back to article MPs pile pressure on ISPs over Phorm

Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm's secret trial of Phorm's advertising technology last summer. Meanwhile William Hague, the Conservative's shadow foreign secretary, has written to the Department for Business …

COMMENTS

This topic is closed for new posts.
  1. Peter White
    Happy

    at last some action

    POWER TO THE PEOPLE,

    questions in parliment, surely something has got to happen now

    people,keep emailing the mp to ask how they would like emails to and from constituants being intercepted, and how can conversations be classed as private

  2. Anonymous Coward
    Alert

    Do not want Phorm at all!!!

    I won't stay with any ISP that runs Phorm / WebWise, irrespective of whether they offer opt-in *or* opt-out.

    Given Phorm's history (as 121Media) I wouldn't trust them not to profile my data even if I *was* opted out. The only way to be sure you're not being spied on by Phorm is to use an ISP that has nothing to do with them.

  3. Anonymous Coward
    Anonymous Coward

    bloody hell

    Politicians acting on our behalf in a clear and obvious way?! What is the world coming to?

  4. Tom Chiverton Silver badge
    Stop

    opt-in not enough

    "when the nationwide Phorm system goes live it is on an opt-in only basis"

    It must not be just 'opt-in' as BT will just alter the small print in the T+Cs and opt everyone in that way. Or call it 'webwise advert spam buster' and opt-in people based on that misinformation.

    Any 'opt-in' (assuming for the moment the system is legal, any ISP wants to touch it with a barge pole and Phorm isn't bankrupt) must be based on fully informed ('we will know everything you read, including web based email and forums, personal details included') explicit consent.

    Tom, who's ISP is Zen, who have said they will never have anything to do with anything like this. Switch from BT now !

  5. Tom Chiverton Silver badge

    Politicians acting on our behalf in a clear and obvious way

    @Dave: It's almost as if local elections are just around the corner, innit :-)

  6. Tony W

    Action not words

    I just hope all those complaining have written to their MP. I have to mine. What about you? Get the email address of your MP from

    http://www.parliament.uk/directories/hciolists/alms.cfm

  7. Anonymous Coward
    Thumb Up

    Doodle Paper Anyone ?

    I've got some Phorm share certificates if anyone wants them ?

  8. Paul Louth
    Pirate

    Too late

    I've already left Virgin. I would encourage everyone else to just sack off any organisation that thinks it can opt it's customers into any scheme without their consent.

  9. Alan Parsons
    Thumb Up

    Contact MPs

    Written to MP, Tobias Ellwood, asking that he support his colleague fully in persuing this matter..

    Now to check on the share price again.. :)

  10. 3x2

    Pressure?

    While it is good that some MP's think this is something to ask questions about it's hardly the rush to defend constituents that some of us had hoped for. You might have thought that a proposal to wire-tap millions of their voting constituents (so close to an election) might have generated a bit more interest in The House.

    <...>The relationship between Internet Service Providers and their customers is based on trust.<...>

    Based on what now? To me at least "opt-in" "opt-out" is irrelevant - I don't trust my ISP to honour my choice. They have clearly demonstrated what depths they will sink to for an additional revenue stream.

    What I want to see from MP's is a closing of whatever loop-hole allowed Phorm and the ISP's to get this far.

  11. Peter White

    update required to earlyday motion

    the earlyday motion needs to add that opted out traffic is not passed via the profilers as well, not just it is an opt in to web wise

  12. Anonymous Coward
    Thumb Down

    the steam was taken from my sales.

    @Tom... I was just about to launch into joyous rapture that the bunch of muppets in the palace of westminister in london actually listened to the people in between signing themselves cheques and burying the country, then you reminded me.

    I received the "how to vote by post in the upcoming local elections" last week and it all sadly falls into place.

    Still power to the people in that phorm at least has 600+ overpaid losers now talking about it...

    Joy!

  13. Andy ORourke
    Thumb Up

    Written to mine

    Used the link on the other page:

    http://www.writetothem.com/

    I am glad to be moving house soon, I will certainly be moving my ISP (BT) since I dont feel I can trust them not to use this. I really dont think they understand, its not just about the advertising or webwise it is the underhanded interception of your requests, even if you are opted out that makes me angry about this "technology"

    Anyone been watching the Phorm share price? Phuckin Phunny reading

  14. Tim Blair
    Thumb Up

    encription?

    Why not use encryption to connect to an anonymous server in somewhere like Canada? I've managed to shift some data traffic already and I think phourm/spyware would have a hell of a time getting at my data.

    any "big brains" out there who could give us tips on encrypting ALL data traffic?

  15. Eddie
    Alert

    It may be that...

    ...the polititians are realising that if, e.g. they or their staff do web-based research on issues raised by their consitituents, the subjects that they are browsing will be patternised. Okay, there are assurances that the data is fully anonymised, but again, maybe the MPs are realising that it's a square circle that an anonymous system can provide personalised, sorry, /relavent/ advertising.

    Then again, who knows. They may have read the promotional bulls^w literature from Phorm and realised that it is bullshit. Hell, they may be raising issues that their constituents have raised with them, but I haven't seen Satan checking out snow-goggles and skis, so I doubt that's happened.

    Who knows, other than the MPs themselves.

  16. Arthur

    i thinks it's needed

    as most isps buy bandwith from bt, with the large increase in internet traffic seen over the last few years they need a better way of making money. this can either be passed directly onto the consumer in increased fees or indirectly with schemes such as phorm, i think we're going to have to accept one or the other and there will be kicking and screaming with either option! that doesn't mean that it should be underhand though

  17. Elmer Phud
    Pirate

    Net Nanny

    Easy to 'investigate' game playing habits but serious stuff like personal intrusion isn't important. Until, that is, the baying hounds affect the share price -- then they start to take notice. Dunno what HM gov. has to do with any of this, seems like the City runs the show.

