The benefits of Webwise
Are there any? To me?
A leading expert on computer surveillance has raised serious doubts over the legality of deals by BT, Virgin Media and Carphone Warehouse to sell their customers' web browsing data to Phorm, a new online advertising company. Professor Peter Sommer, the author of the groundbreaking 1980s book The Hacker's Handbook and a …
If people want an agency, with which they have no commercial or contractual agreement, to see what they are viewing and data mine their "interests" then let them have the right to opt-in.
Everyone else should be locked out (not opted out) from the service - meaning no data is passed and that their page requests are just processed directly without delay.
Let's say that BT & VM press ahead and enable the evil device - it may be over a year before it gets proven to be breaking laws, by which time the operators will have mined enough information on people to go on a big pushed advertising spree at the best, or sell it on to others for linking to bank account details.
How long before the spies of the US get their hands on the mined data and claim all the info (about my money movements around the UK for example) is theirs? (Oh and BTW Phorm please don’t delete the info just send it over to this US IP address).
BT shareholders had better sell up now before the value of their company slumps against a background of lost customers and law suits.
Who else guessed that it would boil down to the marketing department with their seemingly blank cheques and limitless unaccountability getting the jump on legal, security and compliance?
Happens everywhere whilst the security staff are left to clean up the mess, now where's my clue stick?
1.3.1 Lawful interception without an interception warrant
(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both—
(a) a communication sent by a person who has consented to the interception; and
(b) a communication the intended recipient of which has so consented
Basically - YOU HAVE TO GIVE PERMISSION OR IMPLIED PERMISSION - Think "this call will be recorded for training or other purposes" message when you call a call centre.
However
1.3.3 Lawful interception without an interception warrant
(3) Conduct consisting in the interception of a communication is authorised by this section if—
(a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and
(b) it takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services.
Initially you have to consent to the operation, unless the operation is "for purposes connected with the provision or operation of that service".
This ALLOWS BT to record your home phone number, the number you have called, and the time of the call. It also allows you to keep a log of incoming IP numbers in relation to "operation of that service ".
However even if the Data Pimping is decided by a court to be not within the provision & operation of the service people can still probably get out by :-
1.1.6 Unlawful interception
The circumstances in which a person makes an interception of a communication in the course of its transmission by means of a private telecommunication system are such that his conduct is excluded from criminal liability under subsection (2) if—
(a) he is a person with a right to control the operation or the use of the system; or
(b) he has the express or implied consent of such a person to make the interception.
Basically "IT'S OUR SYSTEM WE WILL DO WHAT WE WANT WITH IT". Depends how BT want to throw the wording of public vs private telecoms system.
I personally think they are on dodgy ground..
Oh really? I would invite BT to share their questionnaire method with us because I have a hard time believing this statement (I also dislike the "most" because that's conveniently vague).
To me it smacks more of the Ken Livingstone method of surveying (don't ask - just take it from me that "tuning a survey" is a polite way of describing it), so before I believe any statement of the parties standing to benefit from this breach of privacy I'd like to see hard facts.
And yes, this is the one positive side of RIPA - this is principally an intercept because it results in personally identifiable data acquisition, and thus verboten..
One thing however that isn't mentioned in the article is that data is being sent both ways. Whilst the ISP might have permission of the customer to look at their data do they have the permission of the website sending them the data too? Once they have the data do they have the permission to store it from the website that owns the data or are they going to modify that data, violate the copyright etc?
I can't see them getting away with this for long before the whole thing collapses in lawsuits and the sharks start to circle as the banks are now discovering.
Sounds just like crap like Hotbar and Cool cursor where they give you some useless "feature" like anti-phishing warnings in exchange for spying and crap ads. Only this time they don't need to use drive-by-downloads to get it installed on peoples computers, they are getting the users own ISP to do it for them.
Once I have turned the service off, that it actually IS and remains off, and that none of my browser traffic is being intercepted surreptitiously? Because unfortunately I simply don't believe a word these fuckers say anymore.
Maybe it's just me but I believe that there is no-one, except an infestation of marketing types, who believes that the online experience is enhanced due to increased advertising.
BT, Virgin et al will dig themselves into a hole over this.
So here is the link to the FAQ... http://www.webwise.com/how-it-works/faq.html
I find this Q particularly interesting: I delete my cookies regularly, and I want to keep Webwise switched off. How do I do that?
If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add [OIX.net] to the Blocked Cookies settings in your browser.
P.S. El reg, I do love you so, but please learn to link within your articles it's what HTML was designed for... ;) :P
I host a website and any adverts I choose to serve from my website should be left alone: the site depends on them!
This idea sounds like it will rip out the ads the website owner provides - which possibly help fund a free site's existence - and replace them with 'targeted' ads for something else.
It'll kill thousands of small sites when they lose their advertisers, not to mention the problem of a teenager's pr0n-browsing-habits generating dodgy ads on, say, a five year old's view of a Disney page...
Imagine ITV's views on this kind of thing if, for example, a Freeview decoder replaced the ads they broadcast with something else. I'm looking forward to the first court case!
So I can hide my browsing history from the missus, but Virgin may be free to sell this information on ? Disgrace !
I wonder how this stuff gets pushed back though ? I pay the bill, but four very different people use the connection (a man, a woman, a boy and a girl), for different things (tech, pr0n, tech pr0n; shopping; pokemon, pointless sites; kids tv flash games).
"Detailed customer research by BT has shown that once customers are aware of the benefits of Webwise, they are overwhelmingly in favour of the free security features and more relevant advertising during web browsing," it told The Register last week.
Are these the same customers who click on every "You have Spyware, download this FREE anti-virus, anti-spyware, and anti-spam software now" link they come across?
The same software that then shafts your computer right royally that then takes ages for someone with enough brains not to click on said link to remove?
If only I'd been asked my opinion, I'd have told them where to stick the entire thing...
