Bob, the good folks at The Register have been covering this subject for a while. Here's a link to their round-up page: http://www.theregister.co.uk/2008/02/29/phorm_roundup/

Hi Bob

I'm part of the tech team at Phorm and we're really proud of our product so I just wanted to let you know a little bit more about us and contribute to the debate on your blog.

We have recently developed the Open Internet Exchange (OIX) and Webwise (www.webwise.com ) and we recently launched these initiatives with our ISP partners BT, TalkTalk and Virgin Media.

Everyone we have explained this to agrees with us that the OIX sets a new 'gold standard' on privacy and anonymity as it does not gather personally identifiable information, store IP addresses or retain user browsing histories.

We have been talking to businesses, regulators, and public policy audiences about this and they are really encouraged and positive about what a brilliant development this in terms of protecting privacy, including in the European Union, where these matters are greatly debated.

The technology that we have developed has established industry-leading standards regarding storage, retention and deletion of data, a fact which an audit by Ernst and Young confirms.

And, crucially, internet users can choose if they wish to be part of this service. Consumers are in control, as they can switch Webwise off or on as they choose.

OIX is also a breakthrough for advertisers and publishers as it harnesses anonymised ISP data to help advertisers reach their most valuable customer segments with unprecedented precision.

Webwise improves on-line security by alerting consumers to potential fraudulent sites as they browse, helping to protect them from online identity theft and reducing the possibility of on-line fraud. The Webwise service is free for subscribers of participating ISPs.

We believe, as do the ISPs, that this launch was a breakthrough in internet privacy for consumers and a fillip for the online advertising industry.

Do drop us a line if you'd like any further information.

Best wishes,

techteam

Hi again Bob,

http://www.newswireless.net/index.cfm/article/3779

Just wanted to draw your attention to what we feel is a really balanced piece on our technology and the role advertising plays in making the internet world go round -- for example a lot of the tech sites we like wouldn't be there without advertising to fund them.

The author, Wendy Grossman is a well respected blogger and journalist who has her own blog (www.netwars.com) and writes for The Guardian amongst others. She is known for her integrity and is on the Boards / an active member of a number of privacy advocacy bodies including Privacy International and the Open Rights Group. As you'll see from the piece, she doesn't give us an easy ride, but she does give us a fair one. Comments welcome.

All best,

techteam

Hey techteam,

I am a very concerned Virgin Media customer. On the face of it I find the very principle of this Phorm technology both intrusive and sinister. Having said that, I do like to keep an open mind. A couple of things really stand out though.

1). You are talking about how OIX sets a new 'Gold' standard on privacy and anonymity as it gathers no personally identifiable information. I class my computer as something that can identify me, I believe the technology works by intercepting HTTP requests, processing them, profiling the data, updating a cookie on the client machine. If you can get my data and then somehow send a reply to my machine how is this done without identifying either me or my machine ?

2). Would you care to explain how the 'Opt Out' works ? I suspect that by opt out what is really meant is that a machine will not be targeted with adverts. Can you really explain exactly how the opt out process works in a technical manner and not by just referencing the website you can go to to click 'opt out' as this explains nothing. Most importantly, if someone has decided to opt out, will any data what so ever be sent from the ISP network across to the Phorm network for any form of processing ?

These are examples that indicate how 'techies' like me are getting very concerned about this technology, a big part of that concern is that we feel the vast majority of the UK online population will have no idea that this is even happening, never mind even understand the concepts and concerns behind it.

As an indication of the concerns many people are feeling, you might want to review this online petition at the 10 Downing Street website regarding this very issue.

http://petitions.pm.gov.uk/ispphorm/

Ahoy, techteam,

What is your response to Spyblog's analysis that implies you may be breaking the law? Link:

http://p10.hostingprod.com/@spyblog.org.uk/blog/2008/03/surely_the_phorm_web_page_interception_scam_is_illegal.html

And if it's such a good idea why not make it "opt-in" instead of "opt-out" because people will be queuing around the block to sign up for it, won't they?

Bob, my sincerest apologies for hijacking your blog to deal with these people.

Hi Mark,

Thanks for your questions and your contribution to the debate. I'll answer your main points now and we'd be really happy to walk you through the system in detail either over the phone or in person.

1) It's important to understand there are two distinctly separate processes in the Phorm system: data capture and ad serving. The data capture system which you describe above only stores one item of information on your computer -- a random number. The random number is the only thing that distinguishes your browser from the millions of others on the internet. It does not contain any information about you or your computer. The only person able to make that connection is you, as you have that cookie in your browser.

As you browse your browsing behaviour is matched against pre-defined advertiser categories for everyday products eg travel or sport.

No urls, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- by the time the page loads. There is, in essence, no data other than the categories and the random number stored in the system and so it's impossible to know (or indeed reverse engineer from that) who you are or where you've been.

In the ad serving phase, when your computer requests an advert from the OIX (because a website has included our tag in their page), the browser sends the random number and the categories are used to deliver the targeted ad, not the details of your browsing, or anything about you or your computer.

