BT’s servers were secretly passing data on subscribers to its "new" advertising partner as long ago as last summer, though the companies refused to acknowledge any relationship at the time. BT - the UK's number one internet provider - finally revealed the plan earlier this month along with Virgin Media and Talk Talk, which …
Might be interesting to see if one of the affected people could set an entry in their hosts file to point dns.sysip.net (or *.sysip.net) to 0.0.0.0 - it's unlikely that BT are going to trust Phorm to handle all their DNS queries, so dns.sysip.net is probably named so to make people think it's something innocent (or too technical for them to understand).
Perhaps a public service announcement would be in order?
I wondered if El Reg could post technical details of how exactly this works.
If they know where you are going and what you are looking at, how do they then show you ads? Do they rip and replace ads from other sites or wait until you hit a site hosting their adverts - at which point they look up your previous habits and then display loads of "relevant" ads?
A nice technical article and some possible mitigations would be fantastic.
I doubt it, all BT have to do is sniff packets on Port 80. From the packet they can see the Host header along with everything else.
As they appear to rely on cookies, I'm assuming they'll be injecting a cookie for www.oix.net into every HTTP response. Blocking the www.oix.net cookie (as they suggest if you want to disable the service <cough> permemently <cough>) will only mean that when you request a page containing oix.net adverts, no cookie with the <cough> unique anonymous <cough> ID linking you to keywords will be sent. Hence you will simply receive random adverts.
Blocking a cookie still means that BT will happily be sending your clickstream data & pages viewed to Phorm, so they still get a wealth of data.
Time to call BBC radio Oxford and try to get this mentioned in the mainstream media, because this is seriously taking the piss now.
"Personally, I find it easier to maintain my own DNS cache using BIND9 on a small Linux box I maintain. No need to use the ISP DNS crap in the first place!"
Indeed, I've been doing just that ever since Verisign broke DNS with their "sitefinder" stunt:
The "delegation only" feature works like a charm :)
I second that, some technical details please
not only on how they plan to serve the ads, but there is also no mention of what these requests were
you mention the browser was making connections to there - no matter what an ISP do they can not make a program on your computer just start connecting to random places. it sounds like he probably noticed it by the status bar showing loading from there or something similar, which would indicate that they are embedding something in to every webpage that is returned. If this is the case then it will certainly break at least some pages (i doubt they have found a flawless way to add arbitrary code to a web page that doesn't break the page in at least some circumstances, particularly with AJAX requests etc which may not be returning a web page to be rendered)
anyone any ideas as to the technicality of how they got the browser to make an outgoing connection to report on your activities?
or is it just extremely bad wording claiming "connections" being made, when it's actually just that they set the DNS servers to there (connectionless except for some rare large responses), so that was handling DNS lookups - and they are monitoring just hostnames resolved by you
has it come to this? do we all have to start using encrypted anonymizing proxies, to stop our provider from selling all information about us to a third party, without our knowledge or consent? opt-out indeed. what's the benefit for the profiled?
doesn't the UK have a Commissioner to handle this sort of thing?
and i thought the US telcos were slimy.
I posted a short summery of this story to watchdog, plus links to this site and others.
I am awating a call back as I was out of my office when the reasercher called.
Please post your compaint at
As it looks like this may be a story that they are likely to cover.
If nothing else it may expose BT, and others as the skumbags that they are on tv.
I'm not at all sure why Phorm seem to be interested in DNS lookups. From their own description of their technology they appear to have access to all the contents of any non-encrypted HTTP traffic, so what is the need to monkey with the DNS?
What do they gain from this, other than perhaps using it to obtain some details from those who are trying to evade it's data mining by technical means?
Where does it stop...
I'd love to hear from any other BT customers who with experience of Phorm, perhaps it'll shed some light on just how this company is actually going about it. Tails of woe welcome on www.badphorm.co.uk
If BT have been intercepting details of your browsing habits then this may be a violation of RIPA http://www.statutelaw.gov.uk/content.aspx?activeTextDocId=1757378
In particular sections 1(1) and 2(2):
1. Unlawful interception.
— (1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—
(a) a public postal service; or
(b) a public telecommunication system.
