Darren Waters

The Phorm privacy debate - London

  • Darren Waters
  • 15 Apr 08, 18:33 GMT

I'm at the Phorm privacy meeting in London, where the creators of the controversial online ad system are coming face to face with some of their most vocal critics.

I'll be blogging throughout the meeting with key impressions and writing a report on the meeting for Wednesday's news pages.

UPDATE 20.43:
That's a wrap. News story up tomorrow morning.

UPDATE 20.12:
Mr Hanff says: "Phorm has to be opt in. You can't take implied consent on a human right."

Mr Hanff argued that privacy is a human right.

He added: "I'm concerned about the potential future use of the technology and the potential for creep."

UPDATE 20.06:
The final speaker is Alexander Hanff, someone who has campaigned against Phorm.

He says: "What Phorm is trying to do is to turn people into products; a global warehouse selling pieces of us to highest bidders."

UPDATE 19.53:
Phorm's technical officer Mark Burgess takes to the stage.

He emphasises that Phorm does not "compromise the user experience".

Responding to concerns that Phorm can cause some page requests to bounce back and forth between the destination website and the Phorm system, he says that happens in less than 1% of the browsing experience.

UPDATE 19.45:
The mood of the meeting is very good. There are about 100 people here, in case you wondered.

UPDATE 19.38:
Dr Clayton wraps up saying: "It has to be informed opt in. I don't think it improves the stability of the internet. I think it's downright illegal in the UK."

UPDATE 19.25:
Dr Richard Clayton, who has said Phorm is potentially illegal, says Phorm is making the internet more dangerous and not safer.

He also says the system is counterintuitive because it uses a cookie to opt out, not opt in.

"Deleting cookies means you delete the cookie that opted you out and so you opt in. This is backwards and not helpful."

UPDATE 19.17:
Mr Ertugrul concludes by tackling the issue of legality and whether Phorm breaches RIPA because it makes an illegal interception of people's browsing.

He makes the point that the body which is questioning Phorm's legality with respect to RIPA is the same body which attacked RIPA when it was first being proposed by government.

UPDATE 19.02:
Kent Ertugrul says Phorm can transform online advertising, helping everyone from blogs to newspapers because the ads are targeted to the user not to the content on the page.

"The internet today is two to three professionals - Microsoft/Yahoo/Google and 9,999,999 hobbyists. That is the internet today.

"Phorm makes all websites capable of making a living by publishing interesting content to consumers who get it for free.

"Even the smallest website can make money. That is a big deal."

UPDATE 18.53:
Phorm CEO Kent Ertugrul takes to the stage.

"We're saying this is a revolution in privacy. And I hope to convince you of that.

"We cannot know who you are - it's impossible."

UPDATE 18.44:
Simon Davies, of 80/20 Thinking, which carried out a privacy impact assessment on Phorm, introduces the session.

"This meeting cannot possibly resolve the issue of legality. It's the elephant in the room.

"But unless there are senior legal counsel here to reflect we will end up with a bunfight.

"It's a crucial issue. But I don't want us to get bogged down in a legal quagmire that results in us having no outcome."

He added: "Hopefully at the end we can reach some sort of conclusion about how to move forward."

UPDATE 18.37:
PR exercise or genuine attempt to engage with the public? Perhaps both?

Attendees are handed a document from Phorm upon entering the meeting which compares Phorm with major search engines.

It makes the point that Phorm does not store any personal data while search engines do.

It's a fair point. But it's not the point that critics have been making for some weeks now.

They question if it's legal. They question the ethics of having an ISP snooping on your browsing activity full stop.



  • 1.
  • At 07:28 PM on 15 Apr 2008,
  • Tim wrote:

How many people are there?

  • 2.
  • At 07:41 PM on 15 Apr 2008,
  • P Fiennes wrote:

It has to be a total Opt-In system with nothing going to any PHORM server or capcha software on the ISP server if a user decides to opt-out, it should also not be cookie based.

A response from the EU regarding PHORM:

'The Commission is aware of the activities of the company Phorm in the UK, concerning the analysis of internet traffic for advertising purposes, the agreement between Phorm and major internet service providers in the UK and the concerns that have been raised about the effects on privacy of these activities. Privacy and the protection of personal data are fundamental rights of the citizens of the EU. They are enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights, and also protected by the European Convention on Human Rights and the related instruments of the Council of Europe, to which all EU Member States are signatories.

The general principles for the protection of personal data are defined in Directive 95/46/EC and complemented and particularized for electronic communications by Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive).

The ePrivacy Directive obliges Member States to ensure the confidentiality of communications and related traffic data through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and the related traffic data by persons other than the users without their consent, which must be freely given, specific and informed indication of the user's wishes. The data concerned in this particular matter i.e. the content of search queries, constitute communication within the meaning of this Directive and the URLs used in the packets constitute traffic data. This data should therefore be protected appropriately.'

