Rory Cellan-Jones

Will opt-in 'phinish' Phorm?

  • Rory Cellan-Jones
  • 9 Apr 08, 18:34 GMT

The argument continues - is the web tracking software business Phorm a big brother intent on snooping on your broadband line or a helpful service keeping you secure from web danger while serving up delightfully targeted ads?

Some of the finest minds in the world of privacy, encryption and the law, have turned their minds to these issues - including most recently Dr Richard Clayton - and I certainly don't have the technical knowledge to pick apart their arguments.

But now comes what could be a killer blow to Phorm's ambitions in the form of new guidance from the Information Commissioner, Britain's data protection watchdog. I bet executives from Phorm scanned through to the end and felt pretty chirpy about the Commisioner's conclusion that their products can operate in compliance with the data protection legislation.

But it's a couple of paragraphs in the middle that really throw a spanner in the works, when the document suggests that the Webwise product should only be offered to consumers on an "opt-in" basis if the firm doesn't want to fall foul of something called PECR - Privacy and Electronic Communications Regulations.

Now tell me, what do you do when you come across one of those online forms that tells you about some fantastic new service your bank/online retailer/ISP is offering for nothing and invites you to tick a box if you DON'T want it - in other words opt out?

I suspect most people don't bother - and so they get the service.

But what if you are asked to tick a box if you DO want it - to opt in? Equally, I suspect people are reluctant to make even the minimal effort that's required to opt in, and take-up is much smaller.

Then imagine that the service in question has been the subject of major controversy with a high volume of web noise suggesting users should avoid it all costs.

What's more one of Phorm's three clients Carphone Warehouse has already bowed to pressure, and decided it will only implement Phorm's webwise product on an opt-in basis. Surely then, an "opt-in" Phorm will be a minority taste - and that won't be of any use to ISPs hoping to sell advertising on the back of it?

When I phoned Kent Ertegrul, Phorm's chief executive, he strongly disputed this analysis. First of all, he insists that the Information Commissioner's document does not mean "opt-in" is the only option.

Secondly, he believes the process of telling customers about Webwise will fulfil the requirement for "valid, informed consent" that the law requires, with a web page giving all the details of what's involved and inviting customers to say yes or no, followed by later reminders that the service is switched on.

Finally, he rejects my suggestion that Phorm has lost the PR war long before it gets off the ground.

"We've only heard from a small group of vocal opponents so far. The public has answered very clearly in neutral polling that this is something they want."

The BT trial of Webwise is about to start and Mr Ertegrul is confident it will prove his case - that this is an attractive way of blocking unwanted adverts and internet fraudsters.

But is it really likely that BT and Virgin will choose to bring in Phorm on an opt-out basis when their bitter rivals at Carphone Warehouse are promising it will be opt-in? And in that case, who'd like to calculate how many of these firms' eight million or so broadband customers will say yes to Phorm?


  • 1.
  • At 09:31 PM on 09 Apr 2008,
  • Joe wrote:

Nobody is mentioning the potential Fraud that may be occurring by the Phorm system pretending to be a web site that it is not?

From Dr Richard Clayton white paper on how Phorm works:

"The Layer 7 switch will see that the request does not contain a Phorm "cookie" and will direct the request to a machine located within the ISP network that will pretend to be and will return a "307" response which says, in effect, "you want that page over there". The page that will be directed to is the parameters record the original URL that was wanted."

The key is "will pretend to be" (or obviously any other website you are surfing.)

Would it not be illegal to pretend to be another company or person in the UK without that company/persons permission? Particularly for commercial gain?

Is this not a Fraud against Fraud Act 2006, and exactly the same type of Fraud as Phishing, by impersonating a website that you are not?

  • 2.
  • At 09:58 PM on 09 Apr 2008,
  • Charles E Hardwidge wrote:

My reading of UK and EU legislation suggests that opt-in is, actually, the legal default. ICO now agrees. Also, his telling people about Webwise and insisting it is informed consent is merely conjecture at this stage.