"Virgin Media told us today: "Virgin Media is still some way from deploying Webwise. We will roll-out the system once we are completely satisfied that our implementation meets all applicable privacy guidelines _and complies with all data protection requirements._"
Potential violation of RIPA through an unlawful interception is a separate issue to requirements under the Data Protection Act, however."
If there are any DPA personnel/UK experts reading, perhaps you might comment on this point please.
If you send a Data Protection Act notice to the ISP stating 'under the DPA act bla bla, I remove the right to export my personal data'
does this have the desired effect of stopping any and all data processing of the DPA covered data outside the UK by 3rd parties they want to sell my property to, and indeed anything else outside the basic supply and billing of the Broadband?
Plus the added benefit of putting ISP at odds with exporting the data to their offshore customer care department of course.
Also, can anyone clarify the EU rules as regards your ISP supplied IP address as personal data as this is also relevant as is the EU opt in advertising.
It would be good to have all these matters written up and clarified in one place so as to help clear the air and misunderstanding.
Not least from the many ISP personnel that don't know or consider the DPA important or relevant to their actions and advice they and their line managers etc give.
"Hi there,
Thanks for your email to Virgin Media.
BT, Virgin Media and Talk Talk argue that Phorm's anonymising techniques will achieve this feat. When discussing Webwise, the consumer brand for Phorm's advertising targeting system, the existing partners all place heavy emphasis on its widely-available and standard anti-phishing features.
Here is the link for it http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/
I hope the above answers your query, however, should you need further assistance, please don't hesitate to contact us again.
Kind regards
(Your Name)
Virgin Media Technical Support Centre"
The original question was "How do I opt out of this?" and, yes, the muppet did leave in the (Your Name) part instead of putting his own in. I particularly enjoyed pointing out that the article they linked to has a stream of comments complaining about this idea and the 2nd of which was mine.
" We do not use this information to:
* identify individuals visiting our website; or
* analyse your visits to any other websites (except that we do track you if you go to websites carrying our banner, but we do not identify personal details while we do this); or
* track any Internet searches which you may make while on our website."
http://www2.bt.com/btPortal/application?pageid=pan_privacy_policy&siteArea=pan
So I for one will be leaving for another ISP, citing breach of contract.
As for this "detailed customer research", bollocks. They haven't asked me, although I /am/ in the process of giving them my unsolicited opinion. I somehow can't imagine any group of people answering an honest question, such as "Do you think it's OK if we monitor all your online activities so that we can then embed intrusive advertising and send you spam from our partners" with anything other than a resounding "FOAD".
In keeping with the way these things are done, I suspect it was a focus group asked something like "Is it OK if we use the data that we already have access to anyway, completely anonymously of course, to erm, give you some free chocolate ?"
Bastards.
Hi,
would this counter phorm?
Setting up an EC2 Machine or similar http://www.amazon.com/gp/browse.html?node=201590011
Then encrypting all my web traffic via ssh and then redirect it to the EC2 machine to serve all my requests?
Alternatively set up a machine in Sweden then create a vpn session to it and then use that machine for all my web traffic?
As it's all encrypted then I doubt they would know what's happening, they would see a very long stream of encrypted traffic. Not sure, someone who is more knowledgeable would need to comment on it.
I don't trust the webwise opt out, granted you wouldn't see the adverts but what's to say that your data is being sent to the anonymiser and then onto china?
1.) Surprising how many people suspect [UK] government surveillance spooks have a hand in this. I reckon if anything it will be foreign intelligence of some kind, possibly even commercial. Think of all the confidential business going on unencrypted as people bounce emails to home etc etc.
2.) RE: Contradictory RIPA - the get out clauses only seem to apply to the service provider and it is seemingly implied that there needs to be an element of necessity of interception in order to route the communication, i.e. NOT when they're passing information to a third party. Also I'm guessing the rationale behind the get-out clauses is to allow transparent caching?
GREAT WORK El-REg - keep it up! Channel 4 News have this story and I can't see it being a case of any publicity is good publicity in this case anyway...
From memory of recent articles:
Google is falling foul of EU privacy laws and is facing sanction unless they take action for recording browsing habits by IP which can be traced back to a person.
Facebook faced a massive revolt and an eventual climbdown over their tracking systems
It's all just a bad idea, won't fly with the regulators, won't please the customers, won't work. I use admuncher to strip out adverts, so I won't benefit from it. I also use CC cleaner to wipe cookies I don't explicitly want / need.
If the marketing men and women want to earn more £ for breaching my privacy they can just sod off unless they are offering me some £ and even then I don't think my goat pr0n habits are for sale. It's my privacy, it's not for sale and I expect the powers that be to stamp on folk who disagree especially dodgy spyware companies.
ISPs you have been warned! Someone set up a Downing Street petition please!
So Phorm's machines proxy the request for you or they are just inserted in the BT route for the data path?
If the former then as an ISP you can simply stick a simple Apache style redirect into your HTTPD config for Phorm IP's informing the customer their browsing may be being intercepted.
Presumably they exempt HTTPS traffic as well??
receiving junk eMails or, indeed, telephone cold calls selling double glazing. I'd rather not but it happens.
I do, however, really mind more than ever such a little tiny bit any website setting out to capture my browsing habits with a view to using them to "condition" my "internet experience". I get very pissed off when they then start to make a profit out of said data by selling it on to potentially unscrupulous 3rd parties or government agencies in a possibly illegal manner.
I know it isn't April 1st and I assume that this isn't a joke?
I can see multiple identities being required here..... but ooops, that's not allowed for law abiding citizens. So, if I try to evade I'm performing an illegal act myself???
So they're just storing info about you in a cookie on your PC and nowhere else - sounds much less worrying than was first thought then. Because Phorm aren't storing any data then data protection is a non issue.
Blocking cookies from oix.com would effectively turn off this functionality - no need for an opt out.
@ Matthew
No, as has been said countless times (and in this article) the Phorm ads will only appear on websites which have signed up to the Phorm service.
