Again they appear to have the Data Protection Act and RIPA confused.

If they keep personal info, then they would be contravening the DPA.

The act of intercepting a telecommunication is illegal under RIPA. Whether any info, personal or otherwise, is stored is utterly irrelevant.

I read the BBC's news report today about Cambridge University's findings.

In that BBC coverage, a spokesdroid for Phorm said: "The Regulation of Investigatory Powers Act (RIPA) was drafted in the earliest days of the internet. It is not designed to criminalise legitimate business activities."

Even that simple statement is disingenuous empty spin - or more precisely it is completely wrong.

Firstly, K(u)nt and his odious PR drones obviously know nothing about the internet's history.

The RIPA Bill was introduced in the House of Commons on February 9, 2000 and received Royal Assent on July 28. That means it was drafted and debated during 1999 (although probably conceived the year before).

So they are saying that the year 2000 is "the earliest days of the internet." I think not!

Licklider had the idea in the early 1960s; ARPAnet went live in December 1969; the term 'internet' for a global network of networks was coined in 1974; the first TCP/IP WAN launched in January 1983 (when ARPAnet moved from Network Control Protocol to TCP/IP); the NFS network was made available to commercial users in 1988; CERN introduced Berners-Lee's HTTP and the World Wide Web in 1991; and the Mosaic browser was launched a year or so later.

Secondly, I concede that RIPA does not appear to be "designed to criminalise legitimate business activities." But Phorm's projected activity is not "legitimate business": it is an unauthorised interception of traffic as defined by Section 1 of RIPA and as such is illegal.

Moving on to the Wikipedia issue, I am sure El Reg readers take much of what appears there as manipulation by vested interests. So no surprise there!

It is no surprise, either, that pro-Phorm entries are traced to an IP address range assigned to BT.

Nor am I surprised that BT says: "It's nothing to do with BT PR. We haven't been involved with amending any Wikipedia entry on Phorm." After all, BT has consistently been deceitful and dishonest and secretive about Phorm. So why should we believe them now? They are habitual liars.

Phuck ophph Phorm.

Aux armes, citoyens.

"Phorm has assured me that their system is very good for my bank balance, that is to say, very good for the consumer."

Come on, the ICO plainly ignored FIPR for no good reason. Phorm is illegal, its about time the ICO said so.

lol nothing will stick, they'll just "prove" that they weren't "intercepting" anything.

Remember, the government want Phorm like access, the police want Phorm like access and the companies want Phorm like access.

The sheep will suck it up, and those who don't will rant and rave and look like paranoid crazies or just leave the country.

My advice, start looking for a new place to live. If nothing else at least nearly anywhere else is cleaner then this cesspit.

The ICO won't upset the apple cart. They have long been proven to be useless at their job and why should they start the development of a spinal cord on something as wide ranging and far reaching as this. It makes sense to bury your head and pretend it was someone else. Despite the remit of the company [Phorm] saying they are going to use financial information (from their data protection listing) and depiste the fact the ICO is the data police.

They won't risk annoying the govt, the home secretary (And we know she is useless) backed it so why shouldn't the ICO.

I am not surprised.

Can we have another government please... This ones broke, corrupt and defunct.

The DPA also refers to processing personal data, not just storing it. In order to strip it out of their input stream, Phorm must process it even if they throw it away. Anyone using the DPA daily care to point out where my logic is wrong?

The first message is slightly wrong, you don't have to store personal information for something to fall under the DPA you simply have to processes it. Further more if the personal information you are processing is sensitive (health info, religious or political views, sexuality, trade union membership etc) then you require explicit rather than simply implicit consent

Internet

Confuses

Overlord!

When will these phuckwits get the message.

Good;

"Surfer" - Internet

Bad;

"Surfer" - Phorm - Internet

Simple.

Because the Phorm system redirects everything to webwise.net, a DDOS attack on that website will kill several ISPs customers stone dead. Let battle commence.

Note that it's now emerged that any website operator can read the Phorm user ID cookie if he wishes.

So Phorm have inadvertentely/deliberately/incompetently (* delete as appropriate) introduced a global method of uniquely identifying evey user out there. It's like embedding your MAC address in every request...

Way to go, guys - nice to know that your technology is all about "enhancing privacy".

I'm getting my MAC code from BT today.

I wonder how many other customers BT are losing due to Phorm?

In agreement with the first AC in this thread. I don't so much care whether data is stored or not, its the interception with the possibilities that leads to that has me concerned. I am far more concerned that a company might tap my communications. Once tapped what they do with it is a matter of trust and this company is far beyond trust worthy, but thats a mute point. I don't want my data anywhere near a third party.

Of the three major ISP's talktalk are the only one so far to confirm (via the members discussion forum) that their implementation will be opt in and will mean that for anyone who does not opt-in their data will never go phorm equipment or software. So far they have yet to confirm an implementation.

On top of that they recently announced a royal screw you to the BPI by saying they will fight the 3 strikes and your out rule for file sharers. Slight caveat being that they do shape p2p traffic.

I for one switched to talktalk from bt a few months ago (saving 20 quid a month in the process) and have to say nothing so far is making me regret that decision. I would be away from bt faster than the proverbial rat given current happenings.

Whether they do or not there is still interception going on with no explicit consent from both parties. Which according to the Clapham Omnibus test is against the law as defined by the RIPA.

Also the ICO might wish to head on over to http://www.un.org/Overview/rights.html and take a look at Article 12... it's a document with which they ought to be familiar.

Having read the missive from our wonderful guardians I thought I would ask them a few simple questions such as 'Will BT/Phorm be asking my permission to intercept communications between my website and my customers' and 'if I choose not to join this intercept process will my network traffic be routed around Phorm's intercept system or will it be passed through on the promise they will not peep'.

Will update if I ever get a reply

So what do we need to put on all our websites to make it clear to Phorm that we don't want them using OUR material to make money for them which is what it boils down to in the end.

I've seen "RIPA NOTICE: NO CONSENT IS GIVEN FOR INTERCEPTION OF PAGE TRANSMISSION" But is that enough.

Or do we all need to email Phorm and their scummy ISP associates with a formal notice informing them that they have NO rights to scrape websites that we run - and then list the websites that we own?

Failing that I'll just have to sign my own SSL cert and move all my sites to HTTPS!

