Thursday, April 03, 2008

Did you have 'Phorm'?

Well, more than 18,000 of you (i.e. 18,000 accounts, with an unknown number of users behind them) did, BT customers to a man, woman and Bassett Hound. But you'll never know. BT didn't keep the records of who they subjected to this dubious privilege. (Ed notes: Well, unless you check your browser for Webwise[1] cookies.)

So the great Phorm saga continues with a significant presence on this morning's BBC Breakfast show, with quite a concentration of attention on the BT trial - was it legal? Was it moral? Did it work?

Kudos to the female presenter for giving the latest mendacious Phorm apologist, Emma Sanderson from BT, a hard time.  Fewer brownie points, however, to the reporter, Julia Caesar, for an unconvincing and inaccurate description of Phorm.  It doesn't merely record your search terms, I am afraid: it processes, analyses and records summaries of everything it can get its dirty mitts on (which is pretty much everything, folks).

Okay, so there is quite a lot we don't yet know about how this works, and I am really looking forward to Richard Clayton's report following the Open Rights Group's meeting with Phorm last week.

What do we know?
  • Phorm redirects your HTTP requests (apparently via some horrid proxy redirects[2] or some DNS chicanery[3]) and looks for a Webwise cookie.  If you don't have one, you get one (possibly not if you are a Talk-Talk customer).

  • It intercepts the returning web stream and, unless you have opted out, processes it to see into which of their advertising categories the page falls.  It then records this data against your cookie value.

  • If the target website is an OIX customer, you will get an ad inserted.  If you have not opted out, this will be based on your previous surfing history; if you are opted out, it will be randomly selected.
What are the concerns?
  • Phorm, themselves, have form - they used to be 121 Media Inc.  121 Media produced a product that placed ads on your system and, apparently, used rootkit techniques to stop it being easily removed.  They say 'adware', many say 'spyware'.  They say 'potatoe', many say 'potato'.

  • Phorm is inevitably processing personal data (it has no way of avoiding it) within the meaning of the First Principle of the Data Protection Act 1998, and must therefore satisfy one of the conditions in Schedule 2 of the Act.

  • Equally, Phorm cannot prevent itself from capturing, analysing and, therefore, processing sensitive personal data as defined in Section 2 of the Act, which brings in the stricter conditions of Schedule 3 (normally, explicit consent).

  • The interception of the HTTP stream is, itself, clearly in breach of Section 1(1)(b) of the Regulation of Investigatory Powers Act 2000 (see also s2(2)(b) for the definition of interception), unless BT (not Phorm: it is the ISP doing the intercepting, I suspect) has 'lawful authority'.  This is hard, especially as BT is a public telecommunications provider and therefore cannot use the exclusion in s1(6), which only covers private systems.  So how can this be legal?  There are two options, 

    • s3(1) - consent - which requires reasonable grounds to believe that both parties (browser and server) have consented.  There is also the concern that even if the subscriber consents in a contract, they cannot give the appropriate consent on behalf of anybody else who uses that connection (we, for example, have an old laptop in our guest room for visitors to use.)

    • s3(3) - interception that "takes place for purposes connected with the provision or operation of that service".  I'll let the lawyers argue about that one, but it certainly isn't clearly legal: it would be difficult to argue that the provision of adverts is a vital part of the service, though they may argue that the limited anti-phishing capability counts.

    We'll see how this one pans out in public and, hopefully not, in the courts.

  • Phorm claim that their stored data is not personally identifiable and have gone to significant trouble to get 80/20 Thinking (not Privacy International, although the staff lists are fairly congruent) to do a Privacy Impact Assessment.  The determining factor is whether anybody holds a list that associates the Phorm cookie identifier with an individual.  As Ben Laurie points out, this would be trivial for the ISP to do, especially with the Phorm monitoring kit already installed.
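As an added illustration, and not Phorm's or BT's code (nor based on any published detail of their system beyond what the two lists above say), the following Python toy model walks through the flow just described and the re-identification point in the last bullet: an in-line box plants a UID cookie via a redirect, categorises response bodies against a constructed keyword map, stores categories against the UID only, and serves either a behavioural or a random ad; `reidentify` then joins the box's own request log with a constructed ISP IP-assignment log to put a subscriber name to the "anonymous" UID. The cookie name, categories, partner site, IP addresses and every log row are invented for the example.

```python
# Toy model of an ISP-side behavioural-advertising interceptor: an added
# illustration, not Phorm's or BT's code. Cookie name, categories, partner
# sites and every log row below are constructed for the example.
import random
import sqlite3
from collections import Counter

UID_COOKIE = "webwise_uid"       # assumed cookie name
OIX_PARTNERS = {"news.example"}  # constructed ad-network member sites
CATEGORIES = {"mortgage": "finance", "loan": "finance",   # constructed
              "holiday": "travel", "flight": "travel", "diabetes": "health"}


class Interceptor:
    """In-line at the ISP: every request and response crosses it, opted out or not."""

    def __init__(self, seed=0):
        self.profiles = {}       # uid -> [(category, ts)]: the 'anonymous' store
        self.intercept_log = []  # (ts, client_ip, uid): what the box necessarily sees
        self.opted_out = set()   # uids that asked not to be profiled
        self._rng = random.Random(seed)
        self._next_uid = 1000

    def on_request(self, ts, client_ip, cookies):
        """Return (action, uid). No UID cookie -> a redirect that plants one;
        the client then retries carrying it, as a browser would."""
        uid = cookies.get(UID_COOKIE)
        action = "pass"
        if uid is None:
            uid = "uid-%d" % self._next_uid
            self._next_uid += 1
            cookies[UID_COOKIE] = uid
            action = "redirect"
        self.intercept_log.append((ts, client_ip, uid))
        return action, uid

    def on_response(self, uid, body, ts):
        """Categorise the body and record against the UID. Opt-out only
        suppresses this step; the body has still passed through the box."""
        if uid in self.opted_out:
            return set()
        cats = {c for word, c in CATEGORIES.items() if word in body.lower()}
        self.profiles.setdefault(uid, []).extend((c, ts) for c in sorted(cats))
        return cats

    def pick_ad(self, uid, host, ads):
        """ads maps category -> creative. Behavioural ad for a profiled, opted-in
        uid; a random one if opted out or unknown; nothing off partner sites."""
        if host not in OIX_PARTNERS:
            return None
        history = self.profiles.get(uid, [])
        if uid in self.opted_out or not history:
            return ads[self._rng.choice(sorted(ads))]
        top = Counter(c for c, _ in history).most_common(1)[0][0]
        return ads.get(top)


def reidentify(box, radius_log):
    """Join the box's own request log with the ISP's IP-assignment log
    (ts_start, ts_end, ip, subscriber) and return {subscriber: [categories]}."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE seen(ts INT, ip TEXT, uid TEXT);
        CREATE TABLE radius(ts_start INT, ts_end INT, ip TEXT, subscriber TEXT);
        CREATE TABLE profile(uid TEXT, category TEXT, ts INT);""")
    db.executemany("INSERT INTO seen VALUES (?,?,?)", box.intercept_log)
    db.executemany("INSERT INTO radius VALUES (?,?,?,?)", radius_log)
    db.executemany("INSERT INTO profile VALUES (?,?,?)",
                   [(u, c, t) for u, hist in box.profiles.items() for c, t in hist])
    rows = db.execute("""
        SELECT DISTINCT r.subscriber, p.category FROM seen s
        JOIN radius r ON r.ip = s.ip AND s.ts BETWEEN r.ts_start AND r.ts_end
        JOIN profile p ON p.uid = s.uid ORDER BY 1, 2""").fetchall()
    named = {}
    for subscriber, category in rows:
        named.setdefault(subscriber, []).append(category)
    return named


def run_demo():
    box = Interceptor(seed=1)
    ads = {"finance": "AD:loan", "travel": "AD:flights", "health": "AD:clinic"}
    # Constructed client A: no cookie yet, never opts out.
    a_cookies = {}
    action, a_uid = box.on_request(100, "10.0.0.5", a_cookies)
    box.on_response(a_uid, "Compare mortgage and loan rates", 101)
    a_ad = box.pick_ad(a_uid, "news.example", ads)
    # Constructed client B: opts out, yet still crosses the box and is logged.
    b_cookies = {}
    _, b_uid = box.on_request(150, "10.0.0.6", b_cookies)
    box.opted_out.add(b_uid)
    b_cats = box.on_response(b_uid, "Cheap flight and holiday deals", 150)
    b_ad = box.pick_ad(b_uid, "news.example", ads)
    # Constructed ISP session log: which subscriber held which IP, and when.
    radius = [(0, 1000, "10.0.0.5", "subscriber-A"), (0, 1000, "10.0.0.6", "subscriber-B")]
    return {"first_action": action, "a_uid": a_uid, "a_ad": a_ad, "b_cats": b_cats,
            "b_ad": b_ad, "logged_ips": sorted({ip for _, ip, _ in box.intercept_log}),
            "named": reidentify(box, radius)}
```

Two things the model makes concrete: the opted-out client still appears in the box's request log with its IP address, because the box has to look at every request to find the cookie at all; and the "random number, categories and timestamp" store is only anonymous until somebody with the ISP's session log runs the three-table join in `reidentify`, which needs nothing more than the timestamps and IPs the box already has.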

This is, I have to say, enough for me to consider changing ISP: if Virgin Media do implement Phorm, I will shift from cable to another broadband provider, probably for my phone service too. As well as LightBlueTouchPaper, for the forthcoming technical analysis, can I also recommend BadPhorm, for more background (and a list of ISPs who have pledged not to go near this mendacious spyware with the proverbial bargepole), and Dephormation, a Firefox plugin that will help you avoid damage iff (Ed notes: yes, that is not a spulling mistook) you end up subjected to Phorming.

Update: And this in from el-Reg.

1. As a (NTL / Blueyonder / Virgin Media / whoever it is today) customer, it is nice to see that their logo is no longer on the home page of this site.

2. See this /. comment.

3. But I, an ex-BT customer, run my own DNS servers. Would they still manage to capture my (and my family's) browsing? (If the interception is done in-line at the ISP rather than through DNS, running your own resolver would not help: the traffic still crosses their kit.)


Phorm Comms said...

Hi there
I work as part of the comms team on behalf of Phorm here in the UK. To respond to a couple of your points, firstly we have developed Webwise to protect users' privacy, delivering relevant ads without compromising on privacy online. As a result we do not record or process everything. In fact all that is stored is a random number, advertising categories and a timestamp - that is it. No personally identifying information. No IP addresses, no emails, no names. By comparison, search engines store your IP address, search queries and details for over a year, without even anonymising it.

It’s not correct that Webwise will intercept and analyse all data traffic. There’s a ton of information that we do not process from email (and webmail) to medical conditions, etc. We only use a small proportion of the data to match an ad to an anonymous web browser. We don’t know who you are or where you’ve been – we're only interested in showing you an ad for everyday products and services. And we’ve run various experts through our system to verify that we do not store any personally identifiable information, do not store IP addresses and do not retain browsing histories.

We certainly do not modify any pages or interfere with what a website wants you to see. Only if a website is one of our partners do we actually serve ads in the website’s usual ad slots.

Anyway, take a look at and for more info on how the service will work.

Surreptitious Evil said...

Dear "Phorm Comms",

Firstly, if you are part of a professional PR team (and I have worked with such in the past), you need to learn how to spell. You have the 'failing to answer the questions posed' stuff down pat, though.

Phorm processes personal data - you cannot stop yourself from "processing" - check the definitions in the DPA, sensitive personal data, without explicit permission. You do not need to 'store' to 'process' - even checking the data to see if it is sensitive is processing. Don't blame me - I didn't write the law.

Your system, although technically it is the ISP employing your kit not OIX, is intercepting data contrary to RIPA.

So that's 2 potential offences.

Also, the comparison to search engines is mendacious. I chose to go to a search engine - if I want to disclose personal or sensitive data in search terms, that's my choice. Phorm, on the other hand, is imposed by my ISP.

Believe it or not, as for your second last paragraph, I have actually read how OIX works. You may note my comment in the post: "If the target website is an OIX customer, you will get an add (sic) inserted". I have re-read my post and cannot see where I have said that you modify webpages? You do modify web page requests through your complex sequence of 307 redirects and stripping at the Layer 7 switch, but I didn't say that originally, not then having access to the detail.

Anonymous said...

Er... Hello Phorm Comms (PR) Team. You do spring up in the most unlikely of places LOL

Right, everyone reading this... Be aware that Kent Ertugrul (CEO of Phorm) is a plonker. Secondly, his Comms (cough... PR) Team are also not very clever people. They, the expert PR team, thought it would be ok to "edit out" true facts about Phorm on Wikipedia. This was spotted and changed back. The Phorm Comms (PR) Team admitted their very wrong act of trying to get rid of statements that were true about Phorm.

Now, of the 3 UK ISPs who Phorm claimed to have signed deals with, 1 quickly pulled out of the automatic "Opt In" which Phorm planned (that's Talk Talk/Carphone Warehouse). Another, Virgin Media, has recently announced, in a clarifying press release, that they are under no obligation to implement Phorm (but don't think that is the end of it with VM... we need to watch them).

The third ISP, BT, started a web forum for customers to ask questions. And they promised to give answers too. They did give answers, then they stopped giving answers! Then they closed the forum down. A new one was started. Naughty BT, they cannot silence the opposition to this.

Finally, and this is the juicy bit... BT ran a trial of Phorm technology in 2006, then another in 2007. Did they ask or tell their customers? No. They did it secretly.

What is Phorm? It's a way of listening in, on everything you do, on the internet. It's like the operator listening to every telephone call you make or receive. It's like Royal Mail, opening every letter and jotting down key points about you before they deliver the letter.

Phorm, previously 121Media, have a history of spyware/adware and a nasty way of hiding their software using something called a rootkit. Not nice.

And they are not nice. Kent is a nasty piece of work (go back and watch him on the BBC Click TV programme 3rd May... The interviewer did not make a joke about the temperature during the interview with Alexander Hoff for nothing)

Who is Alexander Hoff? Well, he wrote a paper about the legality (or maybe I should say "Illegality") of Phorm implementation.

You can read much more (there's A LOT) on the Cable Forum where this has been debated strongly. You'll even see the wonderful Phorm Comms Team in action (although they have given up there due to losing every argument with people that understand technology and the law!)

Remember please that whilst they may like to say you can "switch webwise off" that does not stop them being there - between you and the internet. It's like them intercepting your phone call but not listening whilst you've told them not to. Can you be sure they won't listen? They're there, in the middle - once they are there, you cannot actually get them out even if you tell them not to listen in (look up "Network Layer 7" if you want to understand that more)

And finally, although I strongly believe this will be found to be illegal, we need your support:

Over 12,000 people have signed the Downing Street Prime Minister Petition. Please join them.

Write to your MP, tell them you think that Phorm is wrong.

And head over to the Cable Forum, there's lots to learn about this. Please join us. We need to stop Phorm.

PS. Before anyone starts to argue with any of the above, I've heard all the arguments in favour of sitting back and doing nothing. None of them impress me. If you think Google is the same as Phorm for tracking your behaviour, for spying on you etc... Well, Google has its own issues, but it's not a patch on the loss of privacy you get if Phorm gets going.


Surreptitious Evil said...

You do spring up in the most unlikely of places LOL

Yes, seems to be yet another mockery of 'Do no harm'!

Be aware that Kent Ertugrul (CEO of Phorm) is a plonker.

Not the insult I would have chosen, really. 'Plonker' implies, under modern usage, harmless twit. I don't think Ertugrul is the latter and I am positive he isn't the former. If you want a reference from British TV comedy, I would suggest he is more Blackadder (the First or Third) than Rodney.

Secondly, his Comms (cough... PR) Team are also not very clever people.

This seems to have significant supporting evidence :)

(but don't think that is the end of it with VM... we need to watch them)

Like a fucking hawk, mate - as they're my ISP.

Who is Alexander Hoff? Well, he wrote a paper about the legality (or maybe I should say "Illegality") of Phorm implementation.

Thanks for this. I've been following things through FIPR, instead - the legal work by Nicholas Bohm and the technical by Richard Clayton. Will go off and read now.

Surreptitious Evil said...

Oh, a minor correction - it appears to be Alexander Hanff, rather than Hoff, and you can find his paper (pdf) here.

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.