"For tests of this nature, regulatory authorities are not normally consulted."

"It's OK, I'm just running a test of whether I can burgle your house, so I don't need to check whether it's legal."

No, you are denying it. To refute it you would have to prove it false.

To refute something is to provide convincing arguments and/or evidence to the contrary. To deny something is simply to say "I don't think it's true."

Politicians and managers have been lying about refuting things for years now, just because it makes them sound better. Same with "sea change" (oh, so fish have eaten the eyeballs of the NHS, have they?).

"I suppose I am refuting it"... classic. Idiot.

Oliver.

Good little update, especially about internal issues at BT.

Interesting to note too, in Nov 2006 121Media were still called 121Media... not Phorm.

(121Media - prev AdIntelligence - changed name again to Phorm in May 2007)

I know because I was asked informally what I thought of it (peopleonpage) and my response was:

"it looks like it could ether may a lot of money or land people in prison, I'd leave it well alone"

I can also tell you that the BT representative who showed it to me said that it seemed too much of a risk and that he would advise against it. I wonder where he is now?

...will be how they keep the Phorm away from the NHS backbone...

There surely can't be 10,000 BT customers left in the UK who either don't know about this or are too dumb to care about the possible consequences.

Surely?

Please refute this, somebody.

If you're only "testing" someone out for sex. Without permission.

Nice one BT.

And the Russians are going through my trash. Jeez, guess some people need a good conspiracy to feel alive?!!!

"...will be how they keep the Phorm away from the NHS backbone..."

And how will they not collect and profile health and booking info from all of the people booking appointments through choose and Book.

When will BT be called to book and prosecuted.

PHORM has recently stated that they do not have database servers outside of the UK, however I remember that the original BT presentation leak did refer to them. From this it can be seen that the data from original covert "trials" is already outside of UK law and our control. BT Retail should to be prosecuted for espionage and made to pay compensation to cover potential future ID theft cost to everyone they sold out. In addition the wholesale section of BT should be returned to the tax payers as they have abused our trust and released our personal data to a foreign power.

Has anyone heard any news from VM recently about their involvement with Phorm?

Its the Old Boys Club again! The BT execs, Home Office management - they probably still drink in the same pub together. No wonder the Home Office has helped BT defend itself, they are practically party to the offense.

My guess as to what will happen is that, in true UK Old Boys Club style, nothing will happen to BT. Nothing at all. Vivienne Reding, of the EU, will put pressure on the UK to prosecute, who will protest at the outside interference and continue doing all the nothing they like. BT will surreptitiously launch Phorm under a new name, but will "consult" with the Home Office beforehand, not because they care, just so that they can dot the i's and cross the t's, and claim to Joe Public that this is not illegal and in fact something worth having for more relevant advertising and increased security.

Mark my words, it will happen.

"We don't believe this is illegal. We have sought extensive advice, both internally and externally, and prior to conducting this trial... It's not illegal."

Emma Sanderson finds it impossible to speak on that subject without them. A bit of insurance you see.

Boffins are precise in their language. BT execs are not.

Pissup, brewery

Brewery, pissup

etc.

You shouldn't make such accusations. It was never proved.

Too late! Phorm are hosting webwise.bt.com on behalf of BT. This means that they had access to the BT cookie that contains my BT username. Originally this site was hosted in the US, now it appears to be back in the UK but still hosted by Phorm. I believe BT may have now changed their cookies not to store the user name in clear text but Horse...Stable...

"Today BT's spokesman said invitations would be issued "soon". He refused to elaborate, citing fears the project would become a "hostage to fortune". ®"

In other words, they are hoping for a big enough gap between the negative publicity and when they actually have to ask 10,000 people for permission that not too many of them say no.

So far as I can tell, Bruce Schneier has been publicly slient on the subject of Phorm.

For anybody that doesn't know who Bruce Schneier is, then this is his mini-bio from his Crypto-gram newsletter (formatting mine to highlight the 2nd sentence);

"Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms.

He is the Chief Security Technology Officer of BT (BT acquired Counterpane in 2006), and is on the Board of Directors of the Electronic Privacy Information Center (EPIC).

He is a frequent writer and lecturer on security topics. See <http://www.schneier.com> blog/newsletter)."

While I'm not expecting him to put his employer in 'The Doghouse' section in his newsletter (however justified), I am surprised that he can't bring himself to even mention Phorm. And why hasn't he been asked for a quote by the likes of El Reg? Bruce is usually happy to comment on *most* matters security related in his Crypto-gram newsletter.

