BT Phorm trial leak rekindles row

BT Phorm trial leak rekindles row

Summary: Documents leaked of a 2006 secret ad-serving test show BT should be prosecuted, argues a University of Cambridge security expert, though BT says it is perfectly legal

TOPICS: Networking

The appearance of a leaked document about a test of ad-serving technology performed by BT in 2006 has led to calls for the company to be prosecuted.

BT confirmed to on Friday that the leaked documents were genuine. The documents give details of a test between September and October 2006 of 18,000 BT customers which trialled ad-serving technology by 121Media, which has since become Phorm.

The documents show BT customers were not made aware of the tests, and that their web traffic was being intercepted, according to Cambridge University computing expert Richard Clayton, who called for BT to be prosecuted.

"This appears to document a secret trial snooping personal traffic, processing data, and serving up adverts without anyone's consent," said Clayton. "BT should be prosecuted, as it seems they committed a criminal offence."

The BT document states: "The trial involved approximately 18,000 users with a maximum 10,000 concurrently active on the system during the network's peak period, and was operated on a 24/7 basis. All users were unaware they were participants in the trial."

As BT had not obtained permission from users, website owners or search companies to redirect data, Clayton argued BT had intercepted the data illegally under the Regulation of Investigatory Powers Act 2000.

"Under the Regulation of Investigatory Powers Act, you need permission from both ends of a communication to intercept," said Clayton. "BT was snooping on traffic to see which keywords were in it, in the system they describe."

Technical details of how the ads were served showed users were assigned a unique identifier, and the identifier's browsing habits were observed. Clayton argued that tracking a unique identifier (UID) browsing for cars, then serving up a car insurance advert, was "personal data" being processed, and therefore contravening the Data Protection Act.

"It's breaking data-protection principles for a user to be unaware of that process," said Clayton.

BT on Friday said it sought legal advice before initiating the tests, and insisted no personal data had been processed.

"BT can confirm that we conducted a very small scale technical test of a prototype advertising platform in 2006," stated the company. "The test was specifically conducted to evaluate the functional and technical performance of the platform. Absolutely no personally identifiable information was processed, stored or disclosed during this trial."

BT added that it was planning to conduct a technical test "soon".

Topic: Networking

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Phorm/Webwise/ISP commercial piracy ,why wont you authorise the comments

    iv submitted comments as regards this news item, iv also been told that several other people have tryed to submit coment but to date they have not been published and linked into this story, WHY?

    are you trying to subvert the Anti Phorm comments for some unspoken reason?

    to re state the facts as they are known at this time

    Deep Packet Interception On YOUR Broadband wire.
    Kent and his payed top 5 PR teams/3rd partys are very fond of trying to bring Google into disrepute, however while Google may offer you many free and Personally useful Options in return for your Informed and Explicit Consent to use YOUR datastream WHILE you're using these services,
    BT and Phorm/webwise are doing something totally different, its not rocket science, read up on it "Deep Packet Inspection/Interception".

    in effect , your paying your ISP for a Broadband connection, and (in this case) BT are accepting free Deep Packet Interception kit from Phorm to wiretap that paid-for Broadband connection to intercept your datastream and that of any website owners copyrighted content for profit.

    This DPI kit sits directly on the other side of your Broadband wire, and YOU can NOT stop each and every bit of your data being pushed though that DPI kit, that is then collected, processed and finally then ,and only then, anonymised, or thrown away as its deemed to contain no valuable data to their profit line at the time.

    the part no one wants to talk about OC, they will be collating all this data in to an
    unlawful derivative work.

    and they will not be paying a single penny to the owners of that copyrighted data for the use of that or the unlawful derivative work made from it.

    under UK and EU law (and US law i assume), an "unlawful derivative work" is made without consent of the website content owner, or the ISP end user (should they refuse to take part in any trials, their datastream is still collected.and processed at the DPI, but dont then get sent and see the ads onscreen) for commercial profit, and without paying you any due fees then owed for unlawful use of your data property.

    apparently these are some of the laws broken by not getting Express/Explicit, and informed consent of both parties (end user AND the website content owners)or paying the profits of this unlawful derivative work to the owners of the content.

