Darren Waters

Phorm hoping to stop 'phoul play'

  • Darren Waters
  • 28 Apr 09, 15:15 GMT

From the moment Phorm first hit the headlines in 2008, controversy has dogged the online advert targeting firm.

ComputerIts history as a technology company accused of peddling spyware immediately antagonised privacy campaigners.

And when it was revealed that Phorm and BT had carried out secret trials of the technology, which monitors users' web habits without their consent, battle lines were drawn.

At the heart of the argument is a debate over whether Phorm's technology breaks UK data interception laws. The European Commission has also waded into the issue, asking for better protection for consumers.

This has been a battle fought on message boards and forums, in detailed technical assessments of the technology, and even within government.

Phorm asserts that it is doing nothing wrong, that it sets higher standards of privacy and protection than rivals and that it has the support of bodies like the Information Commissioners' Office, the Home Office and the Department for Business, Enterprise & Regulatory Reform.

However, anti-Phorm campaigners have gone to each of these bodies and in turn received word that they have not endorsed Phorm's technology.

Indeed, the Home Office says it has never advised Phorm that its technology does not break UK law.

Yet e-mails between the Home Office and Phorm released under Freedom of Information appear to show the Home Office doing precisely that, and also asking Phorm for comments and changes to a document it was drawing up in order to ascertain the company's legal status.

At one point, a Home Office official asks whether Phorm and its clients will be "comforted" by the document.

Of course, the Home Office will regularly consult with private enterprise when it draws up informal guidance, especially around new technologies.

Lord West of Spithead, the government's Under-Secretary of State at the Home Office, explained to the House of Lords last year why the government had met with Phorm:

"This was an informal meeting to improve officials' understanding of the ways in which targeted online advertising could be undertaken. There was no agenda and no minutes were taken."

He added: "It would not be appropriate to provide details of that communication to a legal adviser in Phorm as we believe it is subject to legal privilege."

But anti-Phorm campaigners are questioning why the Home Office and Phorm were exchanging the document in question.

Phorm believes it is being unfairly singled out: it also believes it is the victim of an orchestrated "smear" campaign:

"Over the last year Phorm has been the subject of a smear campaign orchestrated by a small but dedicated band of online 'privacy pirates' who appear very determined to harm our company."

It has set up a website to counter these smears, called Stop Phoul Play.

The site also hints that this campaign may be the work of Phorm's competitors:

"Their energetic blogging and letter-writing campaigns, targeted at journalists, MPs, EU officials and regulators, distort the truth and misrepresent Phorm's technology.

"We have decided to expose the smears and set out the true story, so that you can judge the facts for yourself."

The company has also accused one of the leading campaigners of being a "serial agitator".

This is a battle with no sign of a ceasefire, with both sides settling down to a war of attrition, and with governments, both in the UK and the EU, drawn into the crossfire.


  • Comment number 1.

    How on earth is this story still rolling on ?


    It is spyware, the EU says it's illegal and now the company has started smearing its opponents.

    GO AWAY ! You are not wanted and we will refuse to continue to do ANY business with ISP companies which use this technology.

    Since they are an American company, let me put it in language they will recognise.


  • Comment number 2.

    Also why doesn't 'Stop Phoul Play' have a proper direct email contact person ?? So we can tell them directly what we really think ??

  • Comment number 3.

    They don't need email; just post your comment here, they'll pick it up on its way through :-)

  • Comment number 4.

    All these agitators complaining about a British company creating British jobs should be ashamed of their traitorous behaviour.
    Time they found a real issue to waste their time on.

  • Comment number 5.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 6.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 7.

    Phorm are trying to create the myth that the only people opposed to their system are an organised group of protesters lead by Alexander Hanff and in the pay or under the influence of their business rivals.

    Phorm want you to believe that ordinary individuals either want their system or have no opinion. That is simply not the case.

