Of course, if improvements can be negative then it's perfectly possible to consider the privacy improvement provided by Phorm. No other (known) ad provider examines your browsing habits in quite the same way. I can choose to block other ad providers by barring their cookies and filtering out their URLs, whereas with Phorm that only stops me seeing the results of their snooping, at least according the public information on how they do it.

The biggest April phool around here is Phorm!!

The sooner that crock of retarded Spyware merchants gets off our internets the better - i think right now Comcast seem to be a nicer ISP than BT

Phorm = Phail

Now that's a novel use of an illegal law re RIPA

Nice one again El Reg.

"At the time of this newly-revealed first trial, Stratis Scleparis was the chief technology officer of BT Retail. He hopped across to occupy the same position at Phorm in January 2007. BT has not addressed our question over whether it is comfortable with the role Scleparis has played in the deal."

That accounts for a lot, though it doesn't make matters any better on either side, arguably it makes them worse.

Major employers typically have a corporate policy on the recruitment of staff from suppliers, customers, etc. It isn't always necessary to rule out that kind of career move, but what is generally accepted as necessary is to rule out the possibility of dodgy dealings.

Ben Verwayeen, what is your company's policy on recruitment from suppliers and customers? What processes were followed in the case of Stratis Scleparis's career move? Is any corrective action necessary?

...Just don't use an ISP that has had anything to do with Phorm. There are enough others out there to choose from, and *not* using Phorm might even become a selling point.

If you are unlucky enough to be using BT you will probably appreciate the improved performance you will get from another ISP anyway.

Simply by being associated with this spyware company VMs image is already tarnished as they have exposed themselves as no different from the rest of the money grabbing corporates out there prepared to put profit before customer satisfaction... totally opposite as to how they want to be portrayed in the media.

But then I'm presuming Branson needs all the funds he can get to finance his white elephant galactic project.

My recent letter from VM clearly states they are currently progressing with an "opt-out" policy and that they will be as transparent "as possible" with their customers regarding this solution.

Can we or the Reg come up with a list of non-Phorm broadband suppliers so when we all need to jump ship, we already have decent info to hand?

(RIPA)

1 Unlawful interception

(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—

(a) a public postal service; or

(b) a public telecommunication system.

Firstly, given your reportage to date, I accept this is not an April Fool story ;)

The important point here is that BT deliberately sought to hide what it was doing. It cynically deceived its customers and was knowingly sailing close the wind in legal terms.

BT cannot be trusted to tell the truth. The company has lied about this issue consistently; why should we accept anything BT says now as true?

Furthermore, BT has shown no signs whatsoever of backing away from Phorm nor from the concept of traffic interception for commercial gain. At least both Carphone Whorehouse and Virgin seem to be re-evaluating their commitment to Phorm.

As to Kent (with a 'u') Ertugrul and his PR people's spin:

"We think it is unethical of the Register to seek to undermine a technology..."

Bloody gall! Pots and kettles. How *dare* they accuse anyone of being 'unethical'

"... that enhances online privacy..."

Bollocks! In fact, it does exactly the opposite as K(u)nt well knows.

"....Phorm's system ensures that ads are served with no data storage ..."

Storage is irrelevent, a red herring. You bastards are intending to intercept my packets and spy on me.

"... something that will benefit readers of the Register and other websites."

No it won't. Not in the slightest. Not in any way imaginable.

This whole sorry saga needs and deserves the widest possible media coverage. El Reg has done a sterling job so far but, sadly, ninety-five per cent of DSL-using Joe Public is technically illiterate and doesn't read The Register. A lot more coverage such as The Guardian's and the BBC's is needed to generate the deluge of complaint that BT so richly deserves; and wallet-voting by switching ISP is the best way to reinforce the point.

Phuck off, Phorm. Do not want.

"BT has said it plans to change its terms and conditions accordingly to comply with the law."

... and I for one look forward to NOT accepting the change.

So I'll just take my Mac (code), and leave.

There is already a list growing at http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?11

The deeper we get into this the worse it gets. Even I never saw this coming and until the end of the second page I was beginning to believe it might be a very clever April Fool but now I am left staggering.

I submitted a petition on the PM website on Friday evening to call for the PM to demand the Home Office initiate criminal proceedings against BT for the 2007 Trials which they recently admitted to and was shocked yesterday to find out it had been rejected for unfathomable reasons.

You can see the petition text and the email I got from the PM web team on the following link:

http://www.cableforum.co.uk/board/34518506-post1951.html

I am also currently investigating the possibility of filing for a High Court injunction to prevent Phorm technology being deployed in the UK with any of the 3 ISPs under RIPA; anyone who has any feedback they wish to give on that please contact me.

And in closing, Wow.

Alexander Hanff

PS.. You need a Gobsmacked icon ElReg

BT ran an experiment whereby it intercepted all web browsing to insert JavaScript into web pages, and god knows what else?

Did I read this right? 18,000 customers? Sorry I really can't believe this article Chris. You must have got something wrong. I can't believe a household name would stoop to such aruably criminal lows in the search of advertising revenues.

What are the implications? BT has been working with Phorm since 2006 we know from El Reg and The Guardian. Phuck me this seems really VERY serious...

It takes a Liberal Democrat to put forward a balanced view of the internet and to question the integrity of BT and the likes.

Just a shame they'll never get in, we're stuck with either Corrupt Cameron or Zombie Brown.

If only people would vote for parties that actually have some moral fibre and care more about the people that vote them in than the big companies that sponsor their campaigns and offer them silly money after they leave Parliament.

In light of the RIPA comments from legal experts, and even the offical gov advice suggests that this system will only be legal if users are opted in then I can't see how BT can fail to end up in court regarding this.

Any legal peeps around care to enlighten those of us who regularly have to use "IANAL"?

/Paris 'cus she knows about stickin' it up her...

"We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.

In the interests of balance, we would like the Register to reflect the improved privacy environment Phorm provides over the other major online ad targeting companies detailed in the attached table."

/end

You just cant make this up. El Reg being irresponsible by exposing a spyware scam to the Net? You know, attempting to portray your product in a positive light is one thing. This.... This is stupidity. This is from the mouth of Mr-I-Dont-Know-How-To-Do-PR (and my product sucks anyway).

Seriously, we have two options - have our internet usage monitored for the sake of advertising revenue we will never see, or.... Nothing. Or no monitoring. Which sounds like its a better deal for privacy? The jury is out on this one.

It still amazes me what people will do, and what they will convince themselves of, for the sake of money. This is a system that uses people like cattle to make more money for the ISPs and the advertisers by invading our privacy, and yet Phorm defends it as if it could cure AIDs and cancer. How? How can you not admit that your product is immoral at best, illegal at worst. How can that not make sense to you?

There must be one or two folk out there who "work from home". OK, a lot will have VPN connections, but not all.

Can somone from the cognoscenti please have a guess as to what the security implicaitons for a company and it's intellectual property are if one's outworkers are having their traffic intercepted to and from, say, internet and their company's internet accssible intranet sites (honest guv, we aren't actually reading anyfink)

Just wondered.

Jesus Kent's comments make me want to bitch slap his face.

Typically, the arrogance we expect from these parasites, they assume they have some god given right to our data in the same way that the ad boys seem to think its ok to up the volume in ad breaks (leading to a universal muting of ALL ad breaks in our household), the sad thing is they cant see they are WRONG.

From my reading in various places, side-stepping reasonable questions is standard practice for this company, just one more reason NOT to trust them. The fact that they have targetted the UK is significant given that Phorm pretty much have thier roots in the US, maybe they knew that was too big a market to try to fool first off with some very vocal privacy advocates - clearly the hope was to slip it under the radar here and then be able to point to its UK operations as proof of the "value" of this, and considering I have anti phishing in all my browsers Im still trying to work out how letting a proven malware provider anywhere near my traffic provides ME with any value.

THEY have undermined thier own "product" by secrecy and deception. Im sure if the Reg staffers were minded to do a "hatchet job" on Phorm this would have been far worse for them

Kreepy Kent can go Phormicate himself!

can BT customers demand to know (via freedom of information?) if they were within the trial that was not a trial but actually was and if they were can they then take legal action against BT and Phorm using RIPA as their consent was not given?

Phorm team, can you please answer the following questions which I've asked of you a few times.

If you don't store any browsing histories, how come the OIX website says:

"...For example, Travel advertisers will be able to target messages to anyone seeing the keywords "Paris holiday" either as a search or inside the text of any page with timing of three times in an hour..

...Advertisers create customised channels using behavioural keywords - keywords derived from searches, URLs, and contextual analysis of pages visited, with recency and frequency"

In order to know the frequency someone visits a page you are going to have to record the URL's visited against their profile complete with a list of times they visited it too, so you can tell if they visited it in the three hour example mentioned above.

So how does your system know what time a page is visited and the amount of times a page is visited by someone if it doesn't actually store the URL of the page?

Many sites have Terms & Conditions which explicitly deny data mining, extraction etc. of their content. Many of these sites are also copyrighted.

Bearing in mind that some ISP's are in talks to crackdown on copyright theft (Virgin & the BPI) and it seems to be another big thing at the moment, could yourselves or the ISP's installing your system be held accountable for copyright theft? It could be argued that you are profiting by mining this copyrighted data which doesn't belong to you or the person viewing the page to build your profiles.

If I was to own or have a website then I certainly wouldn't give you permission to mine my content so you can profit from it.

Finally, can you guarantee that the data your systems hold or process will NEVER be able to identify a living person by any means whatsover?

If so, how?

Thanks Phorm - Phanks!

Since the majority of ISP's are provisioned through BT Wholesale, and since they clearly have truth issues, what are the chances that, since all the data will have to through through BT exchanges and BT infrastructure to go via the ISP that all that will be profiled by Phorm too?

Just a thought, I'm not sure of the technical aspects as I've never worked for an ISP.

So BT ran a trial which involved intercepting the communications of 18,000 customers, and gifted the information that was intercepted to a third party adware/spyware provider without even seeking consent?

Someone in BT and Phorm needs to spend time in prison to think this over.

Its just appalling.

If Virgin have done this, I'll be joining Alexander in demanding prosecutions against them too.

Phorms claims not to identify users are obviously false. Their cookie is named 'UID', abbreviation for User Identifier... ie an identifier for a user. And the claim they don't store anything... of course they do... its called a profile and its linked to a specific user via a user id.

Their note must be an April fools day gag.

It's not The Register who is stirring the negative sentiment against you. It's US, free citizens, who prefer NOT to be profiled. Bollocks to your excuses, to your reasoning; you are trying to make money off my browsing habits, you pay ME, not my ISP. The cheek...

Here's to a nice fat lawsuit against BT and Phorm for breaching RIPA in 2006.

The article states "BT has said it plans to change its terms and conditions accordingly to comply with the law".

Can a customer refuse to accept the change and therefore terminate their contract and move to another ISP ? I'd move if someone could confirm. I'm not sure Zen Internet could cope with the demand though :(

Given the potential breach in law that has ocurred in 2006 where you could allege a wire tapping offence took place against 18,000 customers. Would it not make sense for some good lawyer type to effect a UK equivalent high class action case on behalf of those 18,000 people?

There are more opportunities to make money for these people in suing BT than BT will make in the first year of operation of this insidious tool.

Failing that all it will take is for one single victim to lodge a police complaint for alleged wire tapping offences to threaten this entire house of cards.

I have never used BT so sadly it could not be me, otherwise Mr Plod would get a visit this afternoon (seriously).

Somewhere our rights need to be honoured and somewhere people need to make a stand. why not here?

Paris, because she knows money when she sees it.

