More than ten million customers of the UK's three largest ISPs will have their browsing habits sold to a company with roots in the murky world of spyware. The deal has sparked fears over privacy, but today Phorm, the firm behind the new advertising system, strongly rejected such concerns. BT, Virgin Media, and Carphone …
much ado about nothing
Install Firefox, add NoScript, be done with it
Surely this should be opt in?
I know what will happen though, the big 3 will send some obscure email about some minor alterations to your T&C's, just click here to accept, don't worry about reading them after all, this will help to keep you more secure online...........
Personally I go to a lot of trouble to not see any advertisements on the web. I don't want people tracking my every move (I know, I know, they do already) and then using that information to make money for shareholders rather than investing in backhaul and network upgrades so I might be able to get close to the Up to 8Mbps service I have paid for!
Now then, before we get into a debate about pr0n, I surf for it. However, I am not sure that I want my children to get "relevant advertising" based on my pr0n surfing habits when they use our shared Virgin media connection.
In other words, my Internet connection has more than one user connected to it and what's relevant to me may not necessarily be relevant to other users in the household. In fact, it may be detrimental to other users in the household.
Mine's the one with "hustler" written on the back.
That makes me glad I am not a customer of one of those three ISPs.
Funny though, I thought the data protection act said "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
Surely if they are gathering this information for compliance purposes they can't just decide they want to sell it?
Nothing from Virgin....
.. but then, they still haven't informed their customers that they have officially started traffic shaping either!
I really can't see this sort of thing being used in the suggested "3 strikes" system at all. Either as a way of flagging up people looking at/for torrent sites, or as a way of identifying people who might be up to no good (based on a variation of the old security principle of "if you don't sign up to have your colon probed by a bulldozer, you're obviously hiding something up there!").
It's nice when your broadband supplier tells you about this sort of rubbish before going ahead with it....
"Nothing to Hide"
Only those with something to hide will be bothered by this.
There's enough adverts on the telly, which is why I try not to watch it...
OK, may be a silly question, but what amount of data will they be sending through in these targeted ads?
If you have an "Unlimited" (cough cough) broadband with a "fair usage policy" (cough cough), when these adverts that are being sent to you push you over this (usually ridiculously low) limit, how will the ISP respond to your breaking their fair usage policy?
Also, my wife browses the net quite a bit, and I sure as hell don't want adverts for makeup, perfume and other womanly things popping up when I'm trying to read El-Reg.
Mine's the tinfoil jacket, hat, glove and scarf set..........
Phorm reads too much like ...
Porn and Pharmacy. Do they make advertising for that?
Like shooting Phish in a....
Regardless if the user opts in or out the data will still be sent to Phorm.
More info: http://www.badphorm.co.uk/
re: "Nothing to Hide"
oh dear.... another person with their head buried in the sand who does not understand risks. I bet you don't lock your doors, don't have a password on your PC and are happy to let anyone search through your house and wallet because you haven't got anything to hide.
Isn't ignorance bliss......
Commercial, Legal & Technical Due Diligence
Call me cynical, but I can almost picture the scene:
Commercial 1: Will it make us a lot of money?
Legal 1: Will it make us a lot of money without being explicitly against the law?
Technical 1: How long do we think until a data breach?
Commercial 2: How much money will we have made by then?
Legal 2: How much would we get done for?
Technical 2: Are we just going through this process to make it look like we actually care about the customer when in fact it all comes down to how much money we can make out of it seeing as it's actually technically feasible?
I have to say I love how they claim that it's a new gold standard. Yes, it's better than previous iterations, but here better only means "not as bad". In a similar vein chocolate money wrappers are a new gold standard. And there's only a thin veneer separating them from something brown.
disingenuous at best
BT say: "We are comfortable with having their computers installed in our operations"
I say I'd rather be with an ISP that didn't invite a rootkit pusher to plumb servers into its network.
And I'd rather get my anti-phishing software from somewhere other than a spyware developer.
In fact I'd like to know a little more about the webwise software.
Is its real purpose to tie a click stream to a browser/user rather than just a connection? What sort of due diligence has been done on the code? At the very least I'd want to see the source (unobfuscated, with English rather than Russian comments).
Note that the opt-out appears partial and highly misleading. Opting out requires a cookie - clear your cookies and you're opted back in. Worse still, this only opts out of the ads (which are easily blocked anyway) Phorm still get your browsing history.
@ Graeme Hill
Spot on! As I was saying to SWMBO the other week, one of the reasons I read books, in preference to other entertainment, is that the book is pretty much the only medium left that isn't constantly trying to sell me shite!
Where's the NLRA icon?
I’m still trying to work out whether, as well as spying on us, the ISPs will be directly injecting the adverts into the web pages or if that’s going to be left to participating websites. Modifying passing traffic is something that’s already cropped up in the USA. Have a look at the University of Washington’s Web Integrity Checker.
The problem with cookies is that I block nearly all websites, and, for those lucky enough to have me accept theirs, they still get regularly purged. While you can get sophisticated cookie managers to help preserve necessary cookies, if I were to accidentally lose my precious one from Phorm, the spying would start again. Plus, they have to spy on my traffic to see if I consent to them spying on my traffic! This has to be an explicit opt-in, done from the MAC or other unique identifier from the modem.
More websites need to start offering secure connections. I’m going to ask again for https://www.theregister.co.uk/ please. In the mean time... Tor, Relakks, JoDonym/JAP/AN.ON, etc. etc. while I consider moving to a smaller ISP who have more respect for privacy.
Sorry you have passed your usage allowance.
You're not allowed to use the internet for what you want as we decided to use up all your usage allowance this month spamming you Flash based ads that you never actually wanted but that we profit from.
Um, the coat icon was meant to signal irony. For a fuller analysis of "nothing to hide", I recommend: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
I have BT Business Broadband. I'm wondering if the selling of my data will allow me to terminate my 12 month contract early.
Then I thought, who else can I get my broadband from... the only other provider I know of in my area is Virgin (was NTL). Sky and TalkTalk and I think even Pipex use the BT infrastructure and I reckon data would still be sold by BT.
Is this anti-competitive? My MP is an ex-BT researcher (I live in Ipswich) and they are a major local employer... so I doubt he'd give me any support...
What can any of us do about it? Were the comments under the title "much ado about nothing" accurate and what are the consequences?
We need spybot antispyware for ISPs
Need to run Spybot to disinfect your ISP. They have been sneaking spies into your PC for years and those in the know run antispy software. Whereas more ordinary PC users (who do not read Reg) suffer.
By placing the spy inside the ISP they have really taken control. Imagine having your HTML scrutinized and modified as you surf the web. If the optout/optin is by Cookie then they can better identify the user. Each user on a home router would have a different cookie since that's via the browser.
I expect my ISP to simply be a pipe to whatever Internet server I am looking at. I don't expect the content to be filtered and coloured on the way. If they do start doing that then I can see sites offering https versions just so you know you are getting the real thing.
As with everything, the ordinary simple person will be directly affected in the intended way and the few smarter people will work around this. We are all a bit ordinary and simple at something and they usually get us. My weakness is those letters that come through the post saying I may already have won £1,000,000. Get me every time.
Where are the adverts? CIA or FSA front company?
Where are the Phorm adverts? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't).
Their 'Open Internet Exchange' page seems to be only a flash presentation and an email address. Can't see why anyone would apply, they don't even give hard numbers.
"With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company, publicly listed on the London Stock Exchange's Alternative Investment Market (AIM) since 2004."
Yet it offers lots of money to ISPs to hand over their users surfing data and ISPs just ignore their duties under the law and hand it over? Must have been some serious cash down for that.
Where does that money come from if it doesn't have a successful advertising network business? Unless there is some major advertising network behind this, then that company cannot 'tweak' its target adverts to make them more relevant as it claims.
So I reckon it's a Total Information Awareness data mining project.
Delaware? You mean like Tepper Aviation?
Well done BT, you've finally hammered in the last nail in the coffin. You want to spy on my browsing habits and sell this information on top of all the 'free' crap you keep trying to push at me - 'free' that is apart from the much higher fees than charged by your competitors.
I'm off to another ISP, mine's the one with the 'Sod off BT' logo on the back.
I'm dropping you, Virgin Media.
I'm writing the email as soon as I get home telling you why, the letter will follow afterwards, and I'm hitting Tor until it's cut off. You're getting NOTHING from me EVER again.
"We are aware of Phorm's background and are comfortable ...
with the size of the cheque."
OIX.com is Chinese
Well that's interesting Phorm.com is a domain-by-proxy (hidden registration details) website.
It's incorporated in Delaware.
It's traded as AIM shares in London (looks like $US proxies for the Delaware company but I'm no expert, I wonder how they got listed?).
Their Open Exchange site OIX.com comes out as 22.214.171.124 and appears to be a Chinese web server according to Dnsstuff.com
First up, ISPs already sell vast quantities of customer data to companies such as Hitwise ('online user intelligence' company). I have a gut feeling from the numbers involved that at least one of the big players like BT has to be onboard, and they hand over your entire surfing habits from first log-on to final (f)log off.
Secondly, I do see that it's not great, but behavioural targeting of online ads is already there - ads are served to you based on which sites you visit. Admittedly, it's usually within a particular content network, but as Google becomes more insidious, that content network covers more and more of the web. And then an ad is served from a third party ad-server to your PC.
Point is, the parts are already there, kind of, and while the combination of them is not particularly a good thing, it was always going to happen, IMO.
I hope all the people who complain here will also complain to their relevant ISP. And also to their MP and the data commissioner. If not - it's just hot air.
The same goes for those who are getting hot under the collar but do nothing.
I've just written to the acting CEO of my ISP. It's not that much hard work.
With the recent articles about the financial effect on ISPs of the BBC on-line programmes, it seems pretty obvious what it's about. Not making loads of money, just staying afloat. Still a mistake, it will just put off for a few more months the evil day when they have to be honest about capacity.
"Net users will benefit from more relevant advertising"
I have never wanted to see an advert while I'm using the internet, so how is making advertising 'more relevant' going to be a benefit to me? I'll still ignore them.
It gets worse
Having looked at Ernst & Young’s Phorm Service Privacy Examination Report, I’m even more worried. It states that “Phorm Service uses only NonPersonally Identifiable Information (‘nonPII’), such as search terms, URLs and keywords.” It’s that ‘keywords’ word that’s most disturbing, as it’s not just URLs. Presumably that means keywords taken from the contents of web pages, not just information from headers. If so, that’s going to mean anyone who uses webmail that only uses HTTPS for authentication and not encrypting the contents of emails (and that’s most of them) is going to have all their emails scanned as well. I believe that’ll include situations where it’s not obvious that HTTP is being used, such as accessing Windows Live Hotmail directly from Outlook (Express) using WebDAV.
I still feel like I’ve dropped into a bad dream or alternate reality and that this isn’t actually happening.
I don't believe it!
This is wrong and companies like BT should know better.
I've nothing to hide & wouldn't use BT anyway.
If they're injecting ads into webpages
doesn't this get in the way of those who already fund their websites with ads from google and the like, the people who create webpages and earn their living from the ad revenues.
I can't get too high and mighty about such things as I always use adblock, but then I'm not the one who's willing to roll over for the music business and its dubious intellectual-property-being-supreme mantra.
Opted-out or not -- Phorm will still get your data
And they promise not to use it -- honest!
And they promise not to be hacked -- honest!
And they promise you won't be identified -- honest!
Oooh! I feel all safe & cosy now!
Well that's 'nother bloody ISP I have to leave.
re: It's not just URLs
That's right. Though GET queries appended to URLs can be pretty revealing in themselves. Phorm claim that they will be stripping out number sequences of more than three digits (which incidentally or otherwise means they get postcodes), but the fact that they are stripping these out means that at some stage they have the whole content.
Too bad Virgin
Well I have just received my MAC code from my current ISP with the intention of moving to Virgin. I won't be doing that now.
Do we not pay enough? Do they really feel it's a good idea to open us up to such risks by selling our data? I feel like we're being treated like the man in the restaurant that sends the food back. Expect it to come back with a new and unusual flavour. (note to self: must remember to tip my mobile phone company).
Who else is there to sell our data and thrust advert spam in our faces? Perhaps Belkin would like to update my router to do this? And PC vendors. They could just cut out the middle man and provide machines that have spyware as a factory default build.
BT offer online backup services to its customers. Do they analyse this too? If not, why not? Surely their shares must take a kicking on this revelation. They're missing a prime opportunity to rake more money off the back of its cattle. Sorry, I mean customers.
I find it hard to believe that companies like this act in such an irresponsible manner just because the letter of the DPA doesn't prohibit their actions.
Does the data commissioner take complaints from the great unwashed?
Europe has an opt-in policy towards this sort of stuff does it not? So how can they opt you in if you didn't explicitly ask to be signed up. Can they just add you by changing the T&C's of the contract?
Not much of a problem...
1. Already mentioned - Firefox
1a. with NoScript. Good for blocking other advertising sites too (e.g. doubleclick.net)
1b. or with Adblock and a custom filter. How long before the standard filters include it?
2. opendns.com, open an account and set up an IP block. You will also need to update your router and/or NIC DNS details to use the OpenDNS servers.
The good thing about opendns.com is it will work whether you use IE or not. If you set the router to use OpenDNS, all computers on the network can take advantage of the blocking. If you have a laptop and manually set the DNS servers, you can have the protection follow you wherever you are, though you also need to set up dynamic DNS.
Time to have a chat with BT
It's not very often that things stop me in my tracks, but fuck me, this has. It'll be interesting to hear what the poor TSA on the other end has to say. The report also begs the question "have they been selling our clickstream data already". I haven't been able to find a copy of BT Broadband's T & Cs, if anyone knows where they're hidden, please share.
Finally, I found this site (good pun too) http://www.badphorm.co.uk, there's not much on it as it was registered 4 days ago, but it'll be interesting to see what appears on it.
What's the technical mechanism?
How exactly is this to be done? I don't see anything in the article describing that.
The inference is that the ISPs will be analysing TCP/IP packets, but unless they're injecting adverts into the responses, which would have a lot of implications in terms of trespassing on the user's communications and search engine usage, as well as the sheer horsepower required, I don't understand how the user is going to see the adverts.
I suppose it could involve transparent HTTP proxies operated by the ISPs.
It sounds more like a browser toolbar add-on that is installed by customised browser installations from sign-up CDs and so forth. That would be easier for users to avoid.
That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting.
As it is anonymous I doubt it is using the user's email address to send adverts to them, either.
I wonder if it is Microsoft Windows and/or Internet Explorer only?
re: it gets worse
From Phorm's website-
"Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information."
They capture the data stream then parse and extract the data of interest to them, promise to ignore the sensitive stuff, then inject 'more relevant' adverts. For the user, the carrot/smoke is the anti-phishing panacea, Webwise, for the ISP it's $$$$.
Seems a fair trade, compromise all your subscribers and we'll give you 30 pieces of silver.
I've started looking for a more ethical ISP, they'll also lose phone and TV subscriptions.
From the E&Y report-
"Because of inherent limitations in controls, error or fraud may occur and not be detected."
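To make concrete the mechanism the posts above argue about (opt-out held only in a browser cookie, plaintext webmail bodies being visible to an ISP-side box, and the quoted rule of ignoring "strings of numbers longer than three digits"), here is an added Python model of such an interception profiler. It is not Phorm's, BT's or any ISP's code: the cookie name, the keyword tokeniser and the sample requests are constructed assumptions, and it exists to show what the quoted redaction rule does and does not remove.

```python
"""Model of ISP-side profiling as the thread describes it.

Added illustration only; not Phorm's, BT's or any ISP's code. The cookie
name, keyword extraction and sample requests are constructed assumptions.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

OPT_OUT_COOKIE = "webwise_optout"        # hypothetical name, not from the page
LONG_DIGIT_RUN = re.compile(r"\d{4,}")   # "strings of numbers longer than three digits"
WORD = re.compile(r"[a-z]{3,}")          # crude keyword tokeniser (assumption)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "headers": headers, "body": body.decode("latin-1")}


def opted_out(req: dict) -> bool:
    """Opt-out is only a cookie: a browser that has cleared cookies is back in."""
    cookies = req["headers"].get("cookie", "")
    return any(c.strip().split("=")[0] == OPT_OUT_COOKIE for c in cookies.split(";"))


def strip_long_numbers(text: str) -> str:
    """The quoted redaction rule: drop any run of four or more digits."""
    return LONG_DIGIT_RUN.sub("", text)


def profile(req: dict) -> Optional[dict]:
    """Return what such an interceptor would retain for one plaintext request.

    Only HTTP reaches this point; HTTPS bodies are opaque to the ISP, which
    is why webmail that is HTTPS for login only still exposes every message.
    """
    if opted_out(req):
        return None
    url = "http://" + req["headers"].get("host", "") + req["target"]
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)]
    if "x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        values += [v for _, v in parse_qsl(req["body"])]   # e.g. a mail body
    else:
        values.append(req["body"])
    text = strip_long_numbers(" ".join([parts.path.replace("/", " "), *values]))
    return {"url": strip_long_numbers(url),
            "keywords": sorted(set(WORD.findall(text.lower())))}


# Constructed sample: a webmail "send" over plain HTTP, no opt-out cookie.
WEBMAIL_POST = (
    b"POST /mail/send HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: session=abc\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"to=doctor@example&body=My+card+is+4111+1111+1111+1111,"
    b"+DOB+12/03/85,+postcode+SW1A+1AA"
)

# Constructed sample: the same search with and without the opt-out cookie.
SEARCH_GET = b"GET /search?q=mortgage+rates HTTP/1.1\r\nHost: search.example\r\n\r\n"
SEARCH_GET_OPTED_OUT = SEARCH_GET.replace(
    b"\r\n\r\n", b"\r\nCookie: " + OPT_OUT_COOKIE.encode() + b"=1\r\n\r\n")

if __name__ == "__main__":
    print(profile(parse_request(WEBMAIL_POST)))        # card gone; DOB, postcode words stay
    print(profile(parse_request(SEARCH_GET)))          # profiled
    print(profile(parse_request(SEARCH_GET_OPTED_OUT)))  # None
```

Note that the digit rule drops a 16-digit card number typed in four-digit groups but leaves a date of birth, a three-digit CVV and a UK postcode untouched, and that the "to" address and every word of the message body survive as keywords.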
Re: What's the technical mechanism?
"That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting."
They will be delivered in the usual way, via web publishers. Just as Google uses search queries and page content to target text advertising, Phorm will use browsing history to target banner ads from advertisers that have signed up to the Open Internet Exchange on websites that have also signed up.
It won't "interfere" with sites as such, but offer them a way to serve you ads that you're supposedly more likely to click on, which means more money for the publisher.
Do a traceroute from wherever you are, ALARM BELLS
Do a traceroute on oix.com from wherever you are. I've tried one in France, one in Belgium, one in Germany and one from USA, all of them tracert fine for most sites, but oix.com always stops IN THE COUNTRY I'M TRACING FROM.
e.g. try DNS stuff:
Stops at theplanet.com 126.96.36.199 Dallas Texas.
The France query stops in Paris, the Belgium one in Belgium... you get the idea.
Perhaps they've built a super fast network with all the end points in each of those countries, and the network blocks pings.... seems very very odd to me. I can tracert to other servers from most of those locations.
e.g. from Colt (UK)
Stops after 2 hops, at colt!
Stop in telstra.
Anyone care to name the network that blocks each of these end points and who owns it?
Premium rate support number to report faults to an offshore call center muppet who reads a script without understanding a thing - Strike one!
Traffic shaping - Strike two!
All my proxy logs are belong to a scummy adware company - Strike three!
Virgin, you're out of here! Please leave your contact details in the bin on the way out.
Of course, these logs are now advertising data and not communications data so any agency will be able to hoover them up and de-anonymize them without warrants or oversight. That VPN to Relakks in Sweden is looking more attractive by the day.
Pass my coat. It's the one with "You can only shaft me so many times without giving me a reach around" on the back.
@ Dunstan Vavasour
Only those with no capability of being honest with themselves believe they have nothing to hide.
For example: Your bank account number, your credit card numbers, the names and ages of your children, and their locations at various times of the day, how much CO2 your automobile produced this month, the interest rate on your mortgage, the current state of your indebtedness (up-to-date, past due, etc.), your medical history...
Only the abysmally ignorant, or the absolutely dirt-poor think they have nothing to hide.
TIA FIB CIA MI5 NWO BnQ
I love the black helicopter angle. So the ISP goes, "cool! advertising money, nice, thank you, here is your info feed". But there is no advertising, it's part of TIA (Total Information Awareness, BBC1 Sunday 9pm The Last Enemy) which is part of the bigger NWO (New World Order - see Alex Jones Infowars) plan.
It's the marriage between government and big corporations. So quicker than getting a law passed that forces the ISP to hand over this live data (see RIAA and Music Copyright legislation requiring ISPs to inform on Downloaders) you simply pay them for it! Very smart. It would be a good (I mean evil) plan to pass some laws as well.
But I digress into the land of TV fiction and Internet conspiracy theories....
Well if Virgin squeezing my connection whilst using useful net features (VPN connections for example) wasn't bad enough! I am calling them first thing tomorrow to cancel my account.
Does "BT" also mean Plusnet, Metronet, Waitrose, Madasafish...
As per title. BT own Plusnet, Metronet, and the Brightview brands (Waitrose, Madasafish?).
Is the ridiculousness in this article confined to customers of BT Retail, or does it extend its tentacles to the other BT-owned ISPs?
If it does include them, I suspect a few folks will be looking for their MACs (I'll be looking for two, as will a few folks I know).
Surprised no-one has said it yet...
...but this is clearly going to be a disaster as we know Kent Ertugrul has Phorm. (cue groans and peanuts)
Vote with your feet, it's really that simple.
Never hook up with an ISP that ties you in for longer than 3 months.
Leave them behind, go somewhere where this doesn't happen, my ISP rocks and is not signed up to this BS, can't tell you who it is though because my service might degrade with more subscribers :P
Ditch the bastards after pinning a great big 'FU' to their foreheads!
Who is Conducive LLC?
I'm still digging away here and hitting dead end after dead end. Take a look at their 2004 financials, they paid $1.3 million to US media company Conducive LLC.
"The results for 2004 include commissions paid to Conducive LLC, a US on-line media agency, of $1.3 million (2003: $82,383), under a joint venture arrangement through which they acted as our sales office in the US and facilitated the receipt of revenue, in exchange for a proportion of the income generated."
I do a search ["Conducive llc"] and get 3 results, none of which are it. Don't you think that's strange for a USA *online* media agency?
Lots of things are bugging me about this company. The financials show a sea of red ink, the oix.com server resolves to China, the trace routes stop dead in each country I try them, I check the few details I can find and hit dead ends. Yet they get $30 million in funding?
The links from 121media.com
Have a look at that zdnet blog.
"PeopleOnPage.com shows an address in Poland with the name Kent Ertugrul. A Google search for Kent Ertugrul brings up a hit showing him as director and CEO of 121 Media, which is a contextual advertising company according to the website."
Connected to AproposMedia, do a search. They tell you how to remove the spyware:
Kent is also connected to Phorm.
"The folks behind ContextPlus, Apropos and PeopleOnPage evidently did not want to be known and there’s little information about them to be found on the internet. The ContextPlus.com domain registration info shows a name and address in Poland. Interestingly enough, the domain history on 2-28-2005 shows the name Apropos with an address and phone number in Kirkland, Washington"
H-E-L-L-O.... I smell a major story here.