Significant interest from enforcement authorities and surveys of people's attitudes suggest that Kent's claims he hasn't lost the war are premature. His own prior success has blinded him as it blinded Hannibal.

Kent is selling a useless product that nobody wants, and no amount of clever words or charisma will change that. Instead of buying into his own ego, perhaps, he might spend some time reading the Tao and develop a clue about the world.

  • 3.
  • At 10:07 PM on 09 Apr 2008,
  • ColinWH wrote:

As this is such a potentially important issue, not Phorm per se, but the principals involved, it would be a service to the public if the BBC DID find a group of people who could pick apart all the underlying pro's & con's.
It will spread to all ISP's if accepted and other vendors will clamour to get into the market, with disastrous implications to privacy and/or security.

  • 4.
  • At 10:40 PM on 09 Apr 2008,
  • DavW wrote:

I'm with Virgin at the moment with internet, TV and Phone. As soon as they state that this system is to be launched as a "service" to enhance my internet experience, I will jump into Rupert Murdoch's lap and embrace Sky TV and sign up with any ISP that can promise me Phorm will not be entertained.
There is another side to this also. The websites that are to partner Phorm and serve OIX generated ads will immediately be added to my blocked sites list and will be boycotted until I find out they no longer carry ads served up by Phorm.
In many ways, I'm compromising my use of the internet, but it is something I'm more than willing to do to avoid this company and its collaborators.

  • 5.
  • At 10:41 PM on 09 Apr 2008,
  • Peter Wells wrote:

Will BT pay me to take these ads by increasing my download allowance? I doubt it. Therefore by using my download allowance for these extra ads, I'm being charged for the privilege of being bombarded by more unwanted junk. Will 'Adblock' on my browser filter this additional rubbish out? Or is Phorm designed to cripple it?

  • 6.
  • At 05:43 AM on 10 Apr 2008,
  • Protect_Your_Privacy wrote:

"Secondly, he believes the process of telling customers about Webwise will fulfil the requirement for "valid, informed consent" that the law requires,"

This comment affirms my belief that Phorm feel that the implementation of their system is legal based on Section 33 Paragraph 5 (c) & (d) of the DPA.

33/5(c) suggests the Opt-in/Opt-out, and 33/5/(d) suggests the Data Collector must have more than reasonable belief than consent is given in the absence of consent.

The question, as I have posed continuously, is how do Phorm expect this to be legal if the DPA indicate that a child aged 12 and under cannot give consent (33/5(c)), therefore they cannot assume consent is given in the absence of consent (33/5(d)).

  • 7.
  • At 05:47 AM on 10 Apr 2008,
  • Mark Woodward wrote:

Kent Ertugul's relentless chirpiness is wearing a little thin. "Opt-in" means just what it says, not what he would like it to mean. The ICO has taken rather too long to reach this conclusion, but I suspect it's the start of Phorm's long and slippery slope to it's well deserved place in the dustbin of IT history.

BT customers could well argue that the imposition of Phorm is a breach of the deal they signed up for; but, worryingly, I'm led to believe from various technology sites that opting-out of the service will still mean your data goes through the same system and the only difference between opt-in and opt-out may be that absolutely no targeted ads reach your computer - but everything you do could still be logged and analysed.

The only way Phorm with BT and the others could possibly make this a success on THEIR terms is through customer apathy. Undoubtedly many just won't be aware of the issues when asked to make a decision, if asked to make a decision, and it is doubtful Phorm and the participating ISPs will be producing fully informative material to help customers make any decision other than the one Phorm and the ISPs actually want.

  • 9.
  • At 08:24 AM on 10 Apr 2008,
  • Donchik wrote:

Having just been told by Virgin, that the only way to opt out will be to go to Phorm's website and give them my details, I have lodged a formal complaint to the ICO.

The whole point is to avoid giving these data theives the information, and I object to them knowing a single thing about me, even my email address.

I will await the ICO verdict, but so far I am far from happy with the level of protection being provided by this Quango!

