A quickie, (or a slowie depending on your interpretation)

Your humble Penguin has been knocking around on computers for let’s say, a fair while. He even remembers the days when you had to put a telephone receiver onto a little box so that it could make lots of little clicking sounds while trying to exchange data across a phone line.

However those days of hideously slow net connections are over as this is the 21st century and everything’s like all fibre optics and stuff so I was surprised to get this little reading while downloading an update for my system.

Virgin-are-shit

Yes, 481 bytes a second, lucky boy that I am. Not that this is the first time, the other week I got an estimate for downloading an ISO image of a Linux distribution of sometime about three weeks later – bless.

According to my ISP they’re connections are faster than a speeding… Well actually they don’t say so this is probably one of those clever bits of marketing like ‘up 1 trillion megabits’ when in reality you’re going to be bumbling along on half a meg, presumably that would be a speeding snail then.

However that said, it has been a very long time since my download speed was measured in bytes. Suffice to say I didn’t get much done that night and opted for an evening playing Age of Empires 2 Conquerors Expansion.

Viva la technical revolution.

Change of ISP on the cards.

Trying not to get too conservative in my old age

*note the small ‘c’ in that title just to make matters clear.

Sometimes in life you can get stuck into a routine. Doing the same things, using the same methods and tools without realising that things have changed and there’s more options available.

Last year I did a little review on the Apple iPhone and found it wanting in many areas to the point that I wouldn’t consider touching one with the proverbial long piece of navigational wood. Just to add, I hadn’t realised at the time that the iPhone doesn’t even do multi-tasking as in being able to do more than run one application at the same time. This is pathetic by anyone’s standards but I digress.

Using the iPhone did however have an impact on me. It spurred me into wanting to see what is technically possible with my own Nokia E65 mobile phone. Could check but can’t be bothered but just for a bit of perspective, the Nokia E65 predates the iPhone by about a year so it’s in mobile phone technology terms given the pace of change almost ancient now.

I’ll also admit that prior to last November I did what most people use their phones for. Making calls, texting and using it as an MP3 player. The odd photo but I’m not so fussed about such things.

What I really wanted to try out was mobile internet access and have a little poke around what other third party applications were knocking about for my phone.

After a week or so Mrs Penguin finally gave in to my pleas of getting a data plan added to my mobile phone contract. (Please note, it is highly recommended that before you try any application for your mobile that uses any kind of data connection that you get one of these plans otherwise you may find your bill to be rather hefty the following month).

With a newly acquired data plan in hand I ventured out into the world of mobile browsing and it’s fair to say that coupled with a change in circumstances and a more hectic lifestyle it has fitted in rather neatly to having less time to sit at my PC.

Like most people who like to keep up on current affairs I’m heavily dependent on my RSS feeds to stay up to date with the latest news. Sometimes being all over the place the availability of these news feeds wherever I am is now a must.

All Nokia smart phones come pre-installed with the default Nokia browser which is a very good feature rich and fast browser. However the feeds feature is abysmal.

After much searching around for a suitable application I came across Opera Mini. I used to use Opera as my main web browser on my PC many years back but for some reason forgot about it after Firefox really started to get going but when it comes to mobiles, Opera are certainly producing the best browsing applications around at the moment.

Opera do another browser, the full Opera Mobile which I will download when I get my next phone but for the time being Opera Mini suits my core demands, that of a very nice feed reader.

I thought I’d do a couple of screenshots from my mobile to emphasise the point. Here’s the main start screen:

opera-mini-screenshot-home

It’s got what you need straight away, quick web search function, a straight to URL function, bookmarks (which I don’t use at present) and a link to the feeds. The GUI is nice, it can easily flip from vertical to horizontal format and there’s plenty of options to configure it the way you like.

On to the feeds:

opera-mini-screenshot-feeds

A nice simple list that’s bold if there’s stories unread and a click takes you to another screen which renders the actual content of the feeds meaning there’s often no need to even visit the actual site at all.

Opera Mini works in a slightly different way to most mobile browsers. Instead of rendering the pages on the phone itself which in terms of processing power is pretty puny, it connects via Opera’s servers in Norway which render the pages in a mobile friendly way that then port that back to the phone.

The upside of this is that web pages fit neatly to the screen size of the phone as you can see here:

opera-mini-screenshot-overview

Although on a normal desktop browser the text of this blog fills the whole centre column, it is re-rendered to fit the screen resolution of the phone and a quick click zooms in to the actual text meaning that there’s no need for left and right scrolling, just up and down.

Anyway, that’s my tip for the day. If you’re the busy always on the go type who needs to keep up with those feeds then I’d highly recommend Opera Mini.

It does work on almost all mobile phones that run the Symbian S60 (Nokia phone operating system), Windows Mobile on them there Motorola’s and Blackberry’s although a word of caution on Blackberry’s. Check with your operator first as use of Opera Mini because it ports traffic outside of Blackberry’s own system may not be covered by a Blackberry data plan. Apparently a few people fell foul of that on O2 last year although no word as to what the current position is.

