BT’s (Phorm’s) argument is that if you allow Google to scape your site to appear on Google’s search engine, their definition is that you must also want Phorm to also scape your site. Therefore you can either block Phorm and Google or you must accept both. Phorm / Webwise refuse to have their own User-agent for you to specifically deny.

Google drives traffic to your site but unless you are already a member of the OIX, Phorm will drive traffic away!!!

The other method is that you send your site details to BT and if you can prove you are the site owner and include your personal details (problematic sometimes) they will filter out the site for you. This is not an opt in mechanism it is an opt out. (Can all the worlds websites be aware of this fact and opt out if necessary?)

There is also evidence about that when this web site opt out mechanism is requested by a website owner, the (opt out) site is visited by a multitude of strange bots shortly afterwards and the site mysteriously gets scraped anyhow.

Well – for what google does – I think we all know that. For the source on what Webwise does, I suggest the Phorm web site or any article written by someone from Phorm. That is the whole point of the OIX network. Webwise profiles users browsing, builds a picture of their interests, allocates them a UID and then when they visit an OIX site, serves them targetted adverts. I don’t think that analysis is controversial or disputed by anyone – certainly not by Phorm. It is basically fairly common knowledge.

The objectionable part as far as I am concerned as a website owner, is that OIX is using the data gleaned when the Webwise user surfs MY site, to gather information about their interests. Then when they visit an OIX site, they get adverts for my OIX linked competitors, based on what Webwise gained by copying and scanning MY content while they were on MY site.

My other objection is as a customer of an ISP currently trialling this system. My ISP use DPI to inspect my packets, intercept my browsing without consent, and check my cookies, so that they can determine whether I am a Webwise user or not. All this happens without my consent, and while I am trying to browse to a site such as the BBC site. If that illegal interception decides that I am NOT opted IN to Webwise or haven’t got a cookie for it, then instead of me getting the BBC page, my ISP decides without my consent to hijack my browser’s request for the BBC page and give me a Webwise invitation instead.
If I refuse that invitation then my ISP STILL intercepts my browsing, still redirects my browser requests, still profiles my surfing, but does not pass on the results to Phorm. I have to retain an opt-out cookie or I will get the Webwise invitation again (whether I consent or not), and only by blocking all Webwise cookies can I prevent that page coming up again. But I CANNOT prevent the interception and redirection and inspection of my packets for the purpose of the profiling.

All this is agreed technical stuff. It shouldn’t really be necessary to have to explain it all – as all parties agree on the details. The dispute is on whether it is illegal or not. I say it is. My ISP say it isn’t. They would of course, they are the ones doing it, without my consent.

If I opt-IN to Webwise then the final bit of the jigsaw falls into place – the results of my ISP’s interception, inspection, redirection, cookie setting and cookie forging and profiling is passed to Phorm, so they can allocate me a Phorm user identity, and allocate me an advertising channel, and serve me OIX ads when I visit OIX related websites. But that final bit is the ONLY bit I get to control. All the stuff that my ISP does is done without my consent, whether I am opted in or out. This makes Webwise unique amongst the various behavioural targetting systems – it uses this interception and redirection by the ISP, and the user cannot prevent it happening even if they opt out of the actual ad serving end of the equation that Phorm operate.

@JHorb do you have a pointer to a trusted source on that? Would be an interesting piece of the puzzle.

1) Google benefits web sites by attracting users. Phorm benefits competitors by using the content of web sites visited to decide to serve up ads for competitors who are signed up to Phorm.

On DPI – I don’t agree with your definition of DPI, but putting that to one side, if I took it, then there are definitely other players doing similar things (which was a point that came up during the discussion). That doesn’t make it ok, but it does mean there should be a broader discussion about the techniques and who is using them. The BT+Phorm case will hopefully serve to bring more out into the open.

With regard to the early days of web caching technology, which also ran in to the issue of copyright, that is an entirely different issue.
S.28A of Copyright, Designs and Patents Act 1988 specifically allows the making of temporary copies of webpages in order to view them – this allows your web browser to show a site on your screen. However, there is a limit to this right.

Phorm’s webwise technology is purely for financial gain – serving of advertisements – therefore it cannot be exempt under S.28A of the Copyright, Designs and Patents Act 1988

Again, the evening and the wasn’t specifically about Phorm (I notice no-one has mentioned the other players) and it didn’t aim to be technical. It was about the business and marketing issues (hence IAB there). I suspect we’ll see more regulation of the Internet marketing space in the future, but it is early days.

With regard to comments about copyright, I suggest people check out the early days of web caching technology, which also ran in to this issue.