  18. The Other Steve
    Happy

    In grudging defence of the pols

    While it doesn't _look_ like a storm, there are plenty of other MPs not mentioned here doing similar things. Mine wrote a letter to Tony McNulty at the home office, asking him to explain what the HO thinks it doing issuing legal advice, particularly advice that seems to be in conflict with everyone else's interpretation of RIPA, and raising various other issues.

    And since there's now an early day motion, other MPs who have correspondence in their in trays will probably get involved as well. I know lots of folk have written to their MPs, MEPs and various Lords.

    It could well be that we're only seeing the tip of the iceberg (or the first snowball of the avalanche, if you like). And in any case, just the spectre of having this all dragged through the house (and therefore back into the media again) might be enough for the ISPs to realise, finally, that they've crossed a line.

    The fact that they've bothered to take notice _at all_ while they're in the middle of so many other wrangles indicates that they are taking it seriously. This should scare the pants of Kent Spunkbubble and his crew of PR pixies, who keep trying to convince us that only a fringe of paranoid and unreasonable techies give a toss.

    The opt-in thing in the motion is a bit of a bummer, but these aren't technical people, and besides, even if it does somehow amazingly turn out to be legal after all, and they go ahead, but only with an 'opt-in', it will be worth zero to them, because no one will want it. Without mass opt-in, Phorm is worthless. Access to millions of users is tied into their core value proposition as a business (lets face it, the profiling tech isn't actually very impressive in itself). The early day motion doesn't go as far as we'd like, for sure, but if it passes, it's still a coffin nail.

    Blimey, never thought I'd write anything in defence of politicians ! Think I need to go for a lie down now.

  19. Paul

    Written to my MP as well

    Got a response back in less than a week, also showing me a letter he sent to the Secritary (sic!) for the Department for Business, Employment and Regulatory Reform asking why this system was being allowed to go ahead.

    Don't think I'll get a reply mind you, but at least they've started something.

  20. RW
    Unhappy

    "BT's integrity questioned"

    No question about it: they have none at all.

    Just like every other corporation, or so it seems.

  21. Peter White
    Flame

    share prices

    just looked at phorm, bt and vm share prices, all seem to be heading for the floor over the last month since the unrest started :-)

    trouble is, the bright ones will wait til it is realy low then buy bt and vm shares and wait for the announcement they have canned phorm and make a killing when it rises again (they hope)

    is it the pessants revolting or the revolting pessants???? depends which side of the fence you are on

  22. Anonymous Coward
    Flame

    Realities

    @ Arthur.

    Fact is the UK data prices are over inflated anyhow. I agree that people need to accept that the stupid low priced bundles offered by some misguided operators isnt sustainable as a quality service and that they either have to accept lousy speeds and tiny bandwidth allowances, or pay a realistic price. This shouldn't be used as an excuse to allow this parasitic spyware to be spread throughout the communcations network in the UK.

    Its scary that the honourable member seems to be unaware of either the history of the former spyware operator, or the fact that anti phishing software is incorporated in many browsers now, and that many of us wouldnt trust a "poacher turned gamekeeper". Phorm gives nothign to the consumer that isnt already out there, but takes a lot in return, most of the details of your web activity in fact. You have to wonder why they chose to start this in the UK, the roots of this spyware are shared between the USA and Russia

  23. Anonymous Coward
    Alien

    oh really...

    ...and where were these "saviours of privacy and human rights" when the actual fight was raging? Yes, too busy hoping to sneak the system through so they could benefit from it. Fucking hypocrits.

  24. Anonymous Coward
    Paris Hilton

    BT? Integrity?!

    "A secret test would seriously threaten that relationship and undermine BT’s integrity."

    BT? Integrity?!

    It had none in my eyes, long before this Phorm business came along and has certainly not covered itself in glory since. All this has farce has done is convince me even more to have as little as possible to do with that wretched company.

    They have even managed to overtake FastHosts and South West Trains in my 'first against the wall come the revolution, comrade' league table... and that's saying something.

    Paris, as even she has more integrity...

  25. The Other Steve

    RE: oh really...

    "and where were these "saviours of privacy and human rights" when the actual fight was raging?"

    The fight is _still_ raging. This is far from over.

    "Yes, too busy hoping to sneak the system through so they could benefit from it."

    PPOSTFU

  26. Anonymous Coward
    Stop

    Opt-in not enough & Phorm Cookie based opt-in is TOTALLY UNACCEPTABLE!

    Opting-in MUST require explicit informed consent, and should be done at the account level, with the account holder required to authenticate themselves first to prove their identity.

    Unless an account holder chooses to opt-in none of their traffic should go anywhere near equipment supplied, maintained or specified by Phorm.

    The Phorm Cookie based opt-in / opt-out is totally unacceptable.

    As it stands, any website could opt a visitor back in without the visitors knowledge, simply by placing an image tag with the source pointing to the "a.Webwise.net" opt-in URL on their webpage

    <img width=1 height=1 src="http://a.webwise.net/services/OO?op=in">

    Visiting the webpage would remove the opted-out cookie and create an a.webwise.net cookie with a tracking UID.

  27. Anonymous Coward
    Thumb Up

    This inspired me to write to my MP again

    I wrote to my MP (George Young - Conservative) a second time after reading this article. His initial response was pathetic, apparently Phorm seems 'more of a nuisance than a threat' to him, but then again he perhaps didn't fully comprehend what the system does even though I thought I provided some pretty good wiretapping analogies.