    I have objected to the use of Phorm's system since their secret trials with BT were first uncovered but I am not part of any organisation or group and I act entirely as an individual. I am not a member of any forum, blog or group that is in any way connected to this subject. My last involment with any forum was on BT's own support forum but that was censored by BT and they now ban all discussion of the subject in any context. I am a BT customer - that's my only commercial connection to this issue - and I'm the one paying them rather than the other way around.

    Over 20,000 people signed an official Downing Street petition asking for control of DPI systems like theirs and Phorm are now claiming - on their new website - that "The website managers at 10 Downing Street recognised their mistake in allowing a misleading petition to appear on their site, and have since provided assurances to Phorm that they will not permit this to happen again."

    If that is true it would appear that "collusion" is inderstating the situation. If Downing Street relly has arraged with a company to surpess future petitions that moves the relationship in to areas of conspricay and corruption.

    If it's not true I hope that Downing Street will act swiftly to remove this claim from Phorm's website and prevent them from making any more of these claims.

  • Comment number 8.

    Smearing opponents seems to be in vogue at the moment, so I can see the rationale behind Phorm's idea for this site.

    However, Phorm are the ones who have been planting stooges in online forums, whispering into politicians ears, conducting secret trials... not those campaigning for our privacy.

    I'd like to declare my interest in this as purely that of a member of the public. I have no connection to any competitor of Phorm, or indeed any advertising service.

    Hamsterwheel, can you declare your interest please? A lot of us know you from old and you have, at various times, declared that you are a Phorm shareholder and/or employee (your drunken rant on nodpi was a classic btw).

  • Comment number 9.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 10.

    PHORM is dying...

    "Liberal Democrat home affairs spokeswoman Baroness Sue Miller told the BBC the emails made her jaw drop, and that "anything the Home Office now says about Phorm is completely tainted"."

    Can someone please 'put it out of its misery' - Quickly.

  • Comment number 11.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 12.

    I've just been reading the "Phorm Service Privacy Policy" off their website, and I've immediately spotted a problem with it:

    The system collects data and assigns it to a randomly-generated user ID, that contains no personal data. This is good.

    But it leaves a cookie on your computer, that contains the user ID information. This is *very* bad, as it means that Phorm is creating yet another way by which people intent on gaining illegal access to personal data can do so.

    However - I also note from their site: "Phorm ignores any numbers longer than 3 digits, to avoid capturing credit card numbers/phone numbers", and "Phorm does not collect IP addresses."

    Simple solution then - someone develops a Firefox plugin to automatically convert a web address to an IP, and then Phorm becomes unable to track anyone who uses it.

  • Comment number 13.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 14.

    There is now way I will ever connect to the Internet through an ISP which enables my Internet connection to be intercepted by an advertising company, answerable to no one.

    Phorm must be stopped, if MPs give it a provisional all clear, one would have to question their motives, although their actions in recent times shows that their motives is their own wellbeing, and financial gain.

  • Comment number 15.

    Tens of thousands of people signed a petition in protest against Phorm's business model so I fail to see the logic in attributing their troubles to a few agitators.

    The fact is, people like humble old me, or giants like Sir Tim Berners-Lee, recoil in disgust when they understand exactly what it is this company wants to do.

    This is no protest against advertising, but against the little black snooping boxes that companies like BT are allowing Phorm to put on their networks.

    And it seems our friends in Korea are now targets as well.

  • Comment number 16.

    On a related point, doesn't the BBC have some sort of 'trade mark' or 'service mark' for the term 'WebWise' with that funky little spider ??

    If so, why aren't they suing Phorm for breach of trademark ?? Or at least making much more of a fuss to state clearly that they don't endorse 'Phorm' and that BT Webwise has NOTHING to do with them ??

    Many consumers who are not 'tech-savvy' may be under the impression that WebWise is a BBC 'trusted brand' and therefore give it a 'benefit of the doubt' it does not deserve.

    Come on BBC ! Explain the situation to the general public !

  • Comment number 17.

    I think the issue is simple here:

    If you have an account with an ISP that is intending to deploy the Phorm technology, then you will be able to opt out of having your web traffic profiled, but you will *not* be able to opt out have having your web traffic intercepted, collected and stored.

    Personally, despite the assurances af Phorm and others, I believe this to be illegal and will be opting out by the only means that I can see is open to me: I WILL NOT purchase my broadband services from an ISP that considers deploying Phorm, and would suggest others with concerns about this thechnology to do likewise.

  • Comment number 18.

    Oh, Phorm - I just read all of your "Stop Phoul Play" website. I'm astounded.

    1) You post something up as "by someone disguised as "FightingfromWithin"." And yet, you don't identify the person writing your site, or have any meaningful contact details. Therefore, in the interest of fairness, please amend your posts to read "by someone disguised as "Stop Phoul Play".

    2) For an international company to stoop to personal attacks to meet their aims is laughable. Further, congratulations on alienating everyone who reads your site, in the wake of the McPoison fiasco.

    3) Your past business practices demonstrate how small your commitment to privacy is, regardless of how many times you claim it is a privacy-compatible system.

    4) You base an assertion that those opposed to Phorm are a very small vocal minority on the grounds that one protest attracted only 8 people. Given that the first I knew of any protest was today, and I like to think of myself as well-informed, I think your conclusion is erroneous.

    5) The Downing Street petition website is not for yourselves to administrate, there are people employed already to do that. There are hundreds of petitions on there that I disagree with far more than I object to Phorm - do you see me trying to censor these people as you have?

  • Comment number 19.

    This is nothing compared with what our MEPs and bureaucrats are doing in the name of consumer protection in Brussels as we speak.

    On May 5th, MEPs are voting on EU Telecoms Package which includes several in the UNiversal Service Directive, which will allow ISPs to decide what websites and datastreams can be blocked, as long as they inform us in the small print. Known as the AT&T amendments they have been drafted by UK Civil servants and MEP Malcom Harbour.

    Furthermore, the promises of hard opt in to services like Phorm is reduced to assuming acceptance of cookies is an expression of your wishes. Visit Blackouteurope or laquadnature for more detail. There are Citizens amendments being promoted.

    Please write to your MEPs. Do your bit to save the web.

  • Comment number 20.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 21.

    Hamsterwheel: British jobs?

    Phorm: ........ lucky to have a first-class team in Moscow. It is entirely normal for international companies to operate development groups overseas, e.g. in India, the far East, and central Europe, and Russia is of course pre-eminent in software development.

    The group in Moscow is an integral part of the Phorm team. Under the direction of Phorm's UK headquarters, and with colleagues from the UK and USA, they have helped us to build a world-class technology product.

    So, that's Moscow, near Surbiton, then?

  • Comment number 22.

    A warning for anyone thinking of visiting the StopPhoulPlay website.

    The site has a link to a non-existent privacy policy. If you try to follow the link it takes you to Phorm's commercial website and the privacy policy there only covers the domain.

    Phorm are in the business of scanning information about visitors to websites and were previously known as 121Media - a spyware producer. Now they are openly operating and publicising a website that doesn't even claim to offer visitors any privacy or protection. You put yourself at risk by visiting the StopPhoulPlay website and you should block access from any commercial computers to avoid the obvious risks of malware and data theft.

    If you do visit StopPhoulPlay, be sure to delete all cookies afterwards and run a virus/malware scan just to be on the safe side.

    Especially bear in mind that their whole site is built on information that they have scanned the internet to find and use - including taking data without consent from sites such as NoDPI that specifically state that Phorm may not extract any information. Unless you are happy to provide Phorm with personally identifiable information with no right of redress under any form of privacy policy, do not visit this site.

  • Comment number 23.

