BT shows bad phorm in its bid to improve behavioral ad targeting


In my previous post about this subject I went down the precarious route of agreeing with the UK Home Office and the ICO who can’t seem to be able to make up their mind whether Phorm is an illegal invasion of privacy or who should deal with it if it is. Initially they both seemed to side with BT and Phorm (WikiPedia Link) that their software wasn’t doing anything wrong. I read Dr Richard Claytons technical document and figured that both the UK government, the regulators and the lawyers at BT couldn’t be wrong. Technically the system seemed fine and I didn’t fully appreciate Dr Claytons reservations.

After considering the reaction to the post I made and the legal evidence provided by Dr Richard Clayton I have changed my original position. Particularly read section 18, 19 and 20 of the legal document which convinced me beyond doubt that what Phorm are proposing for major ISPs worldwide puts too much temptation in the hands of Phorm/BT.

Technically the Phorm system is not illegal if all parties are aware and give full consent of the practice. Opt-in in other words. This was something that I argued seemed to be the case. The webmasters of various sites gave BT their consent to serve ads based on the behavioral data and Phorm/BT ask all users of their WebWise system to opt-in to the service from their end. Technically, personally identifiable information (PII) is not “supposedly” passed - a simple IP address is what the phorm cookie is tied too. Seems simple enough and this I feel is why the Home office and ICO was fooled (as well I have to say as myself).

Unfortunately it became clear in my discussions with a number of folks who have gone to great lengths to figure out how it works that Phorm is not disclosing what it can do to the general public. Personal information which is passed in a non https way (adding your email to a form, adding a product to a cart, writing a web based email) could also be passed to the Phorm system and tie back to your cookie meaning your UID now has a name, perhaps even address attached. It is then conceivable that if unscrupulous employees of BT/Phorm wanted to, they could extract that individual data for profit.

This is something that no-one has the ability to opt out of if the Phorm system is implemented because you can only opt out of the behavioral ad system.

Additionally BT sought no permission whatsoever for the initial trial run of the service across 16,000 recipients. This is totally illegal (I had difficulty believing this) and has to be punished for the sole reason that Dr Clayton suggests to make an example to others, Google, Yahoo, MS, Any Other Large Enterprise, that people are watching and if they mess with the Data Protection Act (DPA) they will be punished.

Regards the whole discussion.

I now agree with the folks who argued their case with me here and over at CableForum. Many of the problems around privacy are compounded by the complexity of the situation. This particular case requires you know about ISP networks, public based routing, deep packet inspection, cookies, website mirroring, http requests, https requests, SSL certificates as well as a more than average knowledge about the various laws designed to protect data.

I think an opt-in method for Phorm is perfectly Ok, but it will be a very tough sell to consumers.

I said at CableForum that I don’t condone and don’t think any of my peers or colleagues would condone deception and if the online industry is to prosper, consumer privacy has to be the holy grail.

Not only have BT committed PR suicide by first trying to deceive their customers instead of being transparent, they have broken the law and those responsible should face criminal trials. Phorm software deployed in its present state should be banned. Take note my friends in the USA. They’re trying the same with your ISPs.

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Information
June 15th, 2008
10 Responses
Feeds and Links
Comment Feed
From This Author
Del.icio.us
Digg
Technorati
Categories
General
Privacy

Other Posts
AVG causes fake traffic - Could spell big problems for Web Analytics
Is this bad phorm? Privacy concerns around BT

Archives


Enter your email address:

Delivered by FeedBurner

Categories

Finnish blogs of note (In English)

Web Analytics Blogroll


Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

Reader Comments

Comment Number:
1
Written by:
Alexander Hanff
Posted on:
June 15, 2008 at 7:05 pm

That’s better, allow me to thank you for taking the time to listen to the arguments, do some more research and post a new article based on your findings.

Alexander Hanff

Comment Number:
2
Written by:
Privacy_Matters
Posted on:
June 15, 2008 at 7:13 pm

Hi again

Thanks for taking the time to look over the report from Dr Clayton, its is an immense piece in regards of the Phorm Saga.

I think I need to add somthing to this statement:

“Take note my friends in the USA. They’re trying the same with your ISPs.”

Phorm are also in advanced negotiation with ISPs across Europe. Somewhere a rough timetable was posted, sorry I don’t have the link, but there was an indication that Phorm would firstly be introduced in the UK towards Q3 of this year, followed closely by the likes of Germany and the US in 2009. Then quickly followed by about another half dozen European Countries.

