Thursday 10 April 2008

Is Phorm a serious threat to search engines?

It occurred to me this evening that given the nature of Deep Packet Inspection it would be a trivial task for Phorm to configure their Layer 7 hardware in such a way that creates a significant threat to search engines.

The technology has the ability to alter the information in the traffic data and so through the use of some fairly trivial regular expressions, the technology could be used to alter search results on their way back to the user. They could potentially insert their OIX partners directly into the top of the search results.

Moreover it would be incredibly difficult to detect (if even possible) that this is happening given the pseudo-random manner in which search results are returned by the search engine; at best it would be very difficult to detect and even more difficult to prove.

This could have a direct impact on the business models of many search engines including Google, Yahoo! and Microsoft Live Search who are competing in exactly the same markets as Phorm and OIX.

To this end I have emailed Tom Coates at Yahoo! expressing my concerns and have also talked to a close friend who works for Google. I will be talking to another friend who works in Redmond for MS over the next couple of days.

If the major search engines take a consolidated stance on this issue and all implement SSL versions of their search pages, it would go a long way in preventing Phorm building revenue from work which is in essence being done by the search engines.
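One way a client could look for this kind of alteration, as an added example that is not part of the original post: compare the result hosts seen over plain HTTP with the union of hosts seen across several fetches of the same query over SSL. The result markup, the `.example` host names and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResultLinks(HTMLParser):
    """Collect hosts of <a class="result"> links (constructed markup, not a real engine's)."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("class") == "result" and a.get("href"):
            self.hosts.append(urlparse(a["href"]).hostname)


def result_hosts(html):
    parser = ResultLinks()
    parser.feed(html)
    return parser.hosts


def unexplained_hosts(plain_html, trusted_pages, top_n=3):
    """Hosts in the top_n plain-HTTP results that no SSL fetch ever returned.

    Ordering and membership vary between honest fetches, so the baseline is
    the union over several SSL fetches rather than a single page.
    """
    baseline = set()
    for page_html in trusted_pages:
        baseline.update(result_hosts(page_html))
    return [h for h in result_hosts(plain_html)[:top_n] if h not in baseline]


def page(hosts):
    """Build a constructed result page from a list of hosts."""
    items = "".join(f'<li><a class="result" href="http://{h}/">{h}</a></li>' for h in hosts)
    return f"<ol>{items}</ol>"


# Constructed sample data: three SSL fetches of one query, with normal variation.
SSL_FETCHES = [
    page(["a.example", "b.example", "c.example", "d.example"]),
    page(["b.example", "a.example", "d.example", "e.example"]),
    page(["a.example", "c.example", "b.example", "e.example"]),
]
REORDERED = page(["c.example", "a.example", "e.example", "b.example"])
INJECTED = page(["partner.example", "a.example", "b.example", "c.example"])
```

A host missing from the baseline is only a lead, not proof: an honest fetch can return a host the SSL samples happened to miss, which is why taking more samples matters and why proving alteration remains hard.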

It is Google's assets which process the search results (at great cost) for Google search pages so why should a company like Phorm be permitted to read and possibly alter the traffic data on the way back to the end users in order to make a profit?

Alexander Hanff


Tuesday 8 April 2008


My apologies for not posting to this blog for some time. I have been very busy on other web site forums, blogs etc. fighting this issue and am currently in the process of writing my dissertation (which is on Phorm) so I have had precious little time.

I will hopefully have a chance to add some more information to this blog this weekend.

If anyone would like to discuss this issue you can find me on the following url:

Alexander Hanff

Monday 17 March 2008

Attempt to report a crime

At 19:50 this evening I phoned New Scotland Yard to fulfil my civic duty and report a crime. Based on BT's admission to carrying out secret trials of this technology last summer without obtaining customer consent first, and in accordance with the guidance given by FIPR and the Home Office, I attempted to report BT for multiple criminal breaches of the Regulation of Investigatory Powers Act 2000 (RIPA).

New Scotland Yard refused to issue the complaint a Crime Reference Number as they knew nothing about the issue and were "sure higher bodies are dealing with this" (in actual fact they don't know; they were just trying to fob me off). They also claim that despite BT's admission reported in the press today, I need to know where the crime took place.

So basically what we need are victims of BT's criminal activities, to come forward and file a complaint with the police themselves. If you know you were part of the secret trials phone your local police station and make it very clear that you wish to file a complaint for criminal breach of RIPA against BT. The crime will have taken place in your local exchange as far as I am aware but we may need some clarification as to where the actual Phorm technology was (geographically) on BT's network before the police will act on these complaints.

So please, if you are a victim, come forward, make the call and start the criminal investigation rolling on BT.

Alexander Hanff

Subject Access Request (SAR)

Do you want to know if you were part of the illegal BT trials last summer? If so you can send a Subject Access Request to BT's Data Controller under the Data Protection Act (DPA). You will need to send a £10 cheque or postal order but they are required by law to respond to the request within 40 days.

You can read the Information Commissioner's Office Guidelines on your rights regarding SAR under the DPA by downloading the following PDF directly from their website:

Subject Access - Guide for Data Subjects

If anyone would like to submit any ideas for Subject Access Request templates please do so. If not I will try to get a template up by the end of the week.

Make sure you send Subject Access Requests as "Registered Post" should you need to issue a complaint against BT for failing to adhere to the SAR within the 40 days.

I have talked to a legal friend of mine and he is going to try to put a template for SAR together by the end of the week for us.

Alexander Hanff

Lavasoft Research Blog

Lavasoft have published a blog article researching Phorm. Quite an interesting read (although they fail to make any mention of RIPA):

Lavasoft Article

Foundation for Information Policy Research

Foundation for Information Policy Research (FIPR) have released a statement to the BBC this afternoon stating they believe that Phorm's technology contravenes the Regulation of Investigatory Powers Act 2000 (RIPA).

As a result they have issued the Information Commissioner's Office with an Open Letter on the legality of these technologies. In it they discuss issues such as the Opt-Out cookie fiasco, issues with regards to explicit informed consent as opposed to implied consent (criticising the Home Office press release in doing so) as well as discussing s1 and s2 of RIPA.

You can read the press release and the open letter on FIPR's website here

Alexander Hanff

BT admit to secret trials.

The Register published an article today confirming that BT did in fact trial this system last summer without seeking the consent of their customers or changing the terms and conditions.

This means that BT have now admitted to a criminal breach of RIPA and as such I urge all people who were affected by the secret trials last summer to seek criminal charges against BT with their local police station.

If you were to intercept BT communications and gain access to sensitive intellectual property you can be damn sure that BT would seek criminal charges against you, so why should they not be treated the same?

This is a very very important issue and the quicker criminal charges are brought against BT the quicker the rest of the corporate sector will understand that they cannot break the law for profit. It will also do a good job of stamping a little more life out of the Phorm stock price which is currently down a further 7.29% today (last checked 15:15).

BT are criminals, treat them as such.

Alexander Hanff

Thursday 13 March 2008


I have added a few link lists to the blog which link to Facebook Groups, Digg Articles and other important sites fighting the Phorm War.

Please visit the sites, support the Digg stories and join the Facebook groups. The more publicity we generate around these issues, the more Phorm's share price will drop and the more chance we have of successfully stopping these business practices.

I have also set up an IRC chat room on Freenode, details are below:

Channel: #DenyPhorm

Alexander Hanff

More to come

I am away all day tomorrow and won't be able to update the blog until tomorrow night. But rest assured I will be working over the weekend to provide more information and resources. I am currently looking at generating a template set of terms for site owners to use on their sites, which would deny consent for Phorm to intercept any communications between their web sites and their users.

I will also be working on a small tile banner for web site owners to place on their site to show they are supporting the Deny Phorm Campaign.

Some time in the next week I will be looking at setting up a database where Deny Phorm supporters can place their web site details. I will then publish and send an open letter to Phorm and the 3 ISPs currently involved, to make them aware of the database so they can take appropriate steps to prevent their technologies from committing a criminal offence under RIPA.

I have more ideas still being developed but I will provide more updates this weekend.

Anyone who wishes to help with anything, feel free to leave a comment.

Alexander Hanff

Deny Phorm Campaign

First of all, some history...

What is Phorm?

Rather than regurgitate information that is already available, I will simply link to a number of articles on The Register, a popular tech news site who have run an extensive set of articles on the company and the issue at hand.

So firstly here are The Register links:

  1. ISP data deal with former 'spyware' boss triggers privacy fears (25 February 2008)
  2. BT pimped customer web data to advertisers last summer (27 February 2008)
  3. Broadband big boys waiting on data pimping (29 February 2008)
  4. How Phorm plans to tap your internet connection (29 February 2008)
  5. The Phorm files (29 February 2008)
  6. Data pimping: surveillance expert raises illegal wiretap worries (4 March 2008)
  7. BT targets 10,000 data pimping guinea pigs (5 March 2008)
  8. Phorm launches data pimping fight back (7 March 2008)
  9. Dear ISP, I am not a target market (10 March 2008)
  10. CPW builds wall between customers and Phorm (11 March 2008)
  11. Top security firm: Phorm is adware (12 March 2008)

Now for those of you who do not want to read the information in the links above, here is a brief summary.

Phorm are an advertising company with historical links to the malware/spyware industry. The 3 largest ISPs in the UK are in the process of negotiating deals to insert Phorm technologies into their networks for the purpose of tracking customer browsing habits in order to deliver targeted advertising, of which the ISP will get a cut of the profits.

The Key Issues

  • Privacy - Privacy in our private lives and communications is protected under human rights. Privacy of communications is also protected in the UK under the Regulation of Investigatory Powers Act (RIPA).
  • RIPA - RIPA requires that in order for an interception of communication without a warrant to be lawful, consent from all parties must be obtained (which includes the person sending the HTTP request and the owner of the web site).
  • Opt In by Default - This is unlawful under the Data Protection Act which states consent must be given before information is processed relating to any person if that information is not required as part of the process to provide a contractual service. It is also not permitted for data about any person to be passed onto a 3rd party without that person's consent.

What the Home Office say

In a statement released by the Home Office it is stated that:
"The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express consent."
Whereas the Home Office are not sure if Phorm may have an argument under law for implied consent, they do make it clear that such an argument would only be applicable if there is no "specific expressed consent".
(source Home Office Statement)

This Campaign?

Well based on the Home Office information above it seems the easiest way to guarantee that Phorm are making a criminal breach of RIPA is to simply add expressed terms refusing consent for Phorm to intercept any communications between your website and your users.

So that is the point of this blog: to try and encourage web publishers to add terms to their website refusing consent for Phorm to intercept any communications between their website and users.

If we can get enough people to add these terms, it is very likely that criminal charges will be able to be brought against Phorm for interception of communications under RIPA. This is important because it sends a clear message to the corporate world that their customers' personal data is not a commodity and will be fiercely protected.

Due to the negative press over the past couple of weeks Phorm's stock prices have fallen dramatically, so please help to Deny Phorm and add terms to your website now.

Alexander Hanff