Top security firm: Phorm is adware

Home Office advice suggests RIPA worries for webmasters

In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database.

Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very high chance that Trend Micro would add detection for the tracking cookies as adware in order to protect customers.

"Obviously, as with other adware/spyware Trend Micro would need to constantly monitor things like... how aware users are that they are being tracked and whether the user has the ability to completely opt out of the service."

If Trend adds detection for Phorm then millions of home computers running a scan using its protection software would get a warning that their ISPs have dropped either a Phorm opt-in or an opt-out cookie onto their systems.

The statement comes as the debate over Phorm is focusing on the question of consent and interception. At present, Phorm says that an opt-out will be available via another cookie, which has not satisfied some web users who want their traffic to have nothing to do with the firm.

In response to Trend Micro, it said today: "The Webwise system is certainly not adware. We welcome the chance to brief Trend Micro on our privacy enhancing technology and why it would be inappropriate to classify it in any other way."

PC Tools, another large anti-malware firm, based in Australia, echoed Trend Micro's concerns for its customers' privacy and security. It said in a statement:

If our research confirms that Phorm places an opt-out cookie on the desktop PC, we will evaluate if it is safe to remove it without re-opting the customer back into the Phorm tracking mechanisms.

If the cookie cannot simply be removed but we can find a reliable method to detect the Phorm service, and the Phorm service was evaluated and identified using our threat matrix, we will then endeavour to alert our customers of its existence.

Naturally we encourage all companies involved in handling, monitoring or storing personal information, such as web-surfing behaviour, to prominently disclose whether there is information being supplied or used by a third-party. Ideally any service with privacy implications should require users to consciously opt-in after they know all the facts.

PC Tools is a significant player in consumer desktop security because its Spyware Doctor software is bundled with the Google Pack. We are waiting for responses from Symantec and McAfee, the two largest anti-malware vendors.

It seems Virgin Media boss Neil Berkett could be gearing up to take the same stance on its deal with Phorm as Carphone Warehouse boss Charles Dunstone.

Berkett this morning responded to a customer email asking if he planned to require customers to explicitly opt-in to the ad targeting network with: "I am reviewing this again this evening."

Carphone Warehouse has stated that its 2.6 million broadband subscribers will be asked if they want to opt-in, and that an opt-out cookie won't be necessary to avoid profiling. The firm is working on a new implementation of the Phorm system that ensures data is never intercepted and mirrored to the profiler server.

Phorm has said data from opted-out customers would be completely ignored by the profiler under the normal deployment, which is administered by the ISP, but the fears of many are not allayed by such guarantees. BT is yet to answer our question about why mirroring but not profiling customer browsing does not constitute an interception under the Regulation of Investigatory Powers Act (RIPA) 2000.

Also in the last 24 hours, the Home Office advice on RIPA and ad targeting, used by the ISPs to help approve Phorm, has emerged. Written by department official Simon Watkin, like Professor Peter Sommer's assessment published here last week, it puts emphasis on the question of consent for the interception. Read the whole thing here.

In his conclusion, Watkin writes: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

Professor Sommer said the technical details revealed over the past two weeks suggest that liability for compliance with RIPA lies with the ISP, since it will operate the profiler and carry out the interception.

The Home Office document raises another question of consent, however: whether website owners consent to the ISP profiling their pages for keywords (the Phorm system does not propose to inject targeted advertising on websites that are not members of its Open Internet Exchange). Watkin argues that by publishing them online, website owners are implying consent for an interception, which is the stance taken by Phorm and its partners. He writes: "The implied consent of a web page host may stand in the absence of any specific express consent."

Sommer disagreed: "There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time - which is the communication being intercepted."

On this basis the ISPs would need consent to intercept from every web page you visit, he said. "I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever."

Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act.

In the intro to his advice, Watkin cautions: "[This] should not be taken as a definitive statement or interpretation of the law, which only the courts can give." ®
