
Another quickie

Plans for tutorials are scrapped for a day or so because Phorm have been in touch regarding clarifications and have invited me to ask them questions about their system. If I get satisfactory answers, it will save me a lot of time writing tutorials.

So although I can think of loads of questions that I’d like to ask, I thought, in the spirit of openness and public participation, I’d open this one up.

I’ll get round to sending off the questions some time tomorrow (Wednesday) so you haven’t got long.

You can do this in two ways. Drop a comment on this post or if you want to do it a bit more privately, send me a mail via the contact section.

(Note to those new to the site, there’s been lots of you over the past few days. When submitting comments it can take a while, just wait for the page to reload. This is because there are lots of little bits of script going on to filter out spam and other unwanted nasties. If it’s the first comment you send then you’ll have to wait for it to be moderated before it will appear so bear with me, I have a busy day tomorrow. Oh, and please no profanity, I understand some people feel very passionately about this issue but let’s try and keep it civilised, inquisitive but also informative).

15 Responses to “Another quickie”

  1. Watching Them, Watching Us responded:

    1) Ask Phorm how exactly they think that they are exempt from the criminal offence (penalty up to 2 years in prison) of illegal interception of communications under the Regulation of Investigatory Powers Act 2000 Part 1, especially, but not exclusively, regarding web front ended email communications ?

    Here

    2) How can they prove to the sceptical public, that not accepting or blocking a www.oix.net cookie, will not just simply prevent them from being served “personalised” adverts, but will positively guarantee that their web pages are not ever sniffed and analysed by their man-in-the-middle attack hardware ?

    3) If they want to salvage what little of their business reputation remains, will they consider actually re-engineering their hardware and their marketing hype promises about “anonymisation” and “100% Consumer Privacy” to actually provide proper anonymised web cache browsing of the internet, which hides the consumer’s real IP address and browser variables, etags etc. from web sites ? I might actually be willing to allow targeted advertising from OIX partners, if that were to be the case, if this facility could be simply switched on through a cookie, or just by my web proxy configuration software e.g. the Foxy Proxy plugin for Firefox ?

  2. Rod responded:

    Can you ask how the opt out works. If it’s a cookie surely it will be removed every time I clean up my machine and what about people with more than one pc at home, do they have to opt out on all machines being used? Also, like previously mentioned can you ask them to clarify the process i.e. if I opt out are they still filtering my traffic and simply not inserting javascript at the final phase or am I really opting out of the whole caboodle. Finally, could you ask them just how they think the public is going to buy into this whole concept? I mean the news hasn’t really broken in the mainstream media but already they are getting a tough time and all the people I talk to about it are pretty taken aback. Oh and Good work by the way.

  3. Jamie Dowling responded:

    A Phorm spokesman “said Privacy International had given the technology the thumbs-up.” (on http://www.theregister.co.uk/2008/02/25/phorm_isp_advertising/page2.html if you want to check it). I’ve searched the PI website and found no mention of Phorm or any approval from PI. Ask them to publish these comments from PI and the name of the person who, in their capacity as a PI representative, made them.

    Why has the system not been audited and reported on by an independent and recognised technical expert? An accountancy house report doesn’t fill me with any confidence at all.

    Why isn’t the system opt-in rather than opt-out? I’ve already refused Virgin Media permission to pass on any personal information about me or my internet activity to any third party. What provisions have you made for people who want no part of any involvement with Phorm?

  4. comms team responded:

    Hi Jamie,

    I’m part of the Comms team at Phorm and I’d like to clarify the involvement of some of the guys from Privacy International with Phorm. Simon Davies (director, Privacy International, managing director 80/20 Thinking, the consulting wing of PI) and his team conducted a Privacy Impact Assessment on our technology and systems.

    Here’s what Simon (a 30 year veteran of the privacy debate and leading global privacy advocate) had to say: “In our view, Phorm has implemented privacy as a key design component in the development of its system. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.”

    The 80/20 Thinking team will be working with us on an ongoing basis throughout the year and will be producing the full Privacy Impact Assessment report shortly. I’d be happy to share it with you when it comes out. If you’d like further information just drop me a line.

    Best wishes

    Radha

  5. Rod responded:

    @ Radha,

    To be honest I don’t care what your privacy guy says. I find the thought of a third party skimming off all my web traffic to see what I do and hopefully make some money by modifying the page I requested to target me an ad abhorrent. I look forward to joining the class action lawsuit against my ISP when the time comes. Although to be honest when BT and the like realise the scale of the opposition to this I think they’ll drop it like the dead turkey it is. If I was you I’d get my CV up to date. Oh and by the way, how do you sleep at night?

  6. Julian Smart responded:

    Firstly, consultants paid to do this kind of work will of course be completely unbiased about their paymaster.

    Secondly, according to a communication from PI copied to comments at The Register, PI management have been trying to get Phorm to take down the claims from their web site for some time. Apparently the members of PI who did this consultancy in their spare time do not speak for PI. So quite soon Phorm will have to stop saying that PI has okayed their system when it becomes clear what actually happened. The barefaced cheek of these guys is breathtaking.

  7. tech team responded:

    Hi Rod,

    You may not agree, but I think it matters that we have been audited by one of the country’s leading privacy advocates. It matters a lot. Simon Davies has spent the best part of three decades railing against invasions of privacy and he can see how our system could be considered a Privacy Enhancing Technology.

