Phorm and deep packet inspection – Email reply from Phorm PR

About Creative Capital, Blog on May 20th, 2009 14 Comments

Carl Morris here.

During the sandpit session at the Creative Capital event in London, we mapped the music business “ecosystem”. Our aim was to take a broad view and figure out the technological, social, cultural, economic, legal and other forces affecting the future of the music business.

Our discussion touched on data collection by private companies so I mentioned Phorm and afterwards wrote a blog post here. I only meant it as a quick intro to the misgivings that some people (notably Open Rights Group in the UK) have about the company and its practices.

My point was that there are different kinds of data collection, not necessarily benign. This is just an example and in general this kind of discussion will continue for a while yet.

On 19th May 2009 I received an email directly from Benjamin Usher of the Phorm Communications Team. I’ve had no dealings with the company before now, neither had I ever written about them. So I can only assume he picked it up on a blog search, as any good PR person would. I’ve reproduced his email below verbatim.

Hello Carl,

I read your blog post on Future Music Lab:
http://www.futuremusiclab.com/participants/phorm-and-deep-packet-inspection/

There are some common misconceptions about our technology which unfortunately have almost become accepted wisdom, and with an area like people’s privacy I think it is important that people know the facts. I hope you agree. In that spirit I wanted to address a few points from your article.

* You write: ‘it’s not opt-in (unless you go out of your way to choose your ISP)’
Users will be provided with unmissable notice of the service, what it offers, and how it works, so that they can make an informed choice as to whether to participate or not. The most recent BT trial was conducted on a completely opt in basis. As well as being shown the unmissable invitation to join the system, users can check whether the system is on or off, and switch it off or on at any time. This goes way beyond current internet standards on consumer consent.

* You write: ‘You may not feel comfortable with this level of access to your data by Phorm’s clients – which could be companies or possibly government – without your express permission. I think most people are unaware of the ramifications of this, I’ll say that much.’
Phorm does not store the sites users visit. Phorm uses technology that has been designed to avoid storing any information that might identify a customer personally. The service does not store your browsing history, IP address, or any personally identifiable information. The unique design of Phorm’s technology ensures that consumer privacy is protected and that, even under compulsion, no personally-identifying data or detailed browsing data can be retroactively provided to anyone.

* You write: ‘Web creator Tim Berners-Lee says: I want to know if I look up a whole lot of books about some form of cancer that that’s not going to get to my insurance company and I’m going to find my insurance premium is going to go up by 5% because they’ve figured I’m looking at those books.’
Phorm want consumers to be safe online, and we are committed to following the IAB guidelines on behavioural targeting. Phorm does not allow advertising in a number of sensitive categories:
- Tobacco
- Medical
- Alcohol
- Pornography
- Gambling (except National Lottery)
- UK Political Parties
In addition, since Phorm’s system is designed not to store any personally identifiable information, we cannot give or sell it onto any third party. Therefore Sir Tim Berners-Lee’s metaphor would not apply to Phorm’s system.

If you are interested in knowing how Phorm’s service works, I’d be happy to set up a tech briefing for you.

If you or your readers are interested, you can see a short explanatory presentation on how Phorm works here:
http://www.phorm.com/about/introducing/how-phorm-works.html

best regards, Ben

Benjamin Usher
Phorm Communications Team

Mr Usher has given me his permission to publish the above email.

I am aware of security issues but wouldn’t consider that my core speciality. I’d just like to make this available for public scrutiny and debate.

One response I have to this is – if users have the option of turning off Phorm, I’m a bit uncertain why they would ever leave it on. Are we to believe the advertising offers are just too compelling to ignore? I’m willing to be educated on this.

This is a group blog written by several music, media and web professionals. Any views I’ve expressed are my own. (Also I know this blog is intended for discussing a range of issues related to music business, not just law or privacy. I’m sure Andre or Tim can let me know if this gets excessive! I can easily continue it on my personal blog.)


14 Responses to “Phorm and deep packet inspection – Email reply from Phorm PR”

  1. ASo says:

    As is ever the case with Phorm and their “privacy revolution” the PR drones (how many PR agencies are you employing now Phorm? Still 5 or have you had to take on even more?) neglect to be fully transparent about their system.

    While its true that users will be given the option to opt-out that only applies to the advert serving side of the system. Even if users opt-out their internet traffic will still be illegally intercepted by the Phorm provided equipment sitting at the heart of the Internet Service Provider network.

    Phorm are so transparent about engaging with their critics that they launched a smear site against campaigners which has been almost universally ridiculed by those in the press. The irony of Phorm claiming to be pro-privacy and anonymous while also launching a website to smear and identify their critics is apparently lost on them.

    Who are you going to believe and trust? Phorm with their history in spyware and rootkits or Sir Tim Berners Lee, the inventor of the World Wide Web. Easy decision for me.

  2. [...] then received an email from Benjamin Usher of the Phorm Communications Team, essentially correcting me on three points I’d [...]

  3. phormaverse says:

    I’m afraid Mr Benjamin Usher of Phorm is mistaken in his claims. Firstly he says, “The most recent BT trial was conducted on a completely opt in basis.” No, Mr Usher, that is not true. BT intercepted the communications of triallists without asking consent, and irrespective of the response they made to the Webwise invitation page, whether they opted in or out of receiving advertising, they could NOT opt out of having their communications intercepted and profiled. The BT Webwise FAQs made that clear (and still do). Users can NOT switch off the “system” at any time. They can only opt out of the ad-serving. It is very tiresome that Phorm are continuing to promote this falsehood that users can switch “the system” off. They can’t.

    Secondly – that claim about “unmissable notice” – I’m not sure why that term is used. The DPA legislation refers to either “informed consent” or “explicit informed consent” depending on the type of data being processed. Unmissable notice has no legal meaning whatever. Anyway – your “unmissable notice” – the BT trial Webwise invitation – was deemed legally non-compliant by the ICO, who said, “Shortly before this pilot began they sent us a copy of the ‘invitation’ page on the basis of which customers would choose whether or not to take part in the pilot. We made clear to BT that we had strong reservations about the nature of the explanation provided, largely because it concentrated on security advantages rather than on the targeted advertising.” And then of course there is RIPA, but that’s a whole new EU infraction story.

    Sorry Mr Usher – you need to check your facts and the law. And stop the use of weasel words with wriggle room. I know what BT did. And it doesn’t match with what you are saying. Please go away and find a model for your targeted advertising which complies with the law of the land. Other firms manage it. And when you describe the Phorm/ISP/Webwise interception/profiling/copying/ad-serving system, please do so accurately.

  4. mADSLug says:

    “The most recent BT trial was conducted on a completely opt in basis.”
    But only for the advertisements – no mention anywhere of the interception for which RIPA requires the consent of both parties to a communication. No opt in for interception: that had already happened by the time you got the uninvited pop-up.
    “Phorm does not store the sites users visit.”
    Phorm allow advertisers to select URLs which are converted into ‘advertising channels’ and the essence of the content into 10 more channels: they store the channel not the URL or content, allowing advertisers to target specific visitors to specific websites by channel. When channel = URL then it is hard to claim that they don’t store data on sites users visit.
    As for Sir Tim, perhaps he too finds difficulty understanding the risks of medical insurance premiums when ‘Health & Fitness’ is one of the prime advertising channels.
    A tech briefing would be great. Pity they refused to consider doing so at either of the town hall meetings and have not opened up the source code for the DPI processing.

  5. Pete says:

    So much to take issue with in that email it’s hard to know where to begin.

    >Users will be provided with unmissable notice of the service

    People who operate websites won’t be given any notice at all. Their unencrypted but private communications with their visitors will be intercepted and exploited without consent.

    >The most recent BT trial was conducted on a completely opt in basis

    In the most recent trial, user communications were intercepted to present an advertisement for the ‘webwise’ system. Communications were intercepted regardless of a user’s preference.

    Thereafter, those users who declined were forced to perpetually retain an opt out cookie indicating that they did not wish to participate.

    Being forced to retain an opt out cookie isn’t an opt in at all, it’s an opt out.

    Ben skipped over the trials Phorm/BT conducted in 2006 and 2007, in which neither the user nor web sites they visited were invited to consent. Those trials affected hundreds of thousands of people. Phorm weren’t so concerned about consent then.

    Phorm is mass personal surveillance, mass industrial espionage, and copyright infringement on an epic scale.

    >Phorm does not store the web sites users visit

    Advertisers get a different story. They are told they can target users by specific URLs.

    Phorm receive the URLs you have viewed verbatim; you have to trust Phorm that they won’t store that data (now, and in the future).

    >no personally-identifying data or detailed browsing data can be retroactively provided to anyone

    Kent Ertugrul claims the data passes ‘the publish test’. So we asked him to publish the data, but for reasons unknown he declined.

    Evidence from other supposedly anonymous datasets is that with sufficient data accumulated it is possible to determine someone’s identity.

    The user id Phorm assign to you is more personally identifying than your name, your address, or your telephone number (all of which might be shared). Your unique user id is personal to you (globally).

    >Phorm want consumers to be safe online

    Phorm may comply with the data protection act (though they didn’t bother to register until 2008 after the trials) but that isn’t the same thing as respecting privacy.

    In Phorm’s DPA registration they state that they process personal data, and trade that data with ‘traders in personal data’, who may be located ‘worldwide’.

    If Phorm don’t store personal data they don’t need to register under the data protection act. If they don’t exchange that data with traders in personal data worldwide, they don’t need to register that intention either.

    So I think Sir Tim’s fears are well founded.

    As time goes by the pressure for scope creep will grow; Phorm as it stands is the thin end of a very ugly and unpleasant wedge that will deprive us all of the right to communicate privately.

    The people in BT/Phorm who conducted trials of these systems in 2006 and 2007 must face prosecution.

    And Phorm must never be operated on UK soil again.

  6. pingus says:

    Until Phorm or the ISP, whoever is in charge of the equipment this week, obtain the permission of BOTH the webuser and the website owner/creator BEFORE any interception takes place then the system is illegal. The rights of the copyright holder ie the website owner MUST be respected according to the law.
    The Phorm system has not been deemed to be compliant with the law by any government department or office. I have personally checked with the Home Office, Ofcom, the ICO, BERR and the IPO, none of whom have confirmed Phorm’s claimed statement of compliance.

  7. fiddling frog says:

    Hi Carl
    I’m a professional musician too, so I’m very pleased to see that you are aware that Phorm poses a threat to privacy. It also poses a threat to copyright, and a threat to struggling small businesses, like would-be music producers.
    Here’s how Phorm works:
    - You run a website for your brand new state-of-the-art recording studio, say called “Morris Minor Recording and Music Production”.
    - Users visit your website and browse your virtual studios and equipment, endorsements etc
    - All the time they do this YOUR website is being copied by the Webwise system and YOUR copyright is being infringed.
    - The Webwise system creates a profile on YOUR potential customer and then YOUR potential customer gets targeted advertisements about “Philharmonic Spectacular Recording Suites Inc – Studios in all major cities!!!”
    - The Webwise system is taking the information from YOUR website to profile YOUR potential customers and sells that information to the bigger players, which could in effect cause you a loss in your business, taking YOUR potential customers away from you.

    Re opt-in/out, what Mr Usher failed to tell you was that whether you opt-in or opt-out ALL your data still passes through the Phorm-supplied equipment operated by the ISP. And if you block the relevant domain WEBWISE.NET in your HOSTS file, then you don’t get any internet access whatsoever.
    He also fails to tell you that the Information Commissioner told BT that their 3rd Trial Invitation page failed to satisfy the ICO’s conditions for providing customers with fully-informed consent.
    Beware of what anyone from Phorm says.

  8. Fanjita says:

    I don’t have time to discuss the 2nd and 3rd points right now, but the first is a pathetic rebuttal.

    The system is still opt-out – therefore your point still stands. Every sample page we’ve ever seen that presents the option to the victim to disable Phorm has been highly disingenuous, stopping just short of actually making the “please turn this off” button invisible, and making very minimal efforts to present a clear and balanced picture of what the victim is actually signing up to.

    And let’s not forget that the various advice that has said that Phorm *could* be legal has insisted that it must be opt-in. Opt-out just does not cut it.

  9. Jim Murray says:

    Phorm’s ‘communication team’ are well known for monitoring blog postings, news articles and just about everything else said about Phorm online – I suppose that is their job and they seem to be pretty good at it.

    Unfortunately their ‘corrections’ also need correcting since they rather helpfully omit certain important points.

    On the subject of opt-in vs opt-out they are being far from clear. Phorm’s technology as trialled relies on a browser cookie to record the user’s preferences. There are obvious problems with this:

    - Programs which use the web (port 80) and don’t support cookies will be blocked from accessing the internet. All they’ll ever get is Phorm’s ‘choice page’. Yes, Phorm claim they will use the browser’s version-string to detect these situations but as many applications use the IE engine (though not all of its functionality) that’s highly problematic.

    - No DPI-based system relying on cookies can ever be truly opt-in. Traffic MUST be monitored and intercepted simply to read the cookie in the first place! Only by making the choice at account level and designing the ISP network in such a way as traffic from users who don’t opt-in is NEVER intercepted can true opt-in be achieved.

    On the subject of what Phorm stores or doesn’t store:

    - No, they don’t store browsing history as such. They do however store a profile of a user’s interests. By their very nature such profiles can be extremely revealing, if they weren’t they’d be no use to advertisers, would they?

    - They say they don’t store personal information. That is in the strictest sense true but it’s also grossly over-simplified. Quite apart from anything else, Phorm force upon users a unique identifier which allows Phorm to track them. In certain circumstances that identifier could become available to others, allowing it to be paired with other information and making it identifiable (I won’t go into details of how here, it’s long, technical and boring!).

    Finally, we have the issue of consent. This is probably by far the most relevant to this blog and its users since it could potentially impact on revenue streams for them. Consider for a moment the situation of a small, independent music publisher. Their website is visited by a user who has Phorm on his connection. That user’s searches and musical interests are profiled by Phorm, information which Phorm can then use to target that user with advertisements for the publisher’s (probably far larger) competitors. Advertisements which are _specifically tailored_ to that user’s interests, interests Phorm obtained thanks to the hard work of the small publisher while providing NO BENEFIT OR RECOMPENSE WHATSOEVER to them!

    Does that sound fair? Right? Not to me it doesn’t and not to many others. Phorm is, quite simply, wrong. It’s unwelcome on the internet, unwanted by genuinely informed users and unfair to the majority of small content providers who make the internet what it is today.

    Jim.
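The consent point in the comment above (a cookie-based opt-out can only be honoured after the box has already read the request, whereas an account-level choice can keep non-consenting traffic off the inspection path entirely) can be modelled in a few lines. This is an added illustration, not code from the commenter or from Phorm; the cookie names, account names, the `webwise.example` choice-page URL and the sample traffic are all constructed for the model.

```python
from dataclasses import dataclass, field

# Hypothetical choice-page URL used in the model; not a real Phorm/ISP address.
CHOICE_PAGE = "http://webwise.example/choice"


@dataclass
class Request:
    user: str        # ISP account the request came from
    host: str
    path: str
    headers: dict    # HTTP headers, as a plain dict

    def cookie(self) -> str:
        return self.headers.get("Cookie", "")


@dataclass
class Audit:
    inspected: list = field(default_factory=list)   # requests whose headers were read
    profiled: list = field(default_factory=list)    # requests fed to the profiler
    redirected: list = field(default_factory=list)  # requests answered with the choice page


def cookie_based_dpi(requests, audit: Audit) -> None:
    """Consent recorded in a browser cookie (the design the comment criticises).
    The box has to read every request's headers just to find the cookie, so every
    request is inspected regardless of what the user chose; a client that cannot
    carry a cookie can never be recognised and is sent to the choice page."""
    for r in requests:
        audit.inspected.append(r)                 # happens before any decision
        c = r.cookie()
        if "webwise=optout" in c:
            continue                              # opted out, yet already inspected
        if "webwise=optin" in c:
            audit.profiled.append(r)
        else:
            audit.redirected.append(r)            # no cookie: intercepted and redirected


def account_level_dpi(requests, opted_in_accounts, audit: Audit) -> None:
    """Consent held at account level: the ISP only routes opted-in accounts
    through the inspection path, so other users' traffic is never touched."""
    for r in requests:
        if r.user not in opted_in_accounts:
            continue                              # never reaches the DPI box
        audit.inspected.append(r)
        audit.profiled.append(r)


# Constructed sample traffic: an opted-out user, an opted-in user, a browser with
# cookies disabled, and a non-browser client that cannot carry cookies at all.
SAMPLE = [
    Request("alice", "musicshop.example", "/albums", {"Cookie": "webwise=optout"}),
    Request("bob", "musicshop.example", "/albums", {"Cookie": "webwise=optin"}),
    Request("carol", "musicshop.example", "/albums", {}),
    Request("alice", "feeds.example", "/podcast.xml", {"User-Agent": "podcatcher/1.0"}),
]


def run_cookie_design() -> Audit:
    audit = Audit()
    cookie_based_dpi(SAMPLE, audit)
    return audit


def run_account_design(opted_in=frozenset({"bob"})) -> Audit:
    audit = Audit()
    account_level_dpi(SAMPLE, opted_in, audit)
    return audit
```

Under the cookie design all four requests are inspected and alice's cookie-less podcast client is redirected despite her opt-out; under the account design only bob's request reaches the box.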

  10. HamsterWheel says:

    Well done for posting the response.
    Shows what a lot of misconceptions are being spread by layabout troublemakers.

  11. Epic Phail says:

    Users are unable to provide consent or license on behalf of web publishers. For the Phorm system to be legal under RIPA and statutory copyright law they require the consent of both parties. There can be no assumed consent from website operators with regard to interception of communications once a user has logged into a site.

    The EU has already begun infringement proceedings against our government for their Phailure to act on the BT trials and any ISP foolish enough to deploy Phorm will most definitely end up in court. That’s the reality of the situation, no matter what hand waving Phorm PR staffers engage in.

  12. phormaverse says:

    Just a very brief second comment – for any interested reader new to the Phorm debate. Check the comments above and give them marks for politeness and rationality, or personal abuse, then divide them into two columns, pro and anti-Phorm/DPI. It makes interesting reading. It’s a pattern repeated on blogs and forums all over the internet on this particular topic.

  13. Elaine says:

    hello all
    i have been reading about this since i saw a bbc reply on the freedom of information site “what do they know” which i saw this morning, it is here http://www.whatdotheyknow.com/request/bbc_web_sites_and_phorm_opt_out

    it seems like the bbc have been looking at this issue for some time and one man at the bbc describes the technicalities of the phorm system as “evil” which is quite shocking

    the bbc people are obviously looking to stop phorm and there are a lot of comments on the bbc sites and others on the internet where this is being discussed including references to the hamsterwheel person above and a phorm website which is also quite nasty about people who disagree with what phorm is trying to achieve

    i had a search and hamsterwheel is used a few times directly connected with phorm and might be a shareholder who has lost a lot of money
    http://www.google.co.uk/search?q=%22hamsterwheel+phorm%22&hl=en&safe=off&filter=0

    the phorm anti-campaigner website is here but from what i read it is more dodgy spin of pr details whilst it claims to tell the truth
    http://www.stopphoulplay.com/

    so it looks like what campaigners are saying is true while there is a lot of untruth out there from phorm and the people they are paying to spread untrue pr information

    does anyone know of a central campaign against phorm and plans they have for the internet???

    El

  14. Pete says:

    >does anyone know of a central campaign against phorm and plans they have for the internet???

    You can find other people campaigning against Phorm at Badphorm.co.uk or NoDPI.org.

    Open Rights Group are also campaigning for communication privacy/security/integrity.

    Other useful sites include:
    http://www.inphormationdesk.org
    http://www.donottrustwebwise.org