Tell your friends, tell your family, tell the people at work and the man on the bus (ok maybe not him he looks a bit weird). I work in Data Protection and Freedom of Information and this story gives me the willies! How dare they.
I'm no expert on RIPA but I'd have to say that even under plain old DPA 1998 they're on highly dubious ground. 'Excessive use' anybody? Transfer outside the EEUA possibly? What we have to remember is that the people that we really need to communicate this message to won't be able to set up intricate workarounds, aren't interested in the whys and wherefores. Keep it simple - EVERY WEBSITE YOU VISIT ONLINE IS INTERCEPTED AND TRACKED BY BT AND PHORM.
Most people on BT broadband will see the email, go "huh?" and forget it. Really. There will be no mass migration, no outrage, no shareholder revolt. Why would most people bother, even if they had any clue what was going on (which they won't because the comforting words from their ISP won't tell them).
No-one seems to be willing to answer the question about what happens when more than one person is sharing an internet connection?
I don't have kids using my internet connection but I know several people who have.. so, for the sake of argument, let's pretend I have
How will phorm ensure that adverts based on MY browsing habits aren't delivered to my kids, and to turn it round ensure that I don't get bombarded for adverts based on my kids browsing habits?
Agreed, which is why I've been telling everyone I know. And everyone (except for a housemate) was appalled.
I've spent a decent amount of time writing to various places to try getting an article in a website for the masses. The problem is that most media outlets don't appear to give a shit.
<rant>
This is another example of the media deciding what we should know and care about. At least people in China, North Korea, etc know they can't make a difference. We are taught from the word go that we can choose how the country is run. This is just another prime example of how this is bullshit.
</rant>
My boyfriend is actually a deputy editor at a national broadsheet. I've been hopping about this since it broke on Feb 14 and he keeps telling me it's a.) difficult to explain the more alarmist elements without getting into detailed technical arguments that will lose the readers and b.) difficult to research without a real tech-focussed reporter and c.) not really target audience. Obviously they will report it if/when any action is announced by regulators or someone launches civil legal proceedings.
On another slant - everyone is focussing on data privacy and protection, but there's one technical argument that shouldn't be overlooked. I know of at least one proprietary system that (ab)uses port 80 (HTTP) and html in order to allow remote clients to connect to head office. It uses port 80 and pseudo html so the connection can be routed via most proxies. If the system is broken by spurious unexpected content such as cookies being injected then who's at fault? You could argue the system developers were short sighted but you never expect your data stream to be tampered with, do you?
I got a reply to my email, to avoid any legal problems, I wrote this myself.
We have been pushing for Phorm to remove this content for quite some
time now. PI does not work for companies, nor do we endorse products.
Two of PI's staff members, in a private venture, advised Phorm of the
serious risks that their technology raised. We are pushing for Phorm
to disclose this risk assessment.
To avoid any conflict of interest, we have notified our Trustees and
International Advisory Board of this activity.
The reality is that PI's accounts are so weak that we must often fund
ourselves through other ventures.
Keep well...
ISPs won't want to miss out on this money making scheme. All they will do is create a two tier system. If you are ok with ads then you only pay current rates and by paying this rate you opt-in. If you want to keep your browsing secret you will have to pay "enhanced" rate of probably 3 times this. :(
I just opened a ticket to opt out and here is the reply:
Thank you for your e-mail dated 3rd March '08. It has been logged under the reference number BLAH BLAH BLAH. As I understand from you e-mail, you want to opt out of BT Phorm.
I regret to inform we, being the broadband technical helpdesk, do not have the adequate resources to terminate your BT Phorm subscription. Hence, issue needs to be taken care of our dedicated BT Broadband Technical Helpdesk on 0845 600 7030 (open 24 hours / 7 days). They would investigate into the matter and if necessary, they would transfer the call to our Yahoo! Helpdesk.
For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site http://www.bt.com/broadband/help
Thank you for using BT Total Broadband Support
BT Total Broadband Support
Notice the phrase "Your BT Phorm Subscription" I don’t remember subscribing? By the way the incorrect spelling and grammar have been left in place!
Yay! and they're even using the correct Registerese - 'data pimping'. Let's make sure that Phorm, BT and 'data pimping' become part of daily conversation:
http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547
Now I wonder if they'll run the story on the television news?
Those are fair points that you've made. Point (a) is the one I really have to agree with. It took a bit of effort to explain to my housemate (he's the type that tries to login when "his bank" email him).
I have just found that it's been mentioned on Channel 4's new website:
http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547
Regarding the proprietary system you mentioned, not only could they be breaking it (I imagine that inserting cookies into the response could break checksums too), they are eavesdropping on something that is not supposed. (Using their highly dubious logic that our HTTP streams are theirs to snoop)
This webwise nonsense is a complete joke. Switch to OpenDNS and you get warned about phishing sites for free without OpenDNS having to examine all your data. This Phorm lark is pure evil. I'm a VM customer, does anyone have the great Beardy one's contact details? I think a number of concerned customers complaining to him directly about how his integrity and brand image will be damaged by this might achieve something.
Arturo Toromolusco
No... comment! But forgive me I've been totally rebuked for even mentioning using my partner's name in trying to publicise this. But seriously so many people on here have mentioned writing to the likes of the BBC, and I myself have written to several news outlets, and the only people running the story (and duly crediting El-Reg) are Channel 4 News:
http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547
Spread the word!
On the subject of tuning a survey by "Anonymous Coward",
think back to the last time you completed an employee satisfaction survey for your employer, every company I have ever worked for which conducts those surveys always seems to miss out the fundamental questions. Funny, how those surveys *always* show that the employer is doing a good job, and the employees are nearly entirely happy.
The "opt out" doesn't stop phorm snooping the traffic, and therefore it being exposed to interception.
Would you be happy for all your phone calls to be routed through a single building on the Thames near Vauxhall (coincidentally next to MI6's HQ) if you were told that typing something at the start of the call would stop anyone listening?