Comment Number:
3
Written by:
Pete
Posted on:
June 15, 2008 at 8:03 pm

Once you ‘grok’ Phorm, there is no compromise.

Phorm must never happen, and BT must be prosecuted.

Else what confidence can anyone have that their legal rights will be respected, if the regulators won’t act?

Its dead simple. People who break the law on this scale *must* be prosecuted and *must* go to prison.

Pete

Comment Number:
4
Written by:
Hank
Posted on:
June 16, 2008 at 12:03 am

Great to see you’ve taken all the comments on board. Great also to have you with us all, as one of the many who are taking am active interest in this issue.

Do write more and circulate widely. Kent Ertugrul cannot and must not succeed. There are a growing number of us that simply will not allow it.

STOP. NOW. DO NOT WANT PHORM.

Comment Number:
5
Written by:
Gemma
Posted on:
June 16, 2008 at 12:10 am

Nice one! To be honest I’m lost when it comes to most of this technobabble .. but I like to think I’m savvy enough to know when someones trying to pull a fast one .. and I don’t trust these Phorm pranksters one little bit!

Comment Number:
6
Written by:
Anon
Posted on:
June 16, 2008 at 4:26 pm

Hi Steve,

A big thank you for taking the time to do the analysis :)

I think that Phorm and BT have been cynically playing the opt-out cookie in their reassurances by talking about the targeted ads when everybody else is talking about opting out of the interception by the Phorm profiler. It’s really no surprise that some very smart people are missing the key issue.

With the collusion of a recognised SSL certificate authority, MITM/proxy interception of HTTPS traffic would be possible. Just as we rely on certificate issuers not to issue fraudulent certs, we rely on our ISP’s not to illegally intercept our communications. BT have seriously undermined that trust and the penalties for doing so need to be severe.

Comment Number:
7
Written by:
Captain Blackbeak
Posted on:
June 16, 2008 at 4:56 pm

It is not trivial understanding all the issues involved and I needed to thoroughly read all the tech docs before I could even understand what they were doing. It was only when I read the related legal documents that I got what they were doing wrong.

This kind of product/service is what scares people about trivial things like cookie tracking or log file analysis and is the reason web analytics vendors often get bad press.

I have given my full support in getting the current version of the system banned and prosecuting BT.

Comment Number:
8
Written by:
Kieron
Posted on:
April 28, 2009 at 1:59 pm

I’s refreshing to see a blogger who is prepared to take comments on board and review their position. Interestingly it appears today that Mr Ertugral has claimed that your change in stance has more to do with abusive bullying - of which I can see none in the comments to your original article.

Comment Number:
9
Written by:
MexiCoe
Posted on:
April 28, 2009 at 6:31 pm

Hi Captain Blackbeak.

Phorm are linking to your previous post on their “anti-smear” website as an example of anti-Phorm campaigners having bullied you into changing your position.

http://www.stopphoulplay.com/this-is-how-they-work/

I must say having read the debate on your previous post and now this post that phorm appear to be doing you a disservice and rather insulting your intelligence.

My interpretation is that you changed your position after reading the numerous opinions available. Is that the case or did you feel bullied into changing your mind?

Perhaps you could ask phorm to print a retraction, as they are fond of doing when others publish opinions that dont agree with theirs.

Nick, Fleet, UK

Comment Number:
10
Written by:
Captain Blackbeak
Posted on:
April 28, 2009 at 10:05 pm

Yes, I was bullied. I had a gun pointed to my head and told I would be sleeping with the fishes if I didn’t remove my post! :)

What a load of complete and utter tripe.

I have never backed down from a good argument/debate in my life. The point here was that Phorm was not a good argument and I was poorly informed and made the mistake of blogging about it too early.

It appeared to me in the first place to be a software tool which utilized behavioral marketing. There is nothing wrong with serving adverts based on preference or anonymous behavioral patterns in my opinion.

Phorm however has too much potential to be abused because it has the ability to identify an individual. Simply put PII (personally identifiable information) is in my view the privacy holy grail.

I will ask this site to remove their comments or at least publish the whole story.

I heard today through my friends at the WAA that The Commission has opened an infringement proceeding against the United Kingdom. I am pleased therefore that the EU listened to the complaints and am happy to have spoken out on behalf of the WAA on this matter.