Thanks to all...

Ian Batten ukcrypto at chiark.greenend.org.uk
Wed, 16 Apr 2008 08:26:25 +0100


On 16 Apr 2008, at 05:41, Peter Fairbrother wrote:
>
> Because saying it's good, or saying it's bad, is just pandering to  
> the Phorm PR machine.

No.  It's pandering to the BT/CPW/VM PR machine.  Phorm can sell products  
to whomever they like, and those products may or may not be legal in a  
given jurisdiction.  We're discussing --- and as several people said  
last night, fruitlessly, as none of us are judges --- UK legality, but  
their product is almost certainly legal to use in the USA at least.   
It's also clearly legal to develop, manufacture and possess their  
product in the UK.

Let's assume for a moment that all your and everyone else's legal  
theories are true: that the Phorm product contravenes DPA, RIPA, CMA,  
PECR, the Fraud Act and --- indeed --- can be used for sleeping with  
the wife of the heir to the throne while setting light to her mother- 
in-law's dockyards.  Who would be committing these offences?  Phorm?   
I can clearly use access to Cisco routers to breach RIPA, but you'd  
have a hard job getting John Chambers in court for it.

No, I think the elephant in the room (to quote Simon Davies) isn't  
legality or illegality.  It's who would be committing the putative  
offences, and in every case it's the ISPs.  And the ISPs have less  
skin in the game (no Webwise == no Phorm, whereas the ship of BT state  
will sail inexorably on with or without Phorm, shedding perhaps a  
couple of eager young pups in Retail as it goes) and far more things  
to worry about legally (they're big, UK based companies with  
shareholders, assets and directors who don't like trouble).  And  
although children might be able to claim that they were talked into it  
by a big boy who ran away, multi-billion pound companies are assumed  
to be quite able to figure this stuff out for themselves (due  
diligence: BT made a point of how much of it they'd done).

Ethereal is capable of carrying out several criminal acts, RIPA most  
particularly (we've had this in the `hacking tools' debate).  If  
someone actually does use it to carry out a criminal act, they do so  
at their peril.  There are very, very few cases in UK law where the  
manufacturer of a product which is capable of being used for illegal  
acts, or indeed whose primary purpose is the commission of illegal  
acts, can be held liable in a civil court, and I'm not offhand aware  
of any cases in a criminal court.

If BT, CPW and VM wish to breach RIPA and the DPA, they do so at their  
peril.  And they can't then claim they were seduced into it by that  
lothario Kent (who went a bit non-linear on the `everyone's up to it,  
so why shouldn't we?' riff, but actually seemed like a rather decent  
chap).

Let's be clear.  I think Phorm's marketing proposition is questionable  
(that's for the market, though) and I think that what Phorm require  
ISPs to do for Phorm's business to operate is unconscionable and, I'm  
convinced (I'm not a lawyer) illegal.  I think the lack of Network Level  
opt-out is technically and morally dubious, and that Phorm's inability  
to answer simple questions about opt-out for children is telling.    
But I think the legal and operational responsibility lies with the  
ISPs, who --- unlike Phorm --- have not engaged with customers or  
campaigners (those following the PR disaster on the BT Support Forums  
will attest to this).  The ISPs will operate it.  The ISPs will  
provide the data.  The ISPs are the people who will breach RIPA (if  
anyone is).  The ISPs are the people who will breach the DPA and the  
PECR (if anyone is).

Someone from Phorm made a telling comment at the after-party.  That  
people think that their product is immoral, but because that's not  
enough to stop them with, they reach for technical and legal  
alternatives.  I'm not sure they're entirely right, but I think  
there's something in that: `we' don't like this, `we' don't want it,  
so `we' want it stopped.  The law is handy, we think, although geeks'  
track record as lawyers isn't that great.  R. vs Stanford teaches me  
the lesson that a career in the ISP trade doesn't teach you enough  
about RIPA to win a court-case.

But Phorm will be stopped dead in their tracks by (a) ISPs refusing to  
implement and/or (b) Advertisers staying away and/or (c) Website  
owners staying away and/or (d) critical numbers of users opting out.   
Phorm can be as legal as driven snow, and satisfy every campaigner,  
but without a lot of user data being taken off by ISPs in order to  
allow advertisers to place adverts on websites, the whole thing  
crumbles into dust.

I thought Phorm made a valiant effort last night.  I think their offer  
for people to donate free security consulting is bogus (and unwise,  
given the similarity of their name to Steorn, the last company who  
tried that line).  I think their rapid adoption of ad hoc solutions to  
every objection smacks of Irving Langmuir's fifth point, and I think  
that they are hanging a long-term business on the particular  
happenstance of current browsers' reaction to a 307.

My impression --- and I'll write more about the meeting once I've  
recovered from not getting home until gone two --- was that they  
genuinely believe they have a money-making scheme, and genuinely  
believe that what they're doing is acceptable with a few tweaks. Sure,  
Kent got a bit messianic at points, and his claim that absent Phorm  
the Internet goes bankrupt is nonsense: races to the bottom are hard  
to break until the first plane hits the ground, but a market in which  
the entrants are ``Broadband for 15 quid, but we profile you'' and  
``Broadband for 25 quid, we respect your privacy'' is the sort of  
thing markets are best at deciding, and the history of advertising  
supported telephony is nasty, brutish and short.

The people we should be engaging with are the ISPs, without whom this  
all fails.  And they, notably, weren't there.

ian