FIPR: ICO gives BT 'green light for law breaking' with Phorm

The Foundation for Information Policy Research (FIPR) has slammed the Information Commissioner's Office (ICO) for glossing over doubts over the legality of Phorm's advertising targeting in its public statement on the controversial company. The ICO released a long-awaited statement on Phorm (pdf) on Friday. It said: "[Phorm] …

COMMENTS

  1. Anonymous Coward

    DPA != RIPA

    Again they appear to have the Data Protection Act and RIPA confused.

    If they keep personal info, then they would be contravening the DPA.

    The act of intercepting a telecommunication is illegal under RIPA. Whether any info, personal or otherwise, is stored is utterly irrelevant.

  2. Sceptical Bastard

    Lies, lies and lies. But no surprises.

    I read the BBC's news report today about Cambridge University's findings.

    In that BBC coverage, a spokesdroid for Phorm said: "The Regulation of Investigatory Powers Act (RIPA) was drafted in the earliest days of the internet. It is not designed to criminalise legitimate business activities."

    Even that simple statement is disingenuous empty spin - or more precisely it is completely wrong.

    Firstly, K(u)nt and his odious PR drones obviously know nothing about the internet's history.

    The RIPA Bill was introduced in the House of Commons on February 9, 2000 and received Royal Assent on July 28. That means it was drafted and debated during 1999 (although probably conceived the year before).

    So they are saying that the year 2000 is "the earliest days of the internet." I think not!

    Licklider had the idea in the early 1960s; ARPAnet went live in December 1969; the term 'internet' for a global network of networks was coined in 1974; the first TCP/IP WAN launched in January 1983 (when ARPAnet moved from Network Control Protocol to TCP/IP); the NFS network was made available to commercial users in 1988; CERN introduced Berners-Lee's HTTP and the World Wide Web in 1991; and the Mosaic browser was launched a year or so later.

    Secondly, I concede that RIPA does not appear to be "designed to criminalise legitimate business activities." But Phorm's projected activity is not "legitimate business": it is an unauthorised interception of traffic as defined by Section 1 of RIPA and as such is illegal.

    Moving on to the Wikipedia issue, I am sure El Reg readers take much of what appears there as manipulation by vested interests. So no surprise there!

    It is no surprise, either, that pro-Phorm entries are traced to an IP address range assigned to BT.

    Nor am I surprised that BT says: "It's nothing to do with BT PR. We haven't been involved with amending any Wikipedia entry on Phorm." After all, BT has consistently been deceitful and dishonest and secretive about Phorm. So why should we believe them now? They are habitual liars.

    Phuck ophph Phorm.

    Aux armes, citoyens.

  3. Anonymous Coward

    lol

    lol nothing will stick, they'll just "prove" that they weren't "intercepting" anything.

    Remember, the government want Phorm like access, the police want Phorm like access and the companies want Phorm like access.

    The sheep will suck it up, and those who don't will rant and rave and look like paranoid crazies or just leave the country.

    My advice, start looking for a new place to live. If nothing else at least nearly anywhere else is cleaner than this cesspit.

  4. Jonathan

    ICO

    "Phorm has assured me that their system is very good for my bank balance, that is to say, very good for the consumer."

    Come on, the ICO plainly ignored FIPR for no good reason. Phorm is illegal, it's about time the ICO said so.

  5. alistair millington
    Stop

    Jobs for the boys

    The ICO won't upset the apple cart. They have long been proven to be useless at their job and why should they start the development of a spinal cord on something as wide ranging and far reaching as this. It makes sense to bury your head and pretend it was someone else. Despite the remit of the company [Phorm] saying they are going to use financial information (from their data protection listing) and despite the fact the ICO is the data police.

    They won't risk annoying the govt, the home secretary (And we know she is useless) backed it so why shouldn't the ICO.

    I am not surprised.

    Can we have another government please... This one's broke, corrupt and defunct.