2. (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.
This post has been deleted by its author
Surely there is some kind of privacy laws being breached here.
If Facebook can take a kicking from the EU courts for far less than this, i'm pretty sure BT will be hauled into the courtroom soon enough.
Maybe they think its all too technical for the courts. I'd say that its pretty much the same as them installing a trojan on their customers computers to monitor their browsing habits.
Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"
It's at times like this I'm glad I run my own DNS server and all my browsers run Adblock and NoScript on Linux platforms. It looks like an investment in learning how privoxy and Squid work are required next.
A quick nmap of dns.sysip.net shows it currently only appears to be only running http, so it could be as simple as adding it to your /etc/hosts file and/or Adblock/noscript filters and you are safe.
Spammers are scum, spammers pretending to be legitimate advertisers are sum, and ISP that help them are scum.
I was just about to dump TalkTalk (for being shite) and I was thinking of going back to BT or possibly Virgin.
Lo and behold, they're all cavorting with spyware peddlers.
The sneaky, dirty bastards.
Well done El Reg and (tinfoil) hats off to Stephen for digging it out. I am really surprised this is legal and I hope they get a good kicking for it.
(well, for me at least) is this sort of behavior likely to be spread to the smaller ISPs that BT secretly swallowed in the last couple of years (Plusnet is one, I only found out 18 months after it happened!)
I wouldn't expect any direct communication from them on this, they're useless about giving their bill payers any information they actually need.
Paris 'cos she wouldn't know even if they told her...
Does anyone have any idea if this just affects BT Broadband customers, or does it include BT Wholesale customers as well - ie people whose broadband is supplied by resellers.
I would also be interested to know whether or not people on LLU networks are immune to the sniffing aspect. Although the redirect is done using BT Broadbands DHCP served DNS addresses, the LLU providers traffic still partially goes across BT Wholesales network.
Depending on how this is implemented, it's hard to see how anonymous the end user can expect to remain.
The blurb states that adverts will be linked to keywords in both the page title and page content of sites visited by the user.
If Phorm has access to raw HTML streams, e.g. via "anonymized" dumps of some sort from the ISPs transparent proxy or routers, then this will be very dangerous as next time the user visits a social networking site, unencrypted mail, eBay, anything which displays their real name will be cached alongside the "anonymous" id, creating a link to the real life person.
Obviously there are many other ways of implementing this without access to raw streams, but if the ISPs and Phorm do not come clean ASAP with intimate technical details, then a fair few people will have cause to write to the Information Commissioner with very real cause for concern that identifiable information is being sold without permission.
I urge all concerned with this to fully disclose how this system will work to pre-empt public concern.
I hope far worse happens to all those scum involved in this...I want to pull fucking heads off right now!
Dear El Reg, what about a nice security article for the masses, with instructions for workaround options?
Preferably in about ten minutes.
I'm switching to copper foil hats with an earth braid.
..details here www.badphorm.co.uk
DNS changes will not protect you. The optout only asks them not to use the data they have already connected.
Is it a crime to copy data on its way TO you as opposed from you? Thats what they are doing. Its not clear to me whether this can be construed as 'intercepting communications' . Presumably they are preparing there legal arguments now, which is why BT and Virgin are being so secretive about it.
If nothing else given the spyware and crookery provenance of Phorm who can have any confidence in their assurances? Phorm is a US company based in 'Dodgy Delaware' and its OIX ad servers are in China somewhere. So they can tell whatever lies they like about privacy and security and no-one can hold them to account. BT and Virgin should try to look beyond their greed and see just how horribly exposed they are too.
Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"
No, it's as if they bugged your telephone line, sent your conversations to a firm run by a guy who used to illegally bug phone lines to pick up your credit card numbers, played you audio adverts over your phone line in the middle of a conversation, then said "your data is safe because we say so."
But added unwanted crap in there.