There are a sea of issues to be tackled with regard to this technology – the arguments and counter arguments are not converging. For people who want to know more, there are plenty of links to follow here, and there are better places to discuss specific companies.

It is good to have a taste of the debate, and people can and should check out the issues for themselves – that was the point of the NMK session and of this post.

the ‘agreement’ process has no effect on copyright, and very little effect with respect to interception.

The reason being the user does not own the copyright work they see in a browser, and cannot grant Phorm or BT (or anyone else) a licence to copy it and process it.

Take this blog for example. I don’t own it (you do at a guess). I can’t grant Phorm or BT (or anyone else) a licence to copy it, because the copyright belongs to you. You have the exclusive right to make copies & adaptations of your work, and the right to licence others to use your work. Without a licence, they have no right to hold a copy (hence copyright infringement).

Similarly, users might consent to interception, but they can’t represent the web site with which they are communicating. So interception is not lawful. Its hard to imagine any situation where any online business would consent to private communication interception when it would support competitor’s advertising.

The Crown Prosecution Service are currently considering a case against Phorm & BT. You might want to keep an eye open. Copyright infringement and unlawful interception were among the complaints included. The European Commission are also actively following the case; the trials in 2006 and 2007 contravened Article 8 of the European Convention on Human Rights (‘Everyone has the right to respect for his private and family life, his home and his correspondence’).

Pete.

ISPs are full of black boxes – routers, firewalls. Shouldn’t the same apply to them?

@Pete is CORRECT these DPI Systems DO have the Capacity to “scrape” WEB Pages!
(Look at the Leaked 2006 Trial Document!)

The “Mirroring” System is exactly that the “Whole of the WebPage” & the Users Inputed Data is processed for Keywords!

You also need to look at the Details of the Current BT Trial.
The so called Unavoidable WebPage the Triallist is presented with is a “Browser Hijack” the Profiler has to be sending it so even before the Triallist has given permission the Triallists Web Surfing has been connected to the Profiler via a Layer 7 Switch & will remain there until the ISP/Phorm System decides not to include the Triallist in the IP Pool.
(Whether or not the Web Surfer accepts the Offer?)

Not Really a choice is it for either the Web Surfer or the Websites Visited.

I am still waiting after 9 months to see if ANY INDEPENDENT Security & Privacy Audit has done on this Profiler!

It is Gifted to the ISP by Phorm, but the Source Code is CLOSED SOURCE & Upgradable Online by Phorm.(See the leaked 2006 Trial Report for those details).

What is a “Black Box” Apparently Programable by a “Third Party” doing INSIDE any ISP.

In the case of BT it also has Critical National Communications Security Implications!

On the copyright piece, that has definitely changed with the new agreement process. We’ll see what the courts rule, however rulings based on the first BT trial may not even answer the question, since the sign up process has changed since then. If there a legal ruling you can point to re: 2006, 2007. Would be good to cite.

It is absolutely 110% accurate )

Ask Mark Burgess of Phorm;

narcosis(Q) If the keyword analysis process is offline then in order to scan for keywords would you not have to have a copy of webpage in order to analyze it offline ?
MBurgess(A) Yes, a mirrored copy is analyzed.

Phorm uses DPI to make a literal copy of private web page transmissions, without a copyright licence, and without consent to intercept private communications from both parties.

What Phorm or the ISP then do with the data they get from their process doesn’t make any difference. It is still illegal to operate in the UK. And it was illegal in 2006 and 2007.

@bluecar1 and Pete I agree with you on the issue of ‘trust’ and that was a big part of the discussion. Either the IAB or a regulator needs to oversee/validate what is going on.

On the DPI piece, I think you are using a looser definition, which (for me as an Internet Technologist) is confusing. DPI is generally carried out with dedicated processors at high speed. That contrasts with Application Proxies. They are different sorts of technology. DPI tends to be more passive than an application proxy.

@P I read those papers during my research (and many others have cited them). It just looks odd that they are on a site with nothing else.

@Jonah please read the article, then read the work of Ian Brown of the Oxford Internet Institute (he has done a good job of creating reasoned and accurate arguments against form). The surfer accepts and agreement before using Phorm (at least in the current trials – as I understand it, BT did not do this in the initial trials).

Form the record, I am not a supporter of Phorm, but if regulation is going to be effective, reasonable argument that is supported by facts will be key. Inaccurate assertions just dilute the credibility of the arguement. This is an important debate, although no one has touched on how this will work in the business environment, or how it should be regulated.

