The Register has published some diagrams of how the appalling Phorm web advertising scheme will work. Major UK broadband Internet Service Providers British Telecom Retail, Virgin Media and Carphone Warehouse TalkTalk all seem to have signed a "commercial suicide pact" contract to abuse their customers' data privacy, without first obtaining their prior informed consent.
Think back to all of the well-founded privacy fears about DoubleClick cookies, and about Google keyword searching of all the text of your emails and documents in your "free" Gmail account.
Phorm appears to be a combination of these two direct marketing approaches, except this time it is inflicted on all the web traffic of the unlucky customers of the participating ISPs, via man-in-the-middle attack hardware plugged into their core network infrastructure.
Phorm perpetuate the common misconception amongst advertising weasels, that if your web browser software connects with a particular website, at any time, then that somehow means that you as a person, are positively and genuinely interested in receiving direct advertising related to the vague subject category in which they have arbitrarily categorised that website. They never seem to make adequate allowances for accidental visits to websites, or for visits on behalf of other people, whose consumer preferences do not match those of the regular user of a particular computer. To do so accurately, they would have to compile an individual browsing history.
Even if you believe Phorm's weasel-worded, hand-waving, marketing-droid promises about "100% Consumer Privacy", these seem to be impossible to deliver with the architecture described in the BT diagrams which The Register has published.
Phorm's claims that they will somehow provide an anti-phishing service cannot be reconciled with their promise that they will ignore https:// SSL encrypted traffic. If they do so, then what real use is their "service" against real phishing attacks on internet banking websites, which all use it?
How, exactly, can any of this be legal?
Since many people use web based email systems, for example, these ISPs and Phorm should be prosecuted for illegal interception of communications without a warrant signed by the Home Secretary under the Regulation of Investigatory Powers Act 2000 section 1 Unlawful interception, and each of the people responsible should be facing up to 2 years in prison, including those who seem to have already conducted full scale pilot trials of this technology on unsuspecting BT customers.
Criminal liability under RIPA cannot be evaded simply by changing the Terms & Conditions of your civil contract with your Internet Service Provider.
Things to do about Phorm:
- Write to your ISP, and get an assurance that they are not selling your data to Phorm or to anything similar.
- If you are a customer of BT Retail (or of any other BT divisions, e.g. BT Business), Virgin Media or Carphone Warehouse TalkTalk, then you might like to write to them quoting the very clear Data Protection Act 1998 section 11:
11 Right to prevent processing for purposes of direct marketing
(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
- Complain to the supposedly independent, customer focussed Telecommunication Industry Regulator - Ofcom
2a Southwark Bridge Road
If you have a complaint about a Telecommunications, Broadcast or general issue please call 020 7981 3040, 0300 123 3333 or if you want to complain in Welsh, 020 7981 3042.
- Join and support the Open Rights Group, who will be campaigning to raise awareness of this issue.
- Subscribe to the BadPhorm - When good ISPs go bad! website for the latest news on this topic.
- Configure your web browser's privacy settings to delete any existing cookies, and to block future cookies from any subdomains and tld extensions of *.phorm.*, *.webwise.*, *.oix.* or *.sysip.*
- Consider boycotting any products or services which are advertised through this Phorm Open Internet Exchange direct marketing scheme.
- Lobby the anti-spyware and anti-virus software companies to protect you from these snooping cookies automatically.
- If you never want to have anything to do with Phorm or Webwise or their OIX network, and you suspect that they might try to intercept other internet protocols which you might be using, e.g. SMTP email, instant messenger chat or peer-to-peer networks, you can try blocking their domain names through your local hosts file, which takes precedence over DNS lookups on most Windows or Unix systems.
The Windows hosts file (which is a text file named hosts, but with no file extension) is usually found at, for example, C:\WINNT\system32\drivers\etc\hosts
Using a text editor, e.g. Notepad, add entries with the domain name aliases separated from the numeric loopback IP address by at least one space or by two tab characters. Unfortunately you have to enter each subdomain explicitly, without any asterisk wildcards, which do work in the browser cookie blocking described above.
You might need to temporarily change the settings of your anti-virus / anti-spyware protection, which might lock this file from being modified.
N.B. By doing this you will not be able to check the Phorm or Webwise websites for any news about their scheme, such as, hopefully, an apology and climbdown in the face of opposition from the computer privacy literate section of UK internet users.
- Neither blocking the cookies nor the DNS lookups in your hosts file will actually prevent the Phorm man-in-the-middle attack hardware from illegally snooping on your electronic communications; it will just stop you getting the targeted adverts.
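The cookie-blocking patterns and the hosts-file step above can be checked with a small script. This is an added example, not part of the original post: it treats the patterns as shell-style globs (an assumption about how a browser applies them), uses constructed `.test` hostnames rather than Phorm's real ones, and assumes the first matching hosts entry wins, as on Windows and glibc-based systems.

```python
from fnmatch import fnmatchcase

LOOPBACK = "127.0.0.1"

# Wildcard patterns from the cookie-blocking step above (assumed to be shell-style globs).
BLOCK_PATTERNS = ["*.phorm.*", "*.webwise.*", "*.oix.*", "*.sysip.*"]


def matches_block_pattern(hostname, patterns=BLOCK_PATTERNS):
    """Case-insensitive glob match, as a browser cookie filter would apply it."""
    host = hostname.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def hosts_entries(hostnames, address=LOOPBACK):
    """Build explicit hosts-file lines: hosts files take no wildcards, so each name is spelled out."""
    lines = []
    for name in hostnames:
        if "*" in name:
            raise ValueError(f"hosts files do not support wildcards: {name}")
        lines.append(f"{address}\t{name.lower()}")
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Parse hosts-file text into an ordered list of (address, [names]); '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()  # any run of spaces or tabs separates the address from its aliases
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def resolve_locally(hostname, hosts_text):
    """Return the address the hosts file gives for hostname, or None (lookup falls through to DNS).
    Assumes the first matching entry wins."""
    host = hostname.lower().rstrip(".")
    for address, names in parse_hosts(hosts_text):
        if host in names:
            return address
    return None


# Constructed sample hosts file (not from the post): the usual localhost line plus two block entries.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost   # default entry\n" + hosts_entries(
    ["ads.phorm.test", "cookies.webwise.test"])
```

Note that `resolve_locally("other.phorm.test", SAMPLE_HOSTS)` returns `None` even though the name matches the cookie pattern `*.phorm.*`: a subdomain not listed explicitly in the hosts file still goes to DNS.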
British Telecom are using this Phorm scheme, which they call BT Webwise, but not, for example, to offer an advertising funded, free broadband service, where the customers would be fully informed about what they are signing up to - they are simply inflicting it, by default, on their existing fee paying customers.
We will be trialling BT Webwise in March before launching for all customers in phases. Please check this page for up-to-date information on BT Webwise.
British Telecom has a FAQ page about their BT Webwise service, which also fails to reassure us about the privacy implications of this technology. They emphasise the supposed anti-fraud feature, which they admit does not actually work very well, without mentioning the advertising revenue they hope to get from interfering with your web page browsing e.g.
I didn't switch on this service. Why do I have to switch it off?
We believe BT Webwise is an important improvement to your online experience -- giving you better protection against online fraud and giving you more relevant advertising.
We realise that you may not want to use the free service, so we've made it quick and easy to switch on and off.
The arrogant assumption that everyone should be automatically opted in to this scheme by default, without any consultation or notification, does not engender any trust in their other promises about this commercial snooping and interception scheme.