I’ll try and do a few more posts about mobile applications in the future because it’s interesting to see how things are developing and how they can impact on the way we do things differently.

A little Twitter added

To your left is a new Twitter feed added into the sidebar. I’m unconvinced at the moment as to whether it will stay there or indeed to what value Twitter is as a concept but I’m just playing around.

Pity the Flash object knocked out the CSS. I’m not a big fan of flash in general but it did look smooth. So for the moment we’re on plain old XHTML.

Sodding spam

Presumably all bloggers will be to some extent familiar with the bane that is spam.

Thanks to a few little bits an bobs set up when this site was in it’s infancy as good as no comment spam has managed to make its way onto the site.

However, the last month or so has seen a distinct upsurge targeting my contact section meaning that for the first time I actually have a few spammy e-mail’s in my inbox.

This isn’t appreciated but from my own perspective, the nature of the spam is quite interesting.

Not your common old comment spam from (insert well known spamming server), nope, this is a full on botnet scenario. Not exactly an outright DNS attack but certainly one utilising plenty of zombie PC’s (all running Windows and Internet Explorer I might add). Quite why my site and Mrs Penguin’s have become the target of a botnet is not known, other sites linking to here who use exactly the same CMS structure haven’t been affected but there you go, must have miffed off some Russians or Chinese. (note, that’s a qualified statement as most of the worlds botnet attacks originate from either of those two countries and is no way to be considered a slur on wither nationalities).

It’s a bit of a problem and vast swathes of IP addresses have been blocked. Sadly these will be to real people who then will not be able to access the site (although they’ll get a polite message and instructions on how to contact me to rectify the problem).

I just thought I’d mention it.

In a similar vein, one particular IP address has been popping up very regularly, every ten minutes to be precise and it’s from FastHosts. Not exactly my favourite company given their policy of rolling over to rich people with well paid lawyers so they’ve been blocked too. In all likelihood it is some sort of aggregating website such as the the copious number of political feed sites that seem to be everywhere these days. I haven’t got a problem usually, the porting of content across the net is fundamental to the direction in which it is going but I’m sorry, every ten minutes is taking the piss. Not even Google pop by that often so whoever it is can hop it.

Open for business (again)

Life’s returning to normal, if normal can be considered to living on 4 hours or so sleep a night and copious quantities of coke and lucozade to get through the days and nights.

Been an interesting few weeks but it’s given me the opportunity to play around with some new things.

First up on the list of priorities was the installation of the Linux variant Ubuntu 8.04 Hardy Heron that came out on 24th April.

For your delectation, here’s a bit of the old YouTubing of my new desktop.

(Note: this is running on a Targa laptop with an AMD Turion Dual Core 64Bit processor, 1024Mb of RAM and a Nvidia Geforce Go 7400 256Mb graphics card. It runs almost as well on my crappy old desktop which is a Celeron D with 512Mb of RAM and a 6 year old second hand Nvidia graphics card that probably has something like 32Mb of RAM)

Update:

Should also mention that any jerkiness, black lines in the clip are purely down to the recording process. It’s actually beautifully smooth and very fast.

Phorm – a personal perspective

Things are as far as I’m concerned pretty much in now. There’s the odd query or question regarding this system that I’d like clarification on but I’m not that fussed.

I’ve tried my best, although admittedly quite skeptical from the start to be fair and listen to what Phorm have had to say.

However, I’ve made up my mind. I am with one of the three ISP’s that are planning to implement this system and it is simple from my own perspective, I’m with Sir Tim Berners-Lee on this one as a consumer. If my ISP’s implement this system, they will no longer be my ISP. They may ‘just’ about get a reprieve if they configure their system in such a way that it constitutes a change in the terms and conditions of customers, that those who are in or out are handled at the ISP’s authentication level and that no part of my data stream goes anywhere near any bit of kit run by Phorm.

I think the problem is thus. It doesn’t matter about opt-out or opt-in cookies or any kind of guarantee that my traffic will not be analysed. It is now simply a matter of principle about what I as a customer want and how I consider the relationship with my ISP.

It’s pretty simple. I pay said ISP for a connection to the internet for a certain amount of bandwidth at a particular speed and they provide it. I don’t want content added, manipulated or impossible to block pop-ups on my screen.

I’ve spent far too much of my time messing around in both a professional and personal context with Windows based machines, hacking (manually in many cases) spyware, adware and viruses off them. I became fed up of spending my time having to deal with systems that worked in a way that meant I didn’t have control over what was going on. That’s why I run Linux, it’s about freedom, control over everything that I want on my system. It’s why I run Firefox because I can customise my web experience exactly the way I want it. Put short, it’s about individual freedom and choice, an underlying principle of the net.

This system and it’s future potential use if expanded to other areas like adverts before downloads or pop-up adverts between page loads isn’t what I want from my web experience.