    Regulation of Investigatory Powers Act 2000

    Privacy and Electronic Communications (EC Directive) Regulations 2003

    Computer Misuse Act 1990

    Torts (Interference with Goods) Act 1977

    Copyright, Designs and Patents Act 1998 (see derivative works)

    Data Protection Act 1998 (IP addresses are legally defined as personally identifiable data)

    this basic laymans copyright might be helpful to outline the problems BT have placed themselves in during the prior trials without getting consent.

    and dont forget many websites already have explicit terms against commercial use of the sites webpage content in their notices, potentially including this very site infact.

    you, and indeed any BT executives or Employees might want to be sure to read and understand these two parts as regards commercial piracy of copyrighted works such as the website content owners and the unique datastreams of the end users
    107 Criminal liability for making or dealing with infringing articles, &c (1) A person commits an offence who, without the licence of the copyright owner?
    (a) makes for sale or hire, or
    (b) imports into the United Kingdom otherwise than for his private and domestic use, or
    (c) possesses in the course of a business with a view to committing any act infringing the copyright, or
    (d) in the course of a business ?
    (i) sells or lets for hire, or
    (ii) offers or exposes for sale or hire, or
    (iii) exhibits in public, or
    (iv) distributes, or
    (e) distributes otherwise than in the course of a business to such an extent as to affect prejudicially the owner of the copyright,
    an article which is, and which he knows or has reason to believe is, an infringing copy of a copyright work.


    110 Offence by body corporate: liability of officers (1) Where an offence under section 107 committed by a body corporate is proved to have been committed with the consent or connivance of a director, manager, secretary or other similar officer of the body, or a person purporting to act in any such capacity, he as well as the body corporate is guilty of the offence and liable to be proceeded against and punished accordingly.
    (2) In relation to a body corporate whose affairs are managed by its members ?director? means a member of the body corporate.
  • Sorry you've been having problems posting

    Apologies for the difficulties you've been having posting a comment to Phorm stories. I took a quick glance at your account record, but I can't find a record of previous posts. To sort this out, would you please drop me a line at to tell me when you made the missing post and which browser version you are using? Also, did you submit the post before or after you clicked on the email to confirm your membership? Let me know, and I'll look into the problem.
    Karen Friar
  • thanks Karen

    thanks Karen, it seems to be fixed now and i can post (it was after register confirm) , i covered most of the information i washed the readers to see and know about to get a fair and balanced overview, and i must apologise for coming across as a little irate, that was not my intent.

    some new quotes from other news sources have come to light BTW, perhaps the news team can find the time to really dig down to the real facts and the timelines of the case.

    the point im trying to get the confirmation on is if the Phorm company did infact really meet with the senior ICO official when this 2006/2007 before launch, then how come someone in the ICO
    DID NOT tell Phorm they needed to be on the register to have any access to any potentially personal data etc.

    dont just ask the question, really push it to get a real answer to the questions put, dont just take the PR copy...

    we already know that this so called Home Office advice was nothing like looking at the Phorm case, and mearly a hypothetical case, that MAY BE legal IF, and only IF EXPLICIT, and INFORMED consent were given.

    you can see the HO replys to the Anti-Phorm end users email questions on the Cable Forum thread, you would be wise to read that thread from start to finish as its most Comprehensive and full of potentially effected payed up end users and techs. Florence has the one that helps to clear this up ,free of ambiguities from any Phorm/BT payed 3rd party Non tech spokesmen.

    remember that Phorm DID NOT register with the ICO Data Protection Register until 30 January 2008

    search on "Phorm" here url:
    "BT's Phorm trial - the worst excuse ever
    June 9th, 2008 Barry Collins
    ' "
    BT did not discuss these trials with the ICO as they were technical in nature," the ICO claims in a statement sent to PC Pro. '

    Speaking to PC Pro this morning, Phorm spokesman Alex Laity said the company was always confident the service was lawful. "We are confident that we are fully compliant with all relevant laws," he said. "We did go to the ICO before launch, we did go to the Home Office before launch, we did do due diligence to make sure what we did is fully compliant with the law."