""[Phorm] assure us that their system does not allow the retention of individual profiles of sites visited and adverts presented, and that they hold no personally identifiable information on web users. Indeed, Phorm assert that their system has been designed specifically to allow the appropriate targeting of adverts whilst rigorously protecting the privacy of web users.""

Hmm - if I tell the ICO that I'm actually Elvis Presley re-incarnated I'd hope they'd not just take my word for it.

The ICO should not just take Phorm's "assurance" that it doesn't do things. I'm sure the average psychopath assures people that they're perfectly safe.. just because they say something doesn't mean it actually is true.

Its the one with all the Rhinestones

A DDOS attack on webwise would not have any effect. The webwise site the ISP 307s to is sitting in the little black box within the ISP so is protected from high traffic volumes.

If they had not put webwise into the ISP, 10 million UK customers and a few more 10s of millions from around the world all being 307ed to the real webwise DNS would have been more effective than any DDOS attack at collapsing the system.

I've been thinking about this:

My web browsing, is user generated content, thus it is a product created directly by my activity.

Think of it in the sense of "usage as a business" I'm using the model of a telemarketing company:

A telemarketing company buy their Telephone/Internet Service from Big Telco,

the telemarketing company then build up Profile Data ('target market information' as a result of Telephone/Internet Service activity.

The Big Telco then purchase the Profile Data produced by the telemarketing company. DATA COSTS MONEY. (any marketing company will tell you that)

Big Telco then use the Profile Data in whatever marketing application they have planned as they have bought typically LIMITED USAGE RIGHTS to that data

Big Telco would be unable to carry out their marketing application without buying the data as they wouldn't have the Profile Data.

Now my clickstream belongs to me, its my activity, it is certainly not the automatic property of Big Telco, what the Webwise/Phorm device proposes is the ILLEGAL DATA HARVESTING of my Click Stream thus robbing me of the ability to use or sell that Profile Data else where.

This is a DATA RIGHTS STING, Big Telco appear to be trying to get the jump on the population, to take ownership of a product of peoples activity, infringing on peoples human rights to privacy at the same time.

This is disgusting, this needs to be stopped.

Can this be brought to the European Commission?

it is astonishing, I read the ICO whitewash and couldn't believe what I was reading, what on earth is the Home Office doing green lighting illegal activity?!?

anybody know if this can get stamped on by the EU?

This makes me feel SICK.

DO. NOT. WANT.

Call me dense, but I still just don't get the fundamental business model here.

Marketers (whom are uber-data miners by nature these days) will accept from Phorm, that the advertisements are in fact reaching the targeted audience without proof ? Highly unlikely.

If I were paying for targeted ad placements (which I did in a former life), I would demand some proof that the ads could be linked to my actual sales. No ability to prove, no sale.

I'm not giving you (Phorm) good money to do something I could do myself (i.e. advertise my product on specific websites dedicated to the same genre) unless you (Phorm) can prove to me that my customer base increased as a result ... ergo, unless you can match your advertisement base to my customer base in a statistically sound manner, it's just a lot of "wouldn't it be great if" and "theoretical BS".

In order to actually prove some marketable results, they must, by definition be able to track individuals. This is, afterall, going beyond the basics of demographics.

I, as a business consumer, would require verifiable proof, which, by Phorm's explainations, can't possibly exist. I just don't understand how a thinking advertiser would opt in on this in the first place.

If I were in the business of managing your money, you'd expect for me to tell you and illustrate how much money I made for you ... and be able to separate out my actions from yours so that you could compare and contrast the two.

If I were in the business of selling you advertising space, you'd expect for me to illustrate, compare and contrast how that space I sold you resulted in an increase in sales/profits.

In neither case would you be content with "Well, your sales went up because of a reason we can't prove." Or worse, your sales went down for a reason we can't prove.

How the heck are they supposed to tweek these things (this is, in fact what I do for a living) if there's no front-end database of whom saw what ad, clicked on it ... whom saw what ad, clicked on it and made a purchase ?

According to Phorm, there is no way of being able to track and/or report on their success/failure (if you believe their press releases anyway). This business model just doesn't make sense.

Sorry this was so long. I'm just very confused at the seemingly self-voiding of their business proposition. Something just doesn't add up.

I guarantee you ... if this thing goes full-tilt, there will be a ruckas in the coming months about how they did, in fact, store and utilize the particular details of customers ... no responsible data mining could occur without it. Their advertising customers are going to demand proof and Phorm's gonna have to give it ... ergo, they'll have to have the data to back up their claims.

This just doesn't add up. "You want me to buy a service from you based upon your unverifiable word that it works ?" Hey, I've got a bridge in Brooklyn up for sale. Interested ?

Paris because I must be equally as confused.

So, I'm crazy enough to opt in to have my browsing habitually monitored for the benefit of advertising companies...

My wife pays the bill to BT. Is she opted in as well? And my son? Both use my computer.

It would be *THEIR* personal information that would be intercepted/processed, not just mine, and how the phuck would Phorm know the difference?

sounds like the old "one law for the people, another for corporate raiders"

or

some doubleplus ungood double speak.

all data sharing/harvesting/rention done by individuals (pirates) is bad,

all data sharing/harvesting/rention done by corporates (paragons) is good economics and maintiaining the countries techonological edge.,

....Four legs good, two legs bad, unless....

"Comrades!" he cried. "You do not imagine, I hope, that we pigs are doing this in a spirit of selfishness and privilege? Many of us actually dislike milk and apples. Milk and apples (this has been proved by Science, comrades) contain substances absolutely necessary to the well-being of a pig. We pigs are brainworkers. The whole management and organization of this farm depend on us. Day and night we are watching over your welfare. It is for your sake that we drink that milk and eat those apples."

"Animal Farm" the Orwell version, not the "other" version ;oP

You're absolutely correct. We're talking about legal intercept issues here and privacy is NOT a critical element here to create a breach of law.

This means that the ICO is correct (their domain is DPA), but Home Office should intervene as (AFAIK) RIPA is their animal. And it's not small beer either, a RIPA breach of this order is, if I recall correctly, a CRIMINAL offence.

So, nice try for a distraction, didn't work..

It will take years to argue around the legal aspects of RIPA and/or DPA possible breaches ... so I would say people should just move away from any ISP which signs up with Phorm.