How the hell can Phorm dare to lecture anyone after being dumped by The Guardian for a lack of values? We're talking about a company which has behaved unethically, unprofessionally and dishonestly.

I'm stunned at the revelation that "That means all 18,000 test subjects were always opted-in without their knowledge."

I always expected the unacceptable from BT but this leaves me stunned. There's often some degree of vested interests and old boys' network in business but this is obscene.

Please please keep on them and don't let them fob you off. If they hadn't broken the law they would certainly be quick to say so. If they have broken the law then someone should be prosecuted for it - why should they get away with it? Please keep on them and don't take a sidestep for an answer.

In the reports of people being arrested because someone thought their mobile phone or whatever was a gun and similar stories the police always say they have a duty to investigate complaints.

Maybe someone based in the UK could call the police and make a complaint against BT. I recall someone already trying but if enough people did so then it might get a bit further.

Similarly with the petition on the PM website especially in light of the 2006 trials.

I..*shudder*.. went to the Phorce, erm Phorm website, had a luck at their press releases. It's amazing that El Reg has probably had more stories on this item than any other news site/paper, yet isn't mentioned once as a source for their Press Archive. In fact all the sources given are basically that sites rehash of the Phorm press releases and some even seem to think its A GOOD THING! IT ISN'T! Makes me worry about the sanity of the "tech" writers for these other sites!Or rather, wonder how much they are being paid!?

It all boils down to what is relevant to the users interests. Or rather, what shit Pharce is trying to make relevant for them. Nothing like burying your head in the sand up to your arse eh Phorm? Hoping the opponents to this "innovation" will go away? Not while there is movement in the fingers of El Reg and it's readers!

Phorm really are quite the arrogant bunch. First they say they are going to education Sir Tim Berners Lee on the benefits of their system and now they complain about El Reg coverage of all this.

Newsflash for you Phorm. You along with BT have broken RIPA. You have lied countless times. Even your PR team couldnt be honest and initially registered on the cableforum website as PhormTechTeam. You lack credibility and even the tiniest semblence of honesty. We dont believe you. We dont want your spyware. Go away.

No, Freedom of Information Act only covers the public sector (and not even all of that). You could however send a Subject Access Request (Data Protection Act) accompanied with a £10 cheque or postal order asking if you were involved with the trials. You need to send the request to the BT Data Controller and I recommend you send it by registered post and print off the delivery notification from the Royal Mail website. They have 40 calendar days to comply with the request before they are in breach of the regulations at which point you can either contact ICO with a formal complaint -or- if you can prove damage you can initiate civil proceedings against them in the county court.

@Mr Jolly

Wonder whether we can apply the 3 strikes to an ISP? E.g. three random customers each download an illegal mp3 via http.. Each has only one "strike", but phorm has three - can we therefore demand that they get unplugged? ;)

@Damian Gabriel Moran

The FoIA applies to government bodies, not private companies. However, under the Data Protection Act, you should be able to find out if you were within that trial, since they really should still have those records - there's an administrative fee associated with it, but it has to be "reasonable".

@Fluffykins

To some extent they may be protected by your lack of encryption... It's not illegal to hear something that people say in public if they shout it really loud ;) However, the RIPA doesn't seem to see an internet pipe as a "public place", so it probably isn't covered. No company should be using http/html for remote working without the "s".

@Daniel Wilkie

There's another article on the reg (can't remember the title at the moment) that includes details of how the infrastructure works. Effectively the data passes through a very small part of the BT network (from a data point of view, rather than physical), and goes immediately out on a dedicated pipe to the ISP. Therefore unless BT are putting the phorm stuff within that small section, it's not relevant... If they DO put it there, then they are likely to be really hammered by the other ISPs. If nothing else, they're increasing the data flowing over the pipe and that's what the other ISPs end up paying for...

http://www.btplc.com/Thegroup/Companyprofile/Ourcodesofethics/codeofethics.htm

Based on their actions, maybe it should say "this space intentionally blank" but what it does say includes:

"The Chief Executive Officer, Group Finance Director, the Director Group Financial Control & Treasury, direct reports to the Group Finance Director and the lines of business Finance Directors will:

* act with honesty and integrity, including ethically handling actual or apparent conflicts of interest between their personal relationships or financial or commercial interests and their responsibilities to BT;

* promote full, fair, accurate, timely and understandable disclosure in all reports and documents that BT files with, or submits to, the U.S. Securities and Exchange Commission or otherwise makes public;

* comply with all laws, rules and regulations applicable to BT and to its relationship with its shareholders;

* report known or suspected violations of this code of ethics promptly to the Chairman of the Audit Committee; and

* ensure that their actions comply not only with the letter but the spirit of this code of ethics and foster a culture in which BT operates in compliance with the law and BT's policies."

Etc,

Ben, how does the Phorm work fit this ethical policy?

In particular, what about "ethically handling actual or apparent conflicts of interest between their personal relationships or financial or commercial interests and their responsibilities to BT;"?

How does Stratis's career move (which BT and Phorm presumably knew about when BT started trialling Phorm) line up with your ethical policy?

The public want to know. In particular, your longsuffering stakeholders (employees and shareholders) want to know.

I am the one who tried to report the 2007 trials to Scotland Yard but they refused to issue a crime reference number because I was unable to provide them with an exact date and place where the criminal act took place (as I am not a BT customer nor ever will be).

So yes, we need criminal proceedings to be initiated which is why I have just refiled the petition on the PMs website with the news of the 2006 trials and again asking the PM to demand the Home Office start proceedings.

I have also started a facebook group to help publicise it here:

http://www.facebook.com/group.php?gid=12430966276

(And no I don't need lecturing on the privacy issues surrounding Facebook but thanks anyway).

Anybody seriously wish that chemical neutering was legal practice?

Someone with such questionable moral values to actually BELIEVE that this is, in any way, acceptable, legal, or even required, should not be put in charge of impressionable people, their own or anyone elses.

I worry about the state of society.

Phorm say:

We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.

I say:

This rather intemperate response means they are rattled.

Keep up the pressure, El Reg, BadPhorm, DePhormation, and everybody else who cares about this.

And if you need further encouragement, read:

http://www.thespoof.com/editorials/index.cfm?eID=2564

for a perhaps insufficiently satirical look at where this will all end up if we don't keep up the pressure....

But I am sure we can. And I sincerely hope Kent Ertugrul's phlight back to the USA goes from Terminal 5.

Paris, because her baggage will always follow her around, no matter what

Surely the owners of websites surfed to by the guinea pigs were also victims of interception? I guess you'd have a hard time proving (unless your logs go back that far), so just to make it easier, can we use the same formula's the recording industry uses to calculate damages to work out how much BT must pay ;-) ?

Well done Chris & El Reg, real Watergate stuff - or should I say 'Phormgate'. Lets just keep focused on BT and the other ISPs who are the principal villains of this piece.

Are criminal trials for the potentially millions of counts of breaches of RIPA in both 2006 and 2007. How many webpages do you think 18000 people visited over that 2006 trial period?

Good luck with the injunction; I think it's the only sensible way to stop this.

As for the No.10 petitions route, does any reader have a single example of this tactic working (i.e. our beloved leaders - past and present - actually taking any notice)?

You know, being democratic?

No?

I thought so.

El Reg - keep it up.

<..>UK equivalent high class action case on behalf of those 18,000 people?<...>

They shouldn't have to. Breach of RIPA is a criminal act not a civil one.

Either BT & Phorm have committed a criminal act or they have not. My reading of RIPA say's they have. Time for HMG to step up.

Dear HMG Home Office,

I recently received details of your new initiative to create new legitimate business opportunities in the hi-tech sector, namely in the Data Raping arena, and I'd like to register my company's interest in the scheme.

I own a conglomerate of small enterprises specialising in niche revenue opportunities. By profiling anonymous individuals we can identify those of high net worth whom we can target our product at. Out main product being simple letters offering our services, our main service being NOT writing to the press about profiles showing interest in our sister business selling a large range of man-on-man video materials.

We also have ties to a large network of software developers who are keen to install 3rd party "applications" on our data-raping hardware. Many of these are enterprising individuals whom I'm sure will find great ways to increase revenue once we have total control over users data streams.

Thank you for your interest,

Frances James "Jimbo" Gunn

Writer, TheSpoof.com

http://www.thespoof.com/search.cfm?writer=7138

look at the link

http://www.ispreview.co.uk/talk/showthread.php?p=199729

it shows how a dubious website can opt you in without your knowledge, using standard cross site request forgery techniques

so if you visit a site it can put an opt in cookie on your pc without your knowledge

then it is down to whether webwise process the opt out or opt in cookie first

hmm looking more dubious and less secure all the time

what we need is a central location to keep all the issues, websites, email addresses and places to write to, to complain so we can maximise and co-ordiate everything against phorm, is anyone aware of a site or blog like this?

we also need standard letters that list the issue we are complaining about to the relevant recipient of the complaint,

one to each of the following

ISP

to register your position on phorm and specifically remove permission for them to profile your data or pass it via profiler

info commisioner

to register a complaint with regards to BT, VM, TT and Phorm potentially breaking RIPA and the DPA, even if the user opts in

MP

general complaint, plus info on their comms to constituants and researchers web activity being profiled if using one of the 3 ISP's etc

home secretary

as it involves BT's breach of RIPA last year during trails of webwise, and potential breaches of RIPA and DPA in the future, and possibly the national security implications of governmet officials web activities being profiled etc

MEP

as it could involve european law, in particular human rights act, as right to privacy would be infringed

local press

make more people aware of the potential issues

bbc watchdog

as local press but more national coverage

have i missed anything??

Look, there's no point in messing about with online petitions. If you are a BT customer and believe your traffic may have been intercepted, contact the Computer Crime Unit of your local police force. For example, if you live in London:

http://www.met.police.uk/computercrime/index.htm#hacking

Of course you will first need to provide evidence that your traffic has indeed been intercepted.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

Surely they could have claimed that they would have loved to reveal where the mugs came from, but they don't hold sufficient information to be able to identify the source?

.. of course.

It suggests that the "opt out" for major search engines is "deeply embedded". However, anyone who has an anti-malware package on their PC (or otherwise knows how to delete cookies) can "opt out" by preventing the storage of the tracking cookies needed by the other ad-targeting engines to work.

Since the Phorm system is IP-address keyed, and occurs in the network, there is no way to opt out of tracking.

So the BT Retail CTO organises secret (and illegal!) trials using their customer's data, in conjunction with a notorious spyware outfit, and between them they perfect a scheme that they think they can get away with. Then when they think they might make a packet, he jumps ship to be CTO of the very company he has been sweethearting at BT's expense, leaving BT to carry the can if the legal implications blow up in their face (as they are doing). Nice move, but would you buy a used car from this man? Makes Nick Leeson look like an amateur!

I was one of the people who was entered into the parasitic trial without consent.

I am utterly appalled that the number of other people who also "wiretapped".

This is a disgusting abuse of trust and faith.

What I find most appalling that despite several emails to and from BT Directors I have still not received an apology, just belated confirmation that a test did take place despite being told at the time that there was no such thing happening.

In the words of the mighty Tony Harrison: "It's an Outrage!"

BT, looks like the sh17 is about to hit the Phan!

DO.

NOT.

WANT.

...looks like we'll be seeing BT + Phorm in the dock then!

BT having someone listen in to all your calls, taking notes - in case, say, you ask dear old dad what kind of garden shed you should buy? So they can inundate you with adverts for garden centres? I'm sure if that was forwarded as a legitimate business plan it'd get laughed out the office due to being incredibly illegal...