2) When you opt out -- or switch the system off, it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm. We should be clear that the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be adverts from the OIX system and they will not be relevant to your browsing.

It is a complicated story so we really welcome the opportunity to engage. We're glad you're bringing the privacy debate to the fore. FYI we are one of the few online companies that would welcome a decision by the Article 29 Committee to rule on IP addresses being categorised as personal data. I don't need to point out how unusual that is. Do let us know if you'd like to meet or talk this and other issues through.

Best wishes

techteam

Hi John,

There is indeed quite a bit of speculation, misinformation and simply plain confusion around our technology.

To clarify: There are three main hallmarks to the system: we don't know who you are, we don't know where you've been and participation is always a choice. Because our technology adheres to these principles, we are fully confident that it complies with the Data Protection Act, RIPA and other applicable UK law. We have obtained counsel, including leading counsel as regards RIPA, to this effect.

Best wishes,

techteam

Hi Techteam,

Thanks for the informative reply. At least it seems that you are prepared to engage in a debate on the issue which is a good thing.

I must say that I still find it difficult to believe or understand that the system does not know who I am or what I do, if that is the case then how does it know what ads to send me ?

It's also good to hear that if people decide to opt out that no data whatsoever is passed to Phorm, although I'm slightly concerned at the fact that Phorm servers are located in the ISP's network. I will leave the technical details up to others better informed than me, but suffice to say that despite your generous response, I still remain to be convinced.

I think the problem is that the whole process looks underhanded and devious, I must be up front and admit that I am against this system, even if the claim that it is 100% anonymous is true, I think this just comes down to a core belief that I am trusting my ISP with my data, I believe they have a duty of care with regards to that data, and for me that means they should not be able to pass it to any third party, or process it in any way other than for the purpose of retaining information should a customer commit a serious crime so it can be made available to Police authorities.

I think recent events with regards to the loss of personal data by the Government have shown that companies and even Government departments can and do get things wrong. What assurances do we have that Phorm have not made a mistake, or will not get things wrong in the future ? I think this is to big an issue to just be allowed to pass into effect without a serious review of the technical processes involved, implementation plans and some form of independant judgement on whether this compromises any existing privacy or data protection laws.

My own opinion, for what it's worth, is that if it's deemed that this system does not breach any privacy or data protection laws, then the laws themselves should be reviewed because I firmly believe that the people of the UK have a basic right for their data to be better protected against this very form of manipulation.

Thanks again for taking the time to respond to my questions .

Hello techteam,

I am one of the many VM, BT and TT customers that find this whole business rather reprehensible. To that end you have cleared up a few questions that have been asked (but not answered by the companies in question) on various VM, BT and TT forums however going by your answers I still have a few I would hope you could answer.

1) In answer 1 you state that there are two seperate processes at play here and in answer 2 you state that once it is off, it is off. Can I clarify that this will mean that no browsing information whatsoever will be passed through Phorms servers that are sitting in the ISP or is it just that this data will not be passed back to Phorm?

2) If I do opt-out how is this handled? I have heard about a cookie opt-out which seems kind of weak and is open to abuse if the user in question accidentally deletes their cookie or it is removed without their knowledge, say by someone else using their PC. Is it possible for the ISPs to implement some form of account based opt-out system whereby the user does not need to keep reminding Phorm in any way that they have opted-out?

3) While I can understand if this is a sensitive situation, why have you and the ISPs not been more forthcoming with this information before? In numerous areas this information would answer quite a few questions, however this has been the only blog that I've seen such talk on. Why do you not go to sites such as www.BadPhorm.co.uk and answer questions there so the users there can be calmed by the answer you give?

To make it easy for non techie's to see what is going on here, let me explain it in the context of a system everyone knows about... the phone system.

Imagine that your TSP (Telecom Service Provider) decides to make some extra money on the side by allowing "Targeted Advertising" in the same way that these ISP's (Internet Service Provider's) are with Phorm.

So here Goes:

You make phone calls to your Wife, your Doctor and your Daughter, with the new service, "The Gold Standard in Privacy" Phrom...

What happens is this:

Each time you call, someone from Phrom taps the line and listens in, they have strict instructions to write down all that you say (except numbers with more than 3 digits (to protect against the accidental collection of social security, telephone and credit card numbers), email addresses and calls to your Bank (if you use your scrambler) and to to listen for certain key words (which they say will help them send you targeted advertisements tailored to you).

So they hear that you are talking a lot about "Top Gear" and mention "Audi" and "Bentley" so the Profiler writes down "Expensive Cars" - Not against your name but against a "Number" all the time you are on the phone talking, the profiler keeps listening and adding to the different categories about you.

They also do the same if your children make a call or your grandparents or if you call your Doctor.

Now as soon as you hang up the Profiler is supposed to destroy the the notes he took of the conversation so all the following should be destroyed:

The time of the call
The number you called.
The details of the call e.g. who you called and what you talked about.
Your Name and Number.