  6. James
    Thumb Down

    DPA is about more than storing personal data

    The DPA also refers to processing personal data, not just storing it. In order to strip it out of their input stream, Phorm must process it even if they throw it away. Anyone using the DPA daily care to point out where my logic is wrong?

  7. The Mole

    Re: DPA != RIPA

    The first message is slightly wrong, you don't have to store personal information for something to fall under the DPA you simply have to process it. Furthermore, if the personal information you are processing is sensitive (health info, religious or political views, sexuality, trade union membership etc) then you require explicit rather than simply implicit consent.

  8. Anonymous Coward
    Thumb Down

    Privacy for all

    Note that it's now emerged that any website operator can read the Phorm user ID cookie if he wishes.

    So Phorm have inadvertently/deliberately/incompetently (* delete as appropriate) introduced a global method of uniquely identifying every user out there. It's like embedding your MAC address in every request...

    Way to go, guys - nice to know that your technology is all about "enhancing privacy".

  9. dervheid
    Boffin

    ICO=

    Internet

    Confuses

    Overlord!

    When will these phuckwits get the message.

    Good;

    "Surfer" - Internet

    Bad;

    "Surfer" - Phorm - Internet

    Simple.

  10. Anonymous Coward

    DDOS

    Because the Phorm system redirects everything to webwise.net, a DDOS attack on that website will kill several ISPs customers stone dead. Let battle commence.

  11. Eponymous Cowherd
    Unhappy

    Phuck me!!

    I'm getting my MAC code from BT today.

    I wonder how many other customers BT are losing due to Phorm?

  12. James

    talktalk looking up?

    In agreement with the first AC in this thread. I don't so much care whether data is stored or not, it's the interception with the possibilities that leads to that has me concerned. I am far more concerned that a company might tap my communications. Once tapped what they do with it is a matter of trust and this company is far beyond trustworthy, but that's a moot point. I don't want my data anywhere near a third party.

    Of the three major ISPs talktalk are the only one so far to confirm (via the members discussion forum) that their implementation will be opt in and will mean that for anyone who does not opt-in their data will never go to phorm equipment or software. So far they have yet to confirm an implementation.

    On top of that they recently announced a royal screw you to the BPI by saying they will fight the 3 strikes and you're out rule for file sharers. Slight caveat being that they do shape p2p traffic.

    I for one switched to talktalk from bt a few months ago (saving 20 quid a month in the process) and have to say nothing so far is making me regret that decision. I would be away from bt faster than the proverbial rat given current happenings.

  13. Anonymous Coward

    So Phorm don't have anything identifiable... so what?

    Whether they do or not there is still interception going on with no explicit consent from both parties. Which according to the Clapham Omnibus test is against the law as defined by the RIPA.

    Also the ICO might wish to head on over to http://www.un.org/Overview/rights.html and take a look at Article 12... it's a document with which they ought to be familiar.

  14. Kevin Johnston

    Bad Phorm old chap

    Having read the missive from our wonderful guardians I thought I would ask them a few simple questions such as 'Will BT/Phorm be asking my permission to intercept communications between my website and my customers' and 'if I choose not to join this intercept process will my network traffic be routed around Phorm's intercept system or will it be passed through on the promise they will not peep'.

    Will update if I ever get a reply

  15. Anonymous Coward
    Coat

    RIPA?

    So what do we need to put on all our websites to make it clear to Phorm that we don't want them using OUR material to make money for them which is what it boils down to in the end?

    I've seen "RIPA NOTICE: NO CONSENT IS GIVEN FOR INTERCEPTION OF PAGE TRANSMISSION" But is that enough?

    Or do we all need to email Phorm and their scummy ISP associates with a formal notice informing them that they have NO rights to scrape websites that we run - and then list the websites that we own?

    Failing that I'll just have to sign my own SSL cert and move all my sites to HTTPS!