The next likely scenario is : you pull up a page for a car manufacturer , only to see an ad for another manufacturer.
Or,f you pull up a page for something , it gets replaced by something else. After all , they can replace one element in the stream with another now ... ( based on your surfing habits of course )
This is clearly TAMPERING with the information stream. Class action lawsuit anyone ?
I als op wonder what the 'default surfing habits will be' for a new user ? Purple pills ? Lottery tickets ? We all know that's why people use the internet anyway. If they monitor email streams (thats text after all. and especially if you use a web based interface) they also pick up all these keyword in all the spam messages you get, so it won't be long before you get ads for all the stuff that is now beeing pushed through spam as well....
Even a grounded copper foil hat won't help. We're talking lead-lined , faraday cage, steel reinforced 10 meter thick contrete hats now ....
i got my scisor sready to cut the incoming ethernet cable intot the house ... let them try pushing their crap through my cut cable ...
assuming there are several people using a computer how do they identify the user?
if its a user specific cookie that identifes you, and contains the 'dont track' bit so if you block cookies you're 'opting in' so to speak...
thinking bout what happens when little jonny sees an advert 'targetted' at his dad from all them sites with pictures of ladies on.
sue the bastards for all they are worth?
I'm 'offended' etc.
or how long before theres a firefox extension that just randomises the cookie? sort of 'track this...'
ho hum.. still theres always TOR etc, this could work wonders for making people start encrypting connections.
oh and since i run a TOR relay would this mean i get ads 'targetted' based on other users preferences?
i think they will have trouble unless they provide a way to opt out once and for all, without the thing turning itself back on right away.
def like the firefox extension idea, this crap has been tried before, not at the ISP level though, hasn't worked yet.
I've never met anyone who has clicked on an ad, targeted or not. Most make some effort to block them, often just out of spite. So how does anyone make money from these things? Do they no longer count click-throughs? Is the idea now just to get some form of presence out there like a newspaper ad?
The fat man with the horns seems appropriate.
"no matter what an ISP do they can not make a program on your computer just start connecting to random places."
Of course they can. DHCP allows the ISP to tell your computer which DNS servers to use, and if you have not specifically entered your own choice of DNS servers, then BT will be able to push whatever they like down to you - which means that, if they so choose, *every single Web request* will be forwarded to a transparent recording proxy, and the data returned to you as if you were deliberately using Network Address Translation. In other words, if you use BT's DNS servers, they have total control over where your computer connects.
I’ve been wondering about the name ‘Phorm’. It’s only just hit me. I’m guessing it comes from:
PHishing by web fORM
That would make it an out-and-out in-your-face bad-taste joke. (I know it’s a bit rich for me to comment, given the name I chose to follow the word ‘By’.)
...in this mess will be for BT, et al, to contract with the credit companies to match your buying habits to the ads you've been served.
Those who don't buy what's advertised to them like good little puppies will then see their broadband bills go up to cover "loss of revenue".
> does it include BT Wholesale customers (...) broadband is supplied by resellers.
Unlikely, I would hope, since BT would be treading all over their agreement with the reseller and that should certainly raise interesting legal issues (beyond those already raised!). Since this seems so far to be BT acting directly as the ISP (plus some resellers who have decided to play along), I think it would only affect BT customers who pay BT directly as their ISP. Unfortunately, more resellers may also join in after being approached by BT.
In the light of Ertegrul's claim to be 'talking to all UK ISP's', perhaps it's time for everyone to start asking their ISP what their position is with respect to Phorm. I've just squirted a query at the corporate PR droids for mine, though I'm not expecting much. Maybe El Reg could get the Pimply Faced Youth to stop surfing the pron and get on the phone...
OK, let's see mitigation includes:
1.Tweaks hosts file.
2.Wear the tin hat. (mine is x-heavy duty)
3.Wear the copper foil hat. (cost prohibitive, something about inflation)
I was wondering if there is anything that would actually work?
Can checking the 'opt out' box, assuming there is one, guarantee anything?