Plus what is the security ramifications? Like online banking? They intercept your username and password, and which memorable information selections you made? Credit card details entered in online shops? Chat text on MSN et al? Could divulge all sorts of snippets on there... OK it is encrypted but that's not the same as "100% safe" is it. And if it is recorded you've got all the time you need to crack it.

Ghastly situation, someone needs a right kicking over this.

Anyone tried em?

I'm meant to accept that because websites can see some of my data if I choose to visit them, a service that sees almost all of my data even if choose not to use it is tickety boo. This, I have 'reservations' over.

However, I must say I'm impressed that Phorm is able to offer a time-travel service in offering the ability to undo previous participation. That is something that Google is sorely lacking.

Furthermore, the magic power that means data held by Phorm can never be accidentally or maliciously disclosed is in contrast to every single data-holding device ever made ever. So credit where it's due.

If you were one of those involved in the secret trials either last summer or in 2006 then please make an official complaint to the Computer Crime Unit of the Metropolitan Police citing Regulation of Investigatory Powers Act 2000.

if you are open to that possibility but need help drafting a letter then I am sure many would volunteer to help you. One place you may be able to get help is from the members of the cableforum website where there is already a thread regarding phorm which is fastly approaching the 2000 posts mark.

"We think it is unethical of the Register..." Good God. This reminds me of the angry rantings of a dying villain in a Western or samurai flick. As the end approaches all pretense at civility disappears. Such as it was. Phorm Tech Team's sunny, cheery, one-of-you-guys attitude always reminded me of Doctor Pal from South Park. "We're very concerned about your concerns and we'd like to explain to you exactly how our technology enhances your privacy, so first off how about we take off our shirts and kiss?"

These are not just people with a bad product. These are bad people.

One minute it is a random number, the next minute it is a by definition non-random UID. One minute the system stores browsing data for 6 months, the next minute there is no data storage. One minute it is user profiles may be transferred to ISPs in other countries, the next minute it is no data leaves the ISPs network. We don't have servers in China (well, now... after you busted us). We voluntarily left the adware business (before various privacy/security orgs and US agencies caught up with us over the spyware/rootkit software we developed and distributed). This is a privacy story! Well, except for those we illegally snooped on in trials and anyone who is foolish enough to use an ISP that partners with us.

Firstly I find it depressing that the likes of MP's like Alistair Burnham (Muppet) will bang on about P2P file sharing and back proposed "3 STRIKES & OUT DSL CUT OFF PROPOSALS" yet MP's will most likely not even batter an eye lid over BT's blatent BREAKING OF THE LAW!

Secondly I am appalled that the TELCO/ISP that should be setting an example for the rest are using the public like pawns in a casual game of chess. This is an attack on our civil rights and since they have already "formally admitted" this act will any legal action be taken? Is it now ok to break the law?

Next BT will be setting up fraudulent phishing sites and passing it for security enhancement procedures!

Dirty Bastards!

Great job Reg!

the smoke, mirrors, spin and finally BS have failed, now they are down to the bottom of the barrel with trying to make El Reg appear worse than them!!

news for you Phorm not a hope in hell

about time you gave up and went back to punting spyware and crudware

and we will block that as well

It wouldn't require a dubious website, you could for example be opted in remotely by a post in a forum that allows images to be posted.

The problem is that just the act of navigating to the webwise opt-in URL deletes the opt-out cookie and retrieves an opt-in cookie with a unique ID.

There is no security to break. Neither is it a browser flaw. If your browser opens the opt-in url, you are opted in, that's all there is to it.

This means that a webpage could use perfectly standard HTML to opt you in.

For example a hidden image

<img height=1 width=1 src="http://a.webwise.net/services/OO?op=in">

or

an invisible iframe

<iframe src="http://a.webwise.net/services/OO?op=in" FRAMEBORDER=0 SCROLLING=NO height=1 width=1 ></iframe>

You should realise that all the opt-out does is store an "OPTED-OUT" webwise.net cookie on you PC.

Now browsers don't allow cross-domain access to cookies for security reasons, so in order for phorm's system to check if you are opted out, your TCP stream would still have to be modified to trick it into accessing the webwise.net domain and sending the opt-out cookie.

I don't know what the legal standing is, but in my opinion that is still interception.

Another issue with opt-out cookies is anyone with access to your PC such as your children could opt you in, it should be down to the account holder to choose after verifying their identity.

In my opinion a cookie based opt-out is totally worthless, perhaps even Phorm didn't think it was worth making it secure?

Joke alert, because a cookie based opt-out is a joke.

Actually,

Google have released several time travelling services...

http://mail.google.com/mail/help/customtime/index.html

http://www.google.com.au/intl/en/gday/index.html

/Mine's the one with the mirror shades in the pocket, next to the mr fusion

For the link to the BadPhorm site earlier on in this thread. I'll transcribe and post the contents of the letter I received from VM regarding Phorm later today on the forum.

Big thanks to all concerned who showed BT up to be liars and unworthy of being capable of securely handling peoples data. We will see how toothless OFCOM really are ,this is a criminal case and people should face jail for knowingly allowing this to happen.

I am not a BT customer and never will be now, but i would suggest all people who are, demand a refund ,and the ability to leave the company with no financial penalties.......You are not guinea pigs and you should receive recompense for being treat in such a way.

Its unbelievable that they would lie to customers who had genuine concerns at the time that there business's were being put at risk.I would like to see this taken through the courts and an end put to this holier than though attitude many people have in this country to data protection.BT have proven themselves unworthy of our trust and should be severely spanked where it hurts........in the shareholders pockets !!!!!!

If i understand it correctly in that advertisers are paying phorm to deliver their ads, Then what is needed is a list of the companies that are advertising using phorm. If enough people avoid these companies and go elsewhere they will hopefully get the message and not use Phorm.

...trust their data with a company called Phorm no matter what the circumstance? The whole use of "Ph" in place of "F" to make the same sound stinks of script kiddie cowboy naming to me. I half expect their press releases to say "lol h1 m8s w3 ar3 teh l33t ph0rm hax0rs p1mp1ng j00r d4t4".

Even if they were a professional data backup company and I needed a backup solution the name alone would put me off because it just stinks of unprofessionality. What makes our ISPs think I'd be happy to be forced into using such a company when I wouldn't even volunteer to them? If they can't even show a decent level of maturity and professionalism in deciding a company name then they can't exactly be trusted to be mature enough to manage personal data.

I'd just add one more to that list.

Every site signed up to the OIX

(Come on El Reg...surely you can get a copy of that list).

Just a quick email to them to say that whilst there is any possiblity that they're part of the OIX (and hence in league with Phorm et al) you will not use their products or services.

I know it won't stop Phorm snooping but it'll certainly hurt them where it counts - in the pocket as their clients start pulling out (Let The Guardian' be just the first)

Fighting snooping with a flamethrower.

Can I suggest to BT that they email all the users who where effected by this trial in July of 2007 to avoid being flooded by Data Subject Access Requests.

With regard to the trial, I live in the Midlands and was one of the people who was spied upon, I understand that another exchange in the south was also pimping data, I would like to know which other exchanges were effected and which version of the PHORM was being used. No doubt PHORM have cleaned up their code since then and hence are more in line with the UK legal requirements, however this does not preclude the version of PHORM where they can "see all the internet".

Given that when BT trialed the service they were looking specifically for EGG and Recruitment sites customers it suggests they were after people with money to spend and wanted to obtain their carreer details.

That BT Privacy policy of that time forbaded access to third parties, I would like to know how BT sees PHORM and THELATHE as not being third parties, further given PHORM's malware history, BT could have shared this clearly sensative information.

by _quote_ "BT has said it plans to change its terms and conditions accordingly to comply with the law". _unquote_

Surely the reciprocal of that is that by needing the opt-in BT accepts that what they have already done is not legal?

Reg has undermined their data pimping shenanigans and the Reg is at fault for not pointing out the benefits of a data pimping system.

EH?????

But consider me to understand both sides of the argument in your coverage of the phorm debacle, I do feel you are being middle ground on this, middle ground as you can given only the NONE guilty come freely to an interview and those with stuff to hide issue statements and keep quiet.

Phorm need to grow up.

And why isn't someone making BT give out who were the 18000. I have an egg card and I will have been using that web site so I could be involved.

The thing that gets on my goat... WHY TEST A FINANCIAL SITE IF THEY AREN'T BOTHERING WITH FINANCIAL INFORMATION. Egg do nothing but financial so you would think avoid that at all costs. Lunacy.

Someone has to go to jail for this, how many laws were broken, 18000? surely 1 day for each offence? :)

...but this is fat cat britain and chief execs get away with it.

I await new T&Cs so I can tell BT where to go.

/rant

"In the interests of balance, we would like the Register to reflect the improved privacy environment Phorm provides over the other major online ad targeting companies detailed in the attached table."

I find myself agreeing with Phorm here. Shock. Horror.

When I look at the data which FrontPorch claim to collect and are already collecting when the UK users of the free Hotspots click the Accept button on the T&C when they logon, then Phorm are making a point.

As long a FrontPorch and NebuAd (any HSBC Premium users - USA only? - out there looked at the T&C when they login free?), et al stay with users having to accept terms each time they logon, then I can only say that 'user beware' should be the rule. As they all operate on a 'no cookie' and data packet 'script injection' model you only know what is happening when you read the terms or see the ads.

Does anyone know who the UK ISPs are that are signed up to the services offered by these other ad/spyware providers.

However, so far, the UK users of these other ad networks systems have the choice of using the connection or not using the connection. If they don't accept the terms then they don't get connected. Simple.

Why can't Phorm / BT / VM / TT get the message that anyone who does not want the system should have the option of not being connected?

In the US, is Virgin Media being open with its cellphone customers who are selling their soul in exchange for all those free minutes for viewing adverts? - targeted at 14 - 24 year-olds.

A flame - because the more I read about how this 'technology' is spreading around the world, the hotter I get.

Maybe, if the VCs of this world put their money into real property developments, ethical mortgage suppliers and educating farmers on protecting their soil and water resources rather than virtual money generating machines, the world economy would be balanced more on the 'fair' side.

I see all those lovely blue BUYs are turning into red SELLs. No comments on the PHRM discussion so the shorters must be looking to make some more money on this news before the herds hear about it.

"one of the aims of the validation was not to affect their experience"... correct, it was to affect their spending habits.

"18000" individually distinct instances of a breach of RIPA, lets hope the sentences run consecutively.

"BT claims that when it launches, Phorm's technology will be legal" and by the powers of logical deduction are admitting that they knew damned well that it wasn't legal at the time, since the launch still hasn't happened.

"to avoid any perception that their system is a virus, malware or spyware"... not to prove it isn't, but to make people perceive that it isn't, or in other words, as we all well know... IT IS, all of the above.

"firing 'a revolution in online privacy'"... mmm yes, there again, Phormally one could also call it a 'firing squad against privacy'.

And PHINALLY... it was NOT "El Reg" who sought to undermine this bastard child of manipulative advertising, it was we, the users, your target audience, in our tidal wave of venomous responses to your actions, your intentions and your abuse of our bandwidth... We don't view El Reg for a source of bullsh*t and spin, we seek the balanced, fair and open journalism that we have come to expect (well, that and lots of articles about Ms Hilton). You C**NTS chose to lie, to us, to government - even ti yourselves. At least Paris is honest about being a bit loose with her honour.

...sorry about that, I think I'd better go and have a little lie down.

And NO that doesn't mean I want to see an advert for Slumberger or Silent Night. I'll just hang my dressing gown up.