In return for you very kindly letting the Profiler listen in to your calls you get a SupaDuppaService from Phrom its called WebSpy and its free!

How WebSpy Works:
If the Profiler listening into your calls notices that you have called a dodgy number in Russia, which is suspected of terrible behaviour, (like bugging your phone), then the profiler will shout at you to hang up.

How Phrom Targeted Advertising Works:
From time to time the guys listening into the calls you are making will notice that you have called one of their members numbers

The member will, without you knowing, pass the Profiler a note asking what you like. Then the profiler will shout at you to buy something from this guy.

Wow what a great service that is!?

Its certainly worth giving up a little bit of privacy and having someone from Phrom listening in to all your calls isn't it?!

Notes:
"Phorm's systems collect browsing information such as URLs visited, search terms entered, OS version, relevant keywords of a particular page and randomly-generated unique Ids.

techteam - your company continually references the audit by Ernst and Young, the E&Y report states...

"Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls."

Question: Has Phorm changed as much as a single line of code in its software since E&Y performed their audit? Thanks for your time.

I can't believe what I'm reading.

Opt-out isn't good enough. This type of deeply intrusive 'service' should be opt-in, if it is indeed legal at all.

Webwise uses a cookie stored on the client to implement opt out (see webwise.bt.com). If you delete your cookies you are co-opted back in by default.

And the BT cookie expires silently after 24 months. So you are co-opted back in by default after 24 months.

And the Webwise UID cookie that you store is encrypted - why? If you've nothing to hide show me your cookies.

And the HTTP content that Webwise will see includes web chats using IM clients, remote desktop over http, SOAP/web services, images embedded in email, email viewed through webmail interfaces.

And if a client application doesn't or can't hold an opt out cookie, all data that originates from that client will be accessible to Webwise by default.

If you run a web site, and don't like Phorm, you can't opt out.

I've written an add on for Firefox 2 that will ensure the Phorm opt out cookie can never be deleted (accidentally or maliciously), and further randomises your UID cookie with every page load so Phorm can't monitor the browsing history of an individual user on a given IP address. But as privacy protection goes, this is a fig leaf.

Phorm should be outlawed.

http://www.planetsaturn.pwp.blueyonder.co.uk/dephormation.xpi

Phorm has been defending its spyware using a supposed endorsement from Privacy International. Here's a comment posted on the Register

http://www.theregister.co.uk/2008/03/04/phorm_ripa/comments/

"We have been pushing for Phorm to remove this content for quite some time now. PI does not work for companies, nor do we endorse products.
Two of PI's staff members, in a private venture, advised Phorm of the serious risks that their technology raised. We are pushing for Phorm to disclose this risk assessment.
To avoid any conflict of interest, we have notified our Trustees and International Advisory Board of this activity.

The reality is that PI's accounts are so weak that we must often fund ourselves through other ventures."

I would like clarity on two issues.
1. Does a notification to the ISP and/or Phorm under section 11 of the data processing act
'Right to prevent processing for purposes of direct marketing'
stop all/any customer data being sent/processed/disclosed to phorm servers without the *processing of a cookie.

2. Clarification on the legalities regarding interception of data without a warrant/court order. That part appears to be illegal

Regarding Phorm security/privacy, the really relevant part of the Ernst & Young appears to be as follows:

quote:

Because of inherent limitations in controls, error or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such
conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls.

end quote

Full document here (seee page 5)
http://www.phorm.com/user_privacy/EY_Phorm_Exam.pdf

Phorm admits that even if you opt out, they still receive all of your browsing habits, the cookie simply tells them not to use it. I am sorry, but I do not trust a company once embroiled in a spyware scandal and with "alleged" links to the Russian secret service (see The Register's posts on this for more information). And why are Phorm's data collection and processing servers based in China?. Phorm also states that they collect all data that is not SSL encrypted. So, you sign in to your webmail, blog or other account that does not use SSL (many do not) using your full name. Phorm now has your full name associated with your so called unique, non identifiable ID. Using this they could then identify you and every website you visit, every search term you use, read your emails if they are not encrypted etc. etc.

Imagine this scenario:
You are a high ranking member of parliament, with 2 kids. At home you have a personal broadband account with BT, Carphone Warehouse or Virgin Media. Say you are having an affair, or visiting adult websites you wouldn't perhaps want the public knowing about. You sign into your email account, send an email to your mistress or a friend and end it with your name. Phorm has that data. You then browse to a porn or gay porn site. Legal and well within your rights, but not something you would want the public to generally know about if you were a married man with kids. Phorm has that data too. Now that data is passed to their servers in China. The Chinese data centre has someone working their who is also working for the Chinese secret services. They see the high ranking UK government official's name and gather all his details. Pass them on to the state authorities in China. That MP or official then gets a visit from some Chinese agents threatening to expose his details unless he passes them sensetive information. Far fetched maybe, but not beyond the realms of possibility.

