Original URL: https://www.theregister.com/2008/03/19/phorm_8020_pi/

Phorm agrees to independent inspection of data pimping code

But what's a privacy group doing in bed with it anyway?

By Christopher Williams

Posted in Networks, 19th March 2008 14:01 GMT

Phorm has agreed to allow an independent software expert to inspect its source code as it continues to battle the firestorm provoked by agreements with BT, Virgin Media and Carphone Warehouse to let it build profiles of their broadband customers' web browsing.

It seems a move by the battered firm to try to win some public trust. The identity of the scrutineer has not been decided, but according to Simon Davies, a privacy campaigner who has become embroiled in the controversy because of consulting work he has done for Phorm, it has to be someone universally respected in UK security circles. "Someone like Ross Anderson or Richard Clayton," he suggested.

Both are leading computer security researchers at the University of Cambridge.

Phorm has tried to deflect scrutiny of its Russian-developed code by emphasising that the profiling hardware will be administered by the ISPs. This has not satisfied web users and website adminstrators who have been up in arms over the technology for three weeks now. More than 7,000 have signed a Downing Street petition against the technology.

Davies, a London School of Economics researcher best known as the founder of the pressure group Privacy International, has come under increasing criticism for his commercial role in the Phorm affair. A Privacy Impact Assessment (PIA) by his consulting company, 80/20 Thinking, has been repeatedly cited by Phorm to defend its system, prompting questions over Privacy International's independence.

It hasn't helped that Phorm itself seems confused over whose opinion it has paid for in the PIA. When The Register first became interested in the story, we were told on more than one occasion that Privacy International itself had praised the technology.

"This could all have been handled much better," Davies said.

Yesterday evening, he personally released the PIA to the media. In it, 80/20 Thinking raises, but does not answer many of the questions that have fired the debate. It reads: "Can cookies lead back to users in any way? Of course it is merely a unique identifier but a unique identifier can still be linked to individuals.

"Can an external attacker gain access to the required information to re-link the individual and the unique identifier?"

The report is dated 10 February, and Davies has since praised the system. Defending himself against criticism on the influential UK-Crypto mailing list, he wrote: "For what it's worth, we do believe the company [Phorm] has created some extremely interesting and privacy friendly technology. And in my view the company has gone above and beyond the norm to expunge personal data from its system."

Like web inventor Sir Tim Berners-Lee, 80/20 argues that Phorm would only be allowable on an opt-in basis. The logic goes that if the "service" is so great, why wouldn't people choose to be part of it? Carphone Warehouse is committed to offering "Webwise" on an opt-in basis. BT and Virgin media are not.

Despite this cautious stance, to many, Davies and Gus Hosein, his colleague in both 80/20 and Privacy International, have an unresolvable conflict of interest when it comes to Phorm. We and others have argued that the emergence of a new technology for monitoring our web browsing habits cannot logically be a good thing for privacy, no matter how many independent bodies assess its safety or who they are.

One anonymous commenter summed up Davies' perceived problem in response to our last Phorm story: "We need citizens rights group to work for citizens, not for privacy-invading spyware scum. They can't do both at the same time, like Simon Davies has done here."

"In the morning Davies, wearing his 80/20 hat, does Phorm consultancy and congratulates it for protecting our privacy. In the afternoon, he puts his 'Privacy Campaigner' hat on."

To them, Phorm's PR line that it actually is good for internet privacy is exactly analogous to Orwell's famous maxim for Big Brother: "War is peace, freedom is slavery, ignorance is strength." And in this context, comparing Phorm's privacy controls to Google's seems a smokescreen. Webwise users will be profiled by Phorm as well as Google, not instead of it.

To muddy the waters further, Davies is a member of the advisory panel of the Foundation for Information Policy Research (FIPR). The think tank gave a massive boost to claims that intercepting web traffic in the way Phorm intends to is illegal under the Regulation of Investigatory Powers Act 2000.

Phorm says it is aware of Davies' role at FIPR, but that it is a matter for him. Speaking on Tuesday, he said his primary concern is the privacy implications of Phorm, rather than its legality. "I'm not a lawyer," he emphasised.

We asked Davies whether knowing what he now knows about Phorm - its history as a rootkit peddler (80/20 was unaware of 121Media's role as developer of PeopleOnPage), and the near-unanimous public view that it can only be a bad precedent for privacy online whether he would have gotten involved commercially. After a long pause, he said: "It's certainly been a steep learning curve."

"On balance, I think it's better to engage. I still talk to the Home Office even though they tried to trash my reputation and relationships over ID cards."

You can read and download a copy of 80/20 Thinking's report here. ®