Changing their Terms of Service?
Sounds like a good way to exploit the get-out clause while you can. Changing ToS means that existing customers can leave without penalty
BT is preparing to test Phorm's advertising targeting technology on 10,000 of its customers this month, to gauge people's reaction to their web browsing being exploited for extra revenue. The trials will begin mid-March and guinea pigs will be drawn from BT Retail's consumer broadband subscriber base. The firm believes …
These types of scumbags always do that, then assume that you have browsed the web page and accepted the change, and even say you must contact in a certain time or you accept.
Send them an e-mail of complaint, then in the blurb that is always after the end of it now, add changes to the contract stating that if they do not reply within seven days they accept these changes.
It will either change your contract to a more reasonable one or get a reply :)
Oh and *always* e-mail your ISP regarding any changes with your contractual change in :)
On your Marks ... get set ... (icon)
"ensure that customers are able to take a fully informed decision"
In order for customers to make a "fully informed decision" BT need to give them -all- the facts which I simply cannot see them doing. There is no way BT will say on the portal page that this "service" contravenes RIPA, DPA, Human Rights, Trespass to Chattels and Computer Misuse Act.
Also there is no way BT are going to tell their customers about the dark history of the Phorm executives.
Furthermore, I don't expect they will tell their customers that even if they opt out all their browsing will still be sent to Phorm who simply "Promise" not to use it.
I definitely don't expect them to inform the customer that under EU anti spam laws BT are required to get people to opt in instead of opting them in by default and giving them the option to opt out (although the opt out option isn't really an opt out).
So "informed" decision? No fucking chance. Their interpretation of RIPA is about as flawed as their interpretation of what they claim their customers want.
KICK THEM TO THE CURB
Finally, Chris Williams, could you please contact BT again and see if they are willing to admit that they already trialled this service last summer (illegally). I am seriously considering starting a class action against BT for the trials last summer even though I am not a BT customer.
"Finally, Chris Williams, could you please contact BT again and see if they are willing to admit that they already trialled this service last summer (illegally). I am seriously considering starting a class action against BT for the trials last summer even though I am not a BT customer."
I have asked this question half a dozen times now. The most recent yesterday they were still "looking into it".
I'll keep asking and if I ever get an answer, Reg readers will be the first to know.
I checked my cookies last night, and lo and behold, there was one set by OIX.net, which coincidentally happens to be Phorm's portal.
So, although Virgin claims to be some way away from an implementation, my browsing is already being monitored. Don't worry, I promptly decided to disable all cookies except those for sites I trust, changed to OpenDNS, and even installed Adblocker Plus to prevent me from even seeing these new adverts, if they ever appear. I wish Adblocker Plus was installed with Firefox by default - it must be the best addon I have ever seen. Or better, not seen!
I do hope that BT's new homepage for these guinea pigs explains exactly what they are agreeing to, and why they shouldn't. Perhaps they should link to the discussion on El Reg, for a less biased point of view.
I love the way they call this a "service".
"We're going to monitor your web traffic, analyse it behind your back, serve up advertising that you don't want and never asked for, make money out of it on your behalf, and you'll damn well be grateful"
Wasn't it a little while back when Google (?) were going to introduce something to "improve your browsing experience" with targeted ads.
I appreciate that these companies want and need to make money, but PLEASE don't insult me by trying to convince me that I actually WANT this stuff, because I don't and never will.
"We consider that these steps [above] will meet the legal requirements of RIPA and also ensure that customers are able to take a fully informed decision as to whether to take the service."
But what do they mean by "take the service"? I think this is crucial - I bet their definition of me taking the service would differ from mine. Are we opting out of the farming process or just the serving of ads based on that farming process? I want the former; I bet they mean the latter.
Is popping up a page when the user is browsing a legal way to obtain consent? Many households have more than one internet user in it and the one seeing this popup is not necessarily the one paying the bill (and hence bound by the contract). Equally, can someone agree to allow that someone else's web browsing is monitored by BT, e.g. their spouse's?
Direct lift from the webwise website for BT they're nicely selling it as an internet security package and after this hard sell that you NEED webwise then they tell you it's going to spam you with adverts so they can make even more money than the already ludicrous prices they charge you each month for their broadband packages.
Hopefully packages such as adblockplus and spybot will be able to block this stuff. However I'm a little confused as to how they intend to display the adverts will they simply spam you with popups or are they planning on basically mapping over existing ads so if a page with google ads is loaded will instead of it showing google ads start displaying BT's ads?
This could have a pretty major impact on people who rely on revenues from advertising to keep their sites and communities alive
BT Webwise helps to increase your protection against online fraud and make your Internet browsing more relevant.