And what about corporate spying too. Many companies allow their workers to carry out work at home, although most would use an SSL encrypted company email server from home, many do use public email accounts. So someone types up some sensetive information regarding a major project the company is bidding for, signs in and emails the details to their work collegues. Phorm now has that data. Again, what is to stop unscrupulous employees, or once again those working for the Chinese authorities to gather such information and use it for commercial gain. Again, far fetched but not beyond the reals of possibility.

I do not want Royal Mail opening and reading every piece of mail I receive just so they can see what my interests are and then send me junk mail. Why is this any different.

If anybody reading this wishes to talk directly to the CEO of Phorm he will be hosting a live webchat tonight.

This from the BBC's dot.life blog:

UPDATE: If you want to put your queries/concerns direct to Phorm.....

The company's CEO, Kent Ertugrul will be available to answer your questions in a live web chat via the Webwise site at www.webwise.com/chat on 6 March 2008 from 20.30 GMT.

well well, interesting turn of events.

apparently TechTeam and PhormUKTechTeam are infact as the user on the cableforum thread below puts it "your not infact UKtechteam but rather UKPRteam."

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-49.html#post34502409
"PhormUKTechTeam
Thanks Mick
To be clear, yes I work for an external agency for Phorm - a UK PR agency.

My job is solely to take the information Phorm is making available - the interviews, the Q&As etc and place them into these discussions.

I believe I am totally open about this - my log in name is pretty clear, and the first line of my introduction clearly states who I work for.

It is my job to simply present the facts about Phorm."

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-50.html#post34502456
"popper
while its refreshing to see the truth from your good PR self as regards your workplace, dont you think it would have been better to pick better screens names, as your not infact UKtechteam but rather UKPRteam.

as the Phorm 3rd party UKPRteam, how do you propose to correctly answer the real Tech questions that are in many places and asked by even more people....?

is there also a UKlegalTeam to answer the RIPA/DPA/copyright and several other UK and EU legal questions.

or are the millions of UK ISP users effected by the ISP/Phorm contract going to be left with no other 'in good faith' option but to start small claims court proceedings (as was done with the UK banks due to no other 'in good faith' options being put forward by the offending banking partys) against the ISPs and Phorm etc.

perhaps to get the answers and rulings to restate the acts in question, and return some balance to the one sided contracts, and once again remove 3rd partys from interfering with the UK consumers?"

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-50.html#post34502463
"paul Nolan
I was starting to think TechTeam was a PR agency.

It smacks of a couple of years ago where (allegedly) the then chairman of Southampton FC had a PR agency attempt to Influence the flow of information in an upcoming battle for company ownership on the most popular forum for Southampton FC fans.

but frankly TechTeam and PhormUKTechTeam, as far as we know has no detailed knowledge of the workings of ISP's data capture Phorms patents, and the like.

Maybe they're just passing on uniformed propaganda meant to mislead us and stall on complaining to the ISP's involved."

why not go over there bob and readers, and see what the cable and indeed BT customers think.

http://www.cableforum.co.uk is probably the best Phorm (and current cable news etc)thread on the net as its got many VM cable and Bt dls members (The Register being your best news outlet for Phorm news OC)

Hi, it's the techteam here:

I am part of the techteam (and use the name techteam) at phorm and as noted by our agency above, PhormUKtechteam is the agency. And point taken david pip, we can change the phormuktechteam to ukprteam. (the pr team only posts what the tech team give it, though!)

I am not sure this situation is like the Southampton one. Full disclosure and transparency is key here: the pr agency disclosed the fact they are an agency on a board, up front. As you've seen, there's lots of interest and lots of questions and we try to get to them all. We can't do it all in house.

To pick up a couple of the more lurid points:
We don't have links to the Russian security services. We, in common with all major technology companies including Google and Intel, work with Russian programmers. The last two companies are some of the biggest employers in Moscow.

We don't have anything to do with China. Full stop.

We at techteam do know in detail the systems and we've tried to clearly explain the processes. We'll be putting up diagrams showing data flows including data capture and ad serving on our site next week. Do please write to me at techteam@phorm.com if you'd like to come in and understand the system in more detail.

We do keep saying this and we mean it: we've had jack marshall from clickz and chris williams from the register in this week (both favourable coverage), we've also had bloggers here and done numerous interviews with them. We've also asked Professor Peter Sommer to conduct an indepth review of our technology. He has declined -- which makes me think some people just want to object to something without investigating it.

More questions please. I've answered some questions on the political penguin site and PP has suggested we post the rest of the answers on our site and he/she will link to it.

Best wishes,

Tech team

Hi Kevin H,

To be totally clear: if you opt out none of your (or rather a random number's) browsing data is passed to Phorm. The ISP's profiler detects the presence of an opt out cookie and does not pass any data whatsoever to phorm.

Phorm does not have any links with the Russian security services.

Phorm does not have any servers in China.

Phorm's technology does not analyse SMTP mail or the content of webmail sites.

