ads

    PHORM know but just don't care, we are just sheep to them, to be sheared for profit. Well those people still using PHORM after it has fully implementing their patent will no doubt be happy to be free of their natural insulation from the world i.e. their anonymity.

    Don't come complaining here when you have people with power over you making decisions based upon what you did on the web, you sold your liberty when PHORM+ ISP fleeced you

    Mine is the cotton coat I don't wear wool anymore

  19. Peter Fairbrother

    80/20 report

    As Simon Davies's main critic on Ukcrypto, can I say I don't actually blame him too much - he apparently got snowed by Phorm, something which Phorm are very good at.

    I do think he might have been more careful though, both about the difference between him acting as a member of PI and acting as a member of 80/20, and about considering the wider aspects of Phorm's proposal.

    I don't doubt that Phorm has made some efforts to prevent personal information being kept and while I'm not convinced, I'm not surprised that Simon thought they were impressive - Phorm are good at impressing. They may even be right in this case.

    However Simon seems to have simply accepted that Phorm's proposal is legal under RIPA, and did not consider the wider aspect of whether anyone should be allowed to have direct access to internet traffic at all, for purposes such as targeting advertising.

    In my view this is at the heart of the matter, and is at least as important an issue as as not processing personal data (which incidentally is a defined legal phrase which doesn't mean what it seems to mean): no-one should have direct access to internet traffic beyond the extent to which it is necessary in order to pass that traffic (and maybe the Police in some cases).

    The public's primary protection of the privacy of their communications is Part1 Chapter1 of RIPA (which replaced the Interception of Communications Act), not the DPA, and that's pretty much what Part1 Chapter1 of RIPA says - you can't look at communications traffic unless you need to in order to pass on the communication, or have the consent of both parties.

    Which is why Phorm is illegal, and should be illegal - it's looking at, and thereby intercepting, raw internet traffic.

    It's not dissimilar to tapping your telephone and looking for keywords in order to target advertising - even if the content of calls isn't recorded, and the keyword counts are anonymised, they have no business tapping your telephone in the first place - and the privacy of both parties to the call is infringed just by that tapping.

    What Simon's report looks at is whether the call is recorded and the effectiveness of the anonymisation - but it doesn't look at whether anyone should be allowed to tap your telephone calls in the first place.

  20. Jonathan

    I'll bet Phorm's code looks like this...



    //add this later





    //not working finish later


    //higher ups said we should save anything just in case. you never know


    //he he, my little "fix"


    //hey do we free memory up now or later? oh well, hope no one notices




  21. Anonymous Coward
    Black Helicopters

    Messenger shot

    I work at BT and I've heard about the guy who leaked the document from BT to The Register. Guess wot, he don't work 'ere no more.

  22. Joe K

    @Dazed and Confused

    I was going to comment, but you said it all, nice one.

    I couldn't care less if their servers were deep underground, quantum-encrypted, and accessible only by earthworms.

    I still don't want some bloody former spyware cunts watching me web browse!!

  23. Andy
    Thumb Down

    Re: They can look at the PHORM code but what about the ISP?

    Yes, the ISP needs looking at. How are they going to guarantee that because you have opted out your traffic will go nowhere the phorm servers? Perhaps a traceroute might work? The ISPs will not be able to prove your traffic goes nowhere near the phorm servers cos they aren't going to divert your traffic. Too much like hard work and it will cost them money.

  24. Anonymous Coward
    Anonymous Coward


    ...How much would it cost to get Privacy International's browsing history, then?

  25. William Morton
    Thumb Down

    If they implement all of the PHORM patent you won't know anything

    If they implement all of the PHORM patent then with the ISP's help, they can hide what they are doing with your web traffic completely, it will not matter what you use they have the power.

  26. Mike Crawshaw

    @ Messenger Shot

    Damn, I hoped he would get away with it and carry on feeding us tidbits of info!!

    Seriously though, I feel for the guy. He saw corporate policy that was incredibly wrong, and did what his conscience dictated, making it public. Hopefully a firm that deals ethically will ignore the BS reference he's sure to get from BT, and take him on.

  27. gothicform

    Messenger Shot?

    If the BT guy who leaked the documents has been fired and Phorm turns out to be unlawful doesn't that mean said whistleblower can actually sue BT as whistleblowers who inform on unlawful action have legal protection and cannot be sacked?

    Still, I'm sure they gave him a nice big payoff and ace reference just to cover their backs cos BT aren't completely stupid... right?

  28. Graham Wood
    Black Helicopters


    Traceroute won't necessarily show anything - although from the writeup made by one of the people who hit BT's illegal wiretap (sorry, "trial") it looks like it did there.