  16. Anonymous Coward
    Coat

    I am Elvis Presley

    ""[Phorm] assure us that their system does not allow the retention of individual profiles of sites visited and adverts presented, and that they hold no personally identifiable information on web users. Indeed, Phorm assert that their system has been designed specifically to allow the appropriate targeting of adverts whilst rigorously protecting the privacy of web users.""

    Hmm - if I tell the ICO that I'm actually Elvis Presley re-incarnated I'd hope they'd not just take my word for it.

    The ICO should not just take Phorm's "assurance" that it doesn't do things. I'm sure the average psychopath assures people that they're perfectly safe.. just because they say something doesn't mean it actually is true.

    It's the one with all the Rhinestones

  17. Anonymous Coward
    Stop

    Re: DDOS

    A DDOS attack on webwise would not have any effect. The webwise site the ISP 307s to is sitting in the little black box within the ISP so is protected from high traffic volumes.

    If they had not put webwise into the ISP, 10 million UK customers and a few more 10s of millions from around the world all being 307ed to the real webwise DNS would have been more effective than any DDOS attack at collapsing the system.

  18. Alex
    Stop

    Big Telco in activity profile theft?

    I've been thinking about this:

    My web browsing, is user generated content, thus it is a product created directly by my activity.

    Think of it in the sense of "usage as a business" I'm using the model of a telemarketing company:

    A telemarketing company buy their Telephone/Internet Service from Big Telco,

    the telemarketing company then build up Profile Data ('target market information') as a result of Telephone/Internet Service activity.

    The Big Telco then purchase the Profile Data produced by the telemarketing company. DATA COSTS MONEY. (any marketing company will tell you that)

    Big Telco then use the Profile Data in whatever marketing application they have planned as they have bought typically LIMITED USAGE RIGHTS to that data

    Big Telco would be unable to carry out their marketing application without buying the data as they wouldn't have the Profile Data.

    Now my clickstream belongs to me, it's my activity, it is certainly not the automatic property of Big Telco, what the Webwise/Phorm device proposes is the ILLEGAL DATA HARVESTING of my Click Stream thus robbing me of the ability to use or sell that Profile Data elsewhere.

    This is a DATA RIGHTS STING, Big Telco appear to be trying to get the jump on the population, to take ownership of a product of peoples activity, infringing on peoples human rights to privacy at the same time.

    This is disgusting, this needs to be stopped.

    Can this be brought to the European Commission?

    it is astonishing, I read the ICO whitewash and couldn't believe what I was reading, what on earth is the Home Office doing green lighting illegal activity?!?

    anybody know if this can get stamped on by the EU?

    This makes me feel SICK.

    DO. NOT. WANT.

  19. Mike Bell
    Thumb Down

    Phuming Mad

    So, I'm crazy enough to opt in to have my browsing habitually monitored for the benefit of advertising companies...

    My wife pays the bill to BT. Is she opted in as well? And my son? Both use my computer.

    It would be *THEIR* personal information that would be intercepted/processed, not just mine, and how the phuck would Phorm know the difference?

  20. StillNoCouch
    Paris Hilton

    I still don't get it

    Call me dense, but I still just don't get the fundamental business model here.

    Marketers (who are uber-data miners by nature these days) will accept from Phorm, that the advertisements are in fact reaching the targeted audience without proof? Highly unlikely.

    If I were paying for targeted ad placements (which I did in a former life), I would demand some proof that the ads could be linked to my actual sales. No ability to prove, no sale.

    I'm not giving you (Phorm) good money to do something I could do myself (i.e. advertise my product on specific websites dedicated to the same genre) unless you (Phorm) can prove to me that my customer base increased as a result ... ergo, unless you can match your advertisement base to my customer base in a statistically sound manner, it's just a lot of "wouldn't it be great if" and "theoretical BS".

    In order to actually prove some marketable results, they must, by definition be able to track individuals. This is, after all, going beyond the basics of demographics.