Phorm's technology ignores all form fields.

Phorm can never know who you are or where you've browsed. All that is ever stored is a random number, advertiser categories eg sport or travel and a timestamp.

Come in and see us. Please mail techteam@phorm.com

Best wishes

Techteam

Hi again Kevin,

To address your scenario point by point.

The first is a big one: Phorm doesn't have the data you suggest. We have:
1) a random number
2) everyday advertiser categories
3) a timestamp

But back to your scenario:
Imagine this scenario:
You are a high ranking member of parliament, with 2 kids.

Phorm: We don't and can never know who you are.

At home you have a personal broadband account with BT, Carphone Warehouse or Virgin Media.

Phorm: We don't know who you are and our technology cannot tie into the ISPs authentication systems or any other information the ISP holds on their subscriber.

Say you are having an affair, or visiting adult websites you wouldn't perhaps want the public knowing about.

Phorm: The only data we store is for everyday product categories, a random number and a timestamp. We match browsing behaviour with product categories. There is no advertiser category for 'adult' -- (or for things like gambling, alcohol, tobacco and so on). This means there is no record of browsing to adult sites.

You sign into your email account

Phorm: we do not analyse SMTP mail or the content of webmail sites. We ignore all form fields

, send an email to your mistress or a friend and end it with your name. Phorm has that data.

Phorm: We do not have that data.

You then browse to a porn or gay porn site.

Phorm: As above: There is no advertiser channel for porn or gay porn. There is no record.

Legal and well within your rights, but not something you would want the public to generally know about if you were a married man with kids. Phorm has that data too.

Phorm: Phorm does not have that data.

Now that data is passed to their servers in China.

Phorm: Phorm does not have any servers in China.

The Chinese data centre has someone working their who is also working for the Chinese secret services.

Phorm: Phorm does not have any servers in China. There is no data centre and no one working for the Chinese secret services.

They see the high ranking UK government official's name and gather all his details.

Phorm: Phorm does not have this data on the MP. Phorm only stores product categories, a random number and a timestamp.

Pass them on to the state authorities in China.

Phorm: Phorm does not have this data.

That MP or official then gets a visit from some Chinese agents threatening to expose his details unless he passes them sensetive information.

Phorm: Phorm does not have this data. No personal information can be derived from a product category a random number and a timestamp.

Far fetched maybe, but not beyond the realms of possibility.

Phorm: This scenario is far beyond the possibilities of our technology.

Best wishes,

Techteam

is This some form of 'layer' 7 redirection your using to the profiler kit Tech team?

Hi techteam, I thank you for taking the time to reply to my, and others points I really do appreciate your company actually attempting to answer such questions. Many companies would not bother, but I gather a lot of this is due to the highly sensitive nature of what you are proposing. I think the problem, and why myself and others are so completely against this is a simple point of principal. If I come to the attention of the authorities for whatever reason, they must follow appropriate channels to obtain browsing details etc. They must fully comply with the DPA, RIPA and various European directives and must have signed authority from high ranking officials in their departments or seek legal clarification and authority to intercept. Why is this not the case with your system?. In the case of other advertising systems it is also different, Google for example, requires you to actually opt in to receive their targeting advertising, as do the other targeted advertising systems. Yours does not, why not?. Yes, you can opt out but this still installs something on MY computer which I do not want (albeit a small cookie), regardless of the merits. Surely you could have avoided all of this and the bad feeling and publicity by asking those interested to opt in rather than having them opt in by default. If your system was such a boon to the public then we would be rushing to opt in. I am sorry, but the anti-pishing arguement is not a winner either. Many IT professionals, including myself, know that no matter how secure a system is it can be compromised either by a hacker or by a disgruntled employee. I accept that you will only be reading the cookie that contains an annonymous ID, and will be stripping out information that can be used for identification purposes, but there are many ways someone could tie this back to someone's identity. You state on your website that full names, email addresses etc. are discarded when your system comes to read through the data. However, such data is still passed to your server at the ISPs data centre in the first place, it is simply discarded by whatever program or script reads the data. A disgruntled or criminal employee would still be able to intercept that data before it passes to the appropriate script or application and, theoretically at least, have access to full names, addresses etc. Many, many e-commerce websites do not encrypt such data until you actually go to their checkout systems to enter credit card information. I accept that this information is to be stripped out by your equipment at the ISPs data centres, and will not be there when it is sent to your advertising servers, however, I would presume it is YOUR employees who would have access to these script servers if required (such as a fault or for software upgrades).

I think the Royal Mail analogy is highly accurate. I would not be comfortable with the Royal Mail opening and scanning all of my correspondence searching for keywords to then send me targetted advertising. I have nothing to hide and do not engage in criminal activity, but this is not the point.In my mind, and that of many hundreds of thousands it seems, what you are proposing is no different to the Royal Mail analogy and is simply not acceptable. I fully predict that there will be ISPs in the UK who will come out and state that they will not entertain such systems and I can see a huge rush of people from BT, Carphone Warehouse and Virgin to leave and join these smaller ISPs. In fact many users on forums such as those at www.digitalspy.co.uk are already investigating this. Some have written to various ISPs to ask and are awaiting their replies. I expect this information will travel around these forums and other techie news sites extremely quickly once they have the replies. You could be just about to catapult one or more of the smaller ISPs into the big league inadvertantly.