    LegendHamsterwheel : Phorm are not a UK company, they are simply listed on the UK stock market. Their origins are in a US company who were were known for peddling spyware and a lot of their technology comes out of Russia. They are not going to create many UK jobs at all and their product relies on third parties such as the BBC producing websites and then intercepting people reading those sites to work out what interests them so that on partner websites they can target adverts at you.

    Many people who run websites object to their material being used by third parties to make money. Phorm have said that you can stop your site being scraped by blocking ALL search engines.

    As someone who pays his TV licence I object to my money being used by the BBC to create a website then a private company using that information to make money.

    Wikimedia and some other large sites have formally requested to have their domains permanently excluded from Phorm's scraping technology. I wait hopefully for the BBC to announce that they have done the same.

  • Comment number 24.

    As the person who created the petition on the 10 Downing street website, I'm quite upset at how Phorm have chosen to characterise it on this 'smear' website they have setup. They have it portrayed as though a group of 'anti-Phorm privacy pirates' (whatever that means ?) got together and worded the petition to be dilberately misleading in an effort to damage Phorm, they also go on to basically alledge that it was desecrating the tradition of raising popular petitions against percieved miscarriages of justice.

    Let me set a few facts straight, I created the petition myself, having had no contact with any other antiphorm people. I had no intention of missusing or desecrating anything and never setout to be in anyway deliberately missleading in how I worded the petition. Maybe it isn't worded in the best way, but I still don't see what is wrong with what I petitioned the government about, I basically asked for technology such as Phorm to be investigated and for Privacy laws to be changed in order to protect peoples privacy. I guess Phorm have some kind of issue with that sentiment. I'm just a normal person who is concerned with the way the Phorm technology works, what is so wrong in me raising this concern in the form of a petition ?

    The site further goes on to try and discredit the petition by mentioning multiple signups and then referencing the small number of people who signed up in relation to ISP subscribers. But the fact is that the petition ran for a year and sat in the top 10 petitions on the 10 downing street website for most of that time (I believe it was the 4th most signed petition when it closed).

    I mention this because it is only one part on this smear website, but if Phorm cannot even get there facts right on this one issue, then how can they be trusted on anything else they have put on the site. It is disgraceful the way Phorm as a company seem to be going after individuals in an effort to discredit them. Is this really a company I would trust with having access to all my online viewing habits, I think not.

  • Comment number 25.


    I'm glad that you were able to post here with those details.

    Unfortunately Phorm's offensive website has no facility for comments or corrections so they will continue to print their accusations without having to worry about trivial details such as accuracy or honesty.

    While I'm here...

    I want to say thanks to Darren Waters for covering this story and providing comprehensive links for people who want to check the background details for themselves. It can get rather confusing trying to follow events without being dragged into one side or other of the arguments and a piece like this makes it much easier for everyone.

  • Comment number 26.

    "Simple solution then - someone develops a Firefox plugin to automatically convert a web address to an IP, and then Phorm becomes unable to track anyone who uses it."

    The WorlWideWeb works by converting an IP to a www. address! Try putting into your browser and see what happens!

    I would not comment on something unless I understood how it worked. Perhaps you should do the same to avoid looking completely stupid.

  • Comment number 27.

    Quite apart from the "users" objecting to being snooped on, Phorm do themselves no favours in the world of webmasters either, by their unethical method of trawling websites to find the information they use to "categorise" them. Of course, no commerical web site would ever voluntarily wish their content to be handled this way, since it will be used to redirect customers to competitors' web sites, but this is not the first time that this sort of issue has come up, so there is a well-defined industry standard to allow web sites to control which "robots" they wish to access their sites. This system is well-known, well respected and easy to use, but relies on each trawling system using a unique name, and respecting explicit requests for it not to trawl sites at which it is not welcome. Unfortunately, Phorm have "decided" that they will not abide by these rules, and instead masquerade as Google and/or Yahoo!, so that they give themselves permission to search any site which wishes to indexed by (useful) search engines.

    This approach does rather sum up their ethical users really wish to trust their private browsing habits to a firm which doesn't even respect basic rules of the web?