It’s being marketed on the basis of providing two core enhancements to people’s web browsing. Anti-phishing technology that doesn’t seem to have any tangible benefits outside of what is already present in most good (or not good) browsers and ‘more relevant advertising’. From my perspective this is no benefit to me. I can spot a phishing site a mile off despite how clever it might be.

I don’t click on online adverts, I never have and never will because the internet for me is about finding things. If I’m after information or a particular product I’ll go out and look for it myself, adverts for me are nothing more than a waste of bandwidth.

Now if my ISP wanted to offer me a service that blocked all advertising I might well be up for that. It would save them bandwidth and costs and my web experience would be enhanced and if I could sign up to that as an individual customer, it be part of my terms and conditions then it would be great. I wouldn’t get any adverts that I’m not going to click on anyway, the ISP wouldn’t waste bandwidth serving me up adverts from sites because I’m not going to click on them anyway and the website publisher isn’t losing revenue from their adverts not being presented on my screen because, and I think I’ve mentioned it before, I’m not going to click on them anyway; everyone’s a winner.

I started a post last week about the dynamics in the market that are driving this situation, didn’t get it finished but will endeavour to this week.

Meanwhile, it’s interesting to note two things. Firstly the amusing revelation that Phorm, a company that it’s fair to say has a distinct competitor position to Google, uses Google’s services to monitor what people are saying about them online and secondly that no matter to whom I have discussed this issue, techie or non-techie, not a single person has said to me, yes, more relevant advertising, that’s exactly what I’ve been after all these years to enhance my web experience.

More answers from Phorm

Phorm have finally got back to me with answers to most of the remaining 33 questions that I asked.

I’m going to add a few notes below various answers, they’ll be in brackets in bold.

Q20. The report states that your system ignores “form fields” yet you claim that you will be collecting information regarding what people search for on the internet via search engines. The box people write their search queries in is a “form field” which appears to contradict the claim in your privacy audit report, can you clarify this situation?

A20. This could be clearer: we obtain search terms from GET submissions to known search engines. All other form fields are ignored.

Q21. The report states that data will be immediately purged from the system but “Research and debug logs may be kept on a separate system for a maximum of 14 days”. What is the nature of this separate system and as Phorm have stated that all the kit will be located within the ISP¹s infrastructure how is this data either transferred externally for research and debugging or what is the relationship regarding allowing representatives of Phorm to access ISP data infrastructure if this separate system remains located within their system?

A21. This item is a hangover from the previous attestation and needs updating. Logs contain only system health and error information. Browsing data is not included.

Q22. It has been claimed that this system would have the ability to throttle an internet users connection if they had opted out of the service but the report claims “Do not tie into the authentication systems of our ISP partners” if this is the case then how would a users connection be able to be throttled if it didn¹t know through the IS’¹s authentication systems which users had not subscribed to it?

A22. We do not tie into the ISP’s authentication system. Phorm cannot and has not claimed to throttle data. This was a speculation in an article, not originated by Phorm or the ISPs.

Q23. The report states “We offer an easy, anonymous method for users to opt out of Phorm¹s systems if they would rather not receive targeted advertising and content. For as long as a user retains the Phorm opt-out cookie, the system will not collect or store data on their browsing behavior.” However if this is the case then how does the ISP know who¹s online browsing to send to the proxy server for scanning and who¹s not to if it isn?t in anyway tied to the authentication systems of the ISP?

A23. The ISP’s system inspects the cookie and handles the user accordingly. This is browser-based and does not require integration with the authentication system.

Q24. Following on from this, if a user has an “opt-out” cookie does this mean that somewhere along the line at the ISP level, it checks to see if this Oopt-out” cookie is present and if this is the case, what would happen if a user had simply barred all cookies from “OIX.NET as per the instructions on your website?

A24. If you block cookies from webwise.net (renamed from oix.net) you will be treated as if opted out. We are advertising this method as one that survives cookie cleaning, but it is not supported in all browsers.

Q25. The report states “Because of inherent limitations in controls, error or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls.” It is of course standard practice to drop in a get out clause into any evaluation of a system and it¹s fair to assess that no system can ever 100% guarantee that things can¹t go wrong. However, what is the nature of in such an instance that something went wrong of your liability and or insurance to compensate those affected?

A25. This is the auditor’s disclaimer, not ours – and I am not a lawyer! But seriously, it’s hard to imagine an event that would require us to compensate anyone. If, for example, someone hacked into our system to get access to the data, they would be very disappointed: we simply don’t have the data — only product categories, a timestamp and a random number. Our safe, as it were, is empty. The AOL / Netflix accidental disclosure of masses of personal data could not happen with our system.

Q26. A quick break and sartorial comment and not intended in any way to be implied criticism of Phorm but why does such a respected company such as Ernst & Young who go around headhunting top graduates employ someone with such poor English grammar as to start a sentence with the word “because¹?

