A Phorm of Intrusion

While I’m complaining about Virgin Media, any of you with VM, BT, or TalkTalk as your ISP might want to read this, and if you want a techy angle on it, this as well. British ISPs seem all too ready to jump into selling anonymised web surfing data to a company with known spyware history.

For me, the interesting bit is the opt-out, which seems merely to switch off the targeted ads, unless I’m missing something. The system intercepts your HTTP requests, and sends that data to Phorm. If you’re opted out, it then discards the data (honest), but the data is sent regardless. The other issue perhaps is performance: each and every request you make is being interrupted, so let’s hope the ACE switches are fast.

If you want to, you can post on an online petition, but that seems pretty ineffective most of the time.

[edit 10-Mar-2008 20:15]

Someone has written up a wonderful analogy of the Phorm process, and now that I’ve read the tech description on El Reg in more detail, this really *does* seem to be what happens. Read it here (scroll down to SilverWave, as the direct link to the comment doesn’t work) on Bob Piper’s blog.

25 Responses to “A Phorm of Intrusion”

  1. Countrie Bumpkin Says:

    I’ve missed the deadline to sign up! It’s a bit much this I think – where’s it going to stop? Talk about big brother and big commerce. Outrageous!

  2. Phorm Comms team Says:

    Hello pigblog,

    Welcome to the fray! I’m from the Phorm comms team. If I could direct you to the following knockabout press/postings where we get clobbered, respond, people consider and come back, either with a different view, more questions or roughly the same view. In doing this I hope to jettison some of the more lurid stuff — Russians, China servers, spyware — so that we can talk about what’s at the heart of the matter: privacy and technology.

    We’ve created a technology that is a big leap forward in privacy protection. We’ve created a system that never ever needs to, or can, know who you are or where you’ve browsed. We don’t store data other than a random number, an everyday product category eg sport or travel and a timestamp. All ad serving technologies and search engines store PII in one form or another.

    What they say in order to reassure you as a consumer is: We have the data and it’s safe with us. We’re saying and doing something radically different. We’re not saying: trust us with your data, we’re saying: we don’t have the data.

    Do email us with questions (techteam@phorm.com) or come and see us if you’d like to be walked through the system.

    Best wishes

    Phorm Comms Team

  3. Countrie Bumpkin Says:

    There’s a Q & A on the BBC website about this to add to the debate.

    Phorm Comms Team: Do you hold ISO 27001 accreditation?

  4. Phorm Comms team Says:

    Whoops!

    Sorry, I didn’t include the links:
    Bob Piper’s blog
    http://www.bobpiper.co.uk/2008/03/theyve_got_phorm.php#comment-9224

    We’ve posted answers in the comments section of political penguin:
    http://www.politicalpenguin.org.uk/

    Techdirt is interesting:
    http://www.techdirt.com/articles/20080306/074534461.shtml

    Plus this piece on techcrunch:
    http://uk.techcrunch.com/2008/03/06/video-phorm-ceo-rejects-allegations-of-big-brother-tracking/

    Best wishes,

    Phorm comms

  5. stymaster Says:

    Hello Phorm Comms Team,

    Didn’t take long for you guys to turn up!

    I’m not suggesting you serve up spyware, but the head of your company has history.

    Can you confirm exactly what happens to my HTTP requests if I’m a customer of a participating ISP, first of all if I haven’t opted out, and then if I have? If I (for example) request a page from amazon.com, I expect my browser to make an HTTP request (well, several) to amazon’s servers, and then they return me some HTML. What will change *exactly*?

  6. Countrie Bumpkin Says:

    And how were you alerted to this posting on this blog?

    Also, you didn’t answer my question about ISO 27001 or are you still looking that up on Google?

  7. Phorm Comms team Says:

    Hello CB,
    No need for sarcasm! Google alerts alerted us. Google knows all. No we are not ISO 27001 certified.

  8. Countrie Bumpkin Says:

    PC: Sarcasm is an essential requirement of this site! So don’t try and be the Internet Police.

    Any company that has privacy and data integrity at heart would be ISO 27001 certified thus assuring the public of a rigorous regime for data security.

    Having read all of this and noted your prompt replies today, maybe we should insist on an ISP that does have “this facility”.

  9. Countrie Bumpkin Says:

    I meant doesn’t have this facility! Can’t type either……..

  10. stymaster Says:

    @Phorm Comms team:

    You must be new here ;-) . Welcome anyway.

    Sorry, as the Bumpkin says, sarcasm is practically a requirement. Feel free to browse through the posts and see if you can spot any.

    I’m amazed Google’s crawl hit it so fast. Now, if “Comms Team” means “Marketing and PR” you might want to peruse for my general view of marketing and sales. Sorry and all that, but I’d be more interested in a technical breakdown than all the assurances in the world that no personal data is retained. I want to know what is actually collected at the ISP, and who controls how it gets to you guys. The Reg article states that the profiler (or “Spying Box” as I’m calling it now) is operated by the ISP, but presumably it has Phorm’s code on it? Is the source code available? If not, there’s no way to guarantee it’s not spying. So it looks like I’ve answered the one question for you.

    The extra latency from the profiling and multiple HTTP requests and various conversations between the load balancer (presumably a VRRP router), the ACE, the F5 and the “spying box”? We’ll have to see.

    Please, do continue the debate. I *do* want to know, so I can make an informed choice. The way VM are going, it’s not looking good for them. (and no, this isn’t sarcasm)

    Anyway, this should be opt-in. I pay my ISP for one reason and one reason only: I want to route packets of data to and from the Internet. I don’t want “value-added” bullshit. I can spot my own phishing sites, thanks, and take care of my own email and webspace.

  11. Countrie Bumpkin Says:

    That goes for me as well – opt-in and no added value bullshit. I hate advertising and I should have the right to not have it shoved down my throat.

  12. stymaster Says:

    Hello…..?

    Phorm?

    Anyone there?

    FX: [tumbleweed]

    Incidentally, TalkTalk have stated that they will only implement the service if opt-in: and that if opted out, no customer traffic will hit the spy box.

  13. Countrie Bumpkin Says:

    Well done Talk Talk! What have you got to say about that Phorm marketing team?

  14. stymaster Says:

    Nothing, I’d guess.

  15. Chris Hills Says:

    Nothing surprises me any more. I am glad I recently emigrated to Denmark, where freedom of speech has been well-tested! When I closed my Virgin Media account, surprise surprise they still continued to bill me. I have completely lost my faith in British companies. I have had no end of trouble trying to tie up loose ends.

  16. species5618 Says:

    All is now clear, a certain major telecoms outfit and ISP have just given all the staff free internet, so now they can spy on their staff home internet use as well as from the office.

    time to install squid on my linux box for some of my private surfing

  17. stymaster Says:

    Funny you should say that.

    I did it myself a while ago. Install squid, and enable port-forwarding tunnels in sshd. Set up a forwarded port in PuTTY and point your browser’s proxy setting at that, then all your browsing gets pushed up the ssh tunnel.
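
The squid-over-SSH setup described in the comment above, as an added example that is not part of the original comment thread. It assumes the squid host sits on a network outside the intercepting ISP; the function names, user, host and file paths are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are hypothetical.

# Write a squid.conf that listens on loopback only, so the proxy is
# reachable solely through the SSH tunnel and never as an open proxy.
write_squid_conf() {
    cat > "$1" <<'EOF'
http_port 127.0.0.1:3128
acl tunnel_clients src 127.0.0.1/32
http_access allow tunnel_clients
http_access deny all
EOF
}

# Return 0 only if every http_port line binds to loopback and the
# last http_access rule is "deny all"; anything else is rejected.
squid_conf_is_tunnel_only() {
    awk '
        $1 == "http_port" {
            ports++
            if ($2 !~ /^(127\.0\.0\.1|\[::1\]|localhost):[0-9]+$/) bad = 1
        }
        $1 == "http_access" { last = $2 " " $3 }
        END { exit ((bad || ports == 0 || last != "deny all") ? 1 : 0) }
    ' "$1"
}

# Print the client-side command: forward local port 3128 to the
# loopback-bound squid on the remote host (-N: no remote shell).
# sshd on that host must permit it (AllowTcpForwarding yes).
tunnel_command() {
    printf 'ssh -N -L 127.0.0.1:3128:127.0.0.1:3128 %s@%s\n' "$1" "$2"
}

# Typical use:
#   on the squid host:  write_squid_conf ./squid.conf
#                       squid_conf_is_tunnel_only ./squid.conf && echo ok
#   on the client:      run the output of: tunnel_command <user> <host>
#   then set the browser's HTTP proxy to 127.0.0.1 port 3128.
```

In PuTTY the same forward is entered under Connection > SSH > Tunnels, with source port 3128 and destination 127.0.0.1:3128.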

  18. Hoipoloi Says:

    Sir Tim Berners-Lee told BBC News he would change his internet provider if it introduced such a system.

    http://news.bbc.co.uk/1/hi/technology/7299875.stm

  19. Colin C Says:

    Don’t even wait for the results..

    I’m out of BT after 7 years, switched phone too if they’re going into deals with this lot…

    Privacy technology my arse..

  20. stymaster Says:

    It *is* a privacy technology. It takes your privacy, and sells it to the highest bidder.

  21. ahjustme Says:

    It’s funny how Phorm are only doing all this after the storm has come.

    Phorm and BT were happy to trial it without permission from webmasters and webusers.

    Phorm are happy to promote the Ernst & Young report in the UK, when it was done in the USA and much is different between the two countries.

    Phorm were happy to not give you an opt in/out until the storm, and expect a cookie – still requiring an intercept – to be tough enough, and the burden of effort on the user to re-set the cookie. Ha!

    If these people are selling privacy, why did they and BT do a deal to use data without permission and in secret?

  22. Countrie Bumpkin Says:

    I see on the BBC website the ICO has finally got involved.

  23. stymaster Says:

    Indeed. The linked PDF makes for a good analysis of Phorm.

    It’s also good to see BT in the shit for doing what comes naturally (i.e: fucking it up good and proper).

  24. Steve Says:

    Er… Hello Phorm Comms (PR) Team. You do spring up in the most unlikely of places LOL

    Right, everyone reading this… Be aware that Kent Ertugrul (CEO of Phorm) is a plonker. Secondly, his Comms (cough… PR) Team are also not very clever people. They, the expert PR team, thought it would be ok to “edit out” true facts about Phorm on Wikipedia. This was spotted and changed back. The Phorm Comms (PR) Team admitted their very wrong act of trying to get rid of statements that were true about Phorm.

    Now, of the 3 UK ISPs who Phorm claimed to have signed deals with, 1 quickly pulled out of the automatic “Opt In” which Phorm planned (that’s Talk Talk/Carphone Warehouse). Another, Virgin Media, has recently announced, in a clarifying press release, that they are under no obligation to implement Phorm (but don’t think that is the end of it with VM… we need to watch them).

    The third ISP, BT, started a web forum for customers to ask questions. And they promised to give answers too. They did give answers, then they stopped giving answers! Then they closed the forum down. A new one was started. Naughty BT, they cannot silence the opposition to this.

    Finally, and this is the juicy bit… BT ran a trial of Phorm technology in 2006, then another in 2007. Did they ask or tell their customers? No. They did it secretly.

    What is Phorm? It’s a way of listening in, on everything you do, on the internet. It’s like the operator listening to every telephone call you make or receive. It’s like Royal Mail, opening every letter and jotting down key points about you before they deliver the letter.

    Phorm, previously 121Media, have a history of spyware/adware and a nasty way of hiding their software using something called a rootkit. Not nice.

    And they are not nice. Kent is a nasty piece of work (go back and watch him on the BBC Click TV programme 3rd May… The interviewer did not make a joke about the temperature during the interview with Alexander Hoff for nothing)

    Who is Alexander Hoff? Well, he wrote a paper about the legality (or maybe I should say “Illegality”) of Phorm implementation.

    You can read much more (there’s A LOT) on the Cable Forum where this has been debated strongly. You’ll even see the wonderful Phorm Comms Team in action (although they have given up there due to losing every argument with people that understand technology and the law!)

    Remember please that whilst they may like to say you can “switch webwise off” that does not stop them being there – between you and the internet. It’s like them intercepting your phone call but not listening whilst you’ve told them not to. Can you be sure they won’t listen? They’re there, in the middle – once they are there, you cannot actually get them out even if you tell them not to listen in (look up “Network Layer 7” if you want to understand that more)

    And finally, although I strongly believe this will be found to be illegal, we need your support:

    Over 12,000 people have signed the Downing Street Prime Minister Petition. Please join them.

    Write to your MP, tell them you think that Phorm is wrong.

    And head over to the Cable Forum, there’s lots to learn about this. Please join us. We need to stop Phorm.

    http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html

    PS. Before anyone starts to argue with any of the above, I’ve heard all the arguments in favour of sitting back and doing nothing. None of them impress me. If you think Google is the same as Phorm for tracking your behaviour, for spying on you etc… Well, Google has its own issues, but it’s not a patch on the loss of privacy you get if Phorm gets going.

    Ste.

  25. stymaster Says:

    @Steve,

    Yes, they do pop up in odd places, and very quickly too, thanks to Google.

    I’m hoping Phorm is dead in the water now, at least in its present ‘phorm’ where all your traffic is monitored, all the time.