Why is it the company can do things I would be arrested for?
if it is merely sing their DNS servers, then there is no opt out, there are no cookies - so it can't be that from the description
and in addition there was mentioned that the browser showed connecting to there, which indicates making a request to a URL on that hostname
there is also the fact that the system is listening on port 80 for HTTP, but not on 53 for DNS (although port 80 is immediately closed after being accepted for me, i assume as i'm not on a participating ISP... yet)
of course that hostname showing up anywhere means that the request was directed to it for something other than DNS purposes (you can't direct a DNS lookup to a hostname, chicken and egg problem - and it wasn't a reverse DNS lookup as no programs do those for that type of request, plus a reverse DNS lookup returns a completely different generic hostname)
any even basic research on what was happening from an effected connection would involve a packet sniffer, which would say exactly what was going where and what it was returning - which is why i expected such information to be easy to get from supposedly technical people (as apposed to "well i saw a hostname with 'dns' in it") about the only thing that can be ruled out is that it is in any way DNS related (due to firstly the fact that it showed in the browser, which has no idea which DNS servers your system is set to use when it calls API functions, and secondly the fact that it states that opt-out is for a single browser - which just monitoring DNS packets would only be able to tell you the users IP Address and the hostname they looked up not a specific browser, only way to tell a specific browser is using the HTTP cookies from a HTTP request)
I agree with Justin - I run a Windows 2003 box in my case that is my movie/music repository and a DNS server. Works great for me, I don't have to touch the ISP's DNS at all. Of course companies running even Windows small business server are required to have DNS for Active Directory. So in that instance as long as you go into the DNS Server and remove any forwarders (ie your ISP's DNS Servers) this provides the same.
Some internet adverts are useful, sites like everyclick.com use advertising to raise funds for charity. In fact the charity I run makes a good chunk of its income through everyclick. visit us at http://costellokids.com
My big worry is that such great systems of fundraising will be damaged as people move towards Tor and other systems.
I block 99% of advertising, yet for EveryClick and a few other sites I allow there adverts as I know how important they are.
I have not yet figured out how to allow Tor to allow advertising of my choice.
Does anybody here have experiance of products such as ghostsurf? Would this also be as secure as Tor?
I also wonder how long it will be before the security companies build blocking technology into the AV/Firewall products. Which will put an end to this stupid project by the ISP's.
My big worry is privacy for the work we do, as webmail is used by many of our members, and myself as it is so quick and easy to access. So if keywords are being used, from webmail pages, then there is a possible risk to the people we support, and by the nature of our e-mail it would be very easy to identify individuals. This is scary and I have contacted the information commissioner about this, as well as writing to my ISP's compliance officer.
I no longer have any trust in my ISP. The worry is that like all Bandwagon's all UK ISP's will quickly jump on.
It is a bad time for UK internet users and the privacy of all.
Wow. I'd like to see some technical details as well.
Here's some light relief. BT started spamming me a couple of months ago (web design and review services, for some reason), using an address I gave them for online account access. This got so annoying a few days ago that I tried to opt out. The opt-out link was dead, so I had to email them. The 'mailto' link didn't work either - not sure why, maybe Thunderbird gets confused when it sees a subject - so I manually constructed the (empty) email, using the 'mailto' address and subject.
A couple of minutes later, my mail is returned - BT has rejected it as...
Try again, with a body, still rejected as spam. Ring up the advertised 0800 number, shout at somebody, who politely tells me that he'll talk to his sales manager.
Got another spam from BT today.
... running your own DNS/Proxy etc, as all those requests still go through the ISP's routers on UPD port53/TCP Port 80 respectively and can be redirected/stored or whatever without you knowing anything about it.
I'm with Virgin at the moment (until I get Sky TV/Broadband installed next week - no more Virgin/Phorm, but probably a whole new set of problems!) and I know they use an 'transparent proxy'. This is a proxy that all HTTP traffic goes through without you having to set a proxy setting on your machine. You can tell it's there because if you create a web page that simply displays all the http headers it receives as part of a request from a browser, it shows the 'X-Forwarded-For:' header with my IP address. This is added by the proxy so the web site knows where the request originally came from. The IP Address the web server thinks the request came from (in this case 18.104.22.168 - no reverse DNS lookup for this IP address) is the IP address of the transparent proxy.