    Anyway since he's a Tory he might take a bit more notice now William Hague is on board.

    You know, there just might be the possibility that Phorm (and anything like it) is never allowed to go ahead, though I suppose the opt-in scenario is more likely - I feel sorry for the sheep who will choose to opt-in once they see BTs marketting lies!

  28. Peter White

    best anology i can think of

    best anology for a MP,

    postman pat opening their snail mail, reading it and putting additional "relevant adverts" in then resealing it so they don't know and delivering it to the MP

    the first they realise something is wrong is when they open there bank statement and find it full of adverts for another bank

    good enough to get their attention???

  29. Anonymous Coward
    Paris Hilton

    RE Tim Blair and encription (Encryption)

    Yes it would be possible to defeat the system using something like a VPN or SSL tunnel to another machine living on a non Phorm infested network - and preferably in a different country.

    There are some people who offer such services but you will have to pay - bit like having another ISP on top of an ISP. It can work well for privacy with relatively little overhead (but it is still there - the overhead).

    Of course to do it right you would also direct this at another anonymous proxy that you had paid for by the notes in a (optionally brown [not Gordon]) envelope and not by credit card.

    Some of us do such things - not because we are doing anything illegal but simply because we can and it ensures anonimity.

    C

    Paris - because she likes belly dancing as well!

  30. Bobby
    Linux

    Amused to death.

    Firstly, we have not launched BT Webwise yet. (Thank god.) We do not have a single customer going through any third party servers. (Ah, so what is Phorm then?) We do expects to begin opt-in technical trials of the BT Webwise service shortly. (Strange comment as your mates said it started 2 weeks ago.)We will be inviting around 10,000 BT broadband customers to take part in the trial. (Invite or force it on them?)

    The trial invitation will be presented through a special web page that will appear when those customers start a web browsing session. (Ah yes, a pop-up we all love to get.) At this point, those customers invited can choose YES or NO. (Say no at your peril.) It is possible that you may not get invited. (Aww poor me.) In that case you won't get BT Webwise service. (Crying my eyes out.)

    Any roll out plans will be confirmed only after technical trials are completed. (Yeah if you can get around the law first.) Our website www.bt.com/webwise will notify you when the date for technical trials is confirmed. (Oh thank you, will you start spamming me then?)

    BT Webwise will always be offered as a fully informed choice. (More pop-ups you mean or spam mail?) Those customers who choose to opt out will not have their browsing information mirrored or profiled. (However we channel all your browsing through Phorm proxy who may have other plans.) No information is gathered, and therefore no information is forwarded to Phorm. (Either that is a change of policy or a direct lie.) Customers who opt out will not come into contact with any Phorm-managed equipment. (Yes that is a change if we can believe you.)

    There are 2 ways to opt out of BT Webwise. (But why opt out if I am not opted in?)

    1. Visit www.bt.com/webwise and click Switch Off. (Oh that sounds easy enough, switch off and that is the end of the matter.) Note that this will be activated only after the service is launched. (Oh so apart from trials you have already decided to launch the service?) This standard opt out method does depend on a cookie remaining on your machine indicating that you have opted out. (But I have opted out so why plant spyware cookies on my pc when I have clearly stated NO?) If you delete your cookies regularly, you will have to opt-out again each time you start a browsing session. (But I have already said NO to you and this would be called stalking or harassment?)

    2. If you delete cookies regularly and want to remain opted out, you can set all your browsers to block cookies from the domain www.webwise.net.

    When you block this domain, the service will opt you out permanently. (But this is technically too advanced for me, are Bt going to send an It guy to my house to do this free of charge?)

    You can use this option now and will then be opted out of BT Webwise. (Are you sending out this advice to all your customers?)

    I hope this email addresses your concerns regarding BT Webwise service. (Emmm! No! You deny the 3rd party proxy server called Phorm and you are asking me to interfere with my pc settings to block your constant pop-ups and you refuse to accept NO as meaning NO.)

    Please visit www.bt.com/webwise for up to date information on BT Webwise. (No I am not that interested in Webwise or pop-ups or spyware or tracking cookies and NO means NO.)

    Regards,

    BT Webwise Help Desk

  31. Alexander Hanff
    Black Helicopters

    The House has no Bollocks

    F*ck how BT's secret trials effects their trust relationship with customers. What the House (and the Home Office) should be concentrating on is the FACT that BT committed multiple (possibly millions) of criminal offences under RIPA by carrying out these secret trials in the first place. Every single interception they made in their secret trials (irrespective of what they did with it, whether it was anonymised or not) was a criminal breach of RIPA.

    It is now clear that the government is scared of big business, they have no balls and instead of prosecuting the bastards they say "Please don't do it again.".

    If I was to intercept an MPs communications how quick would I be slammed up without charge under anti terrorism laws? Don't worry that was a rhetorical question.

    The House has no Bollocks!

  32. Alex

    a small step in the right direction

    but I have no faith in EDM's they are just a talking point for MP's and act really as barometer to see what other MP's are thinking about.

    I'd love to see BT's response to the request though, I wonder if that will ever get made public?

  33. Anonymous Coward
    Thumb Up

    Reponse from my MP

    I wrote to my MP (James Plaskett, Lab, Warwick and Leamington Spa) and received this reply:

    "Thank you for your correspondence. I have read your comments carefully and noted your concerns.

    I have raised the matter with my ministerial colleagues at the Department for Business, Enterprise and Regulatory Reform on your behalf and will write to you again when I have a reply."

    No reply yet, but it's only been a week.