The network diagrams that el-reg has shown imply that ALL TRAFFIC goes through the phorm devices - regardless of any opt in/out. Therefore all your opt out does is stop them sending you the ads, it DOESN'T stop them seeing your traffic.
Virgin Media Ltd
PO Box 333
Swansea SA7 9ZJ
4.3.08
Sir,
I forbid the collection of data concerning the use of my computer and its connections for any purpose whatever beyond that which is necessary for billing or monitoring for technical faults.
In particular I expressly forbid for passing any of my information to Phorm, (or any like organisation), for any purpose whatever.
This letter may be taken to over-ride any past or future conditions in your End User License Agreement.
Yours faithfully,
Paris because she can cover me any time she likes
Just off the phone with BT to request my MAC code - sadly I'm still under contract for 3 months. When I told them why I wanted to leave no one knew what I was talking about. After speaking to customer options I was told BT have not released any press releases and that the one on Phorm's site has nothing to do with BT. Strangely when I asked to speak to someone higher up about the situation no one was available as they were in meetings all day and will be going home after.
You just have to love the communication within BT. Roll on June so I can leave lol
So they are quick to claim that once they know about the *cough* added security features *cough* of the system most of their customers are happy with this. So my next questions are as follows:
1. Were the quizzed customers told that this "value added service" breaks the following laws:
a: RIPA
b: DPA
c: European Convention on Human Rights
d: Trespass of Chattels
e: Computer Misuse Act
2. Were the quizzed customers told that the above laws exist to prevent exactly this type of thing and by giving their consent they are giving BT/Virgin et al a means to contravene important civil rights and legislation?
3. Were the quizzed customers made aware that even if they decide they have had enough of this system so they take the blue cookie to opt-out but in fact all their web traffic is still being intercepted by their ISP and Phorm but they promise not to use it?
4. Were the quizzed customers told about dark and shady past of Phorm Executives with regards Spyware and Malware?
5. Were the quizzed customers residents in the local Coma Ward of their city's hospital?
Incidentally, now with news that the profile is built on the surfers machine, it adds Trespass to Chattels and Computer Misuse Act to the number of laws being broken by this money making scam. Especially if a user opts out and especially if the terms do not specifically state that the service is altering the behaviour of their computer and installing 3rd party software.
I said it once, I will say it again, BT, Virgin and CPW customers need to grow some balls and tackle this through the courts, especially BT customers who were allegedly already caught up in this through the secret BT trials last summer.
Until they grow some balls, nothing will happen and the plans will go ahead.
It astonishes me when I see people making comments (like several in the previous articles) saying things like "If BT go ahead with this I will be leaving them." IF? Leave them NOW. Don't worry about contracts they already boiled their eggs on that one by running secret trials last summer.
The real question is, are any of these companies not scum? Can any of them be trusted in the slightest? If they're offering you a free service, you can bet it's not just to make your life easier.
Would you trust an ex-con that'd been convicted for multiple burglaries to hold on to your house keys?
I have issued a letter to my ISP withdrawing any permission for them to share my personal data with a 3rd party, or ship said data overseas.
I now have plans to have fun.
Each time I get a call from an Indian call center a complaint will be raised with the data protection people.
It will be fun to take action at a European level once phorm is implemented.
If I leave and find another ISP all the future fun will end. So I plan to fight from within and who knows become richer to boot.
Just a thought?
The excuse for Phorm is it is to make surfing safer and stop Phishing.
Errrrr is it not the same ISPs who do bugger all to clean up / block the spam in the first place who are the cause of the phishing in the first place?
Paris because with all the Viagra, and make it bigger cream I will make her very happy
Another BT man commented anonymously on our last Phorm story, to say the firm is telling worried staff via its intranet: "--Others like you feel different.
"We will monitor this carefully and see what the experience in practice will be and evaluate seriously."
If the "BT Man" cannot even express him/herself in standard English (Different/differently), or even in English
"We will monitor this carefully and see what the experience in practice will be and evaluate seriously."
what hope is there for the average Labour government educated semi-literate semi-numerate computer illiterate?
I'm a bit confused here.
BT and other ISPs claim they are common carriers and can't intercept the bits of customers to actively hunt out illegal activities such as the trafficking of paedophile images. Instead, they insist the police get warrants to tap specific data.
But along comes Phorm and all of a sudden common carrier be buggered, BT say it's perfectly possible to intercept data in order to earn money.
If I was in the Home Office, I might be asking questions why BT and other ISPs aren't willing to help crack down on serious crime when they clearly have the tools to intercept paedophile data in real time.
Sigh.
BT and Virgin get money for targeted advertising, and we get... more adverts. Great deal guys.
I'm going to write to Virgin and withdraw permission for them to use my details.
Call me paranoid, but in the past day or two I've noticed odd browsing behaviour. Sometimes, when I request a link, I immediately get told the server cannot be found. If I try again, it works without question. This is even after I switched to using OpenDNS as my DNS.
This whole episode has now soured me on cookies - I now block all cookies, except for those originating from trusted sites. Given that 90% of them are used for tracking and adverts, I couldn't care less.
Let's hope other national news outlets pick this story up - it's important that people hear what BT, Virgin and CW are willing to do with their private data for the sake of money.
I doubt that "BT know nothing" - they're past the trial stage which means they have already committed breach of contract (read the comments higher up). You can put them on the basis of these press reports in breach of contract (in writing) and ask them what compensation they propose. I doubt you get offers (expect a whole lot of bullshit instead - that's what they pay lawyers the big bucks for) but once you've done that you may then propose they call it quits - the contract no longer exists due to a unilateral breach of conditions on their part so it's going to be rather rich if they still try to hold YOU to its terms.
However, IANAL. Get some legal advice, best with a couple of people together. There's nothing a company likes less than collective effort..