  • 3.
  • At 07:46 PM on 15 Apr 2008,
  • Craig wrote:

Good job Darren.

Please, if you get the opportunity to see comments before the q&a can you try and get an answer on how they can call this meeting anything other than a PR exercise if they refuse to answer any questions on the legality of the system?
These points will form the mainstay of Alexander Hanff's speech and they have already dismissed the issue on the grounds that they have no legal counsel. They surely have an opinion as to why they are within the law.

Simon Davies promised me that he can be trusted to 'do the right thing'. He's already done the wrong thing by making a farce of the meeting by whitewashing the only reason the public have issues with it. Legality.



Darren to give you live feedback from the Cable forum where Alexander (on stage there) is a member as we didn't get the live video feed that was requested.

Florence CF member reports her email response from Simon Watkin "home office"


Simon Watkin: Firstly, I should explain that the Home Office was approached by a number of
parties, both technology providers and ISPs, seeking a view about issues
relating to the provision of targeted online advertising services,
particularly their relation to Part 1 of the Regulation of Investigatory
Powers Act 2000 (RIPA). In response to those requests we prepared an
informal guidance note.

That note [1] (which you've read) clearly states it should not be taken as a
definitive statement or interpretation of the law, which only the courts can
give. Equally it wasn't, and didn't purport to be, based upon a detailed
technical examination of any particular technology.

There are many variations on how the technology can be deployed: for example
whether the end user is asked to opt-in or opt-out, whether or not the
record of a user's interests can be linked to an identifiable individual,
and whether or not the technology immediately discards the reason why a user
is considered to be interested in a category of advertising.

As much as we were saying was, that in relation to RIPA, we considered it
**may** be possible for such services to be offered lawfully - but it all
depends on how they are offered and how they work."

"> > .... you are opening a whole Pandora's box with this ruling which might
> > come back later on and bite you back.

Simon Watkin: It's not a ruling. It's not advice. It's not a legal opinion. It's a view
and - repeating myself - all it says is it **may** be possible for such
services to be offered lawfully."

  • 5.
  • At 08:58 PM on 15 Apr 2008,
  • Ron Hughes wrote:

My browsing habits are MY property, not for some organisation like Phorm to harvest for free, then sell on.

If an organisation wants to know where I browse, let them pay ME.

  • 6.
  • At 09:08 PM on 15 Apr 2008,
  • Paul Hancocks wrote:

It's wrong. It's obviously wrong when so many false truths are told about the journey to where we are today, when there are so many questions about actions already taken, about the decisions being taken now and the policies and processes in the future.

Most of the population is too ignorant of the detail to understand the impact of what we do now on the future. That's what is scary.

And we don't see those in power dealing with this challenge on freedoms today with enough focus to resolve the big questions.

Credit where it is due, to those who have given their time and applied their knowledge to this complex area. Raise a glass to Clayton, Alex & Co!


  • 7.
  • At 09:10 PM on 15 Apr 2008,
  • Mark V wrote:

Thanks for doing this Darren. So many of us had no chance to get there given the fairly short notice and the early start time. (No real chance if you work outside London).

"But unless there are senior legal counsel here to reflect we will end up with a bunfight."

So why didn't 80/20 or Phorm arrange one, to go on public record, rather than dismiss one of the key issues?

  • 8.
  • At 09:10 PM on 15 Apr 2008,
  • Alan Parker wrote:

There's nothing to debate. Phorm/Webwise *MUST* be stopped at all costs. My hope is that someone (or some group) with very deep pockets will hit this bunch of criminals where it hurts!

  • 9.
  • At 09:17 PM on 15 Apr 2008,
  • Andy wrote:

The same argument that has been dodged before when pointed out is still pertinent - if the system is so great and such a benefit to customers, then make it opt-in and it will sell itself on its merits.

Let's not be pandering to the sales noise - this isn't really about helping customers, it's about making money for the people involved. That is what data mining does.

I for one do not need Kent's help in evading phishing sites for instance - I never fell foul of his adware in the past despite being called on to help and educate others about the dangers of allowing companies like his through their doors. This is why Phorm is being so over sold, being made opt-out (but not really opted out) and why it's so dangerous. It's about making money, Kent has seen a way of data mining without the consent or free-will by the customer to install his toolbars etc.. he's fully expecting to gain the same results via the backdoor.

He is in my view, a criminal on the loose. Neither I, nor the people I know require his 'help' or advertising methods - incidentally, none of the people who come to me end up seeing adverts on the internet except for sites who deserve it... Phorm, webwise, Kent... not included.

  • 10.
  • At 09:35 PM on 15 Apr 2008,
  • Patrick wrote:

Thanks for your coverage this evening, but why no coverage of the Q&A session after?