WEB USER|DPI PROFILER| WWW (Any Website)
|DPI PROFILER| OIX/PHORM/WEBWISE SERVERS!

Neither the Web Surfer NOR the (WWW)Website has direct contact, the Profiler is handling it ALL!

**Note the Third Party Contact:-**
Call it “Illegal Interception”, a Man in the Middle Attack or a Browser hijacking but the result is the same due to the Equipment in the ISP all the Web Surfers & Websites data is being read & used & if misused or compromised that Entire ISP Customer Base “could” be compromised!

With due respect, you seem to have missed the point regarding interception of copyright material. Yes, if you run a web site AND have signed up to Phorm (OIX), then you can be said to have agreed to have your content intercepted and analysed. The issue with Phorm AKA Webwise is that ALL websites visited have their content intercepted and analysed for the benefit of the few who have signed up to Phorm. THAT is what is so unacceptable.

I’ve no idea, I’m not associated with either the University or Dr Clayton.

Phorm know they exist, they helped write them, did they not tell you they exist?

I suspect they didn’t as the analysis concentrates on the interception techniques, which is something Phorm appear to be keen to deflect attention from. This interception is what is happening within the ISP. It’s currently known as Webwise, specifically BT Webwise for BT, who are running it at the moment

Phorm certainly does use DPI. I guess that’s perhaps where confusion might arise. Perhaps you were unaware that they were using DPI equipment?

“I think you aren’t getting how the commercials work. Phorm requires both the end user and the advertiser to sign an agreement. ”

Phorm works by intercepting the communications between any and all web sites and their customers/visitors, with or without the consent of the web sites.

Phorm then makes a literal and unlicenced copy of the web pages that pass through the ISP, before processing them to create an adaptation (a keyword summary/url/user id bundle), then selling the marketing intelligence so gleaned through this ‘industrial espionage’ to advertisers.

It is not lawful interception at all. That would require the consent of both parties to the communication, and copyright licences from every web site on the net to avoid civil (and potentially even criminal) liability.

Have a look at the FIPR site. Nicholas Bohm (FIPR lawyer) did a very detailed and careful analysis of the legality of interception, and copyright with respect to Phorm. He concluded Phorm was both illegal interception, and a violation of copyright.

I notice you have a copyright statement at the bottom of your page. Good idea ;o)

Were you also aware that Phorm have operated this DPI kit twice already, in 2006 and 2007… profiling tens of thousands of people without their knowledge or consent, and intercepting the private communications between those people and the web site they used?

I agree that there is no interception when the website is hosting the OIX script as the action of hosting the script shows their consent to the web page being used and modified to display adverts. If the only pages that were intercepted were those hosting the OIX scripts then there would be no argument about copyright infringement. 99.9% of sites do not host the OIX script yet the DPI system makes a copy of 100% of port 80 traffic which is then analysed to form the basis of the profile channel analysis.

Don’t you think that there is a little industrial espionage happening here?

Advertisers using the OIX system can target YOUR web page. If you are selling widgets for £x they can list a few keywords and URLs which they know are advertising your widgets and then display an advert for THEIR widget at a discount. Is it right that your competitors should be able to target YOUR widget customers in this way?

Who visits YOUR web page should be confidential to you. Hackers are forever looking for log data so that they can sell this very information. The Phorm/Webwise system is making this data available, in real time, to whoever wants to pay for it. It is a hack, it is a theft, it is copyright infringement. It is the worst thing that can happen to any eCommerce site who has paid a lot of money to bring a potential customer to their widget page.

With the DPI system hosted within the ISP network there is no means whereby the ISP customer can opt out nor can website owners escape having their visitor data harvested. There is no opt-out for anyone and that is the problem.

If all Phorm was doing was offering a better system than that provided by omniture, 2o7, doubleclick, AOL and its various systems, the many others using similar IP/cookie/browser systems and the search engines then it would be just another annoying system to block in the hosts file and reject the tracking cookies. If that were all Phorm/Webwise is doing it would not be seeing any more negative publicity than any of these other systems. And they would be fighting the same battle these other systems have with regard to their offering an opt-out cookie for people who don’t want to be tracked.

If you block the Phorm/Webwise tracking scripts through the hosts file, access to the internet is no longer possible if you are using an ISP hosting the Phorm/Webwise DPI system as has already been discovered by those few people who have suddenly had the Webwise invitation page appear in their browser because their IP address has been rotated into the current Webwise trial and decided to block the browser hijack URLs.

