An open letter from the people at BadPhorm.co.uk and some of us in the internet
community at large who are concerned about privacy.
Dear Friends,
By now, you will probably have heard about a company called Phorm, which is run
by a person whose name is Kent Ertugrul. Kent Ertugrul used to be the CEO of
another company called 121Media. 121Media were responsible for writing a piece
of software which antivirus companies such as F-Secure classified as malicious
Spyware.
Phorm has more recently developed a system called 'Open Internet Exchange'
(OIX). This system is tightly integrated with the network infrastructure of
participating ISPs, and intercepts all the browsing data from customers as they
surf the web. Naturally, many people in the Internet community are concerned
about this development because of the privacy and technical implications of how
it is implemented.
This letter will not cover in depth the privacy and technological implications
of OIX technology from a customer's point of view. If you wish to have a better
understanding of how this technology works and all the issues it raises, we refer
you to the following websites:
http://www.inphormationdesk.org/
http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/
http://www.fipr.org/press/080423phorm.html
We would like, instead, to address some of the issues which may arise from the
point of view of businesses who have an Internet presence and run their business
on-line. We believe that Phorm's OIX technology has serious implications for
on-line business which may affect them financially and legally.
*Phorm's legality called into question*
Firstly, it is important to note that the legality of Phorm's adware system is
not entirely certain, and businesses which adopt this technology may potentially
be at the receiving end of legal action.
Some security and other IT experts and professionals consider Phorm's adware
technology to be of dubious legality. Richard Clayton, security expert and
Cambridge professor, said this after reviewing the Phorm system in March:
"Overall, I learnt nothing about the Phorm system that caused me to change my
view that the system performs illegal interception as defined by s1 of the
Regulation of Investigatory Powers Act 2000."
http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/
Nicholas Bohm, General Counsel for the Foundation for Information Policy
Research, said:
"We now know that BT have already conducted secret trials of this technology,
testing the effectiveness of snooping on their customers' Internet activities.
They claim to have received extensive legal and other advice beforehand, but
have failed to give the reasoning on which this advice is based.
"As we pointed out in our letter, the illegality stems not from breaching the
Data Protection Act directly, but arises from the fact that the system
intercepts Internet traffic. Interception is a serious offence, punishable by up
to two years in prison. Almost incidentally, because the system is unlawful to
operate, it cannot comply with Data Protection principles."
http://www.fipr.org/press/080406phorm.html
Amidst a very public controversy and a consumer backlash, in mid-July the EU
Telecoms and Media Commissioner Viviane Reding sent a letter to the British
government asking it to clarify whether or not Phorm complies with EU privacy
laws.
The details of the letter have not been made public, but the British government
was given until the end of August 2008 to respond.
http://www.itpro.co.uk/605220/eu-questions-uk-government-on-phorm
*Phorm's adware technology may make you lose customers and revenue*
Let's say that you have an on-line business that sells widgets. When someone who
has not opted out of Phorm's adware technology visits your site, Phorm will
profile the keywords on your website and will add certain keywords (such as
'widget') to a profile associated with that person. Phorm now knows that person
is interested in widgets. When that same person visits a website which is using
Phorm's advertising system to serve ads, he is likely at some point to see an
advertisement for widgets being sold at your competitors' website.
You will have worked hard to market your widget site. How many thousands have
you spent on designing the site, writing content, improving the search engine
optimisation (SEO), marketing and advertising? All that money spent on getting
your site and product ranked high in the search engine results pages (SERPs),
natural or paid, can now be used by some third party to promote YOUR competition
and to display THEIR adverts to every one of your hard-earned visitors.
When a person is searching for a product they will not usually impulse-buy from
the first site they visit. Even when your page contains all the necessary calls
to action, less than 20% will convert. The better your site, the more it will
have encouraged a person to buy something like your product.
Half an hour later, your visitor may be visiting a site with nothing to do with
your widgets. Suddenly their eye will be caught by an advert offering a similar
product - maybe even selling the same product you are selling. They have had
half an hour to think about buying, and they click to continue their research
into whether or not to buy the product.
You have done the hard work of investing in selling the product. Someone else
comes and taps them on the shoulder and gets the sale. At least, that is the
selling point of the OIX system.
It does not matter which system you invest in to bring visitors to your site: if
you do not convert the visitor when they arrive, within the very near future
they will be offered the same product on another site. Your site content has
been harvested and is being used to sell someone else's product.
*Copyright issues*
The content that you create for your business web site is valuable. The value is
enhanced by the effort your company invests to describe, present, and promote
your products and services more effectively.
Your content is protected by copyright law.
The data associated with the transactional services you offer your customers,
such as keyword searches, shopping baskets, and quotation/enquiry forms, is
particularly commercially sensitive.
BT and Phorm are exploiting that valuable copyright and commercially sensitive
content of online businesses. The financial beneficiary? BT, Phorm and OIX
advertisers... and through them your competitors. BT and Phorm are, in effect,
using your content to create demographic profiles of your customers. Phorm have
no legal right to snoop on it, intercept it, redirect it or profit from it.
The valuable content on your commercial web sites should not be used for this
purpose without your consent (and your customers' consent).
But it will be if Phorm/Webwise is implemented by BT.
*Your website's privacy policy*
In order for Phorm's adware technology to keep track of web surfers across the
net, it forges a cookie so that it appears to come from a website which has
already been visited by the person surfing the web. This appears to be illegal:
"Phorm explained the process by which an initial web request is redirected three
times (using HTTP 307 responses) within their system so that they can inspect
cookies to determine if the user has opted out of their system, so that they can
set a unique identifier for the user (or collect it if it already exists), and
finally to add a cookie that they forge to appear to come from someone else’s
website. A number of very well-informed people on the UKCrypto mailing list have
suggested that the last of these actions may be illegal under the Fraud Act 2006
and/or the Computer Misuse Act 1990."
http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/
The implication of this for your website is that you cannot be certain how
cookies which appear to come from your website will be used, or what
information they contain. Even if you do not use any cookies at all, users may
nonetheless be presented with a cookie which appears to come from your website.
This may contradict your privacy policy, and web surfers may feel their trust has
been violated.
People do not do business or hand over credit card details to websites which
they cannot trust.
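One practical step a site operator can take against the problem described above is to audit the cookies that arrive on requests to the site and flag any that the site never issued. The following Python check is an added example for this letter, not code from its authors, from BT or from Phorm. It assumes the site keeps a registry of the cookie names it sets itself, together with the value format each should have; the registry entries `session` and `basket`, and the sample request headers, are constructed for the illustration.

```python
"""Flag cookies presented for this site that the site never issued.

Added example, not part of the original letter. A site that knows which
cookies it sets can compare every incoming Cookie header against that
list: a cookie name it never issued, or a known name carrying a value in
the wrong format, is worth reviewing against the site's privacy policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple

# Hypothetical registry of the cookies this site issues itself, mapping
# each name to the value format it expects (constructed for the example).
KNOWN_COOKIES: Dict[str, Pattern] = {
    "session": re.compile(r"[0-9a-f]{32}"),  # 32 hex characters
    "basket": re.compile(r"[0-9]+"),         # numeric basket id
}


@dataclass
class CookieFinding:
    """One cookie that does not match the site's own registry."""
    name: str
    reason: str  # "unknown-name" or "unexpected-value"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie request header into (name, value) pairs.

    Tolerates missing '=' and stray whitespace, and keeps duplicates so a
    second cookie reusing a known name is still visible to the audit.
    """
    pairs: List[Tuple[str, str]] = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def audit_cookies(header: str,
                  known: Dict[str, Pattern] = KNOWN_COOKIES) -> List[CookieFinding]:
    """Return every cookie in `header` that the site cannot account for."""
    findings: List[CookieFinding] = []
    for name, value in parse_cookie_header(header):
        pattern = known.get(name)
        if pattern is None:
            findings.append(CookieFinding(name, "unknown-name"))
        elif pattern.fullmatch(value) is None:
            findings.append(CookieFinding(name, "unexpected-value"))
    return findings


def audit_log_line(client: str, header: str) -> str:
    """Render one log-only record; empty string when nothing is unexpected."""
    findings = audit_cookies(header)
    if not findings:
        return ""
    detail = ",".join(f"{f.name}:{f.reason}" for f in findings)
    return f"cookie-audit client={client} unexpected={detail}"


# Constructed sample Cookie headers, as a web server would see them.
SAMPLE_REQUESTS = [
    ("198.51.100.10", "session=" + "a" * 32 + "; basket=42"),
    ("198.51.100.11", "session=" + "b" * 32 + "; basket=7; unknown_uid=x9q2"),
    ("198.51.100.12", "basket=not-a-number"),
]

if __name__ == "__main__":
    for client, header in SAMPLE_REQUESTS:
        line = audit_log_line(client, header)
        print(line or f"cookie-audit client={client} ok")
```

Run it in log-only mode first: legitimate third-party tools you have deliberately embedded will also show up as unknown names until they are added to the registry, so review the findings before turning them into alerts or into statements in your privacy policy.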
*What you can do*
If you are concerned about BT profiling the users who visit your website,
potentially breaching copyright, and using this data to advertise to your
competitors, write to BT Retail's legal section and tell them that you consider
profiling of this kind is legally actionable:
Chief Counsel Commercial Law (Consumer),
BT Retail,
BT Centre, pp B8D,
81 Newgate Street,
London,
EC1A 7AJ
Write to your MP with your concerns. You can write a letter online by using this
website:
Sign the 10 Downing Street Petition as a private individual:
http://petitions.pm.gov.uk/ispphorm/
Thank you for your time!