Darren Waters

Phorm's devil is in the detail?

  • Darren Waters
  • 17 Mar 08, 13:57 GMT

The controversy over BT, Talk Talk and Virgin's plans to introduce technology by US firm Phorm which monitors web behaviour of users in order to target adverts shows no sign of diminishing.

More than 5,300 people have now signed the Downing Street e-petition, expressing their concern about the technology.

Tim Berners-Lee, the architect of the web, has even contributed his opinion; although he was speaking about such systems in general, rather than this system in particular.

Privacy advocates have been pouring over every detail of these plans, and asking very particular questions about how the technology works, and debating wider issues about the nature of privacy and personal data.

A lot of the debate and analysis is taking place in the mailing lists of UK Crypto discussion group.

The Register has also done a thorough job and has turned up some strong news lines, the most recent of which is BT's admission that it conducted a technical trial last year without the knowledge of customers.

The Register suggests BT "mis-led" customers last year about its involvement with Phorm.

If true, this may damage people's trust in BT but really has no impact on the technology and how it works.

We've had a fair sprinkling of e-mails about Phorm in the last few weeks. Some of them have urged us to almost take sides on this story, which of course we can't do.

We have to be balanced to both sides. Yes, we have a duty to readers to get to the heart of the story, but we can't assume guilt, or foul play etc.

There's also a question of detail - how much is too much for a mainstream audience? I think we've covered the key points very well, and the main issues. But you may have another view.

We are still following this story - as the Tim Berners-Lee news I hope shows.

And there are still unresolved questions that we are chasing answers on:

Will BT and Virgin make Phorm opt in or opt out?

Do website owners need to give their permission for their pages to be "trawled" by Phorm's Profiler?

If there are other questions you have, please let me know.

UPDATE: BT have contacted the BBC to ask us to change a reference in this blog in which we quote The Register's story. We have changed it only because the sentence was quoting the Register's headline, which the site itself had changed.


"Do website owners need to give their permission for their pages to be "trawled" by Phorm's Profiler?"

Speaking both as a designer and content provider, if it's even remotely possible to decline such permission I'll be one of the first to do so.

Most of the sites I design and run are under Creative Commons licensing - and all of those sites are "No commercial use". I'd consider such profiling to be using my content for commercial purposes and a violation of my site's terms and copyrights.

What *really* worries me is the implications Webwise will have with regards to *private* content, content normally protected by ACL policies. If Webwise allows Phorm to profile private content, then it's a whole new ball game - unauthorized access of a computer system.

  • 2.
  • At 06:05 PM on 17 Mar 2008,
  • Firefox User wrote:

The answer is in the Firefox browser.
Unlike others it allows you to block cookies from being set from those sites you know trawl your behaviour.
So Google, Yahoo, Phorm and many others are in my block list.
Plus, use a good cleaner to operate when you boot up or switch off.
These are freely available to download and ensure you always start with a clean slate when you log on.

Where I go and what I do is no ones business but my own.
There is too much information gathered about people as it is.

  • 3.
  • At 09:44 PM on 17 Mar 2008,
  • David wrote:

From what I've understood Phorm's approach actually reads/interprets what you get back from the website. Since that will depend on a user's request, session cookies, etc. then it seems almost impossible for Phorm not to end up reading material that the user and webpage designer would expect to be only readable by them, at least as confidential as a letter sent by post. For instance many many people still use unencrypted web-based email. Phorm have said that they recognise "private data" but since there are any number of potential ways webmail can be delivered it seems unlikely they can avoid everything. So. if Phorm's filters do not recognise someone's web-based email as being such then that someone will be marked down as interested in everything the spammers happen to send them.
Then said person visits his granny, uses her computer to check his mail, and from then on her net-environment will afflict her with targeted adds for reproductive pharmaceuticals, cheap Rolexes and making money fast..

  • 4.
  • At 10:34 PM on 17 Mar 2008,
  • Ian Kemmish wrote:

I use ad-blocking software (Pith Helmet for Safari). Even if my ISP were passing information about me to Phorm, it would merely be clogging up their system, and costing them money to store.

  • 5.
  • At 11:10 PM on 17 Mar 2008,
  • What's that stealing my data wrote:

As a professional web developer responsible for more than a number of commercial websites the idea that Phorm could profile visitors to our websites and offer our competitors (unless we pay Phorm) sites as adverts is something I have to say seriously concerns me. We have no advantage in allowing this system to profile our customers and offer them alternatives we would absolutely prevent Phorm from accessing our sites, unfortunately how to do this is unclear, if at all possible.

  • 6.
  • At 11:31 PM on 17 Mar 2008,
  • Clive wrote:

This monetising data grab, and the questionable marketing practices of ISPs, has brought to the fore the need for proper regulation of the sector.

The internet is no longer an entertainment frippery, it's a utility as essential to the economic well-being of this country as energy and water supply are.

The terms that ISPs are allowed to operate under need to be rigorously codified and then strictly applied, so that businesses and the public have clarity about their rights and responsibilities.

  • 7.
  • At 06:56 AM on 18 Mar 2008,
  • Jim_UK wrote:

The Foundation for Information Policy Research have written an open letter to the Information Commissioner claiming the whole thing is illegal.

I for one will leave BT the minute this awful thing goes live, minimum contract or not.

  • 8.
  • At 08:49 AM on 18 Mar 2008,
  • Donald wrote:

I'm not a lawyer, but how is Phorm profiling websites in order to sell advertising different to search engines such as Google, Yahoo, etc profiling websites in order to sell advertising. As such and since stuff on the web is publicly available, I don't think there's much website owners can do to prevent this.

