» Bad Phorm

In recent months, there has been growing discussion online regarding the proposed deal between major ISPs in the UK, such as BT, Virgin Media, and Carphone Warehouse, and a company called Phorm.

The basic premise goes something like this¹:

1. A customer of an ISP signed up for the system types in a URL.
2. The page request is routed through the ISP to Phorm’s servers.
3. Phorm’s servers modify a cookie on the user’s computer.
4. Phorm’s servers forward the request for a URL to the website being requested.
5. The website being requested sends back all the relevant page data to Phorm’s servers.
6. Phorm’s servers “profile” the content of the website.
7. Phorm’s servers relay the page data from the site being visited to the user, along with relevant advertisements based on the site content as well as relevance from prior browsing profiled the same way for that user.

This allows Phorm, and the ISPs contracted to it, to intercept requests for page data, as well as the response from sites, to determine contextual advertisements to display.

This plan sounds good on the face of it, but it’s a plan that’s fraught with some major concerns.

Opt-In vs Opt-Out

When Phorm’s system first came to light, one cause for concern and ire was the stance being promoted by all three of the ISPs in question with regards to user participation. All three of them stated that the Phorm system would operate as an “Opt-out” technique by default - Users would automatically be subject to this method unless they removed themselves from participation.

This differs hugely from the current “ethical” standards adopted by most mass-marketing bodies - the ability of many users to even know they have been “enrolled” in this program, let alone how to disable it by opting out, is very limited from a social awareness perspective. There are good reasons to believe that users will not be made aware they’ve been enrolled in this system as well.

Deception

Over a year ago, users questioned BT about suspicious redirects of their browsers, through servers traced back to Phorm. BT categorically denied any involvement or relationship with Phorm at the time, instead trying to persuade users that the behaviour they were experiencing must be the result of a third-party compromise of the users’ computers. These denials were repeated to The Register, an online IT-related medium.

However, after the announcements by the ISPs and Phorm itself of the proposed commercial agreement to roll out Phorm’s system, BT was finally forced to admit that it had, in fact, run a covert testing of Phorm’s technology, stating²:

“We conducted a very small scale technical test of a prototype advertising platform on one exchange in June 2007. The test was specifically conducted to evaluate the functional and technical performance of the platform.

“Absolutely no personally identifiable information was processed, stored or disclosed during this trial. As with all service providers, it is important for BT to ensure that, before any potential new technologies are employed, they are robust and fit for purpose.”

This is worrisome on several levels, not least of which is BTs avoidance of any explanation as to why it denied this was in progress when asked about it during the summer of 2007.

Also of concern is just who Phorm is - or, more accurately, was. Phorm used to be known as 121Media. 121Media’s reputation is less than exemplary, with their PeopleOnPage application having been classified as spyware.

Questionable Privacy Assurances

Phorm and the ISPs involved have stated that the system itself will not store any personally identifiable information. This may be somewhat disingenius of them however. The system will set cookies and be able to trace a user’s browsing habits - that is, after all, its purpose for serving advertisements tailored to the user’s browsing habits.

Whilst the system itself might not be able to store information, it’s entirely likely that it can be used in conjunction with other logs and analysis performed by the ISPs to track a specific user by account and then cross reference it to browsing habits.

Given that BT has already deceived users about testing this system, its methods, and seems to feel opting users in by default is perfectly acceptable, there are serious question marks over any of its assurances now.

If BT felt it necessary to lie about Phorm in 2007, the question must be whether or not they were concerned their own privacy policies, and the privacy of users, would be a concern - enough they had to conceal the system as long as possible.

Likewise, there are a good number of similarities between the spyware of 121Media and the mechanism Phorm proposes to use, one major difference being Phorm is a deep-packet inspection, sitting astride a user’s connection to the internet itself making it much more effective and impossible to be sure of bypassing. There is insufficient information available on how the system behaves should a user be opted out, other than it disabled targetted advertising - nothing regarding if opting out removes that deep packet inspection itself.

Content Owners

There are pressing concerns for site owners and operators, on several levels, too.

Whilst site owners currently are able to generate revenue from their content if they choose, it is the advertisements they choose, in the locations and manner they choose, on the content they create and own. Most advertisement systems available to site owners permit those owners to filter out advertisers as well, such as competing businesses.

Phorm, however, takes the control away from site content owners. Not only does the site owner have no ability to prevent Phorm advertisements from appearing, it has no control over the advertisements that may show. A website for a small website design company for example may end up with advertisements for competitors being displayed “on” their site, by virtue of Phorm intercepting the transmission of the site content to the user.

