I wouldn't mind at all...
...if Orange decided to sell my browsing data for cash, as long as I get the money.
About £17.99 a month ought to cover it.
Phorm, the advertising company that wants to pay your ISP to hand over information on which websites you visit, has convinced the UK's three largest providers to trust it, but regulators and the rest of the industry are less impressed. Phorm's deals already mean it has already snagged more than ten million streams of UK users …
I am in the process of dropping Virgin Media right now.
I will not take up a service contract with anybody who sells my personal information (identifiable or otherwise) to an advertising firm, or any other third party without my EXPRESSED, WRITTEN, INFORMED consent. Adding a clause to your T's&C's doesn't count, as Virgin are finding right now.
I'd rather not have the internet.
Clear enough?
I should certainly hope that everyone uses a proper browser with an up to date ad blocker ..... but the issue here is that some poxy company you have never heard of or trust is getting information about what you do on the internet from the twits you pay to be on the internet in the first place .....
... and soon enough, anyone who attempts to circumvent the monitoring of their internet activity by Phorm is obviously a TERRORIST or a PAEDOPHILE and should be locked up indefinitely without trial...
It wouldn't surprise me if Phorm has some covert link to GCHQ.
The fascist surveillance state is continuing to get its tentacles into everyone...
Boycotting the spyware infested ISPs is one way to do it but what happens if they all join up to this sort of scheme or someone bungs UK.gov.com enough 'donations' to make this sort of thing mandatory?
One little script constantly downloading (but not rendering) random web pages should be enough to make the collected data worthless and the increased traffic would piss the ISPs off too.
All we'd need is enough people running it.
I still haven't quite worked out what they are collecting...
Is it anonymised data of xxxbroadband customers (e.g. a million people visited el reg) or what each user looks at (userxxx visited uberpornstash.com)?
Forgive me, I know nothing of networks, but why wouldn't a simple proxy work, as all the ISP sees is what you ask them to fetch, not what you ask the proxy to fetch???
... so if you've got a little free time you'll find the Cable forum thread has lots of relevant info on this - http://www.cableforum.co.uk/board/12/33628733-virgin-media-ad-deal-updated-see.html
OK, it's a 20 page thread, so maybe a "little free time" could be considered an understatement.
@ Aristotle ... and @ Steve - the preferred solutions seem to be using Tor (http://www.torproject.org/overview.html.en) which you can dl bundled with Privoxy, or JAP (http://anon.inf.tu-dresden.de/index_en.html)
@ AC "Easy to ruin their little plan ..." - covered in the above thread by switching to Firefox and using TrackMeNot - http://mrl.nyu.edu/~dhowe/TrackMeNot/
"Simple, it targets your IP address without ever bothering to find out who you actually are. So the adverts it sends back to a certain IP is in line with the WWW requests it receives from it."
Hang on though, aren't IP addresses dynamically assigned by the ISP? So if browsing habits are only stored against the IP wouldn't that mean that I end up being served up ads based on the browsing habits of everyone who has been assigned that IP in the past?
A lot of people use the internet to do banking as getting to the actual bank to see a live person is nigh near impossible due to their opening hours and your conflicting work schedule.
Can they guarantee that with this setup that your bank details are not going to become public domain? If you through your own fault like accessing www.BIGBOOBIES.com get infected with a trojan that hijacks your bank details it is your own fault. But if this hijack happens due to them selling off your info to a third party you should be able to bend them over the proverbial.
Then again they are big business and Gordon does love fresh cream.
I used to be with Plusnet but left after their incredible email problems led to spammers hacking in and nicking all our webmail email addresses (on my own bloody domain too - still getting several hundred spams a day on it).
Plus the only reason I went BT was that it was free as an "employee benefit" - now that I've been outsourced from BT (sorry - a compulsory-unless-you-want-to-work-in-Ipswich "voluntary leaver" as BT HR prefer it) then I have nothing to keep me there apart from the couple of quid a month cheaper it is than Zen.
Zen are always marked well on ispreview.co.uk too.
Notice how advertisers - even the ISPs now - always talk about adverts as if they are part of the "Internet experience", rather than an annoying but necessary distraction to the experience, which is what they are? They're victims, in a sense, of a sort of cultish mentality that surrounds advertising; they have the same delusion that a Jehovah's Witness has when he goes doorstepping, that they're doing you a favour.
Anything that starts out as a good way to support business - counting your profits, making sure contracts can't be misinterpreted, telling others about your product - eventually balloons into a monster (accountancy, contract law, advertising) that spends 80% of the time serving itself and only serves actual enterprise by accident.
This has got my back up, I am truly horrified about it.
Are people up for trying to stir up a boycotting campaign?
If non-techies understood what this company was doing, they would probably be equally shocked.
You can't just amend a click-through licence to allow this.
J.
I just wrote to Tiscali stating that IF they join this cr*p I had better be given an Opt In option.
It will make no difference but it made me feel better.
Luckily I have learnt that you should NEVER use ISP provided email, hosting or any service they provide. I can jump ship quickly if they do sign up to this abuse of my privacy.
>> ...why are they hiding so much?
Pure irony. Perhaps your posting name is a good starting point for discussion?
It's actually quite simple. If I search for toys or games with my kids, I don't want to be bombarded with ads for 5 years after the event.
Similarly, if I was to decide to buy my wife some alluring lingerie I wouldn't want to receive ads for rubberised buzzing items.
Heaven forbid the two streams should become confused, and I had to explain to my five year old that it isn't a wobbling laser gun, and, no he can't have one.
"That's all very well if everybody had static IPs but then that would not be anonymous and it's useless targeting dynamic IPs, you'd just get ads targetted at previous users."
I'm pretty sure that they have thought of this, it would not make sense that they would constantly have to redo all their data mining every time a subscriber got his IP changed.... Simplest thing would be the ISP's giving everyone static IP's, but there are bound to be "grey area" methods of keeping people on dynamic IP's while legally being able to pass info to third parties.....
Do YOU trust VM/CW/BT not to sell you down the river to make a quick few quid?
Phorm can just go Phuck themselves.
We all know it'll lead to targetted advertising, lots probably, which is why they've garnered the backing from ISPs they already have - revenue. Makes me glad I'm with Bulldog/Pipex.
If I hear about these Phuck heads convincing Pipex, I'll be off too.
The chancing cnuts.
The 'anonymisation' of IP addresses refers to the intention (yes, intention, not fact) that the ISPs and Phorm will not deliberately produce a dataset that states 'Andy Turner has been looking at leather underwear websites' (as a hypothetical example).
On the automated injection servers, website requests from the IP address associated with your account will be injected with ads for leather underwear and associated items. They will also produce statistics (for future planning) which say things like 'only 2% of customers look at leather underwear sites, and then only on Friday evening'.
This is all perfectly reasonable from a perspective of running and planning the business. See the final paragraph however.
Even if you are on dial-up and get a dynamic IP address, the ISP associates that IP address with your account. Do a DNS lookup on your IP address and you'll find something like 'customer-xyz-townname-region-node.ISP.com'. This record is maintained (with time and date stamps) associated with your unique account number, so the ISP can provide it to the 'authorities' if they want to track 'criminal activities'.
I'm on cable broadband and my router (on 24/7) has kept my IP lease active and constant for over a year now on the same IP address. It doesn't matter, the ISP knows who has had which IP address at what time and date.
So, your web surfing activities are associated with your account id and the targeted ads are sent to whatever IP address is assigned to you at the time. Which is why your kids may get ads for 'adult entertainment' or sports cars or whatever. Also if 'the authorities' ever make it illegal to be in possession of leather underwear, they will know who to go looking for.
The 'they' I was referring to was not we poor consumers, it was 'they' - Phorm, BT, VM, etc.
Phorm deliberately obscure their business and technical infrastructure
BT boast about Webwise without mentioning that all your downloaded pages are sent to Phorm
Virgin Media claims no decision has been made, despite the press release on Phorm website
Phorm boasts about E&Y approving their approach but if you read the E&Y report it is so full of caveats as to be worthless
Their OIX ads are served from servers in China
So 'they' feel it necessary to hide - why if everything is legit?
Be very clear about this - the targeted advertising should be no more of an irritant than it is now. The real issue is that every web page you retrieve will be associated with you and every word on it - text, forums, webmail, searches, names, addresses, phone numbers, will be available to them to do with whatever they wish.
Although the internet has grown exponentially since I first started using it in 1995 I read articles like this and wonder that the web really was a much better place to be ten years ago than it is now.
Sure there's more content, broadband video & radio streaming content abounds & stuff but it's arguable that the web has suffered in other ways not only as the corporates have moved in, but also as politicians now feel the need to exert more and more control over what people can do online.
One of the key attractions of internet use remains the freedom to browse independently, freely, privately without anyone looking over your shoulder or trying to censor, analyse or channel. The recent reaction of MrSpace users to that company's attempt to tamper with that axiom and use personal information to generate marketing income should serve as a warning to ISPs in this case.
If people start to believe that the Government, foreign governments, advertising agencies and uncle Tom-cobbly are all inspecting their usage, then the future not only for the internet, but freedom of thought is going to be pretty bleak.
Someone with the cash and inclination sues their ISP for intercepting and altering their data ? For this system to work, the network must force all web traffic to go through a transparent proxy which then alters the pages to insert the ads. The mere interception of the traffic has to be on dodgy legal grounds, modifying the pages even more so.
Mind you, it brings in another defense to various charges - "No Mr BPI representative, I didn't download that tune, it must have been some malware accidentally inserted into my web pages by my ISP !"
Just a thought - Dynamic IPs on their own might not permanently identify you, but your ISP also has access to the MAC address of your modem/router.
Don't forget, this is not some disassociated company out on the 'net doing the data collecting - this is your directly connected ISP, which makes it so much worse because as well as your technical connection data - they also have your personal subscription data (name, address, age, phone number, credit card number).
If they log the right set of connection data, they can very easily re-associate you and your browsing history with each subsequent IP address ... granted its a lot of data, but they're dealing with a lot of money from the advertising revenue.
ok, so the story focuses on the big 6 and everyone says they'll just go to the small names to be safe... trouble is a lot of the small names are just sticking their name over services bought from the big 6 so they still get your private data either way
looks like its time to break out aircrack again, - who cares what data they collect when its not your name on the bill ;)
I'm not sure how they are doing this but I'm pretty sure that putting a proxy inline to monitor all your traffic wouldn't be viable, the sheer volume of broadband traffic for the possible payoff in ad revenue would destroy the business case before it got off the ground.
Other possibilities are that they are doing some kind of port spanning (think wire tap) of all traffic to some big servers that store & mine all this information offline but that would still be very expensive.
My guess is that they are using information from DNS, (For the non geeks: when you type www.cheesecake.com into a browser firstly your computer asks the ISP what the address of the site is (a very small amount of data) and then you connect to that site and download the huge volume of data)
If they were logging these DNS lookups that would tell you which user (IP address but they can map that back to an account) Requested what site and at what time. This is quite a lot of valuable information without having to add massive amounts of hardware.
So the simple answer is not to use your ISP's DNS (if that's how they are doing it). I recommend opendns (http://opendns.org); it's often faster and has some nice value added features, all for free.
Note: opendns make their money by feeding you through their link to google for search rather than direct but I'm far happier to trust them than most ISP's.
Let's assume that the term "anonymising techniques" simply means that PHORM will get neither a name nor address but simply an id provided by your ISP, hopefully not your account id although that would save them some trouble thinking of a different one. This does not strictly speaking give anonymity as there is still a way to link you and your browsing habits but ISPs and their ilk have always been liberal with the English language especially with the word unlimited.
So PHORM has the browsing preferences of id XYZ, when you are online your ISP requests adverts for id XYZ from PHORM. In order for you to see these adverts your ISP has to inject them into the web pages that you are downloading. This brings up a second point of do you really want advertising of any sort from your ISP given that you are paying them for their service already?
PHORM may only be getting URLs with some sort of anonymous user ID number, but it's not going to be hard to identify somebody if you have a list of full URLs they visit, since lots of sites include your id number, if not usernames or email addresses, in stupidly long URLs, e.g. with GET requests.
At the very least if they can find out I'm clicking on links like Yahoo's http://mrd.mail.yahoo.com/compose?To=somebody@gmail.com then they're rapidly going to have a long list of email addresses to spam, and if they can figure out my email address too they can make the spam look like it's from me. This is a paradise for the unscrupulous.
What's wrong with existing advertising ? It seems to work fine when used with a modicum of sense.
I've actually visited some of the sponsors of this site because their product and/or service offerings were what I was here to learn about and research anyway -- I don't know, maybe "relevant" is the operative word.
That's targeted advertising ... hawk software and hardware on an IT related site ... hawk leather under-roos on spanky-vision sites ...
How pretentious and self-absorbed are these 'data miners' to presume that they can glean a clue what I'm likely to purchase by looking at my browsing history ? I already have a "hot chick" at home. Any advertiser thinking they can sell me another one based upon my surfing proclivities is absolutely out of their minds.
So if I spend a week researching vacation spots and Googling "Aruba Nude Beaches" ... then hit Travelocity ... I'm assuming their data mining experts will kick in the next week with advertisements for burn cream and debt-counseling services as well as STD Clinics near my anonymised location ?
How many yellow thongs do these people think I need ? It's a pointless, profitless intrusion into my privacy and yellow-thong proclivities based upon some marketing brainiac's assumption that he/she can predict my future purchases based upon my browsing history ? WTF logic is that ? Even dumber are the companies that think this stuff actually works in the first place.
Yeppers, this is truly creepy and upsetting. I'll be watching for this state-side for sure ... First, I didn't get my Geoffery b-day card, now this ... what a week !
Paris = If my internet activity influences what I see on my screen, I would rather have a semi-retarded blonde shoved in my face than a thumb-up my arse, a penguin, dead vulture, etc. -- where's the "Hot black chick in yellow thong on Aruban beach" icon anyway ?
This is not just a DNS hack. They are indeed taking a copy of every page via a transparent proxy and analysing the text - you can see a description on their website www.phorm.com including, for example, how an advertiser can set the search criteria to select the targeted ad. Of course this will increase the time you have to wait for your webpages but then again you will 'benefit' from all those lover-ly targeted ads. Are YOU satisfied with the size...etc etc.
...and am trying to get this out into the mainstream media.
To: XXXXXX@itn.co.uk ; XXXXXX@itn.co.uk ; XXXXXX@itn.co.uk
Sent: Friday, February 29, 2008 1:08 PM
Subject: New Story - BT, Virgin Media, TalkTalk sell private browsing history to Phorm
Hi,
I have spoken to Will on the Newsdesk about raising the profile of this story and he suggested contacting yourselves. The basic story is that BT, Virgin Media and TalkTalk have entered into a deal with a company called Phorm to sell private browsing history to an advertising broker (Phorm). I am personally a customer of VM and am now cancelling my contract as I feel this is a massive invasion of privacy, goes against the DPA and RIPA and is possibly against the law. Phorm themselves are an extremely dubious company, have their servers hosted in China, and have possible links with the Russian Security Services. They also have been previously associated with releasing Spyware into the wild.
I am technically competent enough to recognize the implications of what VM have done in making a deal with Phorm and so am voting with my cash, as it were, however I do feel that the average man in the street won't be and so am asking if you would investigate this further and bring it into the public domain.
Further information is here...
http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/
http://www.theregister.co.uk/2008/02/25/phorm_isp_advertising/
http://www.f-secure.com/sw-desc/apropos.shtml
Regards,
Anthony
Zen??? You are all being very bloody naive if you think just because Zen say something that it is actually true (or any other company for that matter). Zen made very bold public statements about FuPs, Throttling and Bandwidth Caps for the 4 years I was with them claiming it would -never- happen with Zen, then ADSLMax came along and Zen introduced what has to be seen as one of -the- worst FuP/Throttling/Cap systems ever witnessed on the internet where they cut you off if you got 1byte over your cap and hold your connection ransom to expensive PAYG top up tariffs. If you don't want to pay their ransom, you get no internet, period. Whereas most sane ISPs simply throttle your connection down to a slower speed until you either pay them more money or your next billing cycle starts. So Trust Zen? No thanks after 4 years of being a fan boy only to have that trust destroyed by their lies I would rather remove my testicles with toe nail clippers.
Secondly...
Phorm clearly -has- to at least use IP data in order to deliver their ads; how quickly the world seems to forget that in the last 2 weeks (pretty sure it was just in the last 2 weeks) the EU have categorically stated that IPs are personally identifiable and must not be used to track. The Register itself ran an article on the EU's attack on search engines for retaining search data against IP for exactly the same thing Phorm are trying to do (more appropriately target ads). This move by the 3 ISPs to use Phorm is quite simply illegal, there are no ifs or buts, it breaks a number of laws.
1: RIPA - Yes this breaks RIPA, an Act that normally breaks us is for once proving useful.
2: DPA - Yes this contravenes DPA which states that data collected by a company (as data controllers) is only permitted to be used specifically for the purpose of your contract/service with them and may not be passed on to 3rd parties.
3: Human Rights - The right to privacy in our home lives and communication very clearly this activity contravenes such rights.
4: I am pretty sure that EU antispam law (although I can't remember the exact title of it) requires that people "Opt In" as opposed to being automatically opted in with a chance to opt out. This is why all the forms for credit applications and consumer level services etc. have changed over the past couple of years to get explicit consent to pass details on to third parties as opposed to explicit refusal. These check boxes used to have something like "If you do NOT want us to share your data with 3rd parties please tick this box" which has now changed to "We may at times share your data with partners and other members of the BT Group please tick the following box if you consent to this." (BT is used merely as a placeholder).
So let's quit with all the crap and actually deal with this in the appropriate way, the courts. BT have already been shown to have trialled this service without receiving the consent of their customers first, which means they have already broken the law and a class action should be started to hold them accountable.
Seriously, it is about time you lot grew some God damn bollocks instead of just whining in comments to news, on blogs and in forums. I have never been more ashamed to be British than I currently am. These companies only get away with this type of illegal behaviour because YOU (as in a national WE) allow them to. You all complain but can't be arsed to do anything real about it and then wonder wtf this shit happens in the first place.
WAKE THE HELL UP!
(I think, having read all the blurb on the Phorm site...)
1. All your browsing (URLs, content but not https) is routed via Phorm's server. Presumably due to bandwidth requirements it's physically there in the ISP datacentre (like a wiretap).
2. Phorm's server sends a unique cookie to your browser, analyses your web traffic and "categorises" that browser in real-time based on your surfing habits (actually 3x an hour, maybe). It then associates your browser ID with your assigned "category".
3. The OIX database (ad server?) then watches for that cookie ID and injects "relevant" ads into your http data stream based on your current category - either replacing existing ads or even inserting new ones (not entirely clear on this). It may also pass on your cookie ID and category to third parties to that they can do the advertising directly.
So no, forget any swanky DNS tricks or ad blocking. What the ISPs appear to be doing is allowing a trusted (hah!) third party access to all your surfing content. Phorm claim this "cannot be used to identify you because it's anonymous and we ignore phone numbers and email addresses and IP addresses". Bo||ox. Just one snapshot of a non-https gmail session is enough to identify anyone...
To me this appears to be in blatant contravention of TalkTalk's privacy policy, which states that they will not disclose personally identifiable information to third parties except in a very specific set of circumstances.
PS: The service does not appear to be live yet on TalkTalk (you can check for yourself by going here: http://www.webwise.com/privacy/can-choose-NA.html). You might want to keep checking, and be sure to let your ISP know what you think about this.
As soon as I heard about my ISP (Virgin) and the other two of the "big three" getting into bed with Phorm I contacted the ICO by telephone and had a very useful conversation with one of the ICO reps. They mentioned I was the first to raise the question of the "legality" of this "service" with them and they asked me to write to them with as much information as I could provide: which I have done.
When I receive their report I will forward a copy to the Reg.
...about this. If anyone uses a Tesco's Clubcard then it's much the same thing.
It sounds to me like it's just about giving you more targeted adverts as you browse which is hardly the crime of the century. Use an ad blocker if you don't want to see the ads.
''One little script constantly downloading (but not rendering) random web pages should be enough to make the collected data worthless and the increased traffic would piss the ISPs off too.''
It seems to me that that is the best option to date since Phorm won't have any statistically relevant information so either they will send random stuff and that would be funny or they would realise that you're feeding them an inhuman number of pages per second and they would just give up. In any case, it makes you a little more anonymous. I guess something of the sorts doesn't already exist but it could be pretty simple to make, I guess.
Anyone know if any of this sorta shite is going on in Canada (If for example, Videotron sold out even more than usual ?)
Does anyone know the exact url or ip address this information will be sent to or served from? Because if so, why not do the simple thing to stop these ads coming through to you, by adding an entry in your host file that points to 127.0.0.1? That way the ads should not then reach your PC.
Bill cos he's a devil like Phorm
There's no 'injecting' going on here. Adverts on most websites are currently served from one of a handful of advertising networks (Tradedoubler, CJ etc). What Phorm are doing is allowing these ad networks to direct adverts at a particular user using knowledge of previous websites they have visited and adverts they have clicked on etc.
So the content of the website isn't being altered and the website owner has placed and configured the adverts themselves. As Phorm themselves say:
'The user doesn't see more advertising, just more relevant advertising.'
It really is no big deal. And for the people saying that they don't want their web surfing to be monitored and logged, I'm afraid this has always been the case and always will be. You'd be better off visiting a library if you're not happy with this concept.
Forget about the ads. There is NO way to opt out of the interception of traffic unless the page you are looking at is delivered over https (a very small percentage of pages)
No matter what your preferences are for targeted advertising, ALL of the contents of EVERY page you visit WILL be copied off the wire and sent to Webwise/Phorm servers, which are apparently located in China.
This includes the contents of any cookies being sent, the headers of every page, the contents of any form submissions, any postings to message boards, online forums, web chats etc. and any private webmail you are reading.
There is no way to opt out of this. You can only opt out of receiving the advertising.
Not quite. When you go to Tesco, the data stays with Tesco and their privacy policy (presumably) does not allow them to sell data on your shopping habits to third parties. Plus, the Data Protection Act requires them to take care of this data.
In this case, the ISPs are unilaterally allowing a third party to come in and snoop your surfing habits and sell this private data to who knows. In the contract with your ISP, I would be very surprised if you agreed to give them permission to sell/pass on your surfing habits to third parties.
That is the problem here: they are doing something with YOUR private data without your permission. They are specifically not allowed to do this by law.
The analogy with loyalty cards is a bad one. If you’re buying a packet of extra small condoms and some haemorrhoid cream, you can pay without handing over your Clubcard. You could even pay with cash! Look at these, or possibly even more private, things on the Internet and Phorm may well know.
(While shops do use secure websites, they are often just for the checkout page. Filling your basket is done ‘out in the open’.)
When I go to tesco's and use a clubcard, it is entirely by choice, and is part of a transaction between me and tesco.
What this bunch of ***** is doing, is intercepting communications between 2 parties. (and I strongly doubt that there will be any informed consent).
.....and then, the little blighters actually go on to change the content of the communications.....
The exec's who ok'd this at the respective companies really do think they can do anything they like to their customers.
This is more akin to someone creating a machine that reads your post, "anonymously analyses it" and then shoves leaflets into the envelopes and reseals them.
J.
Webwise has had a couple of mentions above, so I went to have a look at their site. They claim "to offer [a] combination of security and customization benefits." The security being anti-phishing. Run "by" BT and TalkTalk. On their FAQ page I found this:
"What is Webwise?
"... that is designed to provide a safer, more personalised Internet browsing experience. ... ... Webwise also replaces a website’s generic ads with ones more relevant to your interests, based on your browsing behaviour – while remaining ‘blind’ to who you are. ..."
How it can be "personalised" and "'blind' to who you are" at one and the same time is an issue that has been raised before. Of course at least one of those statements must be a deliberate lie.
What really puzzles me though, is how "replaces a website’s generic ads with ones more relevant to your interests" can be anything other than outright fraud on the publisher of the original web site. Especially if they are paid on click through.
It seems to me to be on the same level as Microsoft's one time "feature" to pop up their own adverts on any page rendered by IE6 regardless of the site publisher's wishes. This is the cause for many to insert the meta tag
<meta name="MSSmartTagsPreventParsing" content="TRUE"> into their pages.
It's easy to opt out of the clubcard system. If you're buying a family pack of rubber jonnies and you don't want Tesco to know your favourite brand, you don't hand over the card. Or don't get a card in the first place. Or you go to a different shop. How do you opt out if your ISP is giving wholesale access to surfing data to a third party?
You can use blocking software to "opt out" of the targetted spam, but this is just the same as not opening junk mail. The sending company still has your surfing/shopping habits.
It is for that reason that I choose not to have a Tesco loyalty card, and to shop there using only cash. At the time of writing, these are perfectly legitimate options.
But customers of BT, TalkTalk and VirginMedia are being told in effect that loyalty cards are mandatory, that they come as an integral part of the "service"!
... Chris Williams and the rest of the Vulture Central team get back from the pub, sorry, Register Research Institute and Archives with a concise, well researched and relevant exposé into how this works, we won't know anything concrete or lager flavoured.
From my skimming of the patent application mentioned above and the Cable Forum thread on this subject it looks like Paul Barnfather has the closest grasp on what MAY be the actual mechanism
However, his 1st point may not be correct, Phorm state on their website that "Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information." The implication being that they may receive the https pages from your ISP. As to ignoring numbers longer than 3 digits - All your postcodes are belong to Phorm.
A proxy on its own won't work, https or otherwise.
Tor will work, but will impact on your page loading times, as will JAP.
Firefox users can use either TrackMeNot or RefControl to obfuscate the search data being sent to Phorm by making it so noisy as to be useless, but the information will still be sent to Phorm by your ISP.
The web ads being served by Phorm can be opted out of, but this requires you to have a cookie placed on your machine, if you nuke your cookies during housekeeping you have to go and opt out again (or after about 2 years as the cookie has a roughly 760 day expiry time). This will not stop your information being sent to Phorm by your ISP
As mentioned previously there is a lengthy thread on this at Cable Forums ( http://www.cableforum.co.uk/board/12/33628733-virgin-media-ad-deal-updated-see.html ) if you've got the time to read it
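An added illustration of the "longer than three digits" point in the post above (not part of the original post, and not Phorm's code): the filter is modelled only from the sentence quoted from Phorm's website, and every regex, name and sample value below is constructed.

```javascript
// Model of the filter as the quoted statement describes it: ignore any run
// of four or more consecutive digits. This is an assumption drawn from that
// sentence, not a description of how Phorm's system is implemented.
function stripLongDigitRuns(text) {
  return text.replace(/\d{4,}/g, "");
}

// Identifier shapes a privacy reviewer would still search for afterwards.
// Patterns are simplified and constructed for this example.
const RESIDUAL_PATTERNS = {
  ukPostcode: /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/g,
  niNumberSpaced: /\b[A-Z]{2}\s\d{2}\s\d{2}\s\d{2}\s[A-D]\b/g,
  sortCode: /\b\d{2}-\d{2}-\d{2}\b/g,
  email: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g,
};

// Apply the filter, then report which identifier shapes are still present.
function residualIdentifiers(text) {
  const filtered = stripLongDigitRuns(text);
  const found = {};
  for (const [name, pattern] of Object.entries(RESIDUAL_PATTERNS)) {
    found[name] = filtered.match(pattern) || [];
  }
  return { filtered, found };
}

// Constructed form contents; none of these values belong to a real person.
const SAMPLE_FORM_TEXT = [
  "Card: 4000000000000002",
  "Card (spaced): 4000 0000 0000 0002",
  "Security code: 123",
  "Phone: 02079460000",
  "Postcode: AB1 2CD",
  "NI number: QQ 12 34 56 C",
  "Sort code: 12-34-56",
  "Email: jane.doe@example.org",
].join("\n");

const report = residualIdentifiers(SAMPLE_FORM_TEXT);
console.log(report.filtered);
console.log(report.found);
```

The long card and phone numbers disappear, but the three-digit security code, the postcode, the National Insurance number written in pairs, the sort code and the e-mail address all pass through the filter untouched.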
Anonymous Coward waiting for a response may well see Christmas first. That office is miles behind after being inundated by complaints from the world and his brother. After the first acknowledgment, any review will simply give the best reason they can think of for taking no further interest. Based on experience.
No good phoning till after the acknowledgment with their all-important reference reaches you either. Their "smart" system can recognise only documentation that has been typed. Anything hand-written is in boxes which they cannot afford staff time to search through.
I've obtained written confirmation from my ISP that they will not indulge in these games. Not sure how reliable it is, but at least they know where I stand.
Aren't ads revenue for many pages, surely by injecting ads they are stealing revenue from people by overwriting the ads they "Host" with their own injected ones without the web page holder's permission?
The other way round don't some advertisers PAY to be shown on big web pages who will then be "cut out" by phorm?
The ads will be selected to be displayed in the space of advertisers already signed up to OIX.COM. So there are other big names knowingly or unknowingly signed up to this - FT.COM for example - who are already buying advertising from OIX.com but who will be able to build simple scripts that parse the contents of your browsed web pages and use that to choose exactly which ad to display in the OIX space. Other adverts will not be affected. So the REAL issue is do we want them to have the content of all the web pages we choose to access. The advertising changes will be minor from our perspective.
I have been with Demon for a long while now and cannot fault them in any way. They are as truly unlimited as you can get on a home package nowadays, fair use applies to the top small percentage (3 I think) as calculated over a rolling 10 day period, though it seems imperceptible to me, and I would describe myself as quite a heavy internet user.
Their privacy policy categorically states that they will not hand over your info including IP to third parties (apart from contractors for their own internal purposes which is then immediately deleted) unless under a court order.
They are faultless in my mind, having had no problems in a couple of years. I have never heard any grumbles from other Demon users.
People get a snippet of info and then make the rest up!
No one is going to alter the contents of a web page to insert adverts - the web site publisher has to be in on this too (it explains all of this on the Phorm website). It simply changes the adverts which are served from the ad agency which the particular website is using. It won't affect all websites - it depends who they are using to serve their banner adverts etc.
Websites already do all of this via cookies anyway - this just sounds like a more efficient means. And the data is anonymous as Phorm will never know your personal details.
There really is nothing to see here - move along.
The Phorm website implies otherwise:
"The OIX uses data from ISP pipes to upgrade the generic advertising on websites with more relevant ads. These ads will be viewed by that ISP's subscribers who are most likely to be looking for the advertised product or service based on keyword patterns in their browsing behavior. "
The 'generic ads' are placed there by the website publisher. An example is Google ads which react to what's on the page. The Phorm ads instead react to who the user is (without using personal details - just your IP).
There is no injecting going on here - the ISPs really would never get away with it even if they thought it was a good idea.
----- Original Message -----
From: XXXX, Anthony
To: strobes@private-eye.co.uk
Sent: Friday, February 29, 2008 3:51 PM
Subject: New Story - BT, Virgin Media, TalkTalk sell private browsing history to Phorm
Dear Mr Hislop,
I am forwarding this email to you to try and raise the profile of this (scandalous, in my opinion) deal in which BT, Virgin Media and TalkTalk have agreed to sell browsing history, web page scans, webmail conversations etc to an advertising broker called Phorm without the user's knowledge or consent. Phorm have a dubious past, they host their servers in China and have possible connections with the Russian Security Services. I hope you feel it is worth further investigation by your esteemed organ.
Regards,
Anthony
----- Original Message -----
From: XXXXX, Anthony
To: XXXXXX@itn.co.uk ; XXXXXX@itn.co.uk ; XXXXXX@itn.co.uk
Sent: Friday, February 29, 2008 1:08 PM
Subject: New Story - BT, Virgin Media, TalkTalk sell private browsing history to Phorm
Hi,
I have spoken to Will on the Newsdesk about raising the profile of this story and he suggested contacting yourselves. The basic story is that BT, Virgin Media and TalkTalk have entered into a deal with a company called Phorm to sell private browsing history to an advertising broker (Phorm). I am personally a customer of VM and am now cancelling my contract as I feel this is a massive invasion of privacy, goes against the DPA and RIPA and is possibly against the law. Phorm themselves are an extremely dubious company, have their servers hosted in China, and have possible links with the Russian Security Services. They also have been previously associated with releasing Spyware into the wild.
I am technically competent enough to recognize the implications of what VM have done in making a deal with Phorm and so am voting with my cash, as it were, however I do feel that the average man in the street won't be and so am asking if you would investigate this further and bring it into the public domain.
Further information is here...
http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/
http://www.theregister.co.uk/2008/02/25/phorm_isp_advertising/
http://www.f-secure.com/sw-desc/apropos.shtml
Regards,
Anthony
Some people have put a lot of effort into researching this and you would do well to study the facts before dismissing them as unimportant. You are right that many adservers dynamically select the ads to display. The difference in this case is that the entire text of the web page will be analysed in order to select the most appropriate ad. However this is still not the main issue. The main issue is that a company with dodgy credentials operating outside of the UK will have a full copy of every web page you retrieve including for example webmail, search terms, form fields which may include personal information, etc. The very fact that they say that they will ignore numbers longer than 3 digits shows that they have access to them and there is no regulatory body to prevent them from for example harvesting social security numbers and passing them to their Russian spyware-pushing friends just as they have previously done under their '121' incarnation.
So, if I run a website supplied with adverts by a company which has a contract with Phorm, those adverts will be matched to Phorm's image of the reader?
If I get adverts from other sources, my reader's activities will still be monitored by Phorm.
Will my webpage and adverts be analysed? It seems that Phorm can't be relying on URLs, they have to be looking at the webpage content being sent to the user. Is there some way I can tell Phorm to piss off? I might be running a subscription-only news service, and here's the ISP and Phorm taking my product and making a derivative work.
I wonder what happens if I use HTTPS to look at my ordinary ISP web data?
Yes, having read El Reg's latest analysis you're right - there's no ad "injection" going on here (other than the Phorm cookie, which *is* injected). They seem to be replacing generic OIX ads with targeted ones. So if that is true, it's apparently no worse than DoubleClick.
BUT they are definitely passing your (private) web traffic onto a third party for "processing". Even if they claim to delete this stuff straight away, this is an absolute no-no as far as the Data Protection Act is concerned, and almost certainly violates the ISPs' own privacy policy (until they change it, that is...). Even so, you simply cannot pass on copies of private data to a third party for any kind of processing without consent of the individual concerned.
Bollocks to that.
The issue of receiving advertising is a red herring. There are two real problems here:
1. Portions of your web traffic are being copied and sent without your knowledge to a third party other than your isp, potentially to another country. These copied packets could well contain items of private information even if the packet which contains it is supposedly anonymous.
2. This system clearly involves some kind of lookup to the third party's servers from the web server where you are requesting a document. Obviously this is going to a - add latency to your web browsing, and b - artificially increase traffic on certain network routes.
Yep, I really dunno how anyone who's been following the story could think they're going to inject anything into your traffic, but that's not the point; this is an illegal wiretap. Your ISP does not have the right to snoop on and forward your traffic to a third party any more than BT has the right to listen to all your phonecalls. The fact that they're only listening in order to find out what you're talking about so they can sell that information to advertisers is not an excuse under the RIPA.
And the best way to get revenge on your ISP is to hit them where it hurts, in the pocket. Closing your account and moving to another provider is one way to do that, but since the ISPs are doing this in order to subsidise their costs, another way would be to keep your account and start using an encrypted anonymiser such as Tor. That way you're still costing them the overheads but you're not giving them any useful data they can sell to defray them.
So, I have Virgin their 5 days. Yes, they are doing it. No, it's not opt in. Or opt out. There's no opting about it. (Disclaimer: he said that he would check that). He understands my concerns about privacy. However, there are "no privacy worries". "No private data is collected"...sorry, but the contents of my e-mails are private. He is sorry Virgin hasn't told customers sooner, and offered to file a complaint with Ofcom. I'll leave that one till the next call...
I would sign the petition, but you failed to provide the url.
I've just looked for this e-petition on the http://petitions.pm.gov.uk website, but searching for Phorm, revealed no petitions, and scanning through all 161 petitions in the "Information and communication" category also turned up nothing that seemed to be about this issue.
If there is a petition, could we have the url please? I would create one, but you seem to imply that one should already be there and I don't want to duplicate the effort...
Just got this back from customer services.
I quote:
--
Thank you for your e-mail regarding a possible new partnership between
TalkTalk and Phorm.
I can confirm that TalkTalk is not in any partnership with this company
and all data from our customers accounts is kept confidential and is not
shared with any other company.
--
Interesting, huh?
... a lot of talk all over this but surely the issue pure and simple is that they have not asked. Isn't it always that? Really you'd have thought someone somewhere in some marketing department would have twigged that the same thing happens every time if you don't ask? Maybe a bit of revenue sharing with the users?
Anyway.... I'd not sign up even with that but I think that's the main problem here.
On the e-petition is there one somewhere? Link or create soon I feel :)
From scouting around I have to say that Phorm looks pretty dodgy to me, but maybe just maybe I'm missing something... :P
Perhaps the reason that I'm not bothered by any of this is down to the fact that I don't regard web browsing as in any way a completely private activity. I browse at work where my company can easily monitor the websites I visit. I browse at home where Virgin Media log every page I visit and will turn this info over to the police at the drop of a hat.
I'm certainly not going to lose sleep over a company sifting through my web activities anonymously in order to provide me with more targeted adverts, which I think on the whole is a good idea and the future of the web as it stands today may even depend on such mechanisms.
Sites such as The Register rely solely on advertising in order to keep running free of charge - they do not run on fresh air. So would you rather have targeted advertising or have to start paying a subscription? You may believe that paying a subscription to The Register is worthwhile, but how much is a fair amount? £10 a year? £25 pounds a year? And how many websites do you regularly visit? That could add up to a lot of £25 subscriptions. If every site started charging a subscription then the web would be a very different place. Being able to dip in and out of websites would become a thing of the past.
I know from personal experience that ad banners produce very little revenue for websites. I also keep reading how apps such as the BBC iPlayer are costing ISPs far more in bandwidth costs than they are charging customers. All of this is going to come to a head at some point and initiatives along the lines of this Phorm one are, I'm afraid, inevitable. In my opinion it's naive to think otherwise.
And no, I am in no way affiliated with Phorm, who from reading the other Reg articles on the subject do sound a little dodgy. But the major companies involved in this will not be doing this lightly as they really do not want to start losing customers (especially Virgin Media!). If people want the internet to remain 'free' then some form of compromise between customers and the ISPs is required and this sort of initiative is really only the start of it.
So I guess that you're OK with all your snail mail being copied and sent to an advertiser in China (Anonymously of course. We remove the envelope, so it's anonymous).
Your browsed webpages are already monitored by your ISP. Right. But they have a legal obligation to keep it secret and not to misuse it. Phorm doesn't have any obligation, of any kind, and they'll see all your e-mails and all your visited webpages, including data in forms, all nicely tied together by your "anonymising number". So in less than a week they are bound to have your full name, email address, street address and phone number, associated with the complete coordinates of your friends and family, and with the content of the pages you browsed (including whatever you bought, and what it was worth).
Anonymous indeed. If you do use online banking services, they'll also have your full bank credentials (they say that the system "doesn't use" large numbers, not that they won't get them... but not use them. Of course. Plus, even if they truncate large numbers now, I bet that no one is going to notice if it's later changed, during a "routine maintenance" or a "firmware upgrade" for example.) And no-one can do anything to prevent them to re-sell all this information to anyone. Or dry up your bank account themselves, followed by a quick run towards the Cayman Islands.
Actually, it's even worse, because as they operate from China, they might just empty your bank account and get away with it without even having to hide. Who is going to analyse their servers to prove the fault?
As for the internet being free, you might find that it's not the case at all. You pay to browse it, you pay each time you access an ad-funded site. That's not the main problem. No-one here pretended that the ads are the major issue (though it's bound to be annoying at least).
Methinks you should also buy a few spare Winsta packages, you know, just in case your computer crashed.
And get some KY on the way back, you're gonna need that.
Brian, my thoughts too. Seems that all the noise is being caused by the new 'meja' kids on the block - the ones only interested in what they can harvest through being an ISP instead of just providing a reliable pipe with minimal control-freakery, period, like Demon do - and always have.
I was with plusnet at the time they started opting everybody in to tiscali unbundling without any form of notice or consent. The customers had to fight them tooth and nail to get an opt out added to profiles.
On top of that, they brought in new caps on bandwidth usage by application as well as overall, pulling a Comcast on not just p2p traffic but also anything that was encrypted, denying all claims of "throttling" and then using the term "management" instead. They preferred instead to ensure that all VOIP calls on their VOIP service got through (killing skype, teamspeak and others).
Before signing up I had phoned them twice and spoken to two different operators to ensure that their "unlimited" service could cope with 100GB/month. Later, when they knocked us all down to 10GB/month, they continually denied ever selling an unlimited package even when people pointed to their own archives.
If you enjoy dealing with a sack of snakes, go to plusnet. If not, there are actually some reputable companies out there offering broadband services. Sure, you won't get it at £10 a month, but it's nice to not be constantly bent over.
@ Pierre
* Snail mail IS a private service. You can not compare this to anything on the internet.
* My email account uses a secure connection (IMAP SSL) - something you should consider for yourself. Also if I access my email account via the web it uses HTTPS. If you will go and use a free mail account then you get what you pay for.
* My bank uses HTTPS - does yours not? Also any fraud liability lies with them - not myself.
@ nickj
How exactly are Phorm abusing free speech? You're free to talk about any subject you want to on the internet - Phorm will just serve you adverts relevant to your discussions ;-)
Putting aside all the data security and privacy issues (I'm so glad I'm with Zen). What does this mean for sites' current ads?
For example you go to x site that has ads on it, no one likes the ads but they are there to help fund the running costs of x site. What happens with Phorm? Does it overwrite the ads that currently exist or just add more? If it adds more then how does this work for sites where you pay money to disable the ads? Or do sites have to sign up to Phorm themselves to have targeted ads?
" Is there some way I can tell Phorm to piss off? I might be running a subscription-only news service, and here's the ISP and Phorm taking my product and making a derivative work."
If the report that Phorm injects an iframe into the content returned from webserver (which it uses to update its tracking cookie on your PC) is true, then it should be possible to include a JavaScript that detects the webpage has been tampered with and flashes up a message to the victim informing them about Phorm and that they are not welcome at your site until they find a reputable ISP. Alternatively you could redirect them to an https link.
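A sketch of the publisher-side check suggested in the post above, as an added example that is not part of the original post: it lists frames whose origin the site did not put on the page and computes the https link to redirect to. The allowlist, function names and sample URLs are constructed placeholders, and nothing here is taken from Phorm's actual markup.

```javascript
// Origins the publisher deliberately embeds (constructed placeholder).
const EXPECTED_FRAME_ORIGINS = new Set(["https://video.example.org"]);

// Given the src attributes of the frames in the rendered page, return the
// ones that are neither same-origin nor on the publisher's allowlist.
function findUnexpectedFrames(frameSrcs, pageUrl, allowed = EXPECTED_FRAME_ORIGINS) {
  const pageOrigin = new URL(pageUrl).origin;
  const unexpected = [];
  for (const src of frameSrcs) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin; // also resolves relative URLs
    } catch (err) {
      unexpected.push({ src, reason: "unparseable src" });
      continue;
    }
    if (origin === pageOrigin || allowed.has(origin)) continue;
    unexpected.push({ src, reason: "origin not in allowlist: " + origin });
  }
  return unexpected;
}

// The "redirect them to an https link" alternative: same URL, https scheme.
function httpsEquivalent(pageUrl) {
  const url = new URL(pageUrl);
  url.protocol = "https:";
  return url.toString();
}

// Collect frame sources from a DOM document (or any object that offers
// querySelectorAll and elements with getAttribute).
function checkDocument(doc, pageUrl) {
  const srcs = Array.from(doc.querySelectorAll("iframe, frame"),
    (frame) => frame.getAttribute("src") || "");
  return findUnexpectedFrames(srcs, pageUrl);
}

// Constructed sample: one local frame, one expected embed, one unknown frame.
const SAMPLE_PAGE = "http://news.example.com/story?id=7";
const SAMPLE_FRAMES = [
  "/widgets/comments.html",
  "https://video.example.org/embed/1",
  "http://tracker.example.net/f.html",
];

// In a browser, run the check once the page has loaded and move to https
// if something unexpected was added to a page served over plain http.
if (typeof document !== "undefined") {
  window.addEventListener("load", () => {
    const hits = checkDocument(document, location.href);
    if (hits.length > 0 && location.protocol === "http:") {
      console.warn("Unexpected frames in page:", hits);
      location.replace(httpsEquivalent(location.href));
    }
  });
}
```

A script delivered over plain http can itself be altered or removed in transit, so a clean result is weak evidence; serving the page over https is the part that takes away the opportunity to modify it.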
They have allowed the behavior targeting debate to spin out of their control, leaving the conversation in the hands of privacy evangelicals that represent only a vocal minority. As a result, most consumers and law-makers have concluded that ad targeting is a consumer protection issue.
My recommendation to ad networks, ISPs and portals is to take back the debate. With a modicum of marketing and consumer-friendly product offering, behavioral targeting can become the hero of its age, instead of the defiling villain.
Read the analysis at http://www.BroodingSavage.com