    The more people who write to their MPs, the more chance the dots will be joined up and something will get done.

  34. Anonymous Coward
    Thumb Down

    Response from Virgin

    After submitting several complaints via VM's online forms, I got this canned and patronising response (by post) from Andrea Hall, a member of the "Customer Concern" team. Either VM are still full-steam ahead on this, or the Customer Concern team is way out of touch with reality. The letter is obviously a cut-n-paste, the original text most likely Phorm-supplied:

    "Thank you for your letter received expressing your concerns about the recent speculation linking your Internet usage with 'Open Internet Exchange' and Phorm.

    We will soon be working with a company, Phorm, to provide some new online protection and ehhancement features for our broadband customers.

    Phorm is the company behind an innovative new system called Webwise. Webwise helps give you a safer online experience by helping you avoid scam emails or websites [but not companies like Phorm, ho ho!], as well as making your online experience more relevant through advertising that matches your areas of interest.

    Webwise has been designed from the ground up to protect our customers' privacy and anonymity. As the system only learns about topics of interest, it does this anonymously, ensuring their privacy is completely protected.

    * Neither the web addresses, nor search terms they use are stored. They are purely matched to an advertising topic and then discarded.

    * Webwise doesn't store their internet (IP) address or keep track of their browsing. The system or advertisers won't know who you are or the websites they've visitied [Yeah, but pair the unique WW tracking cookie up with cleartext containing your email address and details in web content and you are no longer anonymous to Phorm or your ISP]

    * No personally identifiable information such as email addresses, surnames, street addresses, or phone numbers are ever gathered.

    * No sensitive or personal financial information, such as credit card numbers, login IDs, passwords or bank account numbers are ever gathered.

    To reiterate, you won't be forced to use the system, and you will be given the choice to keep your internet experience exactly as it is now [Although you'll still go through the profiler!]. As we get closer to launch we'll explain how this will work.

    Webwise only replaces ads with more relevant ads, customers do no receive any more ads and certainly do not receive popups. <Some text here obscured>

    The customer's privacy is totally [ha!] protected, again to reiterate no personal information is collected and what we will track are search terms and URL's visited, this information is not traceable and is not kept or stored as unlike some other ad targeting technologies [Yes, we know you mean Google here, but we have a choice as to whether we decide to use Google or not. No choice with with an inline architecture like Phorm] that already exist and utilise customer data. In addition, whole rafts of industry bodies and privact experts have been engaged with regard to the implementation of 'Webwise' [but you don't say how many of them actually advised against it! Quite a few as far as I've seen].

    We will be as transparent and upfront [Ha ha!] with customers as we can; giving them every opportunity of not participating [Ha ha ha!] if that is what they want to do.

    We are of course aware there are a number of 'stories' being circulated [El Reg, that includes you, you swines!], a lot of what is being touted is ill informed [Yeah? Sure?].

    I hop this reassures over any concerns you may have and clarifies our position regarding this issue.

    Kind regards,

    Andrea Hall

    Customer Concern"

  35. Peter White
    Joke

    anyone noticed where http://bt.webwise.com is hosted ??

    so much for no data leaving BT's network

    see below

    bt.webwise.com (at fast hosts) then redirects you to webwise.bt.com (if i am reading it correct a server in HOUSTON???)

    does the BT core network extend to both of these sites??

    this is where you turn on and off webwise (phorm) and it puts the cookies on

    ???

    bt.webwise.com = [ 88.208.248.102 ]

    (Asked whois.godaddy.com:43 about webwise.com)

    Registrant:

    Phorm Inc

    Registered through: GoDaddy.com Inc. http://www.godaddy.com

    Domain Name: WEBWISE.COM

    Domain servers in listed order:

    NS1.PHORM.COM

    NS2.PHORM.COM

    For complete domain details go to:

    88.208.248.102 = [ server88-208-248-102.live-servers.net ]

    (Asked whois.ripe.net:43 about 88.208.248.102)

    inetnum: 88.208.248.0 - 88.208.248.255

    netname: FASTHOSTS-UK-NETWORK

    descr: UK's largest web hosting company based in Gloucester

    descr: England

    country: GB

    webwise.bt.com = [ 207.44.186.90 ]

    207.44.186.90 = [ ]

    (Asked whois.arin.net:43 about +207.44.186.90)

    OrgName: ThePlanet.com Internet Services Inc.

    OrgID: TPCM

    Address: 315 Capitol

    Address: Suite 205

    City: Houston

    StateProv: TX

    PostalCode: 77002

    Country: US

  36. Anonymous Coward
    Anonymous Coward

    it is good for the Post Ofiice Profits

    "best anology for a MP,

    postman pat opening their snail mail,"

    NO, the best anology is to tell them its like an' illegal wiretap'......

    oh wait, it IS an ILLEGAL WIRE TAP under RIPA, never mind.

    still this Phorm business and its many laws its braking must be good for the post offices registered post division.

    you have sent your Data Protection Act Notice registered latter to forbid your ISP from collecting,procesing,storeing or Exporting your personal data outside the very strict supply and billing.

    your DPA Notice to stop processing your personal data for targeted advertising.

    your registered latter to your MP outlining the UK copyright law on your keyboard input.

    your registered latter to your MEP outlining the EU copyright law on your keyboard input.

    etc,etc.....

  37. Anonymous Coward
    Anonymous Coward

    @Alex

    "AlexPosted Friday 28th March 2008 19:24 GMT but I have no faith in EDM's they are just a talking point for MP's and act really as barometer to see what other MP's are thinking about.