    Layer 7 processing can be made almost totally transparent - since the interception happens along the existing data path. As a result of some of the peculiarities of the way TCP works, you MAY be able to detect layer 7 processing (but this won't work if there's NAT along the way anyway) if you have low level details from the far end... However, this is equally likely to be caused by QoS processing - so it doesn't prove anything.

    Unfortunately, if they turn off the cookie insertion it could become totally transparent to the end user - they can't do the tuned adverts as easily (but it would still be possible) but by only passively scanning the data flow at hardware controlled by a colluding party, it would be completely invisible.

    Of course, this could already be being done - who knows? If you want to see this for yourself, get a computer with 2 NICs, and a linux live CD. Setup "bridging" (without STP, we want to be stealthy remember?), and plug one NIC into your router, and the router's link to the network in the other port. About 2 minutes, and apart from the link up/link down at the switch, there's not a thing to show that it happened...

  29. kain preacher


    Wait they have access to the servers that are connected to the ISP. What if some hacks phorm. That would give them access to the ISP servers. Hmm wounder what all some could do.

  30. amanfromMars Silver badge

    Bigger Pictures

    "Phorm PR Team have stated that an independent review of their software is being considered if it can be done without compromising their intellectual property...that could be interesting then."

    Unleashing a Phorm PR Team Championing Thoroughbred into Markets would protect intellectual property and Create Greater Interest for Sovereign Investment Capital ........ Right Royal Stock.

  31. Alexander

    The penny just aint dropping yet, is it?

    I dont care if the pope checks phorm out, virgin will be losing my custom as soon as they "Phorm in" I am "Phorming out" for GOOD, taking my tv and phone package with me not just BB .....ah well time for sky HD then.

  32. The Other Steve

    I don't care if it's legal (it isn't) or anonymous (it isn't)...

    I don't care if Phorm's CEO gives me his first born son to hold in escrow as a guarantee of his promises.

    I don't care if my ISP offers a water tight privacy contract signed in the blood of their customer service department who are consistently ignoring my complaints.

    I don't care if they get the resurrected spirit of Jesus Christ to audit the source code.

    I don't care if the God of the Old Testament manifests and writes "Hey guys, Phorm is OK by me" in letters of fire upon the sky.

    I will not tolerate my ISP intercepting my communications in order to treat me as a chattel. Period.

    I do not want Kent Spunkbubble and his merry band of cold warriors and root kit artists installing equipment anywhere in the UK telecomms network, for any purpose, ever. Period.

    In other words, Fuck off, you shady bastards.

  33. Midnight_Voice

    You can't run with the hare and hunt with the hounds

    As we used to say until the government banned the latter anyway. But this is a proverb that Simon Davies might do well to master.

    I'm sure that Ross Anderson and Richard Clayton are smart enough to know it; and to know that their respect in the field would melt like April snow if they were even to consider taking Phorm's shilling.

    And what is the best they could they say anyway? "We've looked at this code, and the good news is the system is only as bad as we thought"? While the bad news is that's quite bad enough anyway.

    But I also want to touch on an aspect of the system that Phorm seem to be keen to keep terribly quiet about, and it's one of the most disquieting.

    They make much of 'the browsing data never leaving the ISP' and the 'equipment being physically at the ISP's premises'. But where is the profiled channel information associated with each unique user cookie being kept? Now that we know there is nothing in a Phorm cookie but that unique ID, the channel data must be elsewhere. And that means a path for data out of the ISP, to Phorm's servers.

    OK, it's just the aggregated channel data, and not any of the actual browsing details, we are told. But it's worrying that the path is even there; this isn't the closed system within the ISP that Phorm would like us to believe. And indeed, can we be sure that the traffic is all one-way? And that it is, and will remain, only what Phorm say it is? After all, Phorm aren't going to let the ISPs see the Phorm code that's running on the servers inside the ISP systems.

    Not sure this is how it's going to work? Check out this paragraph from the E&Y privacy audit:

    "If you use your computer and usual browser in a country other than your home country to log on to the Internet via one of our partner ISPs in that other country, the data that Phorm holds in its system that is associated with that cookie may be automatically transferred to Phorm's systems in that other country."

    So go abroad, start surfing via a Phorm-using ISP there, and the system is going to phone home for your UK channel information. Hmmm.

    But hang on a minute; all it has is a supposedly 'random' UID that it can't trace you with. So how is it going to even know where 'home' is, if that is the case? Maybe this random UID is not so random after all?

  34. Elmer Phud

    ISPs to grass on themselves?

    Fortunately I don't understand the technical stuff but if my ISP is supposed to tell the authorities if I'm guilty of unauthorised transfer of data then shirley it works both ways. If I don't personally authorise transfer of my data to Phorm then the ISP is guilty and should turn themselves in.

    As Regan would have it "Get your trousers on, you're nicked!"

