I don't just want to avoid Phorm....
...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice.
In a fresh blow to its hopes of winning consumer acceptance, a top three anti-malware firm has said it will very likely include Phorm's targeting cookies in its adware warning database. Trend Micro told The Register: "The nature of Phorm's monitoring of all user web activity is certainly of some concern, and there is a very …
Indeed, if I enter a password for a website, e.g. a blog's admin system or my webmail etc, then that's certainly not a public page that should be able to be read by Phorm (or anyone except me). What about all the people who rely on obscure URLs to hide things. Not good security practice, sure, but they're not intended for public consumption.
as a definitive statement or interpretation of the law, which only the courts can give."
So they'll most likely go ahead anyway, until someone takes the fuckers to court, where they'll most likely employ the usual army of expensive briefs and "experts" to defend their position.
And win.
Back to pen & paper and the scud-mags then!
Mine's the long, dirty, brown Mac (No, the OTHER kind of Mac, fuckwit!)
I've just finished sending off my latest email owning VM tech support.
The first reply was just "go away, there's nothing going on" signed by (Your Name)
Second was a link to the original Reg article and signed by (Your Name)
Third directed me to the VM Q&A, which answered none of my questions, but at least "Julian" paid attention to me mocking them for failing at email templates.
Fourth reply suggested I use ad-blocker software, but did admit that no-one at VM tech support has been told anything about what's going on, and does quote from the Q&A that we "will have the choice to keep their internet experience exactly as it is now".
Until I get an unqualified yes to the following question, I'm going to keep harassing them:
"Will it be possible for me to ensure that none of my data enters any hardware or software system owned by, operated by or supplied by Phorm or any of their aliases or subsidiaries?"
The Microsoft definition of adware:
Advertising that is integrated into software. Adware is often combined with a host application that is provided at no charge as long as the user ...
www.microsoft.com/security/glossary.mspx
The F-Secure definition of adware:
A type of Advertising Display Software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and therefore may also be categorized as Tracking Technologies. ...
www.f-secure.com/security_center/malware_code_glossary.html
Just because the software is on the ISP's server, not your PC... need I say more?
It is an unwanted intrusion on privacy.
Sign the petition at http://petitions.pm.gov.uk/ispphorm/
And complain to your ISP; BT's complaint page is a link on http://www2.bt.com/contactus
I understand that lax business practices have dropped the price for internet connectivity to below cost. Please allow those of us who care to pay 20% above cost instead of being sold to the highest bidder.
Seriously. The policy here is that because they're not charging us enough they decide instead to sell our things without asking? In what universe does that make sense?
of my new 12-month contract I agreed over the phone 3 or 4 days before the phit hit the phan. I have not yet had a response to the question:
"Did the contract I agreed to verbally contain any notification that all my data was going to be intercepted"
Nor have I had a response to the question:
"If you are going to change the terms and conditions of my contract to include a clause along the lines of 'please feel free to intercept all my data and profile me' will I be able to cancel my contract because I would not agree with you doing this with my data"
I haven't even had an answer to the question:
"Since I assume you have stitched me up tighter than the Manx kippers I brought back from the island last week and I have no way to cancel my new contract without penalty, could you please tell me how much the penalty clause is for early cancellation?"
I'll let you know if I get anything other than cut & paste replies.
"Phorm and its ISP partners have all stated repeatedly they believe the system to be 100 per cent compliant with RIPA and the Data Protection Act."
They can believe in the *&%$ing Tooth Fairy, for all I care; it doesn't make them right. What they propose is an illegal wiretap - we shouldn't even be discussing this, we should be screaming for the ISPs' and Phorm's directors to be arrested if they so much as try it.
I fall for the whole thing and let Phorm monitor my web usage and supply ads related to my surfing habits. Nice. Then the wife gets onto the net for 5 minutes and all she sees is ads for pr0n sites.
Who's she gonna be looking at? Hmmmm? ANSWER THE QUESTION MISTER!!!
Mine's the one that's been slashed and dumped in the garden with everything else I own...
I don't want to pay any more! I want to pay the same amount of money, and get the service that I should be getting - no interception for any reason ever, unobtrusive traffic shaping (if you really must), 99.999% uptime, UK call centres only.
Anyway, it's funny to see Phorm in such denial. "It's not Adware or Spyware!", Phorm says, scandalized. "It's useful, it's relevant, it's.... it's...."
It's advertising software, sorry Phorm, you Phail.
Now the question is, as Trend Micro says, is there a better solution to opting out than storing a cookie on your machine? What if I want to remove all traces of Phorm, even including the opt-out cookie? It seems self-defeating, I know, but I don't want any part of Phorm on my computer at all.
PS: can we have an Epic Fail pic? Like the Failboat, or Fail Kitty?
I can see the point of anti-malware reps being miffed at this.
If your whole business model is all about protecting users from being monitored/profiled and spammed with ads, then it's kind of annoying when an ISP and former malware criminal team up to implement a near unstoppable system that encompasses every user.
In that case we may as well let all the profilers have our browsing history and fight amongst themselves to inject the ads.
Part of my interest in Phorm is that we switched to BT from Pipex, following the Tiscali move. We went live THE DAY BEFORE Vulture Central broke the news.
We were happy with Pipex, we were happy to be paying more for a good quality connection with Tech Support based in the UK. (Insert tales of woe about telling non-native English speakers "We know it's not the Microfilters - It's at your end, probably the [frobinator]" here.)
Then we saw Tiscali's prices for new customers, then we saw the line drops, the speed drops and ultimately the customer drops.
So to all the ISPs: Just sell us a good quality connection at a price that will make you some profit. If it costs you more for UK based tech support, then pass the cost on to us. We Will Pay. Cheerfully. We will gladly recommend you to our friends.
Just don't pimp our data or cut corners when we need help.
Please guys also consider the issue of consent in the following cases:
1.) Private email (under RIPA) - both parties to the email must consent, yes? What steps has Phorm Webwise really taken to ensure that every web-based personal communication tool, from corporate email servers to social networks and charities will be blacklisted from examination, when to the servers it just looks like another webpage? The technical arguments about HTML <form>s are irrelevant as message threads can be reproduced as inline text etc.
2.) Protected non-public content accessed via username and password, under copyright law.
And can someone please get onto the Open Rights Group and offer some technical help over this statement on their front page "Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP"
Please explain to them that, since cookies are transmitted in cleartext, and every packet on the network has the originator's IP address, the ISP can with a simple network sniffer easily create a lookup table of ID vs IP.
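To make the point in the post above concrete, here is an added example (not code from the thread, nor anything from Phorm, BT or the Open Rights Group) that audits a constructed capture summary for identifying cookies travelling in cleartext next to the source IP. The line format, the field names and the cookie name `webwise_uid` are assumptions for the demonstration; the real cookie name is not given in the thread. The example also shows the flip side mentioned later in the thread: a request carried over HTTPS exposes no Cookie header to an in-path observer at all.

```python
"""Cleartext cookie exposure audit over a constructed capture summary.

Added illustration only. Field layout, host names and the cookie name are
assumptions, not values taken from Phorm, BT or any real deployment.
"""
import re
from collections import defaultdict

# Constructed capture summary: one line per request, as an in-path observer
# (an ISP-side sniffer) would see it. For HTTPS the Cookie header sits inside
# the TLS stream, so the observer has nothing to read; shown as <encrypted>.
CAPTURE = """\
src=10.0.0.5 proto=http host=example.org path=/ cookie="webwise_uid=A1B2; session=xyz"
src=10.0.0.5 proto=http host=news.example path=/story cookie="webwise_uid=A1B2"
src=10.0.0.9 proto=http host=example.org path=/ cookie="webwise_uid=C3D4"
src=10.0.0.9 proto=https host=mail.example path=/inbox cookie=<encrypted>
src=10.0.0.12 proto=http host=example.org path=/ cookie=""
"""

LINE_RE = re.compile(r'src=(\S+) proto=(\S+) host=(\S+) path=(\S+) cookie="?([^"]*)"?')
TRACKING_COOKIE = "webwise_uid"  # assumed name for the demonstration


def parse_capture(text):
    """Yield (src_ip, proto, host, cookie_string) tuples from the summary."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(5)


def extract_uid(cookie_string):
    """Return the tracking cookie's value if it is readable, otherwise None."""
    for part in cookie_string.split(";"):
        name, _, value = part.strip().partition("=")
        if name == TRACKING_COOKIE and value:
            return value
    return None


def cleartext_exposure(text):
    """Map each readable tracking UID to the source IPs it was seen with.

    Only plain HTTP requests contribute: the UID is readable together with the
    packet's source address, which is exactly the UID-to-IP lookup the post
    describes. HTTPS requests are skipped because the cookie is not visible.
    """
    seen = defaultdict(set)
    for src, proto, _host, cookie in parse_capture(text):
        if proto != "http":
            continue
        uid = extract_uid(cookie)
        if uid:
            seen[uid].add(src)
    return {uid: sorted(ips) for uid, ips in seen.items()}


if __name__ == "__main__":
    for uid, ips in cleartext_exposure(CAPTURE).items():
        print(f"UID {uid} exposed in cleartext from {', '.join(ips)}")
```

On the constructed data the audit reports two UIDs, each tied to one source address; the HTTPS request from 10.0.0.9 contributes nothing, and the request with no cookie contributes nothing. The defensive lesson is the one the thread keeps circling back to: an identifier that is sent in cleartext on every request is not anonymous to anyone sitting on the path, regardless of what the identifier itself contains.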
This just gets worse every day I read about it.
Even if the default option is opt-in, and some BT/Virgin user has done the opt-in, and the BT/Virgin user reads an email (webmail) I have sent to them (from another internet connection), isn't some law still being broken?
They might have asked the Virgin/BT user for their permission to profile/phorm their communications, but they won't have asked the sender to read/copy/profile/intercept the private/copyrighted email they sent to that user via webmail.
Similar to this:
http://community.zdnet.co.uk/blog/0,1000000567,10007508o-2000331777b,00.htm
One thing that ISPs have to understand is that HTTP traffic is used for many more things than private individuals browsing e-commerce sites. Big companies tend to have this mindset that the internet is all about e-commerce ... of course the bits of it that are of interest to them really are, but most of the rest of it isn't.
There are all manner of private status pages and control panels which people use over their broadband line, not to mention the myriad of automated systems which communicate by HTTP (1).
ALL of this traffic will be captured and analysed by Phorm's system, even if you opt out of having your 'browsing experience' enhanced via cookie.
My vote is a big fat NO.
(1) Although fortunately anything obscured by HTTPS should avoid interception as far as I've read so far.
Has *anyone* had a response from BT about Phorm/scumsuckers/WebWise?
I asked a week ago on their 'it'll all be lovely and won't someone think of the children' page and have yet to have a response. Likewise a question to their laughable technical support address has gone unanswered.
"They can believe in the *&%$ing Tooth Fairy, for all I care; it doesn't make them right"
That actually made me choke on my coffee and fall off my chair, bravo sir! :-D
-----------
Surely if the said ISPs change their T&Cs to incorporate this, isn't the user entitled to cancel without penalty, as the new T&Cs aren't acceptable? :-s
TBH I'd be surprised if this takes off, Phorm's share price has nearly halved since this all kicked off - and the more it gets discussed the less viable it appears.
I left BT Intercept (err, I mean Internet) years ago because I NEVER EVER got any response from them when I complained about their crap connection and poor service.
I would be staggered if you are treated any better these days.
One thought, of course, is that if you go down the "opt out" cookie route, you'll get automatically opted back in if you ever clear the cookies from your browser (which I do now and then for no particular reason other than to stop lots of crud building up)
I've got to hand it to the salesmen though; trying to convince their punters that this is all for their own good!
I have been following with interest BTs plans to incorporate Phorm's targeted ad software into the BT Broadband package.
As I do not consider myself to be anyone's "target market" and value my privacy highly, I would be grateful if BT could confirm either:
1. That opting out of the service will mean that none of my traffic will go anywhere near any hardware or software owned, operated or supplied by Phorm or their subsidiaries.
or
2. The substantial change in the Terms and Conditions and Privacy Policy that implementing this system will require will allow me to leave my fixed term contract early with no penalties.
I'm sure they'll enjoy ignoring that.
If you have agreed to a contract over the phone they are supposed to send you written confirmation, and you have seven days from the day after you received it to change your mind. If they don't send you written confirmation you can change your mind within three months and seven days of the verbal agreement - see http://www.out-law.com/page-430#services
I sent an email to the CEO of BT last week and I have received a reply today; reply below (replaced names with xxxx). Sent full emails to El Reg.
If BT intercept any data from my password protected http pages I will sue the pants off them for infringement of my intellectual property rights. The pages are passworded for a reason: KEEP OUT!..........
BT can't answer simple questions just keep forwarding you to their webwise page.
Dear Mr xxxxxxx
I am writing in response to your email sent to BT’s Chairman & Chief Executive’s Office and acknowledged by xxxxxxx xxxxxxxx.
I appreciate your concerns regarding the recent publicity about BT’s trial of BT Webwise. However, I would like to assure you that the proposed service is an “opt in” service. There is no intention to automatically intercept your internet connection data stream in order to collect internet usage patterns. Should a customer choose to take advantage of BT Webwise, BT is very careful to ensure that only specific data is collected.
More information, including a comprehensive questions and answers section can be found at http://webwise.bt.com/webwise/help.html. I can assure you that, in spite of your reservations, the information found there is completely trustworthy.
If I can be of any further assistance please do not hesitate to contact me.
Yours sincerely
xxxx xxxxxxxxx
It's interesting to compare the BT Webwise site:
http://webwise.bt.com/webwise/help.html?_faqs=13,14,15,16,17,18#f13
with:
http://www.webwise.com/how-it-works/faq.html
Apart from putting 'BT' instead of 'ISP', these answers are word-for-word the same. So who wrote them, do you think? (Clue: who has been quoting them in interviews?)
But it's OK, they are completely trustworthy. (Except perhaps for the 'Why do I have to opt out?' question, which mysteriously vanished earlier this week; perhaps that wasn't....)
And curiously (i) webwise.com seems to have fallen off Google...though Phorm hasn't, so it doesn't look like a Google backlash
and (ii) only the BT and TalkTalk logos appear on the Webwise site - Virgin is conspicuous by its absence. I hope this means more than just that VM haven't biked over the logo artwork yet....
The first comment is my sentiment. Just for fun I've written a JavaScript applet that generates a mix of real and randomly generated web access. I chose JavaScript because I can't think of any way an ISP can easily tell the difference between a script in a browser navigating to a page, and me typing.
Anyone know something I don't?
It's too easy to be true to poison their database.
We can use their system against themselves.
Remember Phorm do not get IP number information. Their "so called" privacy is their Achilles' heel. Well, you're going to love this.
The only way Phorm can ID users is supposedly by a cookie; this is done for "so called" privacy reasons..
Why don't we all use the same cookie? Making the sites you go to pointless, as 99.9% of what their system knows about has nothing to do with you.
All for 1 cookie and 1 cookie for all.
I say we should call this Operation Cookie Monster, yes, like from Sesame Street.
;)
I think Kevin has a good point here - if I am using Webmail, one interception is taking place of the (http) transmission between the webhost and me; but isn't another interception taking place of the correspondence between the sender of the email and me?
I know google et al scan email for keywords to target advertising, but I have agreed to this in the signup T&Cs, that doesn't give the ISP or Phorm the right to use my email contents for advertising. And if the email comes from a person using another ISP host then doesn't he/she have to consent too?
Fancy a laugh at the expense of the investors?
http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=discussion&it=le
Enjoy.
In response to one of the investors whining - "But what have they got to hide?"
Paris says - "well nothing...obviously..I'm for sharing!"
"I can assure you that, in spite of your reservations, the information found there is completely trustworthy."
Oh, that's ok then. We all feel like a bunch of idiots now, imagine, an ex-spyware company misusing the fountain of private information given to them from our ISPs... silly us.
<coughs> lying-t*ssers </coughs>.......
A flame, to cleanse BT!!
Tuesday March 11, 10:47 AM
" LONDON (Thomson Financial) - Phorm Inc (LSE: PHRX.L - news) said it is not aware of any undisclosed commercial reasons for the recent movement in its share price, as it issued a statement to clarify 'some misconceptions which we are taking steps to address' on privacy issues.
The company has been criticised in recent weeks over concerns that its technology, which categorizes web-surfing habits in order to target online advertising, compromises user privacy."
BTW the shares ended up down -11.60% at closing.
Let's presume I'm a retarded cabbage and actually stick with an ISP that shoves this down my throat without joining a class action suit against them. Presume.
So this magic cookie that is the basis of my having opted out of the Pharm scam... Where is it? It can't be on MY PC. Well, it could be I suppose, but what happens when I run my small suite of anti-malware/virus/adware and optimization tools which routinely delete all cookies (with my blessing)? Does this magic cookie go away? Am I now opted in by default? Do I need to go opt out after every system cleansing?
I call shenanigans. Boo-urns.
this too has an even greater negative effect on the Phorm share price.
I'm not usually one to gloat over another's misfortunes. However, I will make an exception in the case of Phorm. I will raise a glass when they crash and burn.
I am lucky not to use any of the ISPs due to be infested by Phorm. And I have much respect for my ISP. They are not cheap but do provide an excellent service and a UK based support centre.
Respecting one's rights to privacy as I do, I sympathise with the victims of Phorm's bad practice. And wish you well in dissuading your respective ISPs from this gross invasion of privacy, or finding an alternative provider you can trust.
Good luck with this.
Re the Home Office letter:
Paras 6 and 8 seem to confirm the view that Phorm are doing interception as defined under RIPA.
Para 9, I am guessing, applies to the non-processed data from opt-outs. But I don't think it is sound; the filter belongs to the 'person' (Phorm), and even though the person elects to do nothing with it, they could have processed it, so it has been made available to them. You'll notice that Phorm talk about 'our servers' at the ISP, and not about 'our software' on the ISP's servers.
Para 13 makes it clear that *both* ends must consent to the interception, for it to be authorised. So the subsequent OIX use for ad serving is entirely legal. But that is then what the letter goes on to talk about.
Instead, it should be considering the data collection at the ISP; *I* might consent to my end of a session with 'WebHost', but unless WebHost also consents, we have unauthorised interception.
The argument in para 15, for possible implied consent by WebHost, can be rapidly dismissed. Until I contact WebHost, they have no knowledge that a message is coming, and so cannot possibly have consented to its being intercepted unless they have issued some sort of blanket permission for this, in advance; and such permission could hardly be an implied permission.
We then hardly have to consider the second leg, where WebHost reply to me and the communication is again intercepted, without their knowledge. However, if we must, I need only point out that if what WebHost provide is a paid-for, password-protected, service, then the presumption of any implied consent to interception must also fail.
Re paras 16-18, I'd suggest that the lawful interception under 3(3) doesn't apply, as the Phorm data collection is clearly additional to the services needed to provide the ISP service. (Indeed, if it wasn't, then I couldn't be posting here now). And it's stretching the definition to breaking point to interpret it otherwise.
However, if what Phorm are planning is allowable under 3(3), then no sender or receiver permissions would be required, and the recommendation in para 20 would be just that - a recommendation. But it seems clearly wrong that this should be so, and para 20 should be enforceable in law, in my view.
Para 21 remains wrong about being able to assume the implied consent of web hosts. Especially, I would imagine, rival advertising services.
Para 22 I find wrong as well. However, I then have a difficulty in that the spam-blocking service provided by my other ISP, and which I have cheerfully opted into, would also seem to me not to be lawful interception under 3(3). And if not, I very much doubt that the spammers have given their consent, implied or otherwise, under section 2.
Anyone help me square this circle?
I own and operate Spamblocked.com and Kryptonite Hosting, and I explicitly, categorically, and without reservation *deny* to Phorm, OIX, and any other third party who is not an end-user's ISP or legitimate search engine permission to intercept and/or profile traffic sent by my server(s) in response to the end-user's query. I further deny permission for such traffic information to be conveyed to any such third party.
Below is lifted from BT's Webwise FAQ page.
It seems to imply that there are both opt-out and opt-in cookies, and if it can't put a cookie on the machine (because you have blocked them) it seems to assume opt-out, from the below:
About use of cookies in BT Webwise
What happens if I delete my cookies?
You will receive a new cookie from your Internet service provider (ISP) when you go online. You will need to choose again whether to turn BT Webwise on or off. You should return to www.bt.com/webwise and turn it on or off as necessary.
Why does BT Webwise use cookies?
This is so that we can send relevant advertising without learning a customer's identity.
I delete my cookies regularly, and I want to keep BT Webwise switched off. How do I do that?
If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add "www.webwise.net" to the Blocked Cookies settings in your browser. Up-to-date versions of both Internet Explorer and Mozilla Firefox have this capability.
Not sure how it'll work when the service goes live, but they are supposedly ignoring certain browsers that will break with redirection.
So, grab this: https://addons.mozilla.org/en-US/firefox/addon/967
tools -> modify headers -> Add -> 1st box: "User-Agent" 2nd box: "Kent Ertugrul of phorm is a spunk bubble" (without the quotes in both boxes).
Also check configuration -> always on
Now go to http://whatsmyuseragent.com/ and you should see a nice message: "Your User Agent is: Kent Ertugrul of phorm is a spunk bubble"
Hopefully, you should also never see a redirect in your traffic when they switch this service on. Eagerly waiting with a packet sniffer to test it though.
that the general public wised up to this "ISP Internet Takeover" stunt and everyone:
set their wireless access points open,
installed cookie modifying firmware on the router
and enabled local node file sharing server facilities,
the wireless access would auto-hop between access points (and ISPs), set to hop every few minutes, and log-on was all managed seamlessly by a piece of software not unlike "devicescape"...
needless to say all adverts were blocked at the access points and the ISP's stunt left them hated by their subscriber base as they clawed for the last remaining "exploitable ignorant".
...t'was all most strange, but it worked.
Internet Service Providers NOT Advertisement Service Providers
DO. NOT. WANT.
..now then about that 'test' privacy breach?
(originally posted over in 'Mobile' : http://www.theregister.co.uk/2008/03/12/mobile_phom/ )
I see phorm.com has now got links to lots of news stories about them. Strangely enough there are no links to this site! Based on the performance of their share price again today this PR company's doing an outstanding job. :-)
To reiterate my stance on this "service" - phuck off Phorm. DO NOT WANT!
I see a number of people saying BT are going to make this Opt-In based on the email a reader got from the BT CEO Office. Please re-read the email because that is not what was said at all and interpreting it as such is very dangerous and will come back to bite you on the ass.
The BT email states the Trial will be opt-in not the full launch of the service. Given the statement by the Home Office, there is no doubt that BT will make this system opt in by default by simply changing their Terms and Conditions once they go to full launch.
So please when reading information regarding this scandal calm down, take a deep breath and read it slowly, instead of just washing over it and interpreting the information as something it is not.
Also on RIPA, I find it disgusting that the Home Office does not understand RIPA. RIPA requires explicit consent from both parties for an interception to take place, so the Home Office's bullshit about implied consent is exactly that, bullshit.
There is no doubt whatsoever that this "service" is in breach of RIPA and is a criminal offence (why do you think the Home Office didn't commit to their statement in the first place and instead as a bootnote offset their responsibility to the courts?). This was clearly a paid stooge in the Home Office or some close friend/associate (possibly even investor) of execs/stakeholders of one of the companies involved (Phorm, BT, Virgin, CPW you choose).
Given that their share capital was well in excess of £100M before this shit kicking commenced, some people have lost heavily on this and the only people investing that sort of money are ones who have a far reach, the right school tie and friends in high places. Make no mistake, the Home Office statement was a payoff pure and simple, maybe not for money, but at the very least for favours or repayment of an "I owe you one" from some previous political misbehaviour.
Phorm is illegal under RIPA
Auto Opt-In is illegal under DPA
Home Office are talking shit.
Nope. Got ticket and everything. No response from them at all, in fact even their canned response suggests that they can't be arsed :
"We are currently experiencing a very high volume of emails due to increased demand for information and ordering of our range of Broadband products."
In other words, don't hold your breath, your call is not important to us, everything is just peachy.
Cockbadgers. I made my formal complaint on Tue 4, so they've had plenty of time to get round to it IMHO, and tomorrow the serious foot stamping will begin.
Still also waiting on a reply from Trading Standards w/r/t variation of contract Ts&Cs, and a response from my fat lazy useless MP, although since he is basically a NuLabour sock puppet, I'm not expecting much from him. You never know your luck though, and if enough people write to their 'representatives' perhaps at least one of them will find the balls to ask a question in the house, like to see what that would do to Phorm's share price.
Am I experiencing déjà vu?
If not why is this graph making me think of SCO?
http://www.iii.co.uk/investment/detail?type=&display=chart&code=cotn%3APHRM.L&it=le&timeframe=1m&index=&versus=&linetype=line&Go=Plot+&overlay=&overlay2=&overlay3=&overlay4=&indicator=&indicator2=&indicator3=&indicator4=&chartwidth=500
With all the risks already posed on the internet, do we really need another one? I for one am determined to keep Phorm out of my system - it is my privacy and right to do so and I will not and do not tolerate spyware.
Phorm's stance to opt-out is not even democratic since permission is not even sought BEFORE a cookie is placed on a system. Those who propose an opt-in would get my vote, since then there is a choice and that choice remains with the computer user - not Phorm. However, Phorm has yet to prove to internet users that their so-called opt-out cookie is really and truly opt-out - or is it just going to be partially opt-out, or if the opt-out cookie is removed, does this mean the user is automatically opted-in again? No way should Phorm be allowed to drop spy cookies onto private systems without specific authority from the owners and furthermore, the Phorm company has already been caught before, handling spy programs.
Hey Guys,
Given the Home Office statement which states there -may- be an argument of implied consent where no expressed consent exists; can you ask El Reg execs if they plan to add expressed denied consent to their own web site terms and conditions denying Phorm and Phormesque technologies the right to access your content?
Given that El Reg has committed so much time and energy to this story (which is a good thing) it would seem fitting to commit your own website to denying Phorm access under RIPA.
You can't give something to someone when they never asked for it.
It's the same as taking my email and telling me to tell you to stop taking my email.
Opt-out is only valid if you opt in, unless a said person leaves their data out there in the public domain for this purpose so declared. Example: websites put their sites on the public domain so people and search engines use them in a give-take. Not for spammers to look for fax and email adverts in a take-take.
"...I want vengeance. Can we destroy this thing? Botnets, DoS attacks, poisoning the database? Anything is fair game. Let's see the oft-rumored anarchist internet factions use these assholes as target practice."
If my ISP adopted this excrement I would certainly want to have a go at poisoning the database and it should be perfectly legal too.
I think I'd compile a list of sites that carry phorm (oix) adverts as it would be unfair to burden sites that have nothing to do with phorm with the bandwidth used, and write a script to automatically opt into phorm (the opt-out is worthless after all) and access one or more sites (and maybe the odd MSN/google search query) to start building a profile, save the phorm cookie to a file and delete the original, then select one of the cookies from the file and restore it and access pages from one or more of the selected sites, then delete the cookie (keeping the copy in the file) and go back to step 1.
It has been claimed that the tracking cookie is just a random number and the profile is based on your last 10 days activity, so it should be possible for one user to create an awful lot of profiles for phorm to keep track of over a 10 day period and keep them active so they don't expire and would help to hide my genuine browsing activity.
As the interception occurs within the ISP's network it does matter what you do to your PC: if you allow unencrypted web requests then they will be profiled. There are only two ways to stop this:
1. Use a tunnelling protocol to step over the compromised network of your ISP
2. Move to an ISP that guarantees that they will not use PHORM or similar technologies
If the ISPs continue with the OPT-OUT based service then if you block the PHORM cookie in any way you are opted in by default. If you accept the opt-out cookie then your data still goes to the profiling server within your ISP, but they say it is ignored.
Also, for those people thinking of waiting it out, here is a snip from Professor Peter Sommer's report to the Home Office:
20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria.
In other words, if you accept the ISP T&Cs then you have agreed to the interception. Full document here: http://cryptome.org/ho-phorm.htm
Vote with your feet and add your name to the petition to the PM here: http://petitions.pm.gov.uk/ispphorm/
Apparently they've made it an "opt-in" service, but that's only half the battle... Even if you don't opt in, and if I understand how the whole mess works, they will still be able to gather content metrics on your browsing patterns, which I think is a crock of crap.
That's still interception and tapping, as far as I'm concerned. That's just as bad as going into the central office and plugging into random punch downs and listening to conversations, but not knowing exactly who is doing the talking.
I don't know if Phorm has established a foothold over here in the US yet, but I'd be the first American to willingly contribute to a UK legal fund to fight these suckholes from spreading their disgusting tripe anywhere else!
Good catch....
http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=discussion&it=le
I've discussed this subject at length with non-technical folks who all seem to be of the opinion "nothing to hide/nothing to fear". I feel the way to tackle this bunch is to talk up the webmail angle, as when this argument is run, bingo... suddenly they realise what I'm saying and it somehow becomes relevant.
Anyone with an account on the aforementioned server may just want to continue singing from the hymn sheet....
Actually, reading up on their comments does make me feel somehow... dirty; the wording is just the same as "pump and dump" spam.
Has anyone noticed the similarities of Phorm's Webwise to 121media's previous spyware material?
You will be forced to use their software that includes a new Webwise toolbar attachment, because if you opt out you will no doubt suffer slower speeds as your ISP prioritises its Webwise users. That's common business sense and their traffic shaping will play a big role in this.
I've mailed BT over a dozen times over this Webwise spyware business but they have not replied. I've phoned their customer services dept to arrange cancellation of my account without penalty but they passed on my request to higher office who have again also refused to get back to me. I just want out of this mess but they won't let me go.
Webwise is a dangerous path for any ISP to follow, because when it inevitably goes wrong they might face the biggest clean-up bill in internet history and even closure, because the warnings were all there right at the beginning.
BT are currently testing the Webwise installation in Kingston on Thames and it appears they are also testing it on behalf of all the other ISPs as well. However I am convinced BT will very soon announce that Webwise has failed these tests and that BT will no longer continue merging with the Phorm proxy server because of this.
BT really should not be discussing any kind of mergers with a crook like Kent Ertegrul, a guy that should have been imprisoned for his evil activities against so many decent law-abiding internet users. The law courts should be the ones discussing the millions in compensation claims he should pay instead, before banging him up where he belongs.
By accepting the Terms and Conditions and giving your ISP permission to intercept your communications you may actually be opening yourself up to criminal liability under RIPA.
As mentioned a multitude of times, consent is required from all parties for the interception of communication; by communicating with someone else with the knowledge that there is going to be an interception without the consent of the other party(ies) you could be deemed as complicit. All sorts of cans of worms could be opened, such as aiding and abetting, conspiracy and entrapment.
You could also be opening yourself up to Copyright Infringement offences such as Secondary Infringement and Vicarious Infringement. BT et al should be reminded that Copyright Infringement becomes a criminal offence where commercial gain and profit are involved; and since this is a profit based system (the ISPs get a cut of the advertising revenue) it seems to fall under criminal copyright law.
I am not aware of any case law in the UK which covers these points explicitly (but that doesn't mean it doesn't exist); however, there is case law elsewhere in the world. If I remember correctly there has been at least one case lost; see:
Kelly v. Arriba Soft Corporation (336 F.3d 811(CA9 2003))
http://netcopyrightlaw.com/pdf/kellyvarribasoftjudgement03182004.pdf
It should be noted that even in the case of Perfect 10 vs Google (which was originally judged in favour of the Plaintiff (Perfect 10) and then overturned on appeal) Google only managed to get the ruling overturned on Fair Use arguments. Fair Use arguments don't work in the Phorm situation because there are differences. Google Images only created a derivative work in the form of a thumbnail which then linked directly back to the websites they came from. Phorm is copying the entire page using an illegal wire tap, so I don't think they could use the same arguments of Fair Use.
See also:
http://www.jurpc.de/aufsatz/20020029.htm (in German sorry)
which basically covers the situation regarding caching of websites in Europe with regard to copyright law and reinforces that it is actually Copyright Infringement under European Law.
See also:
http://www.archive.org/iathreads/post-view.php?id=119669
The above stemmed from Archive.Org (aka WayBackMachine), and the courts accepted that the Plaintiff had a case for the court to hear with regard to breach of contract, based on the Terms and Conditions she had on her website which were breached by Archive.Org when they cached her pages.
Obviously Archive.Org settled out of court so no judgement was ever received, but they did acknowledge the infringement in their press release.
My advice to website owners who do not wish to have their pages intercepted and copied by Phorm systems (or indeed any other such systems) would be to add some Terms and Conditions to your website explicitly refusing the right to copy the pages and would then be covered under copyright law, contract law and RIPA as I understand it. If the Home Office want to try and throw around the implied consent argument, then it cuts both ways. Phorm accessing the website are bound by your Terms and Conditions through the same implied consent and would therefore be in breach of contract should such terms as "Phorm may not access or copy this website under any circumstances" appear in those terms. So potentially, a lot of popular forums could make a boat load of money from suing ISPs and Phorm for Copyright Infringement and Breach of Contract and even possibly bring criminal charges since the infringement is being used for commercial and financial gain.
Even if there is the slightest chance that my statements above are correct, they are reason enough alone not to allow the interception of your communications.
So in the words of Nancy Reagan "Just say No!" [to Phorm]
I put up a blog on blogger.com highlighting these articles, summarising the main issues and requesting web site owners to add terms to their web sites denying consent for Phorm to intercept communications between their web sites and users.
It is my belief that these terms alone should be enough to make Phorm breach RIPA with regards to consent from parties.
I have called the blog Deny Phorm because we -all- have the right to Deny Phorm access to our communications, users and content providers alike.
You can find the blog here:
http://denyphorm.blogspot.com/
Ok, Reg, how about you send a nicely worded email to everyone on your database asking if we believe Phorm should be allowed to be implemented and spelling out what Phorm is.
If we don't agree, how to lodge our complaint with the official body. Maybe a link to complain and a sample wording.
El Reg has all of our email addresses. We can then forward that email on to everyone we know asking them to pass it on too. Let's take PHORM down on this issue. WE DO NOT WANT OUR DATA SOLD. Viral marketing is needed to kill the beast.
I've been thinking about phorm's claim to anonymise user data using random numbers and I've concluded that it's completely bogus. Let me tell a little story to show why...
"An evil king had 10 servants. They were loyal servants, but one of them (a ginger-haired man) had earned the king's displeasure. The king decided to remove him, but to execute a man just for being ginger was a bad act, even for this king, so he devised a cunning plan. "One of my servants has been stealing from me", he declared, "We will investigate and punish the offender". But to protect the privacy of the innocent, the investigation would be done anonymously.
So he gathered his servants and made each one pick a number at random. Then he drew a cookie on each servant's arm and wrote the servant's number inside the cookie. He then instructed each servant to write their number on the door of their room. Being loyal servants, they did this.
The king then called the head of his secret police. Publicly, the king said "Go and search the servants' rooms and if you find stolen goods, tell me the number written on the door" (but privately, the king told the policeman not to look for stolen goods, but to find evidence of ginger hair). In due course, the policeman returned and declared "Room number 7 belongs to the culprit". The king thanked the policeman and arranged for him to meet with an unfortunate accident.
The king then mounted a guard on the door of his palace. When the servants reported for duty, their cookies were checked and servant number 7 (the ginger-haired one, of course) was taken out and shot."
I trust you see the connection with what your ISP and phorm are doing.
So was anonymity really achieved by the random number technique? I would say no. Definitely not.
As far as the secret police (phorm) are concerned, there is a bogus claim to anonymity. The policeman who scanned each room didn't know which servant it belonged to. The information was then deleted (the policeman killed) and the only information that remained was that room number 7 contained stolen goods (or ginger hair, actually). But clearly this didn't protect the innocent ginger servant from the consequences of his data being abused. So the claim to anonymity is completely fake.
The reason is that the king (ISP) retained the ability to link random numbers back to servants (users) by inspecting cookies. In reality, phorm holds the randomised data and the ISP holds the method of linking random numbers back to users. Neither of them acting alone holds personally identifiable information, but acting in concert they do. The data are not anonymised.
To summarise: I believe the Data Protection Act applies to this case because personally identifiable information is being held. The information is about "advertising preferences" (or whatever phorm extracts) and the link to an individual exists because phorm and the ISP are acting in concert and the ISP can match the so-called random numbers against the cookies presented by users (it not only can do this, it *has* to do this in order to deliver the adverts).
Phorm is not using random numbers. It is using numbers that can be (and are) traced back to users. It's a fraud.
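A small Python model of the argument in the post above (an added illustration, not the poster's code; every subscriber line, UID and interest category below is constructed sample data): the ISP's cookie log, the profiler's UID-keyed database, and the join the two parties perform in concert, including the "policeman" step of turning a category back into a subscriber.

```python
"""
Added illustration: a 'random number' UID does not anonymise a browsing profile
when one party (the ISP) holds subscriber -> UID and another (the profiler)
holds UID -> interests.  All data here is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: the ISP cannot deliver an advert to a line without knowing which
# UID that line presented, so it necessarily holds this mapping.  line-0001
# appears twice: the same subscriber after clearing/rotating the cookie.
ISP_COOKIE_LOG: List[Tuple[str, str]] = [
    ("line-0001", "uid-7f3a"),
    ("line-0002", "uid-c912"),
    ("line-0003", "uid-5b08"),
    ("line-0001", "uid-2e61"),
]

# Constructed: the profiler stores categories inferred from intercepted page
# requests, keyed only by the UID carried in the cookie.
PROFILER_DB: Dict[str, Set[str]] = {
    "uid-7f3a": {"cars", "support-forum", "medical-condition"},
    "uid-c912": {"gambling"},
    "uid-5b08": {"cars", "pc-hardware"},
    "uid-2e61": {"medical-condition"},
}


def isp_view(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """What the ISP alone sees: subscribers and opaque numbers, no interests."""
    view: Dict[str, Set[str]] = defaultdict(set)
    for line, uid in log:
        view[line].add(uid)
    return dict(view)


def profiler_view(db: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """What the profiler alone sees: opaque numbers and interests, no subscriber."""
    return {uid: set(cats) for uid, cats in db.items()}


def link_profiles(log: List[Tuple[str, str]],
                  db: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """The join the two parties make in concert: subscriber -> every interest
    ever inferred for any UID that subscriber presented (rotating the cookie
    merely adds another UID to the same line)."""
    linked: Dict[str, Set[str]] = defaultdict(set)
    for line, uid in log:
        linked[line] |= db.get(uid, set())
    return dict(linked)


def reidentify(log: List[Tuple[str, str]], db: Dict[str, Set[str]],
               category: str) -> List[str]:
    """The 'policeman' step from the story: the profiler reports which UIDs
    match a category, and the holder of the cookie mapping turns those UIDs
    back into real subscribers."""
    matching_uids = {uid for uid, cats in db.items() if category in cats}
    return sorted({line for line, uid in log if uid in matching_uids})


def is_anonymised(log: List[Tuple[str, str]], db: Dict[str, Set[str]]) -> bool:
    """True only if no subscriber can be tied to any interest category."""
    return not any(cats for cats in link_profiles(log, db).values())


if __name__ == "__main__":
    print("ISP alone:      ", isp_view(ISP_COOKIE_LOG))
    print("Profiler alone: ", profiler_view(PROFILER_DB))
    print("In concert:     ", link_profiles(ISP_COOKIE_LOG, PROFILER_DB))
    print("Lines flagged for 'medical-condition':",
          reidentify(ISP_COOKIE_LOG, PROFILER_DB, "medical-condition"))
    print("Anonymised?", is_anonymised(ISP_COOKIE_LOG, PROFILER_DB))
```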
Wonder if someone can come up with a standard letter for us to send to phorm/Bt/TT/VM/a.n.other ISP as webmasters?
"I hereby state that I give NO permission for phorm, or any company associated with their OIX platform, to process (or view) my data in any way. Any interception (not just processing) by systems involved in the OIX offering is therefore illegal under UK privacy laws"
Or similar, should make it very interesting. My mother uses one of my colo boxes for her email, and she's on VM... That sounds like they are going to get themselves into trouble.
Just a quick question. Does anybody know how I, as a web host, can detect if one of my users is coming in via a Phorm wire-tap? Will there be odd IP ranges to look out for (perhaps not, seeing as the Phorm wire-taps are within the ISP)? Given that Phorm seem to have some mechanism for injecting a cookie into my domain, does this mean I can find it with Javascript?
As a British citizen domiciled in Sweden with servers located outside the UK, and the other party to conversations between my website users and my servers, I would really like to see what BT and Phorm make of the privacy laws here... I've already sent letters to Phorm, BT, Virgin Media and Talk Talk informing them that I do not give permission for such monitoring of my conversations on my Swedish-operated servers and that they must cease and desist.
I've already got the Read Receipt from BT's company secretary on whom notices should be served. It'll be difficult to argue they've not received it.
As each page on my websites is generated by scripts, and personalised for each visitor, that makes them a private communication, especially the areas protected by usernames and passwords.
Excellent, now the Home Office is involved. (Cue image of trembling boots and a scary Home Secretary... Who is it now anyway?)
Not that I expect any action, as it is a government agency, but at least people somewhere in the hallowed halls of antiquity are beginning to take notice.
**Dons tin foil hat.**
Why is that? Helping the general populace out at a time of company underhandedness?
Or
The petition and ruckus caused by this and other sites?
I quite liked bethere when I used it in a previous house, so I contacted them to ask them about Phorm, to help me make a decision in future. This is their response:
Thank you for contacting us.
We are not a part of the Phorm system and we are not even planning to be, so there will be nothing to worry about.
Regards,
Be Team
So, assuming this isn't the same kind of line that BT spouts, I think they at least are in the clear.
I thought of something else though - what if someone wrote a program that created random Phorm cookies, and made random requests. Distribute this program to a few addresses, and suddenly Phorm's database becomes far less relevant - it will now contain lots of redundant and useless information. Although, I guess it doesn't stop them profiling people.
There is a non-zero cost associated with running the Phorm system. If there's no return (no-one clicks on the ads), then eventually the companies will stop doing it.
Therefore if the system can be "stressed", and at the same time made to be less effective, it'll start showing up as a negative on the companies' bank statement.
Given the throughput that this needs to support to not affect the customer's "browsing experience", we're not looking at a single small server.
If I were to set this up, I'd be looking at a pair of BIG L7 "interceptors", probably 4 profilers, running load balanced, and then probably a clustered backend DB to keep track of so many cookies. That's going to need to be separated into 2 racks at least (each containing the L7, 2 profilers, and one of the DB nodes), and from previous experience with hosted equipment, they're going to want full racks.
2 racks in a server room (rental, power, cooling, maintenance) is not going to be cheap if there's no income.
>So they'll most likely go ahead anyway, until someone takes the fuckers to court, where they'll most likely employ the usual army of expensive briefs and "experts" to defend their position.
Maybe so but unlawful interception of communications is a criminal offence so there could be people at the top of these companies being arrested.
True.
Although, I guess such an attack wouldn't be legal, and would probably lead to banned subscribers.
But, if the ISPs don't pull out because of negative press alone (and lost subscribers), I wouldn't be surprised if something like that were to arise.
@Stephen Baines
I'm very interested in cases like yours. As you say, you don't give permission for your conversations to be intercepted, so in order to be legal, BT Webwise would need to block your site to prevent interception. Something has got to give - I imagine BT's execs will realise it's too much of a nightmare to implement solely because of the interception.
Hopefully Phorm's stock will bottom out some more, and hopefully its founder will lose everything he ever invested (including a lot of time!), and will come away a little wiser.
...being with Tiscali 'Cheap 'n' Cheerful' ISP doesn't seem so bad. I may suffer occasional 6pm slowdowns (usually having dinner anyway) and unintelligible customer support but I'm not being spied upon and my family and partner have no idea how much p0rn I actually look at... (One Night In...[pic])
Just had a look at their site and they reckon that they will replace ads with theirs, am I missing something? If someone has paid for an ad to go on a web page and it is replaced by a third party then it is like fly posting and surely breaching some law.
Meanwhile does this mean that all traffic has to go through this link? Tantamount to saying that all cars in the world have to go through the Dartford Tunnel on every journey?
I get more confused everyday!
Apart from that, there is another site that has a copyright notice from 2000 which grabs the trade mark Phorm (php-net); are they the same people?
I do a lot of automated web scraping (just for my own purposes; occasionally cheekily but I'm not a scumbag and don't hammer servers or peddle scraped data or grub around for email addresses - just thought I'd better be clear about that for starters!). I'm planning on tweaking this to poison Phorm's database; obviously my automated jobs don't say very much about my preferences and interests. I was thinking, add a couple of random fetcher jobs as well to occasionally fetch a random page and spider around a little. It might even be possible to switch the ID in the cookie now and then - with any luck you might hit someone else's ID and poison the records about them, too, although I'm less sure that this would work.
It's not foolproof of course - they could probably spot this easily enough if they were keen - but if a lot of people started doing this it could make their database relatively worthless. The same trick would also be a little irritation for doubleclick and the like.
I may hack together the random fetcher / spider / cookie poisoner as a standalone application and see if anyone else fancies chipping in a small amount of bandwidth to this 'project' at some point in the near future. To have any real power the poisoner would need to be running in several places. A kind of voluntary botnet. If it really caught on it could really dent this spy-ad industry.
Of course I can't really do that much about Phorm myself as I'm on Plusnet. I know they're owned by BT but Plusnet assure me they aren't involved in this (so good news for Plusnet customers out there assuming that's accurate).
I do know some big scary lawyers who do pro bono work.
But they need to think that there is a case, and that they can win, as well as concluding that this is a good use of their time.
RIPA is a good start, but if the ISPs change their T&Cs does it apply?
I assume the reason for BT's silence is that someone senior has just realised they are doing this logging anyway, so why split the rake-off with Phorm?
Given that ISPs keep being pushed by the government to log web access, I can't see it as very hard for them to write scripts which use this data for commercial ends.
I'd just like to point out that many existing email systems (especially business ones) already append a legal statement to each message along the lines of:
"This message is for the intended recipient only...
...if you receive it in error, you must not act on its contents...
...bla bla bla"
If such messages are being sent or received via an HTTP connection, they would potentially be intercepted by phorm's system. There is clearly no implied consent for others to read such messages - so that interception would be illegal. If you wanted to be sure, you could easily add an explicit statement to prohibit interception by ISPs.
Actually, I would suggest that everyone adds such a statement to their email signatures. It's an easy way of getting lots of prohibition statements into the system. It's also a good way of spreading the word about this problem, especially if you include a link to web sites like El Reg.
RIPA does apply as it requires consent from all parties, so the web host would have to give their consent as well. The Home Office have cast a shadow of doubt over whether Phorm breaches RIPA or not (probably unintentionally) by stating that there might be an argument for implied consent where expressed consent does not exist. Note how they say "may" and how they offset the interpretation of the law to the courts.
Of course the consequence of their statement for Phorm, is the acknowledgement that expressed terms which refuse consent by the web host would constitute a breach of RIPA should Phorm or an ISP intercept communications between themselves and their users.
See http://denyphorm.blogspot.com/ for details on a campaign I have started to encourage web site owners to express denied consent in Terms on their websites.
I've always thought email signatures were pretty useless, perhaps until now.
I sent an email to Neil.Berkett (CEO of Virgin Media) complaining about Phorm.
I got a response which I read in webmail. The content was pretty useless, but his email signature may or may not have been something like the following:
------------------------------------------------------------------------------
Save Paper - Do you really need to print this e-mail?
Visit www.Vxxxxxxxxxa.com for more information, and more fun.
This email and any attachments are or may be confidential and legally privileged and are sent solely for the attention of the addressee(s). If you have received this email in error, please delete it from your system: its use, disclosure or copying is unauthorised. Statements and opinions expressed in this email may not represent those of Vxxxxx xxxxxa. Any representations or commitments in this email are subject to contract. Please note that we are migrating our email addresses to a company wide address of "@xxxxxxxxxxx.xx.xx". If you are sending to a Txxxxxxx or nxl email address your email will be re-directed.
Registered office: 1xx xxxx, xxxxx. Registered in England and Wales with number xxxx
==============================================================================
Having noticed the number of concerns from posters who like to look at a bit of p0rn and are therefore (legitimately) concerned about being swamped with ads for p0rn sites, here's another thought.....
If I have a habit of accessing sites about something mainstream like cars, PC equipment, or whatever, it's arguable (just) that having information about my browsing habits used to serve me with ads for sites about cars, PCs etc etc is frightfully handy....
And were I a single chap living alone and somewhat fond of one-handed reading material, I might find ads from p0rn sites quite agreeable.
Not so however if I were a married man and my wife (how embarrassing) or children (far far worse than embarrassing) were to access my PC and be exposed to such stuff.
I'm a transgendered person. That's not a lifestyle, nor a sexual quirk, but simply a condition that I am not responsible for. I frequently access sites that are designed to provide advice, support, and information for people like me. However, were anyone to enter the word 'transgender' into any search engine such as Google, I can pretty much guarantee that a significant proportion of the sites listed in the search result will have titles like 'Thai Ladyboys' or 'Chix with Dix' or similar tasteful stuff. I have no interest in such things. As a libertarian I don't find them particularly offensive, but I don't want to see them.
So - this bunch of bottom-feeders not only have the potential to seriously impact my personal privacy (which, given my circumstances, is particularly important to me for obvious reasons), but also to bombard me with unsolicited material of a distasteful nature.
I believe that's called Spam
And I'm expected to pay an ISP to actively collude with that?
I don't think so.
They only replace the adverts on sites that have signed up to the service; if you run a site with Google Ads (for example) they're not going to steal your revenue stream.
The Phorm party line is that this is going to be wonderful for the user, because more targeted adverts will mean companies need to place fewer ads. Which says to me "companies are going to pay a premium for a Phorm-served ad".
At which point, automated reloading of Phorm-associated sites, frequent cookie recycling and similar techniques to poison the waterhole will be pretty effective in killing the whole process. Advertisers aren't completely stupid; they won't pay a premium if they're not seeing escalated returns for their money.
Warner I agree with you, but you are missing one point. This isn't just "personal data" we are talking about, as defined by the data protection act this is "sensitive personal data" as your surfing habits will reveal details such as sexuality (if you start looking at gay porn sites), trade union membership (must be some that don't use https to log you in), medical conditions/religious belief/ethnic origin/political opinion (if you subscribe or view regularly to a website about a particular condition/religion/ethnic origin/political party).
The requirement of the DPA is that explicit consent is required for processing of sensitive personal data; in my view automatic opt-in would therefore be unlawful even if they attempted to gain it by telling you their T&Cs have been updated - without positive action from the subscriber it can't be classed as explicit consent.
I have just spoken to Customer Services at Virgin Media and after being passed around to half a dozen different people I finally got someone to check, and they tell me that it is already in place and I cannot opt out! The woman said to opt out I need to use Firefox!?
Well I'm going to cancel and go with zen.
I'm pretty sure that was just Customer Disservice being stupid. Because if they aren't, they lose any possibility that Phorm is legal under RIPA.
The thing is, as I see it, if the customer is offered the choice, it could be argued that forms consent. If you don't, then they can't legally intercept your traffic. If I were you, I'd phone them up, ask to speak to a supervisor, and tell them that unless you are given the option to opt, you will a) switch to a different ISP, b) sue them. Hopefully such threats will jog their memory.
I'd also say that Phorm should have a bigger problem with websites. Now that website traffic can be intercepted, I imagine websites won't be too keen on the idea. Anything could be exposed, and Phorm has no right to intercept. As far as I understand RIPA, it requires consent from both parties, not just one.
With all due apologies...
At first they came and only wanted me to accept adverts. I said nothing.
They came and only wanted to catch child-pornsters. I said nothing.
They came and only wanted to catch copyright criminals. I said nothing.
They came and only wanted to assure my safety. I still said nothing.
Finally there was only me left, I could say nothing.
If this gets in, where will it stop? This is merely the start of exactly what the MPAA/RIAA and the government's war on Internet filth merchants and terrorists want. An easy way to track the habits of every internet user: what, where, how and why?! Fantastic! Adverts my arse! The adverts are a slightly easier way to sneak this nasty insidious tech in early for a far more nefarious purpose! Average Joe Public won't care about a bit of advertising being tailor-made to his preferences.
It has to be stopped now!
This did make me laugh though.
"Kent Ertegrul a guy that should have been imprisoned for his evil activities"..."before banging him up where he belongs"...
Hmmmm, very painful! However I'd derive great pleasure in watching it happen to that low life.
@Vishal Vashist
As far as I know, no. You would need to embed special javascript into your pages to make them fetch the phorm ads - the adverts won't be inserted unless you have agreed to it.
But that makes me wonder if the system can be abused. Say we get the script someone is thinking of writing, that makes random requests using random cookie IDs. And we change it to make random requests to a particular page hosting a Phorm advert, retrieve the URL that the Phorm advert leads to, and request it. Unless they have some other protection, this will net the website owner some cash. Done hundreds of times per second with multiple willing bots, and....
Even if the website is chosen without the owner's knowledge (ie the scripters are not in league with the site owner, and thus do not stand to benefit) they can create havoc, as now Phorm needs to work out what is a legitimate request, and therefore eligible for money, and what is not.
Phorm will compete for advertising space on Websites under the name of Open Internet Exchange (OIX). To the website owner the only difference that they will see will be that, supposedly, there will be more clicks on the adverts displayed because they will be more accurately targeted at the end user, and therefore they will get more revenue. Phorm say that they will not carry adverts for pr0n, gambling, religion,etc. They claim that because adverts will be better targeted this will result in fewer 'irrelevant' adverts, or even fewer ads overall, as advertisers switch from high volume low cost advertising to low volume highly targeted advertising. I'm not so sure; if advertising generally becomes more effective then I would expect the amount of advertising to increase. But there we are, if it wasn't for the 'small' matter of them having to record and process every web page you access, the overall browsing experience would be pretty much the same. In fact my guess would be that hardly anyone would notice. Of course it would be very easy for Phorm to introduce pop-ups, pop-unders, and all the other intrusive advertising paraphernalia that seem increasingly to blight the web, but then again so could any other advertiser.
So the real issue is the interception of all your browsed pages by your ISP, and the possible abuse, accidental or deliberate, by Phorm or others, of the data and knowledge they have accumulated. In the UK there are laws
IMO Phorm are not going to give two hoots about the quality of data collected; they make their money from marketing people who believe that the ads are targeted, and hence pay premium rates. After all, marketing is all about perceptions and assumptions, not facts.
There will of course be revenue carved off to the ISP based on ads served to users, and of course to get around the DPA legalities the ISP will buy and run the servers from Phorm (they will operate a maintenance agreement with Phorm); that way no data leaves the ISP as they own the kit. The servers will be connected to the net to retrieve and serve adverts and tell Phorm how much is served so the ISP gets paid. (Kent thinks this is ok as the data does not leave the ISP. I think this is bad because they are intercepting/injecting it all. No choice!) This setup does not take due regard of RIPA.
And unless the ISPs start offering free broadband I don't think anyone is going to want to be monitored like this without more benefit. Google deserve my data as they provide excellent service to me. Phorm do not serve me. (Not the right type of ads benefit! Sometimes I like odd ads; they remind me of other things. And what's wrong with car ads on car sites? - oh, but he mainly looks at car sites but they are expensive so advertise on this cheaper news site he reads also..)
Today I will mainly be getting Phorm ads, as it's been my priority this week, and fortunately my ISP is not even entertaining the idea. I love my 24mbit adsl2+. Thank you be*ings.
With all the fraud and dodgy dealers on the net, who in their right mind is going to click on one of these adverts and actually buy anything? Very, very few people in their right minds.
It's a bit like the Nigerian 419 scam: pump enough ads and you will hook a few suckers.
The real test will come when people start buying from any of these ads and see if the goods turn up or, worse still, their card maxed out by fraudulent transactions.
Will the ISP or PHORM be giving any fraud protection for buying from any of these adverts?
Let me take a microsecond to think and come up with a BIG FAT NO!!!
You create a phishing copy of a site that is signed up to serve Phorm's advertisements, say, oooh off the top of my head FT.com. Now we know that the FT probably don't employ the same sort of protection as, for example, a bank, so the phishing site will stay up longer. Now our baddies have a site where they can insert phoney ads saying
"ALERT ALERT WEBWISE IS OFF - CLICK HERE TO TURN ON"
and your average slack-jawed, pregnant, benefit-drawing yokel that seems to be more and more common in this jewelled Isle is ripe to be served all sorts of nasty things.
Just an idea....
Just occurred to me.....the average yokel wouldn't be going to the FT.com site anyway so that was a bad example, however....how do you know if a site has signed up to Phorm anyway? You can create a phishing site of anything and insert a "Webwise is off" alert and so back to my original hypothesis....
Again, just an idea....
As I understand it, Phorm intend to include ads only in webpages of sites which have agreed to their terms, and not any other websites - much like the ads in El Reg pages.
The adprovider may not be El Reg itself, but when you call a webpage it also calls the ads up from the separate adprovider.
Phorm's problem is that in order to individually target the ads to you then they have to know something about you; or if "you" is anonymous then they have to know something about "your" web browsing history - which information they can only reasonably get by illegally intercepting "your" web traffic.
-
As an aside from this, but in re online advertising in general, there is an ambiguity in RIPA which might affect Phorm or even El Reg - there are two possible interpretations of section 2(5)(a). These are known as the "conduct" and "comprised" interpretations. As yet neither has been tested in Court.
RIPA section 2(5)(a) says that conduct is not interception if it is:
"any conduct that takes place in relation only to so much of the communication as consists in any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted:"
Briefly, the ambiguity is whether the "for the purposes..." phrase refers to the "conduct that takes place..", or whether it refers to the "traffic data comprised..".
If "for the purposes... " refers to the "traffic data comprised .." then it would mean that any use whatsoever of traffic data can't ever be interception - but if it refers to the "conduct that takes place .." then it is only lawful to intercept, look at it, or give out, traffic data if it's done in order to facilitate the transmission of that communication (or for other RIPA-acceptable reasons.)
Personally I favour the "conduct" interpretation.
This would not preclude El Reg etc from including advertising; but it would prevent El Reg from telling the adproviders which IP to send the ad to - they would have to pass the ad on themselves from an El Reg IP address.
Which would probably be quite a good thing overall - but might make ad accounting harder. However RIPA is not clear on this point.
They finally realised I wasn't going to stop emailing them and sent me this address:
"Hi there,
Thanks for your email to Virgin Media.
enquires of this kind will need to be made in writing to:
customer loyalty manager,
customer concern,
concord house,
concord business park,
threapwood road,
wythenshawe
Kind regards,
Tech Support Agent
The Customer Concern
TeamVirgin Media"
Now it's time to reply to them and complain about the lack of capitalisation.
There seem to be only two ways to beat this:
1:- vote with your feet and migrate to a new ISP as soon as the new contract arrives on your screen
2:- everybody block the cookies from Phorm / Webwise (less effective, as your data is still being profiled)
These are the only two options that kill Phorm's (and the ISP's) revenue stream.
Any other method puts traffic through the system and provides both Phorm and the ISP with saleable traffic no matter how rubbish the data generated is.
Will I do?
What Phorm and BT plan to do is interception, and it's an offence under section 1 of RIPA unless both the sender and intended recipient of a communication consent to its being intercepted. In practice this means both the user and the website owner have to consent, and that simply ain't going to happen.
All the "maybe"s in the Home Office guidance have already been discussed to death elsewhere, and a long time ago, with the general conclusion that none of them have any chance at all.
Simon Watkin, who has taken part in many of those same discussions, knows the consensus view well, and I simply can't understand why he'd give out such "maybe" advice - afaik almost no-one else thinks that any of these excuses have any chance whatsoever in Court.
Of course, while Simon is very good at words, and is to some extent good at the laws he's had written - though he didn't write RIPA itself - he's fairly darn clueless about the internet (and cryptography) in general.
I know Simon quite well, so I'm not going to suggest that he may have been bribed - I think he's a straight arrow as far as that might go - but he does seem to have been eating Phorm's PR cookies. :(
To recap: there are three possibilities which might make targeted online advertising, with the targeting being based on observing the target's webtraffic, lawful:
*First "maybe", that it's not interception because no "person" is involved if it's done by machine. That's nonsense, the ISP or Phorm is a "person" as far as the Act goes. In a very similar case, the ICO has said that automated virus scanning is interception (but legal interception under 3(3)). It is also contradictory to s.16. This "maybe" argument is garbage.
*Second "maybe", that it might be lawful interception under 3(3), which says interception is legal if it's done for the purposes of the telecommunications service, ie the transmission of communications.
This is how virus scanning is legal - your computer is considered to be part of the system when it is being used to communicate, and protecting it from viruses is necessary in order to ensure the communications get through. There is a similar, but weaker, argument for spam filtering being lawful under 3(3).
However Phorm/BT looking at your webtraffic is not done in order to help transmit your communications, it's done in order to target advertising, so this argument is garbage as well.
*Third "maybe", that it would be lawful interception if both parties consent to the interception - this is correct - but in practice it's almost impossible to get consent from both parties.
Getting consent doesn't mean that someone doesn't object - it means that both parties, the sender and the intended recipient, have actively consented to the interception.
For the user side T+Cs won't do it, because the user will often not be the person who agreed to the T+Cs, and also because such a term in the T+Cs for an ISP service contract is almost certainly not enforceable.
Even getting express consent from individual users, as opposed to the owner of the connection, is problematical - suppose you want to allow a guest to use your account? The guest has not consented. You may well be partly responsible for the subsequent interception.
From the webhost side, getting consent - well, Phorm/BT would have to ask each website publisher. The "implied consent" in Simon's advice is consent to download, not to intercept, and there is no implied consent to download for many web pages anyway.
So, while it's not garbage, this "maybe" just isn't going to work - getting consent is just too hard to do.
Very long, but the full story so far. I have left in only the BT CS person's first name, and mine (as it is on my posts anyway).
The interesting one for me is that you can permanently opt out by blocking the cookie (so Trend and co can safely remove the cookie without opting you back in), but will that show up in their stats as an opted-out user?
Below are the emails.
Chris,
Thanks for your reply
But you have failed to answer my question regarding whether, if I opt out, my traffic is still passed to the profiler, nor the question about assumed automatic opt-in.
If it is, I still have major concerns regarding privacy, as you cannot guarantee the profiler cannot be updated to look at the opted-out traffic but just not serve adverts.
And I have big, big problems with any data passed to a company whose roots are one of the biggest original adware / crudware companies on the net; like many I do not believe leopards can change their spots.
Another point: as AOL found out last year when it released a ton of anonymised search requests with the user IDs replaced by random numbers, it had to withdraw the list in haste as it became embarrassingly obvious that users could be identified from that information alone.
So using a random number in a cookie will still enable users to be identified from the data passed from the profiler to the Phorm server, and so privacy is not guaranteed.
The anti-phishing is a duplication of the function in IE7 and I believe also part of the Norton security suite you provide, so I see little value add from that service. The only thing the users will see is an increase in targeted adverts from the businesses signed up to OIX, which was the adware rubbish Phorm used to push. How many adverts are going to be for UK-based businesses (very few I suspect), and due to the high rate of fraud and phishing on the web people are naturally sceptical of any popup and highly unlikely to purchase via them. This I doubt is of little concern, as BT will only get revenue from allowing the adverts to be served and not from any form of pay-per-click on the actual pop-ups.
Please inform your managers that the customer base is not happy with this; people are not going to put up with popups, adverts or other junk on their screens (we get enough junk in the post) and many will hopefully vote with their feet.
The only way I will stay a BT broadband customer is if you can guarantee opted-out traffic does not go via the profiler at all and it is an assumed automatic opt-out. This is the position that Carphone Warehouse is taking and looks like the same with Virgin Media (if they actually go ahead, which is not looking likely).
Carphone Warehouse are (rightly so) of the opinion Webwise / Phorm will fly or fail on its merits and if customers find it useful, not on whether you can bully customers into accepting it to obtain additional revenue.
One final question: how will you know if the trial is successful? I assume it will be by Webwise telling you the percentage of users opting in and out, and who will audit those figures and confirm they are correct?
A better way would be to use an independent market research company to canvass ALL of the users in the trial with a web-based questionnaire, similar to how Microsoft get feedback from me after my partner training courses.
When my updated terms and conditions are offered to me I shall be reviewing my option to cancel my contract early, depending on whether BT has changed its position with Webwise / Phorm, which is a shame as I have had good service until this.
Thanks
Peter White
-----Original Message-----
From: Residential Services [mailto:XXXXX@bt.com]
Sent: 13 March 2008 12:55
To: XXXXX@btinternet.com
Subject: Re: I want to complain - I have a general complaint (KMMXXXXXXXX71L0KM)
Dear Mr White,
Thank you for your e-mail dated 12/3/08 regarding Webwise and the passing of your browsing or personal data to Phorm. I am sorry for the difficulties you have encountered whilst trying to obtain information on this and for any inconvenience this may have caused.
As per your request for written confirmation, I have supplied you the information in the form of an email as I work from the e-contact queue only.
The data capture is designed to preserve your anonymity and privacy. We will be communicating to all customers during the trial with a page that appears at the start of their browsing session and ask customers to look at amended Terms and Conditions which can be viewed on www.bt.com/webwise. There will always be clear choice in the hands of all of our customers. We also provide them with information on their current status on www.bt.com/webwise, which can be changed with a click of a button.
Your data is not passed to any third party. On each browser navigation, a 'data digest' is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names). This is matched against a list of advertising product categories. After the match is made, the 'data digest' is deleted permanently and immediately. The 'data digest' is never written to disk so it is never stored.
All this processing is done completely within BT's network. The matching information (the only information held within the system) is never sent to any system held outside the BT network. You can permanently opt out by blocking cookies from the domain http://www.webwise.net on each browser you use.
You can check whether BT Webwise is on or off by simply going to http://www.webwise.bt.com/ You'll be able to see whether BT Webwise is turned on or off on the computer, user account, and browser you're using at the time. To turn on or off this service, simply go to http://www.webwise.bt.com/ and click 'BT Webwise Off' or 'BT Webwise On'. BT Webwise uses cookies stored on your computer to capture your preference. These cookies are linked to individual computers, user accounts, and browsers, so you will need to switch the service on or off from each computer, user account, and browser you use. If you delete the cookie, you'll need to reset your preference.
I hope the information provided will assist in helping you with your enquiry, and if you should have any further queries please do not hesitate to contact me again via e-mail.
Thank you for contacting BT.
Yours sincerely,
Chris XXXXX
eContact Customer Service
Ref: XXXX
Original Message Follows:
------------------------
Feedback from: peter white (contact number ) Telephone Number:
Account Number:
Email Address: XXXXXX@btinternet.com
Customer Comments:
I do not wish any of my web browsing (past, present or future) to be profiled or stored for any reason other than as you are required to keep records under RIPA for the fight against terror.
I specifically do not consent to any of my web browsing or personal data being passed to Phorm or any other similar company.
I do not require the Webwise anti-phishing product as none of my family use internet banking, for the simple reason of its insecurity.
I specifically do not want any advertising (targeted or other pop-ups, other than the single frame advert on my Yahoo / BT homepage which I easily ignore).
I want an immediate assurance in writing of the above.
1:- if my terms and conditions are changed to allow any of the above,
2:- if Webwise / Phorm is rolled out with an assumed opt-in,
3:- it is proven that even when opted out my web traffic will still be passed via the Webwise / Phorm profiler,
I will have no option but to exercise my right under the change to terms and conditions clause and immediately change ISP.
Please note Carphone Warehouse are guaranteeing "opt in" only and segregating their network so opted-out users are definitely not passed through the Webwise / Phorm profiler, and Virgin Media have not finally committed to rolling this out yet.
A very unhappy customer who is likely to be looking for an alternative ISP shortly.
Regards
Peter White
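BT's reply above says the opt-out preference lives in a cookie from webwise.net and that blocking cookies from that domain is the permanent opt-out, and the poster asks what an anti-malware tool removing that cookie would do. As an added example (not code from BT, Phorm or anyone in this thread), here is a small Python script that parses a Netscape-format cookies.txt file (the format Firefox exports and curl and wget read) and reports which live cookies belong to a set of watched domains, so a user can see for themselves what preference cookies a browser profile holds. The cookie file is constructed; the cookie names and values are placeholders, not the real Webwise cookie.

```python
"""Check a Netscape-format cookies.txt for cookies set by watched domains.

Added example for this thread, not code from BT, Phorm or the poster.
The cookie file below is constructed: the cookie names and values are
placeholders, not the real Webwise preference cookie.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    domain: str   # as stored, e.g. ".webwise.net" (leading dot = subdomains too)
    path: str
    secure: bool
    expires: int  # Unix time; 0 means a session cookie
    name: str
    value: str

    def is_expired(self, now: int) -> bool:
        return self.expires != 0 and self.expires < now


def parse_cookies_txt(text: str) -> list:
    """Parse the seven tab-separated fields of the Netscape cookies.txt format:
    domain, include-subdomains flag, path, secure, expiry, name, value.
    '#' lines are comments, except curl's '#HttpOnly_' prefix on a cookie line."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its meaning
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lower(), path, secure.upper() == "TRUE",
                              int(expires), name, value))
    return cookies


def domain_matches(cookie_domain: str, watched: str) -> bool:
    """True if the cookie belongs to `watched` or one of its subdomains."""
    host = cookie_domain.lstrip(".")
    return host == watched or host.endswith("." + watched)


def find_cookies_from(text: str, watched_domains, now: int) -> list:
    """Return live (unexpired) cookies whose domain falls under any watched domain."""
    return [c for c in parse_cookies_txt(text)
            if not c.is_expired(now)
            and any(domain_matches(c.domain, w) for w in watched_domains)]


# Constructed sample cookie jar (tab-separated, as a browser or curl would write it).
SAMPLE_COOKIES_TXT = "# Netscape HTTP Cookie File\n" + "\n".join("\t".join(f) for f in [
    (".webwise.net", "TRUE", "/", "FALSE", "1300000000", "pref_placeholder", "off"),
    ("www.webwise.bt.com", "FALSE", "/", "FALSE", "0", "session_placeholder", "abc123"),
    (".theregister.co.uk", "TRUE", "/", "FALSE", "1300000000", "reg_placeholder", "xyz"),
    (".webwise.net", "TRUE", "/", "FALSE", "1200000000", "stale_placeholder", "old"),
    ("#HttpOnly_.webwise.net", "TRUE", "/", "TRUE", "1300000000", "httponly_placeholder", "y"),
]) + "\n"

WATCHED = ["webwise.net", "webwise.bt.com"]


def report(now: int = 1205400000) -> list:
    """Names of watched-domain cookies present at `now` (a constructed March 2008 timestamp)."""
    return [c.name for c in find_cookies_from(SAMPLE_COOKIES_TXT, WATCHED, now)]


if __name__ == "__main__":
    for c in find_cookies_from(SAMPLE_COOKIES_TXT, WATCHED, 1205400000):
        print(f"{c.domain:<22} {c.name:<22} expires={c.expires or 'session'}")
```

Expired entries are dropped because a browser would not send them anyway; the point of the check is which cookies the browser will still present, since that is what the opt-in/opt-out status page described in the reply is reading.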
We (peeps in Virgin NGs) discovered last night that content in Microsoft Office applications, and Open Office present the same 'user agent' as Internet Explorer.
To a web proxy (like Phorm) the requests will be indistinguishable from the requests submitted by a web browser.
The practical effect of this is that most popular desktop applications will be vulnerable to profiling by the Phorm profiler too.
Phorm's oft-repeated claim to operate a user agent white list is a complete red herring (because all these applications appear to be Internet Explorer 7.0).
Applications like Word 2000/2003, Outlook 2000/2003, Open Office will effectively betray your desktop privacy to Phorm.
For example, the emails you read, and the domains and URLs where they came from.
The content within word processor documents, and the domains and URLs where they originated.
Phorm will not be able to differentiate between Microsoft Office applications during wordprocessing or email operations, and Internet Explorer.
The privacy and personal security risks associated with Phorm are simply too profound to be tolerable, not even as an opt-in model.
For details see
http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?6
STOP PHORM!
www.dephormation.org.uk
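The claim in the post above is that desktop applications fetch URLs with the same User-Agent string as Internet Explorer, so a profiler's user-agent allowlist cannot tell them apart. The quickest way to check what any application on your own machine actually sends is to point it at a local web server that records the header. The following is an added example, not code from the post or from dephormation.org.uk: a Python loopback server that logs the User-Agent of every request, plus a `looks_like_ie` check that applies the kind of "MSIE major version" allowlist rule the post discusses (an assumed form of such a rule, not Phorm's actual one). The two User-Agent strings are constructed for the demonstration; the "desktop app" one is shaped like the IE-compatible string such applications are said to send, not a captured value.

```python
"""Log the User-Agent of whatever connects, to see what an application really sends.

Added example for this thread, not code from the post, dephormation.org.uk or Phorm.
The MSIE allowlist pattern is an assumed rule; the User-Agent strings are constructed.
"""
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist rule: a "MSIE <major>.<minor>" token anywhere in the string.
IE_TOKEN = re.compile(r"\bMSIE (\d+)\.(\d+)\b")


def looks_like_ie(user_agent: str):
    """Return the IE major version the User-Agent claims, or None if it claims none."""
    m = IE_TOKEN.search(user_agent or "")
    return int(m.group(1)) if m else None


class UALogger(HTTPServer):
    """HTTPServer that remembers (path, user_agent) for every request it serves."""

    def __init__(self, addr):
        super().__init__(addr, _Handler)
        self.seen = []
        self.lock = threading.Lock()


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        with self.server.lock:
            self.server.seen.append((self.path, ua))
        body = f"User-Agent seen: {ua}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep stderr quiet; the server object holds the record


def start_logger(port: int = 0) -> UALogger:
    """Bind on loopback (port 0 = any free port) and serve in a background thread."""
    server = UALogger(("127.0.0.1", port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server: UALogger, user_agent: str, path: str = "/probe") -> str:
    """Act as a client sending the given User-Agent to the local logger."""
    conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": user_agent})
    body = conn.getresponse().read().decode()
    conn.close()
    return body


# Constructed strings: a browser, and a placeholder for a non-browser desktop
# application that presents itself as IE-compatible.
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
DESKTOP_APP_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; example-office-app)"


def demo() -> list:
    """Send both constructed User-Agents and return what the allowlist rule makes of each."""
    server = start_logger()
    try:
        probe(server, BROWSER_UA, "/from-browser")
        probe(server, DESKTOP_APP_UA, "/from-desktop-app")
        with server.lock:
            return [(path, looks_like_ie(ua)) for path, ua in server.seen]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: claims IE major version {version}")
```

To test a real application, run `start_logger(8080)` in a Python shell, open http://127.0.0.1:8080/ from the application in question, and read `server.seen`; whatever the header says is all a User-Agent-keyed filter ever gets to see.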
I have not used Virgin Media and so I won't comment upon them.
BT however have for the past year and a half been trying every dodge to squeeze more money out of their customers: first they resell their customers' bandwidth via BTFON, now they want to sell the users' data too. BT charge over the odds for their service and outsource the call centres to India, so removing revenue from this country. It is clear that BT do not like the people in this country at all; they go out of their way to screw us at every turn. PHORM is just another example of BT business practices.
Ofcom, who are supposed to protect communication customers' rights, are clearly being directed by BT. I say this as BT can and do whatever they like without repercussions; who speaks for the customers' protection? Not Ofcom, they speak for BT. There is evidence that BT trialled PHORM last July against BT's own privacy policy; why has this not been investigated by any government department?
Why is BT Wholesale (the people who charge the line rental) allowed to have a monopoly on communications outside of every city?
I will tell you why: it is because your government is not interested in the people, only in companies and their interests.
The tax payer has to shell out when big businesses cock up (see Northern Rock, Lloyd's names etc.). Is this money well spent? I ask as I do not understand what possible benefit to me comes from giving £20Bn of our money to fat cats who gambled and lost.
The pimps here are not PHORM, they are just the middlemen; no, it is BT and the Government's policies that are the real pimps, and we are just whores who have to pay for someone to screw us.
I sent this to chris, but I thought I'd mention it here.
Under the RIPA, interception is unlawful without the consent of both the browser and the website.
The Phorm "service" is acting as, effectively, a proxy at the heart of things, so where does this place all of the corporate and WAP proxies? Surely they break the RIPA, maybe not on the browser side (since the employee/customer would have signed a contract stating that their electronic communications would be logged and tracked) but I'm willing to bet that the websites they are caching haven't been contacted in order to gain their permission.
Does this mean that evidence collected using the proxies in disciplinaries and dismissals aren't legal? What about the "web experience" when using WAP and 3G connections?
Certainly an Interesting question.
I do not want Phorm.
However I care not if my ISP offers it as an opt-in.
But let me be clear. I will not opt-in, thus I expect the following
1. No cookie or similar on my PC.
2. No data mirroring or 'feeding' even if its discarded.
So long as points 1 and 2 are held to and there is no auto opt-in, I am quite happy for my ISP to pursue new revenues.
So Virgin media you had better be listening.
-ano
By Dave
"Just sell us a good quality connection at a price that will make you some profit. If it costs you more for UK based tech support, then pass the cost on to us. We Will Pay. Cheerfully. We will gladly recommend you to our friends."
Sounds like you need to be with Zen. UK Support, clueful staff and rock solid connectivity, no shaping, management or other interference, and a stated no way to phorm policy.
Paris, cause even she'd avoid Phorm, she needs no advertising.
I don't think it's that bad it's going back up a bit. That's what markets do, over react then correct.
This month, it reached a peak of around 3300, reached a brief low of 1800 and spent most of the last week bouncing around 2000, and now is back at 2250. So it's still lost around 32% of its value. That's a significant correction in anyone's books.
I was wondering if BT, Virgin, et al, might not be hoping to get an undisclosed secondary benefit by making people like us go away to another ISP anyway... typically techies are the higher-end usage people and we're most likely to be the troublemakers with the Phorm interceptions.
If they get rid of the top 1% of bandwidth users then they can skimp on investment, cut services and get even more profit per user from the remaining rump of those who use their 8mbps, 40GB per month £25 connections to download two emails a day and read up on their soaps.
Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website.
I emailed BT yesterday expressing my concerns about Phorm and received a form Phorm letter back telling me that they wouldn't be scanning my passwords or emails.
Naturally I was enraged; they better not be scanning my f*cking email because that would be a blatant contravention of the DPA.
If I don't see a published retraction of the Webwise/Phorm relationship within the next week I will be leaving BT. I encourage others to write as well, voting with our feet will make them change their minds.
The proxy our department runs in the company isn't there to provide people with net access, it's to restrict certain sites and to be used against people who use the net too much or for inappropriate content.
Also, I believe that some of the WAP proxies are capable of injecting ads into the stream too (though I haven't heard of any making use of this "functionality").
You can't be serious; the class of replies on that so-called investors' site are so dumb it's a wonder they have any cash left to invest in anything worthwhile, never mind drive this Phorm stock up for so long.
How come the better posters here and elsewhere didn't join that thread and put these so-called investors right?
I don't know how anyone could invest in something and not even read and understand a patent, or at the very least try and gain some basic insight into how it might work and the implications as regards the laws it must follow.
An example quote from there:
http://www.iii.co.uk/investment/detail/?display=discussion&code=cotn%3APHRM.L&it=le&action=detail&id=3947835
"zoiezoie:I know very little about this company and the technology, but the fact that there has been so much public opinion about it recently then I feel it must have something that someone will buy..."
I don't know, facts don't often get in the way of a good bandwagon! I suspect there may be some concessions on improving the opt-out (though opt-in will still be the default) and then it will be rolled out everywhere as fast as they can. One thing I find strange is that BT and VM decided to go with these shysters, given their background, when there are several more mature solutions in place already in the US and Canada, which have been slipped in without anyone knowing (oo-er missus).
I am tempted to buy in for a couple of grand myself, can't be worse than my FA Cup accumulator.....
"Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website."
It's been said time and again in several places; that's exactly what webmasters should be doing.
Alongside end users sending a Data Protection Act Notice to their ISP (and now phone companies http://www.theregister.co.uk/2008/03/12/mobile_phom/ )
removing any and all rights to collect, process or export any of their personal data outside the basic contracted supply and billing of their connections.
Is it really that much trouble to write the letter and send it registered post to your data controller to protect your rights into the future and nullify any UK T&C that might try and auto-insert such consent (not that a T&C is in fact an _explicit_ consent of course)?
"how come the better posters here and elsewere didnt join that thread and put these so called investors right?"
1) There is a 48 hour delay on activation of forum accounts, a speed bump, if you will.
2) Technical arguments will not work on the technically illiterate.
Keep watching the skies ;-)
No doubt all the people on here who have been whinging about their privacy will have been reassured by the clamour from outraged MPs protesting on their behalf. And how come these same people missed the re-branding exercise that now means that the 'K' in 'UK' stands for Klondyke. The gold-rush is on and the panhandlers are mining for your data in the entrepreneurial spirit espoused by your government.
Now that you've enjoyed the coffee, please turn over and bite the pillow while you enjoy the delights of rampant capitalism.
Shafted again.
BT's previous secret trialling with Phorm would seem clear prima facie evidence to suspect that a crime was committed under RIPA. It is sufficient that someone suspects a crime may have been committed to report it to PC Plod for further investigation. While anyone can report a crime, in this instance someone who has logs of BT's activity last year would be better placed to report it. It is also open to bring private prosecutions in criminal matters, but that would be looking a long way into the future. No amount of BT talk of T&Cs and how it intends to operate the system in the future changes what it may have done in the past.
I realise I'm probably slightly more technically inclined than an average user, but I have never, and will never, click on an internet ad. As far as I'm concerned all the ads are a blight on the net, there simply to take advantage of naive users. In fact, like me, pretty much every Firefox user uses adblocker to strip them out now. Its popularity should give Phorm an idea of the general feeling people have towards ads; I'm pretty sure that if IE8 supports user plugins, adblocker will be ported and no-one will ever see an ad again.
Even the Reg drives me mad when I have to use IE at work: I have to sit for 30 secs staring at the header while all the ads load before the rest of the page gets displayed.
So glad I'm with Zen.
Every aspect of our lives seems to be probed at with or without our consent and this is another step in the wrong direction. Maybe the government don't mind too much as this is the sort of technology they want to use to see what we are getting up to!
Anyone see the movie "Brazil" http://en.wikipedia.org/wiki/Brazil_(film)
Have just been to the BT website to see if they are listing anything on Phorm. I asked Emma (their wonderful help assistant) the following questions.....
You asked me:
Who are Phorm?
My answer is:
I'm sorry, but I don't think I understood your last question. Please try rephrasing it and ask me again.
Fair enough, most people on the street wouldn't have a clue to that one!!!!
Tried a different approach....
You asked me:
will you sell my browsing habits to phorm?
My answer is:
I'm confused. I didn't understand what you just said.
Well, it's a fairly simple question!!!!
I then tried the following........
You asked me:
are you a bunch of incompetent pillocks who are going to sell my personal data to a malware company?
My answer is:
Spyware and adware are small programs that install themselves on your computer. They track your surfing habits and collect personal data that's then sent back to their creators.
BT Yahoo! Anti-Spy is included with all BT Broadband packages. Visit the BT Yahoo! Software centre to download it.
Click here to see a web page with further information.
Not quite the answer we were looking for, but BT apparently know what malware and spyware are!!!!
Next try.....
You asked me:
how do you think your customers will feel when they realise that all their communications are being ...
My answer is:
I'm sorry but I can't discuss our competitors, I'm only here to answer questions about BT
OK, so are Phorm a competitor or a business partner?
Next try......
You asked me:
Is bt breaking the data protection act by profiling customers and selling this information?
My answer is:
Sorry, I didn't understand that. Please reword your question.
Again, a fairly simple question, and a Yes/No answer would have sufficed.
Final question......
You asked me:
can i sign up to have my data sold to phorm
My answer is:
Click here to sign up to BT.com. All BT customers can manage their bills online - it's free to sign up, and only takes a few minutes. You'll need to let us know your email address and your account number (which you'll find on your most recent BT bill) if you want to manage your account online.
So, the online help service is completely useless, but you can sign up to have your data sold off to a third party company.........
Tinfoil-lined parka on the far peg please.........
> [Adblock's] popularity should give Phorm an idea of the general feeling people have towards ads
Apparently Phorm doesn't care in the slightest - not when there are users to be exploited and money to be made.
As was said in one of their warm-n-fluffy pronouncements (I'm paraphrasing), this is an exciting service designed to help the poor befuddled user by providing ads. which Phorm claim would be of interest - and all at the simple and painless expense of tracking browsing habits using closed & proprietary software.
Naive or just plain ol' predatory - it's in there somewhere.
"...I want vengeance. Can we destroy this thing? "
I don't do "internet anarchist" attacks, but..
I've just pointed out to Google that Phorm will be illegally collecting (stealing?) their commercial data, as Google have not consented to Phorm's interceptions, and urged Google to seek an injunction to stop BT doing trials.
I say stealing? with a question mark, as the question of whether it is stealing or something else is legally complicated, but ask yourself - how much would Google charge for that data (if they could legally sell it)?
That this would also likely remove one of Google's potential competitors in the online advertising market - well, Google may see that as a bonus :)
If anyone else with relevant connections would like to urge any of the other big sites to seek their own injunctions .. someone has to pay the lawyers, and the big sites have both the money and the incentive.
The time has come to separate out the wood from the trees with regard to ISPs, profilers, data packets and advertising networks.
First point to consider is that the marrying of user profiles and adverts has been going on for a few years. The big difference between now and a few weeks ago was that everyone bought into the "it's OK because I am getting a good service" spiel without any knowledge or understanding of the privacy aspects. Ever noticed how easy it is to do a search on a mobile phone and be offered businesses nearby matching your query? - isn't this one of the selling points of the iPhone?- not yet available(?) in the UK but coming soon. More on this below.
Back to the ISPs and a little background technical information.
Data packet inspection systems: this is hardware which sits within the routing system at the ISP. Simply, data packets are the clear text (including cookies) sent from your browser to the ISP to identify your request. The ISP sends this data packet on via DNS and routing servers until it meets the server which hosts the data requested. The host server sends the response data packet back to the ISP who returns it to you. And you see your request being displayed in your browser.
A request leg and a response leg, both under the control of your ISP and everyone else along the route taken by your data.
ISPs and networks have been recording the content from the data packet inspection systems for years, logging traffic in and out. The content can be assembled and analysed to give an idea of what you are doing every time you turn on your computer.
When required to do so by law, the ISPs are able to supply all kinds of information about the user. This includes but is not limited to your e-mails, chat sessions, banking (even though they only see the encrypted data - urls are in the clear), purchases, etc.
Now a quick look at advertisers.
Google is evil goes the cry. Google (and the other search engines) tracks queries and builds up a profile of its users. Even if you don't use a search engine there are webmaster tools like google-analytics which are also used to track users as they browse the web. In case you miss the visitor tracking tools there are also scripts which deliver adverts across many partner websites: each time you see an advert you are being profiled.
Just in case you missed that: each time you see an advert which has been delivered by a script, you are being profiled.
Those who know about the tracking being done by the search engines and all the rest of the ad networks have not been too worried about that as it is seen as a small price to pay for a free service and it is possible to block the profiling by restricting the way in which the browser uses scripts and by using the host file to divert requests to domains used for tracking. We are happy.
BUT, the advertisers are not happy. They complain to the advertising networks and say that they want a system which does not rely on cookies: they want their adverts delivered and they want a good ROI for their advertising dollar.
Now the data packet inspection systems come into their own.
It is a very short step from collecting the data packets to using the data collected to generate profiling information. Privacy is an issue and different countries have different rules. Not to worry: as part of the data mining the ISP is able to provide an added value service which their users will be so very happy with. A small sacrifice and so like the sacrifice made for the availability of free search.
Here are some examples of services:
When you logon to your ISP, the first thing you see is a report of how much bandwidth you have used. If you have a mobile, your ISP can give you a report on your remaining credit balance or the balance of inclusive minutes available. Webwise will tell us if we are about to visit a phishing site. Wonderful, something useful for nothing.
You will notice that I have not made any mention of all the free wi-fi hot-spots that are springing up wherever there are people with wi-fi connections. Don't forget to disable WEP so that you can use the system. And there are all these T&C that pop up and you are asked to agree to before you use our wonderful free hot-spot. Just click OK else the battery will be flat before you get to the end of the text.
How are these services offered?
This is the simplest part of the whole system. Back to the data packets and the ISP.
Up until now, data packets had only been analysed to create revenues from consolidated demographic data and to calculate the popularity of URLs. Along comes the profiler to analyse data by user and by target market segment and promises of a share of advertising revenue from all the net browsing of their users. No need to e-mail users about new services that they have been surfing for, just pop your ad up onto the screen when they logon (no one will know that they are seeing something different from their neighbour).
But, how to sell the system and get around privacy issues?
The easy option is to give each user an anonymous random ID via a cookie and to provide the profile supplier all the analysed data they require together with the cookie ID. Then, all that is needed is to give the ad networks a script which reads the user's cookie ID, looks up the profile for the user with that ID and displays a relevant ad that matches the target interests.
Giving the user a cookie is easy. The ISP only needs to intercept the data packets and inject a script that will lodge the cookie ID on the user's system before they are delivered the request they made. Once they have their cookie ID, all requests are easily identified with them and the content requested can be analysed by a split system. Simplicity itself.
This is so simple, what if it fails? What about users who delete their cookies or who can't accept cookies? - cable TV downloads and all those handhelds with different operating systems.
Now this also has a simple system. No cookies required. Just an electronic short delay between the response data packet being delivered from the host server to the ISP, analysing the data packet and injecting code into the data packet before being delivered to the user. Warning: the data you are about to download is not permitted as per your T&C. If you continue with the download of pirated content you ....
I think you get the idea. I am sure that the Chinese engineers can explain the identifying of content far better than my simple example.
For the advertiser, the match code is already available in the browser and all that is needed is to match the injected content with their data and the user sees a targeted and relevant advert. And no one is any the wiser. If it is a TV programme that is being watched, rather than the data packet being sent to the TV it is sent to the ad network who now know that the user likes watching programmes about 'summer holidays' or has been surfing on sites promoting holidays. So easy to send a relevant ad or two during the next ad break.
Part 2 to follow
OK, I admit that some of the above details could be way off course. That is because it is so hard to find any information.
The data packet inspection systems are real. All that is needed is a parsing script and you can use the data in any way you can imagine.
The delivery of targeted messages before the user views the content they asked for is real.
The delivery of targeted adverts to cable TV users is real.
Now it is time to look at the profile providers.
NebuAd
Looking at the UK Privacy Policy of NebuAd at http://www.nebuad.com/privacy/uk_servicesPrivacy.php, personal information and the following are not supplied by the ISP:
Email Addresses
Last Names
Street Addresses
Telephone Numbers
National Insurance Numbers
National Health Service (NHS) Numbers
Financial information, including credit card numbers, login IDs, passwords, or bank account
However, data collected does include the following data:
Web pages viewed and links clicked on
Web search terms
The amount of time spent at some Web sites
Response to advertisements
System settings, such as the browser used and speed of the connection
Post code
Sensitive personal data is not stored or used.
Cookies are used to record whether you are opted in or out. They are also used to record how often you have seen a particular advert. NebuAd also process information contained in the server logs when you visit a site: "may include a user's Web request, Internet Protocol address, browser type, browser language, and the date and time of the user’s request" and will be used to facilitate the serving of advertisements that match the user's interests.
Ouch
To summarise: even if you are not having your data collected and profiled by the ISPs NebuAd have signed up with, every page within their partner network is collecting all the data that the search engines and every other ad network has been collecting and that those who know try to block.
FrontPorch
From the FrontPorch web site: "Front Porch also enables Internet providers to leverage their networks to deliver any targeted ad or customer message directly to users’ browsers anytime and anywhere they surf the web."
To summarise: They are in over 3,000 installations in over 33 countries including cable, telcos, internet providers, wireless hot zones, conference networks, airports, shopping malls, sports centres, train stations, resorts, universities, commuter hubs, coffee shops and tourist attractions. FrontPorch works without cookies, using meta data from the browser session to match the user profile to display ads during the current session. They also deliver targeted notifications from ISPs direct to the browser before the requested page as users surf the net - available credit balances and bandwidth notifications being common uses.
With the growing delivery of TV content via the internet, ISPs can now deliver targeted ads to viewers of regular TV programmes.
FrontPorch are running trials with cable and telephone companies in the USA, Australia, Asia and Europe. free-hotspot.jiwire.com shows 126 hot-spot locations for London.
For the technically minded, see United States patent No. 6,442,577.
Suddenly those free hot-spots are not so free - boycott anyone?
Why do I get the feeling that all wi-fi connectors are about to end up in the bin? Do people really turn WEP off just so that they can have free surfing, including checking e-mails, at the hot-spot in their local cafe or coffee shop?
Phorm
I am not going to repeat it all again. Their site shows that advertisers can match on broad market sectors, key words and URL visits. That is a lot more than the information that can be stored in a cookie so your cookie is identifying you with your profiling data, wherever that is stored, via a script hosted on a 3rd party web site. The 3rd party site will be able to track you, even your IP address.
It is difficult enough to believe that the unique cookie and IP address are safe in the hands of the ISP. Who believes that there is a bamboo curtain between the cookie ID and the IP address on the 3rd party site?
For our US and Canada cousins.
Adzilla
The Adzilla site has less information. However, no cookies are required so a real time data packet injection is suspected. The ISP may provide access to personal information (which stays within the ISP) to improve the ad targeting. Ad serving partners use cookies to track your behaviour and user trends. Adzilla will also record the logging information supplied by the browser when accessing servers.
Project Rialto
Even less information available. Stealth as per their site, stealth in reality. A little searching gives a China connection to the CEO.
Back to the ISPs
There is nothing that says that an ISP can't install something that shares data with all the various profilers of the world - it all depends on how much of the non search engine ad dollars they want to get their hands on and how many times they can sell their users' demographics.
What my investigations show is that there is a very small step from the available data packets to earning revenue from the content. It also shows that most users don't realise that the 'service' they are getting is coming at the cost of their privacy. Mobile users will be most under attack with the ISP sharing their location with advertisers - i.e. Google's local search. Yes, search engines are using this to get their ads better targeted too, even if only sniffing our IP address or local hot-spot. And, which social network was looking forward to knowing where members logging on via WAP are so that it can track members? - for the benefit of other members, of course.
I am beginning to understand why the protesters at El Reg are being counted as ignorant fools without any vision of the bigger picture. Only 4,000 have signed the petition. Not even a drop compared with the market.
Today I did a little market research. No one knows about this. Only one said that they may change ISPs because they use the home connection for work via https. One said that they had had so much trouble getting their current ADSL working that they could not think about going through all that again.
Profiling of personal data has already happened all around us and until the last couple of weeks everyone had been very happy with it. Now that there is more information and the process is understood a little, everyone has the choice of whether or not to use any of the services that give away data that some want kept private.
Blocking cookies and using the hosts file does not work against data packet injection by the ISP.
Blocking cookies and scripts is just good browsing practice. Redirecting tracking sites to 127.0.0.1 is best practice to preserve privacy. If more people complained about sites that don't work without cookies and insecure browser side scripts there may be more sites that meet the accessibility standards that are required under the Disabilities Act.
You are wrong, Kent et al, if you think I am going to lower my security settings just so that I can view your partners' sites. Well written sites work very well without cookies and insecure scripts.
If every site owner and web host was required to be registered under the DPA there may be a little less sharing of the logging information for monetary gain. My IP address is personal identifiable information. It is bad enough when spammers spoof my e-mail addresses. If anybody did anything illegal while spoofing my IP address, guess whose door would be getting the first knock.
It is all a matter of security. The security of our personal data. Each one of us is our own gatekeeper. The security tools are out there, many freely available.
It is time to shut the gate.
http://petitions.pm.gov.uk/ispphorm/
How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?
Phorm Comms team here
Your description of the Phorm system is plain wrong. Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.
We've built the system from the ground up with privacy in mind. We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim.
Phorm Comms Team (techteam@phorm.com)
"http://petitions.pm.gov.uk/ispphorm/
How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?"
OC it might also be said that people don't want their personal names posted on a public petition, due to privacy concerns, catch 22 and all that.
We have, at the top of every page, as the first line after the <head> statement, the following; we urge all website/content producers to do the same.
<meta name="ATTENTION" content="Attention: Phorm Inc, All Subsidiary Companies of Phorm Inc, OIX Network, Internet Service Providers using the technologies provided by the former mentioned companies; [sitename] specifically denies permission for the former mentioned companies to intercept any communication between a remote user accessing content on any [sitename] Server and that person's Internet Web Browser, or any other Interface that such a remote user may use to obtain [sitename] data.">
"We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim."
However, it's possible that an advertiser could discover which web pages its phorm adverts were displayed on, or a web site could discover which phorm adverts were displayed on its pages. This may be trivial, or it may involve tricky javascript, web bugs and browser exploits, but it seems very likely it would be possible.
In that case they have all the information they need in order to discover (approximately over time) the advertising preferences assigned by phorm to a specific IP address.
In other words, you may not know who we are, but thanks to your link-up with the ISP everyone else in the world will be able to find out who we are and what our preferences are. Your "anonymous" system is nothing of the sort.
Phorm Comms team here
...Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.
Phorm Comms Team (techteam@phorm.com)
No PCM, that's not the starting point, the starting point would be about paying the users a licence fee for legal use of their data.
While it's good to see some initiative Mr Anony, the fact is there are more than just Phorm out there profiting off your data without paying you a fee.
For any web master out there, the fact is as a general rule you need to simply refuse collecting, processing, copying or export by any profiling electronic device or software, nor for profit or fee without explicit written consent and any fees due paid in advance or £20 per page per view.
you get the idea ;)
That profit and fee would also probably also exclude the mobile phone companies that charge by the megabit for free content perhaps, yeah for fixed fee mobile BB.
I've noticed over the last few days whenever I go to one of those god awful one click hosting sites that the bandwidth for my IP address has been exceeded yet the IP address that they report is completely different to the one I actually have.
they all seem to be in the range of 194.72.*.*
looks like the start of phorm to me.
OK, they use the following statements.
Privacy
Their online website explains that rules are defined, such as if a person visits website A and then site B. But in the next breath they state that it does not know where you have been. In their own marketing they confuse the consumer.
Safety (Phishing)
They don't mention anywhere how they help in this area. They claim safety from phishing attacks, but actually what they are saying is 'we will not carry out phishing attacks'; they will not reduce attacks from other sources.
So actually this is just marketing crud.
Relevant Advertising
From what I can tell, this is their only value add. I am assuming the 'advertisers' pay. The whole concept over rules to trigger adverts, makes me nervous, if the adverts are delivered by rules, then give me some examples of those rules. I want to know every constraint and dimension that can be applied to the trigger of a specific advert.
Proprietary
They state that their system is proprietary and claim this as an advantage. If they are so confident about their system, and that the actual 'sell' is winning over the ISPs, then release details of the system. I want to see exactly the schema that is saved. I want to see the structure and detail of the rule based triggers, I want to see exactly the events that result in opt-in/opt-out and again what information is stored and used to determine this.
Also one final thing, they don't use "Names" in their matching; the only way they can commit to this is by storing a DB of names somewhere to match against so they can be discarded. I bet as part of the opt-in/opt-out I will be asked for my name, age, email etc. This again is against their promises around privacy.
I am very concerned about their 'marketing' hype. I for one am not falling for it, but I know lots of people in my family who are not so technically minded, and will fall for the marketing, thinking they are getting a great deal.
'Phorm Comms team here
Your description of the Phorm system is plain wrong. Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.'
Apart from the part where you serve the ad, and receive the web page address to serve to (Browsing history) , and where to send it (IP address).
So, are you a liar or simply too incompetent to understand the system you are performing PR for?
>>
Your description of the Phorm system is plain wrong. Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.
We've built the system from the ground up with privacy in mind. We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim.
>>
Everything says that Phorm does not 'store' any PII.
Storage and knowledge are two very different words. The question is all about knowledge and the ability to use the data regardless of whether or not it is 'stored'.
The problem is that the ISP knows and stores the IP address and the cookie data.
The 3rd party website knows and stores every visitor's IP address. The ad displaying script on the 3rd party website reads and knows the cookie data and can easily read and store the IP address.
Other targeted ad providers admit to knowing and storing IP addresses. Ad networks admit to using all visitor data for tracking and profiling.
What is so special about the 3rd party sites and ad networks used by Phorm that you can claim that the IP address of people who have received a targeted ad is not known to anybody?
I am tired of reading "Phorm doesn't ..." That record is cracked and stuck - time it was thrown away so that everyone can start dancing to a real tune.
As far as I am concerned, if Phorm is providing this service with these guarantees then they must also guarantee that everyone who is involved in enabling Phorm to supply the service is able to offer the same guarantee. The ISP, the advertising merchant, the ad network and the site hosting the Phorm advert scripts and Phorm itself.
Why is it so difficult to answer the question?
Until Phorm and the ISPs can guarantee that the only party who knows the cookie data and the IP address is the ISP and that the database containing that information is encrypted and available only to the ISP and not to anybody acting as their agent nor in any other capacity, then the question has not been answered.
There are a lot of scripts from different people in the chain all asking for that cookie data. I don't care what the legal connection is between all the various parties, I just want to know that every one of them is providing a privacy statement clarifying whether or not they collect IP and/or cookie data.
So far, only Phorm has offered a statement that it does not 'store' that data. Without offering any statement relating to the other parties nor offering any proof that the script which requests the cookie data will not also ask for the IP address. It is just so easy to write scripts that ask for various header data. If anyone clicks on an ad, that IP address just goes marching along to the next website for the advertiser to harvest .....
The web is full of affiliate scripts. Affiliates rely on the networks preserving the cookie data as it goes through various tracking sites on the way to the merchant's site through to the conversion page/script. The preservation of cookie data is the norm. And Phorm are asking us to believe that they don't preserve this cookie data which is the basis of their whole system?
How is it that Phorm is the only party in the whole trail who does not know nor store the user's IP address when reading the cookie data?
Answer the question. The whole question. Not just Phorm's little excuse that it leaves all the privacy exposure risk to the other parties in the chain while Phorm only knows the random ID. Is Phorm honestly telling us that nowhere in the whole system is there even one server that contains logs recording the passage of any user with a Phorm cookie - either opted in or opted out?
As this is what Phorm are claiming, they are omitting to tell us who is in control of the servers which will be logging that data.
Until there is an answer that offers privacy, the questions are not going away.
Phorm, don't compare yourself to the other targeted ad providers. Until BT got into this game very few people even knew they existed and all targeted ad providers are just as much part of this campaign for privacy as are BT, TT and VM.
It is the investors I feel sorry for. They must be really green when it comes to internet security. Don't they know that for the last year it is the ad networks who have been placing ads which have been hosting the malware that has grown the botnets that are harvesting data through keyloggers. That is why the ads are being blocked by users and browsers, we don't trust ads and the scripts behind them and don't want them anywhere near our browsers.
If some marketing 'guru' thinks that we are going to become happy with the injection of any scripts in the data packets then they are not living in the real world. Who is going to pick up the pieces when a malware script is distributed via the data packets? Even Google can't keep malware scripts out of its adverts and merrily caches all the hacked pages hosting calls to the malware sites.
Come to think about it: the ISPs must be even greener than the investors.
Time to sign that petition.
I was watching that page today and refreshing every now and again. About one signature was being added every 10 minutes. A little stream, soon to be a flood.
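The re-identification argued in the two posts above (the ad script that reads the "anonymous" cookie ID runs on a third-party site that also logs the visitor's IP address, so whoever holds those logs can join the two), as an added example that is not part of this thread or of any Phorm, NebuAd or ISP code. The log format, hostnames, cookie IDs and addresses are constructed for the example; the visit with no cookie ID stands for a browser that blocked the script.

```python
"""
Join of third-party ad-script logs back to IP addresses.  Everything here
(log layout, uid values, hostnames, IPs) is constructed for illustration;
it is not the format of any real ad network or ISP.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log lines from two unrelated sites hosting the same ad script.
# Fields: client IP, timestamp, site, request, then the profiling cookie the
# script forwarded (an opted-out user still carries one) or "-" if no script ran.
SAMPLE_LOGS = """\
203.0.113.7 2008-03-05T09:01:12Z news.example GET /ads/show.js uid=7f3a2c opt=in
198.51.100.42 2008-03-05T09:02:40Z news.example GET /ads/show.js uid=b81e09 opt=out
203.0.113.7 2008-03-05T09:15:03Z news.example GET /ads/show.js uid=7f3a2c opt=in
203.0.113.7 2008-03-05T21:40:55Z holidays.example GET /ads/show.js uid=7f3a2c opt=in
198.51.100.42 2008-03-06T08:12:19Z holidays.example GET /ads/show.js uid=b81e09 opt=out
192.0.2.99 2008-03-06T08:13:00Z holidays.example GET /index.html -
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<site>\S+) GET (?P<path>\S+)"
    r"(?: uid=(?P<uid>[0-9a-f]+) opt=(?P<opt>in|out)| -)$"
)


@dataclass
class Profile:
    """Everything a log holder learns about one cookie ID."""
    ips: set = field(default_factory=set)
    visits: list = field(default_factory=list)   # (timestamp, site)
    opt_out: bool = False


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def link_profiles(log_text):
    """Group every ad-script hit by cookie ID.  Returns {uid: Profile}."""
    profiles = defaultdict(Profile)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["uid"] is None:
            continue          # no ad script ran, so nothing to link
        p = profiles[rec["uid"]]
        p.ips.add(rec["ip"])
        p.visits.append((rec["ts"], rec["site"]))
        p.opt_out = p.opt_out or rec["opt"] == "out"
    return dict(profiles)


def reidentify(profiles):
    """Cookie IDs that always arrived from one IP map straight back to it.
    The ID is only 'anonymous' to a party that never sees the IP beside it."""
    return {uid: next(iter(p.ips)) for uid, p in profiles.items() if len(p.ips) == 1}


def exposure_report(log_text):
    """Per IP address: the cookie ID, whether the user had opted out yet was
    still logged, and the cross-site history reconstructable from the logs."""
    profiles = link_profiles(log_text)
    report = {}
    for uid, ip in reidentify(profiles).items():
        p = profiles[uid]
        report[ip] = {
            "uid": uid,
            "opted_out_but_logged": p.opt_out,
            "sites": sorted({site for _, site in p.visits}),
            "hits": len(p.visits),
        }
    return report


def unlinked_visits(log_text):
    """Visits that carried no cookie ID (script blocked, cookies refused):
    the site's logs alone cannot join these to any profile."""
    return sum(1 for line in log_text.splitlines() if parse_line(line)["uid"] is None)


if __name__ == "__main__":
    for ip, info in exposure_report(SAMPLE_LOGS).items():
        print(ip, info)
    print("visits with nothing to join:", unlinked_visits(SAMPLE_LOGS))
```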
I don't use BT as my ISP, however the gym I go to has a couple of internet connected PCs for people to use... Guess who they are with?
I'll have a look at the IP logs for access to my website when I was there - if it turns out that I was phorm'd, then I think I'll be taking legal advice and/or talking to PC Plod.
"I've noticed over the last few days whenever I go to one of those god awful one click hosting sites that the bandwidth for my IP address has been exceeded yet the IP address that they report is completely different to the one I actually have."
Are you saying that you have or have not been offered a phorm cookie during the test period?
Have you done a lookup of the IP addresses? Some in that range belong to BT but there are a lot that don't return bt.com
If you can post more information it will make it easier to look for increased activity on the IP range in logs.
What you are saying tends to suggest a framed proxy (unlikely as you would have seen an odd URL) or masking of the IP address / injection of the data packet when your browser request hits the ISP on the outward leg.
Blocking excessive requests from an IP address is pretty normal server maintenance. If I see 3 or 4 IP addresses within a range that look like they are scraping or attempting a hack then I block the whole range.
As many sites have scripts which automatically block IP addresses associated with excessive usage, being blocked from some sites could become far more common if IP masking is part of the process.
That will annoy the users.
It will also annoy anybody whose server has a list of approved IP addresses for certain processes. Imagine all those mail users not being able to relay because of incorrect IP address data.
Ahem...
First, would you care to provide a clearer description here? No? Really? What a surprise...
Second, the main problem I have is just your system parsing, in any way, shape or form, any internet traffic of any description requested by my hardware to be served to my hardware via my ISP.
You have:
1) No legal right
2) No moral right
3) No permission from me
So, no matter how clever you think you're being in your methodology, the merest act of parsing the data is unpalatable and if mandatory with an ISP should require that ISP be investigated for gross invasion of privacy.
As a tertiary issue, just how dumb would a hacking group have to be to *not* target your system?
You're not actually on the Internet proper until you hit a router port in the ISP's Point of Presence. Until then your traffic may be on a variety of links, even the Internet, but it's in a tunnel. A point to point link. So running the Adware at the POP is just like installing it on your computer without the hassles of drive-by installs and background reporting of data. And, yes, the POP knows it's you -- they do all this so that they can manage your account (you still have to log in with a user name and password).
I don't see what relevance cookies have to this process. I think they're just added to create some noise so that most punters will think they've got control over the process.
Most ISPs encourage users to load their special software -- it's usually some hack on IE -- because it "enhances the user experience" (i.e. loads the computer with crud and tells them what you're doing). Enlightened users regard this as just ISP supplied malware and roundfile their software. Phorm is just moving all this BS to where you can't delete it.
...at the first hop so users cannot avoid it by using the normal tools at their disposal. Neat!!
"We've built the system from the ground up with privacy in mind. We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim."
The history of the company does not support a new-found enthusiasm for the rights of users. Phorm (aka 121Media) has massive expertise on forced and unwanted advertising. Many volunteer malware removers spent 1000s of hours removing PeopleonPage, ContextPlus and the Apropos rootkit from the machines of users that didn't want it, or need it, but could NOT remove without assistance.
Any interception of the communications between the ISP and their customer is Private and Confidential information that should not be in the hands of a known commercial rootkit developer.
Every day I wake up and see yet another liberty get ripped out from beneath me; we can't even form a mob and burn these crooks at the stake anymore. What is the world coming to?!
The next story I read after this is where politicians get a £2k entertainment system paid for by all of us. I predict... what should be a riot... people will sit on their ever growing fat asses so long as we appear to be safe. The world isn't as cold as the media would have us believe; people hate the west for a reason, we are a bunch of mindless zombies to powers that abuse the world.
Wake up FFS before it's too late! Someone call ET and tell him to bring our balls home
194.72.9.* is the address range and seems to resolve to
netname: BT-PUBIP-INT
descr: Frame Relay Customer Network
role: BTnet Support
(I'm not sure how much of a whois I can post so I'll leave it at that and anyway you could get the rest for yourselves if you want)
I know some ISPs (for instance NTL) use proxy caches as a way of essentially keeping bandwidth down, but up until recently, i.e. the last few days, with BT I have never noticed this. Slightly oddly, on a message board where I am a moderator the IP address I see is the one I expect to see from BT. The one click host in question is extremely heavily advert laden so I suspect strongly that there is a phorm presence on that site.
I did check out the BT webwise "help site" and it claimed I was opted out of it.
I emailed the support address associated with the IP address to find out what it was all about and so far have yet to receive any reply. I was hoping to be able to report back here tonight but no joy.
This extract from BT Webwise:
BT Webwise works with most major browsers, including Internet Explorer, Firefox, Netscape and Opera. Safari is not supported by the BT Webwise system and so Safari browsing will not pass through it. BT Webwise has been tested and proven to work with the following:
Internet Explorer 5.5, 6.0, 7.0
Firefox 1.0, 1.5, 2.0
Opera 7.54, 8.54, 9.0
So...just use Safari
From their standard T&C's:
1. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in this way. These third parties are only permitted to use the data only in accordance with our instructions.
6. By having our services installed in your home and/or by using them you consent to our transferring your information to countries which do not provide the same level of data protection as the UK if necessary for providing the services. If we do make such a transfer, we will put a contract in place to ensure your information is protected.
So the questions are...
1. How long exactly is "for as long as is necessary for these specified purposes after you terminate your services"?
2. Can we see a copy of this "contract in place to ensure your information is protected"?
I will post the answers I get from VM.