  • 10.
  • At 09:11 AM on 10 Apr 2008,
  • Mike wrote:

the whole question of Consent needs further distilling. The spinners at Phorm talk of consent to recieve targetted adverts (the webwise on/off option) however the real issue is consent to have your internet traffic mirrored monitored and adjusted by the phorm 'man in the middle' servers. Every time Kent talks to journos he leads them straight to the webwise consent, and glossess straight past the interception issues.

  • 11.
  • At 09:46 AM on 10 Apr 2008,
  • Paul Davis wrote:

Opt-in is an official cop-out.

I seem to remember that the payment-protection insurance on personal loans and credit cards etc. is 'opt-in', and even though people are required to pay for this, there is still a huge issue with people being 'opt(ed)-in' without their explicit permission.

User apathy is a huge problem here, since most will simply not be aware of or unable to comprehend the issue. This is why the powers-that-be need to act on it, since the majority are unable to (for one reason or another) make the correct decision.

  • 12.
  • At 11:12 AM on 10 Apr 2008,
  • Chris Garman wrote:

Now that computing power is so cheap, it is my belief the time has come for consumers to demand that all web traffic is transmitted over SSL.

This is the encryption system used by banks etc that makes it impossible for anyone to impersonate their site or eavesdrop their traffic. The argument for not using it is that it increases the demand on the processor of the web server.

I wish I could set my PC to only allow SSL traffic - then the only computers on the internet that could talk to my computer would need a proper security certificate. Viruses, security threats and privacy problems would be wipeout out overnight!

Chris Garman Bsc Computer Science.

  • 13.
  • At 11:49 AM on 10 Apr 2008,
  • John wrote:

I haven't been paying too much attention to the implementation details, does this just add more ads at the top of the web page, or does it intercept the ads served by the original content provider and replace them with their own?

If the latter, I don't think the websites will be too pleased at losing the income, if the former I don't think they will be happy about someone free-loading on their work, or worse still having their competitors being able to gazump them (would BT be happy with thier homepage having a giant TalkTalk banner ad at the top?). They also won't be happy about losing control over what ads appear alongside their content which could be entirely inappropriate. And if the number of ads increase, I don't think most people will realise it's the ISP's fault, they'll blame the website.

If ISP's really feel they need to augment their income (as that is all this effort really is forget that blarney about improving the customer experience), then they need to look at their pricing structures, the race to the bottom has done nobody any favours.

  • 14.
  • At 12:53 PM on 10 Apr 2008,
  • Andy R wrote:

Is there any chance that, one day, someone will consider the real customer service alternative: I wish I knew how much I would have to pay for a no advert system.

I don't want random ads, I don't want targetted ads. I want no ads! Surely there's a viable commercial model that could support that?

I'm not sure if this has already been noted, but I find it very troubling that the very existence of the Phorm deal between the UK ISPs was broken by an American newspaper (NYT).

The lack of a UK press release, or as far as I am aware any mention of this on the BBC TV / Radio news, speaks volumes about Virgin / BT / Carphone Warehouse' prior knowledge that this would be a controversial scheme, which is clearly geared towards increasing profits to them, with no possible benefit to the consumer.

I think it's also worth pointing out that a Virgin Media representative I spoke to, who was subsequently in contact with my MP, Dari Taylor, made it clear that Phorm would be an opt-in scheme open only to Microsoft Windows users - since it requires a client side application.

Ah, the daily reminders of why I use Mac just keep on coming.

  • 16.
  • At 01:00 PM on 10 Apr 2008,
  • George Johnson wrote:

Yep I have just, last week, dumped Virgin/NTL over this plus the fact that their service is way overpriced compared to ADSL and I have embraced Mr Murdoch's Sky broadband.

The main thing that bothers me now over the Phorm system, yes OK it's opt-in, but I bet you will still be capturing all the traffic at BT and VM, but only those with an opt-in will actually have the details kept for any length of time. BT have already admitted that they performed trials without user knowledge in 2006, what's to stop them simply capturing the details for Phorm and recording the opt-in stuff in one DB and casually scanning the opt-out traffic as it passes, then simply dumping it, so they won't get in any legal trouble.