A26. Hmm. Perhaps grammar is different in the US? ‘Think Different’ (adverb vandalism!) springs to mind.. (btw we all use Macs so no slight intended to the great Mr Jobs)..

Q27. According to the report the system employed by Phorm does not store data with a sequence of numbers of more that three to avoid picking up credit card details. However many URL¹s contain more than three sequential numbers, as these URL¹s are passed to Phorm¹s proxy server it will store them no matter for how short a period even if it is held in RAM so does the system ignore URL¹s with sequences of number of three or more?

A27. Would you say the data was stored on an ethernet cable (for no matter how short a time)? We are clear that this kind of raw data is never stored on disk and is deleted from memory in real time. The system is not proxy-based – data capture is offline.

(A bit of a master class in avoiding the actual question. No data isn’t stored in an ethernet cable, don’t be daft we’re not talking about length of storage, we’re talking about does the system ignore URL’s with a sequence of numbers of three or more. A simple yes or no answer would have been sufficient).

Q28. Can you explain how this relationship with the cookies really works? In the case of having an opt-out cookie provided by Phorm does the ISP actively scan for the presence of this cookie on an individual users PC and if it does how can can it differentiate between any difference in service provision to that PC on a network and another PC that may have an opt-in cookie in terms of providing differential services?

A28. The ISP does not scan the PC: the cookie is detected in HTTP requests sent by the PC. On this basis the requests can be handled differently. This is browser-specific and so the sharing of a network is not important.

(I’m curious on this point. If the network is truly irrelevant and this is wholly browser based. Are Phorm saying that even in for example companies or home users with more than one computer that may run more than one web browser that each individual browser will have to be configured manually. If so, what additional costs are going to be incurred by companies and organisations to send techies round to block every single browser. Or is this not quite factually accurate in that cookies could be barred at either the router or server level and all computers behind that would be protected?)

Q29. Does the system scan all unencrypted HTTP requests including online e-mail services, private social networking sites such as Facebook and if it doesn¹t what is the system in place to allow it to differentiate between these sites and other HTTP sites?

A29. We maintain a list of webmail sites and we do not analyze their pages. In any case the content of all sites is protected by the way the system works:
it takes a ‘top 10’ of the repeated keywords from the page and matches them against a list of advertising categories, then throws the keywords away. The categories (“Channels”) are policed to ensure they do not contain personal information or match sensitive behaviours such as medical or porn. This means that unless a word from a page is a) repeated b) is one of the top 10 and c) is found in a legitimate list of advertising keywords, then it is ignored. This means that personal information cannot be matched and it passes unnoticed by the system.

(This is interesting. The basic answer is no the system can’t differentiate between private areas of non-encrypted HTTP sites so it will scan people’s web-based e-mails, private areas on social networking sites and from my own personal perspective, the backend area of my blog. Configuring this as having a list of site’s not to scan, presumably popular ones like Google Mail, Hotmail and Yahoo is no guarantee because the number of web based e-mail systems, forums, social networking sites, web based company intranets and blogs run in to the millions. At the very least this list should be made public and anyone should be able to add their site, forum, company intranet or blog to it. That does of course mean additional costs in terms of time for the people who have to do this. I wonder if there’ll be any compensation forthcoming?)

Q30. Leading on from that, the architecture of the system appears to suggest that when a HTTP request is sent to the ISP it is then passed on to a proxy server for analysis. Is content of that URL entered passed on as in the case of various community sites it may contain personally identifiable information?

A30. Please see A29 above.

Q31. At which point in the ISP¹s system is the HTTP request passed on to the proxy server. In particular, is it at the Domain Name Server stage and if so could an end user change the default settings on their router to use another DNS not from their ISP like Open DNS to avoid the sites that they visit being scanned?

A31. The system is not proxy-based – data capture is by traffic mirroring, so changing DNS will have no effect..

(So this pretty much seals the argument that there is in effect nothing whatsoever that an end user can do to stop this system apart from blocking/using an opt-out cookie).

Q32. There are with this system various “bits” of data flying backwards and forwards that are in addition to the normal data flow across an ISP¹s network specifically those on the connection between the end user and the ISP. For people on fixed limit connections, will these packets of data be discounted from the limits agreed in their contracts or comprise part of their monthly allowance?

A32. That is a matter for your ISP, but the amount of data is tiny.

Q33. As far as can be concluded from the technical data available, when a website is returned from the ISP to the end user it will have custom Javascript embedded into it to update information on the cookie held on the users computer. As a web publisher myself, have you had any kind of evaluation undertaken as to the legal position regarding copyright as although people may see exactly the same, they will be receiving code that the original author did not intend and are you going to offer an opt-out system for web publishers that do not wish for this code to be embedded into returns from their sites?

A33. The only way that Phorm javascript (aka an ad tag) will appear in a publisher’s page is if they have put it there because they are working with us.

