Update on Phorm for tonight
Just thought I’d post up the questions that I’ve now sent off to Phorm. I’m sure I’ve probably missed something out but feel free to keep posting them in the comments section as they are obviously now regular visitors to my site and I’m sure they’ll answer them.
Incidentally, for the muppet from London (not connected to Phorm) trying to look up my personal identity, yes I did notice what you were up to. However, it did make me realise that perhaps my skepticism regarding Phorm’s system coupled with my technical writings could lead some people to conclude that I had a vested interest in all this so I thought it apt to just put people in the picture. Yes, I’m a techie, yes I know a lot about online advertising, no I don’t work in the business of online advertising nor for any competitor of Phorm. In this instance I am simply a tech savvy geezer who takes their personal online privacy seriously and has misgivings about the potential application of this system by Phorm although I am a fair person who is always happy to listen to both sides in any situation.
Right, here are the questions, might take them a while to draw all the information together as there’s a fair few and some are quite technical so let’s see how they respond.
1. Phorm changed their name from 121 Media Inc as of their AGM on 26 April 2007. What was the rationale behind this decision?
2. Can you tell me what the financial position of Phorm was at the end of the financial year for 2007, i.e. end of December 2007 as we’re talking US financial years? In particular, what was the annual turnover of the company, its gross and net profits/losses and its capital value?
3. I understand that you are paying British ISPs large quantities of money to be able to put your system into their networks. The much quoted figure for your payment to BT is £85million. Can you confirm or rebut this figure, and what are the relevant figures for Talk Talk and Virgin Media?
4. If Phorm possess the kind of money you are rumoured to be offering various ISPs and based on the registered losses of the company for 2005 and 2006, where is this money coming from? Or, in the case that the money doesn’t exist but your company has been underwritten in some kind of agreement on the assumption of future profitability based on your business model, who is doing the underwriting?
5. Your site claims that you have already confirmed deals with BT, Virgin Media and Talk Talk. Have you confirmed deals with any other UK ISPs to date, and which ISPs are you currently in discussions with to provide this service?
6. How many employees does Phorm have working for it, encompassing all geographical areas of operation? By this the assumption is that you have employees in the UK and the US or indeed anywhere else in the world.
7. In which countries do Phorm have any kind of fixed operational base or employees?
8. Do Phorm have any operational bases or data communications services in either China or Russia?
9. I’m sure you can understand people’s concerns about a company which on paper appears to have only a virtual and/or shared office space in London and an address in Delaware in the US that has previously been identified as a base of operations, or simply a forwarding mail service, for e-mail spam/scams, so I’d like to ask a few questions regarding these two registered addresses.
Concerning your London offices:
10. The company that runs your London address is advertised as offering virtual offices, shared desks for those who rent space there for when they’re needed, and also a ’serviced office’ arrangement comprising staff to answer calls for companies who rent space and to forward on mail. Can you confirm a few things regarding your London set up?
11. Is anyone permanently stationed within these premises, or are they operated as a virtual office and used temporarily by employees taking advantage of the ‘hot desking’ facility?
12. (Dependent on the last question) How many employees does Phorm have permanently based at your London registered address?
13. I don’t expect you to get the tape measure out but what is the rough office space area that Phorm take up in these premises?
Concerning your US office:
14. I know it sounds pedantic, but does this address actually exist or is it simply a mail forwarding service?
15. (Dependent on the last question) How many employees are permanently based in your US registered office?
16. Again, what is the approximate size of this base of operations in terms of office space taken up?
Getting a little bit techie now.
17. It is a common trait of scam operators to register domain names via proxy domain registrars. Although it is not necessarily appropriate to make assumptions about a company based on the practices of others, why have you registered www.phorm.com, www.webwise.com and www.oix.com via a proxy registrar instead of an open registration linked to the address of one of your offices, be it the one in the US or the one in the UK?
18. You claim that you have been assessed by Privacy International. Can you explain why there is no reference to ‘Phorm’ on their website, and if this assessment is available can you tell us who from Privacy International undertook it and publish a copy?
19. Who has Phorm asked to evaluate the legal position of their technology in respect of both the Data Protection Act 1999 and the Regulation of Investigatory Powers Act 2000, and if such a report has been compiled, can you publish it?
A few questions regarding the privacy audit undertaken by Ernst & Young.
20. The report states that your system ignores ‘form fields’ yet you claim that you will be collecting information regarding what people search for on the internet via search engines. The box people write their search queries in is a ‘form field’ which appears to contradict the claim in your privacy audit report, can you clarify this situation?
21. The report states that data will be immediately purged from the system but ‘Research and debug logs may be kept on a separate system for a maximum of 14 days’. What is the nature of this separate system and as Phorm have stated that all the kit will be located within the ISP’s infrastructure how is this data either transferred externally for research and debugging or what is the relationship regarding allowing representatives of Phorm to access ISP data infrastructure if this separate system remains located within their system?
22. It has been claimed that this system would have the ability to throttle an internet user’s connection if they had opted out of the service, but the report claims ‘Do not tie into the authentication systems of our ISP partners’. If this is the case, then how would a user’s connection be able to be throttled if the system didn’t know, through the ISP’s authentication systems, which users had not subscribed to it?
23. The report states ‘We offer an easy, anonymous method for users to opt out of Phorm’s systems if they would rather not receive targeted advertising and content. For as long as a user retains the Phorm opt-out cookie, the system will not collect or store data on their browsing behavior.’ However, if this is the case then how does the ISP know whose online browsing to send to the proxy server for scanning and whose not to, if it isn’t in any way tied to the authentication systems of the ISP?
24. Following on from this, if a user has an ‘opt-out’ cookie does this mean that somewhere along the line at the ISP level, it checks to see if this ‘opt-out’ cookie is present and if this is the case, what would happen if a user had simply barred all cookies from OIX.NET as per the instructions on your website?
25. The report states ‘Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls.’ It is of course standard practice to drop a get out clause into any evaluation of a system, and it’s fair to assess that no system can ever 100% guarantee that things can’t go wrong. However, in the instance that something did go wrong, what is the nature of your liability and/or insurance to compensate those affected?
26. A quick break and sartorial comment and not intended in any way to be implied criticism of Phorm but why does such a respected company such as Ernst & Young who go around headhunting top graduates employ someone with such poor English grammar as to start a sentence with the word ‘because’?
27. According to the report, the system employed by Phorm does not store data with a sequence of more than three numbers, to avoid picking up credit card details. However, many URLs contain more than three sequential numbers; as these URLs are passed to Phorm’s proxy server it will store them, no matter for how short a period, even if only in RAM. So does the system ignore URLs with sequences of three or more numbers?
The distinctly more techie questions:
28. Can you explain how this relationship with the cookies really works? In the case of having an opt-out cookie provided by Phorm, does the ISP actively scan for the presence of this cookie on an individual user’s PC, and if it does, how can it differentiate between that PC on a network and another PC that may have an opt-in cookie in terms of providing differential services?
29. Does the system scan all unencrypted HTTP requests including online e-mail services, private social networking sites such as Facebook and if it doesn’t what is the system in place to allow it to differentiate between these sites and other HTTP sites?
30. Leading on from that, the architecture of the system appears to suggest that when an HTTP request is sent to the ISP it is then passed on to a proxy server for analysis. Is the content of the URL entered passed on as well, given that in the case of various community sites it may contain personally identifiable information?
31. At which point in the ISP’s system is the HTTP request passed on to the proxy server? In particular, is it at the Domain Name Server stage, and if so could an end user change the default settings on their router to use another DNS not from their ISP, like OpenDNS, to avoid the sites that they visit being scanned?
32. With this system there are various ‘bits’ of data flying backwards and forwards that are in addition to the normal data flow across an ISP’s network, specifically on the connection between the end user and the ISP. For people on fixed limit connections, will these packets of data be discounted from the limits agreed in their contracts or comprise part of their monthly allowance?
33. As far as can be concluded from the technical data available, when a website is returned from the ISP to the end user it will have custom Javascript embedded into it to update information on the cookie held on the user’s computer. Speaking as a web publisher myself: have you had any kind of evaluation undertaken as to the legal position regarding copyright, as although people may see exactly the same page, they will be receiving code that the original author did not intend? And are you going to offer an opt-out system for web publishers that do not wish for this code to be embedded into returns from their sites?
34. In the case of partner advertising companies that will have Javascript embedded into their sites to search for profiled data from the cookie located on an end user’s computer, how can you protect against that site linking up the profiled data contained in the cookie and the user’s IP address if they run another statistics package that logs IP addresses, thus allowing others to link profiled data to IP addresses, the prevention of which is one of the claimed privacy gold standards of your system?
35. You state that the only information that will be collected are search term phrases and categories but according to the technical aspects of the patent application for your technology it allows for the collection of almost any kind of information including IP addresses. To what extent has the system been modified to disallow it from collecting such information that it is capable of and how can you guarantee that in the future it may not be modified to do so?
36. In the case of categories, the patent application states that innumerable categories and sub-categories thereof can be created. You give examples of things like travel, sport, cars etc. Do you intend to openly publish the categories and sub-categories thereof that your system is scanning people’s web browsing for?
37. What is the geographic location of the proxy server? Is it located within the ISP’s network or externally?
38. If the proxy server is located externally, where is it? (Nearest town will do, or in the case of there being more than one, nearest towns.)
39. If the proxy server is located within the ISP’s network then what is the procedure for updates and reconfiguration or fixing if it goes wrong? In particular will someone from Phorm have the ability to remotely connect to this proxy server to change settings or is it a case that Phorm will have staff based within every ISP ‘minding the box’ who will make changes/fix things as and when they arise?
40. If the proxy server exists outside of the ISP’s network and data is merely transmitted to it so that it can analyse web pages and return custom Javascript how does this conform with the provisions of RIPA?
41. So we can have an understanding of the capabilities of your system, can you tell us what make and model of hardware is going to form the proxy server set-up?
42. If it has, why has this service been set up as an ‘opt-out’ service rather than an ‘opt-in’ service? If the benefits to the consumer were so compelling then surely everyone would wish to ‘opt-in’ to it, wouldn’t they?
43. Some of the ISP’s already quoted by your company as having signed up to this service have issued statements on their site pointing to the benefits of the anti-phishing technology of the system to make the internet safer for users. Can you tell us what additional protection against phishing Phorm’s technology adds in terms of security to the end user that is not already present in the two most commonly used browsers, Internet Explorer and Firefox?
44. Leading on from the last question, if Phorm, or its partners through it, have additional knowledge of phishing sites that the maintainers of Firefox and Internet Explorer do not, then why do Phorm and their partners, in the altruistic nature of trying to make the internet safer for everyone, not simply hand over this knowledge to Microsoft or Mozilla, or indeed try and sell it directly?
45. The patent pending application for the technology behind this system gives an instance where, if for example an end user wants to download a large file, say a music file, then the system has the ability to send an advertisement – presumably a pop-up that would be akin to a television advertisement – before the download takes place, thus attempting to extract advertising revenue to offset the higher bandwidth that the user may be consuming. Can you confirm that such a capability of this system will not be implemented?
46. When I inadvertently left a bit of Javascript active in my blog post when I copied and pasted the technical elements of your system I noticed some interesting behaviour when my page loaded. When the page was loading it looked elsewhere for information. Although I accept it was probably a test server and will not have the capabilities of a production grade operation, it delayed the load time of my site. With that in mind, as far as I can tell it was looking for information from an external source. If this was a working system in place and I came across a partner advertisers site with your system’s Javascript embedded, where would it look for information? My reading of this is that the Javascript would look for, profiled information on the cookie on my computer then port that information to another server which would then provide the targeted advertising and insert it into the page that is loading. If this is the case, where is this server going to be located and if it is a core server system of Phorm how does this not only send information to an external location outside of my ISP but if the connection is direct between my browser and this server not allow for the possibility of both the profiled data on my cookie and my IP address to be put together?
47. Will Javascript be embedded into every page that I load irrespective of whether I opt out of this system or simply block cookies from OIX.NET?
48. Can you confirm or categorically deny that your system was trialled in 2007 with BT?
49. Can you tell us when this system is due to go live with the three ISP’s already mentioned on your site to have signed up for this?
50. Can you tell us when the Javascript will begin to be embedded on your partner advertisers’ sites (Guardian and Financial Times)?
51. Will you be making public and publishing a list of partner advertising sites?
52. Can you tell us at what time various ISP’s will be running trials on this system prior to full scale implementation?
For starters, go out and buy The Guardian or read online. Front page spread of the TechnologyGuardian supplement.
Secondly, re: Russia:
A little-noticed piece by Mail on Sunday journalist Simon Fluendy:
Link here
Thirdly, the China connection:
Currently just a rumour, and I see in other news groups proponents of Phorm have appeared dismissing the “tin-foil-hat-wearing brigade” as a bunch of alarmist rumour mongers.
Posts to that effect have been removed from a few blogs.
Currently, as of Feb 29th, both OIX domains owned by Phorm (oix.net and oix.com) are registered in New York and point to a single UK server.
I say as of Feb 29th because one argument used by a pro-Phorm poster on The Register to discredit the China rumour is to claim that someone accidentally looked at oxi.com [sic] and the Phorm servers were in China.
It is well known that oix.net, used by Phorm, is registered in New York and uses a Gloucester-based ISP, and the whois record was last updated on 07-Dec.
So what about oxi.com and oix.com (both for completeness)? oxi.com is presumably a typo by the poster; it’s registered and served from NY State, the whois record has not been changed since late 2007 and the owner seems a well established firm.
However, oix.com IS owned by Phorm, and whois record was last updated 29-Feb-08 AFTER THIS STORY BROKE ON 14-Feb! No proof here, but if Phorm are going to use the .com/.net distinction to counter the China claim what can we draw from the whois record change on 29-Feb-08?!
CHECK THE LAST CHANGED DATES YOURSELVES. No proof, I’ve seen no proof about China.
Just to point you in the right direction regarding a few things. Some of the questions I’ve asked have been deliberately loaded so as to allow Phorm to set the record straight. In particular the question regarding China and Russia.
I too picked up on the allegations claiming that Phorm had servers based in China. I looked and found absolutely no record of this claim that has been circulated. It is important to be fair and allow Phorm to categorically confirm this not to be the case.
If you read my first post on this issue then you will see that I state that all these domain names of Phorm point to a server near Gloucester.
I have already read the links that you refer to but they indicate no information that I wasn’t already aware of.
On the nature of the registration of the various domain names, it’s good to see that Phorm have now changed these registrations to one that is a lot more open and they are commended for having taken this option.
As regards the actual system and its implementation and/or what it could potentially be configured to do, this is where I share your concern, primarily on the grounds that even if the system is implemented to only do the stated processes that have been declared, it has the capacity to do considerably more, which is why I ask the question regarding this issue. My concern of course is one of operational creep in this area: once such a system is in place, what is to stop its capability steadily expanding beyond its original remit, because it does allow for the possibility of not just analysing all of people’s web browsing habits but equally of fundamentally changing the nature of, and the way that, individuals interact with the internet on a much wider scale.
Anyway, thanks for your comment, sorry if you’ve misunderstood the nature of some of the questions, most of the questions I already know the answer to or have a very good idea about so the nature of the exercise is to give Phorm the ability to confirm that some of the factually incorrect allegations made against them in some parts of the net are indeed incorrect, such as the China reference and to allow them to expand on areas where people have concerns.
Final point, sorry, not one of the tin foil helmet brigade as a good reading of my past writings will confirm.
Can I send you a reply to me from Privacy International? Email me at the seemingly anonblog email I entered, it works.
O
Who me? Not trying to locate you but your call. You obviously roughly know who I am and I’m not taking steps to hide that, using my work IP address and email domain owned by a registered company and all. Don’t worry - we’re not all after you!
Hi PP and all posters,
Firstly thanks for the questions. We are getting onto them now and hope to have all the answers for you by close of play tomorrow or latest at the weekend.
Just quickly re the China question: We do not have any servers in China. The problem is historical: a previous owner of one of our domains had it hosted in china.
I’ll break off now and get back to answering your questions / comments.
Best wishes, R
Meanwhile there’s a video interview with Kent on techcrunch uk. I hope it helps to answer some questions or concerns.
Link here
Hi,
There’s a balanced piece out on the BBC that might be of interest (excerpt and link below).
http://news.bbc.co.uk/1/hi/technology/7280791.stm
Ad system ‘will protect privacy’
By Darren Waters
Technology editor, BBC News website
The tools, developed by US firm Phorm, track users’ online surfing habits.
BT, Virgin and Talk Talk have signed up to trial the technology.
Privacy International (PI) said: “We were impressed with the effort that had been put into minimising the collection of personal information.”
PI’s director Simon Davies and senior fellow Gus Hosein were invited by Phorm to assess its privacy protection measures.
Phorm has said its tools anonymise the data it collects and that users can opt out via their Internet Service Providers (ISPs) at any stage.
Mr Davies told BBC News: “Phorm does advance the whole sector of protecting personal information by two to three steps.
“The problem is that may not be good enough for consumers.”
Balanced!! The most skewed and unprobing piece of journalism by the BBC I’ve seen for a very long time. I can see why Phorm should be pleased by that though.
Let’s just concentrate on one unanswered point, though. Why do Phorm keep saying that PI did the assessment, when PI (proper) are distancing themselves from the PI-related individuals who were actually employed by Phorm?
Can we just have a straight answer - did PI officially endorse this, or not? If not, the BBC will need to correct their story, and Phorm their publicity blurb. Thanks.
Hi Julian,
I had clarified the point yesterday on PP with regard to Simon Davies but cannot unearth. Here goes: Simon Davies, who is Director of Privacy Intl and MD of 80/20 Thinking conducted the Privacy Impact Assessment wearing his 80/20 hat and with his colleague at the LSE, Gus Hosein, who is Visiting Fellow, Information Systems Group. PI do not endorse any companies but in a consulting capacity apply the same intellectual rigour to their assessment of companies and their privacy friendliness or otherwise. Btw we are happy to be included in PI’s assessment of online businesses. I believe the last one was termed as a ‘Race to the Bottom’. We believe that we would be graded positively.
Do mail me or post any other questions you may have.
Just to avoid misinterpretation, please see caps!
Hi Julian,
I had clarified the point yesterday on PP with regard to Simon Davies but cannot unearth. Here goes: Simon Davies, who is Director of Privacy Intl and MD of 80/20 Thinking conducted the Privacy Impact Assessment wearing his 80/20 hat and with his colleague at the LSE, Gus Hosein, who is Visiting Fellow, Information Systems Group. PI do not endorse any companies but SIMON DAVIES in a consulting capacity applies the same intellectual rigour to his assessment of companies and their privacy friendliness or otherwise. Btw we are happy to be included in PI’s assessment of online businesses. I believe the last one was termed as a ‘Race to the Bottom’. We believe that we would be graded positively.
Do mail me or post any other questions you may have.
Thanks - the trouble is that Phorm is creating the impression (inadvertently or not) that PI have officially endorsed it, when only 80/20 have. For example, Marc Burgess is quoted as saying “Privacy International have done a privacy impact assessment…” in http://www.guardian.co.uk/technology/2008/mar/06/internet.privacy.
Note, he doesn’t say 80/20.
I pointed out the mistake in the BBC news article to its author Darren Waters and this has now been corrected. However, the casual reader is probably not going to understand the difference.
Unfortunately this kind of seemingly-deliberate ambiguity simply reinforces the impression of slipperiness, on top of the original concerns about the origins of Phorm in spyware. You guys have got a pretty difficult job turning around that impression, which is not helped by trying to disguise the whole thing as a service to your users. I guess you know that’s pretty cheesy and exploitative. But this is 2008…
Hi Tech Team,
You say above that it was Simon Davies, not Privacy International who said your privacy was OK. On your website, you say “We approached leading privacy advocates in the US and the UK, including Privacy International, and asked them what they thought.”
An individual who works for an organisation is not the same as that organisation. This does seem at best misleading and at worst mendacious. Can you explain? If not, why not?
Will you clarify on your website both that Privacy International have not and will not endorse your product and that you erroneously said that they did? If not, why not?
From the BBC article that Comms Team mentioned above:
“Mr Davies said he remained opposed to services which required users to opt out.
He said: “If firms say this “enhances the user experience”, if that is true and users want it, then make it opt in.”
Do you agree with your expert’s opinion? If not, why not? Will you insist that, in absolutely all circumstances, use of Phorm will require a positive opt-in and not an opt-out? If not, why not?
Will more privacy audits be carried out? Have there been any changes to your system or controls since December 15, 2007?
I need to repeat a comment I made yesterday, which doesn’t seem to have been picked up on.
In the previous blog, Phorm’s tech team stated: “..if you opt out — or switch the system off, it’s off. 100%. No browsing data whatsoever is passed from the ISP to Phorm..”
The Register ( http://www.theregister.co.uk/2008/03/05/bt_phorm_trial/ ) states:
“according to a spokesman for Phorm, the way the opt-out works means the contents of the websites you visit will still be mirrored to its system. Profiler hardware (see network diagrams here) will simply not categorise the pages or attempt to serve up target ads…”
It then notes that this is still classed as interception.
What is the truth Phorm ???
What gets me is why two respected academics from the Privacy and Data Security arena would endorse an infrastructure that appears to me remarkably similar to what I imagine any dictatorship would need to monitor their country’s networks - the very kind of surveillance that their group Privacy International campaign against. Come on guys – how much were you paid for this endorsement?
Sure, Phorm are good guys and safeguards are in place, but this arrangement of tapping into your data stream is the most worrying aspect. Not the specifics of what Phorm are doing, but the inherent intrusiveness of the technology and how a similar platform could be abused.
For the opt-out to be legally watertight, and yes I did just read the DPA, then it needs to take into account the rights of the individual to inform the Data Controller (in writing) at the ISP that they do not want any personal data to be processed above that necessary to provide the service, and the ISPs then have a legal obligation from that point forward not to pass any information outside the normal path necessary to process (i.e. route) the IP stream. Their obligation is rather strict – they must NOT process ANY personal data more than is necessary. So sod cookies, in parallel to the opt-out, opt-in debate, the system must have an opt-out mechanism that does NOT use cookies.
Under the RIPA (and yes, I did just read that too), consent of BOTH parties is needed to legally intercept a private communication outside the provisions of the Act for law enforcement purposes (with some exclusions to allow recording of conversations for personal means amongst others). Since there’s no doubt in my mind that your data stream is a private communication, then Phorm can only snoop when both remote website and individual has opted in.
And anonymous data streams – you try and tell that to my son when he’s asking what an Arab Strap is and why would he need one? Okay, Phorm say they won’t profile adult and some other exclusions, but some curious things can give away your political or sexual persuasions, such as your taste in music (I love Pet Shop Boys and Kylie), films (Sound of Music and, yes, Brokeback Mountain) and newspapers (The Daily Express). To my consternation, all the adverts on my computer were for skin-tight rubberwear bearing Nazi insignia. Why?
And shame on the BBC for their first piece on this. It was nothing more than an advert. Balanced reporting wouldn’t simply say yes some people are pissed off. It would get a view from the people against the system as well as a view from those endorsing the system. Has any ISP come out and said it definitely won’t ever tap datastreams? I don’t know, but surely there’s one and it’s up to the BBC to put this kind of balance.
Just came here via the link from the BBC News article. I had to check several times it wasn’t from ITV News or some other corporate source. Absolutely horrific journalism, and anyone who thinks the media has an inherent left-wing bias should look at that puff piece and think of the opposite.
I hope Privacy International themselves come out on this… they could potentially do a lot of damage to Phorm (and a non-zero amount to the BBC) if they do!
Could comms team and tech team tell us if they are employed directly by Phorm or are employed by a PR agency acting on Phorm’s behalf?
I’ve been talking to a lot of people about this issue. It seems that the ISPs are keen to push this out and are unconcerned about the thoughts of the enlightened minority who understand the nature and potential of the invasive technology used at the heart of the Phorm system.
There’s not much wrong with the Phorm PRODUCT itself, except it seems their opt-out arrangements are flawed, plus in my opinion the whole system should be opt-in through choice.
Bloggers in The Register are reporting that Talk Talk is reviewing the opt-out mechanism (HTTP Cookies) with Phorm as it’s deficient. This is purely speculative but I really hope it’s true.
The Ernst and Young Privacy Examination Report also commented on the fact that the opt-out cookie could easily be deleted, but it failed to pick up the fact that HTTP cookies are only transmitted back to the site from whence they came, as widely reported on other blogs, and there’s no such thing as a top-level cookie (I’m no tech expert but I understand their arguments and have read RFC 2965, describing cookies, and their arguments seem to hold).
My big question to Phorm tech team is why should we trust the reports you have paid for when you a.) haven’t released the Privacy Impact Assessment (or if you have, please link) and b.) The Ernst and Young report didn’t pick up this potential technical argument about cookies, so what else have they missed?
So I said I don’t have a problem with the Phorm product, but I do have a huge problem with the system infrastructure, as leaked to The Register, and noted above to be intrusive and invasive. I assert that such a system is open to future abuse, e.g. an ISP can be alerted when you intend to leave because you are searching for a better deal, or worse, the very same intercept technology could be altered to facilitate a wholesale invasion of privacy.
How can we be sure that safeguards are in place when a.) information hasn’t been released, b.) the earlier interviews and press releases were not clear about the role of Privacy International and c.) the one element of the Ernst and Young report for which there’s sufficient technical information available to independently assess is flawed? How can we trust that the technical operation of the other safeguards has been properly understood?
http://www.bobpiper.co.uk/2008/03/theyve_got_phorm.php
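To make the cookie-scoping argument in the comment above concrete, here is an added example (not code from the original post, and not Phorm’s or any ISP’s) implementing the RFC 2965 domain-match rule and the Domain-attribute acceptance rules: a cookie set by one host is only returned to that host (or its subdomains), and a site cannot set a “top-level” cookie such as Domain=.co.uk. The hostnames webwise.example, news.example and www.example.co.uk are constructed placeholders.

```python
from typing import Optional


def effective_host(request_host: str) -> str:
    """RFC 2965 s1: a request-host with no dots gets '.local' appended."""
    host = request_host.lower()
    return host if "." in host else host + ".local"


def domain_match(host_a: str, domain_b: str) -> bool:
    """RFC 2965 s1 domain-match: the strings are equal, or B starts with a
    dot and A ends with B with a non-empty name in front of it."""
    a, b = host_a.lower(), domain_b.lower()
    if a == b:
        return True
    return b.startswith(".") and a.endswith(b) and len(a) > len(b)


def accept_domain(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """Return the Domain a user agent stores for a cookie set by request_host,
    or None if the rejection rules of RFC 2965 s3.3.2 apply."""
    host = effective_host(request_host)
    if not domain_attr:
        return host                  # no Domain attribute: originating host only
    d = domain_attr.lower()
    if not d.startswith("."):
        d = "." + d                  # s3.3.1: the user agent supplies the leading dot
    if "." not in d[1:] and d != ".local":
        return None                  # no embedded dot: ".com", ".uk" are rejected
    if not domain_match(host, d):
        return None                  # the setting host lies outside the Domain
    if "." in host[: -len(d)]:
        return None                  # host is H+D and H has a dot: ".co.uk" from www.example.co.uk
    return d


def cookie_sent_to(cookie_domain: str, request_host: str) -> bool:
    """RFC 2965 s3.3.4: the cookie travels only to hosts that domain-match it."""
    return domain_match(effective_host(request_host), cookie_domain)


if __name__ == "__main__":
    # Constructed hostnames, not Phorm's or any ISP's real domains.
    print(accept_domain("webwise.example", None))             # webwise.example
    print(accept_domain("www.example.co.uk", ".co.uk"))       # None: no top-level cookie
    print(cookie_sent_to("webwise.example", "news.example"))  # False: never sent elsewhere
```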
david pip said:
March 7, 2008 8:53 PM
well well, interesting turn of events.
apparently TechTeam and PhormUKTechTeam are in fact, as the user on the cableforum thread below puts it, “you’re not in fact UKtechteam but rather UKPRteam.”
Link here
“PhormUKTechTeam
Thanks Mick
To be clear, yes I work for an external agency for Phorm - a UK PR agency.
My job is solely to take the information Phorm is making available - the interviews, the Q&As etc and place them into these discussions.
I believe I am totally open about this - my log in name is pretty clear, and the first line of my introduction clearly states who I work for.
It is my job to simply present the facts about Phorm.”
Link here
“popper
while it’s refreshing to see the truth from your good PR self as regards your workplace, don’t you think it would have been better to pick better screen names, as you’re not in fact UKtechteam but rather UKPRteam.
as the Phorm 3rd party UKPRteam, how do you propose to correctly answer the real Tech questions that are in many places and asked by even more people….?
is there also a UKlegalTeam to answer the RIPA/DPA/copyright and several other UK and EU legal questions?
or are the millions of UK ISP users affected by the ISP/Phorm contract going to be left with no other ‘in good faith’ option but to start small claims court proceedings (as was done with the UK banks due to no other ‘in good faith’ options being put forward by the offending banking parties) against the ISPs and Phorm etc.
perhaps to get the answers and rulings to restate the acts in question, and return some balance to the one sided contracts, and once again remove 3rd parties from interfering with the UK consumers?”
Link here
“paul Nolan
I was starting to think TechTeam was a PR agency.
It smacks of a couple of years ago where (allegedly) the then chairman of Southampton FC had a PR agency attempt to influence the flow of information in an upcoming battle for company ownership on the most popular forum for Southampton FC fans.
but frankly TechTeam and PhormUKTechTeam, as far as we know, have no detailed knowledge of the workings of ISPs’ data capture, Phorm’s patents, and the like.
Maybe they’re just passing on uninformed propaganda meant to mislead us and stall on complaining to the ISPs involved.”
Why not go over there, Bob and readers, and see what the cable and indeed BT customers think.
http://www.cableforum.co.uk is probably the best Phorm (and current cable news etc) thread on the net as it’s got many VM cable and BT DSL members (The Register being your best news outlet for Phorm news OC)
—————————–
“techteam said:
March 8, 2008 10:57 AM
Hi, it’s the techteam here:
I am part of the techteam (and use the name techteam) at phorm and as noted by our agency above, PhormUKtechteam is the agency. And point taken david pip, we can change the phormuktechteam to ukprteam. (the pr team only posts what the tech team give it, though!)
I am not sure this situation is like the Southampton one. Full disclosure and transparency is key here: the pr agency disclosed the fact they are an agency on a board, up front. As you’ve seen, there’s lots of interest and lots of questions and we try to get to them all. We can’t do it all in house.
To pick up a couple of the more lurid points:
We don’t have links to the Russian security services. We, in common with all major technology companies including Google and Intel, work with Russian programmers. The last two companies are some of the biggest employers in Moscow.
We don’t have anything to do with China. Full stop.
We at techteam do know in detail the systems and we’ve tried to clearly explain the processes. We’ll be putting up diagrams showing data flows including data capture and ad serving on our site next week. Do please write to me at techteam@phorm.com if you’d like to come in and understand the system in more detail.
We do keep saying this and we mean it: we’ve had Jack Marshall from ClickZ and Chris Williams from The Register in this week (both favourable coverage), we’ve also had bloggers here and done numerous interviews with them. We’ve also asked Professor Peter Sommer to conduct an in-depth review of our technology. He has declined — which makes me think some people just want to object to something without investigating it.
More questions please. I’ve answered some questions on the political penguin site and PP has suggested we post the rest of the answers on our site and he/she will link to it.
Best wishes,
Tech team
“
Perhaps the most troubling aspect of the Webwise project is the introduction of passive taps into the network connection. If the ‘Netsense Architecture Diagram’ shown by The Register (http://www.theregister.co.uk/2008/02/29/phorm_documents/) is correct, all the connections between BT Broadband users and BT’s internet backbone through which they access the internet will go through a passive tap. The function of a passive tap is to split the input data stream in order to provide two or more copies.
It’s not just that advertising profiles will be built up on the basis of users’ observed browsing habits, detestable though this may be. The introduction of the equipment Webwise will use into exchanges would apparently also provide the basis of an option for widespread and undetectable tapping of users’ communications over the network. On the face of it, it would be relatively straightforward to add fibre to the passive taps in order to take an additional copy of the users’ data and send this on elsewhere, say over a secure data link embedded in BT’s data backbone. This data would contain the user’s internet address. And, like any ISP, BT will have logged, as a matter of course for billing, details of who this corresponds to and where the connection terminates.
From recent Guardian articles it would appear that Phorm had been in discussions with the Home Office some while ago. This might explain why there has so far been no action over BT’s secret experimental tests last year which, taken at face value, seem to have involved illegal interception of data.
It is hard not to wonder whether the overall business model is similar to that which was used in the introduction of speed cameras. Significant funding for road cameras was provided by commercial organisations who use number plate recognition systems to assess traffic flows. The registration numbers are, of course, discarded as soon as they have been used to calculate average speed between two cameras along a particular length of road. Processed data based on average speeds is supplied to paying customers, who are advised of traffic jams and how to avoid them. Now, however, the same equipment that provides the commercial service is also to be used as part of the regulatory system, where registration details are no longer discarded, in order to police speeding from measurement of time to travel between two cameras.
If this analysis is correct, it is not just the Webwise system that needs to be scrutinised. It is the plans that the government may have for widespread surveillance of our communications that need to be questioned.
“80/20 Thinking is holding a Town Hall meeting on Phorm this coming Tuesday, 15th April, between 18.30 and 20.30 at the Brunei Gallery lecture theatre, SOAS, University of London.
Details are at http://www.8020thinking.com/events
Please do spread the word as much as possible. The meeting is open and free, but we ask people to notify us if they want to come so we can keep track of numbers. Again, those details are on the 80/20 page.”