Looks like he was on the dark side all along...

Even before the trials began, they knew that if sucessfull, they would eventually deploy it. And when it is deployed, or rather before deploying/implementing, they would have to ask for government permission. So by foregoing the need for such permission, they risked, back then, wasting huge amounts of resources (time, money, etc) for something that could eventually be trashed? Their logic really flies-off the window.

The only thing that could save their project from being trashed is that the whole procedure in implementing and maintaining such project strictly adhere to any and all laws and procedures that involves privacy. Unfortunately for them, their project reeks of death and decay ..errr.. oh so many violations.

Unfortunately I can't refute your statement, only deny it, and then not entirely convincingly.

If you like, I could move the goalposts, get in bed with the cabinet and give you a winning smile!

"it looks like it could ether may a lot of money or land people in prison, I'd leave it well alone".... By Alex Posted Monday 11th August 2008 12:42 GMT

Alex,

That was probably the catalyst which launched the Phish, as people with a lot of money don't land in prison, they flee abroad and seek political asylum if they think they are going to do hard time for crime.

However, it must be realised that Phishing is Ubiquitous in Digital Networks, it is just the Nature of the Beast and the Greed in Man but it does also allow for the Free Placement of Increased and Increasing Value Goods and Services as opposed to being only thought of providing Malicious Services. Patterns of Behaviour do not give absolute results of extrapolated future action.

And if someone is Phishing out of their Depth in SMART Waters, they can be Groomed and Played to Provide whatever you Need whenever you Hook them and Drag them into the Water and into the Deep.

And all those gurning about the outrage are just so upset, because they probably have dirty little secrets to hide which may now be very well known. And the Technology does render the Pompous Posturing Political Prig who would think to be a leading light, something of a Pathetic Candle to Communications Pathfinder Beams.... Lighting the Way with AI Shining ITs Path.

Use IT Better in Better Betas would render ITs Abusers Naked for All to See as Inadequate and they can be Prosecuted for Not being Fit for Common or General Purpose.

Look, let's name names, right? This isn't a failure of *collective* responsibility (these things rarely are), there are always *individuals* responsible (though having them called to account is as rare as hen's teeth).

The CTO at BT Retail at the time of the denied trial is now the CTO at Phorm. What are the chances he bears some responsibility?

http://www.phorm.com/about/exec_scleparis.php

Ex-Home Office minister (and ex-Andersen staffer) Pat Hewitt is now a non-executive director at BT, though wasn't at the time of the denied trial (was she still at the Home Office at that time????). Might she also be expected to "do the right thing", as non-execs are supposed to do?

Even better: McKinnon can use it in his defense: he was only testing their security...

I assume that you'll be volunteering for the next phase of BT trials then?

Well when the cabinet want to leave (or are thrown out/sacked) they will want a nice cushy job to go to. I mean, the pension is nowhere NEAR enough to compare with a CEO's pension of a company with 200,000 employees like the Civil Service!

Please! Someone think of the MP's!!!

Bollocks to all this..can BT confirm data integrity when it comes to home workers? If I was working at a Bank or Fund Managers or anything similar with people frome home coming in from BT ADSL, I would be very worried about confidential data being captured by Phorms deep packet inspection.

As an IT Admin, I would be getting written BT statements confirming that business ADSL isnt being tracked, not the opt out cookie rubbish but actually on a different backbone.

I reckon that BT would rethink this if they realise that IT deparments around the country are dropping their ADSL services because confidential business matters could be picked up by Phorm.

Joke: Cause thats what OfCom really is

I just this moment got off the phone from Virgin media and asked them about Phorm.

The lady I spoke to went quiet and put me on hold.

Her answer was along the lines of 'Yes we do use phorm, but it's just a general thing and doesn't target you personally'.

I asked if I could opt out but was told "No."

Finally when asked if it records any personally identifying information she also said "No."

Pirates because well, frankly, they operated for personal gain in spite of the rules as well.

'Pat Hewitt is now a non-executive director at BT, though wasn't at the time of the denied trial (was she still at the Home Office at that time????)'

Not quite, she was busy screwing the NHS into the ground with Connecting For Health.

You'd have thought that would have been a full time job, but not for Patsie Hewitt - she still had time to threaten Channel 4 News for revealing that MTAS was publishing personal data on a public website. It's that sort of care for the public which must have had BT banging on the door waving bank notes in her face.

[Projected scenario:] "IT deparments around the country are dropping their ADSL services because confidential business matters could be picked up by Phorm."