    There seems to be an accepted myth that in order to provide relevance online you have to store personal data and / or browsing histories for months on end. Our system does not and cannot do that.

    I’d like to clear up a misconception that we insert ads into pages or modify them without consent. Ads served by the OIX will only be shown on websites we partner with.

    Re the opt out, if you opt out — or switch the system off, it’s off. 100%. No browsing data whatsoever is passed from the ISP to Phorm. We should be clear that the Phorm servers are located in the ISP’s network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be adverts from the OIX system and they will not be relevant to your browsing.

    I am aware we’re clogging up bob piper’s board so if you have more questions or concerns and if you’d like to be walked through the system in detail please email techteam@phorm.com

    Thanks R

  8. Julian Smart responded:

    Here’s the reply that a Register reader got from PI:

    “We have been pushing for Phorm to remove this content for quite some time now. PI does not work for companies, nor do we endorse products.

    Two of PI’s staff members, in a private venture, advised Phorm of the serious risks that their technology raised. We are pushing for Phorm to disclose this risk assessment.

    To avoid any conflict of interest, we have notified our Trustees and International Advisory Board of this activity.

    The reality is that PI’s accounts are so weak that we must often fund ourselves through other ventures.”

    (http://www.theregister.co.uk/2008/03/04/phorm_ripa/comments/)

    So the question is, who actually did this assessment? From the above, apparently not PI itself, in any official capacity. And yet we have Marc Burgess quoted as saying: “Privacy International have done a privacy impact assessment, and they will be doing spot checks.” (http://www.guardian.co.uk/technology/2008/mar/05/privacy.internet.phorm)

    So it seems that Phorm would like us to think that the assessment is more official than it actually is. Oh dear. Anyone still trust Phorm with their data?

  9. poons responded:

    Hi, Enjoying your take on this but the post “Phuck off Phorm Part2” is cutting off in section [0025] - I suspect that the java code is being interpreted by IE7 and cutting the page. (checked the source - yes it is)

    Have they already rolled this out in the US? Or are they thinking that using the UK as a test bed would give them an easy ride?

    regards

    poons

  10. jojo responded:

    Why, if what Phorm’s spokesperson says is true, does The Register’s 5th March article state:

    “…according to a spokesman for Phorm, the way the opt-out works means the contents of the websites you visit will still be mirrored to its system. Profiler hardware (see network diagrams here) will simply not categorise the pages or attempt to serve up target ads…”

    Contradiction or misunderstanding?

    Also,

    What happens to other data requests, i.e. UDP, FTP, etc?

    Is this info still mirrored to Phorm, but then they ignore it?

    What makes our ISPs trust this Kurt guy in the 1st place, given his terrible reputation?

    Finally, how do we get the National Media interested in this?

    Obviously those already in bed with Phorm (News International, Grauniad) will be no use.

    Maybe what we need to think of is who stands to lose out to Phorm financially (google, doubleclick) and use them to lobby for us.

  11. Political Penguin responded:

    Cheers for the heads up Poons. Hadn’t noticed not being an IE user. Should be fine now.

  12. Oblonsky responded:

    A lot of noise on the blogs and finally a good piece in print in today’s Guardian.

    My worry is not so much about Phorm right now but the precedent it sets, how any future software upgrade will change the information reaped, whether the infrastructure and database can be exploited by hackers and whether competing systems, once this type of infrastructure is given the go-ahead, will be implemented without maybe so much care and attention to privacy as Phorm has given.

    I’m not so much against Phorm, but the system blueprint itself is inherently dangerous.

    Also intrigued about the alleged “China” connection. Several blog posts have been removed, e.g. the first Guardian blog article - poster Iamthelaw (NOT me). I looked into this in depth and currently (as of Feb 29th) whois records show New York registrant and server location uses a Gloucester-based ISP.

    Now, interestingly Phorm have been on a charm offensive trying to discredit the vocal IT crowd claiming the original China “misinformation” came from someone with finger-trouble who’d checked oxi.com [sic]. oxi.com is perhaps a typo, owned by a well established NY firm. oxi.net is also unrelated. oix.net used by Phorm whois was last changed Dec 07, HOWEVER, oix.com whois last changed FEB 29 2008! Now I’m sure the China rumour is just that, however since oix.com owned by Phorm has updated the whois record who can prove what it said on Feb 13th BEFORE this story broke?

  13. Political Penguin responded:

    To Oblonsky,

    Yes I agree as regards there have been rumours flying around regarding Phorm that are completely unsubstantiated. The most eminent being connections to China. I too read this rumour firstly on The Register and decided to check it out myself. Like yourself, I found no connection whatsoever and everything pointed to servers near Gloucester.

    I did later notice that the registration for oix.com, also webwise.com and phorm.com were registered prior to Feb 29th via an anonymising proxy registrar, ironically as I did the research on the 28th but they were subsequently changed.

    I’m more than happy though to accept Phorm’s explanation that this relates more to trying to keep out any information from competitors than to point to anything that might be dodgy.

    You could find out the historical data regarding registrations of domain names if you pay for it, but I think in this case it’s not a particularly important aspect.

  14. Alexander Hanff responded:

    Mr. Penguin,

    Can I please bring your attention to the following two articles:

    http://nodpi.org/?p=9

    and

    http://nodpi.org/?p=10

  15. Political Penguin responded:

    I’ll get back to you via e-mail mate.

© 2008 Political Penguin