My vote is for PR exercise.

Phorm still refuses to answer to the theft of content, how content owners can block it (since it identifies as the users themselves), and how it plans on abiding by the legally binding licenses we publish under.

Right now, Phorm will be akin to you going to the Library, asking the librarian to fetch a book for you, and on the way back she photocopies it and hands the copy to Phorm.

Publishing online does *not* grant permission for Phorm to copy.

RIPA aside (and content owners are specifically denying consent), it still boils down to copyright infringement.

  • 12.
  • At 11:06 PM on 15 Apr 2008,
  • Kevin T wrote:

Hi Darren

Why no coverage of the Q&A session?

  • 13.
  • At 11:28 PM on 15 Apr 2008,
  • Khoa Huynh wrote:

Phorm is a violation of privacy and I shudder at the amount of personal data that Phorm is gathering on the uneducated masses.

It's a vile idea and those ISPs who use it should be condemned.


  • 14.
  • At 12:11 AM on 16 Apr 2008,
  • Clive wrote:

There really was nothing to debate. Unless specific, informed, consent is given to intercept data then the system is in breach of legislation, both in the U.K. and Europe wide.

The cookie system is not fit for purpose as an opt in or out. If the opt-out cookie crumbles, for whatever reason, then the legislation is immediately breached, putting aside the fact that interception is required to read the cookie in the first place.

If the ICO or Home Office won't act on this then perhaps the EU will.

As the EU Commissioner for Information, Society & Media states, 'The ePrivacy Directive obliges Member States to ensure the confidentiality of communications and related traffic data through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and the related traffic data by persons other than the users without their consent, which must be freely given, specific and informed indication of the user's wishes. The data concerned in this particular matter i.e. the content of search queries, constitute communication within the meaning of this Directive and the URLs used in the packets constitute traffic data. This data should therefore be protected appropriately.'

  • 15.
  • At 12:33 AM on 16 Apr 2008,
  • Ad Averse wrote:

Why? Why must I have adverts targeted at me? This is the internet equivalent of junk mail.
If I happen to visit a site for a new camera I go there to see what is on offer, then maybe go somewhere else.
At the end of the day price and availability often dictates where I buy.
Opting in? Now really who is going to bother doing that when they know it is purely advertising and hard selling.
Make it opt in by default and it does not get off the ground. If any ISP makes it otherwise they are going to lose out.
How about always using a proxy IP address? How is Phorm going to deal with that apart from getting a headache!!! If the cookie is not on your machine your IP address is and you can be followed by this whether you are opted in or out.
Give this the big boot NOW

So long as Phorm is opt in, what's the problem? (excepting any laws about intercepting communications for a moment - which weren't constituted with this capability in mind).

Blyk launched last year to interest and some acclaim. It gives young people free talktime on their phone in return for them receiving targeted ads.

Phorm is just a distributed Blyk.

[P.S. Same difficulty as Michael W in submitting this post]

  • 17.
  • At 08:48 AM on 16 Apr 2008,
  • David W wrote:

So the big question is whether or not Phorm is legal, and pretty much the first words out of Simon Davies' mouth tell us to disregard the issue of legality! PR exercise, and pretty obvious at that.

  • 18.
  • At 09:25 AM on 16 Apr 2008,
  • Geoff W wrote:

The Phorm analogy with Google is flawed, I can choose not to use Google and not get profiled.

With their system the ISP will snoop 100% of my traffic, and pass this to the external Phorm servers. Even if they do implement an opt out, they will still snoop 100% of my traffic to see if I have a cookie before deciding not to pass it to Phorm.

I agree with Alexander Hanff, it's an invasion of privacy I don't want.

  • 19.
  • At 11:15 AM on 16 Apr 2008,
  • Canis wrote:

Whenever Phorm claim they can't find out who you are, because their snooping is "anonymised", with your personal data "only" associated with a unique number, not your name or address, my blood pressure rises a little further.

Anyone who actually believes this, should check out two articles: The first is the AOL Search Data scandal, which demonstrates people being tracked down from their "anonymised" AOL search history.

The second is a scientific paper, Robust De-anonymization of Large Datasets, which describes how to reverse the "anonymise data by associating it only with a unique number" technique to discover the person behind the data. The authors demonstrate tracking down users based only on which films they like.

Fundamentally, Phorm cannot honestly claim that their system is both anonymous and works: If they didn't collect personal data, they couldn't personalise adverts. What else do they personalise ads with if not personal data?

And once you have personal data, as the paper's authors demonstrate, you have the person.

It comes down to this: You can't spy on people and say you don't collect personally-identifying information. What people do online is personally-identifying, as has been repeatedly proven, and shown in the articles above.

(This point seems to be woefully under-reported...)