And that is the big issue: Phorm/Webwise breaks the internet and its long established systems. It uses the vists of a web site’s own customers to infringe copyright. Phorm/Webwise is a parasite. Like many parasites it makes itself look attractive to hide its true nature and to woo unsuspecting hosts to help spread its infection around.

You are right in so much that Phorm are not DPI. Phorm is a company that designed their Webwise technology to perform interception of http data at ISP’s to ultimately create profiles for the users they claim they can target with so called relevant adverts.

Webwise operation is no different from the postman opening up all your mail, scanning the whole letter and scanning for predetermined relevant information to be used at a later date. I am sure you are already aware of this.

What about the 10,000 people that are currently supposed to be intercepted currently by BT using their Webwise DPI interception technology? Is that a small scale DPI?

You seem to go to great lengths to promote Phorm as a general advertising company. Does that description sit more comfortably on a whiteboard?

I notice you do not mention anything about 121Media’s past. I would be very interested in your view of the difference between the end objective of 121Media then, compared to the end objective of Phorm now, from an online advert viewpoint.

that is from the users perspective, i am not a privacy group i am writing here as a webmaster and BT broadband customer, yes i post on nodpi, yes i am vocal regarding phorm, but no i am not against behavioural targeted adverts in principle, just when a business model like phorms webwise product being trialed by BT, invades my relative online privacy by looking over my shoulder at all my unecrypted (port 80) web traffic and then analysing it, with my webmaster hat on i object to phorm ignoring my terms of use and copyright as they are not the requestor of the page, them not giving me a robots.txt directive specific to phorm and using my content for their commercial gain to direct my visitors to a competitors website via targeted advertising

yes i also care about where and what data is held, if you have been following the whole story regarding phorm you will have seen the merry dance phorms DNS records have been following to and throw across the atlantic between fasthosts, planet and various other hosting sites, and along with other been documenting this information

i also do not trust phorm to hold no personally identifiable data on myself or my family, as there is no way they can claim to remove 100% of the PII from their systems

also there appears to be an issue with the statement they make about we don’t know where you have been on the net, if you goto http://advertising.phorm.com/ follow it through and then click on “online ad reveloution” onthe 3rd slide it says” these rules are called ‘channels’ and are made up of keywords and URL’s” on the forth slide it goes on to show how an advertisier can specify that for an advert to be shown an advertisier can specify a number of URL’s that the user has to visit in a set period of time

how can they offer that service without tracking a users history and keeping the URL data? so what other direct conflicts of statements issued to advertisers and web users are there?

also if you analyse channels and how they are created, you find some curious statements about data gather and data used, you find that wording about banned channels does not explicitly say banned data is collected , just that channel are not allowed to be created in banned categories, such as guns, sex, medicines etc allowing for mission creep later

there is much wrong with the phorm DPI / ISP level model, and it would be wrong to tar all behavioural advertsisers with the same brush

as i have said , i am not against behavioural targeted adverting as carried out by many respectable agencies, only what i and many others see as a privacy invading, and potentially copyright and interlectual property rights breaching system called phorm / BT Webwise where there is no way for anyone to verify what the system is doing with THEIR DATA

peter

“I think you aren’t getting how the commercials work. Phorm requires both the end user and the advertiser to sign an agreement”

so where is the agreement of the website? phorm claim presumed consent as it is not practical to contact every website? so why do phorm require every website to contact them to opt-out (there it is again opt-out not opt-in) how does a foriegn website know they need to opt-out?

“So your copyright comment is spurious. While you are right that some content is funded through other means, the vast majority is funded by ads, or (As you say) product sales – either directly or via affiliate schemes. ”

i think you over estimate the level of sites that reqiure advertising to survive, as opposed to sites that use advertising as a mean to generate a small amount of extra revenue (the fabled long tail or 80% of sites under the 80/20 rule often quoted)

“None of the discussion touched on using DPI. I don’t think there is a DPI technology that would work at scale yet, but I am sure it is only a question of time. I wouldn’t say Phorm was DPI based”

phorm does use Deep Packet Inspection, first the layer seven switch inspects the header block of every packet and routes packets based on the destination port in this header block

secondly port 80 traffic is then passed to the profiler where the packet of data is examine in detail and the data block scanned for keywords etc

that is as near to perfect definition of DPI as you will get and exactly how phorm / webwise work

peter

@Bluecar1 You need to do some reading on how these systems work. If you are using SSL, your traffic is encrypted and a man-in-the-middle box can not read it.

The more important issue is: What information is stored (and for how long) and is it traceable to an individual user. Another question is where the data is captured. Is it in the home country (and under UK law), or is it non-domiciled. Privacy groups should be campaigning hard on those issues.