Seems to me that it behooves all El Reg readers to send *written* memos regarding Phorm up the managerial ladder above them. "Are we making sure that our valuable propietary information cannot be compromised by BT & Phorm?"

Shareholders also need notification, which perhaps can be done most easily by posing a formal question on the matter at corporate annual meetings.

Paper is essential because "oh, the mail server must have deleted it as spam, I never saw it" is then no longer a viable excuse for ignorance.

Be sure to keep two paper copies, one in the expected file, and another one hidden under a drawer in case the file copy is quietly destroyed.

Something I haven't seen mentioned in the Phorm debate yet is that they are overwriting adverts in web pages with their own 'relevent adverts' so effectivly stealing the advertising space from the web host.

It's exactly the same as plastering your own poster up on a billboard over the top of someone elses, it's the digital equivilant of flyposting, which is illegal.

Notice how the Virgin logo has vanished ftom the webwise.com home page? Significant? As a VM customer, I sincerely hope so.

http://www.webwise.com/

I've just phoned Virgin Media (150, option 4, hold for an operator), and the lady I spoke to hadn't heard of Phorm - seem there still are those who haven't!

She went off to ask someone else, and told me that they are NOT using it, and that it was BT that had used it but had had some trouble (ha!) and that VM are definitely not using it and have no plans to do so. I asked her if that was the "official line", and she confirmed yes.

Anyone else want to call them and see if they get the same answer?

It really is disgraceful. Anyone else would be looking at jail time for this.

As a friend once said to me:

BT Wholesale = Generally better educated & highly intelligent staff - Top Grade management, More technically qualified and skilled workforce.

BT Retail = Staff who didn't make it into into Wholesale, good, honest but generally a lower grade workforce, Very poor Management (Dead man's shoes command structure).

Would that explain anything?

Oh all right then...

I told you so ... there thats better!

Any company that has an "value-added services" department deserves suspision in my book. The added value is for who's benefit?.......

Chris, are you sure about that? Phorm is indeed a heap of dingos kidneys, but afaik it doesn't overwrite *other people's* adspace, it relies on gullible advertisers buying premium-priced Phorm adspace, which then either displays generic ads if being viewed by de-Phormed folk on sensible ISPs, or for folk with malPhormed ISPs it (allegedly) displays highly valuable "specially personalised" ads based on "anonymised, non personally identifiable" (oxymoron alert) surfing profiles etc. Go read Phorm's own bs on "OIX" for more info. Or for a different viewpoint, read Alex Hanff's white paper.

The Guardian was, originally, going to be one such gullible advertiser. They aren't any more [1]. I don't know about the other "launch partners" (which included ft.com and a handful of lesser known names)..

[1] http://www.theregister.co.uk/2008/03/26/guardian_phorm_uturn/

http://phormwatch.blogspot.com/2008/07/entity-relationship-diagram-of-bt-and.html

Boycott them.

In the late 1970s I used to enjoy an occasional pint with three telecomms engineers from the local exchange (which I visited when they had an open day). One of them was apparently authorised to set up phone taps, a process which in those days involved a yellow twisted pair wire clipped to the line. In the main he did the same sort of work as his mates, though his pay came via the Home Office; and he had presumably signed up to the Official Secrets Act.

What happened after privatisation and the introduction of System X and Zircon I don't know. But authorised snoop channels are still required, to deal with both wiretaps for which a warrant has been issued and in addition the hundreds of thousands of requests for data that are made annually under RIPA.

The equipment which was installed for the behavioural marketing tests allowed, in principle at least, wholesale access to tens of thousands of subscribers' data. This wasn't a botnet with keyloggers or whatever installed on the machines of hapless people who didn't protect themselves. It had the potential to intercept large amounts of data wholesale with little chance of detection because it took place at provider level. It involved the installation of equipment in exchanges. And this was a very different matter than, say, the Perl scripts used by Gary McKinnon to access supposedly unauthorised information. It was interception at a level not much different from the government's passive taps.

(http://www.theregister.co.uk/2008/08/09/mckinnon_ufo_cyberterror_analysis/)

It could have been expected that the Home Office would know about these tests as a result of their overall programme to monitor communications. Alternatively, if they really didn't know, then there is a strong argument that a culpable failure of national security measures occurred.

While my opposition to Phorm is implacable, fairness demands that your assertion that Phorm overwrite other people's ads be refuted. They only overwrite their own general ads with targetted ads, whenever a Phorm-phriendly luser is detected.

