Dear Friends,

By now, you will probably have heard about a company called Phorm, which is run by a person whose name is Kent Ertugrul. Kent Ertugrul used to be the CEO of another company called 121Media. 121Media were responsible for writing a piece of software which antivirus companies such as F-Secure classified as malicious Spyware.

Phorm has more recently developed a system called 'Open Internet Exchange' (OIX). This system is tightly integrated with the network infrastructure of participating ISPs, and intercepts all the browsing data from customers as they surf the web. Naturally, many people in the Internet community are concerned about this development because of the privacy and technical implications of how it is implemented.

This letter will not cover in-depth the privacy and technological implications of OIX technology from a customers point of view. If you wish to have a better understanding of how this technology works and all the issues it raises, I refer you to the following websites:

http://www.inphormationdesk.org/

http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/

http://www.fipr.org/press/080423phorm.html

We would like, instead, to address some of the issues which may arise from the point of view of businesses who have an Internet presence and run their business on-line. We believe that Phorm's OIX technology has serious implications for on-line business which may affect them financially and legally.

Phorm's legality called into question

Firstly, it is important to note that the legality of Phorm's adware system is not entirely certain, and businesses which adopt this technology may potentially be at the receiving end of legal action.

Some security and other IT experts and professionals consider Phorm's adware technology to be of dubious legality. Richard Clayton, Security expert and Cambridge professor said this, after reviewing the Phorm system in March:

"Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000."

http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/


Nicholas Bohm, General Counsel for the Foundation for Information Policy Research, said:

"We now know that BT have already conducted secret trials of this technology, testing the effectiveness of snooping on their customers' Internet activities. They claim to have received extensive legal and other advice beforehand, but have failed to give the reasoning on which this advice is based.

"As we pointed out in our letter, the illegality stems not from breaching the Data Protection Act directly, but arises from the fact that the system intercepts Internet traffic. Interception is a serious offence, punishable by up to two years in prison. Almost incidentally, because the system is unlawful to operate, it cannot comply with Data Protection principles."

http://www.fipr.org/press/080406phorm.html


Amidst a very public controversy and a consumer backlash, in July, the EU Telecoms and Media Commissioner Viviane Redding sent a letter to the British government asking it to clarify whether or not Phorm complies with EU privacy laws.

The British government was given until the beginning of August 2008 to respond. The deadline has since passed, and as of mid August, no response has been forthcoming.

http://www.itpro.co.uk/605220/eu-questions-uk-government-on-phorm


Phorm's adware technology may make you lose customers and revenue

Let's say that you have an on-line business that sells widgets. When someone who has not opted out of Phorm's adware technology visits your site, Phorm will profile the keywords on your website and will add certain keywords (such as 'widget') to a profile associated with that person. Phorm now knows that person is interested in widgets. When that same person visits a website which is using Phorm's advertising system to serve ads, he is likely at some point to see an advertisement for widgets being sold at your competitors' website.

You will have worked hard to market your widget site. How many thousands have you spent on designing the site, writing content, improving the search engine optimisation (SEO), marketing and advertising? All that money spent on getting your site and product ranked high in the search engines results (SERPs), natural or paid, can now being used by some 3rd party to promote YOUR competition and to display THEIR adverts to every one of your hard earned visitors.

When a person is searching for a product they will not usually impulse buy from the first site they visit. Even when your page contains all the necessary calls to action, less than 20% will convert. The better your site, the more it will have encouraged a person to buy something like your product.

Half an hour later, your visitor may be visiting a site with nothing do to with your widgets. Suddenly their eye will be caught by an advert offering a similar product - maybe even selling the same product you are selling. They have had half an hour to think about buying and click to continue their research into whether or not to buy the product.

You have done the hard work of investing in selling the product. Someone else comes and taps them on the shoulder and gets the sale. At least, that is the selling point of the OIX system.

It does not matter which system you invest in to bring visitors to your site: if you do not convert the visitor when they arrive, within the very near future they will be offered the same product on another site. Your site content has been harvested and is being used to sell someone else's product.

Copyright issues

The content that you create for your business web site is valuable. The value is enhanced by the effort your company invests to describe, present, and promote your products and services more effectively.

Your content is protected by copyright law.

The data associated with the transactional services you offer your customers, such as keyword searches, shopping baskets, and quotation/enquiry forms, is particularly commercially sensitive.

BT, and Phorm, are exploiting that valuable copyright and commercially sensitive content of online businesses. The financial beneficiary? BT, Phorm and OIX advertisers... and through them your competitors. BT and Phorm are, in effect, using your content to create demographic profiles of your customers. Phorm have no legal right to snoop on it, intercept it, redirect it or profit from it.

The valuable content on your commercial web sites should not be used for this purpose without your consent (and your customers consent).

But it will be if Phorm/Webwise is implemented by BT.

Your website's privacy policy

In order for Phorm's adware technology to keep track of web surfers across the net, it forges a cookie so that it appears to come from a website which has already been visited by the person surfing the web. This appears to be illegal:

"Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990."

http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/


The implications of this for your website is that you cannot be certain how cookies, which will appear to come from your website, will be used and what information they contain. Even if you do not use any cookies, users may nonetheless be presented with a cookie which appears to come from your website. This may contradict your privacy policy and web surfers may feel their trust has been violated.

People do not do business or hand over credit card details to websites which they cannot trust.

What you can do

If you are concerned about BT profiling the users who visit your website, potentially breaching copyright, and using this data to advertise to your competitors, write to BT Retail's legal section and tell them that you consider profiling of this kind is legally actionable:

Chief Counsel Commercial Law (Consumer),
BT Retail,
BT Centre, pp B8D,
81 Newgate Street,
London,
EC1A 7AJ

Write to your MP with your concerns. You can write a letter online by using this website:

http://www.writetothem.com/

Sign the 10 Downing Street Petition as a private individual:

http://petitions.number10.gov.uk/ispphorm/

Thank you for your time!