However, part II - where else are you going to go? Do you *really* think you'll be able to escape the clutches of anything that promises easy earnings? You're in the UK, you know..
Well I've stuck by Telewest/VM for some time now. Through losing Sky1, through traffic management, even through putting up no contest when asked to divulge my personal details to Davenport Lyons so they could attempt to blackmail me.
They've had their 3 strikes, I'm not giving them the option of auto including me into this b******s.
The question is though, who the hell can I move to?
Anyone know what copyright law would have to say about them making a copy of the pages to pass on to phorm?
From a quick read on the IPO site, it does not meet any of the copyright exceptions. If it can be classed as the distribution of an unauthorized copy to a 3rd party, webmasters could possibly put a stop to it.
Would the fact that they are making money from our content (by building profiles from it) make it easier to prosecute? Would those profiles become derivative works?
I know if BT were to host our content right on their servers without permission or sufficient acknowledgement, they would be guilty of copyright infringement whether it was seen by 1 or 20,000 people.
I don't know about UK law, but I suspect in a lot of jurisdictions that server logs are considered "business records" rather than "interceptions".
Whether or not they would be subject to other privacy laws and the like is another question.
I suspect if the good professor's interpretation were correct sys admins could not do things like run tcpdump to debug problems. I.e. I think his interpretation is likely too wide and would not stand up, as it would not be in the public interest.
Re: opt-out, opt-in
Opting in would give BT "reasonable grounds to believe" that you have consented to the interception - but not opting-out would not, as failing to object to something is not the same as granting consent, and granting consent, or a reasonable belief that that has happened, is what is required under the Act. And accepting a cookie you never see on your browser is not granting consent!
However, in any case the granting of consent must be done by _both_ parties if it's to make the interception lawful:
Re: What about the data being sent by websites to the customer?
_Both_ the sender _and_ the intended recipient have to agree for consensual interception to become lawful under S.3(1).
I raised this very point with Peter Sommer last week, so I doubt he got it wrong - but perhaps he thinks the data is only looked at if it comes from sites which have agreed to Phorm intercepting it, and only when the customer has also agreed - though that is contrary to the little we have been told of how Phorm operate...
Re: Difficult Call- Contradictory RIPA :
S.3(3) The "purposes of a telecommunications system" - and note, it's a system, not a service or an ISP - are defined in S.2(1) to be the "transmission of communications". There is no "out" here for storing or passing on anything more than traffic data.
S 1(6) is about private telecomms systems - BT is not a private telecomms system as far as RIPA goes. There is no contradiction.
I can't see anything which would or even could make the interception lawful.
In fact I can't see any grounds to suppose what they are doing could possibly be considered not to be interception, or could possibly be considered to be lawful interception - and unlawful interception, unlike most breaches of the Data Protection Acts, is a criminal offense punishable by up to 2 years in prison.
Which is where they belong. All of them. Though whether the wimpy Commissioner, or the DPP, will agree to a prosecution is another matter ..
BTW, if you want to break your contract with BT, Virgin etc - this is good grounds to do so. They are breaking the law. It's also good grounds to sue them .. :)
Perhaps the best way of ensuring that Phorm doesn't get foisted on the customers of BT, Virgin Media & Talk Talk is for those users who have been unfortunate enough to be on the BT pilot to get themselves a packet sniffer to gather evidence of the intercept and then make a formal complaint to the police. Once the directors of Phorm & BT get to spend a night in the cells they may wish to reconsider their plans.
http://www.met.police.uk/computercrime/index.htm might be a useful link for anybody considering doing this.
Previous US & overseas commentators with questions such as "don't you guys over there have data protection" WATCH OUT - Phorm have their sights set on expansion:
ISP Ad Partners NebuAd and Phorm Eye Overseas Expansions (NY Clickz)
http://www.clickz.com/showPage.html?page=3628633
So surely in order to start snooping on everyone they'll have to make a contract change, which it is "assumed" you accept by continuing to use the service? If they do this then you have the option to freely get out of your contract without any charges (it's a clause in most contracts like this that if the terms are changed, you can opt out freely).
Personally I'm happy NOT to be with any of these ISPs. I sign up to the TPS and MPS so I don't get junk mail or "marketing" (i.e. telesales) calls, and all they are doing is exploiting their customers to find other ways of spewing out garbage "targeted" ads at them. Like the "targeted" advertising that arrived offering my dad life insurance 6 months after he had died for example......
They still don't seem to get that if most people WANT something online, they already know how to search for it.
@Pie Man
Your boyfriend can have this copy for nothing:
THE SPY IN YOUR LAPTOP!
UK's major internet companies want to sell your private data to pornographers
“My 10 year old daughter was researching battery farms and up popped a great big cock”, shrieked a distraught mum.
A spokesman for the PM said, "Once he was made aware of the facts he began to look nervous, but regained his composure to say that it is 'totally unacceptable' that a private company had thought about this before the Home Office."
Paris, because it's happened to her.
Aside from the nastiness of handing over private records, I'm fairly sure if someone was following your every move you could get them stopped on grounds that they are stalking you....computer or not... you have the right to go about your life without that kind of attention.
Several people have asked "If not BT et al then who?". In the comments on another article on this subject I mentioned that I asked PlusNET if they were going to do this and they gave an unequivocal "No we are not". Despite the fact they are owned by BT.
As for whether wget will get caught, I'm not sure we know enough about the system to say 100%, but from the network diagrams, the wget traffic does at least pass through their equipment, so the Phorm system would seem to "see" your wget traffic, even if it doesn't note it down.
(Black Helis because the subject matter deserves it)
@Jason Tan,
I think sys admins working on a system for a business don't fall under RIPA because of the contract with work, working as part of their job to process lawfully as the company wants. They are in effect colleagues and staff working on data for the company or by contract for that company, legally covered and permitted under law by that contract.