(Just a note and I’m open to categoric denial that this will be included within the envisaged system planned with ISP’s but this is the relevant bit of the patent:
“[0035] At 206, the method includes ISP-initiation of context reading of the response data received in response to web page requests. The ISP-initiation of the context reading function may be performed by causing the context reader to be applied from the ISP to requested web page data. In particular, in FIG. 3, context reader 40 may be stored in a memory location at ISP 14, for example on a server (e.g., a proxy server) or network appliance that manages traffic through the ISP. In the present example, context reader 40 is a javascript that is embedded or injected by the ISP into response data 122, for example by the proxy server. As a result, the javascript (context reader 40) is embedded into web page 34. In typical implementations, the script is embedded into each of a plurality of pages that are requested by the client device.”)

Q34. In the case of partner advertising companies that will have Javascript embedded into their sites to search for profiled data from the cookie located on an end user¹s computer. How can you protect from that site linking up both the contained profiled data from the cookie and the users IP address if they run another statistical package that logs IP addresses thus allowing others to link profiled data to IP addresses which is one of the claimed privacy gold standards of your system?

A34. Need to clarify the question: is it about advertisers or publishers? If you browse to a website you give them your IP address directly.

(There are two elements to this question. The first is quite simple and is based on this particular part of the patent description of the technology, “[0028] Regardless of the particular data in browsing information 42, or the manner in which it is collected, the browsing information may be reported out to advertising server system 18 via Internet 12. System 18 is configured to receive browsing information 42 and use such browsing information to select context-specific advertising content 80 (such as advertisement 82) to be returned to the browser that generated the browsing information.” It means that on encountering a site with Phorm’s javascript embedded into it such as a partner advertiser, that Javascript will take the profiled information from the cookie, send it to an advertising server somewhere. As it says via the internet this model appears to suggest it is not within the ISP although I’m happy to accept you’ve dropped this approach but people will simply have to trust Phorm’s word on that. That advertising server then sends profiled advertising to the site for the end user to see. So at this point, what is to stop a partner advertiser running a malicious code to both extract profiled data and then hook up this information with the end users IP address. It must be noted that Phorm’s system has been specifically designed to take the IP address out of the loop, so why leave this possibility open.)

Q35. You state that the only information that will be collected are search term phrases and categories but according to the technical aspects of the patent application for your technology it allows for the collection of almost any kind of information including IP addresses. To what extent has the system been modified to disallow it from collecting such information that it is capable of and how can you guarantee that in the future it may not be modified to do so?

A35. The patent envisages many applications, most of which have not been implemented. The current system has no disabled functions waiting to be enabled, and your best guarantee about future systems is that they will be handled with the same transparency as this.

(I’m not going to be sarcastic but I’m sure some people may possibly find the statement on transparency amusing)

Q36. In the case of categories, the patent application states that innumerable categories and sub-categories thereof can be created. You give examples of things like travel, sport, cars etc. Do you intend to openly publish the categories and sub-categories thereof that your system is scanning people¹s web browsing for?

A36. Some categories (“Channels”) will be private for reasons of commercial confidentiality, but many will be open (and created under a wikipedia-like environment). However, ALL channels will be vetted for compliance, and will not contain personally-identifiable information or senstitive material.

Q37. What is the geographic location of the proxy server? Is it located within the ISP¹s network or externally?

A37. The system is not proxy-based – data capture is offline. Browsing data is all processed within the ISP network.

Q38. If the proxy server is located externally, where is it (nearest town will do, or in the case of these being more than one, nearest towns)

A28. Please see Q37 above.

Q39. If the proxy server is located within the ISP¹s network then what is the procedure for updates and reconfiguration or fixing if it goes wrong? In particular will someone from Phorm have the ability to remotely connect to this proxy server to change settings or is it a case that Phorm will have staff based within every ISP “minding the box” who will make changes/fix things as and when they arise?

A39. Support arrangments will depend on the ISP contract.

(I think it’s important to note that this question hasn’t been answered. It is of course highly important. How and in what way Phorm are able to access, change or reconfigure their equipment within ISP’s. A simple “we’re going to have remote access or not” would be handy. Or “we’re going to have our own staff based within the ISP to do this under their supervision” or “we’ll have no one at all with access to this kit in the ISP’s and we’ll just advise their staff” would be far more enlightening).

Q40. If the proxy server exists outside of the ISP¹s network and data is merely transmitted to it so that it can analyse web pages and return custom Javascript how does this conform with the provisions of RIPA?

A40. Please see A37 above.

Q41. So we can have an understanding of the capabilities of your system, can you tell us what make and model of hardware is going to form the proxy server set-up?

A41. No, sorry, that would be commercially confidential.

Q42. If it has, why has this service been set up as an “opt-out” service rather than an “opt-in” service. If the benefits to the consumer were so compelling then surely everyone would wish to “opt-in” to it would’¹t they?

A42. We are offering user a choice. They can opt out or in at any time. It’s worth noting that the very first thing you will see when you go online after the technology has been deployed is a full-page notice and at that point you can decide to opt out. In line with our commitment to transparency, you will see banner ads saying that Webwise is on. So if you don’t want it, you will be able to click on these ads and switch them off.