Maybe someone might start-up a TOR friendly ISP and advertise (mostly) anonymous Internet access as a Unique Selling Point ??

Apart from the fact that it isn't the *technology* that's the problem (so all statements from Phorm are irrelevant) it's how it's implemented, a point that the ICO seemed to have managed to avoid addressing.

Unless the system is *opt-in* (for all parties of the tcp connection) and when someone is 'opted-out' then their traffic bypasses the profilers then this is an unacceptable situation. I'm a network designer for a living (most recently for BT *hint*) and I fail to see a legal way of doing this.

"We have spoken to BT about this trial and they have made clear that unless customers positively opt in to the trial their web browsing will not be monitored in order to deliver adverts."

Bullshit. They [ICO] have only addressed the proposed trial which BT have clearly stated will intercept *all* traffic even if you opt-out (discarding info is irrelevant to RIPA).

BT have said that they are 'designing' the system to avoid this interception if you are opted-out for the *live* platform. The reason they have yet to give out any networking details around the proposed *live* platform (as they claimed they would do on the BT forums) is probably down to the fact that it can't be done without hitting the same issues they currently have. I know, I design networks for a living remember.

I also know that the BT Retail designers are not part of the general BT design team (which is why this platform probably came as a shock to a lot of internal BT people) and which is probably why it's so half-assed and unworkable. If BT Retail had followed the normal BT internal design procedures then this would have reached the e2e design team and all the things that have been said about this platform would have come to light a long time ago (btw this would have constituted the 'due diligence' which they [BT Retail] have obviously failed to perform).

"BT has also stated that the system does *not store* personally identifiable information, URLs, IP addresses or retain browsing histories and that search information is deleted almost immediately, and is not retrievable."

My emphasis. So it still intercepts it then? Yes? Probably Illegal? Yes.

“We will continue to maintain close contact with Phorm and BT throughout the trial. Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.”

I'm less concerned about the privacy aspect (which even technical experts will agree they [Phorm] have actually addressed with a lot of diligence) than the *fact* that my data is intercepted and then *something* happens to it.

I don't want my data intercepted at all, not even so it can be discarded, because I believe that would be illegal without a warrant.

Having said all this, I don't think the ICO statement contains any concrete approval or disapproval at this point, although the tone does seem uncomfortably supporting.

If they [ICO] don't stop this then I will change ISP to one who does not allow it. If it should ever become law that all ISP's must run some sort of *filter* - after all pandora's box cannot be closed - then I will simply stop using the internet at any personal identifiable level.

Once they prove they can DPI all our traffic, the ISP's will cease to have any argument against the imposition of filters based on *filesharing/child-porn/<insert bad thing of the day here>*

Oh last thing, the ICO statement mentions 'web browsing' as if that's all the system does. Ho ho ho. I think the FIPR should be given the fangs and the ICO should be put out to pasture.

</rant - phew>

I dont want my browsing intercepted, not because I'm a terrorist or a kiddie fiddler I just dont want anyone sitting on my shoulder as I surf. The whole idea behind the system is wrong, if you want to introduce WebWise, great, if it is so compelling then people will opt in to it but dont Assume that no one will be bothered by you intercepting all their data!

"This means that the ICO is correct (their domain is DPA), but Home Office should intervene as (AFAIK) RIPA is their animal. And it's not small beer either, a RIPA breach of this order is, if I recall correctly, a CRIMINAL offence."

With any luck, Kent will end up in Wormwood Scrubs where he will learn the true meaning of "invasion of privacy" when he first visits the showers.

> And it's not small beer either, a RIPA breach of this order is, if I recall correctly, a CRIMINAL offence.

So you're saying that BT broke the law in their trial run. Therefore shouldn't one or more of BT's managers be spending some time with Bubba?

And if the Home Office won't prosecute, aren't they failing at their duty to uphold the law and thus breaking the law themselves?

Can't someone go to BT's HQ and execute a citizens arrest on the chairman?

“We will continue to maintain close contact with Phorm and BT throughout the trial. Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.”

Of course, this does mean that the 10'000 user's targetted will be selected from computer numpties who click yes on everything ("Would you like to download this Virus", " oo, erm, yes please"), BT employees and Phorm Representitives... Nice one!!

Incidentally:

vi·rus

3. a corrupting influence on morals or the intellect; poison.

4. a segment of self-replicating code planted illegally in a computer program, often to damage or shut down a system or network.

Do business ever think anybody will conduct money / data transfers or anything on else on the net ever again once they know a bunch of spyware merchants of dubious origin have the ability (should they wish) to intercept their data.

It is the end of online transactions as we know it. I know https is different from http - but I will no longer feel safe with Kent and his Russian cronies 'guarding' my packets of data.

Get rid of Phorm NOW!

My understanding is that breaching RIPA is a criminal offence punishable by up to 5 years in prison for each offence (up to 2 years if tried in magistrates court). Of course one attempt to report the 2007 trials to the police met with stonewalling as they refused to issue a Crime Reference Number.

Others, including myself, have also tried to start a new petition on the downing street website calling for either the Police, Home Office, or Crown Prosecution Service to start an investigation into the 2006 and 2007 trials, Not surprisingly these have all been rejected (sometimes for the arguable issue of duplication, once even rejected claiming that its outside the Prime Ministers and Governments powers).

One rule for the people and another for big business. Its disgraceful.

Regardless of legality in the UK under DPA and RIPA, it still isn't legal in France where my servers sit, and where my intellectual property is hosted.

Now I can't wait for the moment Phorm starts *intercepting* *my* intellectual property and make money out of it.

I'm so sueing and claiming damages.

From personal experience I've found those in the ICO to be an idle lot who will do anything which involves producing reams of pre-formatted paragraphs, but nothing which involves doing any actual effort or work.

The only surprise is that they managed to get out any comment before Christmas. Must be a record.

I promise that I do not have any children, haven't broken the law and feel completely healthy and furthermore promise that I shall not change my circumstances in the future (despite the fact that I am on record as saying otherwise). Therefore I shall be witholding the part of my Council Tax that pays for education, policing and healthcare.

Together we can both share the efficiencies of me not paying for a service I am not using. Moving forward, I shall also be investigating the reduced government administration overhead that might be leveraged through opting out of taxation altogether.