BT being an ISP is a service, not a sys admin. They provide your internet connection so your data isn't something that they can consider theirs to work with as they see fit. Which includes tracking and selling it on. BT are third party and not colleague or staff. As a service provider you don't expect them to record your phone calls without first telling you or tap your calls in secret without some legal entity giving them an order. You can omit from them recording calls by not calling them, you can't omit from being bugged as the police are doing it, but you know they had to ask a judge etc etc.
Imagine a bus driver as part of driving you back and forth on his route also wanting access to your shopping bags and to see what you are carrying. It just isn't done.
This nonsense has to stop.
BT think that its customers want this to happen... Rubbish, and the bit about the profile is built up on my PC????
So MY CPU power and my electricity is being used to work out their logic for selling their products, earning them more money, and I don't get a cheaper bill at the end...
JOKE!!! must be a joke... There is a punch line somewhere.
BT are very soon to lose a customer as everything I hear makes me more nervous.
How did you guess it was the Daily Star!
Interestingly, much of this may already be going on in parts of the world (who knows where) using a less technologically-intrusive system but arguably just as worrying:
"Is Your ISP Selling Your Clickstream Data? Do You Have Any Privacy At All?"
http://www.techdirt.com/articles/20070313/213014.shtml
Whoever set up the petition, maybe it should be calling for a Public Enquiry into technologies used by data carriers to profile customers, the privacy of data held and adequacy of current legislation in light of this. A second petition would dilute the first, but maybe put a clear message to parliament?
If you ever want to use BitTorrent again, don't touch PlusNET with a bargepole - they may not be using Phorm, but that's because they've already invested in the deep-packet inspection monster that is Ellacoya. I wouldn't mind if they throttled your traffic after you hit a certain usage limit, but they do it ALL THE TIME, indiscriminately.
I'm not a heavy user (15G/month) but I want to use the web for What I Want, When I Want - that's why Zen are good for me - I pay for 20G and I use it how I like, none of this 'unlimited' sales bull.
Who really takes data protection seriously?
ICO Website is pretty rubbish searching for the Data Controller for British Telecom. Try it yourself.
Now try the BT website:
You searched All of BT.com for data controller
No results were found from your search.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords.
* If you are searching with three or more words try using just two or try advanced search.
Alternatively, if you're looking for a phone number, you can check The Phone Book online.
Apart from all the other problems, I was especially struck by your quote from BT's FAQ: "Once you have opted out, the opt out cookie prevents any of your browsing from being collected,".
Does that mean that if you have sensible privacy settings which, for instance, delete all cookies at the end of a session, that you have to opt out again at the start of every browser session? That is NOT a reasonable opt-out option. If they're sticking hardware in the stream to get the info, they can bloody well remember who has opted out at that level.
If anybody has taken the time to actually read the EY audit, the penultimate paragraph is quite interesting...
"The projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls..."
This, to my mind, sounds like them saying that yes, in its present form there is no harm done, but once it is installed and everyone is used to it, they can change the rules to collect private data.
----
A profile of interests is built up on your computer, rather than Phorm's.
----
That being the case set the folder to "read only" - see if that scuppers it?
----
I'm not a heavy user (15G/month)
----
I nearly choked on my Weetabix, or would have done had I read this earlier - to me, 15 gig a month is HUGE. I use less than 2, normally less than 1 unless there's a lot of patching that needs doing; the only time I've used more than 2 gigs in a month was when I was beta testing a new game and had to download it in its entirety.
What do I use my Internet connection for... Online gaming, a bit of surfing and web development mostly. All of which, unless there's a round of patches, by their very nature transfer quite small amounts of data (when compared to say, streaming/downloading video).
Frankly I'd love it if Virgin Media switched to a pay-per-gig type service - I could potentially save a fortune.
I'm hoping VM realise the shitstorm implementing Phorm could generate once people understand the implications and that they scrap the idea. If not, I'll chip in for the inevitable lawsuit. I've emailed VM and am awaiting a response (surprise).
Now for everyone who says "change supplier then" - realistically, I can't. I live in a flat, I hold the long term lease but the building itself is still owned by the council. To get HDTV I need either Sky or VM. To get Sky I'd have to get the council to allow me to get a dish installed - and they're quite anti-dish so it'll probably not happen.
So my options are.
1: stick with VM for the tv, get a BT phone line installed (as well as the cable one) and pay both VM and BT for phone lines.
2: ditch VM and put up with just the Freeview channels, lose VMs tv/films-on-demand and catch-up tv - get a BT line installed etc.
3: stick with VM
Besides, I honestly think cable is the better technology and I'd rather stick with cable than go back to DSL - at least when I moved into the flat I had a choice of cable suppliers (it was before the NTL/Telewest merger).
AC coz it's all about the privacy, innit?
Had it nailed when he said....
'Hands up all those that work in Sales & Marketing'.....
To which x percent of audience puts up hands...
'Kill yourselves, I'm not joking, seriously, kill yourselves'
He wasn't joking and he was right, People who work in Sales and Marketing add no value whatsoever to society. They are merely a drain on and a pain in the ass to the rest of us.
With the Phorm thing, you are all wrong- if you bother to actually do your research then you'll get a different picture- Why not be more concerned about the secretive Ellacoya or even Google's 24-month profile retention? Phorm doesn't even keep data- it's trying to reverse the belief that you have to keep massive detailed profile to advertise or anything else (and I know that you hate advertising but be realistic- it's not going away, especially with the 'free broadband' wars pushing profits down and out).
As one of the PI employees sent to look at Phorm (though I'm not allowed to reveal my identity (NDA)- and we feel that 'endorsed' is a bit of a strong word) I had access to their proposed technology and I was impressed with what they are intending to do- it is in my view a step forward in what has been a downhill battle for privacy- not as private as I would want but definitely against the flow of all the other data squirrels.
Obviously you have realised that porn and the 'sensitive' material will not be read- as the system only recognises pre-defined words/matches. I'm depressed that the rest of the tech community are attacking the one thing that I thought they would consider sensible, but they are too paranoid as ever.