(Just to note that didn’t actually answer the question of why is this not ‘opt-out’ by default?)

Q43. Some of the ISP’?s already quoted by your company as having signed up to this service have issued statements on their site pointing to the benefits of the anti-phishing technology of the system to make the internet safer for users. Can you tell us what additional protection against phishing Phorm’?s technology adds in terms of security to the end user that is not already present in the two most commonly used browsers, Internet Explorer and Firefox?

A43. Being network based, it covers people who do not have the latest browser versions, or have not enabled the anti-phishing features, or have misconfigured it.

(OK, I know this is sarcastic but the answer is presumably sod all benefit to the end user whatsoever unless you’re completely stupid in which case you’re probably best off not using the internet in the first place).

Q44. Leading on from the last question, if Phorm or through it’?s partners have additional knowledge of phishing sites that the maintainers of Firefox and Internet Explorer do not, then why do Phorm and their partners in the altruistic nature of trying to make the internet safer for everyone simply hand over this knowledge to Microsoft or Mozilla or indeed try and sell it directly?

A44. We use commerical providers for our anti-phishing feeds. Some are the same as those used by Google and Microsoft, some are different and have different coverage.

(Note no answer to if you have additional knowledge of phishing sites why don’t you just give them away or sell them on).

Q45. The patent pending application for the technology behind this system gives an instance of if for example an end user wants to download a large file, say a music file then the system has the ability to send an advertisement ­ presumably a pop-up that would be akin to a television advertisement before the download takes place. Thus attempting to extract advertising revenue to offset the higher bandwidth that the user may be consuming. Can you confirm that such a capability of this system will not be implemented?

A45. The system does not have the capability at the moment, and if the ISPs are able to gain a reasonable revenue from participating in the online ad market through Phorm, then it should never be necessary.

(If this was a politicians answer then it would be ripped apart. The key phrase is ‘at the moment’ akin to the often stated ‘we have no plans to’ or ‘I cannot envisage a situation where we might do this’. OK, to be fair to Phorm they’ve got to leave themselves open to doing more things in the future but it seems fairly clear in the second part of the answer that if the ISP’s don’t make enough out of the current arrangement we could well be seeing adverts before downloading files, or the other possibility as laid out in the patent application, pop-up advertising between page loads. Pop-ups that presumably could not be stopped).

Q46. When I inadvertently left a bit of Javascript active in my blog post when I copied and pasted the technical elements of your system I noticed some interesting behaviour when my page loaded. When the page was loading it looked elsewhere for information. Although I accept it was probably a test server and will not have the capabilities of a production grade operation, it delayed the load time of my site. With that in mind, as far as I can tell it was looking for information from an external source. If this was a working system in place and I came across a partner advertisers site with your system’s Javascript embedded, where would it look for information? My reading of this is that the Javascript would look for, profiled information on the cookie on my computer then port that information to another server which would then provide the targeted advertising and insert it into the page that is loading. If this is the case, where is this server going to be located and if it is a core server system of Phorm how does this not only send information to an external location outside of my ISP but if the connection is direct between my browser and this server not allow for the possibility of both the profiled data on my cookie and my IP address to be put together?

We’ll get back to this week with an answer

(Just to note, it’s very similar to question 34 that additional clarification was requested for).

Q47. Will Javascript be embedded into every page that I load irrespective of whether I opt out of this system or simply block cookies from OIX.NET?

A47. Phorm ad tags contain javascript but they will only appear in a page where the website has placed them there. If you are opted out, you will not see a relevant ad, but you are likely to be shown the original, probably less relevant ad by the website anyway.

Q48. Can you confirm or categorically deny that your system was trialled in 2007 with BT?

A48. No.

(I’m not sure whether this is a ‘no we didn’t trial the system with BT in 2007’ or ‘no we can’t confirm or deny it’. Anyway, according to here, here, here, and here. So the answer is yes, it was trialled with BT in 2007 without customers being informed which is presumably why some of them are now planning to sue BT.

Q49. Can you tell us when this system is due to go live with the three ISP’?s already mentioned on your site to have signed up for this?

A49. No, the ISPs will be communicating directly with their customers so look out for the messages…

Q50. Can you tell us when the Javascript will begin to be embedded on you partner advertisers sites (Guardian and Financial Times)?

A50. No, but it’s worth pointing out the “javascript” is nothing more sinister than an ad tag, similar to most others on the market. The difference is in Phorm’s ability to serve a relevant ad into the space on the page.

Q51. Will you be making public and publishing a list of partner advertising sites?

A51. The PR team may!

Q52. Can you tell us at what time various ISP’?s will be running trials on this system prior to full scale implementation?

A52. No, they will be communicating directly with their own customers – does this mean you have more that one ISP yourself?

(Not quite sure what the question about me having more than one ISP is about but no, why would I?)

Hellish week

Sitting here with the laptop on the sofa getting prepared to head off for an uncharacteristic early night.

