Three major UK ISPs apparently are in advanced talks with a company called
Phorm, intending to let Phorm monitor all unsecured web traffic to and from
their users. The expressed intent is to offer an “improved browsing
experience” through better targeted web advertising, and anti-phishing
protection – thereby “improving” one's internet security. One, BT, has
already trialled the system.
The ISPs and Phorm are remarkably coy about the system, and Phorm in
particular appears to have offered inconsistent explanations of how it all
works. However, it does appear clear that this system provides access for a
private company to an unprecedented amount of data that even the UK
government is not permitted (at least without a court order). Phorm promise
faithfully not to record information such as bank details or telephone
numbers.
Phorm claim the data is summarized and anonymized; regular readers of RISKS
will I'm sure be aware that true anonymization is exceedingly difficult -
and in fact this scheme would give ready access to identities should anyone
take the trouble. Quite apart from being a breach of trust by the ISPs
involved, it appears to drive a coach, horses and a whole army through
protection offered by assorted UK legislation, including the Data Protection
Act, Computer Misuse Act, Regulation of Regulatory Powers Act, etc, etc. It
will if nothing else provide a central point for cracking to obtain
information about these ISPs' users.
Simply put, three of the UK's largest ISPs (Virgin Media, BT and TalkTalk) have decided to sell your private browsing history to an advertising broker. Yes, the entire list of every web page you visit gets sent to Phorm (the broker) in real time, as you click, so they can send you 'targeted advertising'. Naturally the ISPs are not too keen on telling their users this; they'd much rather feed us all platitudes about how it'll help combat phishing and how the targeted adverts will be so much better than the random ones we see today.
BT’s servers were secretly passing data on subscribers to its “new” advertising partner as long ago as last summer.
“The issue is that these ISPs have signed deals to allow a third
party unfettered access to ALL of your web browsing,” wrote clanger9 on
the Guardian's Technology blog.
“Not just the URLs, but the
content as well. The fact that they use this data to provide 'targeted
advertising' and claim to discard it afterwards is irrelevant. All your
browser content, webmail, forum postings, everything is being analysed
by servers owned and controlled by a third party.”
A leading expert on computer surveillance has raised serious doubts over the legality of deals by BT, Virgin Media and Carphone Warehouse to sell their customers' web browsing data to Phorm.
The proposed system has been mentioned in passing in the media – who
in the main regrettably seem to have accepted without further investigation Phorm's
assurances that there's no privacy issue. They've not even noticed that the
so-called “opt-out” won't stop the data scanning, just the ads.
Oh, did I forget to mention Phorm used to be 121Media, of rootkit and
PeopleOnPage fame? And involves servers outside the EU, in China in
particular?
The final word here. Even IF it might just scrape through the legal loopholes, it is morally wrong and will find little support from ISP customers. I think the final word should come from a commenter who said 'ISPs – put down this can of worms and back away slowly'.
References:
http://www.phorm.com/isp_partners/
http://www.oix.com/index.html
http://www.badphorm.co.uk
http://www.pcmag.co.uk/vnunet/news/2211959/open-rights-group-raises
http://www.theregister.co.uk/2008/02/29/phorm_roundup/
http://www.techdirt.com/articles/20080218/024203278.shtml
http://www.guardian.co.uk/technology/2008/mar/06/internet.privacy/
(and note that the Guardian has signed up with Phorm for the
targeted ads scheme)
http://www.theregister.co.uk/2008/02/27/bt_phorm_121media_summer_2007/
[BTW this issue affects Virginmedia, BT and TalkTalk in the UK - around 10
million people iirc. Other ISPs are waiting to jump on the bandwagon.
TalkTalk seem to be back-pedalling, and may be making it opt in, although
there is still major doubt about what /exactly/ is happening.]
Hat tip: The Risks Digest
UPDATE:
This is from Phormwatch, which is collecting details of ISPs, advertising agencies, websites and advertisers using this technology.
List of participating websites and advertising agencies