Give it up, despite your protests this has to be an April fool right, I mean a large organisation like BT wouldn’t possibly intercept traffic without notifying it's customers and they certainly wouldn’t allow one of their upper echelon staff to enter into negotiations with a company, set up a sweet deal and then move to said company?

Good one El Reg but it really is time to give it up, this can't possibly be true............. Can it?

> No doubt PHORM have cleaned up their code since then and hence are more in

> line with the UK legal requirements

But that's just the problem. Software is notoriously hard to validate and police. It's what Phorm and their PR teams just don't get. It doesn't matter how careful they are with data, and many safeguards they *say* are in their software.

It's illegal to intercept a communications stream without permission from both ends of the communication. It has to be - otherwise you have a situation where some companies are deemed "good" and are allowed access to intercept, whilst others are deemed "bad" and aren't. But who will police this over time? Who will regulate this? Is it worth setting up a regulatory body capable of daily oversight? Probably not - therefore intercept is banned end of.

What the "secret" trials do is avoid the contested legal area on whether consent of a website can be assumed. In these secret trials, even the end user didn't consent, so plain and simple case one would hope.

"Phorm itself emphasises that it is firing "a revolution in online privacy" and that consent is a key part of its proposition"

Bollocks! But we are served a lot of that these days!

I WILL leave Virgin if they trial me or adopt Phorm.

Considering the noise that that beacon of impartial news reportage - the BBC, made over the government losing customer data recently it is interesting that the "technology" news, or should I say the "always very much out of date technology news" finds this story : un-newsworthy.

As well as BT needing an executive to talk to El Reg and the police, I can see them needing one to face a House of Commons Select Committee. This sort of behaviour harms the country’s economy. What other EU country is going to want to do electronic business with us, if we’re the EU country known for having an untrustworthy Internet infrastructure. It’s harmful in the same way that Northern Rock has been. Stratis Scleparis should get the same bollocking that Adam Applegarth got.

The whole point is that if the software was as they cry "anonymous" then why do it behind our backs. BT have admitted that they allowed what they agreed at the time to be malware to profile, "diety of your choice" knows what and where the profiled data went afterwards.

Why are the goverment sitting on their thumbs on this? This is a clear case of an illegal wiretap and needs a criminal investigation.

http://www.publications.parliament.uk/pa/ld/ldcumlst.htm

search the page for the Earl of Northesk. He has asked the government to clarify what they are doing about Phorm.

Good on him!!

1.) The BBC hate us. They think the IT community and El Reg are a bunch of fist-thumping alarmist conspiracists and have been ignoring our pleas for weeks and the first story they put up about Phorm was a "good news - Phorm are great"

2.) See point 1.)

HOWEVER... Word on the grapevine is that a mainstream TV channel will cover a Phorm-related topic this week.

Seriously.

How does one go about it? No use calling the local plod.

It's clear to me and others the law has been broken.

Just let me know when they've all been banged up in gaol.

at BT's T&C's and point 22 is quite amusing:

Using the service

You must not use the service or allow the service to be used:

in any way which breaks any law or the conditions of any licence or rights of others.

So by the terms and conditions I cannot allow the service to be used in any way which breaks the law?

BT could have just added a proxy service for all their customers to ensure they didn't hit unwanted pages. They could have applied this to any traffic from a customer's IP address, allowing the customer to specify if they wanted filtering, paying a fee to cover the service.

But, no, BT have decided to ally themselves with Phorm to generate revenue by underhand methods, perhaps thinking that their customers wouldn't willingly pay for the filtering service in the first place. Well, BT, if you had actually consulted your customers, I think you would find that most customers with children would happily pay a small monthly fee to filter their connection to ensure their children were safe on the internet, giving you the revenue strem that you seek.

I for one will be ensuring that I stick with an ISP that doesn't employ this technology.

in a world of ambiguity, this is a rare situation: the problem is very obvious, and very simple.

if you do ANY work-related activity at home, the confidentiality that is usually assumed in employer/employee communication is broken, if your or your employer's packets pass through Phorm's "service", no matter how briefly, retained or not. same applies to any communication confidential to you or any other parties (financial, medical, personal...).

whoever thought this was a great value-add (BT's CTO? i would take my business elsewhere on that basis ALONE), has ABSOLUTELY NO UNDERSTANDING of how communications links are used. maybe BTCTO was hypnotized by the "shiny" (which makes him a dweeb, technically, as no true geek would fail to see the bright "biohazard" stickers covering every surface of this idea).

or maybe he's just stupid and/or greedy (seems rather likely, but i'm cynical, and have dealt with far too many C-level officers).

I am even more glad that I have just left BT internet now.

If I've understood the article correctly, then this time BT are going to make this new trial an open one. This SHOULD allow people to opt out of the trial.

So, if you know anyone who uses BT as their ISP, then point them to the artices on Phorm here & elsewhere & suggest that they say no thanks if they're made part of the trial.

10,000 users saying no should drive the point home. :)

"We think it is unethical of the Register to ..."

Sounds like a scientologicalistical double-curve counterattack to me. Accuse your accusors of precisely what they are accusing you of.

Are there any known links between Phorm and Scientology, "the most ethical organization on earth" (except when their moles are stealing government records)???

As for violating RIPA, seems to me that the executive officers and directors of both Phorm and BT need to do some serious jail time. Nothing else will draw their attention to the criminality of their actions. Something like having to hit a mule with a 2x4 to get its attention.

A hefty fine in the tens of millions (pick your currency) would add a certain piquancy to the proceedings.

Note: not criminal conviction of the corporations, but of those controlling them. Big diff.

Why is there no L. Ron Hubbard icon? I had to use someone else with a fake halo as a substitute. (That is Ballmer, no?)

From the article:-

"The early iteration inserted JavaScript ..."

So they inserted program code into a computer system without authorisation and which would be executed without the users (or owners) knowledge?

That would be a virus - if I did it to either BT or Phorm you can bet it would be considered a section 3 breach - and I think that can carry up to 2 years.

It would take a braver man than I to talk to the pigs though, assuming you made it through without either a beating or a court appearance they wouldn't understand anyway.

Good heavens! I just tried to have a look at the link Cris posted to http://www.badphorm.co.uk/

However, I'm using the Defence Fixed Telecommunications Service, which tells me: "The page or file you have requested has content which is not allowed according to MoD Security Policy...

Served By: [redacted].igs.r.mil.uk/10

Request: GET http://www.badphorm.co.uk/ HTTP/1.0

01/Apr/2008:17:03:01 +0100 "

Furthermore it says: "Delivering DFTS - DE&S and [wait for it....] BT".

Maybe .mil.uk have blocked anything with the word "Phorm" in it to prevent all their secret web browsing habits being profiled by Phorm?

I am on VM and I am now running tcpdump and wireshark and dumping all packets to file now. If anyone is going to the plod about this then you will need hard evidence, or at least something that looks like it. Perhaps a letter from bt stating that you were part of a trial (that didn't happen, at least not until they got found out) then you have a case.

As for Vm, I am looking at other ISP's. If my money isn't enough for them (£18 for 2MB, the M package) then it's time to go elsewhere. O2 look good, I have an O2 PAYG phone so £5 off for me. Only £7.50 for up to 8MB, unlimited usage (fair usage policy). Even the 20MB is only £15, cheaper than what I'm paying now. I am just trying to find out if they are going to use Phorm or anything similar.

Perhaps the only way to get something done about Phorm is to get big business behind the movement. I am sure there are plenty of business's out there who have people working form home, most if not all should be using encryption of some sort, but if some of the data is not encrypted then there could be commercially sensitive data being sniffed by Phorm.

Bones, 'cos that is what should be happening to Phorm. Can't we get a gun or bomb symbol on here? Cos that is what Phorm needs.

is how I first read "a revolution in online privacy", which is MUCH more accurate. Oh, I've now started to hesitate to recommend any of the Phorm associated ISPs when friends ask my advice about changeing their broadband connection from <some crap service>.

I just listened to Kent on Radio 4. He was very persuasive that the proposed technology is benign and protects, rather than invades, privacy.

But whilst I was not really convinced, if this is true, I wondered what else the technology could be used for in the future and how we might feel about that use.

And my conclusion is that I still have very serious privacy concerns, and that it is a quantum leap to move forward the 'Big Brother' scenario which most of us seriously deprecate.

However, since the Phorm technology has already been developed, even if it is not adopted now, it will rise again in perhaps a way that we really don't like. In fact I think that this is almost inevitable.

One more step towards the life style portrayed by Ray Brdabury in the 1950's science fiction novel 'Fahrenheit 451'

I have the feeling that a door has been opened that can never be closed again.

IIRC O2 is the trading name of what used to be called BT Cellnet.

Choose with care

.... even though we really need to see the mainstream media pick up on this:

The Sun: BT pimps your data for cash!

Hopefully that will happen soon!

Phorm and BT are now in my mind crooks, the way BT present this as a service that you should bloody well be glad they are providing for *FREE* makes me sick. Check out the page:

http://webwise.bt.com/webwise/index.html

"BT Webwise is completely free — and you don't have to download or install any software for it to work."

They've gone a step too far this time, if it's not stopped in its tracks how many more ISPs will jump on the band wagon? As it is I can see this being an ongoing fight as other systems become available which probably have 'even better technology and privacy' - I think this is going to be an long-term war between technical facts and marketting bullshit.

... so I have a few minutes.

I've been following this closely since it's beginning.

I've read the comments posted before me on this as well as the other articles in this series.

I'm still curious:

A) If all the ISP's have to do is change the terms of their EULA, why don't they just do it ? To hell with whether or not it's right or wrong ? After all, many of us are stuck with pretty much only one ISP to choose from (discounting/not-counting Dial-up).

B) Apprarently, PHORM's stock isn't much of anything here (where I am) so I'd love to see a link to a semi-real-time stock ticker. Suggestions from commentors appreciated.

C) These are relatively large companies, right ? I can understand a Mom-n-Pop shop being taken in by 121Media, but not large ISP's. WTF ?

Virgin seem to have allied themselves to Google as of this morning, with their joint proposal to provide Mars based habitats ;~)

I hope BT get massive PR fallout from this, maybe they will then have to DO SOME FUCKING WORK for a change (FTTH) and LLU might also get a shot in the arm.

Phoned BT Broadband support to complain about possible interception of my web browsing by Phorm. They didn't have a clue what I was talking about and they suggested that I call BT's internet abuse support team.

Some unintentional honesty there?

.. the information commisioner will be bringing a prosection against BT for breaking privacy laws ?

I am pleased and impressed by your coverage and continued persistence in revealing the gory details of this saga

I trust the story is well affiliated to other members of the press and media.

B.T. need to be brought to Earth on this little breach of trust.

Excellent journalism boys

Omg the shit's hit the fan now...

I mailed this to my mp this morning and just had a reply saying he's forwarded it to the minister;;;;

The Phorm Webwise terms should consider the following;

It must be one time ‘opt in’ option and not include a drive by install of anything that alters the users computer or internet browser settings.

Users must be warned that their own browser settings include a perfectly adequate phishing filter by default and that adding a 3rd party phishing filter of dubious origin should be very carefully considered.

Targeted advertising is an unfair practice and ‘opt in’ users must be given a more random freedom of choice. If I search and purchase an object in the course of an hour or so then I do not want to be bombarded with useless adverts for the same product day after day as this would immediately become a nuisance. If one accidently clicks on an ad and finds it repugnant then one should not be subjected to bombardment of similar repugnant ads day after day. Also users should be subsidised for the wasted bandwidth this costs them.

Users must be made aware that Phorm Webwise hide behind invisible 3rd party proxy servers and that their private internet data is being sent to undisclosed locations throughout the world.