    I'd love to see BT's response to the request though, I wonder if that will ever get made public?"

    if the MPs are using web based EMail to talk to their BT mates in the executive offices, then the BT/Virgin Media's/etc the Phorm gifted deep-packet inspection equipment will be able to collect,profile sort and finally anonymise these emails and seel them to an interested advertiser or other interested party ;)

    or do Phorm and their ISPs just intend collecting, process and finally filtering out these MPs and high ranking executive web emails with any MPs name in them.

    perhaps the ISPs (Virgin Media contract for and carry a LOT of govt networks on their core cable network dont they ?)will just set aside special UBr's and plug these special peoples wired Broadband connections in to those instead and so not need to inPhorm them.

  38. Anonymous Coward
    Anonymous Coward

    Should we tell them

    (The MP's) That when they go to their private doctor all the records he asks for will be read and adverts for Viagra,sextoys etc will flood back.

    On a side note who is paying for the extra bandwidth because sending data to China /Texas ect is going to slow any connection .I aint paying extra for adverts i dont want .

  39. Anonymous Coward
    Anonymous Coward

    I don't get it...

    So how exactly will Phorm provide a more relevant browsing experience, aka ad's based on your browsing habits, without actually storing your browsing habits in a way which is identifiable within their system? Surely a contradictorily statement?

  40. Anonymous Coward
    Anonymous Coward

    Phorm,akin to your very own personal and yet invisable north korean minder

    it must be a girl thing, a very blond moment infact.

    you do know what “deep-packet inspection equipment” does dont you?

    you do know that your govt needs to get a court order to use its capabilitys?

    in the case of Phorm’s deep-packet inspection equipment, do you really trust them to not track every single one of your web based movements

    Phorms head tech man said they can do exactly this to a US news site. and their commercial patent that discribes all the things they intend going with their DPI kit backed that quote up 100%

    do you really want every single thing you do on your broadband line, collected,looked at ,sorted, select information that their interested in at the time picked out, then anonymised and sent to some interested buyer?

    perhaps you dont spend your money buying stuff online and so they cant ever see your payment details , not that they would use them OC after all, they clerly see every single key press you make in that website, but promise to throw away everything, after a set No. right!

    perhaps you think Phorm is wonderful, after all,who wouldnt want their own personal electronic guard, its like your personal minder ,seeing everything, and forgetting everything, except what you dont mind them remembering so they can make a few quid right.

    your “Phorm deep-packet inspection equipment” is akin to your very own personal and yet invisable north korean minder, arnt you just so lucky.

    and the Pr Phorm machine will be along any minute now, with a revamping of official propaganda ,just for you uk ans soon US girls and boys that theres nothing to see here , move along….

  41. peter

    RE: Encryption

    It doesn't work because with SSL or tunnels you have to set up a host authentication.

    This requires a clean line, you should set up the encryption without a man in the middle attack, otherwise all you are doing is handing a request to phorm and hoping nobody reads or stores the process and passes it on to your remote server.

    Otherwise all you are doing is talking to phorm who then read the line and pass it on to your proxy.

  42. Bill
    Pirate

    Passive resistance

    Wanted, an addon that watches phorm back:

    - IP address belonging to a phorm infected ISP -> visible warning in browser frame. Clicky link to web page explaining this.

    - Website serving up phorm ads -> visible warning this website is part of a spyware network. Clicky link as above. Ditto any website that tries to access a phorm cookie.

    - The ads themselves -> visibly marked as spyware, clicky link to explain.

    - It'd be good to add the sites of companies placing the ads into warning category too.

    i.e. The advertisers need to be warned off too. Its their money thats driving this thing.

  43. Anonymous Coward
    Black Helicopters

    @peter - Certificates are your friend

    A man-in-the-middle attack is what SSL certificates help you guard against. An SSL-based HTTPS connection will throw up warnings if a site's certificate cannot be authenticated using the SSL authority companies' (Verisign etc) public keys embedded in the browser.

    However, this would not stop a man-in-the-middle (e.g. ISP, Phorm) interception if they acted as an SSL proxy, forwarding your SSL traffic to the target server and, crucially, presenting your browser with their own valid signed* certificate.

    So, to be certain that your SSL connection is unmolested, you need to inspect the SSL certificate each time your browser presents you with a new one** (you can view the cert in most browsers by clicking the padlock icon that appears when you start an HTTPS connection) and make sure that it is a certificate that belongs to the target website you are connecting to, rather than a certificate that belongs to your ISP or Phorm.

    * A certificate may be signed by a trustworthy security authority organisation that your web browser knows about (e.g. Verisign etc), or it may be self-signed, in which case it's not worth anything from a security point of view. Your browser will warn you if it doesn't recognise the security authority organisation.

    ** Firefox (and probably other browsers) can prompt you every time a website requires a certificate, and this is a useful opportunity to inspect the certificate being offered and to check it belongs to the target website, rather than ISP or Phorm (or some other unexpected organisation!). In Firefox, Preferences->Advanced->Encryption->"Ask me every time"

  44. Peter White
    Joke

    come on phorm techies lets have a real tech seesion if you have the nerve

    phorm techies would you like to answer the list below (honestly) if you can, without resorting to spin and rubbish

    point by point would be good

    let me guess, there will be no response as you are to chicken (cluck cluck!!!) to answer with facts

    prove me wrong if you can !!!!

    peter white

    Let’s start with what appear to be facts

    • Both the profiler and the Phorm server sit in the ISP data centre, (this apparently enables the ISP to legitimately claim no data leaves there network)

    • The profiler is owned and run by the ISP (while this is correct, what isn’t made clear is that the code running on the profiler is supplied by Phorm and the ISP has no access to the source code, nor can they verify 100% what it is actually doing,)

