The Law, Phorm, and Behavioural Advertising using Communications Data


Phorm's mass surveillance is a criminal industrial espionage/personal surveillance scam. This page is an attempt to explain in layman's terms how and why Phorm's business model is illegal.

The content of this page is based on UK/European law, but other countries will have broadly similar rules.

I am not a lawyer (I'm a technologist). If you want legal advice, consult a lawyer, but my career requires that I understand and comply with the laws that govern technology and telecommunications.

For more detailed legal opinion see Nicholas Bohm's "Legal Analysis", and Nicholas Bohm/Joel Harrison's joint work "Profiling Web Users Some Intellectual Property Problems".

Where's the Damage?

Phorm is an industrial espionage and personal surveillance scam, using the content of private/confidential communications to gather commercial intelligence (or 'SIGINT').

Unlawful communication surveillance for advertising and personal profiling results in the following damage...

  • Loss of personal liberty, and freedom to communicate privately/confidentially without encryption
  • Economic damage to businesses that use unencrypted communications, particularly to present a web site or correspond with customers and suppliers via email
  • Damage to content creators through loss of income, and abuse of their creative works
  • Collapse in confidence in the privacy/security/integrity of the telecommunication network, resulting in encryption, or decreased use
  • Increased cost of business associated with encryption

Illegal Interception

In many countries, including the UK, monitoring communications on a public telecommunications network is a heavily restricted activity... usually limited to the Police and Security Services, and only when a serious crime is suspected.

That is because communication surveillance is intrusive, anti-democratic, and economically damaging.

Intercepting, monitoring, eavesdropping on, or tapping communications requires legal authority, or consent from both parties to the communication.

Phorm technology is used to monitor the Internet communications between web sites, and their visitors. The visitors are profiled, and targeted with adverts. Web sites lose trade to their competitors, as a consequence of industrial espionage.

Because Phorm don't have legal authority, or consent from both parties to the communications, they are breaking the law when they monitor communications.

UK Regulation of Investigatory Powers Act 2000

European Privacy in Electronic Communications Directive 2002/58/EC

Copyright Infringement

A web site is a creative work. It may include literary work in the form of the web page text. It may incorporate computer programs in the form of HTML and Javascript code. And very often will also include a database of products, services, or content.

Creative works (and particularly computer programs and databases) are Intellectual Property, and protected by Copyright law, requiring anyone making a copy to obtain a licence in advance from the creator.

In the UK, as in many other countries, commercially exploiting Copyright material without a licence (for example, by selling pirate DVDs) is even a criminal offence.

Because ISPs using Phorm technology make copies of the content of web sites, duplicate web pages, and sell the results of that process to Phorm without licence, they are infringing Copyright (and even committing criminal offences).

UK Copyright, Designs and Patents Act 1988


Fraud

Pretending to be someone or something you're not, for gain, is called fraud.

For example, if you telephone your bank, you expect your bank to answer the phone. But what if a crook answers the call instead, claiming to be your bank? That's a fraud.

When you request a web resource, Phorm pretend to be the web site you want to visit, in order to insert a 'phorged' tracking cookie into your web browser and/or redirect your requests to their server instead. That's fraud.

UK Fraud Act 2006

Trademark Infringement/Passing Off

Trademarks are 'symbols that distinguish goods and services in the marketplace (like brand names and logos)'. A trademark and associated reputation is a valuable asset.

By pretending to be the web sites you want to visit, Phorm are exploiting trademarks without licence... and even setting 'phorged' tracking cookies on their behalf.

Because Phorm don't have a licence to use the world's trademarks, that is trademark infringement.

UK Trade Marks Act 1994

Computer Misuse

In the UK, the Computer Misuse Act makes it a criminal offence to gain access to a computer program, or modify data held on a computer without authorisation.

During the trials of Phorm's products in 2006, 2007, and 2008, and without authorisation, Phorm interfered with the operation of hundreds of thousands of computers by covertly inserting Javascript code into web pages, manipulating the behaviour of web browsers, and causing the affected machines to store 'phorged' cookies or redirect requests to Phorm's servers.

Computer Misuse Act 1990

Data Protection

In Europe, data protection legislation prevents businesses processing sensitive personal data without explicit consent.

During BT's 'stealth' trials of Phorm's products in the UK in 2006, 2007, and 2008... hundreds of thousands of people in the UK had their private and confidential communications data processed without their knowledge or consent. BT and Phorm even attempted to deceive customers into believing that the trials were not operating.

The communication data would have included acutely personal information, such as communications relating to health, political opinion, religious belief, or sexuality.

Because BT/Phorm did not obtain explicit consent before processing that data... they violated data protection legislation.

UK Data Protection Act 1998
European Data Protection Directive 95/46/EC

Communication Privacy

European communication privacy law distinguishes between traffic data (information used to route, or bill for communications) and the content of communications.

Telecom companies are allowed, with consent, to use traffic data for marketing purposes. The legislation does not allow them to use the content of communications.

Because BT/Phorm processed the traffic data and content of communications, without notice or consent, they broke the law.

UK Privacy in Electronic Communication Regulations 2003

European Human Rights

The European Convention on Human Rights states that:

    Article 8 Right to respect for private and family life

    1. Everyone has the right to respect for his private and family life, his home and his correspondence.

European Convention on Human Rights


Thanks for visiting Dephormation.

Protect your right to communication privacy, security, and data integrity.
Protect your valuable web site content.
Stop Phorm.