Paris, because her insertions are not as well controlled as Phorm's

Having just recently been kicked off the BT Beta forums by a company desperate to keep as many of their customers in the dark about Webwise as possible, it gives me a great deal of pleasure to see the way the FOI procedure is gradually unravelling the spider's WEB of obfuscation that has been spun around this whole topic for over two years, by those who even now are wriggling and squirming and umming and erring, to try and conceal the true facts.

Given the recent fairly robust response by the Information Tribunal in slapping down attempts by DBERR to conceal information about commercial lobbying from the public, we will be looking forward to full disclosure of that "commercially sensitive" information that is being currently witheld by the Home Office.

I'd also like to know what people like Bruce Schneir from BT Global have to say, whether they still work for BT or not, and another question - when did the BT's Head of Information Security, John Regnault find out about this plan, and what was his advice. Was his advice sought prior to the covert trials?

BT Group have denied reports of rifts within the organisation - so can these two individuals give us statements please?

We've been watching BT watching us. And we know more than you think we do.

... is that they are all of a sudden absolutely shit-scared that some of them are going to get banged up for this. Because they're starting to believe that it might actually happen.

It's a bit premature to declare victory yet, but note well: the enemy's morale is falling and we have them on the run.

If you want Bruce Schneier's opinion, you can always ask him:

http://www.schneier.com/contact.html

From the BBC

"In her questions Baroness Miller has asked about the issues surrounding Phorm and the technology it employs.

In one question she asked if the government has issued advice to net service firms about getting consent for web-watching ad systems or what needs to be done to let people know their web habits could be monitored.

In response the government said it was up to net firms to decide if a service they provide was within the law. "

... and if they're not, the authorities will do sweet F.A.

> Today BT's spokesman ... refused to elaborate, citing fears the project would become a "hostage to fortune".

Gawl darnit Mr. BT-spokesman, you use your tongue prettier than a twenty dollar whore.

The only damage-in-the-future fortune that could befall you (BT) is in the finding out through further FOIA requests even more "inconsistencies" behind your (BT's) public spinning. Take a lead from PR-savvy American companies: Militate against any potential PR disaster by publishing the *complete* (and verifiable) data on the who / what / when / where / how for all of your (BT's) unknown trials. Mitigate the current fallout from the known trials by doing the same. You (BT) could just come clean, take your chances in court, and move on. (Then sin no more, yes?)

It's too simple, really. If you (BT) did nothing wrong, then you (BT) have nothing to hide. It's the post-facto lying, not the original sin, that'll get you (anyone) in the pokey every time.

/s/ A Yank helping to fight terrorism beyond our shores.

x-El-Reg-audience: Irony and sarcasm thresholds exceeded; proceed at your own risk.

If you can refute, can you also 'fute'?

for dawkings sake. they're guilty. we all know they're guilty. even they know they're guilty.

"when did John Regnault find out about this plan, and what was his advice. Was his advice sought prior to the covert trials?"

I would hazard a guess about the same time as Bruce, i.e when the story broke on El Reg.

Also, I wouldn't read too much into the silence from Bruce's corner. From what I've heard about him he (or John) are probably the main reasons this turd of a technology hasn't been deployed yet. Time will tell.

Wasn't there a Police Officer who was only testing his new nena car with the dash cam on? wasn't his defence that he was only testing too?

I'm off to test bank security...

How are we to know this when we don't get to see even WHEN they are doing this?

Trust them that this time they are telling the truth? Trust them to not change without telling us?

If this was true, surely there'd be an AdBlock pattern to block ALL Phorm ads (the only way we're able to opt out).

So what is it?

You'll be fine so long as you explain that you were just testing your gun.

I went for 150, option 2 I think then picked that I'm going to disconnect option, was complaining about being mis-sold something else.

Bizarrely, it turns out I wasn't mis-sold anything, instead the 2 change-your-options people I had previously spoken to just didn't know that you could get on demand separately from XL TV.

After fixing me up with what I wanted the lady did say that Phorm was being used though. The variety of information given by the phone peoples is somewhat worrying.

In July I emailed all five MEPs for the Eastern District, receiving replies from two of them. These suggested that I first contact my MP. I had already emailed him in May. In reply, he sent me a copy of a letter from Jacqui Smith from which I quote the second paragraph that may be of interest. 'The Home Office has considered the issue of Targeted Online Advertising in general without specific regard to any particular application, The Home Office came to the conclusion that it might be possible for Targeted Online Advertising services to be lawful under the Regulation of Investigatory Powers Act 2000 (RIPA). It might also be the case that Targeted Online Advertising is delivered in a way that is not considered interception as defined by RIPA. It does rather depend on how those services are offered and how they work. I should point out that we are, of course, unable to provide a definitive statement of the law, which only a court could give.' Unquote. I emailed three of the MEPs with Chris Williams article from El Reg of 11 August. In the meantime I have received a letter from the office of Viviane Redding stating that any interception would contravene ECHR and that her office is keeping a close eye on HM Government.

wont, per say, stop them from monitoring your browsing. THAT'S the real issue.