    I, as a business consumer, would require verifiable proof, which, by Phorm's explanations, can't possibly exist. I just don't understand how a thinking advertiser would opt in on this in the first place.

    If I were in the business of managing your money, you'd expect for me to tell you and illustrate how much money I made for you ... and be able to separate out my actions from yours so that you could compare and contrast the two.

    If I were in the business of selling you advertising space, you'd expect for me to illustrate, compare and contrast how that space I sold you resulted in an increase in sales/profits.

    In neither case would you be content with "Well, your sales went up because of a reason we can't prove." Or worse, your sales went down for a reason we can't prove.

    How the heck are they supposed to tweak these things (this is, in fact what I do for a living) if there's no front-end database of who saw what ad, clicked on it ... who saw what ad, clicked on it and made a purchase?

    According to Phorm, there is no way of being able to track and/or report on their success/failure (if you believe their press releases anyway). This business model just doesn't make sense.

    Sorry this was so long. I'm just very confused at the seemingly self-voiding of their business proposition. Something just doesn't add up.

    I guarantee you ... if this thing goes full-tilt, there will be a ruckus in the coming months about how they did, in fact, store and utilize the particular details of customers ... no responsible data mining could occur without it. Their advertising customers are going to demand proof and Phorm's gonna have to give it ... ergo, they'll have to have the data to back up their claims.

    This just doesn't add up. "You want me to buy a service from you based upon your unverifiable word that it works ?" Hey, I've got a bridge in Brooklyn up for sale. Interested ?

    Paris because I must be equally as confused.

  21. Anonymous Coward
    Stop

    orwellian dystopia?

    sounds like the old "one law for the people, another for corporate raiders"

    or

    some doubleplus ungood double speak.

    all data sharing/harvesting/retention done by individuals (pirates) is bad,

    all data sharing/harvesting/retention done by corporates (paragons) is good economics and maintaining the country's technological edge,

    ....Four legs good, two legs bad, unless....

    "Comrades!" he cried. "You do not imagine, I hope, that we pigs are doing this in a spirit of selfishness and privilege? Many of us actually dislike milk and apples. Milk and apples (this has been proved by Science, comrades) contain substances absolutely necessary to the well-being of a pig. We pigs are brainworkers. The whole management and organization of this farm depend on us. Day and night we are watching over your welfare. It is for your sake that we drink that milk and eat those apples."

    "Animal Farm" the Orwell version, not the "other" version ;oP

  22. This post has been deleted by its author

  23. Anon e Mouse
    Unhappy

    ICO statement

    Apart from the fact that it isn't the *technology* that's the problem (so all statements from Phorm are irrelevant) it's how it's implemented, a point that the ICO seemed to have managed to avoid addressing.

    Unless the system is *opt-in* (for all parties of the tcp connection) and when someone is 'opted-out' then their traffic bypasses the profilers then this is an unacceptable situation. I'm a network designer for a living (most recently for BT *hint*) and I fail to see a legal way of doing this.

    "We have spoken to BT about this trial and they have made clear that unless customers positively opt in to the trial their web browsing will not be monitored in order to deliver adverts."

    Bullshit. They [ICO] have only addressed the proposed trial which BT have clearly stated will intercept *all* traffic even if you opt-out (discarding info is irrelevant to RIPA).

    BT have said that they are 'designing' the system to avoid this interception if you are opted-out for the *live* platform. The reason they have yet to give out any networking details around the proposed *live* platform (as they claimed they would do on the BT forums) is probably down to the fact that it can't be done without hitting the same issues they currently have. I know, I design networks for a living remember.

    I also know that the BT Retail designers are not part of the general BT design team (which is why this platform probably came as a shock to a lot of internal BT people) and which is probably why it's so half-assed and unworkable. If BT Retail had followed the normal BT internal design procedures then this would have reached the e2e design team and all the things that have been said about this platform would have come to light a long time ago (btw this would have constituted the 'due diligence' which they [BT Retail] have obviously failed to perform).