The personal privacy angle is the one which interests me. When you sign into a website you are implicitly agreeing that they can collect some data on you, if only how often you visit their site and what pages you look at. I would definitely prefer Phorm to be an opt in service, especially given the wide ranging scan it can do.

After all, if it wants to collect private data from me it has to pay me for the information, especially since the information has value to Phorm. I'm afraid I don't place much value on better targeted adverts, and I'm not looking for more phishing protection, so I can't see that Phorm is currently offering me anything I want in exchange for what it wants.

  • 9.
  • At 08:49 AM on 18 Mar 2008,
  • David G wrote:

Yes you have to be balanced, but could you at least do some investigation ? The early BBC report was little more than a reprinting of a Phorm press release.

It was only after 'the vociferous minority' began to point out the issues with this that the media changed tack.

Kudos to The Register and its readers, who have moved this story on.

  • 10.
  • At 10:36 AM on 18 Mar 2008,
  • David Donachie wrote:

As the owner of a number of websites I too would be amongst the first to deny Phorm access to my content if a way was provided to do so, just as I already deny access to search engines. Even if Phorm does not bother to give this ability I will try my best to protect the privacy of my users by blocking it anyway, if it is technically possible.

Invasion of privacy in the UK has become almost casual in its ubiquity, it's long past time we took a stand against it.

  • 11.
  • At 12:44 PM on 18 Mar 2008,
  • Alex @ Phorm wrote:

In response to post #7, we don't agree with FIPR's analysis. And its description of the Phorm system is inaccurate. Our technology complies with the Data Protection Act, RIPA and other applicable UK laws. We've sought our own legal opinions as well as consulted widely with experts such as Ernst & Young, 80/20 Strategic Thinking, the Home Office, Ofcom and the Information Commissioner's Office (ICO). We discussed our system with the ICO prior to launching it and continue to be in dialogue with the organisation.

There's loads more information on the technology at and the Phorm CEO is holding a live webchat on Thursday at 1.30pm - the URL is

Phorm Comms Team

  • 12.
  • At 01:07 PM on 18 Mar 2008,
  • Matt wrote:

Donald said: "I'm not a lawyer, but how is Phorm profiling websites in order to sell advertising different to search engines such as Google, Yahoo, etc profiling websites in order to sell advertising. As such and since stuff on the web is publicly available, I don't think there's much website owners can do to prevent this."

I think the difference is twofold: First, where Google and Yahoo! include adverts on webpages it is done so with the direct cooperation of the website owner, who will be remunerated for adverts clicked on by users. The Phorm process seems to not depend upon the consent of web publishers whose users Phorm is profiling, and wouldn't offer them any financial reward.

Second, the means by which user data is captured is quite different to any currently existing systems as users' web browsing is analysed by Phorm by monitoring all the information sent between the ISP and the user. Once operating this method wouldn't be dependent on any browser cookies, and would capture far more data than any methods currently used by Yahoo! or Google.

  • 13.
  • At 04:08 PM on 18 Mar 2008,
  • Dan Negus wrote:

The Data Protection Act 1998, Part 2, Section 11 states...

"Right to prevent processing for purposes of direct marketing

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"

Email your ISP stating this and prevent them from using the data.

  • 14.
  • At 05:49 PM on 18 Mar 2008,
  • Dane wrote:

In Response to Post #11:

Firstly, as you work for Phorm you are biased and of course you won't agree with the FIPR's analysis.

Secondly, saying that Phorm complies with the law is only one important aspect, on which only time will tell if it does or not.
The critical aspect in my view is the ethical and morale aspects of this software.
Why should the general public have their information gathered regarding their web site usage? And don't start the argument 'it will lead to more focused adverts' cause I think most people hate adverts generally, focused or unfocused: I know I do.

Ultimately, this is just another exercise for companies to find new, or improve current revenue streams. The general public will never get any money from this, or from what I can tell, any benefit at all.

Yes there are many ways to block this, but that isn't the point. The point is should it be allowed full stop?
My answer would be no.

..I'm not even hanging round to watch the results as they come in..

BT ISP duly switched after 7 years happy customer..

  • 16.
  • At 11:08 AM on 23 Mar 2008,
  • kudos wrote:

In Response to post 11 by "Phorm Comms Team" If you are so open and honest why don't you admit that posts by this team are by a PR organisation paid by Phorm to offset the anti phorm posts. You seem to know little technically and that is why you seem to have stop posting on "The register". The Register is for technical people and they saw through your pre scripted articles and the replies posted by you!

  • 17.
  • At 12:12 AM on 24 Mar 2008,
  • Pedro Cadiz wrote:

In response to post #11.

I'm glad to see that someone from Phorn is viewing these comments. Perhaps they will get the message that their system is unwelcome.

Internet users do not want their browsing habits profiled. We don't want targeted advertising on the internet. Internet traffic is chocked enough by spammers.

As for the claim that Webwise will protect from phishing sites, there are other tools that can do this without advertising.

I for one, refuse to buy anything from online advertising, except for from mails from companies that I have already dealt with and trust. I also completely ignore all mails, genuine or not from banks. If everyone took this view then phorn / spamming / online fraud would be far less profitable.

  • 18.
  • At 08:46 AM on 03 Apr 2008,
  • Mike wrote:

Your comment about having to be neutral infers that the BBC may under no circumstances question the legality of anything? this is just not true! You [The BBC] are not a press release reproduction service, you can print the concerns of the people they do exist! this is not china!

Dear Firefox user, the tracking system uses cookies but it monitors you without using cookies, so you will be served random adverts but you will still be monitored.

This post is closed to new comments.

The BBC is not responsible for the content of external internet sites