Thursday, 13 March 2008

Deny Phorm Campaign

First of all, some history...

What is Phorm?
Rather than regurgitate information that is already available, I will simply link to a number of articles on The Register, a popular tech news site that has run an extensive set of articles on the company and the issue at hand.

So firstly here are The Register links:


  1. ISP data deal with former 'spyware' boss triggers privacy fears (25 February 2008)
  2. BT pimped customer web data to advertisers last summer (27 February 2008)
  3. Broadband big boys waiting on data pimping (29 February 2008)
  4. How Phorm plans to tap your internet connection (29 February 2008)
  5. The Phorm files (29 February 2008)
  6. Data pimping: surveillance expert raises illegal wiretap worries (4 March 2008)
  7. BT targets 10,000 data pimping guinea pigs (5 March 2008)
  8. Phorm launches data pimping fight back (7 March 2008)
  9. Dear ISP, I am not a target market (10 March 2008)
  10. CPW builds wall between customers and Phorm (11 March 2008)
  11. Top security firm: Phorm is adware (12 March 2008)

Now for those of you who do not want to read the information in the links above, here is a brief summary.

Phorm are an advertising company with historical links to the malware/spyware industry. The 3 largest ISPs in the UK are in the process of negotiating deals to insert Phorm technologies into their networks for the purpose of tracking customer browsing habits in order to deliver targeted advertising, with the ISP getting a cut of the profits.

The Key Issues


  • Privacy - Privacy in our private lives and communications is protected under human rights. Privacy of communications is also protected in the UK under the Regulation of Investigatory Powers Act (RIPA).
  • RIPA - RIPA requires that, for an interception of communication without a warrant to be lawful, consent must be obtained from all parties (which includes the person sending the HTTP request and the owner of the web site).
  • Opt In by Default - This is unlawful under the Data Protection Act, which states that consent must be given before information relating to any person is processed if that information is not required as part of the process to provide a contractual service. It is also not permitted for data about any person to be passed on to a 3rd party without that person's consent.

What the Home Office say

In a statement released by the Home Office it is stated that:
"The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express consent."
While the Home Office are not sure whether Phorm may have an argument under law for implied consent, they do make it clear that such an argument would only be applicable if there is no "specific express consent".
(Source: Home Office statement)

This Campaign?

Well, based on the Home Office information above, it seems the easiest way to guarantee that Phorm are making a criminal breach of RIPA is simply to add express terms refusing consent for Phorm to intercept any communications between your website and your users.

So that is the point of this blog: to try to encourage web publishers to add terms to their website refusing consent for Phorm to intercept any communications between their website and users.

If we can get enough people to add these terms, it is very likely that criminal charges can be brought against Phorm for interception of communications under RIPA. This is important because it sends a clear message to the corporate world that their customers' personal data is not a commodity and will be fiercely protected.

Due to the negative press over the past couple of weeks, Phorm's stock prices have fallen dramatically, so please help to Deny Phorm and add terms to your website now.

Alexander Hanff


2 comments:

Anonymous said...

Do you have a sample message that we could plagiarise for our own websites? Lazy of me to ask, I know, but it may help if everyone used a form of wording that had been checked for adequacy. Thanks.

Nik said...

Is it possible to have a default letter to send to our ISP explicitly opting out of any Phorm information sharing - overriding any future 'implied' consent via cookie opt-in or any other form of surreptitious opt-in?