    "BT has also stated that the system does *not store* personally identifiable information, URLs, IP addresses or retain browsing histories and that search information is deleted almost immediately, and is not retrievable."

    My emphasis. So it still intercepts it then? Yes? Probably Illegal? Yes.

    “We will continue to maintain close contact with Phorm and BT throughout the trial. Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.”

    I'm less concerned about the privacy aspect (which even technical experts will agree they [Phorm] have actually addressed with a lot of diligence) than the *fact* that my data is intercepted and then *something* happens to it.

    I don't want my data intercepted at all, not even so it can be discarded, because I believe that would be illegal without a warrant.

    Having said all this, I don't think the ICO statement contains any concrete approval or disapproval at this point, although the tone does seem uncomfortably supporting.

    If they [ICO] don't stop this then I will change ISP to one who does not allow it. If it should ever become law that all ISPs must run some sort of *filter* - after all pandora's box cannot be closed - then I will simply stop using the internet at any personal identifiable level.

    Once they prove they can DPI all our traffic, the ISPs will cease to have any argument against the imposition of filters based on *filesharing/child-porn/<insert bad thing of the day here>*

    Oh last thing, the ICO statement mentions 'web browsing' as if that's all the system does. Ho ho ho. I think the FIPR should be given the fangs and the ICO should be put out to pasture.

    </rant - phew>

  24. Richard

    Consumers should vote with their feet ...

    It will take years to argue around the legal aspects of RIPA and/or DPA possible breaches ... so I would say people should just move away from any ISP which signs up with Phorm.

    Maybe someone might start-up a TOR friendly ISP and advertise (mostly) anonymous Internet access as a Unique Selling Point ??

  25. Anonymous Coward
    Unhappy

    Phorm & BT just don't get it

    I don't want my browsing intercepted, not because I'm a terrorist or a kiddie fiddler I just don't want anyone sitting on my shoulder as I surf. The whole idea behind the system is wrong, if you want to introduce WebWise, great, if it is so compelling then people will opt in to it but don't assume that no one will be bothered by you intercepting all their data!

  26. Anonymous Coward
    Joke

    @ Peter

    "This means that the ICO is correct (their domain is DPA), but Home Office should intervene as (AFAIK) RIPA is their animal. And it's not small beer either, a RIPA breach of this order is, if I recall correctly, a CRIMINAL offence."

    With any luck, Kent will end up in Wormwood Scrubs where he will learn the true meaning of "invasion of privacy" when he first visits the showers.

  27. Anonymous Coward

    @ Peter - "Criminal offence"

    > And it's not small beer either, a RIPA breach of this order is, if I recall correctly, a CRIMINAL offence.

    So you're saying that BT broke the law in their trial run. Therefore shouldn't one or more of BT's managers be spending some time with Bubba?

    And if the Home Office won't prosecute, aren't they failing at their duty to uphold the law and thus breaking the law themselves?

    Can't someone go to BT's HQ and execute a citizens arrest on the chairman?

  28. Andy Brown
    Pirate

    Information On Space Travel = A Holiday to the Bahamas

    “We will continue to maintain close contact with Phorm and BT throughout the trial. Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.”

    Of course, this does mean that the 10,000 users targeted will be selected from computer numpties who click yes on everything ("Would you like to download this Virus", " oo, erm, yes please"), BT employees and Phorm Representatives... Nice one!!

    Incidentally:

    vi·rus

    3. a corrupting influence on morals or the intellect; poison.

    4. a segment of self-replicating code planted illegally in a computer program, often to damage or shut down a system or network.

  29. Anonymous Coward

    I don't understand why businesses will want this

    Do businesses ever think anybody will conduct money / data transfers or anything else on the net ever again once they know a bunch of spyware merchants of dubious origin have the ability (should they wish) to intercept their data?

    It is the end of online transactions as we know it. I know https is different from http - but I will no longer feel safe with Kent and his Russian cronies 'guarding' my packets of data.