  35. Slaine

    Suggested addendum to "Alexander Hanff"

    I suddenly realised exactly what I was reading... "policed to ensure they do not contain personal information or match sensitive behaviours such as medical or porn"...

    okay... so let's all now call up our favourite search engine, the famous one with a couple of G's and O's will suffice; turn off your "content filters" so that the search is as broad and all-encompassing as possible ... with me so far? ok ... now type in a person's name, an item of sports equipment, a piece of clothing, a shape, a colour, a random number... ok? "return/enter ... now ... switch to images.

    Do you see tits?... if so - technically that's a search that resulted in accessing porn and, by Phorm's admission cannot be included. If you doubt the claim? Try searching for "golf balls" - see images page 4? I daren't check "bananas" and for God's sake don't look for confectionary items.

    Question... does speculum come under medical or porn?

    There is absolutely nothing about a person's browsing habits can can be anything other than sensitive and therefore, logically there is absolutely no data that can be derived from any individual's browsing habits that can legally be used, except perhaps in court. CASE CLOSED.

  36. Aristotles slow and dimwitted horse

    Has anyone contacted BBC Watchdog yet?

    Just a thought. If not, then I will.

    Keep up the pressure.

  37. MYOFB

    I Am the Anti-Phorm !!

    My answer to the issue of Phorm is . . .

    If it comes to pass that BT, VM, CPW, et al implement their 'package' then I will personally Roger them all Rigid, whilst taking a 'Happy Slap' video on my mobile (which I will post to every 'social' website).

    When I'm hauled into court to face the charges of my perverse course of action, my Barrister (in my defence) will put forward this 'argument' . . .

    "How can you stand there before this court to complain of being shafted, publicly, by one man, when you yourselves have shafted millions, publicly, between you?!" "I ask the court to dismiss all charges herein based on these grounds!"

    Law Lords response . . . ?

    Case dismissed!!!

  38. Sam

    I love this bit from the BBC

    "Kent Ertugrul, chief executive, of Phorm, told BBC News: "We have not had the chance to describe to Tim Berners-Lee how the system works and we look forward to doing that."

    How about someone explains to Kunt Turdfail that we don't want his shit?

    My favourite explanation aid is a one metre length of scaffold pole, works wonders.

    On a side note, can anyone explain why the title "X-ripa" works, and "x-ripa-no-consent" doesn't work in my now modified browser header?

    x-header syntax and rules seem to be a secret on the interweb..

  39. Morely Dotes

    Davies admits that Phorm collects personal data

    "in my view the company has gone above and beyond the norm to expunge personal data from its system."

    In other words, Phorm's spyware *does* collect personal data, but then very kindly deletes it. You can't expunge data unless you collect it first.

    And there's no guarantee that they will continue to delete it in future; particularly if it becomes of "commercial value" to them.

  40. Clive Powell
    Jobs Horns

    What happens to the people who are left?

    Not everyone knows about PHORM and the deals they are trying to do, so once everyone else has opted out of BT and VM, there will be so little traffic (but fabulous speeds) that it will be quite easy to identify who is looking at what for the customers left. This is starting to look like the herds of wildebeast heading for the crocodile infested river. Most will get across unharmed, but if there is only one or two, then they are eaten. Those remaining with BT or VM will get all the ads, because why be selective to only a few. However I have noticed a few links to the debate appearing on the BBC website (who as normal are trying to be "neutral" in any debate, but not investigating the problem).

  41. Alexander Hanff


    Another important point which has been raised is that if there is no chance of personal data ever being stored, why is there a need to police the category channels to make sure there is no personal data there?

  42. Morely Dotes

    @ Mike Crawshaw

    "a firm that deals ethically"

    Which fantasy world would that be in, then?

    There are two kinds of corporations: Rapacious, sell-your-grandma-for-catfood crooked ones, and dissolved-due-to-bankruptcy ones.

  43. Anonymous Coward

    My MP

    I have had a response from my MP saying that his is looking into and shall be taking it up with an appropriate minister in Government.

    I took the angle of saying that if he had broadband with one of the major suppliers then his very surfing and communications with MP and constitutes would all be intercepted just so he could have a few ads more relevant for him.

  44. Anonymous Coward

    And inspecting the code proves what, exactly? BBB ?

    Any old set of source code will do, since no one will know what resemblance, if any, it will bear to the object code running on the profiler. Once they have your TCP stream they own you and thats the end of it! Just another PR stunt of the 'Bullshit Baffles Brains' variety.

  45. Anonymous Coward

    Remember it is the ISPs that are the criminals...

    ...Phorm are merely selling them the tools with which to commit the crime. And yet their silence continues to be deafening.

  46. Anonymous Coward


    "Still, I'm sure they gave him a nice big payoff and ace reference just to cover their backs cos BT aren't completely stupid... right?"

    You can take a wild stab in the dark for an answer to that.