BT and Phorm have lied all along, I have no doubt they will simply summerise the opt-out traffic for their own nefarious needs! So sick of ads everywhere I go, please just stop trying to sell me junk I don't want!

  • 17.
  • At 01:02 PM on 10 Apr 2008,
  • Andrew X wrote:

John: I'd just like to clarify for you how this system works.

1) Your request for a page gets diverted to by your ISP to Phorm.

2) The page you've requested and any search terms you've used gets analysed by Phorm.

3) If the webpage you've requested is part of a site/company/etc that's signed up then Phorm insert ads depending on criteria set by the site and by the analysis of your previous and current web browsing.

4) That page and its ad is then served up to you.

The issue with consent is that the only thing you would be saying is 'Please don't send me targeted ads'. I don't currently see any comments from BT, Phorm or elsewhere that says 'If you're not opted-in we won't send your web browsing to Phorm'. This is the real crux of the concerns. Opt-in or opt-out, all you're removing is step 3 as listed above.

The legal questions around this have not been answered. Kent Ertegul and Phorm are being disingenous at best to state that the ICO's report exonerates them from any breach of communications interception law (RIPA).

The ICO clearly state that they have only addressed the issue from a Data Protection legislation standpoint and have not considered the interception of communications issue. That's one for the Home Office (who've remained strangely quiet so far).

  • 18.
  • At 01:05 PM on 10 Apr 2008,
  • Trevor Minksy wrote:

Attention is being focused on Phorm as "data thieves", but it is your Service Providers who are inviting Phorm to harvest your data and browsing patterns.

All the focus to date has been on the ISP customers, with no mention of the content owners themselves and their IP rights.

There is no way to prevent Phorm from analyzing web content when a customer visits, short of disabling all search engines.

This is a flawed idea based on the concept that anything on the web is up for grabs.

It basically says "If you're open to search indexing, your content is freely available for us to use for our commercial gain".

It involves Phorm accessing, replicating, and storing someone else's IP.

Not to mention masquerading, through cookie rewrites, as the site in question.

This would violate the licensing terms many content owners operate under - no commercial, no derivatives.

Most content providers do not grant Phorm permission to do what it does - if Phorm goes ahead and does it anyway, that's violating site licenses.

If Phorm goes ahead, I'll be more than happy to file a civil suit for unauthorized access and copyright violations/IP theft/license violations against both Phorm *and* the ISP(s) of site visitors unless Phorm gives website *owners* a specific way to block Phorm from even beginning to slurp our content.

A couple of million website owners filing a class action lawsuit against BT and Phorm?

Computer trespass investigations?

Clear violations of RIPA because of site owners specifically declining permission for Phorm to see anything but a "Get lost and don't index"?

We. content providers, are facing a huge theft of our intellectual property for commercial gain of a third party, without any way to block it if we want to.

When content providers sign up for advertising like AdSense, it is *our* choice to add such things to our site or not. Phorm is taking away our right to control the uses of our sites.

Just as Verislime was shot down for hijacking domain not found redirects, Phorm needs to be shot down for hijacking our content.

  • 20.
  • At 01:46 PM on 10 Apr 2008,
  • Charlie wrote:

Your browsing history will become apparent to all members of your family by virtue of the advertisements that are presented to your computer.

A parent worried, for example, about a serious illness such as cancer may not immediately wish to discuss such a sensitive issue with their children.

However the entire family may start to see specific advertisements for hospital treatment, cancer therapy, life insurance etc. and start to ask questions.

By any common-sense measure, this concept is a gross invasion of privacy.

I believe the public's awareness of this issue will now start to increase and force a climb-down by all major ISPs.

  • 21.
  • At 02:07 PM on 10 Apr 2008,
  • christopher boote wrote:

"I don't want random ads, I don't want targetted ads. I want no ads! Surely there's a viable commercial model that could support that?" says Andy R

Then install Firefox with AdBlock - never see an advert again!

Phorm wants to intercept my electronic communications without my consent - how can that be legal?