The DPA also says if someone does not give permission for information to be collected and used then you must not do so (legal authorities accepted of course). Myself and many others do not give permission for our data to be used regardless of whether it is supposedly annonymous, do not give permission for my browsing habits to be logged, again, regardless of whether it is annonymous, and do not give permission for any kind of cookie from any company associated with this to be installed on my computer. How are specific requests such as this to be handled by your system?.

I accept that your company probably has none of the shady links eluded to on some forums and news sites, and apologise for picking this up and reiterating it here.

Hi Kevin,

Sorry for the delay in getting back to you -- I've been over on techdirt. You can read the whole gory story here:

http://techdirt.com/articles/20080306/074534461.shtml?threaded=true

Your note was thoughtful and fair and I'll talk through a few of your points in detail later this evening or tomorrow morning.

A couple of quick remarks:
We're communicating a lot because we think this is a big leap forward for privacy online. There are many so called 'behavioural targeting' companies around; some of them very close to big search engines. These companies -- look at their websites -- offer marketers precision targeting via various means including post code. That to me sounds a little (excuse the pun) too close to home.

We don't do that, we don't store data and we don't use your personal data to serve ads. And our system has a big bold on/off switch. The only way you can switch the other stuff off is to disable cookies (the internet becomes unusable) or block cookies on a site by site basis. There aren't enough hours in the day.

2) We comply with RIPA, DPA and all applicable UK law

3) Re opt in and opt out. Each ISP will decide which method they offer at launch. In any event, users will ALWAYS be able to opt in our out -- that functionality is core to the system.

4)The information we have: a random number, a timestamp and a product category eg sport or travel, cannot be reverse engineered to reveal someone's identity. If someone were to break into the system they would see a pile of numbers, categories and times -- it's information that's of no use to anyone beyond serving an ad.

5) We are getting you diagrams to show how the system works in detail. Watch this space.. early this week.
6) Phorm employees will never have access on their own to an ISP's network -- that's unthinkable. We will always work with the ISPs engineers and be under their control.

Ok, that's it for the moment. And thanks again for your comments and evenhandedness.

Best wishes

Techteam

Thank you once again Techteam. I think much of the opposition to this is not so much to do with the targetted advertising side. It is more to do with the precedent that it sets. At the moment, many ISPs refuse to co-operate with the likes of the MPAA and RIAA in the United States and here in Europe. The ISPs state that they are nothing more than a conduit for data in the same way as the telephone companies or the Royal Mail. This seems to change that relationship and I have no doubt lawyers for the likes of the security services, or the MPAA and RIAA could successfully argue in a court (particularly in the US) that an ISP with your equipment in their data centres can track a users activity online. They would argue that if a third party advertiser can do it, why can they not do it themselves by default instead of having to go through convoluted legal channels. From my discussions with other people both IT literate and not, it is that kind of point that is worrying them not the actual prospect of targetted advertising. Of course the old arguement that if you have nothing to hide you have nothing to fear but that really is not the point. Thanks for taking the time to answer us once again and I lookd forward to the diagrams you mentioned.

Tech Team,

please explain this:

It's important to understand there are two distinctly separate processes in the Phorm system: data capture and ad serving. The data capture system which you describe above only stores one item of information on your computer -- a random number. "
...
"In the ad serving phase, when your computer requests an advert from the OIX (because a website has included our tag in their page), the browser sends the random number and the categories are used to deliver the targeted ad, not the details of your browsing, or anything about you or your computer."

So let me get this straight.

you have two distinct parts
part 1 - a relationship between you and the ISP where your equipment sees all raw (non ssl) data and then stores a digest and assigns me a UIN.
part 2 - a relationship with a website where you have code injected into a website (like an img tag) that will cause ME (my browser) to go to webwise.net (and present the cookie you assigned me in part 1) and grab a targetted advert..correct?

i.e. from part 1 you know that my computer is UIN=34578 and that I like cars, and I'm looking at holidays.

then as soon as I hit a partner website, you must surely then get a request from MY computer to get an image or whatever..that request will come straight from my computer and not by proxy (the only trusted proxy would be my ISP) right? if so, that means that I therefore transmit to you my IP address (TCP packets) and my cookie with my UIN (34578).

so combining part 1 (UIN + browsing history profile) and part 2 (IP address + UIN) you can easily correlate my computer IP address to my unique cookie number and therefore track and identify me online.

