Web users angry at ISPs' spyware tie-up
Jim Armitage, 06.03.08
Broadband Internet providers BT, TalkTalk and Virgin Media have hit a storm of anger from customers since teaming up with a pioneer in much-hated "spyware" technology.
Last month, the three internet service providers, with 9 million households between them, signed up to software from an AIM-listed business called Phorm, run by colourful American tycoon Kent Ertugrul.
Phorm monitors what content surfers browse on the Net. It will then send to those individuals ads which match the interests they have shown through their browsing. Advertisers pay Phorm a fee, which it shares with the ISP.
Phorm says the customer's identity is "anonymised" so advertisers would not be able to tell who they are.
But the IT community is up in arms, dubbing the practice "data pimping," and is still worried about being spied upon. A website, badphorm.co.uk, has been set up specifically to attack the move.
Professor Peter Sommer, author of The Hacker's Handbook, claims it is illegal. He argues that it is an interception of a public communication which is in direct contravention of the Regulation of Investigatory Powers Act 2000.
Ross Anderson, Professor of security engineering at Cambridge University, said: "The message has to be this: If you care about your privacy, do not use BT, Virgin or TalkTalk as your Internet provider."
Anderson said that, historically, anonymising technology had never worked. Even if it did, he stressed, it still posed huge privacy issues. He gave the example of a woman who had had an abortion without telling her partner. If she had surfed websites like Mothercare or other baby-related retailers and advice centres while making up her mind about the termination, her family's computers might suddenly start receiving baby ads, creating suspicion from the husband or boyfriend.
Phorm counters that it will not collect data on sensitive areas like adult or medical data.
Ertugrul said: "I'm not the Prince of Darkness I'm made out to be. The people who have criticised Phorm just haven't seen it. What we are doing will bring greater privacy and fewer rubbish ads people aren't interested in."
He stressed that, unlike Google and other search engines, Phorm would not be storing any details of websites visited or searches made. All it retains is the general category of the sites - for example, fast cars.
The Information Commissioner is investigating, having been approached by Phorm. BT, TalkTalk and Virgin Media said they had done due diligence on Phorm and were happy with the privacy situation.
Users are also worried about the background of Phorm itself. It, and Ertugrul, were pioneers of software known as spyware, which monitored customers' web surfing and made unwanted pop-up ads appear on screen.
Phorm's PeopleOnPage spyware, which it calls "adware", was notoriously difficult to eradicate once a PC was infected.
Ertugrul said: "Look, it is undeniable that we were in the adware business. But three years ago we shut it down and closed off all that revenue simply so we could address the perception issue. It is obviously a challenge now to get people to understand who we really are."
If the websites and university lecture theatres are anything to go by, he has an uphill climb.
To see more of the raging debate, with varying degrees of paranoia, see badphorm.co.uk, theregister.co.uk or the ukcrypto mailing list.
Reader views (4)
It is my understanding that the explicit permission of a web site owner/administrator will be required for any profiling where that web site has any form of user access control. This includes username/password, persistent cookies or any other form of technology that establishes a right for a specific user to access the contents.
I don't see how either the ISP or Phorm will be able to obtain that informed, explicit consent for such profiling from a web site.
Therefore, the legality of all encompassing profiling must be in question.
Certainly I, as a web site administrator for multiple domains, refuse permission for Phorm or its partners and agents to profile any access to those web sites under my control.
- John Doe, Guildford, UK
There is another side to this.
We have an "opt-out" for the customer (albeit an unsatisfactory one in many people's opinion), but what about the web site owner?
I do not have some wonderful expensive system that tells me whether or not a visitor has opted in or not - all I can detect, using the normal tools supplied by my web host, is their IP address.
I do not want the contents of my site used in any way by Phorm, and I am not techie enough to get involved in clever scripts or whatever to implement some kind of Phorm detection system. Furthermore, in view of what has already gone on, I am not going to trust any reassuring statements from Phorm or the ISPs, so I will be taking the easy way out. I have compiled a list of known BT IP addresses, and they will all be blocked suggesting that they change to a more reputable ISP.
Techie types will, of course, know how to spoof an IP address to get round this, but I figure that anyone fool enough to stay with BT after this caper won't be that clever.
None of my sites are commercial, so I don't have any paying customers to lose by this action - BT, of course, do, but that's their problem.
- Gordon Goody, Willesden, London NW10
As far as I can see, at no point in Phorm's history have they not been involved in untrustworthy, deceptive and either possibly illegal or borderline illegal activities.
Look at the 2005 complaints to the FTC by the Center for Democracy and Technology in the US, or the Canadian Internet Policy and Public Internet Center who were filing similar complaints to Canadian legal authorities at the same time.
They then withdrew their software for fear of prosecution, changed their name from 121media to Phorm and adapted their spyware software to work within an ISP, in this case BT.
They then conducted possibly (probably) illegal secret trials in 2006 and 2007 with BT which profiled tens of thousands of BT customers.
Phorm cannot be trusted with the interception of your data. Anyone who is a BT customer will be asked to trial a service called WEBWISE in the near future. If you opt-in to the trial, every web page you visit will be intercepted, analysed and a profile will be created for you.
- Seriously Concerned, London