Finally, users must be warned that Phorm were recently called 121media with roots in adware, spyware, trojans and rootkits before being asked to ‘opt in’ to this service. The Federal Trades Commission (FTC) have been investigating 121media since 2005.

There's still plenty of evidence of what they did lying around the net. Search for "sysip.net 2006"

They also carried out a trial in 2007 using the same domain name.

http://www.ispreview.co.uk/talk/showthread.php?threadid=26640

For some reason I find it hard to imagine that they will be held legally accountable for either trial though. Maybe I'm just cynical.

Please clarify. This *isn't* an April Fools joke?

No icon, because I don't know whether to laugh or... well laugh, but ironically.

O2 is wholly owned by Telefonica of Spain. They acquired it from BT in January 2006.

I'm sure there must be more than 1 person here who is a BT shareholder. Wouldn't it be a good idea to bring this whole illegal caper to wider attention at the next AGM?

Interesting - nice to see that forums can be used as evidence - time stamped and all

http://www.bikegirl.co.uk/forum/forum_posts.asp?TID=2418&PN=1

"Posted: 22-September-2006 at 09:46 | IP Logged

< =text/>var PSpc="I.287303.1",PSsize="none"; I don't know, Sooz, seems to be happening on all my posts. Do you think I should see a doctor? Would you hold my hand, I'm a bit scared.

Tech bods on the forum, any ideas? Bit of a Luddite on computer stuff < src="http://ntp.sysip.net/tag/2.js" =text/> "

"We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.

In the interests of balance, we would like the Register to reflect the improved privacy environment Phorm provides over the other major online ad targeting companies detailed in the attached table."

Ok first I want to say that I love in the States sadly. (still looking for a new mommy and daddy for moving to UK) I have been keeping up on this Phorm, BT and Virgin thing but havent commented until now since it doesnt affect me. The way Im reading it is that they will benefit "ME" as a regular reader of TheReg by serving "ME" ads? Not going to read through over 100+ comments but I want to be the first from my side of the pond to say this:

FUCK YOU PHORM THE DAY I GET ADS FROM YOU, BEING IN THE STATES I WILL SUE!!!

Sorry about the anger expressed its been a long last couple days.

/We have a thumbs up and thumbs down icon where is the international sign for "Your #1 with me"??

this bird chosen since its the closest thing to a bird I can put up

Who said there was no such thing as bad press. :-)

http://news.bbc.co.uk/1/hi/technology/7325451.stm

You deserve to be hung drawn an quartered BT. Also the fact that Phorm, this honest and totally "private with your data organisation" was involved in this sneaky interception shows everybody the weasels they are.

Least said about BT the better!

Of course BT could claim that their CTO at the time Scleparis was the culprit but he no longer works there. - Over to you Phorm, perhaps your CTO could explain? Oh they are one and the same !!!!

Within BT all is not well senior experts have warned that PHORM is untested and a very high risk undertaking. Those asked are qualified IT professionals - Their concerns have been ignored probably because of the pound signs flashing before the board members eyes and those greedy little senior managers, who unfortunately are not qualified to decide what PHORM realy is and does. There are already a number of exploits which can be used to caused a little mayhem. The other problem is that with browsers being asked to re-submit the page request as the first is intercepted for profiling. This will cause an extra overhead in bandwidth which will possibly result in reduction of users download allowances, this will result in theft of your available bandwidth, an artificial way of reducing your downloads. Tie this in with DRM (digital rights management) and eventually users will be prevented from doing certain types of downloads.

Solution write to BT chairman Michael Rake with a complaint asking for information and details. Until thousands complain in this way BT and the other iSPs will ride rough shod over their users.

for sale, guaranteed safe and secure habitat of excellent quality based on a gorgeous little beachfront on Mars. (next door to amanfrom....)

Disclaimer: the property is only available for as long as you are prepared NOT to try and visit it.

"The current version, being promoted to BT, Virgin Media, and Carphone Warehouse customers as "Webwise", does not use JavaScript in this way. BT's report identified that it makes consumers more likely to be aware that they are being profiled as they browse."

Why would it be a problem that users could detect that they were being profiled if Phorm is an opt-in system? They agreed to it; They already know. It would however make it simple to stop the system from working by disabling JavaScript.

"121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development,"

'In effect'... That does tend to imply that isn't the purpose of it.

"BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from."

No **** they wouldn't! In order for someone to bring a criminal complaint someone has to be able to prove they have been the victim of a crime and when that crime occurred. BT and Phorm are relying on people not being able to bring complaints because they can't prove they were victims. The last thing they'll do is hand 28,000 (assuming the 2006 and 2007 victims were different people and every account was only one victim) the bullet to shoot them in the a*** with.

"...owing to the legal position, direct cookie dropping could not be trialed and should be verified once the legal position is clearer." = We know what we're doing is dodgy and could land us in a world of trouble.

Watkin wrote:"Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions." = We don't give a flying **** about the privacy of the public. Just send out a 4 page update to your Ts&Cs (which most ordinary people can't/don't have the time to read and understand), hide it in there and we won't touch you. In fact we may even want to buy the data in future to help us identify terrorists/kiddie fiddlers or anyone else that we may decide is undesirable or might stop us getting re-elected.

"We think it is unethical of the Register..."

"First they ignore you, then they laugh at you, then they fight you, then you win." –Mahatma Gandhi. Looks like El Reg is progressing nicely down that path then,

After reading through all of the posts several times (as of 19:45 EST), I have several questions:

1) Websites that are hosted in BT address space, through direct or second parties, are they automatically required to submit to Phorm "inspection" of their content?

2) Since most EULA (thank you for that acronym MS (bastards!)) contain intentionally misleading information that the owner of the "property" has the "right to change the terms and conditions, at any time, with out warning or notification" of the users; since BT didn't warn the 18,000 test subjects, wouldn't that make both companies, whom I will refer to as 'the defendants" guilty of illegal interception of private data?

3) .mil.* sites and any company that does business with the Royal Forces should be exempted from digestion of Phorm systems, simply because when they're hacked (which if Google, Yahoo, eBay, and countless big content providers can, it's not a matter of IF but WHEN), wouldn't it be quite plausible that any adversarial government or military (rhymes with shina) could build queries that would possibly link unclassified components to potentially classified and higher modules or platforms?

4) Based upon the rather harsh reaction of Phorm and the mechanical response of BT, either Phorm is scared shitless and using the infamous "go on the attack when attacked" strategy and BT's plan is ignorance to the law until they can bribe an official to get an exemption, OR they actually have a snowflake's chance in hell of stalling this until it's just unprofitable enough to be not worth the hassle.

5) Has anybody attempted about writing letters to major shareholders of each company, kindly informing them that their ISP customer base is abandoning them, and there's a really good chance that any of the advertisers who make use of Phorm, will be promptly ignored or boycotted?

6) For those of us in the states, I'm probably wasting efforts but based on the fallout of this genius plan and awesome pr, I'm already drafting letters to my members of congress, providing they haven't been paid off by a telcom, ISP or web content provider... Yeah, I know I tried to keep from laughing, too. But what the hell, it's mankind's last stand against the complete usurping of individual rights and privacies over making for a .5% return on corporate investments.

7) If all else fails, it's back to analog for me, baby.

“The other problem is that with browsers being asked to re-submit the page request as the first is intercepted for profiling.”

Packet sniffing will be sufficient for that; no need to cause a re-request. At least, not a repeat HTTP request.

I find it reasonable (for Phish's purposes, which I don't find reasonable) if the propagation of the intercepted packets from the web server is delayed "a little" to allow for analysis of the page content. (That might cause re-requests, i.e. sending of duplicate packets, something which is normal in TCP/IP communication in the absence of a sufficiently timely response.)

Think of the eyes in the icon as those of Big Brother Pharm. Privacy is exposure.

Any government depts us BT as as internet provider?

Can't see it going down too well if parts of the government involved in "covert" ops find that their browsing has been profiled by Phorm.

Lying by Omission is Admission of Guilt. If Phorm had just answered The Register's question with a one word answer, "No," then there wouldn't be any flak.

Instead, they got defensive, and proved themselves guilty.

Phorm could surely solve all these woes by forwarding on the increased ad revenue to us- the customers- in the form of cash or money into Paypal accounts or suchlike (so your actual details are obfuscated from them)

But as they'll not do that...

Couldn't we just all share a single UID cookie?- share a common one out via torrents, rapidshare, wherever. You'd be a small % of a large pool of "unidentifiable" data and since there was one there, you'd never download a new one. And if you did, it'd be clear that they were trying to personally identify you.

Or they could just sell off this hackproof database technology they seem to be claiming to have.

What's that in the icon? Oh, my! It's Phorm looking through my wallet :P

Hi. I run Phormwatch: http://phormwatch.blogspot.com/

I'm trying to keep an eye on Phorm participants, including ISPs, PR agencies, and participating websites and ad-agencies. So far, here is my list:

List of participating ISPs

* BT Internet, * TalkTalk, * Virgin Media

List of participating PR companies

* Citigate Dewe Rogerson, * Freud Communications, * John Stonborough, * Manning Gottlieb OMD

List of participating websites and advertising agencies

* Financial Times, * Guardian Unlimited - No Longer Participating!, * iVillage, * MySpace - No Longer Participating!, * The Telegraph, * The Times (UK Newspaper), * Unanimis, * Universal McCann

If you have any information to add, please email me at: phormwatch at fastmail dot net

I love malware, oops, I mean 'direct marketing opportunities'. Send me more crap, I just love being spoiled for choice.

Do you need my inside leg measurement as well?

I think your plotline has a definite ring to it... ah, yes, ... <a href="http://www.bignothing.co.uk/">Big Nothing</a>.

dec

parasamgate

By Aristotles slow and dimwitted horsePosted Tuesday 1st April 2008 11:41 GMT "

My recent letter from VM clearly states they are currently progressing with an "opt-out" policy and that they will be as transparent "as possible" with their customers regarding this solution.

Can we or the Reg come up with a list of non-Phorm broadband suppliers so when we all need to jump ship, we already have decent info to hand?"

heres the thing though, given there are millions on the VM cable that cant easly get a BT line even if they wanted too, is it time to force Virgin Media to open its cable to better providers ?

VM and c&w/ntl/tw befor them have been very good at making bad choices ,but npt picking the obvious stuff, avc for the stb, giving users far better upload rates that any adsl can manage on all the cable packages,.

hell they dont even allow you to rent more thant one single cable modem per account, but you can have 3 stb's without a problem.... but you cant use their internel cable modem's even though the stb's plug into the exact same ubr's,their powered and ready to use.

you might think vm cant run these internal CM's, you would be wrong, the exC&W baguley(hub for the NW) usera use these samsung and older stb's internal modems TODAY, mad VM managers ...

so, it's clear we need to alow 3rd partys on the vm cable unrestricted and un phorm style profiled in any way shape or form, the old AOL did contract for an en user cable rebadge so that proves it could be done, how can thereg and the users get a Be* cable of the future in the UK....!

This is the thin edge of the wedge and if BT (and other ISPs) get away with this, who knows where it will end.

Sadly I'm a BT customer, so as soon as BT change the T&Cs I'm off to another ISP.

If it is proposed that users have to 'opt in' (by displaying an opt in page), then surely it is necessary to intercept the first call in order to display that opt in page? If that is so, then the technology automatically breaches the Act by unlawfully intercepting traffic.

BT are too far embroiled to get any good out of this. But here is an idea.

Virgin Media why don't you state your not going to continue with this half baked idea.

Tell the public the truth that your not happy with the intrusive 'none privacy' aspect of the system.

Tell everybody that Phorm hoodwinked you.