How can showing adverts targeted at me (using personal data) to other people I share a computer with not be a breach of my human rights? BT might as well put 'This is what X has been looking at' posters up around my house!

This government is becoming really scary - Gordon 'Stalin' Brown is selling our human rights down the river for some abstract concept of 'the greater good' that a huge number of electorate disagree with. Well, that's BT on my boycot for life list (along with Nestle and Shell), and Labour are almost there as well.

dont just sit there thinking oh this is bad, get off your arse and send a f#king letter... Email just wont do, this is important people.. FFS more people want Leed's point back, whatever they are?! . this is fast becoming a non issue...

Gang rape is legal only if your properly registered corporate gang who do their tax returns...

Just had another petition rejected on the Number 10 website. Response below, apparently the upholding of the law is outside the Prime Ministers powers or remit.

Judge for yourselves:

Hi,

I'm sorry to inform you that your petition has been rejected.

Your petition was classed as being in the following categories:

* Outside the remit or powers of the Prime Minister and

Government

If you wish to edit and resubmit your petition, please follow

the following link:

[Removed]

You have four weeks in which to do this, after which your

petition will appear in the list of rejected petitions.

Your petition reads:

We the undersigned petition the Prime Minister to: 'Request

that the home office investigate criminal behaviour by BT and

Phorm in 2006 and 2007.'

In 2006 and 2007 BT instigated trials of a system called

Webwise (then Pagewise) this system involves intercepting

Broadband Users web requests and response and processing them

to build up a profile of the end user.

The interception of the users web request without the user and

the websites explicit consent is on offence under the

Regulation of Investigatory Powers Act.

As the trial was conducted in secret by BT and BT are

"reluctant" to give further information about the trial it is

necessary for the Home Office to investigate what interceptions

took place and to bring about prosecutions on behalf of the

effected parties.

This is not a petition against the implementaion of Phorm by

BT, Virgin Media or Talk Talk. To register for that petition

use the following link:

http://petitions.pm.gov.uk/ispphorm/

-- the ePetitions team

If the BT & Phorm are looking for 10,000 volunteers to see how many people would be interested in using this technology there is a list of just over that many people here:

http://petitions.pm.gov.uk/ispphorm/

Maybe they could canvass these people to see just how popular the more relevant advertising feature would be........

BT says the trials in 2006 and 2007 were legaland were not in breach of RIPA or the DPA, as a consequence they did not need to inform the customers nor amend the terms and conditions of the service.

HOWEVER, before WebWank goes live, BT says it must amend the terms and conditions of the service. Presumably to protect themselves from the wrath (hah!) of the DPA and RIPA.

So which is it? Legal or illegal?

Well my DPA request is in the post to BT. I'm awaiting their response with interest.

the problem is how would the website owner know if the traffic was being profiled (intercepted) as any change to the data that is returned to the client is performed inside the ISP network?

the only thing a site onwer can do is check for the opt-in cookie and display an alternate page that says "pages not supplied to users that have opted into phorm !!" in big red letters

Peter White

The only way to boycott is to go with Virgin media... and weren't they intending on using phorm too?

Why? Well becouse phorm is implemented at the exchange... and we all go through BT exchanges.

My analysis of the secret trials in 2006/2007 is that multiple laws were broken as outlined below:

Regulation of Investigatory Powers Act 2000

Secret trials = no consent from either party to intercept.

Privacy and Electronic Communications (EC Directive) Regulations 2003

Secret trials = no consent from either party to intercept or process.

Data Protection Act 1998

Secret trials = no consent to process personal data, even anonymising is processing

European Convention on Human Rights

Right to privacy of correspondence

Human Rights Act 1998

Right to privacy of correspondence

Computer Misuse Act 1990

Knowledge and Intent to "Hinder" access and "Impair" operation

Fraud Act 2006

Masquerading as the intended destination (Phorm's "special machine") for the purpose of gain (revenue from advertising)

Torts (Interference with Goods) Act 1977

Trials inserted javascript programs into web pages which then took resources to process (see Ebay vs Bidders Edge) = trespass to goods/trespass to chattels

The Council of Europe's Convention on Cybercrime

Covers this issue very comprehensively

Copyright, Designs and Patents Act 1988

Copying a website for commercial purposes, see cases against Google and Archive.Org

I am in the process of writing my dissertation based around all of the above legal arguments, it will be publicly available under Creative Commons once it is finished.

Bottom Line?

BT trials in 2006/2007 can only be seen to have been criminal offences under multiple Acts as well as leaving BT liable for litigation under Tort law.

ICO?

They have a duty to investigate BT's secret trials for the unauthorised processing of personal data (irrespective of what was done with it "after the fact") under DPA and PETR

Home Office?

They have a duty to investigate BT's secret trials on multiple counts under RIPA, CMA, Fraud Act 2006.

Other stuff?

Any case which is initiated in a court of law (either criminal or civil) can also attach complaints under Human Rights Act 1998 irrespective of the fact that BT are not a public body. A judgement from a court -MUST- be compatible with ECHR and HRA as a court is a public body as explicitly defined in the Convention and the Act.

Possible EU Action?

Definitely. Council of Europe's Convention on Cybercrime is a mandatory convention, European Court of Human Rights may be applicable for breaches of ECHR and HRA. EU Copyright Directives and Data Protection Directives may also be relevant.

That's -my- opinion and it is such a strong opinion I have decided to study for a Masters in Law next year in order to help prevent this dogmatic attack on the fundamental rights of our society.

Phorm CEO (Kent) wants to talk to me on the telephone according to message I got from his PR team, but given the misquoting of Dr. Richard Clayton on their Blog this weekend, they can whistle.

I agree - write to your MP - or email them, get them sending questions to each other, point out to your MP that all their web mails will get diverted through Phorm.

letters and emails and constituents are the main interface between themselves and reality for a lot of them and a few letters can have a surprisingly large effect - so let them know their voters are angry.

You can mail them from here

http://www.theyworkforyou.com/

to make official complaint to the fuzz. They will not usually investigate criminal offence without one.

How about it ElReg!!

Those who had the good idea to set up an on-line petition to call for the government or various government bodies to investigate BT for breaching criminals laws could set up a petition here:

http://www.petitiononline.com/

At the very least, it would be highly embarrassing and a huge PR blow to have ten thousand signatures from the public asking for the directors of your company to be investigated from crimes and possibly locked up if found guilty!

