The (almost) complete FAQ

THIS IS A WORK IN PROGRESS. (updated)

Please use the comments to add any questions/answers you feel are relevant and not already covered. The bulk of these questions have been lifted from a recent thread in the Virgin Media newsgroups.

1) Will Phorm be able to see/use HTTP requests for content such as images embedded in HTML email I view in an email client such as Outlook?

Potentially yes. Phorm will have access to all HTTP traffic in at least one of the implementations seen to date.


2) Will Phorm be able to see/use web services/SOAP messages used by applications like iTunes, Windows Media Player, Google Earth, remote desktop, and instant messaging clients?

As with Q1, yes they will. Phorm claim to restrict the data they capture using a whitelist of user-agent strings, which should avoid most data of this nature being captured.

3) Will details of my HTTP activity be sent to Phorm, even if I opt out?

At present this is unclear. There are a number of possible implementation scenarios for the Phorm system: in some, all data is passed to Phorm at all times, while in others this may not be so. Phorm have said that data will not be sent to the Phorm system if you have opted out; however, this appears to be contradicted by other reports (e.g. the BT diagrams obtained by The Register).


4) Will the 'opt out' cookie expire? If I flush my cookies, will I need to 'opt out' again?

Yes.


5) If I use a browser, or HTTP client application which does not accept cookies, will I be unable to 'opt out'?

Yes; however, the cookie will be re-set by Phorm (using a different random ID), rendering the browsing profile created of very limited value.

6) If I use a web mail or forum application, like HotMail, Slashdot, Yahoo Groups, or Virgin Webmail, will Phorm be able to see/use the contents of the emails/messages I read?

Phorm have stated they do not capture the contents of webmail; however, they did not provide any detail on how they are able to differentiate between a webmail page and a normal page. Without clarification of this it is difficult to see how Phorm can avoid capturing webmail contents.

7) Doesn't Phorm contravene RIPA?

There is some debate about this. Some opinions suggest that Phorm's technology amounts to unlawful interception of communication data (an offence under RIPA). A leading expert on computer surveillance (Professor Peter Sommer, LSE) has given an opinion to this effect which has been published by The Register (http://www.theregister.co.uk/2008/03/04/phorm_ripa/). Phorm claim to have sought advice which contradicts Professor Sommer's opinion.

8) Doesn't Phorm contravene DPA?

Again, this is unclear. The crux of the argument is whether browsing profiles constitute personal data in the terms of the Data Protection Act. This will need to be decided by the Information Commissioner or by a legal test case. Phorm have claimed that they have received advice that their system does not contravene the DPA.

9) Doesn't Phorm contravene Human Rights legislation?

That's a question for a lawyer - the Human Rights Act is a very complex piece of legislation with a very broad reach. It would require an expert to render an opinion and most likely a test case to validate it.

9) Will Phorm see/use personal information if that personal information (such as a name or address) is displayed on the web pages of a web application?

Phorm claim not to; however, it is very difficult to see how this can be differentiated from normal page content, as there is no standard way to present a name or address on a web page. General consensus so far is that Phorm should be assumed to have/use all information on any web page until they can prove otherwise.


10) Will any data gathered be sent to China or the USA?

Phorm have stated that all data processing will take place within the source ISP's network.

11) Isn't this simply a man in the middle attack?

By the formal definition, no, since Phorm are neither stealing data nor injecting false information into the data stream. Depending on how the connection to the network is made and the capabilities of Phorm's equipment, it could however be used to facilitate a man in the middle attack should the security of Phorm's systems be compromised.

12) Where can I see how Phorm integrates into my ISPs network?

http://www.theregister.co.uk/2008/02/29/phorm_documents/ has details for the BT implementation. So far these are the only implementation diagrams found on the web.

13) Where can I find the Ernst & Young audit report on Phorm?

http://www.phorm.com/user_privacy/EY_Phorm_Exam.pdf Bear in mind this audit was carried out against US privacy standards, considerably less stringent than those of the UK or EU.

14) Where can I get details of the rootkit developed by another company founded by Phorm's CEO?

You'll find full details of the PeopleOnPage rootkit here:
http://www.f-secure.com/sw-desc/peopleonpage.shtml

Comments

Webwise Fiendish 18 Mar : 01:15
When I go to webwise to opt out of Phorm I get this message:

"Webwise is not available in your area, so it is not possible to switch on or off."

Does this mean I can never opt out???

I'm with Virgin Media and I live in London so hardly in a tiny remote area...