Internal BT documents obtained by The Register for the first time provide solid technical information on how data from millions of BT, Virgin Media and Carphone Warehouse customers will be pumped into a new advertising system. It will not be "injecting" anything into your internet connection, as some commenters on our previous …
Hard to see how it's not Interception
It's Interception, per RIPA.
There are immense data protection issues.
Anyone whose computer is taken in a police raid is subject to having the cookie in their browser correlated with the cookie in the Phorm cache.
There's also a copyright issue: if they're taking responses, any website for which I pay is having its content stolen by a third party. And if I'm paying for content, and it's modified in flight, who's liable?
BT (and the other Phorm clients) appear to be planning to commit commercial suicide. They are going to so haemorrhage accounts when this news spreads. I struggle to find an example of a more misjudged business decision, based on contempt of their own customers ... maybe when Alta Vista decided to become a portal? Or SCO decided to sue their customers?
I feel like a spammer for saying this AGAIN, but I'm dropping Virgin. I'm also using Tor (anonymous IP traffic through proxy and randomised encrypted tunnels) until it happens.
Shameless linkwhoring? You bet! http://www.torproject.org http://www.badphorm.co.uk
Won't this slow down all requests?
By hijacking all requests, won't this slow down the users' browsing? OK, not by much per click, but what happens when Phorm's servers get overloaded and slow? Will they intercept multiple attempts? What if this F5 thing goes down? Will the users be left without Internet access?
Or, in other words, is this not just another weak point waiting to cause misery to the user?
Data protection act
I still can't see how they can get round the Data Protection Act. I can't see how they can argue that your browser profile isn't personal data: it's now considered that your IP address can be considered as potentially identifying, and even if this isn't the case, data contained within the HTML pages or POST data certainly will contain identifiable data. At least some of that data will be "sensitive personal data" (if a user visits lots of gay porn sites, particular religious websites, or logs into trade union websites, you can get a good guess at most of the following):
"In this Act “sensitive personal data” means personal data consisting of information as to—(a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d)
whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."
Schedule 3 (Sensitive personal data) of the Data Protection Act requires that "1. The data subject has given his explicit consent to the processing of the personal data." There are other permissible justifications, but none of these are relevant.
Based on this, I can't see how they can legally function. Now they are going to argue that their anonymizer removes the personal data and it isn't stored...
however the DPA states:
"“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;"
By this definition, the very act of the "Anonymizer" obtaining the information (being forwarded your web request or web page) and then erasing what they consider the sensitive/personally identifying stuff means they are processing the data and therefore fall under the Data Protection Act. This is particularly the case as, even if they don't have any personally identifiable data yet, they will in all likelihood gain identifiable data in the future:
"“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,"
double the data
It's interesting that it appears they force you to send at least two upstream requests: "Without a response, the browser resubmits its request for the web page you want to visit. It is again rerouted to Phorm".
Why interesting? Well, I don't know about BT or the other one ;) (obviously need to advertise more so we can remember the name without referring to The Reg stories all the time LOL), but Virgin Media have a very strict STM in place during prime time.
What does that mean? Well, Virgin Media count every single bit you upload, including any internal network data, and use that to determine your STM upload limits.
So even if Phorm place their data collecting kit inside the VM internal network behind the UBRs, you're still being forced to send twice as much browser data as you were before, and so reducing your very limited primetime STB allowance, YES.
Sure, you might make the case it's not a lot, but how can you average that amount out? After all, you're already advised not to download or upload your large datasets (streaming, torrents, family videos etc) during STM hours, so you're left with heavy browsing as your main entertainment at these times.
So it's reasonable to assume you're going to do more browsing at these times, yes? And Phorm are helping to reduce your data allowance by forcing twice the browser data to get where you need to get, once it is activated, whether you're opted in or out, it seems.
Great Work Chris Williams
There isn't a chance in the world that a program can work out what is/isn't personal data in a webpage.
I'm so glad the register is highlighting this. It now needs national press/tv coverage though to really put this into the spotlight.
Maybe time for someone at the Register to pass along the good news to a few more media organisations?
I'm sure The Sun or The Daily Mail would be more than happy to condense the complexities of the network architecture down to something more headline-worthy..
"Massive Internet Data Theft"..
"ISP Data Protection Fraud"
Should bring the issue to the attention of a wider audience...
When the news of this breaks
This is really starting to concern me. We keep talking about when the news breaks, but so far it's been on techie sites. There's been no mention of it on BBC (somebody on badphorm.co.uk has mentioned it may be on Watchdog next week), or any other paper other than the Grauniad a fortnight ago.
I've written to a host of people (the BBC, the Telegraph, Watchdog, Bill Thompson, BT, my MP & 2 peers).
So far the only response has been from Lord Lucas (not to be confused with the bloke that disappeared). While receiving a reply from a Lord is quite impressive, it's a bit depressing that it's the only response I got.
Also, BT may be correct: the general public may not give a damn about the privacy issues this raises. One of my housemates didn't think this was a major problem, and thought targeted ads could be good. She only got slightly concerned when I told her about Phorm's past.
Meanwhile, I'm turning this into a personal crusade.
As soon as this is introduced, I'm dropping Virgin Media.
Why on Earth they would think that I would want to allow shady third parties to get hold of my browsing habits, I've no idea.
Oh, and as a VM affiliate, I will no longer be generating customers for them.
Data Protection Act and Money
Shouldn't Phorm have a DPA registration covering what they're doing. Has anyone looked for it?
It must be that the Phorm profiling has to be done in the same data centre as the ISP proxy server would be. And the analysis is going to need some processor power, even if graphics files don't get passed around. From some of the comments about advert revenue that I've heard, is there enough money in the business to pay for the hardware?
So, another way to cripple them...
Wait 6 months, until they've had plenty of time to accrue a veritable assload of data on every subscriber....then get 50% of the ISPs' customer base to send them a £10 cheque and a request for all of the personal data they hold relating to their IP address/tracking cookie/broadband account. They have no choice but to comply, yet I 100% guarantee that they won't have enough resource to do the job within the time allowed under the DPA. Either they quadruple their headcount (thus destroying their margins) and go under, or refuse and end up in a class action suit.
Does this not violate privacy laws in the UK?
Also, it is not transparent: how can it be verified that this company is not storing information that can identify people?
I fail to see how the information collected is all that valuable if anonymized: I think the company's spokes-people and administration are lying.
Give them SOME credit...
"Phorm's Open Internet Exchange (OIX)"
At least they ADMIT that they're being oiks!
Commercial suicide not guaranteed?
Do you think this story will break in a big way into the mainstream press, which is what must happen in order for a substantial number of users to switch (and thus the deal to break)?
Judging by most comments on articles here those of us reading el reg are a group who guard our privacy fiercely and understand technology's impact on the same. What about the man on the Clapham omnibus?
Paris for obvious non-techie, doesn't-give-a-monkey's-about-privacy reasons.
They'd better blasted well not be doing this on every account that goes through BT wholesale. Reg, help me out and clarify that??
I am attempting to leave Virgin right now
Funnily enough, I have been listening to the loud holding music and the repeated "Please continue to hold the line and your call..." message for 25 minutes now. A reflection of people leaving, or merely a tactic to p*ss off people wishing to quit so they hang up and put it off for another time?
I am looking forward to the sales numpty, as I imagine they will not have a clue what I am talking about when I mention Phorm.
I've got some extra bandwidth at home and a spare dual P3 box. I guess I'll go set up a TOR node in honor of you folks on the other side of the pond that just got screwed hard by your ISP.
credit card / etc forms going to get double-posts?
If I've read this correctly, visiting domain.com/page.html will actually result in 2 requests, one from Phorm and one from the real browser.
It also appears that this 'anonymous' request will contain all session-id and other connection specific data.
So, for non-https stuff, are we going to get double requests from these users now?
- I click a link in webmail to delete an IMAP message.. so it's /delete.php?id=1
- Now that item #1 is gone, #2 becomes #1.. but wait.. a second request.. delete the new #1 it says.. so now 2 items are gone.
Obviously there could be hundreds of scenarios, basically anything which performs per-click non-POST non-HTTPS actions, of which over the whole web there are TONS.
Please, please tell me I've missed something and it won't look to the server as the same user requesting the same page twice with all the IDs and session data intact???
BT = Bloody Tossers
another excellent reason to never trust these fools
if anyone is still with them, do yourselves a favour
and dump their phone and broadband so-called service; you will save a few quid and gain a bit of privacy at the same time!
@ Commercial suicide
Chris's earlier item mentioned BT might get +£85M in 2010. That's very roughly annual subscriptions from about a third of a million broadband customers. If Big Media run the story and/or there is litigation or regulation, I can easily see that number leaving BT.
How can customers be sure they have been "opted out" if they request it?
"...responds on behalf of web server"
"...responds on behalf of web server" - I hope this is all just some sophisticated April Fool's joke. Spoofing the server's response and injecting a malicious cookie into the stream - that's a deception practice commonly used with man-in-the-middle attacks.
If that is legal in the UK, they've got a mighty problem there.
Re: Dumping Virgin
"I'm also using Tor (anonymous IP traffic through proxy and randomised encrypted tunnels)"
Yes, Tor is wonderful but it's not a magic bullet. It can slow down your connection and what happens when someone sets up a rogue exit node which sniffs all your traffic:
Question for Phorm CIO
-Why is everybody being opted IN in the first place? Surely I should be the one doing the opting in, it is part and parcel of privacy law and data protection.
Opting out by default is one of the major issues here. Secondly, it's up to mere trust and ISPs' security policies that your opt-out choice has even taken effect; the fear that it slipped through the cracks is always there, as your packets still travel through the filter boxes.
Peace of mind it ain't.
I agree with Aaron, shady indeed, except ISPs are likely to sign up with them simply for more cash, not only to cover original costs. It's sickening.
If I'm ever exposed to something like this, I'll be in court with my ISP and these chancers at Phorm quicker than they can filter my packets. I think the law is clear enough for something as blatant as what they do.
Man-in-the-Middle: Compromising Usernames and Passwords
As well as the unauthorised interception of communications mentioned already, this has considerable implications for those people that use web-sites where HTTP Basic Authentication is used, or indeed, any sites that provide a form-based log-in system that isn't protected by TLS/SSL.
Until now the biggest assumed safeguard was that it is impractical for an attacker to perform a widespread man-in-the-middle attack. If the ISPs and Phorm are allowed to go ahead using ACE or similar technology, then the ISPs are effectively exposing millions of customers to this form of attack. More so bearing in mind the pedigree of Phorm.
Many not-for-profit forums and membership sites don't bother with TLS/SSL because of the relative costs and complexity of implementing HTTPS on their web-host.
As well as the possibility of the log-in username and password being intercepted and exposed, wouldn't that data be considered Personally Identifying Data under the terms of the Data Protection Act?
How does it work?
Suppose you are requesting a page under the gmail.com domain (this would work equally well under facebook, meebo, etc):
1. Browser sends a request for the page under the gmail.com domain
2. Request is intercepted by ACE based on variables such as the port number, user-agent and content-type headers and forwarded to F5
3. F5 performs 3 steps:
(i) it checks for presence of a session cookie. If none exists, it sends the request URL and source IP address to the Anonymizer. The anonymizer is basically a database which stores these items and generates temporary IDs. The temporary ID is returned to F5.
(ii) it sends the request URL which is tagged with the temporary ID to the Profiler.
(iii) it sends the request URL to the webserver.
6. F5 receives the response from the webserver, and does three things:
(i) it sends the response content, tagged with the temporary ID to the profiler
(iii) it passes the modified response back to the browser
8. The browser receives the response and stores the session cookie.
11. The request is intercepted by ACE and forwarded to F5.
12. F5 does a lookup on the anonymizer by supplying the source IP address and referrer URL from the dns.sysip.net request. The referrer URL is the same location requested in step 1.
13. The anonymizer returns the temporary ID.
14. F5 updates the Profiler, replacing the temporary ID from step 13 with the persistent ID from the cookie in step 10.
(a) It is only in step 11 that ACE can tell if you have opted out or not. By this time, both the request URL and the page response have been sent to the Profiler which is apparently located in China.
(b) This setup modifies every single web page whether or not the user has opted in
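To make the ordering point in (a) concrete, here is a toy model of the flow exactly as the comment above describes it. This is an added example, not Phorm's, BT's or any vendor's code; the component names follow the comment, while the data structures, the cookie names and the assumption that opt-out is signalled by a browser cookie are mine.

```python
"""Toy model of the interception flow in the 'How does it work?' comment.

Added example, not Phorm, BT or Cisco/F5 code.  Component names follow the
comment; the data structures, the cookie names and the assumption that opt-out
is signalled by a cookie are assumptions of this model.  The point it shows:
the Profiler has already received both the URL and the page content before
the opt-out check in step 11 can run, whatever the user's choice was.
"""
from dataclasses import dataclass, field


@dataclass
class Profiler:
    """Everything the Profiler receives, in arrival order: (id, url, content)."""
    log: list = field(default_factory=list)

    def record(self, ident, url, content=None):
        self.log.append((ident, url, content))

    def relabel(self, temp_id, persistent_id):
        # step 14: the temporary ID is replaced by the persistent cookie ID
        self.log = [(persistent_id if i == temp_id else i, u, c)
                    for i, u, c in self.log]


@dataclass
class Anonymizer:
    """Maps (source IP, URL) to a temporary ID, as described in step 3(i)."""
    table: dict = field(default_factory=dict)

    def temp_id_for(self, src_ip, url):
        key = (src_ip, url)
        if key not in self.table:
            self.table[key] = f"tmp-{len(self.table) + 1}"  # constructed ID format
        return self.table[key]


def simulate(opted_out, src_ip="192.0.2.10", url="http://mail.example/inbox",
             page="<html>inbox contents</html>", persistent_id="uid-42"):
    """Run one page view through the described flow and report what the
    Profiler ended up holding.  All inputs are constructed sample values."""
    profiler, anonymizer = Profiler(), Anonymizer()
    # opt-out modelled as a cookie the browser already carries (assumption)
    browser_cookies = {"optout": "1"} if opted_out else {}

    # steps 1-3: the first request carries no session cookie, so F5 asks the
    # Anonymizer for a temporary ID and sends the tagged URL to the Profiler
    temp_id = anonymizer.temp_id_for(src_ip, url)
    profiler.record(temp_id, url)

    # steps 3(iii) and 6(i): the web server answers and a copy of the page
    # body, tagged with the temporary ID, goes to the Profiler
    profiler.record(temp_id, url, page)

    # steps 6(iii) and 8: the browser gets the modified response and stores
    # the session cookie; nothing so far has consulted the opt-out state
    browser_cookies["session"] = temp_id
    entries_before_check = len(profiler.log)

    # steps 11-14: the follow-up dns.sysip.net request carries the referrer
    # (the URL from step 1) and the persistent cookie; this is the first
    # point at which ACE can see the opt-out choice
    referrer = url
    if browser_cookies.get("optout") != "1":
        looked_up = anonymizer.temp_id_for(src_ip, referrer)  # steps 12-13
        profiler.relabel(looked_up, persistent_id)            # step 14

    return {
        "entries_before_optout_check": entries_before_check,
        "profiler_log": list(profiler.log),
    }


def profiler_holds_page_content(result):
    """True if any Profiler entry contains a copy of the page body."""
    return any(content is not None for _, _, content in result["profiler_log"])


if __name__ == "__main__":
    for choice in (True, False):
        r = simulate(opted_out=choice)
        print(f"opted_out={choice}: {r['entries_before_optout_check']} entries "
              f"reached the Profiler before the opt-out check; log={r['profiler_log']}")
```

Whether or not the user has opted out, the log still holds the URL and the page body under the temporary ID; opting out only prevents the relabelling to the persistent ID in step 14.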
The commercial world's battle to insinuate itself into our every digital transaction continues apace.
I've already paid BT handsomely for my connection to the Internet, thank you. Will *definitely* be saying hasta la vista to them if/when they introduce this.
I feel I should write a letter to BT customer service (perhaps sending a copy to their legal department) demanding to know in unequivocal terms (i.e. not encoded using UTF-marketing-b***ocks) whether or not they have handed over any of my data to Phorm or to any other third party without my knowledge or permission.
Aaron Crane, would you care to share your provider's name? (You might want to provide some "affiliate" details, if you have any, for I suspect you'll be drumming up a significant amount of new business for them).
For all BT's faults (no pun), I never expected them to exploit their customers in this way. As for Phorm, it's going to be a case of "talk to the Adblock Plus".
Oh, and another thing, what's the difference between flogging "anonymized" HTTP data and "anonymized" voice data? That is, how long before the latter is also contemplated (or admitted to)?
And finally.. would be very interested to hear the opinion of anyone with legal training comment on the data protection points raised by The Mole in his/her comment above.
Permission to export data
"(a) It is only in step 11 that ACE can tell if you have opted out or not. By this time, both the request URL and the page response have been sent to the Profiler which is apparently located in China."
Doesn't permission have to be obtained to send personal info to a foreign country?
Q: If they use a cookie for opt-out, how does this work if I switch PC?
If I opt out of this service, I demand that it stick to my account, even if I have more than one PC, or clear my browser cookies, or get a new PC, etc.
How will they handle this? I will not permit someone to track my internet history.
The Cisco ACE doesn't seem to have any subscriber awareness, so how would it remember that I am opted out? Does this mean BT is going with the 'send it all the way to the anonymiser' method? This means I have all the extra latency and chance for failure even having opted out?
What about non-HTML traffic like Windows Update or YouTube video? Are all my large file transfers over HTTP going to this device?
I wonder if Virgin Media's cock-up a few months back, when a lot of us were left without internet access for about a day, has anything to do with this. Before the blackout I used to get 4 or 5 items of spam in my inbox per day; it now averages about 150.
oh no I have become a conspiracy theorist!
@ Re: Dumping Virgin - By Nick
"Tor is wonderful but it's not a magic bullet. It can slow down your connection and what happens when someone sets up a rogue exit node which sniffs all your traffic"
As things get progressively more evil on this interweb thingy, perfection cannot be achieved. Each of us will have to decide for ourselves what is the least worst option that suits our own circumstances. What was the quote from the CEO at Sun? Something like "Privacy is dead, get over it"?
What if you're using it for work, and the work's for one of Phorm's Competitors?
J. H. C.
So not content with stealing all my web traffic, they're also going to *mangle* the web page in some sort of unpredictable way ?!?
I am so glad my ISP, Zen, have done the decent thing and promised to have nothing to do with them.
Children's charity has safety concern
I run a children's charity and when away from the office I and my staff and volunteers often reply to children's emails using a webmail account. We have a large number of BT accounts which we all use at home and in the office.
Is it possible that this system will allow BT to see our webmail pages, including the email addresses of vulnerable children, their names and other highly confidential data?
I have taken this up with the Information Commissioner because it would be highly unacceptable for a charity to divulge any information at all on data protection grounds and allowing total strangers access to children's details would get us into an enormous amount of trouble.
Apart from anything else, everyone who works with children has to be CRB checked and if these web pages could be seen by anyone, or stored where strangers had access to them, it would make a nonsense of the safeguards put in place to protect young people.
I'd be interested in BT and Phorm's response on this one.
Phorm UK Ltd is registered with the ICO. The address given is 222 Regent Street London W1B 5TR, which appears to be an accommodation address...
I won't bother pasting the whole entry, you can look it up at http://www.ico.gov.uk/ESDWebPages/search.asp
but the crucial part appears to be Purpose 2, "Advertising Marketing & Public Relations For Others" which, among the list of data subjects includes "END USERS". Whatever that means....
That's f**ing scary
Even if they are recording the URLs visited, why exactly would they need a copy of the return page? (With the cookie matched to the page).
If it was a public page they could simply visit the URL themselves, if it's not a public page then they have no business accessing that page data.
That's deeply troubling; I can't believe OFCOM and the data protection registrar haven't stepped in already. Let alone the police.
Interception and RIPA
If this statement:
"The website reruns the content you want, which is again intercepted by the ACE. A copy of the page contents is sent to the Profiler,"
is correct then that would be interception under RIPA, irrespective of whether "you" can be identified or not.
Interception is defined in RIPA as "making any of the contents of a communication available to a person other than the sender or recipient".
Afaict it would also be a criminal offense in this case, as none of the lawful interception exemptions in RIPA would apply.
In general, under RIPA ISPs are allowed to look at as much of the traffic data (URLs etc) as they need to in order to deliver the message, without this looking being interception; and they are also allowed to look at as much of the content as is necessary in order to provide their message-passing service.
Think of the Post Office - the first looking is like reading the address, the second is like opening an undeliverable letter in order to find where to send it. The Post Office can open a letter under these circumstances, but not for most other reasons.
The situation regarding ISPs is very similar. The latter kind of looking is interception, but not all interception is illegal, and it could be lawful interception if it's necessary in order to protect or perform their message-passing service - for instance it's how virus scanning and perhaps spam filtering are allowable, though spam filtering is a bit problematic - your computer is considered to be part of the network as far as virus scanning goes, so looking at content in order to protect it against viruses is okay, and there is an argument that spam filtering is necessary as email services would not be possible without spam filtering.
BT and Phorm are persons btw, in the meaning of the Act, and it would still be interception if BT made content available to itself for processing. It doesn't matter whether the looking is done by machine or by hand, whether BT or Phorm does it, or whether they do any anonymising, it would still be interception and illegal as it is not necessary in order to provide the message-passing service.
There are several other steps in the process described which might also be interception, but it's hard to tell from the limited information available - for instance, when the URLs are sent, how much of the URL is sent? Anything after the third slash (the one after the domain name) is considered content, not traffic data, and making content available to another person would be interception, and illegal interception to boot.
I'm not well up in them, but the process described also appears to involve many breaches of the Computer Misuse and the Data Protection Acts.
Re: "...responds on behalf of web server"
It appears unfortunately that impersonation is only illegal if it’s done to commit a criminal offence. For domain names that contain registered trademarks, it may constitute ‘passing off’. I’m also left wondering if, under certain circumstances, it could fall under ‘fraud by false representation’ as defined by the new Fraud Act.
Maybe I'm just too cynical
But at what point do we, as consumers, get so angry at the suck holes who are essentially collecting intelligence and are perpetrating counterintelligence on us, in order to either sell us more "blue pills", tv's, crap cellular services or what-have-you?
If I were even remotely in any of the products some of these idiots are hawking, through email, TV adverts, postal or on a website, don't you think I'd act on them?
Also, the type of data they're conducting "legally" is the same as obtaining ones telephone records AND listening into the conversations. This shit has to stop.
T's & C's
Ummmm Guys - Data Protection Act? It has no bearing!
They will issue new Ts and Cs which people will have to accept or leave, and let's face it how many will leave? It will be take it or leave it.
How many times have companies that we pay our money to do that to suit their own ends? Banks, Credit Card companies, BT etc
I, too, will be taking this on as a personal crusade. I have written to my ISP (Virgin Media) via recorded delivery to clarify exactly what their stance is. I have also started to bug Channel 4 News and Private Eye (see post on another related article) to get at least one of them to pick up on this and get it out into the mainstream.
Breaking the Phorm process
Ref How Does It Work. So there is a response from dns.sysip.net. If that address is placed in the hosts file pointing to 127.0.0.1 or similar, does the Phorm system fail, or does the browsing fail? Is their material inserted into the page sent to my browser, or just links to appropriate ads as specified by the page owner? How about rejecting cookies from oix.net?
Protecting my browsing from Phorm is good, poisoning their system with useless data is better. Any simple way to do that?
Can the browser show which ads are inserted by this so I can ensure I do not accidentally buy that product or service? Or does my hosts file need to be expanded some more?
What really scares me
In the architectural diagram, the customer end is labelled "BT Wholesale Access Network". Does this, by any chance, mean that any customer of an IPStream, DataStream or IPStream max reseller, who has no contractual relationship with BT beyond provision of telephone line, will have their data passed on to Phorm?
Totally unacceptable if this is the case.
Passed this story to the BBC
I have just passed the link to this news item to the BBC News website with a request they feature it - hopefully it will get wider coverage and shame BT etc to rethink their strategy.
Oh, and the good news is that my ISP (Zen) have no intention of taking part in this unsavoury practice - so if you are looking for a good ISP look no further than Zen.
@AC How does it work?
Spot on mate (sound of pennies dropping) that is exactly what happens
All my data went to Phorm....
so where's my lousy T-shirt? (hint hint, Cash and Carrion guys)
Be more concerned about the "passive taps"
Those passive taps documented there are basically optical taps that divert a percentage of the optical signal off gigabit ethernet (or other optical) medium for the purpose of monitoring traffic. Companies like NetOptics make nice units that sit in-line of an optical data path, and can split the signal up to 5 ways, meaning it can produce up to 5 full copies of every frame sent on their network to every state, government, and various other litigious sources you'd really rather not have your traffic. This is typically how most carriers monitor their network, but also how large ISPs like ATT silently divert all your traffic to Carnivore-type sniffer boxes so GWB and buddies can sell you out to whoever funds their campaigns.
Seriously, this whole "anonymizer" thing is the weak point. Even if it's legit, it doesn't have to stay that way. In just the last year, how many anonymizing services have been "officially" compromised by some form of local law enforcement, without telling the community of users until some time later? I can recall at least two. They started out completely anonymous, and then later became un-anonymous.
This system is worse than that, because it collects a profile of your surfing habits. Sure, it starts out anonymous, but who says it's going to stay that way?
a) Law enforcement can step in at any time, demanding "add this identifying information". Or, they can simply add a separate identifying database. Trivial. If you're paranoid, assume this demand comes with a gag order of some sort.
b) But even if they don't want to do that, what's to stop somebody (anybody, not just the law, who really I'm not that worried about) from fishing through the profiles, and then locating the identifying information after the fact? The *next time* you use your browser, you're identified.
c) Yes, I said *you*. Now don't you regret that google search for "hacking tutorial"?
And I wonder what happens if your browser doesn't support cookies?
So, will wget no longer work? If the client ignores cookie set requests, it sounds to me like the system loops at stage 1, where it eats the request and feeds you a cookie.
And what about web services?
As bad as Verisign's DNS failure hijack.