"I'm off to test bank security..." .... By Anonymous Coward Posted Tuesday 12th August 2008 08:07 GMT

If it is anything more than just the usual physical locks on doors and vaults and bars over the windows your testing, then what you will find is that they really are wide open to virtual abuse for they will invariably, at local branch/city branch levels anyway, have no idea about the Virtualised Space in which many who contribute to the Register Knowledge Base.... Work Rest and Play.

In fact, given the Ongoing Exponential Meltdown in their System[s] ...... http://cryptogon.com/?cat=8 .... it would be more probable that there is no security to test and Underground Virtual Forces have taken over Control?

I read somewhere, perhaps even on el-reg, that provided an overview of how Phorm works. IIRC whenever you browse, phorm asks your browser for your phorm cookie, this contains your unique identifier so it can work out your habits from your previous sessions.

So, how about just deleting your cookies. Sure, you won't be "opted-out" whatever that means, but you also won't get ads targetted to your browsing habits, they'll have no data to go on. . It's not like googlemail isn't doing something similar when it displays your email. There's no privacy objection there is there? I'd quite happily sign up to phorm if they, I dunno, gave me an ISP discount of 50% for opting in, there wouldn't be any privacy brouhaha then would there, you're getting a benefit for signing up.

Every one has their price, you just have to decide what yours is. I am currently a BT customer, and their service has been reliable enough to keep my custom. There are plenty of technical work-arounds for phorm (Tor?, VPNs and the like) so I'm not bothered.

"We have sought extensive advice, both internally and externally, and prior to conducting this trial.."

Does she still say this and, if so, can she tell us who and when?

Didn't think so...

"the government said it was up to net firms to decide if a service they provide was within the law"

Seems all right to me, old chap. After all, the government says it's up to us to decide...

You couldn't make it up!

From the last publicised version of how Phorm/WebWise was to work, there are two cookies, one was an 'opt-out' cookie, so by deleting it you would be immediately opting yourself back into the targeted ads system. Another cookie was used to store your profiling info but if you delete that it will be replaced by the Phorm/WebWise system next pass through.

The problem that people should focus on is not the ads themselves, it's the 'man-in-the-middle'-like nature of what Phorm/WebWise does. It sits at the ISP, copying your page requests and responses, sifting them for keywords, which are then used to build a persistent profile.

If you choose not to view on-line ads, or be tracked, then you can take steps to block such actions by the likes of Google, etc, (via AdBlock, NoScript, etc) or use an alternative service (such as Scroogle so not even your IP is tracked), but you cannot avoid the snooping by Phorm/WebWise short of sending all of your traffic encrypted as everything goes through Phorm/WebWise kit at the ISP even if you opt-out.

No real detail has been given about how such data passing through their system is analysed, apart from assertions that they will not keep/use numbers over a certain length (that might be credit cards) and that they cannot view HTTPS traffic. They also promise not to keep data for opted-out customers, although initial reports said the data would still be analysed. There has also been inconsistent data given about how the system works, whether data is actually stored before processing, who will have access to the data at what stage, etc.

Phorm is the new name of a primarily Russian-based company formerly known as 121Media who previously produced software branded as spyware, and a rootkit, which they stopped distributing when the CDT in the US raised a formal complaint for deceptive behaviour.

Do you really want a company like that having access to your data, all of your browsing data, whether you opt-out or not?

Do you also want to use an ISP that has lied about using this system in trials, misled the public as to it's purpose, and now it seems operated without proper legal advice in the early stages?

Follow the money. If Phorm overwrote other people's ads, those other people would detect this, and have something to say about it, and fast.

i.e. it's not something that Phorm could keep secret from people who have a commercial interest in them not doing it.

You are quite right that you and I might not know it was happening, but the overwritten advertisers would.

While I wouldn't put anything past Phorm - or BT for that matter - I do think they are clever enough only to do things they think they can get away with. Not, of course, that they are quite clever enough to know when this will be true....

Re Adblock, though, why would you want to just block Phorm/OIX ads?

I block the lot, no matter where they come from.

Paris, because she can inspect my packet any time she likes