    • Parts of the code for WebWise were written by a group of programmers in Russia, allegedly from a team that Kent Ertugrul used to create his “People on Page” spyware several years ago

    • Phorm are also in talks with Sky Broadband and Orange to push this product out to yet more users in the UK

    • Adverts will appear “in frame” and not as pop ups, so pop up blockers will not stop them

    • Part of the weighting as to which advert is displayed is the amount the advertiser is willing to pay, it is in effect an auction of advertising space which reduces the advertising relevance to which advertiser in a category is will to pay the most for your screen area. Look at Phorms website at http://www.phorm.com/oix/ad_networks.php to get the picture

    • Phorm Inc. was previously known as 121Media who were allegedly involved in adware / root kits before changing their name to Phorm Inc. and creating WebWise

    • The profiler has a list of webmail and other sites not to be profiled, BUT there are no tools to check if your favourite site is on this list or a means for webmasters to submit a site to be excluded from profiling

    • Phorm have remote access to both servers, for support and software upgrades (it is unclear if only on invite only or if it is full unrestricted access)

    • The code has not been independently verified to ensure it does ONLY what it says on the tin, Phorm are looking at this and will consider independent verification so long as it does not affect there intellectual property (fat chance and what happens if they change the code straight after ???)

    • The information commissioners office is talking to both Phorm and the ISP’s about how WebWise affects privacy and how this is being addressed, a response has not yet been posted

    • The foundation for information policy research have published an open letter ( available at http://www.fipr.org/080317icoletter.html )to the information commissioner office setting out exactly why they believe WebWise and Phorm is open to legal challenge under UK and European law, even down to section and paragraph level of the relevant acts they think it contravenes

    Let’s now look at what appear to be grey areas

    • Your pc is reduced to a random number in a cookie to protect privacy

    o Random numbers as AOL found out do not guarantee privacy

    o Phorm (we have to take their word for it) say the Phorm server can not recreate the link from the cookie to a user / IP ,

    o External websites which have the Phorm placeholder in can access the cookie, so how long before people start trading this information?

    o By using a cookie they can serve games adverts to your kids and DIY adverts to the adults,

    o if they just used IP addresses they would not get such granular stats

    so a cookie is better for their sales of advertising relevance not the user

    • WebWise / Phorm may be illegal under the data protection act

    • WebWise / Phorm may be illegal under the section 1 of RIPA as it is being argued it is in effect an illegal wire tap as both parties ( the user and webmaster of the website) need to give permission

    • Anti Virus and Anti Spyware companies are considering whether to flag the WebWise cookies for removal, AVG have announced they won’t Trend have said they are reviewing the option of removing it so long as it does not automatically opt the user in, others have not made public statements yet

    • (from phorms website, ISP FAQ page) http://www.phorm.com/about/faq.php?_faqs=10,11,12,13,14,15,16,17,18,19#isp

    o Q. How does the OIX use ISP data?

    o A. The OIX uses data from ISP pipes to upgrade the generic advertising on websites with more relevant ads. These ads will be viewed by that ISP's subscribers who are most likely to be looking for the advertised product or service based on keyword patterns in their browsing behaviour. (This seems to suggest that Phorm advert will replace some other advertisers adverts as well as sites with Phorm place holders)

    • How can the ISP’s claim to store no identifiable data when the system has to track you to be able track you to build a database of relevant sites and categories over the last 14 days and then serve you the relevant adverts, you are identified by a unique number and a cookie can be accessed by a website

    • BT (my ISP) always gives me a vague answer which is carefully worded about opted out traffic not being profiled, they will not give me a direct answer about “will my traffic pass through the profiler and can they guarantee it is not profiled but no adverts served” come on phorm or BT a straight answer please

    • Phorm and the ISP’s say the profiler ignores data with @ sign and strings of numbers over 3 digits long to prevent emails address and credit card details accidentally being profiled, but the security code on the back of a credit card is 3 digits long so could be profiled

    And finally questions for which there seems no answer at the moment

    • Virgin Media’s logo has vanished from the WebWise front page? (Have they had a change of heart due to public opinion??)

    • The list of items included and excluded from profiling seems to change depending on who you talk to at the ISP, a detailed list would be good

    • How does the system distinguish between web browsing and an application such as word or open office which has a internet explorer agent embedded

    • How often is the Phorm / profiler software updated or patched, who then checks on what has changed and verifies it still conforms to the relevant laws etc

    • Do Phorm still profile opted out traffic but just not server adverts, this would enable them to harvest information like common search words etc they could then sell to advertisers at a premium price

    • Is the traffic between the profiler and Phorm server encrypted, if it is even the ISP hosting the system can’t verify (even by packet sniffing) what data is transferred and therefore could not guarantee end user privacy.

    • Where is the value add of the Webwise anti phishing (which is what most ISP’s are using to persuade users to opt-in) it is a duplicate of internet explorer 7’s service, it is also a function of most if not all internet security packages, so I see no value add (smoke, mirrors and spin to confuse the customer)

    • Are the adverts stored on the Phorm server or does the Phorm server just redirect the users browser back out onto the web to pick the advert up from elsewhere

    • If the Phorm server does redirect the browser out to an external website to collect the advert there is the possibility for an advertiser or Phorm to externally make the connection between IP address, cookie and any other data to identify the user

    • If you block the cookie are you registered in the statistics as opted out? Or just not counted, thereby skewing the stats in Phorm’s favour when it comes to deciding if the trial was successful

    • Why is there no list of OIX customers so we can see the sort of companies we will be getting adverts from? Is it because they are not relevant to the UK Market? Are they companies that do not want to be publically linked to Phorm?