  • 22.
  • At 02:16 PM on 10 Apr 2008,
  • Clive wrote:


As far as I'm aware the NYT article was based on a press release, by Phorm, as part of their PR effort in the U.S.

It was picked up by someone in the Virgin Media support groups and the alert went out from there to the Register.

'Phorm would be an opt-in scheme open only to Microsoft Windows users - since it requires a client side application.'

This is the first I've heard of this. Although I have heard that the Phorm system can't perform its cookie juggling with Safari.

  • 23.
  • At 02:47 PM on 10 Apr 2008,
  • linuxsimon wrote:

Andy R..
>>I don't want random ads, I don't want targetted ads. I want no ads! Surely there's a viable commercial model that could support that?

I don't understand why people are not using adblock with firefox or ie7pro with internet explorer to give you 99% ad-free web surfing. If you're really concerned about Phorm than install dephormation too.

These adblocking systems transform the whole web surfing experience for the better

  • 24.
  • At 02:58 PM on 10 Apr 2008,
  • Jonny wrote:

It doesn't matter if you choose to opt in or out of Phorm. The opt in/out only covers the targeted adverts.

If you opt in you get adverts displayed on participating websites if you opt out you don't.

HOWEVER... even if you opt out, or choose not to opt in all of your traffic will still be inspected by Phorm.

I will not go near an ISP that implements Phorm. Phorm inspects all traffic through the network recording what pages you visit etc. It checks if you have opted in or out while inspecting the data you have sent over the network. If I choose to not opt in or to opt out I am doing so not just because I don't want targeted adverts but because I do not consent to inspection and recording of the data sent over the ISPs network from my machine. So by looking to see if I have opted out Phorm is already assuming I haven't.

Apart from the fact that this is all morally and legally questionable what about the financial compensation. The ISP is going to be getting paid for MY data. Data going from MY pc to another PC/Server. The ISP is selling the contents of my data packets to Phorm... surely then they are claiming ownership of these data packets otherwise I would be getting paid for the transaction. How can they claim ownership of my data and make money from it?

If they are saying that they own the data sent over their networks the music and movie industries can now surely sue ISPs for copyright abuses because in the past they have said they only provide a conduit for the data. If they now own the data....

And don't even get me started on the security issues (including the dodgy legal ground they are on here as mentioned in previous comments...).

The general public will probably respond with apathy and allow this to go through, until that is they figure out that Phorm is logging everything from their google searches to what they buy on Amazon...

  • 25.
  • At 03:00 PM on 10 Apr 2008,
  • John wrote:

One thing the News forgets to mention is that Phorm used to be called 121Media who installed Spyware and Rootkits on unsuspecting user's PCs to monitor their internet activity.
Now they are just bypassing the PC and installing their Spyware directly into the ISP.

What is there to stop Phorm from keeping "useful" data (like bank account details, etc) once their system has been rooted into the ISP network?

  • 26.
  • At 03:00 PM on 10 Apr 2008,
  • Abhinav Bajpai wrote:

It's important to note than whenever phorm or the participating ISPs say this is something their customers want, their customers are the advertisers and the internet subscribers are the product being sold.

  • 27.
  • At 03:18 PM on 10 Apr 2008,
  • Graham wrote:

I am already extremely uncomfortable about unknown organisations, public and private, 'watching' me. Personal information about UK citizens, like me, is already stored on an average of 1,000 databases according to Privacy International and I don't want to add to that. Some of the information is 10 minutes old and some of it 10 years old. Much of it is inaccurate or just wrong and organisations are making value judgements about me based upon this data.
I want to manage my personal information and share it only with organisations that I want a relationship with. I don't like CRM - I want VRM (Vendor Relationship Management). There are a number of UK developers working on ways to deliver this to individuals and the ISPs need to embrace this concept now or, from the previous comments, start losing customers

  • 28.
  • At 03:47 PM on 10 Apr 2008,
  • Ian wrote:

I dont think there is enough public awareness about Phorm and their webwise system. However, the Downing Sreet petition is gathering momentum.

I have spoken to many colleagues who are Virgin and BT customers about the Phorm system. Most don't know what I am talking about.