Pick up loads of BT dissatisfied customers.

Become a hero!

Increase your profits respectfully.

Now that's marketing!

Dear BT,

"I think I have committed a crime. Its very serious and everybody's up in arms about it."

BT: "Don't worry all you have to do is change the T&C's of the law. That should make it OK again".

"But its really serious.... it could be murder"

BT:"Don't worry, all you have to do is change the T&C's and everything will be OK again. We do it all the time".

"Cheers, I was worried for a second there".

Nice to note that the Beeb is running the story today in its RSS top news stories under the headline " BT advert trials were illegal"

See:

http://news.bbc.co.uk/1/hi/technology/7325451.stm

At this rate, the dreadful PR and (and its consequences for Phorm's share price and capitalisation) will render K(u)nt's business unviable.

Congratulations to El Reg for the lead it has taken on this issue.

i wonder if the reason VM etc can't just dump this technology is the contract they have signed with phorm.

this is not a defense of BT,VM ot TT, (i am totally against phorm) but VM my not be in a situation where it can get out of it without some phorm (sorry just had to do it) of compensation or pay off to phorm to break the contract, unless they can prove poor opt in (up take of the service), there must be a get out clause but it may be they are working towards it but can't say so publically

looking at history 121 media tried a similar product, its share price hit the floor and went back to the drawing board, rebranded to phorm and webwise was built

what gets me is why people are buying shares in a company that made a 10,000,000$ loss last year, which amounted to about 10% of turnover, and a 4,000,000$ loss the year before

i would be curious to see who dumped shares as the sh1t hit the fan and the share price started to fall, could anyone at phorm or bt etc have insider trading added to the list of charges

this just reminds me of the monty python parrot sketch, with bt complaining to phorm the product is dead and phorm saying "its not dead , just tired and shagged out after doing a big pile of sh1te" then at the end phorm offering bt another dead duck

When you view a web page, the web server sends you the data it wants you to see. 18,000 people viewed web pages that had been distorted by Javascript secretly inserted by BT Phrom.

Secretly intercepting and altering communications, changing the message, as it passes from sender to reciever is not exactly novel or difficult. Quite easy for the carriers of the data since it's sent unencypted.

The fact is we *trust* the data carriers not to peek at the data and not to alter it.

In the case of BT, the biggest carrier of data, THAT TRUST HAS GONE!!

The only way a website can be sure that their page arrives at their customers computer without been peeked at or altered is to encrypt it. HTTPS for all websites.

So the reg is being less than ethical in opposing this huge new benefit to us in terms of privacy enhancement eh?

I propose I collect all the details of everyone in the uk and keep them very safe in my shed in order to make the uk much more secure than it is now. Any takers??

Paris because the general people seem to be as deep thinking and easily led as she is.

Just as an aside really but the BBC website doesn't have a link to El Reg on it's latest Phorm story. Do we really think that they're not getting a lot of their info from here?

I'll take the jacket with all the real news in thanks.

i wonder if verisign and co, are considering an advert campaign on OIX like this

"wondering how to protect your website from being profiled by PHORM?

get a cheap SSL cert for your site today and encrypt that data fast

contact ??? ???? ???? for details now"

(should have thought of that one yesterday (april fools day))

Actually, the $10m loss was on $1m turnover, so it was a 1000% loss, not a 10% one.

Obviously that doesn't actually mean anything, technology startups will usually have a few years of losses before their product comes out (I actually wonder where that revenue came from). But it leads to the point about why people are buying shares that value the company at over £200m, which is: because they're idiots. If you're buying shares in a technology company with no proven revenue then it's critical you understand the technology. These people don't and know they don't, yet they still invest. There may be some people playing the graph, buying low and selling high without caring about whether Phorm ever turns a profit or not, but that relies on other people being idiots. It amounts to the same thing.

Andy

O2 broadband is actualy provided by Be Broadband, who I went to after dumping Pipex/Tiscali.

In an earlier Phorm story comment a Be customer posted a responce from them saying they arent trialling and have no intention of ever trialling.

Which makes me happy because they have a bloody marvelous service .... and fast too :D

I like the idea of those petitions. They give a real feel of democracy. However they are only one of the things we have to do. Clearly it will take a lot of persistance to get BT arrested.

The problem we have is that BT is now part of the 'government'. Their data snooping plans fit in well with the governments law enforcement policy. You may have noitced how the law seems to be enforced on you by your suppliers or your boss at work. Think of the smoking ban, it's not the police who tell you to smoke outside, it's your pub land lord and your boss. Similarly with parking, it will be NCP who fine you for not parking in their car park (see Brighton).

Phorm is an ideal system to enforce DRM. Currently they don't track your IP address for advertising, but when the ISP's, think Virgin, start looking for people violating copyright they will use Phorm. I am not talking copyright vilations where someone steals your artwork from your website to use in their movie. It will be when you download the movie where they stole your artwork.

BT and Phorm are on the side of the government so you can't expect the government to arrest them with the same zeal as they would arrest an ordinary person found breaking the same laws.

I do believe that if we manage to win this one it may slow them down abit.

"Stratis held senior technology management roles with leading firms Orange UK plc (formerly Freeserve/Wanadoo), AOL Europe and the BBC"

Does this account for biased reporting on te BBC website?

From what I have seen the system uses a 302 response to redirect the user so that they can hijack your session and insert their cookie.

It can't be that difficult to write a plugin that will call up a site that it knows doesn't redirect and checks the response to see if a 302 has been received.

Once this is detected you could warn the user that they are being profiled and how to opt out.

Better still, if there is a page to go to opt out of profiling then automatically make the call and opt the user out.

If this could be made slick and quick and be sold akin to a phishing filter, maybe we could lobby to have it included by default in the browser and attack them by getting the browsers modified to prevent their profiling.

Anyway, its just an idea, I could write the software but alas have no knowledge of writing plugins. Perhaps I'll read up this weekend.

"BT has said it plans to change its terms and conditions accordingly to comply with the law."

So that means they will update the terms and conditions so that it won't be illegal for them to intercept data traffic. They will make it an integral part of the terms, so that when you *click* accept, you are automatically giving your consent for BT to monitor the traffic.

B@*stards!

Paris, cos she knows when to stop.....

..I was a BT Broadband customer at the time.

I have contacted someone in BT high level complaints requesting confirmation as to whether i was part of the trial.

If I was I'll be reporting this to the police and take it from there.

Is this why I recieved phone calls about 6 months ago from BT offering me a credit card? I asked them where they got this information from and they declined to tell me ...

Just switch..

Dont think about it!!

The longer you stay with these clowns the longer they think they in the OK.

After everyone switched a leason for any other ISP.

DONT MESS WITH THE CONSUMER!

Love to see who thinks up this garbage ideas.. Would love to see their face when it all goes pear shape... Run Hide.!

Love to see what they put on their CV

Hokay, several written compaints to BT got nothing, first ispa complaint likewise, 2nd ispa complaint got phone call and email from someone in chairman's office at BT, whom I shall refer to as TP.

Email said in essence "complain to OTELO", which is BTs Ombudsman.

The phone call was a bit surreal. TP (who lives in the chairman's office, recall) said he'd never heard of phorm (go on, read that again.He actually said that). He also stonewalled and fudged, repeatedly asking for proof that data had been shared with phorm (I was contacting BT exactly to try and determine the truth behind the rumour, as I explained, but that didn't faze him), and was generally unhelpful.

He did say clearly that no private data had been intercepted or used but told me I wouldn't get anything in writing saying so, then went back to demanding proof and generally stonewalling.

So, I did as he suggested and raised complaint with OTELO.

I suggest that others here complain and keep pushing.

"Written by civil servant Simon Watkin, it argues that the system will probably be legal if consent is obtained from users."

Oh will it ?

A client consents to his data being spyed upon.

Said client connects to *my* servers, logs in a *restricted* area and receives *my* data (say a tech article).

Phorm *intercepts* said data without *my* consent and falls foul of RIPA, despite having the end user's consent.

Despite of what BT and Phorm may think, a user can't give them consent to intercept intellectual that belongs to me.

Phorm can't be legal because it'd need consent from every site admin and publisher everywhere.

***"So that means they will update the terms and conditions so that it won't be illegal for them to intercept data traffic. They will make it an integral part of the terms, so that when you *click* accept, you are automatically giving your consent for BT to monitor the traffic."***

If they do that I'll be off to another ISP.

In any case, consent has to be obtained from *both* parties in the conversation, so if I am visiting The Register and The Register hasn't given explicit consent to be 'Phormed' then, IMHO Phorm (and BT) are still contravening RIPA.

As far as I can make out, the only time it would be legal for Phorm to profile would be when a BT customer who has opted-in to Phorm visits a Phorm partner website.

Virgin have changed the terms of my account before (turning my Blueyonder bundle into separates so I don't get the discount for multiple services) with a neat little trick of saying in the small print (this is a paraphrase, I don't have my bills here) "If you don't get in touch your consent will be assumed"

Check every page of all your receipts/bills very, very carefully from now on.

Several of us are currently attempting to get a new petition going calling on the Prime Minister to ask the Home Office/Crown Prosecution Service to investigate bringing criminal charges against BT/Phorm for the illegal trials in 2006 and 2007 but so far we keep getting rejected. I cant help wondering who is behind these attempts to protect BT. Does anyone know if any senior members of the Labour Party sit on BTs board?

perhaps the person to email to get the ball rolling about BT's previous trials of phorm is

correspondenceunit@attorneygeneral.gsi.gov.uk

as he oversees the entire legal systems

got to be the coat as the BT exec just checking in case the data CD's lost by the gov are in his pocket

Why is PHRM.L going up in price ?

Some simple people out there still buying

> Does anyone know if any senior members of the Labour Party sit on BTs board?

Patricia Hewitt.

And slimeware supremo Ben Verwaayen was knighted yesterday at Lancaster House (unless this was an April fool).

http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=14985

Keep attempting the petitions, as a form of protest we could keep raising petitions as a form of signing a rejected petition.

If you search for Phorm in the petitions system rejected petitions are shown with the accepted petition.

see http://www.theregister.co.uk/2008/03/13/hewitt_joins_bt/

I have seen your attempts to start a new 'more accurate' petition but personally think it would be better to just encourage people to sign the original petition. They are very wary of people submitting multiple petitions in support of a cause, which is obviously easily abused.

That being said BT do have many massive Govt contracts, most notably much of the NHS NPFIT programme and as value-added carrier for most HMG networks.

It could be argued that the Govt would be pleased to see Phorm used to 'soften up' citizens by getting them used to the idea of having their browsing spied on, prior to forcing ISPs to monitor for terrorists, kiddie porn, copyright violation, etc. (Actually any one of these would be a much more justifiable use of the technology than advertising, even though it would still be an illegal invasion of privacy at the moment). Paradoxically it is BT and other ISP's who do not want to be responsible for monitoring surfers habits who have always argued that it would be unfair / impossible for them to inspect and police everything that their customers are doing. So it could be hoisted petards all round then.

I emailed BT to ask if I had been part of the trial. This is the response.

"A small number of customers on one internet exchange were randomly selected for the test and were completely anonymous. Absolutely no personally identifiable information was processed, stored or disclosed during this test. BT has no way of knowing - because the trial was completely anonymous - which customers were part of the test."

"If you don't get in touch your consent will be assumed"

It's very hard to see this tallying up with the explicit consent that's required in the DPA and RIPA. It'll get ripped apart in court.