Please explain that.

also please explain why you think its justified for customers that OPT OUT to (a) require a cookie for that instead of nothing at all [a cookie should be there if and ONLY IF you've opted in via a dedicated opt in page] and (b) why opted out customers STILL have their data passed to your equipment in the ISP (im talking of BT here, CPW has indicated it will change its infrastructure so that won't happen).

Also you claim people will know they are opted in as the ads will have that indicated..but that only applies on webpages that have your adverts on them! you could be tracked for a long time before hitting one of those servers and suddenly realising you were opted in.

Also does opting out DELETE any and all data associated with the UIN you previously had? somehow I doubt it and if not how do we get that data removed.

First of all thanks to Bob Piper for allowing us to continue posting on this.

It is becoming obvious that the proverbial stuff is hitting the fan on this, it appears to have opened up a major can of worms. I note that Phorm's own website has recently changed too. The Virgin Media logo seems to now be conspicious by it's absense, does this mean a change of heart on Virgin Media's part who have been suspiciously quiet on all of this?. Talk Talk (part of Carphone Warehouse) have now publicly stated that users will be specifically required to opt in. If a user does not opt in then their data will go no where near Phorm's equipment. Well done to Talk Talk for listening to their customers, although this could have a lot to do with the many thousands of their customers who have stated on various blogs and forums that they will cancel their accounts if this goes ahead. AOL are also part of the CW network and I would presume the same applies to them however, nothing has been publicly stated. As a result I have written to AOL for further clarifcation on this issue and I await their response.

A BT user on Digitalspy.co.uk has also received an email from the office of the CEO of BT stating that BT customers may also be required to specifically opt in although BT have not stated so publicly yet.

The Information Commissioner in the UK has also stated that his office are investigating and will publish details once their investigation is complete.

Details of this controversy have also made tech blogs all around the world, and opposition appears to be gathering pace in the US another of Phorm's main target markets.

The Open Rights Group (who campaign for transparency, privacy and freedom of information on the internet) have also picked this up and will be investigating.

The controversy also appears to have reached investors in the major world markets. Shares in Phorm and the ISPs looking at this have all fallen sharply, although Phorm says this has nothing to do with the controversy. Is it just coincidence then?.

The arguement that other ad tracking systems (such as Google's adsense) also track our habits are not valid. To have your browsing habits and keywords tracked on these other systems you must explicitly sign up and sign in. Google's privacy policy is also surprisingly clear on what will happen. If you do not sign in you will, of course, still receive ads but as you are not tracked these are random.

While I understand Phorm believe they are complying with all relevant laws I fail to see how this can be the case. Both RIPA and the DPA require a user to give explicit consent for such tracking regardless of whether such tracking is annonymous or not. Lets say opt in by default is legal for the sake of arguement. In this case both acts advise that tracking cannot take place if a user does not consent, by opting out a user does not consent. Phorm's system however, still tracks your browsing and search habits regardless, they simply promise not to use said data. How can this be reconciled with RIPA and the DPAs requirements for explicit consent?. answer, it cannot. Regardless of whether your data is not used it is still collected thereby likely breaking the relevant terms of both acts.

From talking to some of my American friends it also seems that similar systems have been implemented in the US, although the average user is not aware of it because of ambigious user agreements and terms and conditions. However, many of them are now becoming aware and are beginning to questions whether their ISPs have signed up to Phorm or other similar systems. The revolt appears to be gathering pace.

As I have said before, this fundamentaly changes the relationship between ourselves and our ISPs. How can an ISP continue to argue against increased government intrusion by saying that it is technically not possible to track everything, they are just a data conduit etc. if this goes ahead. That arguement becomes less valid and could potentially leave our major ISPs open to prosecution for anything that passes across their network. It could potentially leave all of us open to much stricter tracking and control. First the internet, then the phone system, the mail and any other way we exchange information.

George Orwell is probably spinning in his grave.

Kevin, you bring up a very clear case against Phrom, and I'd just like to add a query of my own regarding the RIPA legislation. If RIPA requires explicit consent for personal data to be intercepted, then in what way can Phrom possibly say that their opt-out scheme complies with these laws? Having to opt-out, as seems to be the case at least with BT at the moment, requires having to know very clearly what is going on and how to do it. I'm not sure turning on the internet and hopefully being aware that you have to go to website to turn something off, whilst BEING TRACKED, counts as explicit consent at all.

This kind of rubbish is one of the reasons I recently emigrated from England to Denmark. This system is spying - plain and simple. If implemented, the people responsible should find themself behind bars for a very long time.

Hi TechTeam,

Could you respond to the accusation that your breaking copyright law?
http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?1037.0#post_1247

Many thanks.

Would it be possible for PhormUKTechTeam to advise whether the statement on badform.co.uk is true. One of the moderators advises he has discovered that those passing themselves off as the techteam ar in fact PR representatives of Phorm's PR company,Citigate Drew Rogerson and are not employees of Phorm.

This just gets murkier and murkier.