Just to clarify a little for people who aren't aware of how 'BT' is structured..

BT Retail is effectively a customer of BT Wholesale (the same as Tier-2 ISP's are customers of BT Wholesale).

As this sorry mess was put together by BT Retail, it is unlikely in the extreme that BT Wholesale would dare put this kit in line with their infrastructure (and thus in-line with Tier-2 ISP connectivity).

In fact, I don't even think BT customers using business products would be affected by this (so far). I may even just change my DSL to a business line and pay for it from my company (but with another ISP of course - it might be easier to obtain injunctions and pursue legal matters if from a business rather than an individual).

</2p>

Any good links to get going?

No it isn't, although BT's earlier comments about who was or wasn't involved in the earlier trial may have led you to think that. But they were being misleading. The criminal behaviour inside BT comes from BT Retail, whose Chief Technology Officer left to go to Phorm (as CTO). As you do.

If you are with one of the many BT-based ISPs from AAISP to Zen and many others in between, connectivity between you and the ISP is provided by BT Wholesale, a (separate, so they say) part of BT, distinct in economic and technical terms from BT Retail.

If BTwholesale do get caught doing this kind of thing it will seriously upset the smaller quality-focused ISPs (e.g. Zen have said "no Phorm here"), but maybe the quality market is so small that BTw won't care...

.... is there anything these f**kers won't do?

And now the ICO has more or less said:

'Phorm has told us they'll be good boys and only use the illegally intercepted and analyzed packets for good things that everyone wants, so it's all ok'

I guess this is a slight step back - keep fighting!

"a thinking advertiser"

I rest my case.

Under intenational copyright agreements, the data in any packet passing over the internet could be protected by copyright law. Creative Commons, GPL, and the like are founded on that copyright protection, and give specific licenses for the use of the content and the creation of derivative works.

There is arcane legal argument which might apply to what Phorm are doing. They are taking a possibly copyrighted work, and, through a mechanical process, creating some sort of derivative work. Because it's a mechanical process, not creative, it may not be copyrightable in some countries.

But they may be in breach of a creative commons license by the creation of a derivative work for commercial use.

For instance: http://creativecommons.org/licenses/by-nc-nd/3.0/

Has anyone seen the size the Webwise FAQ list has grown to?

Anyone would think they're getting the questions directly from the Reg.....

I notice they haven't got "What does BT think of Phorm previously being responsible for some really insipid rootkit crapware and being registered in virtual offices?"

Paris - Because there are some things even SHE won't do for money.

PS - Still waiting on a reply back from BT to my question about getting out of the contract early when they change their T&C's.

As usual, this and most other schemes that impose on privacy is about money. The ISP gets paid to allow Phorm by Phorm, Phorm gets paid by advertisers who think direct targetting is better.

So as well as going against the ISPs and the Govt for a legal challenge, how about going after the advertisers? Without their money in Phorm, the whole house of cards collapses.

Id suggest a pre-emptive campaign, with a whole bunch of people [eg the petition signers] signing a pledge that any company advertising through Phorm will be boycotted by them until the company apologises and withdraw the paid adverts.

It's not the perfect answer, obviously law courts and very expensive suits will be, but it could be a way to slow things down until we can get rid of the whole kit and kaboodle.

Surely the above mentioned (and others) must be worried to about this interception because Phorm has also direct access to searched terms and everything else that is part of their business model.

Given that Phorms webwise is highly illegal on many counts and since the Google, MSN etc. have a lots of financial clout available to prevent Phorm using the illegal tapping that will steal their marketing data, how come the inactivity on their part?

They could become heroes again. Please think about it.

Injunction please.

This is a copy and paste

Terms and conditions for your residential customer service agreement

With your permission, we may monitor email and internet communications, including without limitation, any content or material transmitted over the services.

G Your details and how we look after them

1. You must give us promptly and accurately all the information which may be needed so that we and Virgin Media Payments can perform our respective obligations under this agreement. You must also tell us immediately if any of your details change.

"READ THIS BIT SLOWLY "

2. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in the ways outlined above. These third parties are permitted to use the data only in accordance with our instructions.

3. We may also, subject to your consent, use your personal information to contact you with information about special offers and rewards. We and other Virgin companies (e.g. Virgin Atlantic) may also, subject to your consent, use your personal information to contact you with information about their products and services including special offers from them, and we may disclose your personal information to other Virgin companies and sub-contractors and agents for these purposes. But don't worry, we won't share your details with companies outside the Virgin group for marketing purposes without your consent.

This is hidden 3/4 of the way down the page .

So VM can phorm you already

Is this why they have been so quiet on the subject ?

also VM had a lot of network problem's LAST SUMMER with slow connections etc .WERE they trying phorm on the sly?

Am I the only person not bothered by this and believes that there is nothing truely "private" any more?

I spend my days living my life expecting that someone somewhere is making a note or record of what I'm up to, and to be honest, I really don't care and I don't lose any sleep over it.

>Id suggest a pre-emptive campaign, with a whole bunch of people [eg the petition signers] signing a pledge that any company advertising through Phorm will be boycotted by them until the company apologises and withdraw the paid adverts.

I think that's a genius idea!

Why don't you start one on:

http://www.petitiononline.com/

Or, if forum users want to help me think of a pledge, I can start one myself.

A new petition has been created calling on the Prime MInister to ask the Home Office to investigate BTs illegal trials:

http://www.petitiononline.com/BTRipa/petition.html

To think I gave up crime 40 years ago because big brother told me it was wrong and now that same big brother is promoting crime. ..

I'm going back to selling dope and I'll be pushing it on you through Webwise.....

Hehehe...

Bad show from the ICO but hardly surprising. The government have given them fewer teeth than the proverbial hen and under-resourced them to boot. So it's not too strange that they've become institutionally spineless. Anyone who's dealt with them in the past will already know that.

A setback maybe, but I've been encouraged today by suddenly realising that most commercial websites are going to be seriously opposed to Phorm. No doubt brighter sparks than me have already spotted this, but let me spell it out anyway...

If you sell something on your web site (tractors say), then someone visiting your site is a potential tractor purchaser. But with Phorm, the mere act of visiting your site will alert loads of other tractor sellers that this person is interested in buying a tractor. They'll then bombard that potential customer with competing tractor adverts. That's not at all good for your business.