    Get rid of Phorm NOW!

  30. Anonymous Coward

    Criminal breaches of RIPA

    My understanding is that breaching RIPA is a criminal offence punishable by up to 5 years in prison for each offence (up to 2 years if tried in magistrates court). Of course one attempt to report the 2007 trials to the police met with stonewalling as they refused to issue a Crime Reference Number.

    Others, including myself, have also tried to start a new petition on the downing street website calling for either the Police, Home Office, or Crown Prosecution Service to start an investigation into the 2006 and 2007 trials. Not surprisingly these have all been rejected (sometimes for the arguable issue of duplication, once even rejected claiming that it's outside the Prime Minister's and Government's powers).

    One rule for the people and another for big business. It's disgraceful.

  31. Dam

    MONEY WILL FLOW

    Regardless of legality in the UK under DPA and RIPA, it still isn't legal in France where my servers sit, and where my intellectual property is hosted.

    Now I can't wait for the moment Phorm starts *intercepting* *my* intellectual property and make money out of it.

    I'm so suing and claiming damages.

  32. Andy Livingstone

    ICO, short for incompetent?

    From personal experience I've found those in the ICO to be an idle lot who will do anything which involves producing reams of pre-formatted paragraphs, but nothing which involves doing any actual effort or work.

    The only surprise is that they managed to get out any comment before Christmas. Must be a record.

  33. Steve

    Dear Government,

    I promise that I do not have any children, haven't broken the law and feel completely healthy and furthermore promise that I shall not change my circumstances in the future (despite the fact that I am on record as saying otherwise). Therefore I shall be withholding the part of my Council Tax that pays for education, policing and healthcare.

    Together we can both share the efficiencies of me not paying for a service I am not using. Moving forward, I shall also be investigating the reduced government administration overhead that might be leveraged through opting out of taxation altogether.

  34. Shabble

    Boycott BT

    How can showing adverts targeted at me (using personal data) to other people I share a computer with not be a breach of my human rights? BT might as well put 'This is what X has been looking at' posters up around my house!

    This government is becoming really scary - Gordon 'Stalin' Brown is selling our human rights down the river for some abstract concept of 'the greater good' that a huge number of electorate disagree with. Well, that's BT on my boycott for life list (along with Nestle and Shell), and Labour are almost there as well.

  35. Anonymous Coward
    Alert

    who gives a f#k

    don't just sit there thinking oh this is bad, get off your arse and send a f#king letter... Email just won't do, this is important people.. FFS more people want Leed's point back, whatever they are?! . this is fast becoming a non issue...

    Gang rape is legal only if you're a properly registered corporate gang who do their tax returns...

  36. Anonymous Coward
    Thumb Down

    Powerless Prime Minister

    Just had another petition rejected on the Number 10 website. Response below, apparently the upholding of the law is outside the Prime Minister's powers or remit.

    Judge for yourselves:

    Hi,

    I'm sorry to inform you that your petition has been rejected.

    Your petition was classed as being in the following categories:

    * Outside the remit or powers of the Prime Minister and Government

    If you wish to edit and resubmit your petition, please follow the following link:

    [Removed]

    You have four weeks in which to do this, after which your petition will appear in the list of rejected petitions.

    Your petition reads:

    We the undersigned petition the Prime Minister to: 'Request that the home office investigate criminal behaviour by BT and Phorm in 2006 and 2007.'

    In 2006 and 2007 BT instigated trials of a system called Webwise (then Pagewise) this system involves intercepting Broadband Users' web requests and response and processing them to build up a profile of the end user.

    The interception of the user's web request without the user's and the website's explicit consent is an offence under the Regulation of Investigatory Powers Act.

    As the trial was conducted in secret by BT and BT are "reluctant" to give further information about the trial it is necessary for the Home Office to investigate what interceptions took place and to bring about prosecutions on behalf of the affected parties.