BT Webwise automatically increases your protection against online fraud by checking against a list of known fraudulent and untrustworthy websites. When you visit any website on the list, you'll receive a warning, so you can choose whether or not to visit it. It's another way BT is helping to protect you online.
'Targeted' adverts are a red herring, tho there have to be concerns about adverts targeted at the adult male of the house being served up to the preteen girl who happens to use the same computer.
The issue is that irrespective of the "opt out", Phorm's servers (which currently seem to be in China) will scan your web traffic and webmail. If you opt out, they'll still gather it even tho they promise not to process it.
And what happens when Phorm's servers are hacked? Which /will/ happen, sometime, it always does. 10 million of us will start getting 'targeted' spam.
So actually, anybody using the connection (I'm guessing whoever happens to use the web first on the day they flick the switch) can agree to your data being used in the trial....
Not necessarily the account holder; and I'm guessing the person who has the legal rights to change things.
Now you try doing anything over the phone if you're NOT the account holder, it's virtually impossible!
Could someone in the know (therefore making the work easy to the point of being inane) make everyone's life a whole lot easier and list the sections / sub-sections of RIPA, DPA, etc which this practice breaches?
It'd make things a whole lot easier for us mere plebs who don't speak legalese to get the desired effect. A few hundred letters mentioning "Section 11 (Sub. 1) of the DPA states..." etc, with "... begin Class Action proceedings..." somewhere in there would probably get them listening.
Have they checked with the websites whose web pages they're going to decorate with their adverts? When an advert appears will it be obvious to the reader who is responsible for presenting it? If Tesco have an advertising contract with BT, do they get to add their adverts to pages from Asda's website?
I'm two months into an 18 month contract with BT Broadband and there's no WAY I'm going to stick with them if this gets rolled out nationwide.
I'd love for someone in the know to produce a legal letter we could all use as a template to send to BT to kill this outrage stone dead.
The relevant sections of RIPA and DPA have already been cited in previous articles on this issue. European Convention on Human Rights (in fact pretty much all Human Rights legislation) clearly states all people have the right to privacy in their private lives and communications (note communications is the important part here).
Trespass to Chattels is a civil tort allowing you to sue anyone who installs software on your computer without your explicit permission (cookie can be deemed as software) although it is more commonly used for property other than computers; and finally Computer Misuse Act basically covers the same points as Trespass to Chattels but is specifically written for computer use and if I remember correctly makes such action a criminal offence.
I am too busy at the moment to go rooting through the relevant legislation to give you exact sections, but you can read them all on www.opsi.gov.uk
I've seen this referred to a lot when people have worried about the tracking of their Internet activity. I can see that since it only handles DNS it can hardly track what you're doing as an individual, but it's putting control of what sites you see in someone else's hands who's trying to make a swift buck or two out of their business. What makes them any more scrupulous than BT?
Happy to be edumicated... :)
There's a nice European Directive from 2003 on telecommunications that specifically covers this. It says that if the telco does something that breaks the law with regards to the directive (such as BT's actions here) then all the contracts with their customers they are doing that action with are automatically voided so contract length becomes irrelevant. Furthermore the customers may sue the telco for damages, things like the cost of moving to another ISP.
BT keep sending me spam, even though I am not a BT customer. Every time I click on the 'unsubscribe' button the web page I am taken to lets me enter my email address then fails 'page not found' How very convenient (for them)! - and no, it is not phishing. Simply, if they can't be relied on to implement their own simple opt-out system for spam, how can they be relied on in this?
All my machines at home have been set to block oix.net's cookies at all times, joining every other advertising address I've found. I'll also keep an eye out for any other strange new ones in case they decide to stick in a few other domain names to get round blockers.
If I understand how this works, this means that they won't be able to consistently match my surfing history... Or am I mistaken there? Do they tie it to IP addresses mapped to BT usernames?
In Firefox, if you set the Cookies to Keep Until: Always Ask, you get to see what cookies are being set, and you can decide whether to accept permanently (eg for forums, or this site) or just for the session. This latter option is great for messing with people like OIX and Doubleclick as it keeps sites working smoothly but stops profiling.
Some relevant bits of the Data Protection Act 1998
Part 1 Section 1
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
[Your ISP is a good example of this. On its own it's nothing, when someone has access to your BT account details like ermm...BT then it's personal.]
"processing" in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available.
The Data Protection Principles [There are 8 but you can Google for the Act itself]
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met [e.g. you've given your consent], and (b) in the case of sensitive personal data [i.e. medical info, gender or ethnicity etc], at least one of the conditions in Schedule 3 is also met [e.g. you've given EXPLICIT consent and it's not carried out for profit].