So pretty well every commercial web site is going to have a bone to pick with Phorm and be pretty keen to stop it scanning their web pages. Since it's directly hitting their bottom line, they should also have a good incentive to put some money into a few court cases (and there doesn't seem to be any shortage of laws to get them under). Multiply that by the number of sites affected and I can see the smiles on the lawyers' faces already.

So while it's depressing that the average home user (and the ICO) might well accept Phorm without a fight, I rather doubt that the commercial world will do so. The problem, however, is how to alert the guys with the money to the fact that someone's after their lunch?

One point in Richard Clayton's report that puzzled me was the revelation that Phorm intend to use the robots.txt file from each web site to decide which pages they should avoid scanning. This has never been mentioned before (despite it being obviously relevant to the question of whether permission to intercept the data has been given) and RC makes a point of saying that Phorm offered no explanation for not mentioning it earlier.

That's decidedly strange.

My interpretation is that the use of robots.txt is a recent addition. It reveals that Phorm (quite rightly) sees itself as very vulnerable on this issue of permission to intercept and is attempting to head off the attack.

However, the robots.txt file is a poor choice and it won't win the argument. Web sites are interested in allowing spidering of their (non-confidential) pages because it gets them a good ranking on search sites. They're much less interested in being scanned by Phorm because that's only good for their competitors (and Phorm). So the robots.txt file isn't fit for Phorm's purpose and any judge worth his salt will see why.

It's also interesting that Phorm won't say what user agent string they use to interpret the robots.txt file. The obvious interpretation is that they don't want to hand you a way of excluding them from your site. But unless they allow you this possibility, any argument that the robots.txt file grants them permission to intercept your data immediately evaporates. What's the point of a file that excludes Phorm from your site if they won't tell you what to put in the file to do that?

Of course, another interpretation is that they don't want to give a user agent string because we'd then all go looking for it in our logs. When we don't find it, we'll conclude that they weren't using the robots.txt file during their earlier trials with BT. And that will remove the only possible defence they might have when this goes to court.

Have you been sleeping? - this has gone way beyond privacy. This is into premeditated criminal activity territory.

The ISPs are spoofing that they are webwise.com for the purposes of reading / writing content to the webwise opt-in / opt-out cookie on YOUR computer.

When a user requests MY website, the ISP is spoofing MY website and setting a cookie in the name of MY website. They then strip out this cookie from the header data sent to MY server so that I am not able to detect the illegal writing onto YOUR computer.

MY privacy statement says that MY website does not set cookies. YOUR browser reports that MY website is trying to / already has written a cookie to YOUR computer. I do not like FRAUD being committed in the name of MY website.

This is against all the security rules set by the developers of cookies. The possibilities that this opens up are too many to put into a short post.

In simple language, what you have at the ISP is:

Spyware: reading content on YOUR computer which they should not have access to.

Malware: writing content to YOUR computer and impersonating another website.

Rootkit: sitting at the ISP over which you have no control but which has control over your hard disk and is able to intercept DNS requests and mislead your browser into believing that the content at the ISP is the server requested.

If the above does not bother you then you really need to educate yourself about your responsibility for security on YOUR computer and the duty of trust that is expected from an ISP.

You may notice that this is before any reference to DPA or RIPA. The processing of your data and the unauthorised interception takes place later in the process which is why the new argument is that DPA does not apply because the data collected was collected illegally so can not be approved under any interpretation of the DPA.

The flames - because the title text says it better than I ever could. A volcano would say it better.

Is there any technical info out there on the Phorm cookie and how I can prevent my sites being viewed by Phorm zombie users?

After a suggestion from a Reg reader I registered this :

http://www.antiphorm.co.uk/

In light of the ICO following the BBC lead in cut and paste of Phorm PR for there publications. The question that I want an answer to is:-

"As Intercepting communications is illegal the bigger question is why is the ICS allowing BT to do yet another trial.

By letting BT test the system, the ICO are aiding and abetting a criminal act. "

I also want to know where is Inspector Knacker in all this.

The BBC and others have reported several times that BT has committed a criminal act.

If a crime is suspected of taking place then Knacker has a duty to investigate.

Yet Knacker who is more then happy to shoot and kill an innocent traveller on the underground, is totally ignoring this matter.

A final question where is PhormPRteam. Have the skumbubbles given up, or are they just re-grouping

"it will monitor BT's imminent third trial of Phorm with 10,000 volunteers"

Hmmmmm.

Er "volunteers" So, BT are actually going to ask permission to snoop with the aid of Phorm this time LOL

Petition to Downing Street passes 10,000 actually 10,001 as of 1 minute ago....

Message:

AdBlock+ = no targeted advertising BTW Phorm... beleive it.

Speak to him on the phone, record the conversation and send it to the Reg to go on as a radio prog.

Thanks for that list of various Acts and Statutes. I have included it in my latest communication with my MP.

This is all getting very technical. It is almost worth going out to buy a few shares in the ISPs just to go along to the AGM and ask some embarrassing questions.

*"Have you been sleeping? - this has gone way beyond privacy. This is into premeditated criminal activity territory."

Every day I read about criminal activity in the news. Every day I realise I am powerless to stop it. I get on with my life.

*"The ISPs are spoofing that they are webwise.com for the purposes of reading / writing content to the webwise opt-in / opt-out cookie on YOUR computer <snip>."

I understand how it works, but again I EXPECT this from web browsing for the same reason above I expect that criminal activity happens. I've lived for years with malware and spyware occurances and expect things will only get worse.

There will be no ITopia in my lifetime.

*"Spyware: reading content on YOUR computer which they should not have access to."

I expect someone somewhere to already have this information and is using it in some profiling or other.

*"Malware: writing content to YOUR computer and impersonating another website."

This already happens whenever someone creates a zero day exploit to upload said content to my machine that goes undetected by my AV.

*"Rootkit: sitting at the ISP over which you have no control but which has control over your hard disk and is able to intercept DNS requests and mislead your browser into believing that the content at the ISP is the server requested."

Again this happens all the time and I expect it will only ever get worse as more and more DNS servers get poisoned.

*"If the above does not bother you then you really need to educate yourself about your responsibility for security on YOUR computer"

Why?. If there's a problem with my PC I reach for the power switch and go open another bottle of wine and go live in the real world for a while. I make a reasonable endeavour to ensure that my firewall is on and AV is up to date and that I'm fully patched. Beyond that I don't really care. My life is not my PC and peace is only a reinstall away.

