A leading expert on computer surveillance has raised serious doubts over the legality of deals by BT, Virgin Media and Carphone Warehouse to sell their customers' web browsing data to Phorm, a new online advertising company. Professor Peter Sommer, the author of the groundbreaking 1980s book The Hacker's Handbook and a frequent …
The benefits of Webwise
Are there any? To me?
If people want an agency, with which they have no commercial or contractual agreement, to see what they are viewing and data mine their "interests" then let them have the right to opt-in.
Everyone else should be locked out (not opted out) from the service - meaning no data is passed and that their page requests are just processed directly without delay.
Let's say that BT & VM press ahead and enable the evil device - it may be over a year before it gets proven to be breaking laws, by which time the operators will have mined enough information on people to go on a big pushed advertising spree at best, or sell it on to others for linking to bank account details.
How long before the spies of the US get their hands on the mined data and claim all the info (about my money movements around the UK for example) is theirs? (Oh and BTW Phorm please don’t delete the info just send it over to this US IP address).
BT shareholders had better sell up now before the value of their company slumps against a background of lost customers and law suits.
I imagine that the Government (who would doubtless benefit from a tap into this data stream) would simply change the law to suit themselves, as happens every time HMRC lose a court case.
Who else guessed that it would boil down to the marketing department with their seemingly blank cheques and limitless unaccountability getting the jump on legal, security and compliance?
Happens everywhere whilst the security staff are left to clean up the mess, now where's my clue stick?
Difficult Call - Contradictory RIPA
1.3.1 Lawful interception without an interception warrant
(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both—
(a) a communication sent by a person who has consented to the interception; and
(b) a communication the intended recipient of which has so consented
Basically - YOU HAVE TO GIVE PERMISSION OR IMPLIED PERMISSION - Think "this call will be recorded for training or other purposes" message when you call a call centre.
1.3.3 Lawful interception without an interception warrant
(3) Conduct consisting in the interception of a communication is authorised by this section if—
(a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and
(b) it takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services.
Initially you have to consent to the operation, unless the operation is "for purposes connected with the provision or operation of that service".
This ALLOWS BT to record your home phone number, the number you have called, and the time of the call. It also allows you to keep a log of incoming IP numbers in relation to "operation of that service ".
However, even if the Data Pimping is decided by a court to be not within the provision & operation of the service, people can still probably get out by :-
1.1.6 Unlawful interception
The circumstances in which a person makes an interception of a communication in the course of its transmission by means of a private telecommunication system are such that his conduct is excluded from criminal liability under subsection (2) if—
(a) he is a person with a right to control the operation or the use of the system; or
(b) he has the express or implied consent of such a person to make the interception.
Basically "IT'S OUR SYSTEM, WE WILL DO WHAT WE WANT WITH IT". Depends how BT want to throw the wording of public vs private telecoms system.
I personally think they are on dodgy ground.
"Most customers like this" - really?
Oh really? I would invite BT to share their questionnaire method with us because I have a hard time believing this statement (I also dislike the "most" because that's conveniently vague).
To me it smacks more of the Ken Livingstone method of surveying (don't ask - just take it from me that "tuning a survey" is a polite way of describing it), so before I believe any statement of the parties standing to benefit from this breach of privacy I'd like to see hard facts.
And yes, this is the one positive side of RIPA - this is principally an intercept because it results in personally identifiable data acquisition, and thus verboten.
What about the data being sent by websites to the customer?
One thing however that isn't mentioned in the article is that data is being sent both ways. Whilst the ISP might have permission of the customer to look at their data, do they have the permission of the website sending them the data too? Once they have the data, do they have the permission to store it from the website that owns the data, or are they going to modify that data, violate the copyright etc?
I can't see them getting away with this for long before the whole thing collapses in lawsuits and the sharks start to circle as the banks are now discovering.
Profile built up on your computer and not Phorm's?
Where? How do I delete it? Can I edit my father in law's to make it look like he's interested in goat porn?
Like getting Hotbar from your ISP
Sounds just like crap like Hotbar and Cool cursor where they give you some useless "feature" like anti-phishing warnings in exchange for spying and crap ads. Only this time they don't need to use drive-by-downloads to get it installed on people's computers, they are getting the users' own ISP to do it for them.
Who makes sure that...
Once I have turned the service off, that it actually IS and remains off, and that none of my browser traffic is being intercepted surreptitiously? Because unfortunately I simply don't believe a word these fuckers say anymore.
Maybe it's just me, but I believe that there is no-one, except an infestation of marketing types, who believes that the online experience is enhanced by increased advertising.
BT, Virgin et al will dig themselves into a hole over this.
No link, again...
So here is the link to the FAQ... http://www.webwise.com/how-it-works/faq.html
I find this Q particularly interesting: I delete my cookies regularly, and I want to keep Webwise switched off. How do I do that?
If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add [OIX.net] to the Blocked Cookies settings in your browser.
P.S. El reg, I do love you so, but please learn to link within your articles it's what HTML was designed for... ;) :P
re: Difficult Call
1.3.1(a)&(b) would seem to suggest that you would need permission from both ends, so even if I opted in to this system, the website I was browsing would also need to opt in to having its communications intercepted before it was permissible.
gothicform is right
I host a website and any adverts I choose to serve from my website should be left alone: the site depends on them!
This idea sounds like it will rip out the ads the website owner provides - which possibly help fund a free site's existence - and replace them with 'targeted' ads for something else.
It'll kill thousands of small sites when they lose their advertisers, not to mention the problem of a teenager's pr0n-browsing-habits generating dodgy ads on, say, a five year old's view of a Disney page...
Imagine ITV's views on this kind of thing if, for example, a Freeview decoder replaced the ads they broadcast with something else. I'm looking forward to the first court case!
Does this mean free pr0n ?
So I can hide my browsing history from the missus, but Virgin may be free to sell this information on ? Disgrace !
I wonder how this stuff gets pushed back though ? I pay the bill, but four very different people use the connection (a man, a woman, a boy and a girl), for different things (tech, pr0n, tech pr0n; shopping; pokemon, pointless sites; kids tv flash games).
Our survey says...bye bye to BT???
"Detailed customer research by BT has shown that once customers are aware of the benefits of Webwise, they are overwhelmingly in favour of the free security features and more relevant advertising during web browsing," it told The Register last week.
Are these the same customers who click on every "You have Spyware, download this FREE anti-virus, anti-spyware, and anti-spam software now" link they come across?
The same software that then shafts your computer right royally and then takes ages for someone with enough brains not to click on said link to remove?
If only I'd been asked my opinion, I'd have told them where to stick the entire thing...
The law on unintended consequences
Anyone prepared to run the book on how long it is before other organisations/individuals/hackers are reading your preferences off your Phorm cookie?
remove the right to Export your data
"Virgin Media told us today: "Virgin Media is still some way from deploying Webwise. We will roll-out the system once we are completely satisfied that our implementation meets all applicable privacy guidelines _and complies with all data protection requirements._"
Potential violation of RIPA through an unlawful interception is a separate issue to requirements under the Data Protection Act, however."
If there are any DPA personnel/UK experts reading, perhaps you might comment on this point please.
If you send a Data Protection Act notice to the ISP stating "under the DPA act bla bla, I remove the right to export my personal data",
does this have the desired effect of stopping any and all data processing of the DPA-covered data outside the UK by 3rd parties they want to sell my property to, and indeed anything else outside the basic supply and billing of the broadband?
Plus the added benefit of putting the ISP at odds with exporting the data to their offshore customer care department, of course.
Also, can anyone clarify the EU rules as regards your ISP-supplied IP address as personal data, as this is also relevant, as is the EU opt-in advertising.
It would be good to have all these matters written up and clarified in one place so as to help clear the air and misunderstanding.
Not least from the many ISP personnel that don't know or consider the DPA important or relevant to their actions and the advice they and their line managers etc give.
Thanks for your email to Virgin Media.
BT, Virgin Media and Talk Talk argue that Phorm's anonymising techniques will achieve this feat. When discussing Webwise, the consumer brand for Phorm's advertising targeting system, the existing partners all place heavy emphasis on its widely-available and standard anti-phishing features.
Here is the link for it http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/
I hope the above answers your query, however, should you need further assistance, please don't hesitate to contact us again.
Virgin Media Technical Support Centre"
The original question was "How do I opt out of this?" and, yes, the muppet did leave in the (Your Name) part instead of putting his own in. I particularly enjoyed pointing out that the article they linked to has a stream of comments complaining about this idea and the 2nd of which was mine.
" We do not use this information to:
* identify individuals visiting our website; or
* analyse your visits to any other websites (except that we do track you if you go to websites carrying our banner, but we do not identify personal details while we do this); or
* track any Internet searches which you may make while on our website."
So I for one will be leaving for another ISP, citing breach of contract.
As for this "detailed customer research", bollocks. They haven't asked me, although I /am/ in the process of giving them my unsolicited opinion. I somehow can't imagine any group of people answering an honest question, such as "Do you think it's OK if we monitor all your online activities so that we can then embed intrusive advertising and send you spam from our partners", with anything other than a resounding "FOAD".
In keeping with the way these things are done, I suspect it was a focus group asked something like "Is it OK if we use the data that we already have access to anyway, completely anonymously of course, to erm, give you some free chocolate ?"
Would this be a work around
would this counter phorm?
Setting up a EC2 Machine or similar http://www.amazon.com/gp/browse.html?node=201590011
Then encrypting all my web traffic via ssh and redirecting it to the EC2 machine to serve all my requests?
Alternatively setup a machine in Sweden then create a vpn session to it and then use that machine for all my web traffic?
As it's all encrypted then I doubt they would know what's happening, they would see a very long stream of encrypted traffic. Not sure, someone who is more knowledgeable would need to comment on it.
I don't trust the webwise opt out, granted you wouldn't see the adverts but what's to say that your data is being sent to the anonymiser and then onto china?
1.) Surprising how many people suspect [UK] government surveillance spooks have a hand in this. I reckon if anything it will be foreign intelligence of some kind, possibly even commercial. Think of all the confidential business going on unencrypted as people bounce emails to home etc etc.
2.) RE: Contradictory RIPA - the get-out clauses only seem to apply to the service provider and it is seemingly implied that there needs to be an element of necessity of interception in order to route the communication, i.e. NOT when they're passing information to a third party. Also I'm guessing the rationale behind the get-out clauses is to allow transparent caching?
GREAT WORK El-Reg - keep it up! Channel 4 News have this story and I can't see it being a case of any publicity is good publicity in this case anyway...
Do These people not read the news or something?
From memory of recent articles:
Google is falling foul of EU privacy laws and is facing sanction unless they take action for recording browsing habits by IP which can be traced back to a person.
Facebook faced a massive revolt and an eventual climbdown over their tracking systems
It's all just a bad idea, won't fly with the regulators, won't please the customers, won't work. I use admuncher to strip out adverts, so I won't benefit from it. I also use CC cleaner to wipe cookies I don't explicitly want / need.
If the marketing men and women want to earn more £ for breaching my privacy they can just sod off unless they are offering me some £, and even then I don't think my goat pr0n habits are for sale. It's my privacy, it's not for sale and I expect the powers that be to stamp on folk who disagree, especially dodgy spyware companies.
ISPs, you have been warned! Someone set up a Downing Street petition please!
Ummm, do I understand this right?
So Phorm's machines proxy the request for you or they are just inserted in the BT route for the data path?
If the former then as an ISP you can simply stick a simple Apache style redirect into your HTTPD config for Phorm IPs informing the customer their browsing may be being intercepted.
Presumably they exempt HTTPS traffic as well??
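The redirect idea in the comment above, as an added example that is not code from the original page, from Phorm or from any ISP. It is a WSGI middleware that sends any client arriving from a listed address range to a notice page, the equivalent of the Apache rewrite the comment suggests. The range 192.0.2.0/24 and the path /intercepted.html are hypothetical placeholders. It only helps in the case the comment calls "the former": an interception box that forwards requests with its own source address. A transparent in-line device leaves the client's address untouched, and then the origin server cannot tell.

```python
import ipaddress

# Hypothetical placeholder: the address range an interception proxy would
# forward requests from (RFC 5737 documentation space, not a real proxy).
PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
NOTICE_PATH = "/intercepted.html"
NOTICE_BODY = b"Warning: your request reached this site via an interception proxy.\n"


def from_proxy(remote_addr):
    """True if remote_addr falls inside one of PROXY_RANGES."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:          # malformed or missing REMOTE_ADDR
        return False
    return any(ip in net for net in PROXY_RANGES)


def intercept_notice(app):
    """WSGI middleware: proxied clients get a 302 to the notice page.
    The notice page itself is passed through, so the redirect cannot loop."""
    def wrapped(environ, start_response):
        addr = environ.get("REMOTE_ADDR", "")
        path = environ.get("PATH_INFO", "/")
        if from_proxy(addr) and path != NOTICE_PATH:
            start_response("302 Found", [("Location", NOTICE_PATH),
                                         ("Content-Type", "text/plain")])
            return [NOTICE_BODY]
        return app(environ, start_response)
    return wrapped


def site(environ, start_response):
    """Stand-in for the real site (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    if environ.get("PATH_INFO") == NOTICE_PATH:
        return [NOTICE_BODY]
    return [b"normal page\n"]


def call(app, remote_addr, path="/"):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REMOTE_ADDR": remote_addr, "PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = intercept_notice(site)
    print(call(app, "203.0.113.7"))              # direct client: 200
    print(call(app, "192.0.2.10"))               # from the proxy range: 302
    print(call(app, "192.0.2.10", NOTICE_PATH))  # the notice page itself: 200
    # Real deployment: wsgiref.simple_server.make_server("", 8000, app).serve_forever()
```

The check is on REMOTE_ADDR only; an X-Forwarded-For header is client-controlled and would not be worth trusting here. Populate PROXY_RANGES from whatever the ISP actually publishes about the device, not from guesswork.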
I don't really mind...
receiving junk eMails or, indeed, telephone cold calls selling double glazing. I'd rather not but it happens.
I do, however, really mind more than ever such a little tiny bit any website setting out to capture my browsing habits with a view to using them to "condition" my "internet experience". I get very pissed off when they then start to make a profit out of said data by selling it on to potentially unscrupulous 3rd parties or government agencies in a possibly illegal manner.
I know it isn't April 1st and I assume that this isn't a joke?
I can see multiple identities being required here..... but ooops, that's not allowed for law abiding citizens. So, if I try to evade I'm performing an illegal act myself???
re: Downing Street petition
"ISP's you have been warned! Some set up a Downing street petition please!"
There is one, it's here: http://petitions.pm.gov.uk/ispphorm/
for telephone cold calls, you can (in theory) opt out by subscribing to the telephone preference service ( http://www.tpsonline.org.uk/tps/ ).
Perhaps we need a similar service to opt out of Phorm-supplied ads...
Nothing much to worry about
So they're just storing info about you in a cookie on your PC and nowhere else - sounds much less worrying than was first thought then. Because Phorm aren't storing any data then data protection is a non issue.
Blocking cookies from oix.com would effectively turn off this functionality - no need for an opt out.
No, as has been said countless times (and in this article) the Phorm ads will only appear on websites which have signed up to the Phorm service.
The more people....
Tell your friends, tell your family, tell the people at work and the man on the bus (ok maybe not him, he looks a bit weird). I work in Data Protection and Freedom of Information and this story gives me the willies! How dare they.
I'm no expert on RIPA but I'd have to say that even under plain old DPA 1998 they're on highly dubious ground. 'Excessive use' anybody? Transfer outside the EEA possibly? What we have to remember is that the people that we really need to communicate this message to won't be able to set up intricate workarounds, aren't interested in the whys and wherefores. Keep it simple - EVERY WEBSITE YOU VISIT ONLINE IS INTERCEPTED AND TRACKED BY BT AND PHORM.
You people have such touching faith in the mass of users out there.
Most people on BT broadband will see the email, go "huh?" and forget it. Really. There will be no mass migration, no outrage, no shareholder revolt. Why would most people bother, even if they had any clue what was going on (which they won't because the comforting words from their ISP won't tell them).
Just popping by to say that I'm dropping Virgin again :)
Thanks for the RIPA and DPA info; I'll be sure to include that in the letter!
"Where? How do I delete it? Can I edit my father in law's to make it look like he's interested in goat porn?"
More to the point, how can I edit my settings to make it look like I am NOT interested in goat porn?
Detailed customer research by BT
Does anyone ever see these types of research? Why do journalists never seem to ask to see them as proof?
But what about the Children?
No-one seems to be willing to answer the question about what happens when more than one person is sharing an internet connection?
I don't have kids using my internet connection but I know several people who have.. so, for the sake of argument, let's pretend I have.
How will phorm ensure that adverts based on MY browsing habits aren't delivered to my kids, and to turn it round ensure that I don't get bombarded for adverts based on my kids browsing habits?
Agreed, which is why I've been telling everyone I know. And everyone (except for a housemate) was appalled.
I've spent a decent amount of time writing to various places to try getting an article in a website for the masses. The problem is that most media outlets don't appear to give a shit.
This is another example of the the media deciding what we should know and care about. At least people in China,North Korea, etc know they can't make a difference. We are taught from the word go that we can choose how the country is run. This is just another prime example of how this is bullshit.
I can't think of an end to the mischief that this opens the door to. I can't think of a way of defeating it technically except by encrypting everything sent over HTTP.
I hope that's only because I'm not an expert on the intertubes.
My boyfriend is actually a deputy editor at a national broadsheet. I've been hopping about this since it broke on Feb 14 and he keeps telling me it's a.) difficult to explain the more alarmist elements without getting into detailed technical arguments that will lose the readers and b.) difficult to research without a real tech-focussed reporter and c.) not really target audience. Obviously they will report it if/when any action is announced by regulators or someone launches civil legal proceedings.
On another slant - everyone is focussing on data privacy and protection, but there's one technical argument that shouldn't be overlooked. I know of at least one proprietary system that (ab)uses port 80 (HTTP) and html in order to allow remote clients to connect to head office. It uses port 80 and pseudo html so the connection can be routed via most proxies. If the system is broken by spurious unexpected content such as cookies being injected then who's at fault? You could argue the system developers were short sighted but you never expect your data stream to be tampered with, do you?
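The concern in this comment, together with the FAQ advice earlier in the thread to block OIX.net cookies, suggests a check that a client speaking HTTP over port 80 can run itself. The following is an added example, not code from the page, from Phorm or from any ISP: it parses a raw HTTP response and flags Set-Cookie headers whose Domain attribute names a domain the requested host does not belong to, plus any Via header that reveals a proxy hop. Both sample responses are constructed; the cookie name webwise and the host proxy.example are placeholders, and oix.net is the domain named in the FAQ. A browser would refuse a cross-domain cookie like this on its own, but a home-grown client tunnelling over port 80 may not, and a Via header only appears if the intercepting box chooses to add one, so a clean result is not proof of a clean path.

```python
# Constructed sample responses (not captured traffic).
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"Set-Cookie: session=abc123; Path=/; Domain=theregister.co.uk; HttpOnly\r\n"
         b"\r\n<html>page</html>")

TAMPERED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Via: 1.1 proxy.example\r\n"            # placeholder proxy hop
            b"Set-Cookie: session=abc123; Path=/; Domain=theregister.co.uk; HttpOnly\r\n"
            b"Set-Cookie: webwise=optout; Path=/; Domain=.oix.net\r\n"  # placeholder cookie
            b"\r\n<html>page</html>")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).
    Header names are lower-cased; folded multi-line headers are not handled."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_name_and_domain(set_cookie):
    """Return (cookie name, Domain attribute or None) from a Set-Cookie value.
    A leading dot on the domain is dropped, as browsers do."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lstrip(".").lower()
    return name, domain


def domain_covers(host, domain):
    """True if a cookie scoped to `domain` legitimately applies to `host`."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def inspect(requested_host, headers):
    """Flag cookies scoped to a domain the requested host is not part of,
    and any Via header revealing a proxy hop."""
    foreign, hops = [], []
    for name, value in headers:
        if name == "set-cookie":
            cookie, domain = cookie_name_and_domain(value)
            if domain is not None and not domain_covers(requested_host, domain):
                foreign.append((cookie, domain))
        elif name == "via":
            hops.append(value)
    return {"foreign_cookies": foreign, "proxy_hops": hops}


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("tampered", TAMPERED)):
        _, headers, _ = parse_response(raw)
        print(label, inspect("www.theregister.co.uk", headers))
```

Run it against responses captured on the client side of the ISP link; anything in foreign_cookies or proxy_hops is worth a closer look, and an empty result says only that nothing visible was changed.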
@ Pie Man
Your boyfriend's national broadsheet wouldn't happen to be The Grauniad or the FT would it? If so there's a teeny weeny conflict of interest according to the article...
Keep this one going
Thank god this story hasn't been forgotten from last week.
Still no word from the regular media about this, which is shocking, but hopefully the shit will hit the fan this week.
Again, people need arresting for this.
I got a reply to my email, to avoid any legal problems, I wrote this myself.
We have been pushing for Phorm to remove this content for quite some time now. PI does not work for companies, nor do we endorse products. Two of PI's staff members, in a private venture, advised Phorm of the serious risks that their technology raised. We are pushing for Phorm to disclose this risk assessment.
To avoid any conflict of interest, we have notified our Trustees and International Advisory Board of this activity.
The reality is that PI's accounts are so weak that we must often fund ourselves through other ventures.
ISPs won't want to miss out on this money making scheme. All they will do is create a two tier system. If you are OK with ads then you only pay current rates and by paying this rate you opt in. If you want to keep your browsing secret you will have to pay an "enhanced" rate of probably 3 times this. :(
BT's Response (& implied opt-in)
I just opened a ticket to opt out and here is the reply:
Thank you for your e-mail dated 3rd March '08. It has been logged under the reference number BLAH BLAH BLAH. As I understand from you e-mail, you want to opt out of BT Phorm.
I regret to inform we, being the broadband technical helpdesk, do not have the adequate resources to terminate your BT Phorm subscription. Hence, issue needs to be taken care of our dedicated BT Broadband Technical Helpdesk on 0845 600 7030 (open 24 hours / 7 days). They would investigate into the matter and if necessary, they would transfer the call to our Yahoo! Helpdesk.
For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site http://www.bt.com/broadband/help
Thank you for using BT Total Broadband Support
BT Total Broadband Support
Notice the phrase "Your BT Phorm Subscription" I don’t remember subscribing? By the way the incorrect spelling and grammar have been left in place!
Channel 4 site
Yay! and they're even using the correct Registerese - 'data pimping'. Let's make sure that Phorm, BT and 'data pimping' become part of daily conversation:
Now I wonder if they'll run the story on the television news?
Those are fair points that you've made. Point (a) is the one I really have to agree with. It took a bit of effort to explain to my housemate (he's the type that tries to login when "his bank" email him).
I have just found that it's been mentioned on Channel 4's new website:
Regarding the proprietary system you mentioned, not only could they be breaking it (I imagine that inserting cookies into the response could break checksums too), they are eavesdropping on something that is not supposed. (Using their highly dubious logic that our HTTP streams are theirs to snoop)
Webwise my @rse!
This webwise nonsense is a complete joke. Switch to OpenDNS and you get warned about phishing sites for free without OpenDNS having to examine all your data. This Phorm lark is pure evil. I'm a VM customer, does anyone have the great Beardy one's contact details? I think a number of concerned customers complaining to him directly about how his integrity and brand image will be damaged by this might achieve something.
It wouldn't be too difficult to compile a list of companies who utilise the ad brokers/publishers connected to Phorm.
Boycott the lot of 'em.
That Ernst & Young Report
It's just disinformation commissioned in order to muddy the waters.
Accounting firms are like lawyers: they tell the clients what the clients want to hear.
You have been warned.
No... comment! But forgive me, I've been totally rebuked for even mentioning using my partner's name in trying to publicise this. But seriously, so many people on here have mentioned writing to the likes of the BBC, and I myself have written to several news outlets, and the only people running the story (and duly crediting El-Reg) are Channel 4 News:
Spread the word!
Tuning a Survey
On the subject of tuning a survey by "Anonymous Coward",
think back to the last time you completed an employee satisfaction survey for your employer, every company I have ever worked for which conducts those surveys always seems to miss out the fundamental questions. Funny, how those surveys *always* show that the employer is doing a good job, and the employees are nearly entirely happy.
The "opt out" doesn't stop phorm snooping the traffic, and therefore it being exposed to interception.
Would you be happy for all your phone calls to be routed through a single building on the Thames near Vauxhall (coincidentally next to MI6's HQ) if you were told that typing something at the start of the call would stop anyone listening?
The network diagrams that el-reg has shown imply that ALL TRAFFIC goes through the phorm devices - regardless of any opt in/out. Therefore all your opt out does is stop them sending you the ads, it DOESN'T stop them seeing your traffic.
This should cover it
Virgin Media Ltd
PO Box 333
Swansea SA7 9ZJ
I forbid the collection of data concerning the use of my computer and its connections for any purpose whatever beyond that which is necessary for billing or monitoring for technical faults.
In particular I expressly forbid the passing of any of my information to Phorm, (or any like organisation), for any purpose whatever.
This letter may be taken to over-ride any past or future conditions in your End User License Agreement.
Paris because she can cover me any time she likes