I’m distinctly tired. Done a lot this week but sadly nothing really to do with the blog. Work’s been hard, meetings have been hard and to top it we’ve had the combination of visitors staying for the weekend with the start of the Formula 1 season.

So a brief synopsis is in order.

I’m knackered and need rest.

Still no answers to the 33 other questions that I asked Phorm that I was promised they would answer a week ago and have received further assurances of answers to. I would particularly like this as much of what is important regarding this issue is dependent upon those answers.

I’ve got through the weekend on somewhere around 6 hours sleep having been up all night for the qualifying and race for the Australian Grand Prix while trying to fit in work around it. Suffice to say, very happy with the results so far this season. Lewis Hamilton and McLaren lead the points tables and I’m very much looking forward to next week’s race.

I do have one gripe though. I’m not a big fan of Bernie Ecclestone and this whole concept of ‘night races’ in the Pacific area to fit in with midday European viewers is not my cup of tea either. Personally I like getting up in the middle of the night to watch the race (or simply not sleeping at all) it’s part and parcel of being a dedicated F1 fan.

Apart from that, if F1 fans from the Asia Pacific Region have to get up in the middle of the night to watch the vast bulk of races that are held in Europe then why should they have to do the same for races in their neck of the woods. It is after all a global sport.

That said, they did change the time of the Australian race this year meaning that rather than the convenient stay up late to catch the race at 1am GMT I had to wait till 4am which wasn’t good.

Went to the theatre today. To be more specific the Grand Theatre in Wolverhampton to see the Solid Silver 60’s Show. It’s nice to occasionally remind oneself that there is a world outside of family commitments, politics and techie related stuff. Highlights were of course Dave Dee Dozy Beaky Mick and Titch who were a class act as usual but also Gerry and the Pacemakers. Not sure how well it would go down with fellow Wulfrunians to be caught singing ‘Walk on'(with hope in you heart) but there you go.

A few words

I thought I better pen something, just a few things to clear up and the odd request. It’s been a bit of a funny old week. I’d just like to say a welcome to the 50-odd thousand or so more visitors than I normally get who’ve dropped by in the past week.

I should really point out that this is really a political blog, not specifically a technology blog, although I am of course a techie who writes on occasion about technical/IT issues.

I think I’ve got round to answering or responding to all the comments that were directed towards me and I’ll equally try to get round to replying to all the people who have sent me private messages over the past week but please bear with me. With that in mind, I just need to point out that this website is to all intents and purposes my hobby when I have free time so I apologise if it sometimes takes a while to OK comments or to respond but I am a fairly busy guy.

On a side note, a friend of mine did point out that while all this additional traffic was passing through I should have banged in some Google Ads for the click-through but we’ll leave that matter there shall we. Just to note, this site is funded wholly by myself out of my own pocket personally although it doesn’t really cost that much to run.

Two quick requests. I did mention it before but for new people here, I know how strongly some people feel about this issue but if we could keep it mature, preferably no profanity or unfounded allegations then that would be appreciated. I’ve not yet had to edit the content of a comment on this site since it was set up and I would like to not have to. Related to that, if you wish to post links that are quite long and you know how to write the HTML script for links then please do, it saves me having to go through comments and doing it as it throws some of the CSS on the site out which doesn’t look good.

I was going to do a longer post on this issue tonight but I’ve had to do some work and it’s getting late so I’ll leave it for now and hopefully get it done tomorrow.

Some questions answered by Phorm

I’m just posting up in a main article, answers to some of the questions I asked of Phorm as they were published in the comments section of another post and just in case anyone missed them.

I’m still waiting on answers to the other ones but at least they’ve been good enough to address these so far.

Here you go:

1. Phorm changed their name from 121 Media Inc as of their AGM on 26 April
2007. What was the rational behind this decision?

As we began to grow and hire more people and looked to international
markets, we realised that our name 121Media was a play on words that only
really worked in English and it wasn’t a very good play on words at that.
It’s true that England and America are divided by a common language — often
when we spoke to Americans they called us one-twenty-one media, so we
thought we needed a better name — one that reflected a company that can
help the internet change, or morph, around your interests.

2. Can you tell me what the financial position of Phorm was at the end of
the financial year for 2007 ie, end of December 2007 as we¹re talking US
financial years. In particular, what was the annual turnover of the company,
it¹s gross and net profits/losses and it¹s capital value?

Please see all of our accounts that are published on the website:
www.phorm.com/investors
Also, every market announcement we’ve made to the market is available on our
site. Www.phorm.com/announcements

3. I understand that you are paying British ISP¹s large quantities of money
to be able to be able to put your system into their networks. The much
quoted figure for your payment to BT is £85million. Can you confirm or rebut
this figure and what are the relevant figures for Talk Talk and Virgin
Media?

