Republished: A bit of info on the Phorm Debacle

Originally published on 5 Mar 2008

The tech news pages are alive with the news that BT, Virgin Media and Talk Talk are planning to sell its customers browsing information to a company named Phorm.

BT claims that the new 'service' Webwise is intended to improve the browsing safety of its users. It includes a list of Phishing sites, and warns users when they attempt to connect to one of the listed sites. Newsflash for you guys: FIREFOX ALREADY HAS THIS FUNCTIONALITY. Its nothing new, and of no real benefit if you already have a browser that does this. It's also not a lot of use if you are wary of emails from institutions that ask for personal details.
Unfortunately WebWise also sends your browsing history (and a copy of everything you send/download on unsecured connections) to Phorms servers where they will profile it and effectively mangle some of the pages you download to include adverts that they believe may interest you.
This mangling will only happen on pages that run adverts from Phorm, not every site will be effected.

So thats a basic synopsis of what WebWise is marketed as, but what are the issues everyone is raising?

WebWise is going to be Opt-out, this basically means that you will be automatically opted in to the system unless you actively log onto the relevant page to disable it. Unfortunately because of the way the system is set up, this will only disable the targeted ads (and probably the anti-phishing list). Your page requests and the responses will still be 'profiled' by Phorms system, and so Phorm will still be able to see anything you view/enter on unsecured pages.

You may think that you don't view/enter anything personal on unsecured pages, but many pages only use secured connections for the login itself. Googlemail is a prime example of a system that uses a secured connection for the login, and then presents the main interface through standard HTTP. Phorm would not be able to see your login, but could read your email if they so wished. If your email contains sensitive information you should be all the more concerned.

Phorm has something of a shady past, including links with malware (Spyware, Viruses etc.) so this is not a company that many people would trust to handle their information responsibly. Yet the ISP's expect you to, especially as there is no way to opt-out of the system fully, apart from changing ISP.

There is no oversight in terms of how Phorm handle your information, so your only assurance that your personal information won't get abused is a promise from a company with a shady background. Even if Phorm's promise is true now, there is nothing to stop them changing their mind later in the day, and neither you or your ISP would know until it is too late.

Sadly the ISP's are all rebuffing complaints from users with a brief explanation of how beneficial webwise will be to customers (The ISP's are receiving fairly large sums for running Phorms hardware on their networks). There is allegedly talk on BT's intranet about how many customers are against the system, but so far all three ISP's are standing their ground.

If you are a customer of one of these ISP's your best bet (assuming you do not like the repercussions of what you have just read) is to contact your ISP (use the make a complaint link) and explain that you do not want your data passed through Phorm's hardware, and that you rescind all prior permission for your ISP to pass any of your details onto a third party, under the Data Protection Act they must comply. There are a few intricasies to the DPA but the message of a user not wishing to participate in the system soon turns into a few, then a few more and eventually the tide may turn. If you feel your ISP is not going to back down, then it is time to find a new ISP and request your MAC code from your current ISP.

They are selling our personal browsing habits to make a quick buck, but given the money they are receiving it will not compensate for the number of customers they are likely to lose.