much ado about nothing
Install Firefox, add NoScript, be done with it
More than ten million customers of the UK's three largest ISPs will have their browsing habits sold to a company with roots in the murky world of spyware. The deal has sparked fears over privacy, but today Phorm, the firm behind the new advertising system, strongly rejected such concerns. BT, Virgin Media, and Carphone …
I know what will happen though, the big 3 will send some obscure email about some minor alterations to your T&C's, just click here to accept, don't worry about reading them after all, this will help to keep you more secure online...........
Personally I go to a lot of trouble to not see any advertisements on the web. I don’t want people tracking my every move (I know, I know, they do already) and then using that information to make money for shareholders rather than investing in backhaul and network upgrades so I might be able to get close to the Up to 8Mbps service I have paid for!
Now then, before we get into a debate about pr0n, I surf for it. However, I am not sure that I want my children to get "relevant advertising" based on my pr0n surfing habits when they use our shared Virgin media connection.
In other words, my Internet Connection has more than one user connected to it and what's relevant to me may not necessarily be relevant to other users in the household. In fact, it may be detrimental to other users in the household.
Mine's the one with "hustler" written on the back.
That makes me glad I am not a customer of one of those three ISPs.
Funny though, I thought the data protection act said "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
Surely if they are gathering this information for compliance purposes they can't just decide they want to sell it?
I really can't see this sort of thing being used in the suggested "3 strikes" system at all. Either as a way of flagging up people looking at/for torrent sites, or as a way of identifying people who might be up to no good (based on a variation of the old security principle of "if you don't sign up to have your colon probed by a bulldozer, you're obviously hiding something up there!").
It's nice when your broadband supplier tells you about this sort of rubbish before going ahead with it....
OK, may be a silly question, but what amount of data will they be sending through in these targeted ads????
If you have an "Unlimited" (cough cough) broadband with a "fair usage policy" (cough cough), when these adverts that are being sent to you push you over this (usually ridiculously low) limit, how will the ISP respond to your breaking their fair usage policy?
Also, my wife browses the net quite a bit, and I sure as hell don't want adverts for makeup, perfume and other womanly things popping up when I'm trying to read El-Reg.
Mine's the tinfoil jacket, hat, glove and scarf set..........
Oh dear.... another person with their head buried in the sand who does not understand risks. I bet you don't lock your doors, don't have a password on your PC and are happy to let anyone search through your house and wallet because you haven't got anything to hide.
Isn't ignorance bliss......
Call me cynical, but I can almost picture the scene:
Commercial 1: Will it make us a lot of money?
Legal 1: Will it make us a lot of money without being explicitly against the law?
Technical 1: How long do we think until a data breach?
Commercial 2: How much money will we have made by then?
Legal 2: How much would we get done for?
Technical 2: Are we just going through this process to make it look like we actually care about the customer when in fact it all comes down to how much money we can make out of it seeing as it's actually technically feasible?
I have to say I love how they claim that it's a new gold standard. Yes, it's better than previous iterations, but here better only means "not as bad". In a similar vein chocolate money wrappers are a new gold standard. And there's only a thin veneer separating them from something brown.
BT say: "We are comfortable with having their computers installed in our operations"
I say I'd rather be with an ISP that didn't invite a rootkit pusher to plumb servers into its network.
And I'd rather get my anti-phishing software from somewhere other than a spyware developer.
In fact I'd like to know a little more about the webwise software.
Is its real purpose to tie a click stream to a browser/user rather than just a connection? What sort of due diligence has been done on the code? At the very least I'd want to see the source (unobfuscated, with English rather than Russian comments).
Note that the opt-out appears partial and highly misleading. Opting out requires a cookie - clear your cookies and you're opted back in. Worse still, this only opts out of the ads (which are easily blocked anyway) Phorm still get your browsing history.
I’m still trying to work out whether, as well as spying on us, the ISPs will be directly injecting the adverts into the web pages or if that’s going to be left to participating websites. Modifying passing traffic is something that’s already cropped up in the USA. Have a look at the University of Washington’s Web Integrity Checker.
The problem with cookies is that I block nearly all websites, and, for those lucky enough to have me accept theirs, they still get regularly purged. While you can get sophisticated cookie managers to help preserve necessary cookies, if I were to accidentally lose my precious one from Phorm, the spying would start again. Plus, they have to spy on my traffic to see if I consent to them spying on my traffic! This has to be an explicit opt-in, done from the MAC or other unique identifier from the modem.
More websites need to start offering secure connections. I’m going to ask again for https://www.theregister.co.uk/ please. In the meantime... Tor, Relakks, JoDonym/JAP/AN.ON, etc. etc. while I consider moving to a smaller ISP who have more respect for privacy.
I have BT Business Broadband. I'm wondering if the selling of my data will allow me to terminate my 12 month contract early.
Then I thought, who else can I get my broadband from... the only other provider I know of in my area is Virgin (was NTL). Sky and TalkTalk and I think even Pipex use the BT infrastructure and I reckon data would still be sold by BT.
Is this anti-competitive ? My MP is an ex-BT researcher (I live in Ipswich) and they are a major local employer... so I doubt he'd give me any support...
What can any of us do about it ? Were the comments under the title "much ado about nothing" accurate and what are the consequences?
Need to run Spybot to disinfect your ISP. They have been sneaking spies into your PC for years and those in the know run antispy software. Whereas more ordinary PC users (who do not read Reg) suffer.
By placing the spy inside the ISP they have really taken control. Imagine having your HTML scrutinized and modified as you surf the web. If the optout/optin is by Cookie then they can better identify the user. Each user on a home router would have a different cookie since that's via the browser.
I expect my ISP to simply be a pipe to whatever Internet server I am looking at. I don't expect the content to be filtered and coloured on the way. If they do start doing that then I can see sites offering https versions just so you know you are getting the real thing.
As with everything, the ordinary simple person will be directly affected in the intended way and the few smarter people will work around this. We are all a bit ordinary and simple at something and they usually get us. My weakness is those letters that come through the post saying I may already have won £1,000,000. Get me every time.
Where are the Phorm adverts?? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue?? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't).
Their 'Open Internet Exchange' page seems to be only a flash presentation and an email address. Can't see why anyone would apply, they don't even give hard numbers.
"With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company, publicly listed on the London Stock Exchange's Alternative Investment Market (AIM) since 2004."
Yet it offers lots of money to ISPs to hand over their users' surfing data and ISPs just ignore their duties under the law and hand it over? Must have been some serious cash down for that.
Where does that money come from if it doesn't have a successful advertising network business? Unless there is some major advertising network behind this, then that company cannot 'tweak' its target adverts to make them more relevant as it claims.
So I reckon it's a Total Information Awareness data mining project.
Delaware? You mean like Tepper Aviation?
Well done BT, you've finally hammered in the last nail in the coffin. You want to spy on my browsing habits and sell this information on top of all the 'free' crap you keep trying to push at me - 'free' that is apart from the much higher fees than charged by your competitors.
I'm off to another ISP, mine's the one with the 'Sod off BT' logo on the back.
Well that's interesting Phorm.com is a domain-by-proxy (hidden registration details) website.
It's incorporated in Delaware.
It's traded as AIM shares in London (looks like $US proxies for the Delaware company but I'm no expert, I wonder how they got listed?).
Their Open Exchange site OXI.com comes out as 18.104.22.168 and appears to be a Chinese web server according to Dnsstuff.com
First up, ISPs already sell vast quantities of customer data to companies such as Hitwise ('online user intelligence' company). I have a gut feeling from the numbers involved that at least one of the big players like BT has to be onboard, and they hand over your entire surfing habits from first log-on to final (f)log off.
Secondly, I do see that it's not great, but behavioural targeting of online ads is already there - ads are served to you based on which sites you visit. Admittedly, it's usually within a particular content network, but as Google becomes more insidious, that content network covers more and more of the web. And then an ad is served from a third party ad-server to your PC.
Point is, the parts are already there, kind of, and while the combination of them is not particularly a good thing, it was always going to happen, IMO.
I hope all the people who complain here will also complain to their relevant ISP. And also to their MP and the data commissioner. If not - it's just hot air.
The same goes for those who are getting hot under the collar but do nothing.
I've just written to the acting CEO of my ISP. It's not that much hard work.
With the recent articles about the financial effect on ISPs of the BBC on-line programmes, it seems pretty obvious what it's about. Not making loads of money, just staying afloat. Still a mistake, it will just put off for a few more months the evil day when they have to be honest about capacity.
Having looked at Ernst & Young’s Phorm Service Privacy Examination Report, I’m even more worried. It states that “Phorm Service uses only NonPersonally Identifiable Information (‘nonPII’), such as search terms, URLs and keywords.” It’s that ‘keywords’ word that’s most disturbing, as it’s not just URLs. Presumably that means keywords taken from the contents of web pages, not just information from headers. If so, that’s going to mean anyone who uses webmail that only uses HTTPS for authentication and not encrypting the contents of emails (and that’s most of them) is going to have all their emails scanned as well. I believe that’ll include situations where it’s not obvious that HTTP is being used, such as accessing Windows Live Hotmail directly from Outlook (Express) using WebDAV.
I still feel like I’ve dropped into a bad dream or alternate reality and that this isn’t actually happening.
Doesn't this get in the way of those who already fund their websites with ads from Google and the like, the people who create webpages and earn their living from the ad revenues?
I can't get too high and mighty about such things as I always use adblock, but then I'm not the one who's willing to roll over for the music business and its dubious intellectual-property-being-supreme mantra.
That's right. Though GET queries appended to URLs can be pretty revealing in themselves. Phorm claim that they will be stripping out number sequences of more than three digits (which incidentally or otherwise means they get postcodes), but the fact that they are stripping these out means that at some stage they have the whole content.
Well I have just received my MAC code from my current ISP with the intention of moving to Virgin. I won't be doing that now.
Do we not pay enough? Do they really feel it's a good idea to open us up to such risks by selling our data? I feel like we're being treated like the man in the restaurant that sends the food back. Expect it to come back with a new and unusual flavour. (note to self: must remember to tip my mobile phone company).
Who else is there to sell our data and thrust advert spam in our faces? Perhaps Belkin would like to update my router to do this? And PC vendors. They could just cut out the middle man and provide machines that have spyware as a factory default build.
BT offer online backup services to its customers. Do they analyse this too? If not, why not? Surely their shares must take a kicking on this revelation. They're missing a prime opportunity to rake more money off the back of its cattle. Sorry, I mean customers.
I find it hard to believe that companies like this act in such an irresponsible manner just because the letter of the DPA doesn't prohibit their actions.
1. Already mentioned - Firefox
1a. with NoScript. Good for blocking other advertising sites too (e.g. doubleclick.net)
1b. or with Adblock and a custom filter. How long before the standard filters include it?
2. opendns.com, open an account and set up an IP block. You will also need to update your router and/or NIC DNS details to use the OpenDNS servers.
The good thing about opendns.com is it will work whether you use IE or not. If you set the router to use OpenDNS, all computers on the network can take advantage of the blocking. If you have a laptop and manually set the DNS servers, you can have the protection follow you wherever you are though you also need to setup dynamic-DNS.
It's not very often that things stop me in my tracks, but fuck me, this has. It'll be interesting to hear what the poor TSA on the other end has to say. The report also begs the question "have they been selling our clickstream data already". I haven't been able to find a copy of BT Broadband's T & Cs, if anyone knows where they're hidden, please share.
Finally, I found this site (good pun too) http://www.badphorm.co.uk, there's not much on it as it was registered 4 days ago, but it'll be interesting to see what appears on it.
How exactly is this to be done? I don't see anything in the article describing that.
The inference is that the ISPs will be analysing TCP/IP packets, but unless they're injecting adverts into the responses, which would have a lot of implications in terms of trespassing on the user's communications and search engine usage, as well as the sheer horsepower required, I don't understand how the user is going to see the adverts.
I suppose it could involve transparent HTTP proxies operated by the ISPs.
It sounds more like a browser toolbar add-on that is installed by customised browser installations from sign-up CDs and so forth. That would be easier for users to avoid.
That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting.
As it is anonymous I doubt it is using the user's email address to send adverts to them, either.
I wonder if it is Microsoft Windows and/or Internet Explorer only?
From Phorm's website-
"Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information."
They capture the data stream then parse and extract the data of interest to them, promise to ignore the sensitive stuff, then inject 'more relevant' adverts. For the user, the carrot/ smoke is the anti phishing panacea, Webwise, for the ISP it's $$$$.
Seems a fair trade, compromise all your subscribers and we'll give you 30 pieces of silver.
I've started looking for a more ethical ISP, they'll also lose phone and TV subscriptions.
 From the E&Y report-
"Because of inherent limitations in controls, error or fraud may occur and not be detected."
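An added illustration (not part of the original comments, and not Phorm's code) of the filter quoted above and of the earlier comment about postcodes: assuming the rule means deleting every run of four or more consecutive digits, it shows what is removed and what still passes through. The regexes, the sample URL and the sample page text are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: "ignores strings of numbers longer than three digits" is read
# as "delete every run of four or more consecutive digits".
LONG_DIGIT_RUN = re.compile(r"\d{4,}")

# Identifiers that contain no long digit run (illustrative, not exhaustive).
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# National Insurance number written in spaced pairs, e.g. "QQ 12 34 56 C".
NI_SPACED = re.compile(r"\b[A-Z]{2}(?: \d{2}){3} [A-D]\b")

# Constructed sample inputs (example.* domains, test card number,
# reserved phone range, dummy "QQ" NI prefix).
SAMPLE_URL = (
    "http://shop.example/search?q=clinic+near+SW1A+2AA"
    "&card=4111111111111111&tel=02079460000&user=jane.doe%40example.org"
)
PAGE_TEXT = (
    "From: jane.doe@example.org\n"
    "Please deliver to 10 Downing Street, SW1A 2AA.\n"
    "Card 4111111111111111, phone 02079460000.\n"
    "NI number QQ 12 34 56 C."
)


def strip_long_numbers(text):
    """Apply the assumed filter: drop runs of more than three digits."""
    return LONG_DIGIT_RUN.sub("", text)


def surviving_query_terms(url):
    """Decode a URL's query string and return each value after filtering."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {key: strip_long_numbers(value) for key, value in pairs}


def residual_identifiers(text):
    """List identifying strings still present after the filter has run."""
    filtered = strip_long_numbers(text)
    return {
        "postcodes": UK_POSTCODE.findall(filtered),
        "emails": EMAIL.findall(filtered),
        "ni_numbers": NI_SPACED.findall(filtered),
    }


if __name__ == "__main__":
    print(surviving_query_terms(SAMPLE_URL))
    print(strip_long_numbers(PAGE_TEXT))
    print(residual_identifiers(PAGE_TEXT))
```

The card and phone numbers disappear, but the search phrase, postcode, e-mail address and a National Insurance number typed with spaces all survive, and the filter can only run on content that has already been captured in full.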
"That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting."
They will be delivered in the usual way, via web publishers. Just as Google uses search queries and page content to target text advertising, Phorm will use browsing history to target banner ads from advertisers that have signed up to the Open Internet Exchange on websites that have also signed up.
It won't "interfere" with sites as such, but offer them a way to serve you ads that you're supposedly more likely to click on, which means more money for the publisher.
Do a traceroute on oix.com from wherever you are. I've tried one in France, one in Belgium, one in Germany and one from USA, all of them tracert fine for most sites, but oix.com always stops IN THE COUNTRY I'M TRACING FROM.
e.g. try DNS stuff:
Stops at theplanet.com 22.214.171.124 Dallas Texas.
The France query stops in Paris, the Belgium one in Belgium... you get the idea.
Perhaps they've built a super fast network with all the end points in each of those countries, and the network blocks pings.... seems very very odd to me. I can tracert to other servers from most of those locations.
e.g. from Colt (UK)
Stops after 2 hops, at colt!
Stop in telstra.
Anyone care to name the network that blocks each of these end points and who owns it?
Premium rate support number to report faults to an offshore call center muppet who reads a script without understanding a thing - Strike one!
Traffic shaping - Strike two!
All my proxy logs are belong to a scummy adware company - Strike three!
Virgin, you're out of here! Please leave your contact details in the bin on the way out.
Of course, these logs are now advertising data and not communications data so any agency will be able to hoover them up and de-anonymize them without warrants or oversight. That VPN to Relakks in Sweden is looking more attractive by the day.
Pass my coat. It's the one with "You can only shaft me so many times without giving me a reach around" on the back.
Only those with no capability of being honest with themselves believe they have nothing to hide.
For example: Your bank account number, your credit card numbers, the names and ages of your children, and their locations at various times of the day, how much CO2 your automobile produced this month, the interest rate on your mortgage, the current state of your indebtedness (up-to-date, past due, etc.), your medical history...
Only the abysmally ignorant, or the absolutely dirt-poor think they have nothing to hide.
I love the black helicopter angle. So the ISP goes, "cool! advertising money, nice, thank you, here is your info feed". But there is no advertising, it's part of TIA (Total Information Awareness, BBC1 Sunday 9pm The Last Enemy) which is part of the bigger NWO (New World Order - see Alex Jones Infowars) plan.
It's the marriage between government and big corporations. So quicker than getting a law passed that forces the ISP to hand over this live data (see RIAA and Music Copyright legislation requiring ISPs to inform on Downloaders) you simply pay them for it! Very smart. It would be a good (I mean evil) plan to pass some laws as well.
But I digress into the land of TV fiction and Internet conspiracy theories....
As per title. BT own Plusnet, Metronet, and the Brightview brands (Waitrose, Madasafish?).
Is the ridiculousness in this article confined to customers of BT Retail, or does it extend its tentacles to the other BT-owned ISPs?
If it does include them, I suspect a few folks will be looking for their MACs (I'll be looking for two, as will a few folks I know).
Vote with your feet, it's really that simple.
Never hook up with an ISP that ties you in for longer than 3 months.
Leave them behind, go somewhere where this doesn't happen, my ISP rocks and is not signed up to this BS, can't tell you who it is though because my service might degrade with more subscribers :P
Ditch the bastards after pinning a great big 'FU' to their foreheads!
I'm still digging away here and hitting dead end after dead end. Take a look at their 2004 financials, they paid $1.3 million to US media company Conducive LLC.
"The results for 2004 include commissions paid to Conducive LLC, a US on-line media agency, of $1.3 million (2003: $82,383), under a joint venture arrangement through which they acted as our sales office in the US and facilitated the receipt of revenue, in exchange for a proportion of the income generated."
I do a search ["Conducive llc"] and get 3 results, none of which are it. Don't you think that's strange for a USA *online* media agency?
Lots of things are bugging me about this company. The financials show a sea of red ink, the oix.com server resolves to China, the trace routes stop dead in each country I try them, I check the few details I can find and hit dead ends. Yet they get $30 million in funding?
The links from 121media.com
Have a look at that zdnet blog.
"PeopleOnPage.com shows an address in Poland with the name Kent Ertugrul . A Google search for Kent Ertugrul brings up a hit showing him as director and CEO of 121 Media, which is a contextual advertising company according to the website."
Connected to AproposMedia, do a search. They tell you how to remove the spyware:
Kent is also connected to Phorm.
"The folks behind ContextPlus, Apropos and PeopleOnPage evidently did not want to be known and there’s little information about them to be found on the internet. The ContextPlus.com domain registration info shows a name and address in Poland. Interestingly enough, the domain history on 2-28-2005 shows the name Apropos with an address and phone number in Kirkland, Washington"
H-E-L-L-O.... I smell a major story here.
I've had a look at the Q & A, this one caught my eye:
I didn't switch on this service. Why do I have to switch it off?
We believe BT Webwise is an important improvement to your online experience — giving you better protection against online fraud and giving you more relevant advertising.
We realise that you may not want to use the free service, so we've made it quick and easy to switch on and off. [X]
From a legal point of view, shouldn't the default be "Opted out", or is it because it's (supposedly) synonymous with security that they can turn it on by default?
Also, they seem very keen on solely using cookies to remember whether Webwise is switched on or off, which probably means that the moment you clear your cookies it'll be switched on (for your security of course).
"With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company,"
Delaware and Florida are both extremely corporate-friendly and consumer hostile. I will not do business with incorporation in either State; in the event of a dispute, I know in advance that the courts will side with the corporation.
Ahh, now I see, it's that DNS pointing to a server in China:
www.oix.com 126.96.36.199, Fasthosts, Gloucester
BUT oix.com 188.8.131.52, China
The tracert fails because the Chinese server only does not route properly. Their DNS:
oix.com IN A 184.108.40.206 172800s (2d)
oix.com IN NS ns1.phorm.com 172800s (2d)
oix.com IN NS ns2.phorm.com 172800s (2d)
So why would they have an A record to a Chinese server in that domain? Perhaps it is an innocent carry over from a previous owner? Let's see, perhaps a previous owner was a Chinese company:
Wayback machine says it was owned by a Canadian link page Oshawa ON (Later Interlinks last May 16th 2007).
So does the oix.com domain, so I assume it was correct when it was owned by that links page. Since it resolves to the same server.
Never mind conspiracy stuff, black-hat-hacking, whistle-blowers and victims of oppressive regimes - *this* is all it takes to make my mind up for me: The network's good enough nowadays; I'm switching to Tor for *all* my browsing as a matter of routine. I don't need perfect security that will protect me from the CIA, I'm not actually engaged in terrorism, but for the lower-grade requirement of "Stop my nosy bastard ISP snooping all my traffic", Tor is *perfect*.
Virgin, you utter scum. This is not like having a transparent web proxy that forwards my requests without examination or alteration. This is an ILLEGAL WIRETAP; it is *no* different at all from listening in to all my phone conversations to see what I'm talking about, and the fact that you're only doing it so you can tell advertisers the content of my conversations is no excuse.
I'm off to research the wiretap and telecomms carrier laws, then I'm going to report them to the police.
Just rung Virgin Media call centre. The rep knew 'nothing about it'. He checked his intranet, nothing there, so I directed him to this article. He seemed surprised, and said he'd pass it on to his 'customer liaison officer', or the like.
We'll see what a call in a few days yields...
Surely the ads currently benefit the websites - in many cases keeping them in existence for the benefit of anyone that wants to use them (for cheap or free)? If the ads are being provided by the ISP instead (which we already pay for) how long before the websites' revenue starts drying up and we either lose content or pay more for it? That benefits us *how* exactly?
(On a side note, what's the betting that the first site to get forced adverts is BBC iPlayer?)
Open Internet Alliance is a discarded attempt before OIX as the logo is similar and they host the records.
Sysip is interesting , it is the same premise as phorm, they tracked queries with a userid and cookie, then served ads through a hidden iframe back to the user and redirected. This was part of the 121media spyware.
Um, are people aware that *every* page browsed by Firefox users is sent to Google first? :(
It's for validation that the page is not spyware/forgery/etc, before the page actually gets loaded by the browser.
There is a setting in Firefox that is supposed to disable this (Edit -> Preferences -> Tell me if the site I'm visiting is a suspected forgery), but even if turned off this doesn't actually stop it happening.
Check your firewall logs for connections to sb.google.com. Then try and disable it. They still occur. :-/
it seems everyone's getting all wound up on how to not see these adverts.
you're missing the point, they can't sell your data if you remove that right.
it's not about receiving or not the adverts, it's about the three ISPs knowing full well they can't release your Data Protection Act covered personal data, it's already clear that the IP you're given is your personal data.
somewhere in your T&C, email or whatever, the ISPs have to ask for your permission to process, export and whatever else they wish to do with that personal data.
the simple answer is to fill in a generic UK DPA request that removes the ISP's right to Export, Sell, or otherwise process your data to the 3rd party or outside the very limited scope of supplying your broadband connection and billing for the service.
anyone with a legal background from http://www.consumeractiongroup.co.uk/forum/broadband-other-internet-issues/
or any other legal reader here up for writing that generic DPA rights letter and posting it here or elsewhere so the affected readership can simply print it out and send to their ISPs Data Protection registrar/Officer under registered post for legal proof later.
Not quite. First of all, the option you're describing is located under Tools->Options (Security tab) for FF under Windows (maybe you use a Mac or Linux?). If you look at the panel controlling this feature, you'll see below the "Tell me if the site I'm visiting is a suspected forgery" checkbox, there are two option buttons. The first one (which is selected by default) is "Check using a downloaded list of suspected sites", and the second one, which you have to select, is "Check by asking Google for each site I visit".
If you have the first option selected, which most people will have, nothing is sent to Google. That only happens if you actually select the second option. And I've just tested and verified this on our firewall logs. So - nice try at spreading a bit of anti-FF FUD, but no dice.
Do our contracts allow ISPs to sell data to third-parties? Surely we're paying for a connection, and any details about our activity, whether anonymised or not, should be covered under Data Protection and not shared, sold or given away without our permission.
And what royalty payment are the ISPs planning on giving us? Obviously, no reduction in fee, no payment, just more money for themselves.
Mm, Virgin might need to rethink how it applies this to business users, as the majority of local government authorities use Virgin business for nice fibre and big phat pipe connections.
It is illegal for any unauthorised outside body to monitor any form of communication by any means, although they would not be able to pin it down to any specific users I am sure MSPs, MPs, MEPs, Councillors and Ministers will all be happy to share their browsing habits with Virgin.
Give the interweb back to us geeks, I remember many years ago when the interweb was new that none of this crap really existed, unless you were in the really dark bowels of the net. But now thanks to government and the money grabbing halfwit dumbass ISPs the tweb is open to all the 819'ers and other crims. Yay well done for inventing cyber crime you prats.
Paris has more brains than the plonkers running the interweb. And nicer boobs.
It seems that every day there's another gormless corporation that wants to tap into "new money" and make a profit where there's nothing really to sell out but people's security.
It wouldn't be so bad if you could really be assured that it's just marketing information being gathered but how can you trust a company that has a history of spamming?
I realise that it's part of the "modern" world that everyone wants to make money from nothing, but it's getting beyond a joke. Our lives are already dictated by people who gamble on a fictitious value of what a company or commodity is worth, but to sell something as nebulous as information is just crazy...
You're missing the point, you can block the adverts but that isn't going to stop every URL you visit and every keyword you google from being sent to a third party, widening your exposure and IMHO contravening data protection law. Your argument is akin to saying it's okay to use a shonky net cafe to log into your online bank if you close your eyes as you type in the password!
This data is NOT anonymous, well certainly not for everyone, my URL history would identify me in a jiffy. And the idiots trotting out the unthinkably banal and cliched "if you've got nothing to hide" argument need to start thinking - there are several things YOU DO WANT hidden such as pin numbers, passwords and your email address.
Honestly, it's not just giving one more company access to your data, it's giving anyone who advertises through them access to your browser, and in a world where you can get owned by a malformed JPG or Flash file I don't want these people being able to target my computer by keyword, what if the keywords they use are crafted to find vulnerability.
Sadly I live in a shared house and the BT broadband isn't in my name, and even if it was I strongly suspect they won't let you cancel your contract over this. I feel like I'm getting F'd in the A here :-[
"Phorm says an opt-out could work by accepting a cookie from its website"
So, having their merde on your PC in some form is opting out, huh? It seems I have gone to another planet.
And Telewest (errr Virgin Media) can sux the ass end of a donkey if they think I will stay with them should they go ahead.
(I am an 8+ year vet of Telewest/Virgin).
Is it a big issue? Hell, I have not bought games I like because they collect ad info from me. Trust is earned, the hard way, and none have even tried to start earning it yet.
I want a new icon at the bottom of the comment editing bar, one with a middle finger, the sad face is not enough.
The entire content of every web page you retrieve will be sent by your ISP to Phorm's servers along with your IP address. This includes the text of any webmail you may use - hotmail, gmail, etc; forums you may browse, Facebook, chat, etc etc. and there is nothing you can practically do to stop it. All safeguards over how this data is processed and/or stored and/or sold on are entirely voluntary by Phorm and could easily be changed at any time. The 'opt-out cookie' is simply a tag asking Phorm not to do anything with the data it has received, again entirely up to them how they respond to it. How greedy are the ISPs in their obscene haste to jump at this? How murky is it that its implementation is being camouflaged with the worthless 'Webwise' offer? And how stupid are we to let them get away with it, as regrettably they will...
"Where are the Phorm adverts?? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue?? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't)."
Businesses sign up with OIX.com to participate and have their advertising space 'tweaked' by Phorm. So they don't replace non-participants' ads (not too popular!) nor do they include additional ads. Some major apparently respectable companies are already signed up with OIX, for example FT.com. Over at the Motley Fool there are numerous threads with eager investors licking their lips....
They have seen the US reports and expect it to be the same growth here, perhaps.
"Internet Advertising: Up 25%
TechCrunch notes that the Interactive Advertising Bureau has a preliminary estimate of $21.1 billion for U.S. Internet ads in 2007, a 25 percent increase over 2006.
Meanwhile, the Kelsey Group puts U.S. Internet advertising at $22.5 billion for 2007 (IDC, as previously reported by TechCrunch, is at the high end with $25.5 billion).
The Kelsey Group also provides a global estimate of $45 billion for Internet advertising, which is 7.4 percent of the total $600 billion global advertising market."
Spoke to The Information Commissioner's Office - http://www.ico.gov.uk/ and they say they are 'looking into it'. You can ring them on 01625 545 745, so at least the powers that be are aware of current events.
So until this story fully unfolds my advice would be to use TOR - http://www.torproject.org/ and take back some of that privacy and anonymity that our ISPs have so 'kindly' tossed into the bin!
Alexander has a point.
Does this count as interception of telecommunications under UK legislation? In which case there could be criminal sanctions available. Private prosecution, anyone?
Additionally, given recent research on how easy it is to un-anonymize "anonymous" data, would this count as personally identifiable information? I can't remember the wording of the test for "personally identifiable" from the EU Directive and the UK legislation.
As a general rule I never sign up with big ISPs because they are the target of companies like Phorm, wanting the personal data of their customers. And most of the time they'll sell them....for the right price, of course.
On top of that, they always have this "fair use policy" crap.
For those looking for a new ISP I'd recommend aquiss.net (and I'm sure there are many more).
Don't worry, I don't work for them or anything like that, I'm just a happy customer (had to leave two ISPs before finding the right one).
If your ISP is one of those three, change it! Don't take their crap, even if you have nothing to hide.
I was aghast about this, so I called my ISP, BT, to see how to opt out.
They absolutely assured me that this was not going to happen and that they would write to me first before they handed any such details to a third party.
So - question - is this B0llocks or have BT forgotten to tell their support people about it?
Quite a few comments have been published about claims that Privacy International has "approved" the Phorm technology. As some of these comments are speculative, I'd like to precisely clarify our position.
To begin, Privacy International does not endorse specific products or services. I can't think of a time in 18 years that we've done so, though we have supported certain technologies, particularly those involving secure encryption, anonymisation and user control. However, as a product, Phorm is not among them.
Any claim that PI has "endorsed" Phorm is incorrect. This is not because we don't believe the Phorm technology has some benefits. It does. It's because PI simply doesn't conduct that type of endorsement.
However Gus Hosein (Senior Fellow at PI) and I were asked as part of the new privacy startup 80/20 Thinking Ltd to assess the Phorm technology and processes, and provide a Privacy Impact Assessment. We agreed to do so.
Our conclusions will be published in due course, but the top level summary is that we felt the process contained a number of innovative privacy features. We were impressed with the effort that had been put into minimising the collection of personal information, and were particularly impressed with the idea that such a system could be established without the need for IP's, retention or profile building.
We did notify Phorm of a number of danger areas, particularly the notification and consent conditions applied by its ISP partners, however we felt the Phorm process itself warranted praise at a number of key levels. In comparison to, say, the potential of the Google/Doubleclick process, Phorm deserves credit for attempting to create a stronger privacy and anonymisation focus.
Now, as I've observed in one or two reports such as http://www.newswireless.net/index.cfm/article/3779 this assessment does not provide a get-out from the fundamental questions of "opt-out", intrusion or the general polemic over advertising on subscription ISP services. But then, those questions largely fell outside our brief.
Our work, plain and simple, was to check whether Phorm's claims were valid. We found that to the best of our knowledge they were accurate, and that the process does what it says on the tin.
Do you accept that interception at the ISP, where the Phorm servers get to read your entire HTTP traffic, is inherently vastly more dangerous than the systems used by Doubleclick/Google etc?
Did you perform a forensic analysis of the source code of the applications being used by Phorm for scanning and discarding personal data? If not, what exactly is it that you verified?
First of all, I just want to point out that I am sick and tired of UK ISP dishonesty and cannot believe that the law allows us to be treated with what is blatant contempt and the various constant scamming of customers... I signed up as an NTL user 18 months ago after a year of BT misery... NTL changed hands and under Virgin things have gone from bad to worse... Why are UK ISP providers allowed to advertise a 20 meg BB package, until recently make no mention of the words "up to" and give customers the impression that it's a 20 meg upstream AND download speed? Also why hasn't the law insisted that their new traffic shaping policies are shown too?
Not only has Virgin implemented "Traffic shaping" they have also quietly gone about editing the criteria without informing any of its customers. Apparently now they say they are now able to advertise an upgraded XL package so I will have 50 meg BB...
ALL THOSE POP UPS WILL BE COUNTED ONTO UR TOTALS BY UR ISPS!!!!!!!
Will they also be hijacking those kiddie porn freaks with pop ups about cheap flights to Thailand and Gary Glitter comeback concert ticket competitions too? Maybe u will login to ur internet banking and have the same file dll file running a keylogging process so that they can then hit u with more spam as soon as u log out. Showing u a flash animation and ur bank details, maybe even a screenie of the pages u viewed whilst u were logged in... Just so they can show u a range of related antispyware products that they think u will want to buy... Sucks, doesn't it? Ur thinking that it won't happen, aren't u? Well rest assured people it can and it will!!
Isn't it about time that the UK net users regardless of ISP affiliation all stood as one and demanded what everyone else in the E.U. already has.... ??? In Paris citizens have free net access as part of their civil rights, part funded by E.U. grants and it's still faster than the U.K. ISPs' BB deals on offer... Why do they get 15meg service totally free paid for with E.U. subsidies to which the UK is giving more than any other country in the E.U.??? The reason is cos the rest of Europe's countries would stop hiding their heads in the sand and make a fuss about it...
We are the sick men of the internet in the UK... Until enough of a stink is kicked up about it, do u really think things will change?
If we simply all sent one email each to our respective area MP using their related House of Commons emails in the same week they couldn't possibly ignore it.... It's no use threatening ur ISP with changing ur provider.. Where u gonna go to? eh?
BT or Virgin.... all the rest of the ISPs are franchise ISPs using their network so u will get an even worse deal than u had b4.... make a stand and spam ur M.P. or M.E.P. ...
A couple of questions....
1. Were you or 80/20 Thinking Ltd paid for your work at Phorm?
2. You have signed this post as a Director of PI. Would it not have been more appropriate to sign it 80/20 Thinking Ltd?
3. What was your brief?
4. Other less inquisitive articles about this whole subject are quoting you as saying "We were impressed with the effort that had been put into minimizing the collection of personal information." under the banner of Privacy Campaigner. Would it not be prudent to highlight the fact that you were not carrying out your work at Phorm under the guise of a "Privacy Campaigner?"
5. Phorm's website has a blog from Kent Ertugrul. This is a direct quote.
"We approached leading privacy advocates in the US and the UK, including Privacy International, and asked them what they thought."
Is this factually correct?
Whilst I am not questioning the good work you and your organisation carry out in any which way, shape or form - I would still like to know your answers to these questions, as in my view the articles in the mainstream press are using the Phorm marketing blurb and not focusing on the more relevant privacy issues, including the inability to not have data sent to Phorm's servers, therefore ridiculing the "opt-out" claims. It is my view that any browsing history, search terms and words I have entered into webmail forms are unique to me, and therefore personal data.