Ads will not be unlawfully changed-they'll just earn more for the website owner...
If you opt out then they would not legally be able to even scan your data for wordmatches- that'd be suicide so as a commercial company they wouldn't.
It's not infringing RIPA- they passed an investigation months ago..
In fact almost all the problems that you sheep worriers have are not even slightly founded- it's all misinformed- go do proper research not wildly inaccurate speculation
Oh and the whole CHINESE SERVER thing stems from a MUPPET searching for a trace on OXI.com, what a TOOL.
The thing that depresses me most is that you probably won't even believe an analyst like me who has actually researched the system but that is the truly depressing thing about the 'true online community'- they spend so much time worrying where the next threat will come from they attack the wrong threats with the wrong information...
"To get Sky I'd have to get the council to allow me to get a dish installed - and they're quite anti-dish so it'll probably not happen."
Not true. You can get "internal" sky dishes now for exactly this sort of situation. The receiver sits on your window sill.
You basically have no options, if you want to retain your privacy, you need to leave Virgin, it's as simple as that.
You are not the only person to have such knowledge of this subject, although if you really do work for Privacy International then granted you have a privileged insight to the actual technology being used by Phorm that I don't have access to.
I do however have many years' experience designing and developing software systems and can tell you that beyond all doubt there will be several software updates. Once the infrastructure is in place it offers yet another opening for either malicious or well-meaning persons either within or outside of the ISP to add a new "feature" to the system.
On a point of law, interception is interception. Discussions with the Home Office or anyone cannot preempt how the law will be interpreted by a court if it is ever tested. From what I know of RIPA it doesn't matter if the end use of the data protects the privacy of the individual, it's the manner that communications were intercepted. Was the interception necessary to route the data? Was only the carrier involved with the interception, and if not, why did the carrier need to involve a third party?
And finally, as a purist from a protocols perspective you shouldn't have the carrier injecting anything that is not needed for the purpose of routing traffic into a transaction between the server and the client. It opens up the system to a whole host of abuses which could include overlay etc. The content of the stream sent by the server is owned by someone, it's not up to an ISP to inject anything, even so small as a cookie, into this stream. Purist I know but without rules and principles we wouldn't have such a rich and wonderful thing as HTTP/HTML etc developed from scratch by mass participation in a relatively short time frame.
Oh, and I still don't see how an organisation dedicated to protecting privacy can argue like you do that a simple profile of interests does not breach privacy just because it's only against selected keywords.
Even seemingly innocuous data such as a person's movie tastes can give away a person's political and sexual persuasions; rights enshrined in Human Rights legislation, as described in the debacle following release of anonymous survey data by Netflix:
http://www.techdirt.com/articles/20071130/114005.shtml
'Robin' an interesting and thoughtful response which may damp down some of the hysteria but many unanswered and worrying issues remain, including:
The deliberate secrecy of BT, VM and TT around their plans and deliberate obfuscating of the page tracking behind the virtually worthless anti-phishing marketing story;
The undeniably shady past of the company principals, re spyware, rootkits and 121;
The overenthusiastic spin on privacy including reference to a PI endorsement - which you admit does not exist - and an E&Y endorsement that is so caveated as to be virtually worthless going forward;
The apparent lack of any ongoing supervision to prevent deliberate or accidental changes to the use made of the collected data;
The fact that all webpage data will be potentially available to phorm/OIX irrespective to what they have demonstrated to you and others for 'day 1';
The fact that the 'opt-out' capability described for webwise does not prevent your data from being collected, only ignored (for the time being);
The concern that unsuitable ads may be targeted at different people using a single computer (not just pr0n!);
The 'Chinese Servers' may or may not be incorrect but in fact nobody knows where the company will operate. (The UK address of phorm is a serviced office block).
While these and other questions remain it is sensible for customers to be concerned and to err on the side of caution. The fact that the phorm approach may be 'less bad' than others is hardly cause for celebration.
I can't believe it, TheReg rocks and keeps everyone's posts.
However all those law references posts by IATL in that Guardian tech thread you posted in today PieMan have all been removed, they don't like truth only their version of the truth apparently.
Lucky most if not all the law parts were also placed here by several good users, so if you want some real insight, TheReg is your place to find it.
http://www.ispreview.co.uk/talk/showpost.php?p=198873&postcount=5
"...
we are fully confident that our system complies with the Data Protection Act, RIPA and other applicable UK law
..."
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-39.html#post34501036
"None :
Well here’s something interesting. Reading the comments here - http://www.politicalpenguin.org.uk/blog/p,297/#comments
Note comment 7 is a response from someone on the tech team at techteam@phorm.com
The part that interested me was this,
“Re the opt out, if you opt out — or switch the system off, it’s off. 100%. No browsing data whatsoever is passed from the ISP to Phorm”
So they say that once opted out that no data passes to Phorm. Interesting. Still don’t believe it, but interesting statement nevertheless.
__________________
Learn more at www.badphorm.co.uk | Get tooled up at www.torproject.org | Complain to Virgin with this template | Sign the e-petition at http://petitions.pm.gov.uk/ispphorm "
To make it easy for non-techies to see what is going on here, let me explain it in the context of a system everyone knows about... the phone system.
Imagine that your TSP (Telecom Service Provider) decides to make some extra money on the side by allowing "Targeted Advertising" in the same way that these ISPs (Internet Service Providers) are with Phorm.
So here Goes:
You make phone calls to your Wife, your Doctor and your Daughter, with the new service, "The Gold Standard in Privacy" Phrom...
What happens is this:
Each time you call, someone from Phrom taps the line and listens in, they have strict instructions to write down all that you say, except numbers with more than 3 digits (to protect against the accidental collection of social security, telephone and credit card numbers), email addresses and calls to your Bank (if you use your scrambler) and to listen for certain key words (which they say will help them send you targeted advertisements tailored to you).