  47. Justin Otto

    @Messenger Shot

    I would like the ex-BT guy to be the auditor.

    Do we get a vote?

  48. Man Outraged


    Either I'm in a rediculously good mood or the phorum's on fantastic phorm today. Every other post getting me laughing out loud, especially:

    Slaine: "Do you see tits?"

    Jonathan: if(opt-out=1) { //add this later }

    And loads of others.

    I think Phorm-baiting could become a national pastime or even an exhibition sport for 2012.

    Here the Phorm-haters were linked to the anit-Scientology brigade as the 2 loudest ranting voices on the net today:

    At least I think that was what the author was trying to say!

  49. Anonymous Coward

    Well VirginMedia.....

    ....have already implemented this system and it is running. They say on their site they will reveal information closer to roll-out but upon scanning my machine and using a packet scanner on my internet connection it seems they are already using this system.

    I wonder for how long now.....

    Burn VM Burn

  50. Simon Davies

    The conflict of interest issue - our response

    The record needs to be set out in full regarding the “conflict of interest” claim relating to 80/20 Thinking and Privacy International. I have no objection to public discussion about the matter, as long as the facts are laid out in full, rather than relying on a twisted, abbreviated account.

    Will people please read our report to Phorm. Read it in its brief entirety. Once you’ll do, you’ll realise that there are no conflicts whatever. In that report we argue that the system should be opt-in, that there are unresolved questions, that the matter of legal compliance is irrelevant to the issue of intrusion.

    For example, from page 10 of our PIA:

    "Phorm liaised with the Home Office to assess whether its system could infringe the UK law that regulates communications surveillance. The Home Office concluded that Phorm's system is consistent with the Regulation of Investigatory Powers Act and does not intercept communications. While this conclusion is a fair interpretation of Phorm and the system's capabilities, communications monitoring still takes place. Even if the Home Office's conclusions were appropriate and relevant, it would mean that if an ISP or any government wished to conduct similar monitoring of communications for segmentation purposes, albeit with consent of the user, then they may indeed do so and yet still be compliant with UK law. This could indeed give rise to a worrying situation."

    Yes, FIPR has lodged a detailed complaint with the ICO. That complaint dealt with matters outside 80/20s remit. There is no conflict there.

    Is there a conflict between our role in PI and our role in 80/20? Absolutely not. See above. My view is on the record at Read beyond the headline.

    People have asked: “Why are they doing this?” “Why are they advising the evil empire?” Two reasons. First, we believe that engagement is more constructive than non-engagement unless there is no alternative. As PI we have directly engaged companies such as SWIFT, Microsoft and eBay with positive results for privacy.

    Second, the British Public, who apparently SO support PI, donate an average of £130 a year to us. We receive more from citizens of India, even during the height of the ID card battle. I, for one, haven’t drawn a salary from PI for eighteen years. That is not a sustainable situation. Nor is it for my staff. Our supporters believe in an ideal, but some seem to believe we must be willing for us to go to our graves principled but penniless. There is a Thatcherite condition that prevails. Namely, that many supporters will make financial contributions to people like us as long as they have some sort of formalised stake in the enterprise. We never played that game.

    What is 80/20 Thinking? Check out and find out the details. Or go straight to and you’ll see that in fact this company is very much in the advocacy realm, and is intentionally set up to distribute fifty percent of its profits to NGO civil liberties campaigners in developing countries.

    Please allow me the pleasure of a small personal reflection. It seems to me, looking back over nearly two decades as an activist, that people were always willing to hail me – and PI – as heroes and visionaries, on the strict condition that we reflected everything without deviation or hesitation that they personally believed. On CCTV, ID cards, children’s fingerprinting, US relations, police powers, DNA databases, going back further to the crypto wars and even further back in dim history to CLI and the telephone battles of the early 1990s, you were always there for us as long as we agreed with you on every point.

    So we disagree on one paragraph, namely, our point that personal information has been removed from the Phorm system “as defined in the UK DPA”. If you want to demonise us for making that observation, then go ahead. At a personal level, I find that level of aggression unnecessary. I understand you are concerned about alleged endorsement, but let me reassure you that if we ever endorsed a product, you’d know about it. The last time we endorsed anything was PGP in the era of Phil Zimmermann.

    Simon Davies

  51. Anonymous Coward
    Jobs Horns

    My MPs response when I asked him to look into Phorm....

    'more of a nuisance' indeed - looks like he hasn't fully understood this at all.


    Rt Hon Sir George Young MP

    Member for North West Hants

    Tel. 01264 401401



    Dear ************************

    Many thanks for the email, which I read with interest. I will certainly keep an eye out for this, though at this stage my view is that this is all more of a nuisance than a threat!

    Best wishes, George Young

  52. Anonymous Coward
    Anonymous Coward

    There's one lot we haven't heard from yet

    Try as I might, I can't find the tired, the poor, the huddled masses yearning to browse free.