[Breach of the Principles is ultimately enforceable by court order to cease processing and a possible fine, although the maximum fine is only £5K and BT probably think it's worth the risk of a couple of fines versus whatever they're making from the Phorm deal]
INTERPRETATION OF THE PRINCIPLES
The first principle
1. - (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is DECEIVED OR MISLED as to the PURPOSE or purposes for which they are to be processed. [my emphasis]
2. - (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless- (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph 2. - (3) The information referred to in sub-paragraph (1) is as follows, namely-
(a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
[This should be a useful starting point for the Data Protection Act - there's probably more stuff I could include but I should actually be working]
In some respects you are correct we have no "official" label for class action, however, the principle of a class action in UK law does exist as far as I am aware. And by principle I mean a collaborative lawsuit brought against a defendant(s) from multiple plaintiffs.
As for TV, I watch very little TV at all and even less American TV.
The point has flown straight over your head and out of the window hasn't it. Blocking the cookie makes zero difference in this case. The cookie is used merely for profiling and for opting out, whether the cookie exists or not, all your browsing will still be sent to the Phorm servers they just "promise" not to use it.
Please make an effort to read the many articles on this issue which are linked to at the bottom of this story. Telling people to block the cookies is only likely to lull people into a false sense of security when in reality, cookie or no cookie all your browsing are belong to Phorm.
From http://webwise.bt.com/webwise/how-it-works.html :
"BT Webwise automatically checks every website you visit against our list of known fraudulent or 'phishing' websites — including websites you may visit by accident. Our list is constantly updated and sites that appear on it will trigger a warning notice before you reach them, so you can choose whether or not to continue. "
The better way is to go to http://www.mvps.org/winhelp2002/hosts.htm and install the MVPS hosts file (which works on Windows, Mac OS/OS X, and Linux incidentally, although you're on your own for installing it on non-Windows machines as far as MVPS is concerned).
The hosts file contains a "list of known fraudulent or 'phishing' websites" as well as other malicious sites, and completely prevents your computer from ever contacting those sites, by redirecting any attempt to reach them right back to your own computer. Any attempt to reach (for example) www DOT almoso3h DOT com (which has attempted in the past to install Trojan-PSW.Win32.VB.cl on visiting computers) will simply return a "host unreachable" response.
I've sent them three emails so far asking how to opt-out of this. The first reply just gave a link to the Reg article that detailed how dodgy the scheme is:
"BT, Virgin Media and Talk Talk argue that Phorm's anonymising techniques will achieve this feat. When discussing Webwise, the consumer brand for Phorm's advertising targeting system, the existing partners all place heavy emphasis on its widely-available and standard anti-phishing features.
Here is the link for it http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/"
Then they recommended that I call their 25p per min tech support line! When I emailed them again to point out that they had made no attempt to answer my question, I got this:
"Unfortunately, I do not have enough information from your e-mail to diagnose the problems you have been experiencing or locate your account. We need a clearer view of your computer's activities prior to this problem occurring. Can you please email again with a few more details about the problem. I will then be in a better position to help you.
I need to know the following:
<<insert technical questions here: no more than 4 unless its essential>> "
Both emails were signed:
"Virgin Media Technical Support Centre"
They can't even use a fucking email template properly! The fact that I pointed this out to them in my second email leads me to believe they are just seeing the word "Phorm", opening up a template and hitting send. If I don't get a satisfactory answer from the third email, then I'm phoning them up and that'll *really* make the cunts sorry - I have honed my belittling speech to perfection.
It's not about protecting my privacy anymore, it's about punishing VM and its staff.
The issue of the 'opt out' is seriously bothering me with regards to how vague it sounds. I found someone claiming to work for Phorm who was posting on a blog for Labour Councillor Bob Piper. Anyway I originally asked:
"Would you care to explain how the 'Opt Out' works ? I suspect that by opt out what is really meant is that a machine will not be targeted with adverts. Can you really explain exactly how the opt out process works in a technical manner and not by just referencing the website you can go to to click 'opt out' as this explains nothing. Most importantly, if someone has decided to opt out, will any data what so ever be sent from the ISP network across to the Phorm network for any form of processing ?"
And got this answer from 'techteam':
"When you opt out -- or switch the system off, it's off. 100%. No browsing data whatsoever is passed from the ISP to Phorm. We should be clear that the Phorm servers are located in the ISP's network and browsing data is not transmitted outside the ISP. Even if you are opted out websites will still show you ads (as they do now) but these will not be adverts from the OIX system and they will not be relevant to your browsing."
