Top security firm: Phorm is adware

Home Office advice suggests RIPA worries for webmasters

In a fresh blow to its hopes of winning consumer acceptance, a top-three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database.

Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very high chance that Trend Micro would add detection for the tracking cookies as adware in order to protect customers.

"Obviously, as with other adware/spyware Trend Micro would need to constantly monitor things like... how aware users are that they are being tracked and whether the user has the ability to completely opt out of the service."

If Trend adds detection for Phorm, then millions of home computers running a scan using its protection software would get a warning that their ISPs have dropped either a Phorm opt-in or an opt-out cookie onto their systems.

The statement comes as the debate over Phorm is focusing on the question of consent and interception. At present, Phorm says that an opt-out will be available via another cookie, which has not satisfied some web users who want their traffic to have nothing to do with the firm.

In response to Trend Micro, it said today: "The Webwise system is certainly not adware. We welcome the chance to brief Trend Micro on our privacy enhancing technology and why it would be inappropriate to classify it in any other way."

PC Tools, another large anti-malware firm, based in Australia, echoed Trend Micro's concerns for its customers' privacy and security. It said in a statement:

If our research confirms that Phorm places an opt-out cookie on the desktop PC, we will evaluate if it is safe to remove it without re-opting the customer back into the Phorm tracking mechanisms.

If the cookie cannot simply be removed but we can find a reliable method to detect the Phorm service, and the Phorm service was evaluated and identified using our threat matrix, we will then endeavour to alert our customers of its existence.

Naturally we encourage all companies involved in handling, monitoring or storing personal information, such as web-surfing behaviour, to prominently disclose whether there is information being supplied or used by a third-party. Ideally any service with privacy implications should require users to consciously opt-in after they know all the facts.

PC Tools is a significant player in consumer desktop security because its Spyware Doctor software is bundled with the Google Pack. We are waiting for responses from Symantec and McAfee, the two largest anti-malware vendors.

It seems Virgin Media boss Neil Berkett could be gearing up to take the same stance on its deal with Phorm as Carphone Warehouse boss Charles Dunstone.

Berkett this morning responded to a customer email asking if he planned to require customers to explicitly opt-in to the ad targeting network with: "I am reviewing this again this evening."

Carphone Warehouse has stated that its 2.6 million broadband subscribers will be asked if they want to opt-in, and that an opt-out cookie won't be necessary to avoid profiling. The firm is working on a new implementation of the Phorm system that ensures data is never intercepted and mirrored to the profiler server.

Phorm has said data from opted-out customers would be completely ignored by the profiler under the normal deployment, which is administered by the ISP, but the fears of many are not allayed by such guarantees. BT is yet to answer our question about why mirroring but not profiling customer browsing does not constitute an interception under the Regulation of Investigatory Powers Act (RIPA) 2000.

Also in the last 24 hours, the Home Office advice on RIPA and ad targeting, used by the ISPs to help approve Phorm, has emerged. Written by department official Simon Watkin, it puts emphasis, like Professor Peter Sommer's assessment published here last week, on the question of consent for the interception. Read the whole thing here.

In his conclusion, Watkin writes: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

Professor Sommer said the technical details revealed over the past two weeks suggest that liability for compliance with RIPA lies with the ISP, since it will operate the profiler and carry out the interception.

The Home Office document raises another question of consent, however: that of whether website owners consent to the ISP profiling their pages for keywords (the Phorm system does not propose to inject targeted advertising on websites that are not members of its Open Internet Exchange). Watkin argues that by publishing their pages online, website owners are implying consent to an interception, which is the stance taken by Phorm and its partners. He writes: "The implied consent of a web page host may stand in the absence of any specific express consent."

Sommer disagreed: "There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time - which is the communication being intercepted."

On this basis the ISPs would need consent to intercept from every web page you visit, he said. "I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever."

Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act.

In the intro to his advice, Watkin cautions: "[This] should not be taken as a definitive statement or interpretation of the law, which only the courts can give." ®