I once asked NTL to turn this off. I was told to call back and speak to a higher-tier engineer who could do this for me. It sounded hopeful, so this is what I did. When I spoke to the engineer though, he proceeded to try to tell me how to remove proxy settings from IE (as if I'd use IE - yuck)! A bizarre conversation followed, while I tried to explain what I actually meant, including asking the engineer to go to the page displaying the headers, and him getting confused because he thought it was some sort of error page. Doesn't say much about NTL engineers. He eventually understood, and then said it couldn't be turned off for individual users.
The prospects of turning this Phorm tracking/logging off for individual users is also unlikely. That would require some major additional processing from some routers, and a system for controlling the config of said routers. As that would be expensive and entirely counter productive to what they are trying to achieve. I think they are more likely to rely on legal arguments to justify what they are doing. Unless they back down from sufficient negative publicity, the only way this is going to end is in court.
All UK ISPs are not the same. Better ones do still just about exist but the price may not be what you're accustomed to. Pop over to ADSLguide's ISP forums and at least two ISPs I looked at have already had senior staff saying they won't touch Phorm with a bargepole. One of them (Zen) is expecting to issue a formal PR statement to that effect Real Soon Now.
More worryingly for me, the two BT subsidiaries I currently deal with (Metronet, Plusnet) have not as yet made any public statements on the subject. So looks like I may be off to IDnet or Zen soon...
Thanks for your input on this. I'm arranging to meet up with Phorm ASAP to try and get some answers on some of the technical points that have been raised here. If there's anything specific people would like me to put to them, please post a comment. Thanks,
1.) Do they receive just headers (then presumably have to visit the sites themselves to get the keywords) or a full HTML stream from the ISP
2.) In either case, what safeguards are in place to prevent de-anonymyzation of anonymous data e.g. through real names displayed in pages, or if they don't receive a full stream, only headers, then names still exist in POST/GET variables
3.) How does this diverting of a communications stream not fall foul of RIPA, since it is widely accepted that HTTP can and is used for personal communications. Whatever safeguards are in place, surely it contravenes RIPA if the data is being passed on to t a third party
4.) Will the data leave the UK?
5.) Have they spoken to the Office of the Information Commissioner and if so, what do they think?
looking at the root of the problem (i.e. Phorm.com) their site speaks of the OIX (Open Internet Exchange) and Webwise... and provides a link telling you how to disable Webwise:
http://www.phorm.com/about/faq.php - look under 'For Consumers'
this redirects you to the Webwise site; on the 'You can choose' page, it states whether webwise is enabled by your ISP...
This page speaks of an 'anonymous cookie' that tells the system in question to ignore your system....
I'm interested how this can be made persistent; dumping temp files would surely clear this 'anonymous cookie'??
Hang on a minute!
One second our trusty noble ISP's are saying "No!" to the government for access to our web browsing habits for security purposes, the next they are saying "Yes please!" to a very shady rootkit-making private company.
What the hell is going on?
Two questions, thanks for asking :-)
1 - Who, so far, has turned them down flat?
2 - Is there a way, other than a remote encrypted proxy or some such, of making your web traffic completely byepass their system. I'm not talking about vaig hand waving about collecting it but not doing anything with the data (honest guv); I'm talking about complete opt out so this mob don't even know I'm there.
I think the answer to 1) would form a good start on an ISP whitelist and 2) could well be the start of a new open source project.
I just had a dialog with PlusNET (one of my ISPs) about this subject and they know of it, they know BT are using it and they do not themselves think it is right for us the customers. They also undertook to seek opinions via their forums before any future decision to change their minds.
Sounds ok to me :)
On its website Phorm cites FT.com; iVillage; Universal McCann; MGM OMD Unanimis and APACS as supporters. I bet they don't all know about the dodgy past of the people they are dealing with.