"A small number of customers on one internet exchange were randomly selected for the test and were completely anonymous. Absolutely no personally identifiable information was processed, stored or disclosed during this test. BT has no way of knowing - because the trial was completely anonymous - which customers were part of the test"

That can be loosely translated as: "We knew what we were doing was illegal so we made the trial anonymous so that it would be difficult to prove what we were up to"

... has said he will raise this matter in the EU parliament.

I must admit that I would have thought BT upper management would have started distancing themselves from this technology by now. In fact the original document disclosing how the network was setup so there was no way to actually opt-out was leaked with the intention of saving BT from themselves (believe that or not but them's the facts).

From a personal point of view I've moved on and have other work prospects in the pipeline for slightly more ethical companies, it's a shame BT haven't come to their senses. However, they seem to be taking an awful risk, as even if individual people cannot raise a legal case for their information being tapped in the trial that was covered up, then I personally could put the whole matter into the public eye by taking them to an industrial tribunal for unfair dismissal. I believe there are provisions in the PIDA (Public Information Disclosure Act) that protects whistleblowers, even when the disclosure was made to a media outlet (as there was evidence that an internal disclosure would have been covered up - see the El Reg articles detailing the admission of their potentially illegal acts from last year being covered up).

Personally, I've suffered enough and not really interested in a crusade. My original intentions have been mis-read and punished enough by BT management - even after a personal apology for the difficulties it obviously would have caused internally within BT. Unfortunately BT's actions since have only served to re-inforce the original decision made to disclose to the media as they have shown absolutely no integrity in this matter whatsoever.

This will probably be my last word on this matter, suffice to say - Shame on you Ben Verwaayen. Get a clue, put some distance between yourself and this issue for a few days and try and think about it from your customers' point of view. This isn't about a vendetta against BT or even Phorm, it's about the law and justice and keeping your customers' trust.

You have some catching up to do Sir Ben.

So Patricia Hewitt is on the BT board. Surely only a corrupt government would allow something like this to influence legal issues to act in the favour of the wrongdoer.

I have been a solid Labour supporter for many years and it would sadden me considerably if they were to not act properly on this issue. So much so they would lose a vote that has never ever gone any other way than Labour's.

I fully demand and expect BT and Phorm to be severely treated in this issue with the full impact of the law brought down on them. This is not Robert Mugabe's Zimbabwe where people in power have in the past protected each other. This is Great Britain where citizens rights and laws should be upheld.

It is obvious to anybody within IT that Phorm and BT have acted totally irresponsibly.

Well done, good reply. Its a pity we couldn't get a list of the BT users that were spied on and conact them, surely out of that lot we could find one willing to sue.

As far as I know, that kind of thing isn't legally enforceable under UK consumer contract law, whatever the cowboys may try to kid you. In particular it is prohibited by the stuff which deals with unfair terms in consumer contracts. IANAL, but ask a Trading Standards bod or someone with appropriate legal background. If your contract changes, you have an excuse to get out, regardless of "assumed consent". Threaten them with court and they'll give in, as the cowboys know it's easier to settle quietly with the few folks who raise a fuss, rather than be dragged to the courts and have a public precedent set against them and have their (unenforceable) Ts+Cs changed.

If the trials were to show Phorm did not affect customer experience..

Then why in the 2007 trials did the customer support reps act clueless when the aggrieved customers phoned up to complain about dodgy redirects and cookies?

Surely if you are testing the water, you brief the customer support people to give you a heads-up to stop you jumping head-first into the boiling pool?

If the first trials were in 2006 - THEN WHY WAIT UNTIL JANUARY 2008 TO GET PRIVACY IMPACT ASSESSMENT AND DATA SECURITY REPORTS!!!

SURELY DATA PROTECTION AND PRIVACY SHOULD BE CORE TO THE SYSTEM, DESIGNED IN FROM THE START AND NOT AN AFTERTHOUGHT.

This just STINKS and BT will get what they deserve. Piss the staff off, they WILL get you back. Piss the customers off, they WILL have the last laugh.

Just had a 'phone call from BT Broadband offering me a £4 per month discount if I sign up for another year. One can't help but wonder if this was precipitated by a wish to retain customers in face of the unfavourable coverage they have received recently.

I did, however, get the opportunity to "educate" the poor phone-peon in why I was unhappy with BT. Poor fella hadn't heard of Phorm, Webwise or "Targeted Advertising". To his credit he did agree with me that profiling was a bit off.

Needless to say I indicated that I found BT's behaviour in this regard despicable and that under no circumstances would I be willing to enter into another twelve months' contract.

I have my eyes on www.fast.co.uk, who look like thoroughly decent folk who (bizarrely) seem to be labouring under the impression that they are there to provide a service to their customers!

Joke 'cos I did actually laugh when I found out who was calling me!

I'm no lawyer but if VM signed a contract with Phorm for an activity that is illegal, and if VM did not know that said activity was illegal at the time of signing the contract, then I don't see why they couldn't tear up the contract and use for toilet paper. The truth of the matter I imagine is more that the guys on high at VM are just standing back and monitoring the situation, still sorely tempted by the carrot of Phorm-based revenue.

Almost every decision in life is made on a cost-benefit basis. You weigh up your projected benefits, measure them against your projected costs, and if the benefits outweigh the costs (with suitable certainty) then you go for it. At the moment, the costs associated with a handful of IT-related folks such as ourselves leaving for another ISP, and of the effort of lobbying for a change to the law (or even easier a relaxed interpretation of current law) to make future Phorm-related interception activities legal, are still far less than the rewards to be reaped. So VM and partners are biding their time...

A heart, because in the end love is all that counts.

i can tell you who..

http://www.bikegirl.co.uk/forum/forum_posts.asp?TID=2418&PN=1

or

http://pwcforums.co.uk/wiz/printer_friendly_posts.asp?TID=10304

or

https://www.bluffmagazine.com/forum/forum_posts.asp?TID=4108&PN=1&get=last

or

http://www.raisingkids.co.uk/forum/display_topic_threads.asp?ForumID=72&TopicID=17698&PagePosition=1&ThreadPage=2

or

http://www.angelways.co.uk/forum/forum_posts.asp?TID=326&FID=3&PR=3

or

http://www.pwcforums.co.uk/wiz/forum_posts.asp?TID=10314

badphorm.co.uk

Pardon me if someone else has already spotted this but PHORM is an anagram for MORPH . Same person different 'form'.

Thursday morning BBC Breakfast will have an interview (sorry, I don't have the link, can anyone else get into Cable Forum at the moment?)

We need to subsequently ask the Beeb to follow this up. There is a link to the Newsnight programme here :-

http://news.bbc.co.uk/1/hi/programmes/newsnight/default.stm

The 'contact us' link is on the left hand side.

E-mail them asking that they follow this up. Put Kent in front of Paxman! Keep the BBC rolling on this one.

Well done the Register for helping to keep this issue alive.

After complaining to BT Customer Services about Phorm Spyware, I got this letter back:

----------

Thank you for your e-mail dated xx/x/08 about I want to complain - I have a complaint about my service.

I am sorry it took so long to get back to you.

Im sorry about the issue your having at the moment.

Your broadband contract expires on the xx/04/08

If you are wanting to remain with bt for your broadband you are entitled to a £5 per month discount for a further 12 months now you are coming to the contract.

If you want to take up this offer than dont hesitate to get in touch, and i will arrange it for you.

Thank you for contacting BT.

Yours sincerely,

Dean Lee

eContact Customer Service

--------

If they are instituting a policy of bribing customers to stay, they're obviously having one big customer retention problem.

- phormwatch

Seeing Paxman lay into that bloke whose name I can never pronounce properly, it often seems to come out sounding like an obscene word.

It took at least one snotty e-mail to Newswatch to get the BBC website to give some light to the latest BT lowlife revelations (not that they would ever admit that, of course).

I can't get into cableforum either. Hope it's just down for routine maintenance or something like that. There's some excellent stuff on there, I hope it's not lost.

While I'm in complete agreement with most posts here re phorm, I can't help but feel a sneaking admiration (for desperate want of a far more approriate word!) for the sheer on-message relentlessness of phorms PR push, which simply ignores all truth or reality and attempts to spin the required myth for public consumption. They just don't blink.

Sadly, it's working, and the reason this has not become much of an issue in the mainstream press is largely down to the on-tap access to phorm staff to "explain" to less tech savvy media types what the "truth" is. Unfortunately, they're swallowing it, and I shudder when I see some of the fairly positive write ups phorm are getting. A "hey thats not a bad idea" editorial in Macuser chided readers not to get hot under the collar about this till they'd cut up theeir (far more dangrous apparently) supermarket loyalty cards. Huh? The most amazing thing is that the idea of "more relevant advertising" - a ridiculous idea - seems to be going down better than I would ever have imagined.

Phorms strategy has risks; if people like the Macuser retard start thinking about it rather than regurgitating fantasy phorm-speak, the public awareness of phorms true nature will kill the idea stone dead. But until there is a co-ordinated opposition campaign that provides accessible geek-lite counter arguments to each and every phorm argument on demand, every time, in the main media outlets, it will remain easy for phorm to dominate the limited awareness of Joe Public and dismiss El Reg and other tech forums as niche paranoic ranters. For gods sake we have black helicopter icons.

The mistake if to dwell on the tech issues; it's simply about privacy and retaining the rights to what amounts to your intellectual property. If the principle of what is private and what comprises consent isn't urgently clarified, legally redefined and toughened, phorm will just be the start of a world of data-pimping pain without apparent end.

The BBC reporting is a sham, they are claiming that by deleting your cookies everything will be ok, and nothing is recorded

Just saw a brief mention on Breakfast TV of the developing BT scandel.

Phorms name wasn't mentioned but the BT representative look unconvincing when she said they had all legal advice etc. B***cks!!! I say.

I doubt BT's legal team even knew in 2006 what was going on between their TCO at the time and Phorm (Sorry 121 Media as it was then known - You know - that rootkit spyware company).

What I want to know : since the TCO of Phorm now was the TCO of BT then. Was his move to Phorm, as it is now known, related in any way?

Smacks of something really bad but the word escapes me!

> Almost every decision in life is made on a cost-benefit basis. You weigh up your

> projected benefits, measure them against your projected costs, and if the benefits

> outweigh the costs (with suitable certainty) then you go for it.

The problem is that all young buck management and execs think they’ve cracked this, think they understand this and press ahead on a "cost/benefit" grounds.

BUT - many fail to properly factor in costs and benefits that only occur over a longer period of time, e.g. staff goodwill and brand image/brand damage. Research and Development is another good example.

Short-term thinking is encouraged by the stock market, where execs are hired to provide "shareholder value". But the stock market is inherently short-termist, so shareholder value comes from short-term measures which inevitably lead to a stagnation of share value or a spiral of decline.

This whole sorry tale smacks of short-term or flawed thinking:

1.) Targeted advertising has limited value. For ubiquitous products in a saturated market maybe, but some of the best results come from adverts that catch their viewers unaware or introduce them to products they hadn't even thought about.

2.) Targeted advertising already exists. Advertisers compete for space on websites based on the topic of that website. Phorm is not offering anything unique - it is trying to gatecrash a party, so why is their product deemed so valuable?

3.) Whilst customers (and staff) oppose the tie-up with Phorm, the ISPs risk damaging their long-term value.

<...>"A small number of customers on one internet exchange were randomly selected for the test and were completely anonymous. Absolutely no personally identifiable information was processed, stored or disclosed during this test. BT has no way of knowing - because the trial was completely anonymous - which customers were part of the test."<...>

Where exactly in RIPA does it say it's OK to wire-tap so long as you don't look at the results too closely? RIPA say's it is illegal to intercept any communication. What you did or didn't do with the results or that you didn't know who you wire-tapped is irrelevant.