So they hear that you are talking a lot about "Top Gear" and mention "Audi" and "Bentley" so the Profiler writes down "Expensive Cars" - Not against your name but against a "Number" all of the time you are on the phone talking, the profiler keeps listening and adding to the different categories about you.
They also do the same if your children make a call or your grandparents or if you call your Doctor.
Now as soon as you hang up the Profiler is supposed to destroy the notes he took of the conversation
So all of the following should be destroyed:
The time of the call
The number you called.
The details of the call e.g. who you called and what you talked about.
Your Name and Number.
In return for you very kindly letting the Profiler listen in to your calls you get a SupaDuppaService from Phrom, it's called WebSpy and it's free!
How WebSpy Works:
If the Profiler listening into your calls notices that you have called a dodgy number in Russia, which is suspected of terrible behaviour, (like bugging your phone), then the profiler will shout at you to hang up.
How Phrom Targeted Advertising Works:
From time to time the guys listening into the calls you are making will notice that you have called one of their members numbers.
The member will, without you knowing, pass the Profiler a note asking what you like.
Then the profiler will shout at you to buy an Expensive Car from this guy.
Wow what a great service that is!?
It's certainly worth giving up a little bit of privacy and having someone from Phrom listening in to all your calls isn't it?!
Notes:
"Phorm's systems collect browsing information such as URLs visited, search terms entered, OS version, relevant keywords of a particular page and randomly-generated unique Ids.
Sorry, I am not posting as Iamthelaw. I'm posting as simplepieman as always.
Interesting though that they've been removed. There appears to be a concerted effort of Phorm proponents to discredit the tin-foil-hatters. I have a new CONSPIRACY THEORY!
Interesting also that Robin Zaker above noting that "tools" who accidentally looked up oxi.com [sic] and accidentally thought the Phorm servers were in China.
Well obviously oix.net, used by Phorm, is registered in New York and uses a Gloucester-based ISP, and the whois record last updated 07-Dec.
The China rumour is possibly that, a rumour, that Phorm will use to its strength.
Bootnote:
So what about oxi.com and oix.com (both for completeness)? oxi.com is presumably a typo by Robin Zaker, it's registered and served from NY State, whois record has not been changed since late 2007 and the owner seems a well established firm
HOWEVER, oix.com IS owned by Phorm, and whois record was last updated 29-Feb-08 AFTER THIS STORY BROKE ON 14-Feb! No proof here, but if Phorm are going to use the .com/.net distinction to counter the China claim what can we draw from the whois record change on 29-Feb-08?!
I feel this is an invasion of my privacy and human rights. I have signed the petition about this for Number 10 but feel these ISPs need to do a total rethink on this. The advert I watched about Phorm filled me with so much horror it was as unconvincing as all those Tiscali TV adverts.
This type of thing should be opt-in only not considered you have opted-in since you didn't go and opt-out.
When you get spam emails you never go to the opt-out link since that proves the email address is correct. This is no different. I signed up to TPS to stop cold calls over the phone, I use adblocker and regularly check for adware on my pc. My antivirus and firewall both have antiphishing so why do I need the spy on the net trying to target adverts I don't want towards me.
I'd pay more attention to Israeli firm Allot, they have monsters that even Ellacoya get nightmares about.
I still find it ridiculous that there is this belief by companies that adverts make the internet experience and that their being relevant to what you are browsing actually enhances this experience.
In the words of the late, great Bill Hicks (since he was invoked earlier in this thread) "allow me to *bang* pop that fuckin bubble".. adverts are an annoying noise that many people simply filter out (either mentally or thru software) ads and the spam that ensues often detracts from the net and is usually seen as a necessary evil that allows the majority of sites to keep running.
I look forward to a day when we can figure out a mechanism for funding websites without the need to suckle at the teat of the advertising industry.
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-48.html#post34502306
"Hi all
I work on behalf of Phorm here in the UK. Many of you may already have seen it but if not there is a transcript of last night's live interview with Phorm's CEO at http://www.webwise.com/chat as well as a Q&A session at http://www.theregister.co.uk/2008/03...rgess_ertegrul
Rgds
PhormUktechteam
"
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-49.html#post34502409
"Hi all
I work on behalf of Phorm here in the UK. Many of you may already have seen it but if not there is a transcript of last night's live interview with Phorm's CEO at http://www.webwise.com/chat as well as a Q&A session at http://www.theregister.co.uk/2008/03...rgess_ertegrul
Rgds
PhormUktechteam"
"down the thread, paul Nolan
...
but frankly TechTeam and PhormUKTechTeam, as far as we know has no detailed knowledge of the workings of ISP's data capture Phorms patents, and the like.
Maybe they're just passing on uninformed propaganda meant to mislead us and stall on complaining to the ISPs involved."
sorry about that
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-49.html#post34502409
should read
"Thanks Mick
To be clear, yes I work for an external agency for Phorm - a UK PR agency.
My job is solely to take the information Phorm is making available - the interviews, the Q&As etc and place them into these discussions.
I believe I am totally open about this - my log in name is pretty clear, and the first line of my introduction clearly states who I work for.
It is my job to simply present the facts about Phorm."
Come on, there must be a good solicitor who reads this column who cares enough to muster up (for free) a BRILLIANT anti Phorm template letter that we could all copy that would definitively serve us well in a mailing to our ISPs to get under their skin due to the sheer volume of mailers.
hi chris ;)
It would seem from a RIPA POV pretty simple then.
If they don't get 'explicit consent of ISPs' users' and a website owner were to place a notice on a webmaster's pages to the effect of, they do not allow interception by Profiling electronic devices such as the Phorm system, then any 'Targeted online advertising services' are a no go end of story.
Might be advisable to keep an eye on those T&Cs though, don't want your consent auto inserted in there while you're not looking do we.
Like I keep saying send that DPA notice removing consent for anything outside the basic supply and billing now and in the future, to be sure to override those auto inserted consents.