You might also ask them what aspect of their technology they believe is patentable, as reading their application it all looks pretty straightforward to me. More spin designed to impress investors perhaps?
I'd also like to point out that E&Y's 'independent' report reads as totally incompetent...
Especially as the report states that Phorm does not collect form input, but does say it collects search terms; last time I checked, search terms are usually entered into html forms...
The "Opt-out" idea is ridiculous, it essentially mandates you send a piece of data with every request saying "ignore me", this is contrary to the more reliable/secure/sane practice of requiring data to opt-in.
This smacks of being poorly thought through and has a seriously strong likelihood of compliance and legal issues rearing their ugly heads for the ISP.
To the best of my knowledge, BT Business Broadband do not use HTTP proxies, transparent or otherwise, so may not be affected by this "Phorm Storm". I've tested my companies connection and can detect none. I'm guessing from my experience as a system architect that transaparent proxies will be the best point to pipe out the dump to Phorm, so in the strict sense of the reply from BT B.B. it may well be just a rumour!
Chris: if you get a gig with BT/Virgin/The Other One could you ask them if they plan to write to each customer informing them of their new practice and how they may opt out?
This is very troubling ... much like "Crossing the Streams" in Ghostbusters kind-of-bad.
A Delaware company with servers in China ... I can't wait to clear out my Temporary Internet folders before the tainted dumplings start to rot.
I'm seriously looking forward to hearing more about this. Great Job El Reg !
This should be obvious with 'View Source' or moral equivalent and 'Find in Document' for dns.sysip.net . Soon I expect some Firefox/Greasemonkey expert to devise a small Greasemonkey script to remove the offending code. Too bad for IE users. :-)
This is simply a man in the middle attack. Were this perpetrated by a hacker, it would be a crime. Perpetrated by two corporations, it's good business. Hmm.
This will be promoted to customers as Webwise - a new feature helping protect you from phishing and spyware - presumably because the bad guys will have all your data already! Buried in the Webwise small print it may hint at the fact that all your data am belong to them. But looking at the BT website it already gives the definite impression that only people who are a bit 'cranky' would want to opt out of Webwise.
Maybe one answer would be to get Norton et al to classify Webwise as spyware. Hmmm...
This just struck me... When J Sainsbury, Tesco and the others decided they wanted access to personal shopping records they soon realised they'd have to pay for the privilege, and “reward” people with what is effectively a percentage discount on their shopping bill in order to convince them to opt-in. Technically they didn’t need reward cards as most people paid by credit/debit card, but holding wealth of information against a credit card must have seemed politically sensitive if not unlawful (and did give a slight advantage as they could track people’s payment habits too).
Now the ISPs want in on the personal data gig, but instead of bribing customers to opt-in with some kind of reward, they’re pushing it out to everyone, and not providing any concrete answers as to how to properly opt-out of the data exchange element (not just opt out of the personal adverts).
Here’s another argument on the Human Rights angle (right to a personal life - on top of RIPA and Data Protection arguments). Two guys live together, one is secretly gay, uses a shared computer but takes step to clean browsing history. Housemate 2 uses the computer and is bombarded with adverts for everything from gay dating to Arab Straps. 2nd housemate knows about targeted advertising and therefore housemate 1’s right to privacy is breached.
what if all the users were to put a legal notice of some sort on every web page they make that forbids the processing of said page data in any way for potential profit ?
would that go some way to protect the users and mess up the Phorm type profit model if enough websites/messageboards did that.
chris, how will Phorm pay the users the licence fee for legal use of their data.
how do Phorm know how much the users want to charge for the legal use of their data.
how will Phorm deal with the UK Data Protection Act and the EU laws regarding use of person data including IP addresses.
what is Phorms data Protection collectors valid and full adress.
what is the full and valid address of Phorms legal council and to who should it be addressed.
were should a user submit a UK data Protection act Notice for 'any and all data' held by Phorm to be supplyed by return post in a readable form to the user.
add any more i may have missed....
Biting the hand that feeds IT © 1998–2021