    BT and Phorm claim there are untold millions of users who bending over, positively gagging to be pimped to the armpits.

    But they're like Tony and George's weapons in Iraq - strangely elusive. In fact the harder you look for them, the more insubstantial they seem to be. The BT forums are in meltdown with customers outraged about WebWise; the same story over at Virgin and TalkTalk. Their support staff are being inundated by customers thirsting for the blood of Phorm.

    But not a person who wants this on their system.

    Has anyone spotted a pimpee in the wild? Perhaps the Reg could offer a prize for the first sighting?

    Best be quick, the way things are going, Phorm won't be worth jack by the end of the month - not unless they can salvage their share price by merging with a classier outfit like

  53. Paul Stimpson

    @Well VirginMedia.....

    Please will you describe the tests you did so I can replicate them before making a formal complaint?


  54. Waldo

    Pharm go **** yourselves

    Lets keep this simple BT, Virgin Media and Carphone Warehouse

    I will NEVER NEVER NEVER take a subscription to your ISP services whilst you associate with this sort of "activity".

    Got it?

    Shame, you, Phorm chose a name sounds almost like Porn hmmmmmm..... another internet spamming blight.

  55. b


    Anyone had a go at updating the appropriate pages in light of all this information?

  56. b


    Some rather important information missing from here:

  57. ilago

    You can check if your browser has the necessary

    "Just by visiting this page, your web browser is participating in our experiment. We are detecting whether some "party in the middle" is modifying a set of test web pages, and the results of the tests are shown below. If you do not see a "change found" message below, then we did not detect any modifications to the test pages. For more information on how the tests work, see below."

    It should demonstrate if your browser request has been intercepted. I can't check, I'm in the wrong country

  58. yellowperil

    Next type of malware

    Now the REALLY SCARY PART....... whats the chances the next type of malware will delete your optout cookies (LMAO WTF)......

  59. Julian Smart

    Re: The conflict of interest issue - our response

    It's good to see engagement from a central figure in the controversy on these comment pages - a refreshing change from watching the PR drones on various forums! We have probably been a bit hard on Simon Davies and I totally sympathise with the frustration of not seeing financial reward for good works. As an open source software developer I and my colleagues are in a similar position - people like the product, but don't see the necessity of paying, when it's voluntary. Privacy is even less tangible than software so it must be far more difficult to fund.

    Although the 80/20 report is about a specific issue of fact and so technically there may be no conflict of interest, I guess the problem here is the overall perception. When the BBC finally reported the story, the emphasis was on the quotation repeated on 80/20's web site: "We were impressed with the effort that had been put into minimising the collection of personal information." The tone was up-beat and in Phorm's favour, so the public comes away with the interpretation "privacy experts are impressed with Phorm, so we can all relax".

    It may not be 80/20's fault that complex issues are simplified (combined with Phorm's massaging of the facts) but it still seems a bit like giving a glowing report to a terrorist's humane killing methods. I may be naive but I would expect a privacy expert to question the sanity of allowing this kind of profiling in the first place, especially given that it could never be adequately audited.

  60. Anonymous Coward
    Thumb Down

    What part dont u undertand

    independent software expert = Someone we pay

    What part of DO NOT WANT dont you understand???

    Perhaps when all your customer move and your ISP shuts it doors is all you will undertand. Do you honestly think every geek will recomend you to their friends and family.. hahhahahahah

    No dont use them they spy on everything you do. is all they will say.

  61. Anonymous Coward

    @Well VirginMedia......

    I used Wireshark to intercept all my packets going in/out my internet connection. Also have a cookie on my PC which everytime I delete is back 10 minutes later even with no browsing. I have rebuilt my PC and have a Virus and Spybot scanner installed to so no trojans "yet"

    Another cookie I found which also has a so called "opt-out" cookie that needs installing is the one in your cookie folder called (Yes this is a tracking cookie and this one too keeps coming back)

    Oh yes, i use IE7. Yes I know its hopeless but it works.

  62. Michael

    Cold calling by BT

    I was cold called by BT last night (although I'm on whatever list that says I don't want to be called). Caller wanted to know if I'd like to switch to BT. I told the caller that I wouldn't because of the Phorm issue and pointed him to El Reg. Hit them in the £££££.

  63. colin stone

    @Has anyone contacted BBC Watchdog yet?

    Yes I did 3 weeks ago.

    They phoned on Friday , invited me to London to an interview on Saterday (I could not do it at short notice).

    The implication was they would be running the story on the following Monday.

    Well we know the BBC loves Phorm, loves the spin and publishes Phorm Press statements cut and paste as news. So maybe higher powers and PR changed there minds.

    I am glad I did not do the interview now.

  64. Anonymous Coward
    Anonymous Coward

    We need samples of HTTP traffic and source!

