Wednesday, August 20, 2008

ISP Targeting: In the EU The Gun Sights Are On Phorm

I'm not suggesting for a moment that the heat is off NebuAd, but in the EU at least the company in the sights of regulators is Phorm. You may recall that Phorm had a positively disastrous time in the UK last summer when they quietly launched their version of an ISP-based ad network with BT (née British Telecom), Virgin Mobile, and TalkTalk. Well, quietly is not the right word. Secretly is actually the correct term. Or perhaps covertly.

Phorm is the new name developed by a spyware operation called 121Media, which used offers of free secondary utility applications to convince people to download their adware/spyware products. Tomato/tomahto. As with Gator, the early days of this business in particular were loaded with examples of people not understanding that they were allowing 121Media to track their behaviors and field targeted ads. 121Media claimed it was those pesky partners that distributed their software that were to blame for these atrocities. Several million Americans, including myself, will find the story rather familiar -- we downloaded apps that gave Gator permission to field ads to us based upon surfing habits. Then, when we realized what we had done, we found Gator all but unremovable.

OK, so Phorm. They changed the name of the company and shifted their focus from getting people to download their offering to getting ISPs to sell them the non-PII portion of the info that made ad targeting possible.

Only trouble is, they didn't tell the people that were being tracked in the test. Some 18,000 of them. I don't mean they buried the revelation. They didn't tell them AT ALL, even in an intentionally quiet way.

How was this all discovered? Well, by a reader of, as outlined in this post. Here's an excerpt:

In June 2007, Reg reader Stephen noticed his Firefox installations making suspicious unauthorised connections to the domain every time he visited any website. Naturally worried his machines had contracted some kind of digital infection, Stephen performed a series of exhaustive malware scans, which all came back clean.

He wasn't the only BT subscriber to notice that his browser was making the mysterious contacts around July last year, as this thread archived at shows.

"I spent all weekend wiping my disks clean and reinstalling from backups (four PCs seemed to be affected). I spent a further two days researching and installing all kinds of anti-virus, anti-spyware and anti-rootkit utilities. But even after all that I still have this problem!" Stephen told us at the time.

Having failed to trace the source of the dodgy redirect in his own network, he contacted BT to suggest one of their DNS servers may have been hijacked. BT dismissed the idea, yet the browser requests were still making an unauthorised stop off at

Worried that his business' financial data might be being monitored, Stephen continued to investigate. A Whois search for revealed the domain was registered by Ahmet Can, an employee of a new online advertising company called 121Media. The address is now registered through a third party private domaining agency. 121Media rebranded itself as - you guessed it - Phorm in May 2007.

This is, you'll be unsurprised to learn, indeed the same Phorm that BT, Virgin Media and Carphone Warehouse recently revealed they had agreed to sell their customers' browsing habits to, despite the questions over its links to spyware. For helping Phorm target advertising, the ISPs are set to bag a cut of click revenues.

So, throughout the test period Phorm and BT had a novel consumer communications system.


BT actually called the hijack process by which the system worked a clear incidence of malware.

But then! On 2/14/2008, BT and two other companies announced they had a deal, and that the hijack process was

validated under best industry practices, both through an independent audit conducted by Ernst & Young (View report PDF) and a Privacy Impact Assessment undertaken by Simon Davies, MD of 80/20 Thinking and Director of Privacy International.

Malware...revolutionis[ing] current standards of online privacy and fully protect[ing] the identity of consumers. Tomato...tomahto.

Phorm was paired with an application called Web Wise which was supposed to make people feel OK about the tracking. It was and is a phishing detector.

The British government essentially decided not to deeply pursue whether laws had been broken in the BT test. They issued their opinion that things were okiedokie, but many European web experts disagreed, as outlined in this post on

(Has the US started exporting Bush Administration officials? ;-) We have loads more folks like this, UK, if you want them. 2 for 1 sale through November.)

Here's a morsel:

"The explicit consent of a properly-informed user is necessary but not sufficient to make interception lawful.

"The consent of those who host the web pages visited by a user is also required, since they communicate their pages to the user, as is the consent of those who send email to the user, since those who host web-based email services have no authority to consent to interception on their users' behalf."

And the EU earlier this summer insisted they do so. Here is the text of the letter that was sent to the Brits by Brussels:

Dear Sir,

I am writing to you in relation to certain issues arising from the past and future deployment by some major United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their customers with targeted advertisements based on prior analysis of these customers' internet usage.

In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the privacy of Internet users. The information published on the web also included an e-petition submitted to the Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April 2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006 and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without informing the customers affected and obtaining their consent.

The European Commission has already been contacted by Members of the European Parliament from the United Kingdom who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the Commission to comment on the applicability of EU legislation and also to set out its intended action in relation to the previous trials. Finally, a number of individuals have also written to the Commission directly to express their concerns and invite it to intervene in the matter.

In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy and electronic communications may be applicable to other activities involved in the deployment of Phorm technology by ISPs.

In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and complements for the electronic communications sector the general personal data protection principles defined in the directive 94/45/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of communications and related traffic through national legislation. They are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be processed for certain defined purposes and for a limited period. The subscriber must be informed about the processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user must be obtained (Article 6 of Directive 2002/58/EC).

In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with information on (1) the current handling by the United Kingdom authorities of the issues arising from the past trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the planned deployment of the Phorm technology by ISPs.

As regards the first issue, according to applicable EU law the responsibility for investigating complaints concerning such trials and determining whether the national legal provisions implementing the requirements of the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000 (RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home Office, which says that it is questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO statement does not include any indication as regards the intentions of the ICO in relation to the investigation of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.

Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology, there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One of the most significant issues in this regard is the way in which customers will express their consent to the application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated that it intends to tackle user consent through providing 'transparent meaningful user notice'.

I would therefore be grateful to receive the response of the United Kingdom authorities on the following questions:

1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1) of Directive 95/46/EC?

2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any breaches of the national law transposing each of the above-mentioned provisions of Community law arising from the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those provisions where appropriate?

3. Have there been any investigations about the past trials of Phorm technology by BT and what were their results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible similar activities by other ISPs?

4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article 15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including the courts?

5. According to the information available to the United Kingdom authorities, what exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?

Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of this letter.

Yours sincerely,

Fabio Colasanti

The EU has far stricter definitions of online privacy protections.

The Brits demurred from responding, so the EU has since issued a "prewarning" followup letter.

This is becoming a rather significant embarrassment for the UK government, BT, and Phorm. More as it develops.

If you are looking for more on Phorm, make sure you head over to They are clearly at the forefront of this investigation and issue. After all, they broke the story and typically break every significant development on the topic.

Thanks for reading, and don't forget to write.

1 comment:

  1. Update from the nodpi website, by Alex Hanff:

    City of London Police - Criminal Complaint Update
    August 20th, 2008 News

    I received a communication from DS Barry Murray this lunch time regarding the criminal complaint I made against BT on 16th July. I cannot go into too many details at this time as it is part of an ongoing “investigation” but I can confirm that the issue does now appear to be being taken seriously; I have been asked a series of further questions relating to the issue and have been informed BT will be questioned in early September.

    I will continue to update you all as and when appropriate - in a manner which will not interfere with the criminal investigation.