It still hasn't made me any more happy about this whole situation, and I've no idea who this person is or if they are even legit, but the full details can be found here:
No, no, and NO! The cookie is just a mechanism for building a profile for your browsing habits; it means they have a way of saying "Oh, but WE don't hold ANY data about you! It's ALL on your computer!" This does NOT stop them actually RECEIVING the data from the ISP (the bit which everyone is up in arms about)!
Anyway, by their own description of how the service works, blocking cookies would result in your choice to "opt-out" being voided, as that choice is ALSO stored in a cookie. Note that choosing to "opt-out" only stops them serving targeted advertising, not being sent your data.
This is the key issue in the debate, and why I'm so adamant to get the right sections in the DPA, RIPA, Human Rights Acts to beat Virgin Media (my ISP) over their engorged head. I'll be visiting Citizen's Advice at the weekend, and seeking advice from one of these "No Win, No Fee" solicitors to see if there is a case. Just so happens I know one... ;)
Unfortunately nothing will happen unless the majority of the customers of these ISP hear about it.
By far and away the majority of people affected will have no idea what it is all about and will be taken in by the idea of safer browsing.
You have to realise that most of BT/Virgin/Talk Talk's customers are not technically competent and have no idea that the so called benefit can be had for free without the drawback of being spied upon.
The only way something will happen is if this gets to be featured on mainstream TV i.e. BBC/ITN News. I have just contacted the BBC News website asking why they have not covered the story - I suggest you all do the same. If enough pressure is applied hopefully they will sit up and take notice. Another thing to do is to contact your local MP with the story.
This has to be made public before the 10,000 user trial starts for there to be any chance of a user backlash.
Hmmm, bit harsh there surely. The AC's browsing will still be sent to Pharm but without the cookie there's no easy way to "profile" the AC and there's no way for Pharm/BT/Virgin/etc to target ads at him/her meaning all that Pharm will get is a bunch of websites that someone, somewhere on BT/Virgin/etc's networks has visited.
Assuming they can't profile without the cookie and SSL stuff is secure from them prying into the content then it goes from a major invasion of AC's privacy to something still illegal but probably less directly harmful to the AC.
Reading too many reports of American court cases, then ;-)
There's a Group Litigation Order, but it is opt-in rather than opt-out as a US class action is - it does not automatically include all potential plaintiffs (nor provide the defendants with a once-and-for-all ruling), so you have a bigger recruiting job on your hands. It also leaves all the plaintiffs potentially liable (I suspect jointly and severally) to their own (contingency fees/no-cure-no-pay can't be used) and any defence costs if they lose the case, which could be nasty.
Mind you, I think (IANAL,) this isn't relevant to anything under the Data Protection Act, where it looks like a criminal offence is being committed rather than a civil tort anyway. So you want to get the DPP on the case...
This doesn't mean that I don't think that hanging's too good for them, though...
“The trial invitation will be presented through a special web page that will appear when those customers start a web browsing session,” say BT.
We try and teach people to be wary of strange and unexpected things popping up during web browsing. Now BT are going to do it, and want customers to unquestioningly engage with it!
All BT VM CFW users please install Firefox + TrackMeNot
TrackMeNot protects users against search data profiling by issuing randomized queries to popular search-engines.
Select all search engines and set the query rate to 1 per minute.
Let's see how good their profiling software is.
Honestly Steve, your response from VM is better than the one I got from BT. Guess my email reached India. They sent me:
I am sorry to learn that you are unable to use BT Webwise properly. I can understand that you are very worried about the security.
However, I would like to mention that BT Webwise helps to increase protection against online fraud and make Internet browsing more relevant. BT Webwise automatically increases protection against online fraud by checking against a list of known fraudulent and untrustworthy websites. When you visit any website on the list they will receive a warning, so that they can choose whether or not to visit it. BT Webwise also personalises the online advertising seen on participating websites by linking it to customer's interests. For example, if you search for a weekend trip to Paris or visits pages related to Paris, BT Webwise would help provide relevant advertising for travel or hotel information. Customers would not see any more adverts than they normally do - they will just be more relevant.
We are trialling BT Webwise in February and March before launching for all customers in phases. BT Webwise is completely free - and does not require any downloads or software installation for it to work. All users are assigned a random user identifier (cookie) to preserve anonymity but to keep the ability to be served relevant ads. BT Webwise does not collect personal information, cannot use it to serve ads, and does not attempt to identify you in any way. BT Webwise uses technology that has been built from the ground up to avoid any information that might identify a customer personally. BT Webwise does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance, or other private information.
If the issue persist, then I will advise you to switch off and switch it back on by trying the following link: http://www.webwise.bt.com/
For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site: www.bt.com/broadband/help
Thank you for using BT Total Broadband Support.