There is also an interesting article on ZDNet about how Phorm and your ISP could actually be breaking copyright law by capturing and storing certain information (emails, blog postings, data on social networking sites etc.).
http://community.zdnet.co.uk/blog/0,1000000567,10007508o-2000331777b,00.htm

The Foundation for Information Policy Research has published a letter arguing that Phorm is illegal by contravening the Regulation of Investigatory Powers Act 2000.

http://www.fipr.org/080317icoletter.html

Here is BBC coverage of the illegal PHORM activities:
http://news.bbc.co.uk/1/hi/technology/7301379.stm

Just thought I would give you guys a link to this. Lavasoft are the developers of the excellent and highly respected AdAware program and even they have no love for Phorm and their practices.

Link here:
http://www.lavasoft.com/support/securitycenter/blog/?p=203#more-203

Incidently, if anyone is interested in discussing this and finding many much more information these two links are very useful:

Badphorm website, with links to almost all of the current data and an forum for discussion:
www.badphorm.co.uk

DigitalSpy.
Excellent discussion going on over at Digital Spy, a lively forum for everyone from computer users, techies and those just interested in the media in general:
http://www.digitalspy.co.uk/forums/showthread.php?t=754214

Let's use the Royal Mail analogy, which still holds firm.

If Royal Mail were to introduce a service of targetted junk mail inserted into your post, but then made it 'opt in' only, would that still be okay?

I would hope it wouldn't, because you're eroding privacy by allowing what is unethical to become an acceptable business activity. Do normal people sit around dreaming up invasive/spying business models? No. Why on earth do you want to start a business like this? Why would it be acceptable to make money this way? A country with a sense of the public good wouldn't want any business like this operating in its land.

What about if BT introduced this service for voice calls, playing jingles at you while you're in the middle of a conversation with your grandma, after monitoring key words of the conversation and finding that you're talking about weeding the garden so they start pushing adverts for garden centres at you?

The point is, just because it's data, not voice, it makes it easier for things you would otherwise be outraged by, to be done to you without you noticing.

The national default has to be for privacy. Technologies that invade privacy without court orders and suchlike must be banned outright. There can be no concessions, because a concession is merely a stay of execution. The same goes for ID cards/database: to water down the legislation is to approve it with minor modifications which are later removed.

Spying is spying, folks. Interception is interception. There is no 'opt in' that could ever make it okay.

Don't be boiled frogs please. Stand up for UK-wide privacy.

Hi,

great article. By the way everyone you can ignore so-called 'Phorm techteam' they are nothing more than PR goons.

Let's get this straight. This is what Phorm is *actually* for:

1) Making money for BT and any other ISP who decides to sell their customers down the river. Phorm pays BT to allow the Phorm wiretapping equipment to be connected to their network

2) Making money for Phorm. The idea is advertisers pay Phorm to use their system, I guess they think they will get more ad-clicks and hence sales.

3) SCREWING THE CUSTOMER - that's right, the internet users who are subjected to Phorm will get *nothing* of any use. They will get less secure web browsing (and possibly slower) whilst BT and Phorm effectively make money from *your* mouse and keyboard clicks. WOW - this is a fantastic system, I click away and effectively deposit some money in BT and Phorms bank accounts. Sounds like just the kind of thing I want! *note the sarcasm*

Phorm is junk and illegal - and of story.

http://www.openrightsgroup.org/2008/04/09/phorm-public-meeting-announced-for-next-tuesday/#comments

Terms & Conditions Says:
April 11th, 2008 at 8:35 am
I think I am stating the obvious, which has been �conveniently� overlooked by BT Phorm & Others.

I very much doubt that any amendment to the T.O.C or an Opt-in System could ever be Termed legal!

As this would involve the �Account Holder� (& user�s at the same location), the Account Holder would then have been coerced into an illegal act, or aiding & abetting in an illegal Act!

Under all these current Laws

1/ Wire-tapping of Communications designed for end to end personal communications (M.I.T.M attack).
2/ The D.P.A because sensitive data will inevitably be diverted through this system, which could either be emanating from the Server or the Client Side.
3/ The Current Privacy Laws of the Country the Account Holder resides in.

I'm presuming that this could just be deleted by firefox with the adblock & noscript extensions. But a thought occurred to me that if you really wanted to pervert this, you could do what some people do with google traffic. Have an extension that searches for random terms, all the time your connected to the net, that means the signal, (real searches) is lost in the noise of the fake/generated searches.

I imagine you could actually do the same to phorm, in that you could just have an extension that visits random pages active in another browser, than the one you're actually using. To phorm it would all look alike, but it would screw up their metrics.

I do this all the time with the data collection activities that are supermarket club cards, etc.

Ultimately phorm will stand or fall on how accurate it targeted ads are, and the click through on those ads. If we can pevert the database, then we can skew the results, and thus that which phorm is paid to provide.

A far quicker way to kill it would simply be to DDOS or cache poison, webwise. Since that would kill the browsing potential of a large portion of the UK, and that would create a real stink. With the added benefit of making non phormed ISP's quicker, given the load it would take off the UK's backbone.