    There are many unanswered questions about how Phorm works now. If you have the opportunity to test it, PLEASE do so. It would be exceptionally helpful if someone could post captures and page/include source somewhere for others to look at. Being sure to XXX out things that may identify them of course. Be sure to look at behavior on:

    A Non-well-known uber simple page unlikely to be targeted by advertisers.

    A well-known page likely to be targeted by advertisers (I'd say travel related)

    A page that displays OIX ads. I've heard The Guardian and MySpace mentioned.

  65. Anonymous Coward
    Anonymous Coward

    A few comments:

    1) I believe Mr. Davies as a "come to Jesus" moment in front of him and he needs to be very careful of the decision he makes. Either he is acting as a transparent shill for Phorm or he's a privacy advocate. Either or, one or the other but obviously not both.

    2) In response to:"Phorm PR Team have stated that an independent review of their software is being considered if it can be done without compromising their intellectual property...that could be interesting then."

    This statement actually brought a tear to my eye as Phorm is worried about protecting their intellectual property by pissing all over our right to privacy.

    While I am a flaming capitalist (yes, greed is good), a persons, a business or any non-government (excluding military) agency is entitled to the protection of the law, concerning privacy.

    As it has been said countless times, Phorm's technology is comparable to tapping a telephone, but only recording specific words or phrases. Regardless of what their intent, it is still obtaining information without the expressed consent of the individual.

    If an individual is dumb enough to opt-in, whose to say that someone couldn't identify Phorm's cookie on a user machine and possibly glean information out of Phorm's system, assuming they have compromised it?

    Sorry, I don't buy it.

  66. Campbell

    @Dazed and Confused

    Totally agree with you.

    I sure as hell DO NOT want ads servered to me. I DO NOT want any of the shite they are peddling anyway.

    Besides I'd be really pissed off if a service I was PAYING for inundates me with ads for shite I DO NOT WANT

    As dervheid says, What part of DO NOT WANT do they find difficult to understand.

    Russian Spyware is Russian spyware REGARDLESS of how it's dressed up and a court order should served to allow scrutiny of Privacy International and Simon Davies bank accounts. This is the dark side of privacy and what pisses me off about it is it's probably why those like Davies scream so loudly about privacy, so NO-ONE can see the shady, underhanded, maybe even illegal, deals that they get up to.

    Tell me, am I right or am I just being cynical?

  67. Anonymous Coward

    Re: You can check if your browser has the necessary

    Using VM in North London (VMs network is segmented into at least 3 distinct parts however) and it seems this web page: is not altered in transmission:

    "You're safe! If you are seeing this text, then this page has arrived at your browser without modification. "

    But then again what's to stop Phorm: a) putting a check somewhere not to alter pages downloaded from those servers or b) not having implemented the web altering part c) just having nothing worth altering on that site (no adds)

    Also came across this link on that page:

  68. Anonymous Coward
    Anonymous Coward

    More scumware?

    I've heard that this is a similar type of technolgy to Phorms sack of cack - and they are coming to the UK.

    I spoke to someone at Virgin and APPARRENTLY they aren't trialling it at present. If it goes live with an opt-out cookie, I'm gone.

  69. Steve

    Phorm, BT, Virgin etc... the matter is very simple!

    I don't want my web traffic read by your machines.

    You have no right to read it without a court order.

    Therefore, don't read it!

  70. Barbara Moore

    @Well VirginMedia......

    A cookie coming back - sounds like something has hijacked you.

    To test if it is your ISP or your computer, download FireFox, Safari and SeaMonkey.

    Visit a few of your usual sites and then check cookies.

    As it is unlikely that SeaMonkey or Safari will be in the 'approved list of browsers' to be hijacked, you many notice a difference.

    If necessary, play with the SeaMonkey security setting until the cookie stops coming back. Remember to close the browser between tests: you may need a reboot if the worm is living in memory.

    Let us know your results, everyone needs something real to start working on. I personally like the idea of installing on every page of my site the tripwire offered at

    Time for all webmasters to have a way of warning our visitors that they have a problem. And pointing out that users do not have the right to access the site if their ISP is harvesting the content for financial gain. A good, legal, terms of use statement sounds in order.

  71. Oliver Freeman

    @simon davies

    Simon, may I first thank you for your frank and thorough response to the issues that I and others have raised.

    On the issue of a conflict of interest, I think we may need to respectfully agree to disagree. Having said that let me be clear. I dont doubt that your intentions and motives in this issue have been well intentioned. I also have no problem with you trying to earn an honest living from all your hard work in the privacy rights arena over the years.