    This is not a petition against the implementation of Phorm by BT, Virgin Media or Talk Talk. To register for that petition use the following link:

    http://petitions.pm.gov.uk/ispphorm/

    -- the ePetitions team

  37. Anonymous Coward
    Joke

    I just had a thought........

    If BT & Phorm are looking for 10,000 volunteers to see how many people would be interested in using this technology there is a list of just over that many people here:

    http://petitions.pm.gov.uk/ispphorm/

    Maybe they could canvass these people to see just how popular the more relevant advertising feature would be........

  38. Peter White
    Stop

    @money will flow

    the problem is how would the website owner know if the traffic was being profiled (intercepted) as any change to the data that is returned to the client is performed inside the ISP network?

    the only thing a site owner can do is check for the opt-in cookie and display an alternate page that says "pages not supplied to users that have opted into phorm !!" in big red letters

    Peter White

  39. Anonymous Coward

    Not a lawyer - but...

    BT says the trials in 2006 and 2007 were legal and were not in breach of RIPA or the DPA, as a consequence they did not need to inform the customers nor amend the terms and conditions of the service.

    HOWEVER, before WebWank goes live, BT says it must amend the terms and conditions of the service. Presumably to protect themselves from the wrath (hah!) of the DPA and RIPA.

    So which is it? Legal or illegal?

    Well my DPA request is in the post to BT. I'm awaiting their response with interest.

  40. Anonymous Coward

    boycott?

    The only way to boycott is to go with Virgin media... and weren't they intending on using phorm too?

    Why? Well because phorm is implemented at the exchange... and we all go through BT exchanges.

  41. Fogcat
    Alert

    @AC

    I agree - write to your MP - or email them, get them sending questions to each other, point out to your MP that all their web mails will get diverted through Phorm.

    letters and emails and constituents are the main interface between themselves and reality for a lot of them and a few letters can have a surprisingly large effect - so let them know their voters are angry.

    You can mail them from here

    http://www.theyworkforyou.com/

  42. Alexander Hanff
    Alert

    Legal Issues

    My analysis of the secret trials in 2006/2007 is that multiple laws were broken as outlined below:

    Regulation of Investigatory Powers Act 2000

    Secret trials = no consent from either party to intercept.

    Privacy and Electronic Communications (EC Directive) Regulations 2003

    Secret trials = no consent from either party to intercept or process.

    Data Protection Act 1998

    Secret trials = no consent to process personal data, even anonymising is processing

    European Convention on Human Rights

    Right to privacy of correspondence

    Human Rights Act 1998

    Right to privacy of correspondence

    Computer Misuse Act 1990

    Knowledge and Intent to "Hinder" access and "Impair" operation

    Fraud Act 2006

    Masquerading as the intended destination (Phorm's "special machine") for the purpose of gain (revenue from advertising)

    Torts (Interference with Goods) Act 1977

    Trials inserted javascript programs into web pages which then took resources to process (see Ebay vs Bidders Edge) = trespass to goods/trespass to chattels

    The Council of Europe's Convention on Cybercrime

    Covers this issue very comprehensively

    Copyright, Designs and Patents Act 1988

    Copying a website for commercial purposes, see cases against Google and Archive.Org

    I am in the process of writing my dissertation based around all of the above legal arguments, it will be publicly available under Creative Commons once it is finished.

    Bottom Line?

    BT trials in 2006/2007 can only be seen to have been criminal offences under multiple Acts as well as leaving BT liable for litigation under Tort law.

    ICO?

    They have a duty to investigate BT's secret trials for the unauthorised processing of personal data (irrespective of what was done with it "after the fact") under DPA and PETR

    Home Office?

    They have a duty to investigate BT's secret trials on multiple counts under RIPA, CMA, Fraud Act 2006.

    Other stuff?

