Top security firm: Phorm is adware

Home Office advice suggests RIPA worries for webmasters


In a fresh blow to its hopes of winning consumer acceptance, one of the three largest anti-malware firms has said it will very likely add Phorm's targeting cookies to its adware warning database.

Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very high chance that Trend Micro would add detection for the tracking cookies as adware in order to protect customers.

"Obviously, as with other adware/spyware Trend Micro would need to constantly monitor things like... how aware users are that they are being tracked and whether the user has the ability to completely opt out of the service."

If Trend adds detection for Phorm, then millions of home computers running a scan with its protection software would get a warning that their ISP has dropped either a Phorm opt-in cookie or an opt-out cookie onto their system.

The statement comes as the debate over Phorm is focusing on the question of consent and interception. At present, Phorm says that an opt-out will be available via another cookie, which has not satisfied some web users who want their traffic to have nothing to do with the firm.

Phorm said today in response to Trend Micro: "The Webwise system is certainly not adware. We welcome the chance to brief Trend Micro on our privacy enhancing technology and why it would be inappropriate to classify it in any other way."

PC Tools, another large anti-malware firm, based in Australia, echoed Trend Micro's concerns for its customers' privacy and security. It said in a statement:

If our research confirms that Phorm places an opt-out cookie on the desktop PC, we will evaluate if it is safe to remove it without re-opting the customer back into the Phorm tracking mechanisms.

If the cookie cannot simply be removed but we can find a reliable method to detect the Phorm service, and the Phorm service was evaluated and identified using our threat matrix, we will then endeavour to alert our customers of its existence.

Naturally we encourage all companies involved in handling, monitoring or storing personal information, such as web-surfing behaviour, to prominently disclose whether there is information being supplied or used by a third-party. Ideally any service with privacy implications should require users to consciously opt-in after they know all the facts.

PC Tools is a significant player in consumer desktop security because its Spyware Doctor software is bundled with the Google Pack. We are waiting for responses from Symantec and McAfee, the two largest anti-malware vendors.
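PC Tools' worry about removing the opt-out cookie comes down to a fail-open design: if the profiler treats the absence of a cookie as consent, then any tool that clears cookies (anti-spyware, a privacy wipe, a new browser profile) silently re-enrols the user. The toy model below, added here and not code from Phorm or any of the vendors quoted, contrasts that with an opt-in cookie, where a wipe fails closed. The cookie names, the sample Cookie headers and the ISP-side gate are all constructed assumptions; the page does not give the real cookie names.

```python
# Toy model of an ISP-side profiler gate, added to illustrate why removing an
# opt-out cookie can re-opt a customer into profiling. Example code only; the
# cookie names, domain-less Cookie headers and decision logic are assumptions,
# not Phorm's or any anti-malware vendor's implementation.
from typing import Dict, List, Optional, Tuple

# Hypothetical cookie names (assumption: the page does not give the real ones).
OPT_OUT_COOKIE = "webwise_optout"
OPT_IN_COOKIE = "webwise_optin"


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Parse an HTTP Cookie header into a dict.

    Tolerates missing/empty headers, odd spacing, value-less cookies and
    values that themselves contain '='.
    """
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies


def should_profile(cookie_header: Optional[str], policy: str) -> bool:
    """Decide whether a mirrored request is fed to the profiler.

    policy == "opt-out": profile unless the opt-out cookie is present (fails open).
    policy == "opt-in":  profile only if the opt-in cookie is set to 1 (fails closed).
    """
    cookies = parse_cookie_header(cookie_header)
    if policy == "opt-out":
        return OPT_OUT_COOKIE not in cookies
    if policy == "opt-in":
        return cookies.get(OPT_IN_COOKIE) == "1"
    raise ValueError(f"unknown policy: {policy}")


def wipe_tracking_cookies(cookie_header: Optional[str], names: List[str]) -> str:
    """Simulate an anti-spyware tool deleting the named cookies from the browser's
    cookie jar; returns the Cookie header the browser would send afterwards."""
    cookies = parse_cookie_header(cookie_header)
    kept = {k: v for k, v in cookies.items() if k not in names}
    return "; ".join(f"{k}={v}" if v else k for k, v in kept.items())


def simulate(policy: str, consented: bool) -> Tuple[bool, bool]:
    """Run one user through a cookie wipe under the given consent policy.

    Returns (profiled_before_wipe, profiled_after_wipe). The user's starting
    cookie jar is constructed to reflect their recorded choice under that policy.
    """
    session = "sessionid=abc123"  # unrelated cookie that a wipe should leave alone
    if policy == "opt-out":
        # Under opt-out, only a user who declined carries a tracking-related cookie.
        before = session if consented else f"{session}; {OPT_OUT_COOKIE}=1"
    else:
        # Under opt-in, only a user who agreed carries one.
        before = f"{session}; {OPT_IN_COOKIE}=1" if consented else session
    after = wipe_tracking_cookies(before, [OPT_OUT_COOKIE, OPT_IN_COOKIE])
    return should_profile(before, policy), should_profile(after, policy)


if __name__ == "__main__":
    for policy in ("opt-out", "opt-in"):
        for consented in (False, True):
            print(f"{policy:8} consented={consented!s:5} "
                  f"(before, after) = {simulate(policy, consented)}")
```

The case PC Tools describes is `simulate("opt-out", consented=False)`: the user is not profiled before the wipe and is profiled after it, with no change in what the user agreed to. Under the opt-in policy the same wipe can only ever stop profiling, which is why an opt-in design needs no "do not delete this cookie" exception in a security product.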

It seems Virgin Media boss Neil Berkett could be gearing up to take the same stance on its deal with Phorm as Carphone Warehouse boss Charles Dunstone.

Berkett this morning responded to a customer email asking if he planned to require customers to explicitly opt-in to the ad targeting network with: "I am reviewing this again this evening."

Carphone Warehouse has stated that its 2.6 million broadband subscribers will be asked if they want to opt in, and that an opt-out cookie won't be necessary to avoid profiling. The firm is working on a new implementation of the Phorm system that ensures the traffic of customers who have not opted in is never intercepted and mirrored to the profiler server.

Phorm has said that under the normal deployment, which is administered by the ISP, data from opted-out customers would be completely ignored by the profiler, but the fears of many are not allayed by such guarantees. BT has yet to answer our question about why mirroring customers' browsing to the profiler, even without profiling it, does not constitute an interception under the Regulation of Investigatory Powers Act (RIPA) 2000.

Also in the last 24 hours, the Home Office advice on RIPA and ad targeting, used by the ISPs to help approve Phorm, has emerged. Written by department official Simon Watkin, it puts the emphasis, as Professor Peter Sommer's assessment published here last week did, on the question of consent for the interception.

In his conclusion, Watkin writes: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

Professor Sommer said the technical details revealed over the past two weeks suggest that liability for compliance with RIPA lies with the ISP, since it will operate the profiler and carry out the interception.

The Home Office document raises another question of consent, however: whether website owners consent to the ISP profiling their pages for keywords (the Phorm system does not propose to inject targeted advertising into websites that are not members of its Open Internet Exchange). Watkin argues that by publishing their pages online, website owners imply consent to an interception, which is the stance taken by Phorm and its partners. He writes: "The implied consent of a web page host may stand in the absence of any specific express consent."

Sommer disagreed: "There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time - which is the communication being intercepted."

On this basis the ISPs would need consent to intercept from the owner of every web page you visit, he said. "I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever."

Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act.

In the intro to his advice, Watkin cautions: "[This] should not be taken as a definitive statement or interpretation of the law, which only the courts can give." ®