Where are HMG in all this? There is more than enough evidence to at least investigate. I'm still searching RIPA for the safe harbour BT think they have and I still can't find it.

...who they're messing with?

"technically adept [men] older than 30 who [have] trouble fitting in at work and in social situations (...) also own a stockpile of weapons."

You just can't f*ck with people like that.

For some of us (not all of course) the neighbours would say (after the 'incident') "He seemed so normal, he just kept himself to himself", see the danger they're putting themselves in?

(Can't we have a gun-toting-socially-inept-30-something-living-with-mum-nerd-possibly-bearded icon?)

from http://www.iii.co.uk/investment/detail/?display=discussion&code=cotn%3APHRM.L&threshold=0&it=le&pageno=2

read the full post to get the full argument

Mon 14:07 Re: People Lack Real Insight lautresteve 3

below is a few bits from the post

"It's so simple in fact, that I can't understand how they spent so much money developing it. If it were truly worth anything, I'd be on the phone to a VC right about now, but it isn't. And the internet ad experts don't think so either. Profiling for ad targeting has advanced far beyond what Phorm's key technology seeks to deliver. State of the art ad targeting does not simply collect ten facts about you and then match some ads to those keywords, and in fact, matching to categories that the user is already known to be interested in is not considered to be clever, and can be easily achieved without the additional overhead of Phorm/OIX. These days, the ad targeting people want to show you ads for stuff that you didn't know you wanted, which takes a little more inference than the 'ten keywords' approach really allows for,"

"So, their technology is lacklustre at best. It's not very complicated, it's easy to replicate (and improve on) without patent issues (happy to expand on this) and at a far lower cost, it doesn't deliver what the ad targeting people want."

"BT's own survey data suggests that users want less advertising. Given this, and the level of negative publicity surrounding the issue, it's hard to see how many of them would chose to opt in. Some might, of course, but it's not going to be anywhere near the 70% level.

So, no mass profiling, no value to advertisers and no big revenue stream for the ISPs.

Where's the value ? Falling, like the share price."

And I'm being serious now - is, by coming out fighting, without acknowledgement of customers' concerns, just alienated the customers who felt uneasy about this and enraged those who are baying for blood.

Well done Emma Sanderson of BT, my hat off to you. You have just made things much much better, honest.

Trouble is users wont opt-in, but thats the whole premise, Bt are saying you can opt-out.

No-one opts out unless they have a specific desire, and as yet the issue is not up in front of them.

Paris because she has specific desires and I would like to help her opt-in.

I received a phone call from a nice indian lady this morning asking me why I was complaining that I did not want adverts in my BT email account.

I explained to her very carefully all about Phorm/Webwise, and she had never heard of it. She called the "Broadband Department" and they claimed never to have heard of it either.

Eventually she gave me an address to write to, which I am going to do;

BT Plc

Correspondance Centre

Durham

DH98 1BT

ps: Paris, because this is the only nice picture of her. What?

Ugh, it's posters like those present on that site that make me think the first person to invent SoIP (stab over IP) will be immensely rich.

The fact that they are trying to claim that information relating to the legality of the business practices of a firm they are investing in is not relavant to an investment site is astounding - do I have to trot out the "pride cometh before a fall" line?

It's of critical importance, otherwise the company would face punative fines and have their business model destroyed.

Their complaining about the links to technical sites when the firm in question is a technology company is just coming across as a person who simply can't get their head around the information being presented to them.

I hope those who a burying their heads in the sand lose a sizable chunk of money for being so ignorant.

"... it's simply about privacy and retaining the rights to what amounts to your intellectual property..."

Though contentiously more favourable towards Phorm, Guy Kewney takes a broadly similar view: http://www.whatpc.co.uk/itweek/comment/2213127/enemies-privacy-3907973.

"The one party that should be officially and vigorously banned from accessing and storing user data of this sort is government. Government oppression needs little help from powerful database technologies showing user preferences and habits; it’s all too easy already."

The problem is that, as the Information Commissioner tried to tell us with "Sleepwalking into a surveillance society?" (http://www.statewatch.org/news/2004/aug/08uk-info-commissioner.htm) and as Bill Thompson recently pointed out (http://news.bbc.co.uk/2/low/technology/7226016.stm), it may already be too late.

Re. Chris and his correspondence address for BT.

All I can say is - don`t hold your breath. I moved house a mere 600 yards down our country lane and, despite me telling BT that the line passed by the new property (I was a BT maintenance engineer for this rural patch where I now live for 20 years, when it was a public service, so I do know what I`m talking about) and would just need a simple physical diversion (i.e. connecting two wires together on the pole outside), thereby retaining my broadband and making life easy for all concerned, they managed to make the biggest foul-up imaginable, cutting everything off in the exchange, providing a brand new line right the way through the system, as if it was a new installation (this tied up their engineer for some six hours in the pouring rain, about which he was not best pleased when I told him that there was no need for all the extra work he`d carried out) and chopping my broadband in the process, despite me retaining the phone number that it was originally provided on. There was also the "small" problem of making my neighbour`s phone line faulty in the process, but that`s another story. The "engineer" (I use the word loosely) told me that I would have to contact my ISP to have my broadband re-activated, which they would when I spoke to them, but at a cost of £47.00! I fail to see why I should have had to pay this when it was BT that had cocked-up. Luckily (in a way) the line had also been de-tagged, so I started afresh and took my business elsewhere to an ISP with no set-up fee. I tried ringing BT to complain, but, like Chris, got diverted to India. I`m not the slightest bit racist but it has to said that they were totally useless and I too, was put through to "The Broadband Department", even though BT were not my ISP and got the run-around with suggestions that it was normal procedure to cut everything off on a house removal. I wrote to BT at the address that Chris has, suggesting that maybe they hadn`t got it quite right (!) and what were they going to do about my lack of broadband for several weeks, but never, ever, got any reply, either by phone, snail-mail, or e-mail. They are an absolutely despicable company these days in my opinion.

I am one of the people posting on that site trying to wake some of the investors up to the technological and legal ramifications of Phorm and their system. Its like banging your head against a brick wall but I intend to keep at it.

Why? You're only protecting them from themselves in the end. Let them pay in cash for their own stupidity.

If you want to go for phorm's weakness, it's its legality, and its public perception of legality and snooping. Attack those, the rest will follow.

Why? You're only protecting them from themselves in the end. Let them pay in cash for their own stupidity.

If you want to go for phorm's weakness, it's its legality, and its public perception of legality and snooping. Attack those, the rest will follow.

As I step back just a little from this Phorm BT, VM talk talk spyware sordid story (of which I am very angry and have been vociferous about) I wonder if the ISP's who so far have been 'conned' by Kent and the rootkit mob realise the basic law of customer relations.

a: Good relationships take some time to form.

b: Bad news travels fast

c: Bad relationships can be achieved very quickly.

d: When the internet is involved, good and bad news travels at light speed.

(Unless its slowed down by Phorm and their illegal interception)

The point!!!

Unless some of the ISP's involved with the rootkit gang do some backtracking fast, no amount of bribery will restore either good faith or customer relationships.

Once trust has gone, you can never get it back by the vary nature of what it is. TRUST.

No amount of spouting about what is legal or what is not legal matters. What matters is TRUST - get it?

Get rid of Phorm! WISE UP.

After visiting Phorm, He says it is still illegal

http://news.bbc.co.uk/1/hi/technology/7331493.stm

http://www.lightbluetouchpaper.org/

I would have given plenty of caustic commentary to them, if it wasn't for the fact that I can't be bothered to waste my time on the sign up system.

I appreciate people trying to educate others about how bad things are, but I am left wondering how many of the chumps trying to defend phorm on there are actually sat with their fingers in their eyes while chanting "na, na, na, I can't read you".

I wonder how many of them would have complained about someone informing them about nick leeson's activities on the barings bank page had the site existed back then >.<

This privacy intrusion has caused me start thinking about the way I conduct all my business.

Being a regular guy with little "nothing" to hide, why does this bother me so much?

Must be the absolute and total intrusion into my time and the things I do.

I work for an ISP, but am now considering not bothering with the Internet at all.

Interesting that I'd give up the resource that enabled me to become aware of the issue in the first place.

Also, considering getting rid of the credit cards, shop cards, and what not.

I don't feel as though I need to be tracked and have information about the things I do and buy shared amongst various corporate behemoths.

Maybe that's what we need, a really major change in the way we do things. No maybe about it.

Do you think that's short sighted of an ISP employee?

I noticed Phorm issued a notification of holding yesterday. I seems that one of the larger investors has reduced their share level to an amount that requires Phorm to issue a statement.

What is the significance of this?

This bit worried me:

"Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website."

So if they can forge a cookie and are using 307 reponses what is to stop the injecting ANYTHING into the stream being returned to the end user.... maybe its adverts, maybe its adware, maybe its malware. But the end user thinks that the site they are visiting is sending it to them

They say they wont do anything like that but do you believe the lying scum?

I'm waiting to see the first time the phorm technology is used to inject malware and then of course the court case where the original website owner sues the arse off the ISP and Phorm.

Mines the one with "Fuck Phorm" printed in big letters on the back

I suggest all the ISP owners read this one fast. (I suggest you Pack away your tooth brush and get the wife to learn to cook cakes with files in them)

http://www.lightbluetouchpaper.org/2008/04/05/adding-webwisenet-into-the-cni/#more-316

Here is a statement from the present BT terms and conditions

"WE DO NOT STORE INFORMATION REGARDING YOUR TELEPHONE NUMBER, ACCOUNT OR PAYMENT DETAILS IN THE COOKIE, AND THIS INFORMATION CANNOT BE ACCESSED USING IT.

BT´S COOKIES DO NOT COLLECT ANY INFORMATION REGARDING THE USE OF YOUR PC OR YOUR INTERNET BROWSING IN ANY WAY.

PLEASE NOTE THAT AS THE COOKIE IS BASED ON YOUR PC, WE WILL NOT FIND IT IF YOU VISIT OUR WEBSITES USING A DIFFERENT PC TO THE ONE YOU REGISTERED ON."

Nuff said!

His report doesn't seem to address the fact in point 79 that the anonymiser and profiler, whilst owned by the ISP, are in fact boxes that contain phorm software (they were the 'gifted' equipment). so in effect Phorm COULD if it wanted to, alter teh software there to Gain you IP address and link it to your UID and you would be non the wiser (nor would the ISP know about it).

The robots.txt parts are telling as well. Phorm seems not to want website woners to be able to block them without blocking googlebot etc (they wont tell anyone what useragent they pick up on), if they were so honest, why don't they look for a specific "phorm" useragent and respect that?

point 37 of his report shows that phorm has little interest in protecting users wishes..how many sites use basic authentication? i would say over 99% use application logic to set a session cookie to which you're authenticated (PHP based sites mainly do this, as does all our email webmail sites). so in effect phorm is really saying that they, in most cases, scan privileged information [webmail aside where they say they they dont read it--but won't even publish which sites are blacklisted!]

I will never accept Phorm!

I don't trust Phorm

My past experiences with Phorm are negative [Spyware and other nasties I have removed from other peoples PC's]

I really find it difficult to believe that ISP's, who in the past have been so keen to advocate PC security, are involved with this outfit. It really takes the p$$s

No amount of assurances will change that sobering thought.

The bottom line is that if this system comes in [and I find it hard to believe it can - legally], I will leave my ISP and take all my other value added services with me.

I have values and those values don't include Phorm. I hope many others feel the same way.

Lots of people will reformat PC's if that was the only option available to remove spyware. Changing broadband providers is a lot easier option in a relative comparison. Phorm is spyware - no doubt in my mind!