*"You may notice that this is before any reference to DPA or RIPA. The processing of your data and the unauthorised interception takes place later in the process which is why the new argument is that DPA does not apply because the data collected was collected illegally so can not be approved under any interpretation of the DPA."

Legality doesn't stop people taking drugs, doesn't stop tax evasion, nor murders, robbery <insert longer list of criminal activity here>. I doubt it will stop people doing the above (and as I've said, they've probably already been doing it for a very long time anyway).

Divulge ALL your personal details now, avoid the rush.

Ohh you started so well

*"Have you been sleeping? - this has gone way beyond privacy. This is into premeditated criminal activity territory."

and then went down hill and turned into one of the sheeple, shame, such potential, lacking in real conviction ;)

YOU could be the person that makes a diference, if only you tryed my friend, perhaps you might give it a go and suprise yourself..... please do..

sorry AC didnt mean to attribute that to Jaowon , my bad.

well said AC.

anyone here a layer, people need to learn about UK Tort law and Injunctions on the cheap as had been talked about for a while now ,you know were A ;)

make a difference, make a friend , and make the effort, it's in everyones best interests surely.

Just because it "happens all the time" doesn't mean we should all bend over and give up without a fight. Street muggings "happen all the time", that doesn't make them right and doesn't mean that the muggers shouldn't be punished.

And, while *you* may be "powerless to stop it", a lot of us are not. At the very least you can give your Phormed ISP (BT, Virgin, Talk-Talk) the finger. I'm moving to Zen, who assured me that they won't use Phorm and believe it to be illegal.

I'm sure someone somewhere already has them :)

Given that BT Retail haven't said which customers were trialled; doesn't this mean that any BT Retail customer can now make a formal complaint to their local police on the grounds that they suspect that they may have been the victim of a breach of the relevent section of RIPA?

If enough people complain to the police then it may force a criminal investigation of BT's activities.

http://www.sothcott.co.uk/phormletter.html

I have placed this on my website for you to read rather than waste space here. We need a spin Icon.

When you're a big organisation you learn to lie in a smart way. I am also in a battle with United Biscuits because the last packet of penguins I bought tested foul. I asked various people to try them and they spat them out. UB wrote back "The samples you forwarded to us have been tasted by several colleagues in our office and also by our taste panel, and it has been confirmed that product was to specification and nothing wrong with the sample could be found".

I know perfectly well that this is ab blatent lie. But note the wording, she did not say she enjoyed them. What's that plausable deniability or something?

Have you noticed that recently the powerful men always get the powerful woman to tell the lies?

Toxic symbol.

Since our beloved leaders feel that BRT are in the right, and IMO are not going to act perhaps it is time to step this action up a notch and head straight to the EC as Alexander Hanff outlined so well above it is not just UK law being infrringed.

Morning all,

-

VM

I've got a Virgin Media business account, and sort out PCs for several neighbours with Virgin residential lines.

I actually spoke to VM's lawyers about Phorm last Friday. After the public drubbing BT got, they seem very anxious to be seen to be doing the right thing.

What I got from the call was:

1) They are still looking at whether or not to implement

2) No trial would be carried out without prior notification

3) They're watching with interest what is happening with regard BT and Phorm

4) They're aware (and concerned) about Phorm's history

5) They aren't planning to implement it on business accounts (though as these pass in part over domestic network I can't see that makes any difference).

Try calling them, voice your opinions... if nothing else it's their time and call cost!

-

General stuff

That the ICO can see no breach of the DPA isn't a shock, but we should probably be writing en masse to the home secretary to ask them to investigate the breach of law vis-a-vis RIPA.

Do it by pen and paper and cc it to your local MP. If you don't get a reply, push it up the scale with a few newspapers, watchdog etc. "Home Secretary fails to look into illegal interception" is just one conceivable headline.

I'm typing my letter this morning. Anyone else joining in?

-

Paris - because even she can understand what's going on

"It is no surprise, either, that pro-Phorm entries are traced to an IP address range assigned to BT."

Actually, you're right ... it's not that surprising. I can't recall offhand what proportion of UK residential broadband users BT has, but it's not insignificant.

Since anyone who had done the tiniest investigation (i.e. clearly not el Reg hack [no surprise there :D]) would be able to see clearly from the whois info that the IP address in question is from the ISP range, this particular conspiracy theory will just have to go by the wayside.

@Chris - I know this sort of story gets you all excited, but try to get at least some facts correct. I'm no fanboy of Phorm's tactics (death's too good for them, IMHO). Nonetheless it would help if you dropped the tabloid urge to throw in as much "damning evidence" as you can (when it clearly doesn't hold water). Just makes this reader think what else you've got wrong (probably quite a lot) ....

Jaowon,

You have done an excellent impersonation of the Sheeple.

I know exactly what you are saying and how it feels. We are all Sheeple about something. Afterall we can't care about everyting, it gets too stressful and we have to get on with our lives. One of the problems is that with not enough people making a fuss about this then those that do have to work harder.

In the big scheme of things Phorm is just some illegal spying supported by big communications companys and our government. I am sure the people who don't want to be spied on will encrypt and the people who do like it will just love the extra security it brings them.

I am not really that bothered about Tibet. It's just a peaceful country run by monks who have been invaded by the worlds biggest nation. Putting out the Olympic Torch looks like a laugh and I am glad the hypocrits who carry the thing are having problems. But do I look bovered?

Now back to Phorm. This is our fight, one we are winning morally but losing in practice. It's gonna take some people dressed as spiderman to get this really noticed.

By the way, remember that other major battle that we the sheeple one a few years ago? They one where they had to paint the speed cameras bright yellow? Guess what, they don't have to do that any more.

This will be the same. Fight them on a legal basis and win, then they just change the law so you lose later. The house of lords has been hollowed out so they can do this.

Don't dispare, fighting is good. Enjoy the fight and feel angry about losing.

They are unidentifiable? I think not.

It has to be an opt in system if allowed at all, there are plenty of people who wouldn't know how to opt out.

Wayland Sothcott makes a good point in saying "It's gonna take some people dressed as spiderman to get this really noticed."