Yes, there is plenty of media coverage going on in the background (such as this one and others in the BBC News technology section) reporting on the privacy issues, some of which suggest serious breaches. Yet there is no main stream media coverage.

Until these reports become front page news for all to see then there is little hope of the general public becoming sufficiently aware of the potential intrusion to their privacy.

Virgin are being very tight lipped about this whole issue in public. Almost every article on this subject states that 'three ISP's have signed up including Virgin Media'.
Perhaps they are shying away from the controversy.

Many customers that have written to the Data Controller to inform him that no consent is given, implied or otherwise, to intercept or profile web traffic, and in the response Virgin deny any deals have been struck with Phorm.

All Phorm will achieve (if anything) is to increase the already overloaded internet.

Ads are, however, generally as wanted as spam. Phorm is a parasite that can be dealt with by installing tools to crop out ads in the same way that mail can be filtered for spam.

It doesn't bother me as it is not an infringement of my privacy.

The only adverts I find useful are supplied by Google in side of my mail window as they are relevant and interesting. I admit finding them valueable.

  • 30.
  • At 04:12 PM on 10 Apr 2008,
  • Craig wrote:

Under RIPA the informed consent of both parties is required for a third party to intercept a telecommunication.

I'm a website owner. I am one of two parties in a "conversation" when someone visits my site. The other party is the end-user.

PHORM plan to intercept these communications. PHORM are seeking end-user consent but have stated that websites give implied consent.

Guess what? Mine doesn't. Quite a few don't. In fact many, including myself, have put up a legal notice regarding RIPA explicitly denying PHORM, BT, Carephone Warehouse, TalkTalk or any other organisation without a legal warrant from intercepting communications between the site and the end user.

Unless Webwise is capable of reading these notices and turning itself off accordingly, it is undoubtedly in breach of Section 1 of the Regulation of Investigatory Powers Act 2000.

This is something I've yet to see PHORM or any of their new affiliates cover.

  • 31.
  • At 04:58 PM on 10 Apr 2008,
  • Matty wrote:

Chris, for someone with a Bsc in Computer Science, you don't seem to know a lot about web technology!
'Layer 7' switches intercept EVERYTHING. When you visit an SSL website, the certificates are exchanged online.

Webwise works by having a layer 7 switch intercept and impersonate the client and server requests on the network: -
You browse to a secure site, the switch takes this request and passes it to the site as its own, adding the Webwise cookie. When the site responds with its public encryption key, the switch strips the public key for the site out, adds its own public key and forwards the request to you.
Even when you exchange a private key, the switch will also intercept this, (seeing it already has the public key) create its own private key and use its key to communicate with your 'secure' website. Meanwhile, all this decrypted data is being forwarded into Webwise for 'processing'. This is the fatal flaw with SSL, if your ISP or your network admin wants to 'snoop' on your browsing, they can. Bear in mind that you can send certificates in the post on a USB stick, however, header information is NOT encrypted - so they can still see which sites you are visiting, even if they can't decrypt the traffic being sent.

This isn't new, fancy technology either, it's been happening in any company that needs to 'monitor' their network.

Blocking Webwise cookies does nothing, all your traffic is being routed through the switch anyway!

Ad-blockers may prevent the adverts from reaching your PC, but they will not prevent Phorm from gathering your browsing data.

Some of the websites that were hoping to host the directed advertising for Phorm have already pulled out, such as the Guardian Online. The BBC signed up to this, have they also dropped out?

I find it disturbing that the ICO has stated this service should be opt-in, yet Phorm still believe that they have a right to spy on everyone. They may believe they have 'implied consent' from the users, however they do not have the consent of the websites themselves! Not to mention the trials conducted in 2007 and 2006 where NO USERS WERE INFORMED OR ASKED THEIR PERMISSION!!!

They should give up with this nonsense, nobody wants this. They say they offer a more secure internet and protect against phishing attacks - how exactly? They just keep repeating the same PR rubbish on the privacy of your browsing...

This post is closed to new comments.

The BBC is not responsible for the content of external internet sites