The Register ®

Comments on ‘Top security firm: Phorm is adware’

Home Office advice suggests RIPA worries for webmasters

Published Wednesday 12th March 2008 15:38 GMT

I don't just want to avoid Phorm.... 

By Anonymous Coward
Posted Wednesday 12th March 2008 15:44 GMT
Thumb Down

...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice.

Email etc 

By Ed
Posted Wednesday 12th March 2008 15:47 GMT

Indeed, if I enter a password for a website, e.g. a blog's admin system or my webmail etc, then that's certainly not a public page that should be able to be read by Phorm (or anyone except me). What about all the people who rely on obscure URLs to hide things? Not good security practice, sure, but they're not intended for public consumption.

"[This] should not be taken... 

By dervheid
Posted Wednesday 12th March 2008 15:50 GMT
Coat

as a definitive statement or interpretation of the law, which only the courts can give."

So they'll most likely go ahead anyway, until someone takes the fuckers to court, where they'll most likely employ the usual army of expensive briefs and "experts" to defend their position.

And win.

Back to pen & paper and the scud-mags then!

Mine's the long, dirty, brown Mac (No, the OTHER kind of Mac, fuckwit!)

10 out of 10 

By Slaine
Posted Wednesday 12th March 2008 15:51 GMT
Thumb Up

Excellent, now then, can you guys have a look at the ISP download speeds for us?

Wish I'd seen this earlier 

By Steve
Posted Wednesday 12th March 2008 15:59 GMT

I've just finished sending off my latest email owning VM tech support.

The first reply was just "go away, there's nothing going on" signed by (Your Name)

Second was a link to the original Reg article and signed by (Your Name)

Third directed me to VM Q&A which answered none of my questions but at least "Julian" paid attention to me mocking them for failing at email templates

Fourth reply suggested I used ad-blocker software but did admit that no-one at VM tech support has been told anything about what's going on, but does quote from the Q&A that we "will have the choice to keep their internet experience exactly as it is now"

Until I get an unqualified yes to the following question, I'm going to keep harassing them;

"Will it be possible for me to ensure that none of my data enters any hardware or software system owned by, operated by or supplied by Phorm or any of their aliases or subsidiaries?"

More Progress But... 

By Captain Jamie
Posted Wednesday 12th March 2008 16:03 GMT

All I want is independently confirmed proof that my ISP won't be sending one single packet of my data to Phorm.

phorm is adware 

By Peter White
Posted Wednesday 12th March 2008 16:05 GMT
Thumb Down

the Microsoft definition of adware

Advertising that is integrated into software. Adware is often combined with a host application that is provided at no charge as long as the user ...

www.microsoft.com/security/glossary.mspx

the F-Secure definition of adware

A type of Advertising Display Software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and therefore may also be categorized as Tracking Technologies. ...

www.f-secure.com/security_center/malware_code_glossary.html

just because the software is on the ISP's server not your PC, need I say more

it is an unwanted intrusion to privacy

sign the petition at http://petitions.pm.gov.uk/ispphorm/

and complain to your ISP; BT's complaint page is a link on http://www2.bt.com/contactus

Dear ISP 

By Mycho
Posted Wednesday 12th March 2008 16:06 GMT

I understand that lax business practices have dropped the price for internet connectivity to below cost. Please allow those of us who care to pay 20% above cost instead of being sold to the highest bidder.

Seriously. The policy here is that because they're not charging us enough they decide instead to sell our things without asking? In what universe does that make sense?

I've asked to opt out........ 

By Andy ORourke
Posted Wednesday 12th March 2008 16:14 GMT
Thumb Down

of my new 12 month contract I agreed over the phone 3 or 4 days before the phit hit the phan. I have not yet had a response to the question:

"Did the contract I agreed to verbally contain any notification that all my data was going to be intercepted"

Nor have I had a response to the question:

"If you are going to change the terms and conditions of my contract to include a clause along the lines of 'please feel free to intercept all my data and profile me' will I be able to cancel my contract because I would not agree with you doing this with my data"

I haven't even had an answer to the question:

"Since I assume you have stitched me up tighter than the manx kippers I brought back from the island last week and I have no way to cancel my new contract without penalty could you please tell me how much the penalty clause is for early cancellation?"

I'll let you know if I get anything other than cut & paste replies.

Virgin 

By Paul Louth
Posted Wednesday 12th March 2008 16:16 GMT
Coat

Virgin will be getting my cancellation call as soon as my new line is up and running (currently penned in for next week).

Imagine the scene: 

By Jason Edmunds
Posted Wednesday 12th March 2008 16:17 GMT
Coat

I fall for the whole thing and let Phorm monitor my web usage and supply ads related to my surfing habits. Nice. Then the wife gets onto the net for 5 minutes and all she sees is ads for pr0n sites.

Who's she gonna be looking at? Hmmmm? ANSWER THE QUESTION MISTER!!!

Mine's the one that's been slashed and dumped in the garden with everything else I own...

@Phorm 

By Nick Palmer
Posted Wednesday 12th March 2008 16:19 GMT
Flame

"Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act."

They can believe in the *&%$ing Tooth Fairy, for all I care; it doesn't make them right. What they propose is an illegal wiretap - we shouldn't even be discussing this, we should be screaming for the ISPs' and Phorm's directors to be arrested if they so much as try it.

sky? 

By Anonymous Coward
Posted Wednesday 12th March 2008 16:22 GMT
Paris Hilton

does anyone know if Sky have signed up to this yet?

Paris - just because

@Mycho 

By Jonathan
Posted Wednesday 12th March 2008 16:22 GMT
Thumb Down

I don't want to pay any more! I want to pay the same amount of money, and get the service that I should be getting - no interception for any reason ever, unobtrusive traffic shaping (if you really must), 99.999% uptime, UK call centres only.

Anyway, it's funny to see Phorm in such denial. "It's not Adware or Spyware!", Phorm says scandalized. "It's useful, it's relevant, it's.... it's...."

It's advertising software, sorry Phorm, you Phail.

Now the question is, as Trend Micro says, is there a better solution to opting out than storing a cookie on your machine? What if I want to remove all traces of Phorm, even including the opt-out cookie? It seems self-defeating, I know, but I don't want any part of Phorm on my computer at all.

PS: can we have an Epic Fail pic? Like the Failboat, or Fail Kitty?

@ Mycho - Well, not really, just agreeing 

By Dave
Posted Wednesday 12th March 2008 16:33 GMT
Flame

Part of my interest in Phorm is that we switched to BT from Pipex, following the Tiscali move. We went live THE DAY BEFORE Vulture Central broke the news.

We were happy with Pipex, we were happy to be paying more for a good quality connection with Tech Support based in the UK. (Insert tales of woe about telling non-native English speakers "We know it's not the Microfilters - It's at your end, probably the [frobinator]" here)

Then we saw Tiscali's prices for new customers, then we saw the line drops, the speed drops and ultimately the customer drops.

So to all the ISPs: Just sell us a good quality connection at a price that will make you some profit. If it costs you more for UK based tech support, then pass the cost on to us. We Will Pay. Cheerfully. We will gladly recommend you to our friends.

Just don't pimp our data or cut corners when we need help.

Understandable 

By Joe K
Posted Wednesday 12th March 2008 16:33 GMT

I can see the point of anti-malware reps being miffed at this.

If your whole business model is all about protecting users from being monitored/profiled and spammed with ads, then it's kind of annoying when an ISP and former malware criminal team up to implement a near unstoppable system that encompasses every user.

In that case we may as well let all the profilers have our browsing history and fight amongst themselves to inject the ads.

@Steve 

By Ash
Posted Wednesday 12th March 2008 16:35 GMT

You missed "or connected (directly or indirectly)", and the phrase "but not limited to".

Read more EULAs and you'll get the idea ;)

Adware 

By Anonymous Coward
Posted Wednesday 12th March 2008 16:37 GMT

Maybe the ISPs should offer this:

1. Free Broadband (at max speed or should it be up to max speed) for agreeing to have adware sent to you.

2. Or just subscribe for broadband as normal with no ads.

Would there be any takers then?

@Peter Sommer, CW and JL 

By Man Outraged
Posted Wednesday 12th March 2008 16:38 GMT
Heart

Please guys also consider the issue of consent in the following cases:

1.) Private email (under RIPA) - both parties to the email must consent, yes? What steps has Phorm Webwise really taken to ensure that every web-based personal communication tool, from corporate email servers to social networks and charities will be blacklisted from examination, when to the servers it just looks like another webpage? The technical arguments about HTML <form>s are irrelevant as message threads can be reproduced as inline text etc.

2.) Protected non-public content accessed via username and password, under copyright law.

And can someone please get onto the Open Rights Group and offer some technical help over this statement on their front page "Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP"

Please explain to them that, since cookies are transmitted in cleartext, and every packet on the network has the originator's IP address, the ISP can with a simple network sniffer easily create a lookup table of ID vs IP.

This just gets worse every day I read about it.
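
The comment above argues that a per-browser ID sent in a cleartext cookie can always be tied to the sender's IP address by anyone on the path. The following is an added example, not part of the original comment and not Phorm or ISP code, showing that linkage on a constructed capture so the privacy claim can be assessed; the cookie name `uid`, the hosts and the addresses are assumptions made for the illustration.

```python
"""Added illustration: a pseudonymous ID carried in a cleartext HTTP cookie
is linkable to the source IP of the packet that carried it."""
from collections import defaultdict
from http.cookies import CookieError, SimpleCookie

# Hypothetical cookie name; the page does not give the real one.
ID_COOKIE = "uid"

# Constructed sample: (source IP from the packet header, TCP payload bytes).
# Addresses come from the RFC 5737 documentation ranges.
CAPTURE = [
    ("192.0.2.10", b"GET /news HTTP/1.1\r\nHost: example.org\r\n"
                   b"Cookie: uid=A1B2C3; theme=dark\r\n\r\n"),
    ("192.0.2.10", b"GET /mail HTTP/1.1\r\nHost: example.net\r\n"
                   b"Cookie: session=zzz; uid=A1B2C3\r\n\r\n"),
    ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.org\r\n"
                     b"cookie: uid=FFEE99\r\n\r\n"),
    # Request with no cookie at all: nothing to link.
    ("198.51.100.7", b"GET /about HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    # Start of a TLS handshake: headers and cookies are not visible.
    ("203.0.113.5", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    # Same browser ID seen later from a different address.
    ("203.0.113.5", b"GET /x HTTP/1.1\r\nHost: example.org\r\n"
                    b"Cookie: uid=A1B2C3\r\n\r\n"),
]


def parse_request(raw):
    """Return a dict of lower-cased header names, or None if the payload
    is not a complete cleartext HTTP request head."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_id(headers):
    """Return the value of the ID cookie, or None if it is absent."""
    jar = SimpleCookie()
    try:
        jar.load(headers.get("cookie", ""))
    except CookieError:
        return None
    morsel = jar.get(ID_COOKIE)
    return morsel.value if morsel else None


def build_lookup(capture):
    """Map each observed cookie ID to the sorted list of source IPs it came from."""
    id_to_ips = defaultdict(set)
    for src_ip, raw in capture:
        headers = parse_request(raw)
        if headers is None:          # encrypted or non-HTTP payload
            continue
        cookie_id = extract_id(headers)
        if cookie_id:
            id_to_ips[cookie_id].add(src_ip)
    return {cid: sorted(ips) for cid, ips in id_to_ips.items()}


if __name__ == "__main__":
    for cid, ips in build_lookup(CAPTURE).items():
        print(cid, "->", ", ".join(ips))
```

The table contains every ID that crossed the wire in cleartext; only the TLS-protected payload contributes nothing, which matches the observation elsewhere in this thread that HTTPS traffic is not readable in transit.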

HTTP 

By Anonymous Coward
Posted Wednesday 12th March 2008 16:46 GMT
Thumb Down

One thing that ISPs have to understand is that HTTP traffic is used for many more things than private individuals browsing e-commerce sites. Big companies tend to have this mindset that the internet is all about e-commerce ... of course the bits of it that are of interest to them really are, but most of the rest of it isn't.

There are all manner of private status pages and control panels which people use of their broadband line, not to mention the myriad of automated systems which communicate by HTTP (1).

ALL of this traffic will be captured and analysed by Phorm's system, even if you opt out of having your 'browsing experience' enhanced via cookie.

My vote is a big fat NO.

(1) Although fortunately anything obscured by HTTPS should avoid interception as far as I've read so far.

copyrighted information 

By Kevin
Posted Wednesday 12th March 2008 16:48 GMT

Even if the default option is opt-in, and some BT/Virgin user has done the opt-in, and the BT/Virgin user reads an email (webmail) I have sent to them (from another internet connection), isn't some law still being broken?

They might have asked the Virgin/BT user for their permission to profile/phorm their communications, but they won't have asked the sender to read/copy/profile/intercept the private/copyrighted email they sent to that user via webmail.

Similar to this:

http://community.zdnet.co.uk/blog/0,1000000567,10007508o-2000331777b,00.htm

Stonewalled by BT 

By Mike Richards
Posted Wednesday 12th March 2008 16:54 GMT

Has *anyone* had a response from BT about Phorm/scumsuckers/WebWise?

I asked a week ago on their 'it'll all be lovely and won't someone think of the children' page and have yet to have a response. Likewise a question to their laughable technical support address has gone unanswered.

So now it's official 

By Anonymous Coward
Posted Wednesday 12th March 2008 16:56 GMT
Black Helicopters

ISP really does now stand for Internet Spyware Provider.

Argh it's not *just* Webmail, it's desktop mail, desktop apps too! STOP PHORM 

By dephormation.org.uk
Posted Wednesday 12th March 2008 17:00 GMT
Stop

We (peeps in Virgin NGs) discovered last night that content in Microsoft Office applications, and Open Office present the same 'user agent' as Internet Explorer.

To a web proxy (like Phorm) the requests will be indistinguishable from the requests submitted by a web browser.

The practical effect of this is that most popular desktop applications will be vulnerable to profiling by the Phorm profiler too.

Phorm's oft repeated claim to operate a user agent white list is a complete red herring (because all these applications appear to be Internet Explorer 7.0).

Applications like Word 2000/2003, Outlook 2000/2003, Open Office will effectively betray your desktop privacy to Phorm.

For example, the emails you read, and the domains and URLs where they came from.

The content within word processor documents, and the domains and URLs where they originated.

Phorm will not be able to differentiate between Microsoft Office applications during wordprocessing or email operations, and Internet Explorer.

The privacy and personal security risks associated with Phorm are simply too profound to be tolerable, not even as an opt in model.

For details see

http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?6

STOP PHORM!

www.dephormation.org.uk

"not adware" 

By Spleen
Posted Wednesday 12th March 2008 17:01 GMT

It's software. It delivers advertising. Which part of that is hard to understand? Oh right, the "advertising is not an experience which consumers enjoy, it is a burden they have to put up with" part.

@ Nick Palmer 

By Richie M
Posted Wednesday 12th March 2008 17:05 GMT
Paris Hilton

"They can believe in the *&%$ing Tooth Fairy, for all I care; it doesn't make them right"

That actually made me choke on my coffee and fall off my chair, bravo sir! :-D

-----------

Surely if the said ISPs change their T&Cs to incorporate this, aren't the users entitled to cancel without penalty as the new T&Cs aren't acceptable :-s

TBH I'd be surprised if this takes off, Phorm's share price has nearly halved since this all kicked off - and the more it gets discussed the less viable it appears.

Back door shenanigans? 

By Slappy
Posted Wednesday 12th March 2008 17:11 GMT
Black Helicopters

"Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions"

So, we'll all be opting in by a backdoor change of some obscure section of TOCs?

@Stonewalled by BT 

By Rich
Posted Wednesday 12th March 2008 17:12 GMT

I left BT Intercept (err, I mean Internet) years ago because I NEVER EVER got any response from them when I complained about their crap connection and poor service.

I would be staggered if you are treated any better these days.

One thought, of course, is that if you go down the "opt out" cookie route, you'll get automatically opted back in if you ever clear the cookies from your browser (which I do now and then for no particular reason other than to stop lots of crud building up)

I've got to hand it to the salesmen though; trying to convince their punters that this is all for their own good!

My mail to BT 

By John Dow
Posted Wednesday 12th March 2008 17:15 GMT

I have been following with interest BT's plans to incorporate Phorm's targeted ad software into the BT Broadband package.

As I do not consider myself to be anyone's "target market" and value my privacy highly, I would be grateful if BT could confirm either:

1. That opting out of the service will mean that none of my traffic will go anywhere near any hardware or software owned, operated or supplied by Phorm or their subsidiaries.

or

2. The substantial change in the Terms and Conditions and Privacy Policy that implementing this system will require will allow me to leave my fixed term contract early with no penalties.

I'm sure they'll enjoy ignoring that.

@ (re BT) I've asked to opt out........ 

By Anonymous Coward
Posted Wednesday 12th March 2008 17:23 GMT
Paris Hilton

If you have agreed to a contract over the phone they are supposed to send you written confirmation, and you have seven days from the day after you received it to change your mind. If they don't send you written confirmation you can change your mind within three months and seven days of the verbal agreement - see http://www.out-law.com/page-430#services

Reply From CEO Office BT 

By mark
Posted Wednesday 12th March 2008 17:28 GMT
Thumb Down

I sent an email to the CEO of BT last week and I have received a reply today; reply below (replaced names with xxxx). Sent full emails to elreg.

If BT intercept any data from my password protected http pages I will sue the pants off them for infringement of my intellectual property rights; the pages are passworded for a reason: KEEP OUT!..........

BT can't answer simple questions just keep forwarding you to their webwise page.

Dear Mr xxxxxxx

I am writing in response to your email sent to BT’s Chairman & Chief Executive’s Office and acknowledged by xxxxxxx xxxxxxxx.

I appreciate your concerns regarding the recent publicity about BT’s trial of BT Webwise. However, I would like to assure you that the proposed service is an “opt in” service. There is no intention to automatically intercept your internet connection data stream in order to collect internet usage patterns. Should a customer choose to take advantage of BT Webwise, BT is very careful to ensure that only specific data is collected.

More information, including a comprehensive questions and answers section can be found at http://webwise.bt.com/webwise/help.html. I can assure you that, in spite of your reservations, the information found there is completely trustworthy.

If I can be of any further assistance please do not hesitate to contact me.

Yours sincerely

xxxx xxxxxxxxx

@ Kevin re interception of email 

By Anonymous Coward
Posted Wednesday 12th March 2008 17:36 GMT
Boffin

I think Kevin has a good point here - if I am using Webmail, one interception is taking place of the (http) transmission between the webhost and me; but isn't another interception taking place of the correspondence between the sender of the email and me?

I know Google et al scan email for keywords to target advertising, but I have agreed to this in the signup T&Cs; that doesn't give the ISP or Phorm the right to use my email contents for advertising. And if the email comes from a person using another ISP host then doesn't he/she have to consent too?

Pop! The sweet sound of another bubble bursting! 

By tech idiot
Posted Wednesday 12th March 2008 17:42 GMT
Paris Hilton

Fancy a laugh at the expense of the investors?

http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=discussion&it=le

Enjoy.

In response to one of the investors whining - "But what have they got to hide?"

Paris says - "well nothing...obviously..I'm for sharing!"

IF COMCAST want to give me a OCR999 Internet Connection FREE 

By Mark Nelson
Posted Wednesday 12th March 2008 17:43 GMT
IT Angle

Then they can send me all the ads they want. But as long as I pay for the connection whatever it is PHORM can go jump in a lake with an Aircraft Carrier Anchor attached to their waist.

RE: Reply From CEO Office BT 

By Law
Posted Wednesday 12th March 2008 17:53 GMT
Flame

"I can assure you that, in spite of your reservations, the information found there is completely trustworthy."

Oh, that's ok then. We all feel like a bunch of idiots now, imagine, an ex-spyware company misusing the fountain of private information given to them from our ISPs... silly us.

<coughs> lying-t*ssers </coughs>.......

A flame, to cleanse BT!!

A fscking cookie?? 

By Bill Gould
Posted Wednesday 12th March 2008 17:56 GMT
Thumb Down

Let's presume I'm a retarded cabbage and actually stick with an ISP that shoves this down my throat without joining a class action suit against them. Presume.

So this magic cookie that is the basis of my having opted out of the Pharm scam... Where is it? It can't be on MY PC. Well, it could be I suppose, but what happens when I run my small suite of anti-malware/virus/adware and optimization tools which routinely delete all cookies (with my blessing)? Does this magic cookie go away? Am I now opted in by default? Do I need to go opt out after every system cleansing?

I call shenanigans. Boo-urns.

Phorm Share price 

By peter
Posted Wednesday 12th March 2008 17:58 GMT
Happy

Tuesday March 11, 10:47 AM

" LONDON (Thomson Financial) - Phorm Inc (LSE: PHRX.L - news) said it is not aware of any undisclosed commercial reasons for the recent movement in its share price, as it issued a statement to clarify 'some misconceptions which we are taking steps to address' on privacy issues.

The company has been criticised in recent weeks over concerns that its technology, which categorizes web-surfing habits in order to target online advertising, compromises user privacy."

BTW the shares ended up down -11.60% at closing.

Just hoping that 

By adnim
Posted Wednesday 12th March 2008 18:04 GMT

this too has an even greater negative effect on the Phorm share price.

I'm not usually one to gloat over another's misfortunes. However, I will make an exception in the case of Phorm. I will raise a glass when they crash and burn.

I am lucky not to use any of the ISPs due to be infested by Phorm. And I have much respect for my ISP. They are not cheap but do provide an excellent service and a UK based support center.

Respecting one's rights to privacy as I do, I sympathise with the victims of Phorm's bad practice. And wish you well in dissuading your respective ISPs from this gross invasion of privacy, or finding an alternative provider you can trust.

Good luck with this.

Phorm and RIPA 

By Midnight_Voice
Posted Wednesday 12th March 2008 18:14 GMT
Go

Re the Home Office letter:

Paras 6 and 8 seem to confirm the view that Phorm are doing interception as defined under RIPA.

Para 9, I am guessing, applies to the non-processed data from opt-outs. But I don't think it is sound; the filter belongs to the 'person' (Phorm), and even though the person elects to do nothing with it, they could have processed it, so it has been made available to them. You'll notice that Phorm talk about 'our servers' at the ISP, and not about 'our software' on the ISP's servers.

Para 13 makes it clear that *both* ends must consent to the interception, for it to be authorised. So the subsequent OIX use for ad serving is entirely legal. But that is then what the letter goes on to talk about.

Instead, it should be considering the data collection at the ISP; *I* might consent to my end of a session with 'WebHost', but unless WebHost also consents, we have unauthorised interception.

The argument in para 15, for possible implied consent by WebHost, can be rapidly dismissed. Until I contact WebHost, they have no knowledge that a message is coming, and so cannot possibly have consented to its being intercepted unless they have issued some sort of blanket permission for this, in advance; and such permission could hardly be an implied permission.

We then hardly have to consider the second leg, where WebHost reply to me and the communication is again intercepted, without their knowledge. However, if we must, I need only point out that if what WebHost provide is a paid-for, password-protected, service, then the presumption of any implied consent to interception must also fail.

Re paras 16-18, I'd suggest that the lawful interception under 3(3) doesn't apply, as the Phorm data collection is clearly additional to the services needed to provide the ISP service. (Indeed, if it wasn't, then I couldn't be posting here now). And it's stretching the definition to breaking point to interpret it otherwise.

However, if what Phorm are planning is allowable under 3(3), then no sender or receiver permissions would be required, and the recommendation in para 20 would be just that - a recommendation. But it seems clearly wrong that this should be so, and para 20 should be enforceable in law, in my view.

Para 21 remains wrong about being able to assume the implied consent of web hosts. Especially, I would imagine, rival advertising services.

Para 22 I find wrong as well. However, I then have a difficulty in that the spam-blocking service provided by my other ISP, and which I have cheerfully opted into, would also seem to me not to be lawful interception under 3(3). And if not, I very much doubt that the spammers have given their consent, implied or otherwise, under section 2.

Anyone help me square this circle?

cookies 

By Anonymous Coward
Posted Wednesday 12th March 2008 18:27 GMT
Flame

It's too easy to be true to poison their database.

We can use their system against themselves.

Remember Phorm do not get IP number information. Their "so called" privacy is their Achilles heel. Well, you're going to love this.

The only way Phorm can ID users is supposedly only by a cookie; this is done for "so called" privacy reasons.

Why don't we all use the same cookie. Making sites you go to pointless as 99.9% their system knows about has nothing to do with you.

All for 1 cookie and 1 cookie for all.

I say we should call this Operation Cookie Monster, yes like from Sesame Street.

;)

hang on... 

By Anonymous Coward
Posted Wednesday 12th March 2008 18:32 GMT

if some arsehole is using a BT subscriber's connection via BT Fon does that mean that BT subscriber will be bombarded with x-rated ads from Phorm?

BT Webwise 'completely trustworthy'? 

By Midnight_Voice
Posted Wednesday 12th March 2008 18:32 GMT
Alert

It's interesting to compare the BT Webwise site:

http://webwise.bt.com/webwise/help.html?_faqs=13,14,15,16,17,18#f13

with:

http://www.webwise.com/how-it-works/faq.html

Apart from putting 'BT' instead of 'ISP', these answers are word-for-word the same. So who wrote them, do you think? (Clue: who has been quoting them in interviews?)

But it's OK, they are completely trustworthy. (Except perhaps for the 'Why do I have to opt out?' question, which mysteriously vanished earlier this week; perhaps that wasn't....)

And curiously (i) webwise.com seems to have fallen off Google...though Phorm hasn't, so it doesn't look like a Google backlash

and (ii) only the BT and TalkTalk logos appear on the Webwise site - Virgin is conspicuous by its absence. I hope this means more than just that VM haven't biked over the logo artwork yet....

hang on... 

By Anonymous Coward
Posted Wednesday 12th March 2008 18:33 GMT

if some arsehole is using a BT subscriber's connection via BT Fon for some single handed web browsing does that mean that BT subscriber will be bombarded with x-rated ads from Phorm?

C'mon guys 

By ian hoar
Posted Wednesday 12th March 2008 18:56 GMT
Boffin

surely together we can come up with either;

1) a virus which just sits in yr Temp Internet folder, just waiting for Phorm's servers to read it.

OR

2) a randomising program which changes the contents of the cookie each time a new page is visited, making it useless.

BT CEO Mail, @mark 

By Ian
Posted Wednesday 12th March 2008 19:12 GMT

If they really said ``I would like to assure you that the proposed service is an “opt in” service.'' then that's a massive change of position. If CPW and BT go for an opt-in scheme (ie default opt-out) and Virgin join them then the game is essentially over for Phorm.

Leave Phorm Alone! 

By Gleb
Posted Wednesday 12th March 2008 19:20 GMT
Coat

How dare you talk about Phorm like that, do you know what she's been through?!

What are the chances… 

By Anonymous Coward
Posted Wednesday 12th March 2008 19:38 GMT

What are the chances of getting an injunction prohibiting any deployment of Phorm in the UK until all these very important legal questions have wended their way through to the House of Lords?

Let's saturate Phorm with rubbish 

By Dominic (The Pimp) Connor
Posted Wednesday 12th March 2008 19:59 GMT

The first comment is my sentiment. Just for fun I've written a Javascript applet that generates a mix of real and randomly generated web access. I chose Javascript because I can't think of any way an ISP can easily tell the difference between a script in a browser navigating to a page, and me typing.

Anyone know something I don't ?

Public Notice 

By Morely Dotes
Posted Wednesday 12th March 2008 20:22 GMT
Alert

I own and operate Spamblocked.com and Kryptonite Hosting, and I explicitly, categorically, and without reservation *deny* to Phorm, OIX, and any other third party who is not an end-user's ISP or legitimate search engine permission to intercept and/or profile traffic sent by my server(s) in response to the end-user's query. I further deny permission for such traffic information to be conveyed to any such third party.

webwise cookies 

By Peter White
Posted Wednesday 12th March 2008 20:30 GMT
Thumb Down

below is lifted from BT's Webwise FAQ page

it seems to infer that there are both opt out and opt in cookies and if it can't put a cookie on the machine (because you have blocked them) it seems to assume opt out from below

About use of cookies in BT Webwise

What happens if I delete my cookies?

You will receive a new cookie from your Internet service provider (ISP) when you go online. You will need to choose again whether to turn BT Webwise on or off. You should return to www.bt.com/webwise and turn it on or off as necessary. [X]

Why does BT Webwise use cookies?

This is so that we can send relevant advertising without learning a customer's identity. [X]

I delete my cookies regularly, and I want to keep BT Webwise switched off. How do I do that?

If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add "www.webwise.net" to the Blocked Cookies settings in your browser. Up-to-date versions of both Internet Explorer and Mozilla Firefox have this capability. [X]

Recognizing Phorm invasion 

By Roy Pembroke
Posted Wednesday 12th March 2008 20:40 GMT

How will we recognize a "Phorm invasion" if an ISP signs up to it? My guess is that BT will foist it on its customers. Does the Phorm cookie appear in the browser cookie log from where it can be deleted?

User agent 

By system
Posted Wednesday 12th March 2008 20:45 GMT

Not sure how it'll work when the service goes live, but they are supposedly ignoring certain browsers that will break with redirection.

So, grab this: https://addons.mozilla.org/en-US/firefox/addon/967

tools -> modify headers -> Add -> 1st box: "User-Agent" 2nd box: "Kent Ertugrul of phorm is a spunk bubble" (without the quotes in both boxes).

Also check configuration -> always on

Now go to http://whatsmyuseragent.com/ and you should see a nice message: "Your User Agent is: Kent Ertugrul of phorm is a spunk bubble"

Hopefully, you should also never see a redirect in your traffic when they switch this service on. Eagerly waiting with a packet sniffer to test it though.

@Stonewalled by BT 

By The Other Steve
Posted Wednesday 12th March 2008 20:50 GMT

Nope. Got ticket and everything. No response from them at all, in fact even their canned response suggests that they can't be arsed :

"We are currently experiencing a very high volume of emails due to increased demand for information and ordering of our range of Broadband products."

In other words, don't hold your breath, your call is not important to us, everything is just peachy.

Cockbadgers. I made my formal complaint on Tue 4, so they've had plenty of time to get round to it IMHO, and tomorrow the serious foot stamping will begin.

Still also waiting on a reply from Trading Standards w/r/t variation of contract Ts&Cs, and a response from my fat lazy useless MP, although since he is basically a NuLabour sock puppet, I'm not expecting much from him. You never know your luck though, and if enough people write to their 'representatives' perhaps at least one of them will find the balls to ask a question in the house, like to see what that would do to Phorm's share price.

@tech idiot 

By Anonymous Coward
Posted Wednesday 12th March 2008 20:58 GMT

I think the comment "But what have they got to hide?" is a mocking comment.

That "investor" only posts negative comments about Phorm from ZDnet and TheRegister and talktalkmembers.com

I suspect they are not an investor but an IT guy.

Just a thought....

CEO email addresses 

By Peter White
Posted Wednesday 12th March 2008 21:02 GMT
Happy

if you type in CEO BT EMAIL ADDRESS into google you get

http://www.connectotel.com/marcus/ceoemail.html

as the top link

very useful

i will be emailing BT's CEO (my ISP) shortly

Am I wrong? 

By Anonymous Coward
Posted Wednesday 12th March 2008 21:25 GMT

I'm new to all this, but as a guess, won't they need to know your IP address to be able to send you a Cookie of any type, be it opt-in or opt-out. So I'm guessing your anonymous cookie and your IP address are together for a while!!! But then I'm sure I'm missing something.

Where is my Blocked Cookies setting 

By Anonymous Coward
Posted Wednesday 12th March 2008 21:32 GMT
Jobs Halo

I use Safari on my Macs

I had a dream last night... 

By Alex
Posted Wednesday 12th March 2008 22:02 GMT
Alien

that the general public wised up to this "ISP Internet Takeover" stunt and everyone:

set their wireless access points open,

installed cookie modifying firmware on the router

and enabled local node file sharing server facilities,

the wireless access would auto-hop between access points (and ISPs), set to hop every few minutes, and log-on was all managed seamlessly by a piece of software not unlike "devicescape"...

needless to say all adverts were blocked at the access points and the ISP's stunt left them hated by their subscriber base as they clawed for the last remaining "exploitable ignorant".

...t'was all most strange, but it worked.

Internet Service Providers NOT Advertisement Service Providers

DO. NOT. WANT.

..now then about that 'test' privacy breach?

(originally posted over in 'Mobile' : http://www.theregister.co.uk/2008/03/12/mobile_phom/ )

SCO 

By Anonymous Coward
Posted Wednesday 12th March 2008 22:12 GMT
Joke

Am I experiencing deja vu?

If not why is this graph making me think of SCO?

http://www.iii.co.uk/investment/detail?type=&display=chart&code=cotn%3APHRM.L&it=le&timeframe=1m&index=&versus=&linetype=line&Go=Plot+&overlay=&overlay2=&overlay3=&overlay4=&indicator=&indicator2=&indicator3=&indicator4=&chartwidth=500

Phucked if I can think of one. 

By Anonymous Coward
Posted Wednesday 12th March 2008 22:40 GMT
Flame

I see phorm.com has now got links to lots of news stories about them. Strangely enough there are no links to this site! Based on the performance of their share price again today this PR company's doing an outstanding job. :-)

To reiterate my stance on this "service" - phuck off Phorm. DO NOT WANT!

Dangerous Interpretation 

By Alexander Hanff
Posted Wednesday 12th March 2008 22:42 GMT
Alert

I see a number of people saying BT are going to make this Opt-In based on the email a reader got from the BT CEO Office. Please re-read the email because that is not what was said at all and interpreting it as such is very dangerous and will come back to bite you on the ass.

The BT email states the Trial will be opt-in not the full launch of the service. Given the statement by the Home Office, there is no doubt that BT will make this system opt in by default by simply changing their Terms and Conditions once they go to full launch.

So please when reading information regarding this scandal calm down, take a deep breath and read it slowly, instead of just washing over it and interpreting the information as something it is not.

Also on RIPA, I find it disgusting that the Home Office does not understand RIPA. RIPA requires explicit consent from both parties for an interception to take place, so the Home Office's bullshit about implied consent is exactly that, bullshit.

There is no doubt whatsoever that this "service" is in breach of RIPA and is a criminal offence (why do you think the Home Office didn't commit to their statement in the first place and instead as a bootnote offset their responsibility to the courts?). This was clearly a paid stooge in the Home Office or some close friend/associate (possibly even investor) of execs/stakeholders of one of the companies involved (Phorm, BT, Virgin, CPW you choose).

Given that their share capital was well in excess of £100M before this shit kicking commenced, some people have lost heavily on this and the only people investing that sort of money are ones who have a far reach, the right school tie and friends in high places. Make no mistake, the Home Office statement was a payoff pure and simple, maybe not for money, but at the very least for favours or repayment of an "I owe you one" from some previous political misbehaviour.

Phorm is illegal under RIPA

Auto Opt-In is illegal under DPA

Home Office are talking shit.

I don't just want to avoid Phorm.... 

By Anonymous Coward
Posted Thursday 13th March 2008 00:19 GMT
Gates Horns

"...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice."

If my ISP adopted this excrement I would certainly want to have a go at poisoning the database and it should be perfectly legal too.

I think I'd compile a list of sites that carry phorm (oix) adverts as it would be unfair to burden sites that have nothing to do with phorm with the bandwidth used, and write a script to automatically opt into phorm (the opt-out is worthless after all) and access one or more sites (and maybe the odd MSN/google search query) to start building a profile, save the phorm cookie to a file and delete the original, then select one of the cookies from the file and restore it and access pages from one or more of the selected sites, then delete the cookie (keeping the copy in the file) and go back to step 1.

It has been claimed that the tracking cookie is just a random number and the profile is based on your last 10 days activity, so it should be possible for one user to create an awful lot of profiles for phorm to keep track of over a 10 day period and keep them active so they don't expire and would help to hide my genuine browsing activity.

SpyBlocking software including that firefox extension will not stop your data being intercepted. 

By William Morton
Posted Thursday 13th March 2008 00:26 GMT
Thumb Down

As the interception occurs within the ISP's network it does matter what you do to your PC if you allow unencrypted web request then they will be profiled. There are only two ways to stop this

1. Use a tunnelling protocol to step over the compromised network of your ISP

2. Move to an ISP that guarantees that they will not use PHORM or similar technologies

If the ISPs continue with the OPT-OUT based service then if you block the PHORM cookie in any way you are opted in by default. If you accept the opt out cookie then your data still goes to the profiling server within your ISP but they say it is ignored.

Also for those people thinking of waiting it out here is a snip from Professor Peter Sommer's report to the home office

20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria.

In other words if you accept the ISP TOC then you have agreed to the interception. Full document here http://cryptome.org/ho-phorm.htm

Vote with your feet and add your name to the petition to the PM here http://petitions.pm.gov.uk/ispphorm/

Keep Phorm Out 

By Anonymous Coward
Posted Thursday 13th March 2008 00:26 GMT
Thumb Down

With all the risks already posed on the internet, do we really need another one? I for one am determined to keep Phorm out of my system - it is my privacy and right to do so and I will not and do not tolerate spyware.

Phorm's stance to opt-out is not even democratic since permission is not even sought BEFORE a cookie is placed on a system. Those who propose an opt-in would get my vote, since then there is a choice and that choice remains with the computer user - not Phorm. However, Phorm has yet to prove to internet users that their so-called opt-out cookie is really and truly opt-out - or is it just going to be partially opt-out or if the opt-out cookie is removed, does this mean the user is automatically opted-in again? No way should Phorm be allowed to drop spy cookies onto private systems without specific authority from the owners and furthermore, the Phorm company has already been caught before, handling spy programs.

I was reading about talktalk last nigh 

By bws
Posted Thursday 13th March 2008 00:36 GMT

Apparently they've made it an "opt-in" service, but that's only half the battle... Even if you don't opt in, and if I understand how the whole mess works, they will still be able to gather content metrics on your browsing patterns, which I think is a crock of crap.

That's still interception and tapping, as far as I'm concerned. That's just as bad as going into the central office and plugging into random punch downs and listening to conversations, but not knowing exactly who is doing the talking.

I don't know if Phorm has established a foothold over here in the US yet, but I'd be the first American to willingly contribute to a UK legal fund to fight these suckholes from spreading their disgusting tripe anywhere else!

Question for Chris & John 

By Alexander Hanff
Posted Thursday 13th March 2008 01:05 GMT
Go

Hey Guys,

Given the Home Office statement which states there -may- be an argument of implied consent where no expressed consent exists; can you ask El Reg execs if they plan to add expressed denied consent to their own web site terms and conditions denying Phorm and Phormesque technologies the right to access your content?

Given that El Reg has committed so much time and energy to this story (which is a good thing) it would seem fitting to commit your own website to denying Phorm access under RIPA.

Malware is Malware 

By Anonymous Coward
Posted Thursday 13th March 2008 01:06 GMT
Thumb Down

You can't give something to someone when they never asked for it.

It's the same as taking my email and telling me to tell you to stop taking my email.

Opt-out is only valid if you opt-in unless a said person leaves their data out there in the public domain for this purpose so declared. Example website put their sites on the public domain so people and search engines use them in a give - take. Not for spammers to look for fax and email adverts in a take take.

@ tech idiot 

By Anonymous Coward
Posted Thursday 13th March 2008 01:32 GMT
Thumb Up

Good catch....

http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=discussion&it=le

I've discussed this subject at length with non-technical folks who all seem to be of the opinion, "nothing to hide/nothing to fear". I feel the way to tackle this bunch is to talk up the webmail angle, as when this argument is run, bingo ...... suddenly they realise what I'm saying and somehow becomes relevant.

Anyone with an account on the aforementioned server may just want to continue singing from the hymn sheet....

Actually reading up their comments does make me feel somehow...... dirty, the wording is just the same as "pump and dump" spam.

@The Other Steve 

By Slappy
Posted Thursday 13th March 2008 01:41 GMT
Thumb Up

"Cockbadgers"

Thank you for a wonderful new word :D

Repackaged 'people onpage' 

By Bobby
Posted Thursday 13th March 2008 01:48 GMT

Has anyone noticed the similarities of Phorm's Webwise to 121media's previous spyware material?

You will be forced to use their software that includes a new webwise toolbar attachment because if you opt out you will no doubt suffer slower speeds as your isp prioritises its Webwise users. That's common business sense and their traffic shaping will play a big role in this.

I've mailed Bt over a dozen times over this Webwise spyware business but they have not replied. I've phoned their customer services dept to arrange cancellation of my account without penalty but they passed on my request to higher office who have again also refused to get back to me.. I just want out of this mess but they won't let me go..

Webwise is a dangerous path for any isp to follow because when it inevitably goes wrong they might face the biggest clean up bill in internet history and even closure because the warnings were all there right at the beginning.

Bt are currently testing the Webwise installation in Kingston on Thames and it appears they are also testing it on behalf of all the other isps as well. However I am convinced Bt will very soon announce that Webwise has failed these tests and that Bt will no longer continue merging with the Phorm proxy server because of this..

Bt really should not be discussing any kind of mergers with a crook like Kent Ertugrul a guy that should have been imprisoned for his evil activities against so many decent law abiding internet users. The law courts should be the ones discussing the millions in compensation claims he should pay instead before banging him up where he belongs..

Are customers liable? 

By Alexander Hanff
Posted Thursday 13th March 2008 02:01 GMT
Stop

By accepting the Terms and Conditions and giving your ISP permission to intercept your communications you may actually be opening yourself up to criminal liability under RIPA.

As mentioned a multitude of times, consent is required from all parties for the interception of communication; by communicating with someone else with the knowledge that there is going to be an interception without the consent of the other party(ies) you could be deemed as complicit. All sort of cans of worms could be opened such as aiding and abetting; conspiracy and entrapment.

You could also be opening yourself up to Copyright Infringement offences such as Secondary Infringement and Vicarious Infringement. BT et al should be reminded that Copyright Infringement becomes a criminal offence where commercial gain and profit are involved; and since this is a profit based system (the ISPs get a cut of the advertising revenue) it seems to fall under criminal copyright law.

I am not aware of any case law in the UK which covers these points explicitly (but that doesn't mean it doesn't exist) however, there is case law elsewhere in the world. If I remember correctly there has been at least one case lost see:

Kelly v. Arriba Soft Corporation (336 F.3d 811(CA9 2003))

http://netcopyrightlaw.com/pdf/kellyvarribasoftjudgement03182004.pdf

It should be noted that even in the case of Perfect 10 vs Google (which was originally judged in favour of the Plaintiff (Perfect 10) and then overturned on appeal) Google only managed to get the ruling overturned on Fair Use arguments. Fair Use arguments don't work in the Phorm situation because there are differences. Google Images only created a derivative work in the form of a thumbnail which then linked directly back to the websites they came from. Phorm is copying the entire page using an illegal wire tap, so I don't think they could use the same arguments of Fair Use.

See also:

http://www.jurpc.de/aufsatz/20020029.htm (in German sorry)

which basically covers the situation regarding caching of websites in Europe with regards copyright law and reinforces that it is actually Copyright Infringement under European Law.

See also:

http://www.archive.org/iathreads/post-view.php?id=119669

The above stemmed around Archive.Org (aka WayBackMachine) and the courts accepted that the Plaintiff had a case for the court to hear with regards breach of contract, based on the Terms and Conditions she had on her website which were breached by Archive.Org when they cached her pages.

Obviously Archive.Org settled out of court so no judgement was ever received, but they did acknowledge the infringement in their press release.

My advice to website owners who do not wish to have their pages intercepted and copied by Phorm systems (or indeed any other such systems) would be to add some Terms and Conditions to your website explicitly refusing the right to copy the pages and would then be covered under copyright law, contract law and RIPA as I understand it. If the Home Office want to try and throw around the implied consent argument, then it cuts both ways. Phorm accessing the website are bound by your Terms and Conditions through the same implied consent and would therefore be in breach of contract should such terms as "Phorm may not access or copy this website under any circumstances" appear in those terms. So potentially, a lot of popular forums could make a boat load of money from suing ISPs and Phorm for Copyright Infringement and Breach of Contract and even possibly bring criminal charges since the infringement is being used for commercial and financial gain.

Even if there is a slightest chance that my statements above are correct, they are reason enough alone, not to allow the interception of your communications.

So in the words of Nancy Reagan "Just say No!" [to Phorm]

Deny Phorm Campaign 

By Alexander Hanff
Posted Thursday 13th March 2008 02:56 GMT
Go

I put up a blog on blogger.com highlighting these articles, summarising the main issues and requesting web site owners to add terms to their web sites denying consent for Phorm to intercept communications between their web sites and users.

It is my belief that these terms alone should be enough to make Phorm breach RIPA with regards to consent from parties.

I have called the blog Deny Phorm because we -all- have the right to Deny Phorm access to our communications, users and content providers alike.

You can find the blog here:

http://denyphorm.blogspot.com/

Virginmedia T's & C's 

By Mark Duncan
Posted Thursday 13th March 2008 07:18 GMT

J.3.b.

Can't remember the exact wording, but if they make a significant change to their T's & C's you are entitled to cancel without penalty. First indication of a phorum cookie and I'm outta there.

any legal eagles out there 

By Peter White
Posted Thursday 13th March 2008 08:08 GMT
Coat

are there any legal people out there who specialise in RIPA , DPA etc that can give us a clearer picture of this

is it legal or not, mind you I suspect even from a legal specialist it will not be black or white, just a darker shade of grey

Email campaign 

By Anonymous Coward
Posted Thursday 13th March 2008 09:06 GMT
Stop

Ok, Reg, how about you send a nicely worded email to everyone on your database asking if we believe Phorm should be allowed to be implemented and spelling out what Phorm is.

If we don't agree, how to lodge our complaint with the official body. Maybe a link to complain and a sample wording.

El Reg has all of our email addresses. We can then forward that email on to everyone we know asking them to pass it on too. Let's take PHORM down on this issue. WE DO NOT WANT OUR DATA SOLD. Viral marketing is needed to kill the beast.

Implied Consent 

By Graham Wood
Posted Thursday 13th March 2008 09:28 GMT
Stop

Wonder if someone can come up with a standard letter for us to send to phorm/Bt/TT/VM/a.n.other ISP as webmasters?

"I hereby state that I give NO permission for phorm, or any company associated with their OIX platform, to process (or view) my data in any way. Any interception (not just processing) by systems involved in the OIX offering is therefore illegal under UK privacy laws"

Or similar, should make it very interesting. My mother uses one of my colo boxes for her email, and she's on VM... That sounds like they are going to get themselves into trouble.

Phorm's anonymity is tosh 

By Werner McGoole
Posted Thursday 13th March 2008 09:29 GMT
Alert

I've been thinking about phorm's claim to anonymise user data using random numbers and I've concluded that it's completely bogus. Let me tell a little story to show why...

"An evil king had 10 servants. They were loyal servants, but one of them (a ginger-haired man) had earned the king's displeasure. The king decided to remove him, but to execute a man just for being ginger was a bad act, even for this king, so he devised a cunning plan. "One of my servants has been stealing from me", he declared, "We will investigate and punish the offender". But to protect the privacy of the innocent, the investigation would be done anonymously.

So he gathered his servants and made each one pick a number at random. Then he drew a cookie on each servant's arm and wrote the servant's number inside the cookie. He then instructed each servant to write their number on the door of their room. Being loyal servants, they did this.

The king then called the head of his secret police. Publicly, the king said "Go and search the servants' rooms and if you find stolen goods, tell me the number written on the door" (but privately, the king told the policeman not to look for stolen goods, but to find evidence of ginger hair). In due course, the policeman returned and declared "Room number 7 belongs to the culprit". The king thanked the policeman and arranged for him to meet with an unfortunate accident.

The king then mounted a guard on the door of his palace. When the servants reported for duty, their cookies were checked and servant number 7 (the ginger-haired one, of course) was taken out and shot."

I trust you see the connection with what your ISP and phorm are doing.

So was anonymity really achieved by the random number technique? I would say no. Definitely not.

As far as the secret police (phorm) are concerned, there is a bogus claim to anonymity. The policeman who scanned each room didn't know which servant it belonged to. The information was then deleted (the policeman killed) and the only information that remained was that room number 7 contained stolen goods (or ginger hair, actually). But clearly this didn't protect the innocent ginger servant from the consequences of his data being abused. So the claim to anonymity is completely fake.

The reason is that the king (ISP) retained the ability to link random numbers back to servants (users) by inspecting cookies. In reality, phorm holds the randomised data and the ISP holds the method of linking random numbers back to users. Neither of them acting alone holds personally identifiable information, but acting in concert they do. The data are not anonymised.

To summarise: I believe the Data Protection Act applies to this case because personally identifiable information is being held. The information is about "advertising preferences" (or whatever phorm extracts) and the link to an individual exists because phorm and the ISP are acting in concert and the ISP can match the so-called random numbers against the cookies presented by users (it not only can do this, it *has* to do this in order to deliver the adverts).

Phorm is not using random numbers. It is using numbers that can be (and are) traced back to users. It's a fraud.

Detect users coming in via Phorm 

By poh
Posted Thursday 13th March 2008 09:42 GMT

Just a quick question. Does anybody know how I as a web host can detect if one of my users is coming in from via a Phorm wire-tap? Will there be odd IP ranges to look out for (perhaps not, seeing as the Phorm wire-taps are within the ISP)? Given that Phorm seem to have some mechanism for injecting a cookie into my domain, does this mean I can find it with Javascript?
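
For the question above about spotting a cookie injected into your own domain, one server-side check is to compare the cookie names arriving in requests against the names your site actually sets, and see which networks the strangers come from. This is an added example, not code from the thread; the allowlist, the sample requests and the cookie name `tracker_uid` are constructed, because the thread does not give the name of the Phorm cookie.

```javascript
// Added example: audit Cookie request headers for names this site never set.
// ASSUMPTIONS: EXPECTED_COOKIES, SAMPLE_REQUESTS and "tracker_uid" are
// constructed for illustration; replace the allowlist with your own names.

const EXPECTED_COOKIES = [
  { name: "session_id" }, // exact cookie name set by the application
  { prefix: "pref_" },    // family of preference cookies set by the application
];

// Split a raw Cookie header ("a=1; b=2") into [name, value] pairs.
function parseCookieHeader(header) {
  const pairs = [];
  if (!header) return pairs;
  for (const part of header.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq).trim();
    const value = eq === -1 ? "" : trimmed.slice(eq + 1).trim();
    pairs.push([name, value]);
  }
  return pairs;
}

function isExpected(name) {
  return EXPECTED_COOKIES.some((rule) =>
    rule.name !== undefined ? rule.name === name : name.startsWith(rule.prefix));
}

// Names present in the header that the site itself does not set (deduplicated).
function findUnexpectedCookies(header) {
  const seen = new Set();
  for (const [name] of parseCookieHeader(header)) {
    if (!isExpected(name)) seen.add(name);
  }
  return [...seen];
}

// Rough IPv4 bucket so results can be compared with an ISP's address space.
function network24(ip) {
  const octets = ip.split(".");
  return octets.length === 4 ? `${octets.slice(0, 3).join(".")}.0/24` : ip;
}

// Summarise unexpected cookie names: request count, distinct clients, networks.
function auditRequests(requests) {
  const byName = new Map();
  for (const { ip, cookie } of requests) {
    for (const name of findUnexpectedCookies(cookie)) {
      if (!byName.has(name)) {
        byName.set(name, { requests: 0, clients: new Set(), networks: new Set() });
      }
      const entry = byName.get(name);
      entry.requests += 1;
      entry.clients.add(ip);
      entry.networks.add(network24(ip));
    }
  }
  return [...byName.entries()]
    .map(([name, e]) => ({
      name,
      requests: e.requests,
      clients: e.clients.size,
      networks: [...e.networks].sort(),
    }))
    .sort((a, b) => b.clients - a.clients || a.name.localeCompare(b.name));
}

// Constructed sample: (client IP, Cookie header) pairs as read from an access log.
const SAMPLE_REQUESTS = [
  { ip: "192.0.2.10", cookie: "session_id=abc; pref_lang=en" },
  { ip: "198.51.100.7", cookie: "session_id=def; tracker_uid=1111" },
  { ip: "198.51.100.52", cookie: "tracker_uid=2222; pref_theme=dark" },
  { ip: "198.51.100.7", cookie: "session_id=def; tracker_uid=1111" },
  { ip: "203.0.113.5", cookie: "" },
  { ip: "203.0.113.9", cookie: "session_id=ghi; legacy=1" },
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

`findUnexpectedCookies(document.cookie)` runs the same check in the browser, but cookies flagged HttpOnly are invisible there, so the server-side audit is the more complete view.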

The other party to the conversation 

By Stephen Baines
Posted Thursday 13th March 2008 09:48 GMT

As a British citizen domiciled in Sweden with servers located outside the UK, and the other party to conversations between my website users and my servers, I would really like to see what BT and Phorm make of the privacy laws here... I've already sent letters to Phorm, BT, Virgin Media and Talk Talk informing them that I do not give permission for such monitoring of my conversations on my Swedish operated servers and that they must cease and desist.

I've already got the Read Receipt from BT's company secretary on whom notices should be served. It'll be difficult to argue they've not received it.

As each page on my websites is generated by scripts, and personalised for each visitor, that makes them a private communication, especially the areas protected by usernames and passwords.

Excellent smithers 

By alistair millington
Posted Thursday 13th March 2008 09:53 GMT
Black Helicopters

Excellent, now the home office is involved. (Cue image of trembling boots and a scary home secretary... Who is it now anyway?)

Not that I expect any action, as it is a government agency, but at least people somewhere in the hallowed halls of antiquity are beginning to take notice.

**Dons tin foil hat.**

Why is that, helping the general populace out at a time of company underhandedness.

Or

The petition and ruckus caused by this and other sites?

Word from bethere 

By Jonathan
Posted Thursday 13th March 2008 10:19 GMT

I quite liked bethere when I used it in a previous house, so I contacted them to ask them about Phorm, to help me make a decision in future. This is their response:

Thank you for contacting us.

We are not a part of the Phorm system and we are not even planning to be, so there will be nothing to worry about.

Regards,

Be Team

So, assuming this isn't the same kind of lie that BT spouts, I think they at least, are in the clear.

I thought of something else though - what if someone wrote a program, that created random Phorm cookies, and made random requests. Distribute this program to a few addresses, and suddenly Phorm's database becomes far less relevant - it will now contain lots of redundant and useless information. Although, I guess it doesn't stop them profiling people.

If the ISPs want people to use PHORM they should provide FREE internet access 

By Anonymous Coward
Posted Thursday 13th March 2008 10:23 GMT

I have not used virgin media and so I won't comment upon them

BT however have for the past year and a half been trying every dodge to squeeze more money out of their customers, first they resell their customers bandwidth via BTFON now want to sell the user's data too. BT charge over the odds for their service and outsource the call centres to India so removing revenue from this country. It is clear that BT do not like the people in this country at all they go out of their way to screw us at every turn, PHORM is just another example of BT Business practices.

Ofcom who are supposed to protect communication customers rights are clearly being directed by BT, I say this as BT can and do what ever they like without repercussions, who speaks for the customers protection not ofcom they speak for BT. There is evidence that BT trialed PHORM last July against BT's own privacy policy, why has this not been investigated by any government department?

Why is BT Wholesale (the people who charge the line rental) allowed to have a monopoly on communications outside of every city.

I will tell you why, it is because your government is not interested in the people only in companies and their interests.

The tax payer has to shell out when big businesses cockup see Northern Rock, Lloyd's names etc is this money well spent? I ask as I do not understand what possible benefit to me comes from giving £20Bn of our money to fat cats who gambled and lost.

The Pimps here are not PHORM they are just the middlemen, no it is BT and the Government's policies that are the real pimps and we are just whores who have to pay for someone to screw us

@Jonathan 

By Graham Wood
Posted Thursday 13th March 2008 10:46 GMT

There is a non-zero cost associated with running the Phorm system. If there's no return (no-one clicks on the ads), then eventually the companies will stop doing it.

Therefore if the system can be "stressed", and at the same time made to be less effective, it'll start showing up as a negative on the companies' bank statement.

Given the throughput that this needs to support to not affect the customer's "browsing experience", we're not looking at a single small server.

If I were to set this up, I'd be looking at a pair of BIG L7 "interceptors", probably 4 profilers, running load balanced, and then probably a clustered backend DB to keep track of so many cookies. That's going to need to be separated into 2 racks at least (each containing the L7, 2 profilers, and one of the DB nodes), and from previous experience with hosted equipment, they're going to want full racks.

2 racks in a server room (rental, power, cooling, maintenance) is not going to be cheap if there's no income.

Re AC 

By citizenx
Posted Thursday 13th March 2008 10:58 GMT

>...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice.

Makes you just as bad as them. *plonk*

RIPA 

By citizenx
Posted Thursday 13th March 2008 11:00 GMT

>So they'll most likely go ahead anyway, until someone takes the fuckers to court, where they'll most likely employ the usual army of expensive briefs and "experts" to defend their position.

Maybe so but unlawful interception of communications is a criminal offence so there could be people at the top of these companies being arrested.

@Graham Wood 

By Jonathan
Posted Thursday 13th March 2008 11:19 GMT

True.

Although, I guess such an attack wouldn't be legal, and would probably lead to banned subscribers.

But, if the ISPs don't pull out because of negative press alone (and lost subscribers), I wouldn't be surprised if something like that were to arise.

@Stephen Baines

I'm very interested in cases like yours. As you say, you don't give permission for your conversations to be intercepted, so in order to be legal, BT Webwise would need to block your site to prevent interception. Something has got to give - I imagine BT's execs will realize it's too much of a nightmare to implement solely because of the interception.

Hopefully Phorm's stock will bottom out some more, and hopefully its founder will lose everything he ever invested (including a lot of time!), and will come away a little wiser.

Re: poisoning the database 

By Geoff Mackenzie
Posted Thursday 13th March 2008 11:35 GMT

I do a lot of automated web scraping (just for my own purposes; occasionally cheekily but I'm not a scumbag and don't hammer servers or peddle scraped data or grub around for email addresses - just thought I'd better be clear about that for starters!). I'm planning on tweaking this to poison Phorm's database; obviously my automated jobs don't say very much about my preferences and interests. I was thinking, add a couple of random fetcher jobs as well to occasionally fetch a random page and spider around a little. It might even be possible to switch the ID in the cookie now and then - with any luck you might hit someone else's ID and poison the records about them, too, although I'm less sure that this would work.

It's not foolproof of course - they could probably spot this easily enough if they were keen - but if a lot of people started doing this it could make their database relatively worthless. The same trick would also be a little irritation for doubleclick and the like.

I may hack together the random fetcher / spider / cookie poisoner as a standalone application and see if anyone else fancies chipping in a small amount of bandwidth to this 'project' at some point in the near future. To have any real power the poisoner would need to be running in several places. A kind of voluntary botnet. If it really caught on it could really dent this spy-ad industry.

Of course I can't really do that much about Phorm myself as I'm on Plusnet. I know they're owned by BT but Plusnet assure me they aren't involved in this (so good news for Plusnet customers out there assuming that's accurate).

Lawyers 

By Dominic (The Pimp) Connor
Posted Thursday 13th March 2008 11:37 GMT

I do know some big scary lawyers who do pro bono work.

But they need to think that there is a case, and that they can win, as well as concluding that this is a good use of their time.

RIPA is a good start, but if the ISPs change their T&Cs does it apply ?

I assume the reason for BT's silence is that someone senior has just realised they are doing this logging anyway, so why split the rake off with Phorm ?

Given that ISPs keep being pushed by the government to log web access, I can't see it as very hard for them to write scripts which use this data for commercial ends.

Something I'm not getting here... 

By Steve B
Posted Thursday 13th March 2008 11:56 GMT

Just had a look at their site and they reckon that they will replace ads with theirs, am I missing something? If someone has paid for an ad to go on a web page and it is replaced by a third party then it is like fly posting and surely breaching some law.

Meanwhile does this mean that all traffic has to go through this link? Tantamount to saying that all cars in the world have to go through the Dartford Tunnel on every journey?

I get more confused every day!

Apart from that there is another site that has a copyright notice from 2000 which grabs the trade mark Phorm (php-net); are they the same people?

Suddenly... 

By Anonymous Coward
Posted Thursday 13th March 2008 11:57 GMT
Paris Hilton

...being with Tiscali 'Cheap 'n' Cheerful' ISP doesn't seem so bad. I may suffer occasional 6pm slowdowns (usually having dinner anyway) and unintelligible customer support but I'm not being spied upon and my family and partner have no idea how much p0rn I actually look at... (One Night In...[pic])

Using email signatures to prohibit interception 

By Werner McGoole
Posted Thursday 13th March 2008 12:03 GMT
Go

I'd just like to point out that many existing email systems (especially business ones) already append a legal statement to each message along the lines of:

"This message is for the intended recipient only...

...if you receive it in error, you must not act on its contents...

...bla bla bla"

If such messages are being sent or received via an HTTP connection, they would potentially be intercepted by phorm's system. There is clearly no implied consent for others to read such messages - so that interception would be illegal. If you wanted to be sure, you could easily add an explicit statement to prohibit interception by ISPs.

Actually, I would suggest that everyone adds such a statement to their email signatures. It's an easy way of getting lots of prohibition statements into the system. It's also a good way of spreading the word about this problem, especially if you include a link to web sites like El Reg.

@Dominic 

By Alexander Hanff
Posted Thursday 13th March 2008 12:38 GMT

RIPA does apply as it requires consent from all parties, so the web host would have to give their consent as well. The Home Office have cast a shadow of doubt over whether Phorm breaches RIPA or not (probably unintentionally) by stating that there might be an argument for implied consent where expressed consent does not exist. Note how they say "may" and how they offset the interpretation of the law to the courts.

Of course the consequence of their statement for Phorm, is the acknowledgement that expressed terms which refuse consent by the web host would constitute a breach of RIPA should Phorm or an ISP intercept communications between themselves and their users.

See http://denyphorm.blogspot.com/ for details on a campaign I have started to encourage web site owners to express denied consent in Terms on their websites.

@Werner McGoole 

By Anonymous Coward
Posted Thursday 13th March 2008 12:47 GMT

I've always thought email signatures were pretty useless, perhaps until now.

I sent an email to Neil.Berkett (CEO of Virgin Media) complaining about Phorm.

I got a response which I read in webmail. The content was pretty useless, but his email signature may or may not have been something like the following:

------------------------------------------------------------------------------

Save Paper - Do you really need to print this e-mail?

Visit www.Vxxxxxxxxxa.com for more information, and more fun.

This email and any attachments are or may be confidential and legally privileged and are sent solely for the attention of the addressee(s). If you have received this email in error, please delete it from your system: its use, disclosure or copying is unauthorised. Statements and opinions expressed in this email may not represent those of Vxxxxx xxxxxa. Any representations or commitments in this email are subject to contract. Please note that we are migrating our email addresses to a company wide address of "@xxxxxxxxxxx.xx.xx". If you are sending to a Txxxxxxx or nxl email address your email will be re-directed.

Registered office: 1xx xxxx, xxxxx. Registered in England and Wales with number xxxx

==============================================================================

@Steve B 

By Iain
Posted Thursday 13th March 2008 12:53 GMT

They only replace the adverts on sites that have signed up to the service; if you run a site with Google Ads (for example) they're not going to steal your revenue stream.

The Phorm party line is that this is going to be wonderful for the user, because more targeted adverts will mean companies need to place fewer ads. Which says to me "companies are going to pay a premium for a Phorm-served ad".

At which point, automated reloading of Phorm-associated sites, frequent cookie recycling and similar techniques to poison the waterhole will be pretty effective in killing the whole process. Advertisers aren't completely stupid; they won't pay a premium if they're not seeing escalated returns for their money.

Here's another thought 

By TrishaD
Posted Thursday 13th March 2008 12:53 GMT

Having noticed the number of concerns from posters who like to look at a bit of p0rn and are therefore (legitimately) concerned about being swamped with ads for p0rn sites, here's another thought.....

If I have a habit of accessing sites about something mainstream like cars, PC equipment, or whatever, it's arguable (just) that having information about my browsing habits used to service me with ads for sites about cars, PCs etc etc is frightfully handy....

And were I a single chap living alone and somewhat fond of one handed reading material, I might find ads from p0rn sites quite agreeable.

Not so however if I were a married man and my wife (how embarrassing) or children (far far worse than embarrassing) were to access my PC and be exposed to such stuff.

I'm a transgendered person. That's not a life style, nor a sexual quirk, but simply a condition that I am not responsible for. I frequently access sites that are designed to provide advice, support, and information for people like me. However, were anyone to enter the word 'transgender' into any search engine such as Google and I can pretty much guarantee that a significant proportion of the sites listed in the search result will have titles like 'Thai Ladyboys' or 'Chix with Dix' or similar tasteful stuff. I have no interest in such things. As a libertarian I don't find them particularly offensive, but I don't want to see them.

So - this bunch of bottom-feeders not only have the potential to seriously impact my personal privacy (which, given my circumstances, is particularly important to me for obvious reasons), but also to bombard me with unsolicited material of a distasteful nature.

I believe that's called Spam

And I'm expected to pay an ISP to actively collude with that?

I don't think so.

Re: Phorm's anonymity is to 

By The Mole
Posted Thursday 13th March 2008 12:56 GMT

Warner I agree with you, but you are missing one point. This isn't just "personal data" we are talking about, as defined by the data protection act this is "sensitive personal data" as your surfing habits will reveal details such as sexuality (if you start looking at gay porn sites), trade union membership (must be some that don't use https to log you in), medical conditions/religious belief/ethnic origin/political opinion (if you subscribe or view regularly to a website about a particular condition/religion/ethnic origin/political party).

The requirement of the DPA is that explicit consent is required for processing of sensitive personal data, in my view automatic opt-in would therefore be unlawful even if they attempted to gain it by telling you their T&Cs have been updated - without positive action from the subscriber it can't be classed as explicit consent.

I'm sure there was some case recently 

By Shakje
Posted Thursday 13th March 2008 12:56 GMT

that showed that email disclaimers actually have no power in court.

virgin media have it 

By Anonymous Coward
Posted Thursday 13th March 2008 13:18 GMT
Unhappy

I have just spoken to Customer Services at Virgin Media and after being passed around to half a dozen different people I finally got someone to check and they tell me that it is already in place and I cannot opt out! The woman said to opt out I need to use firefox!?

Well I'm going to cancel and go with zen.

As a Website owner..... 

By vishal vashisht
Posted Thursday 13th March 2008 13:36 GMT
IT Angle

I don't really understand how this works 100% but will they be able to post adverts over any website?

If Phorm end up dumping adverts over my website when people access it, will I be able to invoice them for my going rate (which for them would be at least £1000/week)?

@AC 

By Jonathan
Posted Thursday 13th March 2008 13:49 GMT

I'm pretty sure that was just Customer Disservice being stupid. Because if they aren't, they lose any possibility that Phorm is legal under RIPA.

The thing is, as I see it, is if the customer is offered the choice, it could be argued that forms consent. If you don't, then they can't legally intercept your traffic. If I were you, I'd phone them up, ask to speak to a supervisor, and tell them that unless you are given the option to opt, you will a) switch to a different ISP, b) sue them. Hopefully such threats will jog their memory.

I'd also say that Phorm should have a bigger problem with websites. Now that website traffic can be intercepted, I imagine websites won't be too keen on the idea. Anything could be exposed, and Phorm has no right to intercept. As far as I understand RIPA, it requires consent from both parties, not just one.

Tinfoil hats? 

By George Johnson
Posted Thursday 13th March 2008 13:51 GMT
Stop

With all due apologies...

At first they came and only wanted me to accept adverts. I said nothing.

They came and only wanted to catch child-pornsters. I said nothing.

They came and only wanted to catch copyright criminals. I said nothing.

They came and only wanted to assure my safety. I still said nothing.

Finally there was only me left, I could say nothing.

If this gets in, where will it stop? This is merely the start of exactly what the MPAA/RIAA and the government's war on Internet filth merchants and terrorists, want. An easy way to track the habits of every internet user, what, where, how and why?! Fantastic! Adverts my arse! The adverts are a slightly easier way to sneak this nasty insidious tech in early for a far more nefarious purpose! Average Joe Public won't care about a bit of advertising being tailor-made to his preferences.

It has to be stopped now!

This did make me laugh though.

"Kent Ertegrul a guy that should have been imprisoned for his evil activities"..."before banging him up where he belongs"...

Hmmmm, very painful! However I'd derive great pleasure in watching it happen to that low life.

Wouldn't this be easy to scam? 

By Jonathan
Posted Thursday 13th March 2008 14:09 GMT

@Vishal Vashist

As far as I know, no. You would need to embed special javascript into your pages to make them fetch the phorm ads - the adverts won't be inserted unless you have agreed to it.

But that makes me wonder if the system can be abused. Say we get the script someone is thinking of writing, that makes random requests using random cookie IDs. And we change it to make random requests to a particular page hosting a Phorm advert, retrieve the URL that the Phorm advert leads to, and request it. Unless they have some other protection, this will net the website owner some cash. Done hundreds of times per second with multiple willing bots, and....

Even if the website is chosen without the owner's knowledge (ie the scripters are not in league with the site owner, and thus do not stand to benefit) they can create havoc as now Phorm needs to work out what is a legitimate request, and therefore eligible for money, and what is not.

Anyone else better than 8Mb? 

By Anonymous Coward
Posted Thursday 13th March 2008 14:09 GMT
Unhappy

Unfortunately I can't find anyone else that can match the 20Mb service I get with VM other than an expensive leased line, otherwise I would be off like a shot! But VM insist it is not in place or under trial yet.

Re: any legal eagles out there 

By Peter Fairbrother
Posted Thursday 13th March 2008 14:14 GMT

Will I do?

What Phorm and BT plan to do is interception, and it's an offense under section 1 of RIPA unless both the sender and intended recipient of a communication consent to its being intercepted. In practice this means both the user and the website owner have to consent, and that simply ain't going to happen.

All the "maybe"s in the Home Office guidance have already been discussed to death elsewhere, and a long time ago, with the general conclusion that none of them have any chance at all.

Simon Watkin, who has taken part in many of those same discussions, knows the consensus view well, and I simply can't understand why he'd give out such "maybe" advice - afaik almost no-one else thinks that any of these excuses have any chance whatsoever in Court.

Of course, while Simon is very good at words, and is to some extent good at the laws he's had written - though he didn't write RIPA itself - he's fairly darn clueless about the internet (and cryptography) in general.

I know Simon quite well, so I'm not going to suggest that he may have been bribed - I think he's a straight arrow as far as that might go - but he does seem to have been eating Phorm's PR cookies. :(

To recap: there are three possibilities which might make targeted online advertising, with the targeting being based on observing the target's webtraffic, lawful:

*First "maybe", that it's not interception because no "person" is involved if it's done by machine. That's nonsense, the ISP or Phorm is a "person" as far as the Act goes. In a very similar case, the ICO has said that automated virus scanning is interception (but legal interception under 3(3)). It is also contradictory to s.16. This "maybe" argument is garbage.

*Second "maybe", that it might be lawful interception under 3(3), which says interception is legal if it's done for the purposes of the telecommunications service, ie the transmission of communications.

This is how virus scanning is legal - your computer is considered to be part of the system when it is being used to communicate, and protecting it from viruses is necessary in order to ensure the communications get through. There is a similar, but weaker, argument for spam filtering being lawful under 3(3).

However Phorm/BT looking at your webtraffic is not done in order to help transmit your communications, it's done in order to target advertising, so this argument is garbage as well.

*Third "maybe", that it would be lawful interception if both parties consent to the interception - this is correct - but in practice it's almost impossible to get consent from both parties.

Getting consent doesn't mean that someone doesn't object - it means that both parties, the sender and the intended recipient, have actively consented to the interception.

For the user side T+C's won't do it, because the user will often not be the person who agreed to the T+C's, and also because such a term in the T+C's for a ISP service contract is almost certainly not enforceable.

Even getting express consent from individual users, as opposed to the owner of the connection, is problematical - suppose you want to allow a guest to use your account? The guest has not consented. You may well be partly responsible for the subsequent interception.

From the webhost side, getting consent - well, Phorm/BT would have to ask each website publisher. The "implied consent" in Simon's advice is consent to download, not to intercept, and there is no implied consent to download for many web pages anyway.

So, while it's not garbage, this "maybe" just isn't going to work - getting consent is just too hard to do.

@Jonathan 

By Alexander Hanff
Posted Thursday 13th March 2008 14:19 GMT
Thumb Down

That would be click fraud, which is illegal as far as I am aware.

Waiting for Eclipse confirmation... 

By Anonymous Coward
Posted Thursday 13th March 2008 14:29 GMT

... I'm waiting for written confirmation from Eclipse whether this is a twinkle in their eye or not.

Advertising @Jonathan & co 

By Anonymous Coward
Posted Thursday 13th March 2008 14:53 GMT
Boffin

Phorm will compete for advertising space on Websites under the name of Open Internet Exchange (OIX). To the website owner the only difference that they will see will be that, supposedly, there will be more clicks on the adverts displayed because they will be more accurately targeted at the end user, and therefore they will get more revenue. Phorm say that they will not carry adverts for pr0n, gambling, religion, etc. They claim that because adverts will be better targeted this will result in fewer 'irrelevant' adverts, or even fewer ads overall, as advertisers switch from high volume low cost advertising to low volume highly targeted advertising. I'm not so sure; if advertising generally becomes more effective then I would expect the amount of advertising to increase. But there we are, if it wasn't for the 'small' matter of them having to record and process every web page you access, the overall browsing experience would be pretty much the same. In fact my guess would be that hardly anyone would notice. Of course it would be very easy for Phorm to introduce pop-ups, pop-unders, and all the other intrusive advertising paraphernalia that seem increasingly to blight the web, but then again so could any other advertiser.

So the real issue is the interception of all your browsed pages by your ISP, and the possible abuse, accidental or deliberate, by Phorm or others, of the data and knowledge they have accumulated. In the UK there are laws

adverts on the net 

By Peter White
Posted Thursday 13th March 2008 15:08 GMT
Stop

With all the fraud and dodgy dealers on the net, who in their right mind is going to click on one of these adverts and actually buy anything? Very, very few people in their right minds.

It's a bit like the Nigerian 419 scam: pump enough ads and you will hook a few suckers.

The real test will come when people start buying from any of these ads and see if the goods turn up or, worse still, their card maxed out by fraudulent transactions.

Will the ISP or PHORM be giving any fraud protection from buying from any of these adverts?

Let me take a micro second to think and come up with a BIG FAT NO!!!

About Phorm, Optouts & Poisoning the Database 

By Parax
Posted Thursday 13th March 2008 15:09 GMT
Boffin

IMO Phorm are not going to give two hoots about the quality of data collected; they make their money from marketing people who believe that the ads are targeted, and hence pay premium rates. After all, marketing is all about perceptions and assumptions, not facts.

There will of course be revenue carved off to The ISP based on ads served by users, and of course to get around the DPA Legalities The ISP will Buy and run the Servers from Phorm (they will operate a maintenance agreement with Phorm) that way no data leaves the ISP as they own the kit, the servers will be connected to the net to retrieve and serve adverts and tell Phorm how much is served so the ISP gets paid. (Kent thinks this is ok as the data does not leave the ISP. I think this is bad because they are intercepting/injecting it all. No choice!) This setup does not take due regard of RIPA.

And unless the ISPs start offering free broadband I don't think anyone is going to want to be monitored like this without more benefit. Google deserve my data as they provide excellent service to me. Phorm do not serve me. (Not the right type of ads benefit! Sometimes I like odd ads; they remind me of other things. And what's wrong with car ads on car sites? - oh but he mainly looks at car sites but they are expensive so advertise on this cheaper news site he reads also..)

Today I will mainly be getting Phorm Ads, as it's been my priority this week, and fortunately my ISP is not even entertaining the idea. I love my 24mbit adsl2+. Thank you be*ings.

How's this for an idea? 

By Anonymous Coward
Posted Thursday 13th March 2008 15:18 GMT

You create a phishing copy of a site that is signed up to serve Phorm's advertisments, say, oooh off the top of my head FT.com. Now we know that the FT probably don't employ the same sort of protection as, for example, a bank so the phishing site will stay up longer. Now our baddies have a site where they can insert phoney ads saying

"ALERT ALERT WEBWISE IS OFF - CLICK HERE TO TURN ON"

and your average slack-jawed, pregnant, benefit drawing yokel that seems to be more and more common in this jewelled Isle is ripe to be served all sorts of nasty things.

Just an idea....

query to BT complaints, their reply and my reply back 

By Peter White
Posted Thursday 13th March 2008 15:21 GMT

Very long but the full story so far. I have left only the BT CS person's first name in and mine (as it is on my posts anyway).

The interesting one for me is you can permanently opt out by blocking the cookie (so Trend and co can safely remove the cookie without opting you back in), but will that show up in their stats as an opted-out user?

below are the emails

Chris,

Thanks for your reply

But You have failed to answer my question regarding if I opt out is my traffic s