Which would be fine, I suppose if I had any feeling that they may have read what I sent them:
I am writing to you today due to my grave concerns about BT's proposed 'service' 'webwise' which will be run in conjunction with a company named Phorm. I have numerous privacy concerns with this service, not least that the CEO of Phorm has proven links with malware. I do not trust this company with my data, and certainly do not believe BT should do so on my behalf.
As you are no doubt aware, this issue has been highlighted recently in many technical news forums, including The Register. If BT were to read the comments on the Phorm Related stories they would see that this 'service' is not something that is wanted. I have 'anti-phishing' software included in my browser, and 'webwise' is unlikely to add any further protection.
Whilst I am aware that I can download an opt-out cookie, it appears that my traffic (both outgoing and incoming) will continue to pass through Phorm's hardware. This is simply not acceptable. Whilst it is claimed that the information is anonymised, last year's debacle with AOL releasing supposedly anonymised data shows that this is not always as simple as it seems. Furthermore as there appears to be no system for oversight, and given Phorm's links to malware, I fail to understand why BT expect its customers to trust that data will be 100% anonymised.
I believe that the proposed system constitutes 'Interception' under the Regulation of Investigatory Powers Act (RIPA), I have not given permission for you as a service provider to 'intercept' my data, except as required to provide the services I am paying you for. Even if BT can claim implied permission, the owners of any websites I am visiting are unlikely to have given permission for a third party to essentially create a copy of their copyrighted material.
For the purposes of clarity, I do not give permission for BT to pass my browsing habits through this system, as a website admin, I do not give permission for packets sent from my server to a connecting client to pass through this system, and I will consider it an invasion of Privacy if either of these are to happen.
I am not interested in targeted advertising, and regularly use the functionality of my browser to block unwanted adverts. This 'service' is of absolutely no use to me, and I wish to know exactly how to fully opt-out. Not just via a cookie, but to opt out any system that may be connected to my network, and to ensure that no traffic from my network will ever pass through Phorm's hardware, whether leased to BT or not.
As a means to reaching that end, please note that the following is a Data Protection Act Notice, as provided by the UK Data Protection Act 1998.
I, Ben Tasker, hereby withdraw permission for BT to pass any of my details, including details of my web traffic to any third party whether inside or outside of the EU, except where it is required by law. I also specifically withdraw permission for BT to pass my details outside of the EU whether to a BT Group subsidiary or otherwise. BT may only use and hold my data as required to fulfil their contractual obligations with regards to the Provision of my BT Total Broadband, BT Fusion Mobile and BT Home Phone services.
If BT should discover that it needs to pass my details outside the EU or to a third party in order to fulfil their contractual requirements, they must obtain my most express permission in writing first.
Thank you for your time, and I must express that I am disappointed that an ISP such as BT have made decisions that have led their customers to this juncture. I will be considering changing ISP, however if BT can guarantee that my data will not pass through Phorm's system (and they must do so in writing) then I will consider remaining with BT. Especially as this is the first issue that has arisen since BT provisioned my line.
Anyone else get the impression they read Webwise and said Right!! Template 1, send, close ticket. Done, who's for coffee?
P.H. Cos at least she would read it, might not understand it.......
I've signed the no.10 petition and am waiting for BT to reply to my query on whether they have been or will be behaving illegally with my data. Still waiting.
Anyway: Some have mentioned here blocking ads using hosts file, squid or privoxy/proxomitron. I recommend against using squid as it can do a lot, including blocking, but that's not what it was designed for. Messing with ACLs is mucky and squid on the whole is a bit of a hairy beast. Go for something designed for the job.
I have to say that using hosts (at least on windows) has problems. First, it slows down page loading as a blocked/hostfiled URL will try to resolve to the local machine and that seems to take a couple of seconds to timeout on my machine (win2k).
2nd, and this is worrying, hosts file can be bypassed. I understand there's a win2k API call to resolve, explicitly ignoring hosts (read of this in link below). But I can confirm that when skype (ver. 220.127.116.11 at least) is online, URLs are resolved to some weird degree, for definite, even if 127.0.0.1'd in the hosts file. It looks like skype is intercepting browser requests. Here's the link to my original query with some thoughtful feedback:
Finally, and perhaps most problematically, I've recently noticed that adverts' text seem to be being served up within the page - not via another URL; actually embedded. I noticed this when, prompted by another story, I checked up the stuff about safari security. I got the page, I also got embedded ads about safari perfume (so much for precise demographic targetting...).
Here's the link although it doesn't seem to be doing the adverts thing today
This last development is going to be hard to tackle using technical means only...