    What I do have a problem with, however, is your involvement with Phorm. This company has a very shady past (under its previous incarnation as 121media) with roots in spyware and rootkits. To use an analogy, while acknowledging that often ex-poachers make the best game-keepers, I can see no shred of evidence showing that this is the sort of situation we are dealing with here with regards to Phorm. Phorm, in my opinion and many others, represents a huge threat to our privacy rights, not to mention being possibly illegal under RIPA, and no amount of fancy PR and spinning is going to change that perception.

    In order to clarify matters could you answer some questions for those of us who would value your opinions and continued participation in this debate:

    Precisely when did you became aware of Phorms previous involvement (as 121media and peopleonpage) in rootkits and spyware? [Please note that despite Phorms claim to the contrary peopleonpage was NOT adware. Many security companies rightly categorised it as spyware/malware and it caused thousands of people countless hours of frustration trying to get rid of it (thankfully I wasnt one of them).]

    Have you discussed this history with Kent Ertegrul and other Phorm company directors? If so, can you give us any reason why we should now trust Phorm to follow through on its promises and reassurances? What are your thoughts on whether Phorm transgresses the RIPA act? What advice did you give to the FIPR before they issued their open letter to the Information Commissioners Office?

    On a final note I would like to thank you for releasing the 80/20 report to the media.

  72. SImon Hobson Bronze badge

    Re: You can check if your browser has the necessary

    That will NOT detect this intrusion. It will detect ISPs that modify pages (eg by adding banner ads), but it won't tell you if the ISP has intercepted the page, read it's contents, and then passed it to you unmodified.

    As in response to the very first post (Why I use OpenDNS), that will not help you one bit - the ISP will still see and intercept your traffic, it doesn't need you to use their DNS.

  73. Sam
    Thumb Up

    @ AC

    Ok, got Wireshark, what am I looking for? (VM customer)

  74. Simon Davies

    Simon's response

    Oliver, thank you for your comments. I'll do my best to respond.

    As I mentioned to Chris Williams of the Register, we did not initially make the connection between Phorm and People on Page. I checked out the histories of all the Phorm Directors and key staff, but failed to spot the PoP issue. This was complicated by reporting that 121 Media had become a unit of a new holding company (Phorm) - effectively making it a merger, rather than merely a name change, as has recently been claimed

    Even so - and again, as I've also told the Register - I'm not entirely sure that we'd have walked away even if we had made the connection between the two. Five years ago we made conscious decision to lay down our guns and engage directly with Microsoft (which was, remember, the evil empire back then). Now, five years later, even Microsoft publicly acknowledges that our carrot and stick approach has been of enormous value in re-positioning the company's approach to privacy.

    Interestingly, it was not until a couple of weeks after the Phorm announcement in the press that people became aware of the 121 Media connection. As far as I can see, one of Phorm's competitors tipped off the mainstream press and that's how the wave started to break. It's also where I heard it first.

    And yes, I've engaged Phorm over all this. Why should they now be trusted? Well, I'd question whether we should trust "any" organisation dealing with personal data. It's more a case of whether you believe that their business is sustainable the way they originally planned it. Right at the moment the opt-in model appears to be more viable at a number of levels.

    As for FIPR, I never saw its complaint as relevant to our scope with Phorm and so didn't advise on their complaint. I can't say one way or the other whether the ISP's would be in breach of RIPA. Much depends on how they move forward from this point.

    Simon Davies

  75. mixbsd

    New term

    Whorm [pronounced 'hawrm']

    noun: a privacy advocate who sells himself to a spyware/adware/malware monger.

  76. Bobby

    Gone fishing...

    Hey why don't we all download 'Hotbar' it has the same phishing filter Phorm will deploy on us, oh did somebody say Hotbar is Phorm? haaaaaaaa..

    Only a fool would believe all this ingenious Phorm Webwise software was written from scratch in the few weeks since closing 121media..

  77. Anonymous Coward

    Don't blame Simon Davies, Its the ISP, its the ISP, its the...

    It is the ISPs who are potentially selling us down the river, by intercepting our communications and selling our details to - who knows to who? Whatever diligence they may or may not have applied to their assessment of Phorm or any other of the similar vendors, it was clearly insufficient to overcome their corporate greed. We have seen how adept the spyware scumbag's PR machine is at pulling the wool over the eyes of Davies, the BBC, Investors and most of the non-tech media. But the ISPs are the real villains of the piece, and they seem to be content to let Phorm take the flak while they lie low and see if the storm blows over. If Phorm goes down the drain, regrettably there are plenty of others ready to take its place. Tempting and satisfying though it may be to hurl abuse at Ertegrul and co, this will NOT solve the problem. We need to get the principle established in law, be that RIPA or whatever, that the ISP is not entitled to intercept our TCP stream for the purposes of advertising, without an explicit opt-in.

  78. Oliver Freeman

    To Simon Davies

    Once again thank you for your response. I appreciate you taking the time to answer the questions I put to you. I feel I can understand more clearly exactly where you are coming from on this issue.