So why not? Lets all pitch up outside Phorm/BT HQ/ICO's office/Trafalgar square identically dressed in "Spy" gear - you know; trilby (with BT logo in the hatband), CIA mac, mirror shades. Bring along conspicuously large notebooks and start writing down behavioural patterns of passing members of the public / BT staff.

I'm sure the odd newsroom could be persuaded to take an interest; take pics, video etc and knock out a press release for later dispatch. Any takers?

(from the BBC http://news.bbc.co.uk/1/hi/technology/7331493.stm)

In response to Dr Clayton's report, a spokesperson for Phorm said: "Our technology complies with all the appropriate UK laws - and we've consulted a range of experts on this.

"The Regulation of Investigatory Powers Act (RIPA) was drafted in the earliest days of the internet. It is not designed to criminalise legitimate business activities - online targeted advertising is an accepted part of the internet landscape today."

This seems to me to be the first admission by BTPhorm that there may be a problem. "Our systems are fine - the law is in error" - interesting defence.

The Problem BTPhorm have is that their current system proposals require an interception even to determine your opt in/out status and even if you are opted out the interception will continue. RIPA doesn't specify duration of interception or care what you do with the results. The interception itself is illegal.

The only way out of the RIPA issue is to make the system truly opt-in. Altering a users proxy (for example) to point to Phorm equipment whilst the rest of the traffic is directed as normal. This still leaves the issue of host site consent of course, communication being a two way process.

Quite un-believable though that HMG have still started no investigation into the

possibility of 18000 (at minimum) prior breaches of RIPA.

Re:

In that BBC coverage, a spokesdroid for Phorm said: "The Regulation of Investigatory Powers Act (RIPA) was drafted in the earliest days of the internet. It is not designed to criminalise legitimate business activities."

Sounds like Phorm are trying to re-invent the law but without Parliament creating new legislation. They appear to be saying "Phorm is a legitimate business activity, and RIPA was developed a long time ago and is not relevant or should not apply to internet activities now"

Firstly, It's for other authorities to decide whether the business is criminal or not not Phorm, secondly, if you're not happy with the law, you don't just go and ignore it, you have to work to get the law changed by appropriate means. The law is created by acts of parliament, not by companies.

I'm no expert on the DPA,

but if it applies to the processing of personal data then it seems to me Phorm is within its jurasdiction.

However, Phorm claim that anything personal, anything that can identify the individual is stripped out, and if I recall the DPA requires that companies only keep personal data for as long as is needed to conduct their business.

So if true, it seems to me that Phorm is not violating the DPA: they're discarding any personal data immediately.

I can see that Phorm violates RIPA, as an unlawful intercept, I'd have to read RIPA in more detail, but I suspect it was intended to prevent companies from 'spying', intercepting and reading and then using information gained from the interception of someone elses data traffic. Phorm doesn't enable that to happen, it processes the intercepted data immediately it is collected and abstracts it away from the raw material collected, it's fully automatic, no human intervention to read, assimilate the intercepted data - they might just get away with it, they could argue that the RIPA wasn't intended for this kind of scenario - and they might be right, as the law was probably written when no-one ever conceived of such a marketing strategy being developed.

Re:" what do we need to put on all our websites to make it clear to Phorm that we don't want them using OUR material to make money for them which is what it boils down to in the end.

I've seen "RIPA NOTICE: NO CONSENT IS GIVEN FOR INTERCEPTION OF PAGE TRANSMISSION" But is that enough.

Or do we all need to email Phorm and their scummy ISP associates with a formal notice informing them that they have NO rights to scrape websites that we run - and then list the websites that we own?"

-------

We all know who the ISPs are that plan to use Phorm, whilst it may not be convenient for all, those that can, should ditch the ISP. Vote with your feet.

If the ISP asks why you're terminating your contract with them, tell them.

Phorm is intended to make them money, if they lose enough customers then those ISPs will have to rethink their decision to use Phorm.

I just love Phorm/BT's line about not needing to bother about the legal niceties of the DPA or RIPA because they don't keep any personally identifiable information, and they are doing it "for our benefit".

So, if I ignore the law and smuggle a gun on board a plane, but I don't use it to do any wrong, and I claim that my having a gun makes the other passengers more safe, that must also be fine?

RE: "The only way out of the RIPA issue is to make the system truly opt-in. "

And if the Phorm system is truely made opt-in then its usefulness will be severely limited, as the majority of people won't bother to opt-in. See..donor cards as an example, cold calling, getting you to sign up on during the phone call and not allowing you to wait until the official paperwork comes through the post.

Marketing people know that opting-in isn't a technqiue that works too well, so Phorm's only going to work if it is made an opt-out.

And obsecure the opt-out check box so most people miss it.

I personally want the ISPs to send out a letter to each of their customers with a form to be filled in asking if they want to be opted-in or out of the Phorm scheme, and if the form is not returned within a certain timescale, opt-out is the default.

Better still, ditch the entire system..as I've said elsewhere..vote with your feet

There's the infosec exhibition at Earls Ct later this month. Anyone else here going to that? If so, and I realise this may be a scary suggestion, who's for meeting up for a jar and a chin wag? Get to know your fellow posters and all that nonsense.

If nothing else, a few drinks and the world's wrong seem to be more easily sortable :)

...what the cookie LOOKS like? If there is a cookie set by a Phorm process on my browser, I want basically to use my computing ability to cripple the process in some way. So - what filename will it have, and what can I do to leave it there but prevent it from doing its job?

@can anyone tell me

block cookies from www.webwise.com and it is a permanant opt-out (if you beleive them )

@ DPA and RIPA

DPA does apply as DPA applies to processing of personal data as well as storage and by default you have to process the personal information to remove it, so DPA does apply

peter white

T5 had a Flash Mob. A load of people turned up with something on their T-Shirts, flashed them then dispersed. It used to happen a lot, but then the Anti-Globalist demos used to happen a lot. Or maybe they still do but it's not reported. Only when you actually get close to grabbing the Olympic Torch does anyone notice.

I think meeting at an Exhibition in London and then going for a pint might be good. Do you think it would be OK if I wore a 911 Inside Job T-Shirt ;-)

Well, that's one then. Anyone else interested in meeting up for a pint?

I'll be easy to spot: the chap with the following t-shirt on:

http://www.clarkweb.co.uk/photolib/number.jpg