EU Investigates Phorm's UK ISP Advertising System
MJackson writes "The European Commission has opened an infringement proceeding against the UK after a series of complaints by Internet users, and extensive communication with UK authorities, about the use of Phorm's behavioural advertising system, which uses Deep Packet Inspection (DPI) technology, by internet service providers. Phorm works with UK ISPs to monitor what websites you visit for use in targeted advertising campaigns, though its methods have raised more than a few fears about invasions of privacy. Similar services in the USA have caused an equal level of controversy."
The BBC has a potted history of Phorm & BT's actions in the UK. http://news.bbc.co.uk/1/hi/technology/7619297.stm http://news.bbc.co.uk/1/hi/technology/7959099.stm http://news.bbc.co.uk/1/hi/technology/7988154.stm http://news.bbc.co.uk/1/hi/technology/7998009.stm And on top of that, my ISP has stated that they will not use Phorm or anything Phorm-like.
I'm still reading all the essays on Canada's deep packet inspection education site, but this one seems very topical:
Objecting to Phorm
Bonus - Phorm's 'essay' submission (but more like marketing drivel):
Phorm: A New Paradigm in Internet Advertising
With Google you can block it by switching off cookies if you don't trust Google's opt-out option. With DPI at the ISP level you can't. You have no control over what they're monitoring (save for doing something like using an encrypted tunnel to a proxy outside of the ISP's view). That's a pretty significant difference.
http://twitter.com/onion2k
Google only records what information you give them when you use their services directly: when you search on Google or use Gmail or the like. The EULA for the service explains what is done with your data. This is explicitly allowed under the Data Protection Act (as it should be - otherwise Apache logs would be illegal!). Once you leave their site, though, the logging ends.
Phorm collects detailed information on all your browsing traffic without your knowledge or consent, and then shares it with third parties, again without your knowledge or consent - take the BT trial, where people didn't even know it was running, let alone opt-in.
There's a good argument that Phorm breaches the Regulation of Investigatory Powers Act here; as a non-governmental body (i.e. not specifically authorised to intercept traffic) they don't have the right to intercept and record the traffic of users without it being explicitly opt-in - it can even be argued that such recording requires the opt-in of both parties, i.e. the websites that people visit need to agree too.
Depending on what they do with the data specifically, and who it gets passed to, they may well be in breach of the Data Protection Act too.
ISPs have to record certain communications information under the Interception Modernisation Program, to be provided upon request to local and national governmental bodies. Phorm definitely doesn't qualify under that either.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
I'm extremely concerned by Phorm.
Effectively it gives the ISP the ability to remove the adverts that fund 60% of our costs and replace them with adverts for which they would receive the entire revenue stream.
My site is funded by adverts (60%) merchandise (30%) and donations (10%).
I'm fairly sure that the community would step up and purchase more stuff and donate more, but I don't think it's realistic that this could be sustained, whereas the advertising revenue is reasonably constant.
I believe that if Phorm becomes ubiquitous I would have to question seriously how to fund the website, and would probably have to remove all adverts and seek to have the costs covered exclusively through other means. As I'm unsure of the feasibility of this, I would have to say that in my case the loss of that revenue would threaten my ability to continue running the site, especially under the risk of redundancy in the near/mid future.
I've already implemented the Phorm opt-out cookies, and written to my local MP (who couldn't care less from the generic response I got), so it's great to see the EU step up where the UK seems to have failed.