    • How are the ISP’s going to be paid, flat rate for allowing the service, number of adverts served, pay per click or a percentage of revenue generated. I realise this may be classed as commercial in confidence information but a general idea without the full commercial details would help

    • Research and debug logs are able to be held on a “different system” for up to 14 days, what information is in these logs and on what other server will they be held???

    • The data collected can not be accessed by the ISP, so how can they verify what data has been collected

    • If Phorm do not store personal data about people why do the have a dataprotectionofficer@phorm.com email address and offer to tell you what information they hold about you and the option to have inaccuracies corrected for a reasonable fee?

    One final question which is probably the most important of them all

    Kent Ertugrul no doubt still has contacts who are on the dark side of the web, the placing of the profiler and phorm servers directly in the data stream at the ISP’s data centre gives them a access to an absolute gold mine of information that all sorts of people would pay millions for. What is to stop a patch being temporarily applied to harvest the wrong information, encrypt it and send it off somewhere into cyberspace.

    joke alart as the jokers at phorm have not got the balls to answer honestly

  45. Anonymous Coward
    Anonymous Coward

    Russian Spy

    It is well known and admitted by Phorm that Russion programmers are involved with the Phorm creation / setup webwise etc. What are the security implications of Phorms black box sitting in BT exchanges and VM's broadband data stream. Of course the cold wars over - isn't it?

    Don't worry all you MP readers trying to get a handle on this. Phorms promised us total privacy and since these programmers are so talented that they can write root-kits that can be difficult to detect by security components, we can be assured they are putting all their coding talents into protecting our countries online private data conversations.

    Reassuring?

  46. Wayland Sothcott
    Pirate

    Phorm is a great benefit to consumers

    BT have broken the RIPA laws and admitted it. However the government is in favor of spying as long as it's done by responsible large organizations on individuals. This means a small retrospective change will be made to RIPA to allow these beneficial services.

    We will need a substantially larger level of outrage to actually get BT prosecuted and put a stop to Phorm. Anything large enough to actually make a difference would most probably be against anti-terror laws. We are ignored to an unbelievable extent. Then we are appeased by some tough sounding but ultimately lame actions. In two years time this will all be forgotten and ISPs will routinely spy on all traffic, by law.

    Finally we will hear how a rouge employee of Phorm has been harvesting credit cards and identities. It will always be an individual, not a corporate policy by Phorm. Someone has to be the patsy.

    There are ways round this, Tor for instance and encryption. But these will be outlawed and made inconvenient for mainstream websites. They won't be used by the majority of Sheeple.

  47. peter

    RE: Certificates are your friend

    Sorry, I typed SSL instead of SSH by mistake

    Setting up SSH host authentication for the first time phorm can just hand over their keys MITM style. Most people don't check the fingerprint using an out of band method like the postal mail or SSL pages, and the dedicated server providers don't offer the service. In theory I should record the initial value and check against the server itself.

  48. b166er

    BT's integrity questioned

    Splutter ROFL

    So GOV.UK wants in on the act? (there'll be no US data-mining without us being in on it)

    Isn't it time all computers ran an Onion router?

  49. Michael
    Black Helicopters

    I suspect..

    the MP's are weighing in on Phorm, just to make sure it dosent create a backlash against Cleanfeed.

  50. Anonymous Coward
    Thumb Up

    @Peter White

    Well done, it's nice to have everything in one place. Much appreciated.

  51. Andy Worth

    Re:Do not want Phorm at all!

    "Given Phorm's history (as 121Media) I wouldn't trust them not to profile my data even if I *was* opted out. The only way to be sure you're not being spied on by Phorm is to use an ISP that has nothing to do with them."

    Actually, the only way to be REALLY sure would be not to use the web at all, given their history in malware and hidden "bundled" installs.

    As long as it is specific opt-in (i.e. you have to physically tick the box yourself rather then forget to untick one that is left already ticked) then I don't see it as a problem. So few people will bother to opt-in that it'll die a death before very long.

  52. Sam
    Go

    Grey area

    "Finally we will hear how a * rouge * employee of Phorm has been harvesting credit cards and identities."

    If you mean they will be ground into a fine powder if I catch up with them, then it's nit a spooling mistook.

  53. Kieron McCann
    Thumb Down

    I Won't be voting for Kate Hoey MP

    Sent her a lengthy email explaining Phorm and my concerns over three weeks ago and have received no reply - nothing!

    She won't be getting my vote.

  54. Anonymous Coward
    Thumb Up

    Share price still falling and ePetition nears 10,000

    http://www.iii.co.uk/investment/detail%3Fcode%3Dcotn:PHRM.L&it%3Dle

    http://petitions.pm.gov.uk/ispphorm/

  55. Peter Lovatt
    Happy

    Virgin are weakening - keep up the pressure

    http://www.virginmedia.com/customers/webwise.php

    says

    We are currently at the early stages of working to deliver the Webwise solution and will be writing to you nearer the time to advise when the solution will be ‘switched on’ providing more detail of what this will mean to you. Given the benefits of Webwise, we’re pleased to be offering you this service and making your web experience safer and more relevant.

    BUT

    customer service have gone from quoting the above to

    "Ultimately customers will not be forced to use the system and will be able to keep their Internet experience just as it is now should they wish.

    To reiterate, no solution has yet been implemented and will not be until we are confident that it is compliant to do so, in accordance with Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

    "

    Quoting

    Helen At*****

    E-Contact Team

    29th March

    (She will know who she is, I respect her right to privacy, wonder if they will do the same for me)

  56. Anonymous Coward
    Joke

    Aren't these complainers just Google employees

    Go on, admit that you just want Google's adSense to be the monopoly on carefully targetted advertisiting on your screen.