    I am reassured that you seem to be supporting the opt-in model as the most viable option and I hope that this is reflected in your communications with Phorm. To be candid, although I am still passionately and vehemently against what Phorm is going to be doing, if they were to make this system truly opt-in only then I would tone down my opposition to them. For this to be the case, though, those who decide against opting in must have their data bypass all of phorms systems entirely.

    One thing that deeply concerns me is the fact that Phorm have stated that "research and debug logs" may be stored for up to 14 days on a seperate system. There has been virtually no information as to what data these logs may contain, whether this separate system will be within the ISP network or even whether they will remain in this country.

    The term "research" is the most worrying. Let us not forget that it was under the guise of research that the so-called anonmyised search terms of 600,000 people were released by AOL back in 2006 and the onsuing debacle where it took researchers only hours to track down people from the search data released.

    On a final note, having read what you have said regarding FIPR and your not having advised them on their complaint to the Information Commisioners Office, I feel I might have been hasty accusing you of a conflict of interest.

    On a different, slightly facetious note, some of us believe Microsoft to STILL be an evil empire but thats a whole other issue *grin*

  79. Anonymous Coward


    Seems it may not be the best time to be launching Phorm anyway, even on the great unwashed. They seem to fit the bill on all points of concern.

    If they can just be enlightened as to the similarities.

    Most likely outcome of all this will be the majors providing the Innit-net, with 24hr Burberry and White Lightning ads, to those that don't see this as the thin edge of a particularly crappy wedge. And the smaller, somehow more civilised providers, catering for the discerning stroller of strange, unprofiled climes.

    MACs -check, list of principled ISPs -check. Taxi!

  80. Mr Anonymous

    Phorm: As you browse, we’re able to categorize all of your Internet actions

    “As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”

  81. Alex

    ICO says "Hello Dummies!"

    look at this, tell me I'm not seeing things:

    "UK consumers wake up to privacy"


    For a copy of the ‘Data Protection Guide for Dummies’ please go to

    Our data protection rights

    • An organisation should tell you what it is going to do with your information before you provide any details unless this is obvious

    • Your information should only be used for the reason it was collected in the first place (unless you give your consent to your information being used in other ways)

    • An organisation should not collect any information which is unnecessary. You only need to provide the basic information which is required to deliver the service required

    • Your information should be kept accurate and up to date – if you ask any organisation to make changes to your details, it should do this

    • An organisation should not keep your details if they are no longer needed

    • An organisation must provide you with copies of all information held on you - if you ask. You can also ask an organisation to stop using your personal information if it is causing you damage or distress or if you wish to stop it being used for marketing purposes.

    • An organisation must keep your personal information secure at all times

    • An organisation should not transfer your personal details to another country unless adequate data protection arrangements are in place.

    and then it goes on to say....

    David Smith said: “For any of us to have trust in an organisation we must be confident that our information is held securely and processed in line with data protection rules. If we all regularly start to ask the right questions then organisations will respond to public demand and take the protection of our personal information more seriously. If organisations fail to recognise the importance of data protection they not only risk losing business. They could also face action from the ICO.”

    ..astonishing! does that mean the snakes are dead??

  82. Anonymous Coward

    There once...

    There once was a scoundrel called Kent

    Who stole data wherever he went.

    Simon says, "I'm impressed!

    You pimp only the best

    Of our bits. I wonder where the rest of it's sent..."

  83. Slaine

    Dear Simon Davis

    "Phorm liaised with the Home Office to assess whether its system could infringe the UK law that regulates communications surveillance. The Home Office concluded that Phorm's system is consistent with the Regulation of Investigatory Powers Act and does not intercept communications. While this conclusion is a fair interpretation of Phorm and the system's capabilities, communications monitoring still takes place. Even if the Home Office's conclusions were appropriate and relevant, it would mean that if an ISP or any government wished to conduct similar monitoring of communications for segmentation purposes, albeit with consent of the user, then they may indeed do so and yet still be compliant with UK law. This could indeed give rise to a worrying situation."

    It has !!!

    ...and thank you, sincerely, for taking time and effort to join us here. Wait-a-minute.... you say the HOME OFFICE sanctioned this ?... oh, that's ok, they're an arm of government. We enlightened ones don't expect them to get ANYTHING right.

    Truth is, the cat's out of the bag now ... we know what was done last Summer... We know that we were lied to by "certain ISPs"... We know that 20 gallons of spin have failed to smooth the waters... there is now no way to resolve this issue.

    PS - I can't afford to donate anything, I live in the UK and I don't whore out my integrity or other peoples security, livelihoods or data for cash.

  84. Anonymous Coward
    IT Angle

    isnt it funny that a company that self praises cannot even secure a simple apache server?

This topic is closed for new posts.

Other stories you might like