That’s wrong. We are not paying ISPs anything. More relevant advertising is
more valuable and so the OIX creates value throughout the advertising chain:
websites make more money (including blogs and the ‘long tail’ as what
matters is that an interested person is looking at the site, not what’s on
the site), advertisers get better ROI, consumers see ads that are more
interesting or relevant (eg sales). In addition, the OIX will not serve pop
ups or pop unders. There is a revenue share between the ISP and phorm.
Please see the phorm.com site for a diagram of revenue flows. The figure
from Investec took into account trends in online advertising spend and other
factors.

4. If Phorm possess the kind of money you are rumoured to be offering
various ISP¹s and based on the registered losses of the company for 2005 and
2006, where is this money coming from? Or in the case that the money doesn¹t
exist but your company has been underwritten in some kind of agreement on
assumption of future profitability based on your business model, who¹s doing
the underwriting?

As above. We are not paying the ISPs anything.

5. Your site claims that you have already confirmed deals with BT, Virgin
Media and Talk Talk, have you confirmed deals with any other UK ISP¹s to
date and which ISP¹s are you currently in discussions with to provide this
service?

These are commercially confidential.

6. How many employees does Phorm have working for it, encompassing all
geographical areas of operation? By this the assumption is that you have
employees in the UK and the US or indeed anywhere else in the world.

We have approximately 145 employees worldwide, located in the UK, US and
Russia.

7. In which countries do Phorm have any kind of fixed operational base or
employees?

As above.

8. Do Phorm have any operational bases or data communications services in
either China or Russia?

Yes we have a development team in Russia (we also have dev teams in London
and New York)

9. I¹m sure you can understand people¹s concerns that a company which on
paper only appears to have a virtual and or shared office space in London
and an address in Delaware in the US that has previously been identified as
a base of operations or indeed simply a forwarding mail service for e-mail
spam/scams so I¹d like to ask a few questions regarding these two registered
addresses.

Concerning your London offices:

10. The company that runs your London address is advertised as offering
virtual offices. shared desks for those who rent space there for when
they¹re needed and also a ¹serviced office¹ arrangement comprising of staff
to answer calls for companies who rent space and to forward on mail. Can you
confirm a few things regarding your London set up?

11. Is anyone permanently stationed within these premises or are they
operated as a virtual office and temporary for employees taking advantage of
the Œhot desking¹ facility?

Yes people are permanently stationed here. We have approximately 60 full
time people in London. If you saw the clutter on our desks you would realise
the impossibility of any hot desking 🙂

If you’re in any doubt about whether the offices are real, then do contact
Jack Marshall at ClickZ or Chris Williams at The Register who came to visit
us here.

See the following articles:

Clickz
The Register

12. (Determinate on the last question) How many employees does Phorm have
permanently based in your London registered address?

About 60 noted as above

13. I don¹t expect you to get the tape measure out but what is the rough
office space area that Phorm take up in these premises?

It’s big — enough for 60 people and their clutter. Political Penguin, I
think we’ve invited you to come and see us? If not, then consider the
invitation extended. Email me.

Concerning your US office:

14. I know it sounds pedantic, but does this address actually exist or is it
simply a mail forwarding service?

It exists. It is not a mail forwarding service

15. (Determinate on the last question) How many employees are permanently
based in your US registered office?

I guess about 40 people

16. Again, what is the approximate size of this base of operations in terms
of office space taken up?

Smaller than UK — smaller desks. With those American dividers.

Getting a little bit techie now.

17. It is a common trait of scam operators is to register domain names via
proxy domain registrars. Although it is not necessarily appropriate to make
assumptions of a company based on the practices of others why have you
registered www.phorm.com, www.webwise.com and www.oix.com via the use of a
proxy registrar instead of an open registration that is linked to the
address of one of your offices be it the one in the US or the one in the UK?

Not sure — will get back to you. But I know that ahead of the announcement
we did not want a leak so we were careful not to give our brand names away.

18. You claim that you have been assessed by Privacy International. Can you
explain why there is no reference to ŒPhorm¹ on their website and if this
assessment is available can you tell us both who from Privacy International
undertook it and publish a copy?

I’ve tried to clarify this here and on other blogs, and it’s true that Kent
does refer to PI when in fact the Privacy Impact Assessment was conducted by
Simon Davies of 80/20 Thinking, a privacy consulting firm. Simon is the
director of Privacy International and he and a colleague at Privacy
International, Gus Hosein, conducted the assessment. As I have mentioned
before Simon is known for his unforgiving scrutiny so we felt he was the
best man for the job.

19. Who has Phorm asked to evaluate the legal position of their technology
in respect of both the Data Protection Act 1999 and the Regulation of
Investigative Powers Act 2000 and if such a report has been compiled, can
you publish it?

Consumer privacy protection is of paramount importance for us (remember,
we’ve built a system that stores no data — and it’s been designed that way.
We haven’t bolted on privacy protection as an afterthought. We built the
technology so as we can never know who you are, where you’ve browsed).

Our technology complies with the Data Protection Act, RIPA and other
applicable UK law.