  57. Chris Cheale

    BS

    ----

    as most isps buy bandwith from bt, with the large increase in internet traffic seen over the last few years they need a better way of making money. this can either be passed directly onto the consumer in increased fees...

    ----

    Bollocks, basically.

    ISPs are charged for data transfer in the same way that web hosting companies are charged for data transfer - it's exactly the same thing but in the other direction.

    That being the case VirginMedia charges me £25 a month - with fair usage and traffic shaping policies (300 meg in "primetime" before shaping) - and that's cable not DSL.

    My web host charges me on data transfer - a 2 gig limit a month, go over that and they just roll the additional charge over. Totally painless, totally simple - I pay for what I use (or rather what my visitors use). As long as I'm within 2 gigs a month this service costs me £15 a YEAR; 1/20th the price.

    The ONLY reason ISPs charge the amount they do per month is so that those of us who don't transfer a whole lot of data (don't use iTunes, BBC iPlayer nor transfer movies/music over p2p) subsidise those that do. About the most data intensive website I visit is YouTube, other than that it's software and games patches.

    Bring on price-per-gig billing, I could potentially save a fortune and not only that, it could get rid of all these crappy "fair use" policies and idiotic moneyspinning ideas like Phorm. If I was on DSL I'd just switch suppliers, but I'm not losing cable TV/Internet to switch to Freeview/DSL (I'm in a flat - satellite dishes are a no no).

    Oh, and it'd make the movie industry happy because p2p-ing movies would probably cost as much as buying the physical media; especially for older moves as you can pick them up for £3 - £5 in sales.

    @AC Response from Virgin

    I've got exactly the same letter in my inbox at home - so I sent a detailed reply about Phorm, the Data Protection Act, RIPA legislation and AOL's bungle with displaying search results (and how people were identifiable through that very limited amount of data - nothing like the amount Phorm will harvest).

    I had a phone call yesterday - unfortunately it was a customer care rep who was in over his head within the first 20 seconds - but he said he'd escalate it (we'll see).

  58. Anonymous Coward
    Anonymous Coward

    @Aren't these complainers just Google employees

    No, different thing altogether. It's not the ad serving (we can always block ads), it's the illegal interception that's bothering us. Just in case you hadn't worked it out.

    BTW my 2nd complaint to ISPA has just been made. BT still declined to reply to the first ISPA complaint or any made directly to them from me before that. BT are clearly worried.

  59. Peter White

    central resources

    what we need is a central location to keep all the issues, websites, email addresses and places to write to, to complain so we can maximise and co-ordiate everything against phorm, is anyone aware of a site or blog like this?

    we also need standard letters that list the issue we are complaining about to the relevant recipient of the complaint,

    one to each of the following

    ISP

    to register your position on phorm and specifically remove permission for them to profile your data or pass it via profiler

    info commisioner

    to register a complaint with regards to BT, VM, TT and Phorm potentially breaking RIPA and the DPA, even if the user opts in

    MP

    general complaint, plus info on their comms to constituants and researchers web activity being profiled if using one of the 3 ISP's etc

    home secretary

    as it involves BT's breach of RIPA last year during trails of webwise, and potential breaches of RIPA and DPA in the future, and possibly the national security implications of governmet officials web activities being profiled etc

    MEP

    as it could involve european law, in particular human rights act, as right to privacy would be infringed

    local press

    make more people aware of the potential issues

    bbc watchdog

    as local press but more national coverage

    have i missed anything??

  60. Peter White
    Stop

    important question

    does BT have any plans of rolling phorm out OR profiling the traffic of ISP's that buy web access from BT and resell it under their own brands

    if they were to do this by changing the T's & C's to the smaller ISP's would the smaller ISP then have to change their customer T's & C's or would it go through quietly until someone noticed?

    this seems to be a point that has been missed

  61. Peter White
    Stop

    phorm opt-in broken

    look at the link

    http://www.ispreview.co.uk/talk/showthread.php?p=199729

    it shows how a dubious website can opt you in without your knowledge, using standard cross site request forgery techniques

    so if you visit a site it can put an opt in cookie on your pc without your knowledge

    then it is down to whether webwise process the opt out or opt in cookie first

    hmm looking more dubious and less secure all the time

  62. fiddler

    What Early Day Motion?

    My MP can't locate Don Foster's reported Early Day Motion. Is he really tabling one, or is it another MP? Or have we been misinphormed?

    fiddler

  63. Chris Williams (Written by Reg staff)

    Re: What Early Day Motion?

    I have been told by his office that he intends to table the motion. Suggest you contact them for when it'll go on the books.

    - Chris

  64. fiddler

    Don Foster's EDM

    Thanks Chris.

    f

  65. Dave Howarth
    Go

    Don Foster's EDM

    Hi all,

    Don Foster's EDM has now been tabled and has the number 1311. Please get your MP to sign it.

    Thanks.

  66. Jimmy

    Washington Post article on Phorm type spying.

    Scumware companies like Phorm have been deploying similar technologies in the US using the same shameful tactics as BT. Testing without consent or knowledge of ISP customers, burying changes to T&Cs deep within the usual legalistic bullshit they use to cover their backsides. Obscuring so-called 'opt out' choices by making them hard to find. Spinning the same 'we know what you do, but we don't know who you are' fairytales as Phorm.

    Activists in the US are stirring into action using what is left of their constitutional rights to oppose this 'peeping tom' technology. Read more here:-

    http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html

This topic is closed for new posts.

Other stories you might like