Additionally, there is a copyright question to be answered. Phorm’s system, by “profiling” sites to determine the user’s interests, is effectively using that site content for commercial ends - selling advertisements. How does this play when taking the copyrights of the content creators into account? if a site is marked as being licensed under Creative Commons as “NC”, No Commercial Use permitted, is Phorm violating that license by using the content in a commercial manner, even indirectly.

Current advertising systems, such as AdSense, do provide contextual advertisement based on a site’s content, but that is controlled by the content owner - they can choose not to use AdSense and similar system. Phorm denies them that control.

It’s even conceivable, given that Phorm operates through deep packet inspection, that it could be used to display Phorm’s advertisements instead of those I place on my site(s) through AdSense. The data for my web pages passes through their systems, and it could replace the code for my AdSense with their own equivalent.

There are also serious questions regarding private content, such as that behind access controlled areas of web sites. There is no explanation available of what information Phorm retains of websites that are profiled - and if that profiling will analyse website content that was protected behind access control.

Phorm has stated that personal financial information will not be collected, however that is not the only “private” information a user may view. If a website is membership based for viewing stories, for example, will Phorm profile the contents? Given that Phorm appears to perform a deep packet inspection regardless of the user’s settings because of its proposed position astride the user’s connection at the ISPs level, it is not beyond the realms of possibility that it will profile website content that is not public.

Does this qualify as computer trespass or unauthorized access? It’s unlikely any content provider permits Phorm to access private areas of their content without authorization.

Worst, there is no way for content owners to prevent Phorm profiling their site content, short of detecting and blocking access completely to users of the ISPs signed up for Phorm.

If Phorm uses website content to generate revenue without the consent of site owners, are they violating the intellectual property rights of the content owners? It might make for an interesting class-action lawsuit against the ISPs and Phorm for copyright/licensing infringement - especially if a couple of million website owners were the affected class.

I know for certain the content of my sites are not licensed for commercial use, as evidenced by the technical means I use to prevent feed thieves for example.

I certainly haven’t been approached by Phorm or the ISPs concerned to license my content to be used in their advertising services, even though it appears the content of my site(s) will be an integral part of Phorm’s system to deliver contextual advertising.

Government

Phorm’s system is being questioned as being legal under the United Kingdom’s Regulation of Investigatory Powers Act (RIPA)³. It’s likely that this will not be considered a violation, because it isn’t a government or governmental agency that will be performing the monitoring, rather a commercial third party with titular assent by users (the opt-out issue).

This does however risk being used as a backdoor to bypass RIPA by the government. Once the data is collected, it’s there - how much effort would it take for the government to then request access to a user’s browsing habits - information it could not collect legally itself bt Phorm might be perfectly legally able to?

The United Kingdom is already bordering on a police state. It has the most number of cameras watching its citizenry in Europe, as well as the largest DNA database in the world, which contains information on innocent people (including children) based solely on suspicion. People have been convicted of crimes based solely on their possession of material deemed “offensive” by the Government, a clear infringement of the human rights to both privacy and freedom of speech, but such matters are glossed over “for the public good”.

If the UK Government hasn’t considered the potential to exploit a third party’s data collection practices to increase its surveillance of its own citizenry, then they’re fools. If RIPA regulates their ability to snoop on their citizens, a system such as Phorm is the perfect bypass to add to the great centralized database the UK Government is striving towards obtaining on all of its people.

Conclusions

Phorm has far too many question marks over it to be allowed to go into operation yet.

This situation is just as “wrong” as Verisign’s system to hijack redirects to their own search system, and for similar reasons. Whilst this type of situation at an application level is more “acceptable”, since it requires the user to assent to the service, as with Verisign’s redirect system Phorm is an infrastructure layer service that is beyond a user’s ability to control.

Spyware is legally actionable, because it generally is installed on a computer without the user’s informed consent. Phorm effectively takes spyware to a new level, because it bypasses laws designed to protect users from such practices by hijacking their connection path through their ISP, not the user’s computer.

[Updated 4/1/2008 @ 1613]

BBC News Online has an article by Darren Waters, the Technology Editor of the BBC News Online website, stating that a “leading digital rights lawyer” believes BT’s testing of Phorm’s system was potentially illegal.

New Related External Links added

1. Source: The Register - How Phorm plans to tap your internet connection [back]
2. Source: The Register - BT admits misleading customers over Phorm experiments [back]
3. Source: The Register - Data pimping: surveillance expert raises illegal wiretap worries [back]

Tags: BT, Carphone Warehouse, Phorm, Spyware, Virgin Media