I was horrified when I read about Phorm. Virgin Media, BT and TalkTalk are teaming up with Phorm to track all web browsing on their networks. The tracking info will be used to spam subscribers with targeted ads. The privacy implications are mind-boggling…
I have already written a few letters of complaint, but it seems what it boils down to is there is no easy way to escape being monitored by Phorm – a company run by a fraudster who used to run the PeopleOnPage spyware. Their business is based on raping users’ privacy, and they clearly don’t give a damn. They do offer a rather pathetic “opt-out”, but for people who regularly clear their cookies it’s next to useless.
The bottom line is what they are doing is most likely illegal, breaching either the Data Protection Act, RIPA or the Human Rights Act. It seems moves are already under way to bring private prosecutions.
See http://www.badphorm.co.uk for more details. More good info here: Spyblog
So, how can we fight back? Well, aside from avoiding ISPs that use Phorm (not an option for many people unfortunately) tracking can be avoided either by using Tor or signing up with an encrypted VPN provider like Relakks or Perfect Privacy. Using a VPN is probably not a bad idea anyway, as is using OpenDNS, because it ensures UK agencies can’t spy on you without going to a lot of effort. Certainly, it should prevent any casual monitoring or censorship, and of course block Phorm.
I also recommend blocking Phorm cookies by adding the following to your blocked list in Firefox:
*.oix.*
*.phorm.*
*.sysip.*
*.webwise.*
By blocking cookies, Phorm will find it impossible to track your specific browsing habits. They will still see what sites you visit and deliver ads, just not be able to join all the dots.
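To check whether a browser profile already holds cookies from the domains on the block list above, the following added example (not part of the original post) scans a Firefox-style `moz_cookies` table. It assumes each pattern means "any host containing that name as a dot-separated label"; the sample database, the `.example` hosts and the cookie names are constructed for illustration.

```python
import sqlite3

# Name labels taken from the post's block list (*.oix.*, *.phorm.*, ...).
BLOCKED_LABELS = {"oix", "phorm", "sysip", "webwise"}

def is_blocked_host(host):
    """True if any dot-separated label of the host is on the block list."""
    # Domain cookies are stored with a leading dot (".webwise.net"); strip it.
    labels = host.lower().strip(".").split(".")
    return any(label in BLOCKED_LABELS for label in labels)

def find_blocked_cookies(conn):
    """Return sorted (host, name) pairs of stored cookies on the block list."""
    rows = conn.execute("SELECT host, name FROM moz_cookies").fetchall()
    return sorted((h, n) for h, n in rows if is_blocked_host(h))

def build_sample_db():
    """Constructed stand-in for a Firefox cookies.sqlite (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", [
        (".webwise.net", "uid", "constructed-1"),        # on the list
        ("ads.oix.example", "optout", "constructed-2"),  # on the list
        (".example.org", "session", "constructed-3"),    # unrelated site
        ("phormula.example", "prefs", "constructed-4"),  # substring only, no match
    ])
    return conn

if __name__ == "__main__":
    for host, name in find_blocked_cookies(build_sample_db()):
        print(f"block-list cookie present: {host} {name}")
```

For a real profile, pass `sqlite3.connect(path)` for a copy of the profile's `cookies.sqlite` to `find_blocked_cookies`; work on a copy because the browser keeps the live file locked while it is running.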
Also sign the petition at: http://petitions.pm.gov.uk/ispphorm/
5 Comments
Hi
I work for the UK PR team for Phorm. To clarify a couple of points:
Some time ago, Kent did have an adware company called PeopleOnPage. This was not spyware, and the distinction between the two is very important. Adware is a software component designed to deliver ads as part of a legitimate commercial product or service.
Spyware or Malware has four essential features:
1. It is installed on a user’s computer without their knowledge or consent
2. It is hidden so that the user cannot find it
3. It is designed to be difficult or impossible for the user to remove
4. Does some harm (often illegal) to the user or their computer: in the case of spyware, stealing information (particularly passwords, credit card details etc.)
Spyware/Malware is surreptitiously installed, is hidden, cannot be removed and does intentional harm, e.g. stealing data.
The PeopleOnPage program, in contrast:
1. Was installed as part of a download process in which the user had to read and confirm acceptance of an End User Licence Agreement (EULA). In the EULA, the user had to explicitly accept that in return for the free software, they would be shown advertising.
2. Was clearly displayed in the user’s Add/Remove programs listing.
3. Was removable by using the standard Add/Remove program dialogue.
4. Was designed to legally show targeted advertising to users, based on their browsing behaviour as part of a commercial relationship with software providers and advertisers, and with the consent and knowledge of the user.
PeopleOnPage was installed with knowledge and consent, could be identified and deleted, and was not intended to cause harm or steal information.
POP was gradually phased out by Kent due to his changing the direction of the Company which culminated in Phorm and the creation of OIX. OIX has been built with the highest standards of consumer privacy protection in mind which has been verified by Ernst & Young and the world’s foremost privacy advocate, Simon Davies of Privacy International. In addition, our 3 ISP partners have done their own detailed due diligence and are entirely satisfied that this poses no threat whatsoever to their customers or their personal data.
If users opt out of Webwise, none of their data will pass through a Phorm-owned server. To be clear, your browsing behaviour will not be sent to Phorm if you opt out. If you are looking for an opt-out mechanism that doesn’t rely on the presence of a cookie, you can set your browser (Firefox, IE and Opera) to block cookies from our ad-serving domain, webwise.net.
The DPA regulates the processing of personal data (as defined in the Act). technology is designed in such a way that it does not collect or store any information from which it is possible to identify an individual. Because we at Phorm treat Data Protection issues with the highest degree of importance, our ISPs, in conjunction with us, will obtain the consent of their users to the Phorm service and users are free to withdraw that consent and opt out of the service at any time.
RIPA is intended to protect the privacy of private communications. The Phorm service respects users’ privacy at all times by ensuring that users remain anonymous and by obtaining the user’s consent to the service via our ISPs. We have considered RIPA with great care and are satisfied that our technology does not breach RIPA.
Hope this helps – feel free to post any further questions and I will pass on to Phorm.
To clarify the above:
Simon Davies, MD of 80/20 Thinking, a privacy consultancy, conducted a Privacy Impact Assessment into our technology, systems and practices. Simon is a thirty year veteran of privacy advocacy and a Director of Privacy International.
Simon has publicly commented: “In our view, Phorm has implemented privacy as a key design component in the development of its system. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.”
Simon and Gus Hosein were invited by Phorm to assess its privacy protection measures.
The two work with campaign group Privacy International but their work for Phorm was done as part of a new privacy start-up, 80/20 Thinking Ltd.
You can yak on all you like about how POP isn’t spyware and how you really care about privacy, but in the end your actions speak far louder than your words.
In order for your claims about privacy to be valid, you need to first be independently audited by technical people with access to your source code. I’m sure Simon Davies knows a lot about privacy, but he does not appear to be a technical expert and was after all in your pay.
You also need to publicly respond to this: http://mojochan.wordpress.com/2008/03/11/phorm-the-smoking-gun/
Please explain how your technology can possibly decide which pages are private. There is no known technical means of doing it, and if you have somehow found a way you should have no problem passing a Turing test or winning a Nobel Prize.
Also, how does this not violate copyright:
“Based on analysis occurring at the proxy server, the proxy server may modify client-requested data it receives so that a targeted advertisement appears on a web page requested by a client”
From your own patent. If you modify a web page, you are violating the copyright of the page author and stealing their ad revenue. A case regarding this has already been through the courts in the US and was decided against the spyware company doing it (Gator IIRC).
POP is widely considered spyware and removed by many anti-malware products. Again, it’s not your decision to make, it’s up to others if they consider it spyware and by most definitions it is.
Here is some info on POP: http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?9
Finally, if you really are well intentioned, where is the proper opt-out? I don’t mean a cookie – I clear cookies every time I close my browser so it’s useless to me. Anyway, the data still passes through your systems. I need a way to completely opt out permanently – none of my data will ever go through your systems. How do I do that? Why is it not opt-in?
Aren’t Phorm the same guys as 121Media – the same company that planted root kits on millions of PCs? And we’re supposed to trust these guys with our information?? Madness.
Thanks for the advice, I agree – Phorm is well dodgy. I’ve blocked the cookies as you have suggested. Phorm is covered in exquisite detail here http://www.grc.com/securitynow.htm – episode 151. It seems like if you are with one of the 3 ISPs that use Phorm and block Phorm’s cookies, there might be some side effects to your web surfing – but I’ve blocked it anyway. (I’m not with the three ISPs)