Top security firm: Phorm is adware

In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database.

Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very high chance that Trend Micro would add detection for the tracking cookies as adware in order to protect customers.

"Obviously, as with other adware/spyware Trend Micro would need to constantly monitor things like... how aware users are that they are being tracked and whether the user has the ability to completely opt out of the service."

If Trend adds detection for Phorm then millions of home computers running a scan using its protection software would get a warning that their ISPs have dropped either a Phorm opt-in or an opt-out cookie onto their systems.

The statement comes as the debate over Phorm is focusing on the question of consent and interception. At present, Phorm says that an opt-out will be available via another cookie, which has not satisfied some web users who want their traffic to have nothing to do with the firm.

In response to Trend Micro, it said today: "The Webwise system is certainly not adware. We welcome the chance to brief Trend Micro on our privacy enhancing technology and why it would be inappropriate to classify it in any other way."

PC Tools, another large anti-malware firm, based in Australia, echoed Trend Micro's concerns for its customers' privacy and security. It said in a statement:

If our research confirms that Phorm places an opt-out cookie on the desktop PC, we will evaluate if it safe to remove it without re-opting the customer back into the Phorm tracking mechanisms.

If the cookie cannot simply be removed but we can find a reliable method to detect the Phorm service, and the Phorm service was evaluated and identified using our threat matrix, we will then endeavour to alert our customers of its existence.

Naturally we encourage all companies involved in handling, monitoring or storing personal information, such as web-surfing behaviour, to prominently disclose whether there is information being supplied or used by a third-party. Ideally any service with privacy implications should require users to consciously opt-in after they know all the facts.

PC Tools is a significant player in consumer desktop security because its Spyware Doctor software is bundled with the Google Pack. We are waiting for responses from Symantec and McAfee, the two largest anti-malware vendors.

It seems Virgin Media boss Neil Berkett could be gearing up to take the same stance on its deal with Phorm as Carphone Warehouse boss Charles Dunstone.

Berkett this morning responded to a customer email asking if he planned to require customers to explicitly opt-in to the ad targeting network with: "I am reviewing this again this evening."

Carphone Warehouse has stated that its 2.6 million broadband subscribers will be asked if they want to opt-in, and that an opt-out cookie won't be necessary to avoid profiling. The firm is working on a new implementation of the Phorm system that ensures data is never intercepted and mirrored to the profiler server.

Phorm has said data from opted-out customers would be completely ignored by the profiler under the normal deployment, which is administered by the ISP, but the fears of many are not allayed by such guarantees. BT is yet to answer our question about why mirroring but not profiling customer browsing does not constitute an interception under the Regulation of Investigatory Powers Act (RIPA) 2000.

Also in the last 24 hours, the Home Office advice on RIPA and ad targeting, used by the ISPs to help approve Phorm, has emerged. Written by department official Simon Watkin, like Professor Peter Sommer's assessment published here last week, it puts emphasis on the question of consent for the interception. Read the whole thing here.

In his conclusion, Watkin writes: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

Professor Sommer said the technical details revealed over the past two weeks suggest that liability for compliance with RIPA lies with the ISP, since it will operate the profiler and carry out the interception.

The Home Office document raises another question of consent, however: that of whether website owners consent to the ISP to profile their pages for keywords (the Phorm system does not propose to inject targeting advertising on websites that are not members of its Open Internet Exchange). Watkin argues that by publishing them online, website owners are implying consent for an interception, which is the stance taken by Phorm and its partners. He writes: "The implied consent of a web page host may stand in the absence of any specific express consent."

Sommer disagreed: "There is a distinction to be made between the fact that a website is available and there is thus a consent for anyone and everyone to view the contents (the argument used by web-scraping sites that offer price comparisons, for example) and the fact that any specific person has requested a specific web-page at a particular time - which is the communication being intercepted."

On this basis the ISPs would need consent to intercept from every web page you visit, he said. "I think the Home Office interpretation fails at this point, and where a website carries a password for access yet still uses HTTP there is no consent for an interception whatsoever."

Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act.

In the intro to his advice, Watkin cautions: "[This] should not be taken as a definitive statement or interpretation of the law, which only the courts can give." ®