Top security firm: Phorm is adware

Home Office advice suggests RIPA worries for webmasters

In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database.

Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very high chance that Trend Micro would add detection for the tracking cookies as adware in order to protect customers.

"Obviously, as with other adware/spyware Trend Micro would need to constantly monitor things like... how aware users are that they are being tracked and whether the user has the ability to completely opt out of the service."

If Trend adds detection for Phorm then millions of home computers running a scan using its protection software would get a warning that their ISPs have dropped either a Phorm opt-in or an opt-out cookie onto their systems.

The statement comes as the debate over Phorm is focusing on the question of consent and interception. At present, Phorm says that an opt-out will be available via another cookie, which has not satisfied some web users who want their traffic to have nothing to do with the firm.

In response to Trend Micro, Phorm said today: "The Webwise system is certainly not adware. We welcome the chance to brief Trend Micro on our privacy enhancing technology and why it would be inappropriate to classify it in any other way."

PC Tools, another large anti-malware firm, based in Australia, echoed Trend Micro's concerns for its customers' privacy and security. It said in a statement:

If our research confirms that Phorm places an opt-out cookie on the desktop PC, we will evaluate if it is safe to remove it without re-opting the customer back into the Phorm tracking mechanisms.

If the cookie cannot simply be removed but we can find a reliable method to detect the Phorm service, and the Phorm service was evaluated and identified using our threat matrix, we will then endeavour to alert our customers of its existence.

Naturally we encourage all companies involved in handling, monitoring or storing personal information, such as web-surfing behaviour, to prominently disclose whether there is information being supplied or used by a third-party. Ideally any service with privacy implications should require users to consciously opt-in after they know all the facts.

PC Tools is a significant player in consumer desktop security because its Spyware Doctor software is bundled with the Google Pack. We are waiting for responses from Symantec and McAfee, the two largest anti-malware vendors.

It seems Virgin Media boss Neil Berkett could be gearing up to take the same stance on its deal with Phorm as Carphone Warehouse boss Charles Dunstone.

Berkett this morning responded to a customer email asking if he planned to require customers to explicitly opt-in to the ad targeting network with: "I am reviewing this again this evening."

Carphone Warehouse has stated that its 2.6 million broadband subscribers will be asked if they want to opt-in, and that an opt-out cookie won't be necessary to avoid profiling. The firm is working on a new implementation of the Phorm system that ensures data is never intercepted and mirrored to the profiler server.

Phorm has said data from opted-out customers would be completely ignored by the profiler under the normal deployment, which is administered by the ISP, but the fears of many are not allayed by such guarantees. BT is yet to answer our question about why mirroring but not profiling customer browsing does not constitute an interception under the Regulation of Investigatory Powers Act (RIPA) 2000.

Also in the last 24 hours, the Home Office advice on RIPA and ad targeting, which the ISPs used to help approve Phorm, has emerged. Written by department official Simon Watkin, it, like Professor Peter Sommer's assessment published here last week, puts emphasis on the question of consent for the interception. Read the whole thing here.

In his conclusion, Watkin writes: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

Professor Sommer said the technical details revealed over the past two weeks suggest that liability for compliance with RIPA lies with the ISP, since it will operate the profiler and carry out the interception.

The Home Office document raises another question of consent, however: whether website owners consent to the ISP profiling their pages for keywords (the Phorm system does not propose to inject targeted advertising into websites that are not members of its Open Internet Exchange). Watkin argues that by publishing their pages online, website owners imply consent to an interception, which is the stance taken by Phorm and its partners. He writes: "The implied consent of a web page host may stand in the absence of any specific express consent."

Sommer disagreed: "There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time - which is the communication being intercepted."

On this basis the ISPs would need consent to intercept from every web page you visit, he said. "I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever."

Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act.

In the intro to his advice, Watkin cautions: "[This] should not be taken as a definitive statement or interpretation of the law, which only the courts can give." ®