    Any case which is initiated in a court of law (either criminal or civil) can also attach complaints under Human Rights Act 1998 irrespective of the fact that BT are not a public body. A judgement from a court -MUST- be compatible with ECHR and HRA as a court is a public body as explicitly defined in the Convention and the Act.

    Possible EU Action?

    Definitely. Council of Europe's Convention on Cybercrime is a mandatory convention, European Court of Human Rights may be applicable for breaches of ECHR and HRA. EU Copyright Directives and Data Protection Directives may also be relevant.

    That's -my- opinion and it is such a strong opinion I have decided to study for a Masters in Law next year in order to help prevent this dogmatic attack on the fundamental rights of our society.

    Phorm CEO (Kent) wants to talk to me on the telephone according to a message I got from his PR team, but given the misquoting of Dr. Richard Clayton on their Blog this weekend, they can whistle.

  43. Anonymous Coward
    Black Helicopters

    So what we want is a website owner

    to make official complaint to the fuzz. They will not usually investigate criminal offence without one.

    How about it ElReg!!

  44. phormwatch
    Go

    Setting up an on-line petition

    Those who had the good idea to set up an on-line petition to call for the government or various government bodies to investigate BT for breaching criminal laws could set up a petition here:

    http://www.petitiononline.com/

    At the very least, it would be highly embarrassing and a huge PR blow to have ten thousand signatures from the public asking for the directors of your company to be investigated for crimes and possibly locked up if found guilty!

  45. Anon e Mouse
    Boffin

    About other ISPs using BT infrastructure

    Just to clarify a little for people who aren't aware of how 'BT' is structured..

    BT Retail is effectively a customer of BT Wholesale (the same as Tier-2 ISPs are customers of BT Wholesale).

    As this sorry mess was put together by BT Retail, it is unlikely in the extreme that BT Wholesale would dare put this kit in line with their infrastructure (and thus in-line with Tier-2 ISP connectivity).

    In fact, I don't even think BT customers using business products would be affected by this (so far). I may even just change my DSL to a business line and pay for it from my company (but with another ISP of course - it might be easier to obtain injunctions and pursue legal matters if from a business rather than an individual).

    </2p>

  46. Anonymous Coward
    Anonymous Coward

    VPNs and HTTPS

    Any good links to get going?

  47. Anonymous Coward
    Anonymous Coward

    "phorm is implemented at the exchange"

    No it isn't, although BT's earlier comments about who was or wasn't involved in the earlier trial may have led you to think that. But they were being misleading. The criminal behaviour inside BT comes from BT Retail, whose Chief Technology Officer left to go to Phorm (as CTO). As you do.

    If you are with one of the many BT-based ISPs from AAISP to Zen and many others in between, connectivity between you and the ISP is provided by BT Wholesale, a (separate, so they say) part of BT, distinct in economic and technical terms from BT Retail.

    If BTwholesale do get caught doing this kind of thing it will seriously upset the smaller quality-focused ISPs (e.g. Zen have said "no Phorm here"), but maybe the quality market is so small that BTw won't care...

  48. Anonymous Coward
    Unhappy

    Really...

    .... is there anything these f**kers won't do?

    And now the ICO has more or less said:

    'Phorm has told us they'll be good boys and only use the illegally intercepted and analyzed packets for good things that everyone wants, so it's all ok'

    I guess this is a slight step back - keep fighting!

  49. RW
    Joke

    @ StillNoCouch: Oxymoron Alert!

    "a thinking advertiser"

    I rest my case.

  50. Anonymous Coward
    Paris Hilton

    Wow, check the number of Webwise FAQs now!

    Has anyone seen the size the Webwise FAQ list has grown to?

    Anyone would think they're getting the questions directly from the Reg.....

    I notice they haven't got "What does BT think of Phorm previously being responsible for some really insipid rootkit crapware and being registered in virtual offices?"

    Paris - Because there are some things even SHE won't do for money.

    PS - Still waiting on a reply back from BT to my question about getting out of the contract early when they change their T&C's.