  • Comment number 28.


    How sad, you pick on the single, least-relevant part of my post, that was a throwaway comment, largely unrelated to the title. Anyone who knows how the internet really works would recognise this as a non-serious comment anyway - I seriously doubt Phorm would use something so mundane as the browser address to determine where you're going.

    Hate to say it though - but you're the one misunderstanding how the web works. [Unsuitable/Broken URL removed by Moderator] is passed to a DNS server, which then converts that to the appropriate IP address - this is the exact opposite of what you describe. To state this clearly - is meaningless to the internet - it's just a name associated with the relevant IP.

  • Comment number 29.


    They don't respect any kind of basic rules of the web - including anything resembling best practice in website design!

  • Comment number 30.

    Can't these people take a hint ??

    Why do they want to go where they are clearly not welcome ??

    Can they not see that they and their snooping spyware have overstayed their welcome ??

  • Comment number 31.


    D'oh, this was supposed to be post 28, but I did something bad :) Hopefully I haven't broken any similar rules this time - there are no web addresses this time, promise!

    Right - I'm sad that you picked the least-relevant part of my post to talk about, and one that's a fairly obvious throwaway comment, but...

    When I put a www. address into my browser, that is sent to a DNS, which converts that into the appropriate IP. Not the other way around.

  • Comment number 32.

    Phorm claim that their system has enhanced privacy because IP adresses are not stored and neiter is any identifiable information that can be traced back to a living indivdual but this claim has a huge flaw.

    IP addresses are accepted as bring "Personally Identifiable Information" - PII for short - and should not be used or stored by anybody without our consent and only then under a strict set of guidelines.

    Imagine being given the following information..

    A man lives next to a canal.

    He visits Stroud County Councils website when he wants to dispose of an old fridge.

    He looks at Jeep service centres for green paint.

    He also looks at the BMW dealers website ion the new cars section.

    He looks at the website for a list of upcoming entertainment at a pub called "The Pilot".

    He posts a picture entitled "View of the old oil refinary from my front window"

    He visits the Mothercare website looking at items suitable for a newborn.

    He looks at the Hardwicke Garden Centre for hanging bac=skets containing fuscias.

    With no more information than that, I could find the address of the person. I would look at the dozen - at most - houses that overlook the old oil refinary site that is in Gloucestershire - about 200 hundred yards from the Pilot Pub and about a mile from the Hardwicke Garden Centre. I would look for a house with a green Jeep parked outside - one with a few sratches - and new hanging baskets outside. I would guess that someone in that house is probaly pregnant. I would also guess that there is a reasonable amount of disposable income - has to be to afford a new BMW. Without very much effort I could get the name and telephone number of the person. I would already know that they are a BT customer as I am working on their network and I know the format for BT issued email addresses so I could reasonably expect to have that detail very quickly.

    Without any PII I have now got enough information to identify an individual. It's not difficult - I know because I used to work as a debt collector and traced people with far less information.

    The facts of the matter are very simple. Does any company - ISP, their agents or any external operator - have my best interests at heart when they use a DPI system in this way? If not, then they should not be allowed access to anything that I do, read or say on-line. It's not enough to say that it's better than an alternative - it's got to be right first time.

    Privacy is not the same as secrecy - it's about our right to conduct our lives in a lawful way without having anyone - commercial or government - watching what we are doing. Ultimately, it's none of Phorm's or BT's business what I do with my internet connection provided I stay within their terms and conditions.

  • Comment number 33.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 34.

    Phorm want you to believe that ordinary individuals either want their system or have no opinion. That is simply not the case.

    Unfortunately, Phorm have "decided" that they will not abide by these rules, and instead masquerade as Google and/or Yahoo!, so that they give themselves permission to search any site which wishes to indexed by (useful) search engines.How can that be accepted? I have objection to that!!!
    [Unsuitable/Broken URL removed by Moderator]


The BBC is not responsible for the content of external internet sites