Ben Laurie blathering

More Bullshit from Phorm

Phorm continue to sob that us whining privacy advocates are misrepresenting their system

Phorm’s chairman and chief executive, Kent Ertugrul, said yesterday the firm was the victim of misinformation. “What is so strange about this is that if you were to put on a board what we do and what has been written about us and map the two, you would find there is very little correlation,” he said.

I’d be more than happy to compare what I’ve said to what their system actually does, only … when the Open Rights Group nominated me to be briefed by Phorm (in my capacity as both a director of ORG and a subject matter expert) they declined, on the basis that I work for a competitor, despite my assurance that I would not be acting for Google in any way, as is always the case when I do stuff for ORG. But, hey, trust is a one-way street, apparently, if you are Phorm – as one of the surveilled, I must trust them, but that’s no reason they should trust me, is it?

Strangely they were quite happy to brief two of my colleagues in detail, without any NDA – and my colleagues are planning to produce a full, public report of that briefing. With a bit of luck, they’ll have addressed all my concerns, but who knows? I wasn’t there to assist in that process.

Interestingly, they go on to say

“What we would like to do is issue a challenge to the privacy community to select some of their most technically savvy representatives and form an inspection committee. We would be delighted, on a recurring basis, to give those people the ability to spot inspect what it is we do.”

which rather emphasizes one of the core problems with their system: it requires everyone to trust that all this data they have gathered without consent is actually handled as they claim it is handled.

I do hope Phorm will be paying the going rate for this valuable service – but probably I won’t find out because I expect that, despite my obvious qualifications, I will be excluded from such a group. It wouldn’t do to have anyone too expert looking at their system, after all.


  1. Ben, it’s good to see professionals such as yourself and the ORG raising these issues. I’ve been angry for weeks about the protocols impact with all HTTP requests being redirected via the Phorm profiler – just to establish if any opt-out cookies exist!

    I raise one question to Phorm. If they are above board, the system purely is optional and brings value in a safer browsing experience, they have nothing to hide, have no plans for “deeper” data mining and are serious about protecting privacy, why not implement a simple proxy?

    Anyone who wants to have access to safer surfing and targeted advertising can browse via a Phorm proxy. The ISPs can sell the deal via a recommendation, but ultimately consumer’s internet connections are left untouched unless they choose to reconfigure their browsers.

    From the information I’ve read in the Guardian and The Register it’s apparent that Phorm intended to roll this out quickly and quietly in order to get as many customers involved as possible. From Blogs by Charles Arthur (Guardian Unlimited) it seems the involvement of 80/20 Thinking and Ernst and Young came possibly at the request of the ISPs to cover due diligence of data protection issues.

    If I read another claim from Phorm that we, the IT professionals of the UK “misunderstand” how the very internet we helped to develop over the last 14 years works with their “Bullshit” about cookies and safeguards I seriously am in danger of having to purchase a new monitor as a coffee cup is about to go through this one.

    Comment by JDF — 31 Mar 2008 @ 17:45

  2. There are a couple of points that don’t seem to have come up yet in the general discussion about Phorm:

    – If the Phorm “service” rewrites webpages in order to deliver more targetted advertising, presumably a website owner could add additional client side scripting to their pages to report back the difference between the transmitted content and that recieved by the client. By examining this data, the website owner could determine information about a users surfing habits, surfing habits that presumably the end user would not want disclosed to this website. And this is achieved without deploying any kind of malware, purely with an integrity check of their own data. If this is the case (all assumptions at this point I know) then Phorm is intrumental in circumventing an element of that users privacy. Not to mention that if the website in question takes user registration details, then the users surfing habits may have just been tied to a name, something that Phorm claims to be against.

    – Do the owners of websites which have had their adverts made “more relevant” have any recourse against Phorm? To my mind they do:

    – A website which they have put their name to, now has content which they did not supply or authorise, potentially damaging their name or reputation.
    – A revenue stream, perhaps the only revenue stream which keeps the site alive has been diverted elsewhere.

    Comment by leE — 1 Apr 2008 @ 17:20

  3. As a developer I am concerned that sites I build, promote and target at my customers will have my communications to MY customers intercepted so that phorm can find out who my hard won customers are and effectively sell this information to my competitors.

    The Royal Mail don’t open letters sent by businesses to customers to find out what the customers are interested in on behalf of the competition.

    There’s more to this story than just the privacy of customers – there’s also the privacy of businesses to be considered as well.

    Comment by Steve — 13 Apr 2008 @ 11:39

  4. Hi Ben,

    Please could you take a look at this thread over on BadPhorm website regarding a transparent SSL proxy and give us some of your expert opinion how Phorm could abuse it or not as the case may be.

    “Phorm cannot intercept our private SSL communications can they?”

    Comment by BadPhormula — 26 Apr 2008 @ 11:17

  5. […] asked me to comment on a thread over at BadPhorm on SSL […]

    Pingback by Links » Can Phorm Intercept SSL? — 26 Apr 2008 @ 18:24

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress