BT admits misleading customers over Phorm experiments
BT has admitted that it secretly used customer data to test Phorm's advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects. The national telecoms provider now faces legal action from customers who are angry their web traffic was …
"BT denied any testing and said customers whose DNS requests were being redirected must have a malware problem."
Well duh, of course I have a malware problem. You fuckers are selling me out to the Godfather of spyware.
Mines the one with "I'm with stoopid (Virgin Media)." on the back.
Tim Berners Lee plastered all over the BBC TV, Radio and online saying NO.
Serious legal questions are raised over the Home Office "guidance".
It's all about trusting people with our data, now BT admit to a COVER UP.
Phorm - a company reporting 11.6m operating LOSS last year, with invasive technology of which some have questioned the legality...
END THIS NONSENSE NOW - SIGN THE PETITION - WRITE TO YOUR MP - TELL YOUR FRIENDS AND FAMILY. STOP SPYING AND STEALING OUR DATA...
IT'S NOT YOURS!!
I hate it when people use this term as it is meaningless. "Significant due diligence has been carried out" ... either the "due" amount of diligence has been taken or it hasn't. Obviously in this situation it wasn't otherwise this whole storm of badness would not be happening to BT and Phorm right now.
Seems extremely unlikely that only one exchange of the five thousand or so broadband-enabled exchanges was involved *in any way* the trial, because to do so would require shall we say "unusual" changes to the way BT's broadband systems work.
BT Retail's broadband service is based on BTwholesale's BT CentralPlus product which afaik only BT Retail uses, so other ISPs customers needn't be too concerned yet, apart perhaps from Plusnet customers who have chosen to use BT -based Plusnet's RIN option (and they've been offered a free ticket back to the classic Plusnet network).
Maybe the full data gathering and analysis process was only applied to punters on one exchange? Aiui BT CentralPlus can use the phone number for authentication, rather than the usual username/password stuff, so maybe that was used as a selection criteria... presumably phone numbers aren't classed as personally identifiable in this picture (maybe they lose the last few digits at some stage of the process, that would be perfectly OK, right????)
Phorm still sucks bigtime and it's nice to see BT have been caught out bigtime.
How about asking them to admit that they shape and throttle traffic. That's one myth that BT CS reps are still denying despite overwhelming evidence to the contrary. (That and if you ask for your MAC code they offer to ensure you get your full traffic speeds, but oh not, it's not because they'll un-shape you).
...is a technology not going to be used to make a profit at the expense of those who require that technology?
The internet is meant to be a global network of computers that allows everyone to connect to everyone (within reason, of course). At what point does the very fact that you are connected mean you automatically have to be a source of revenue for your broadband provider? They already get our money each month. If that's not enough, they shouldn't sell access at that price. If they want more money, they most certainly should not be simply taking our data and pimping it to anyone who'll pay for it.
I look forward to the day when the internet is "just there" - ubiquitous, and left alone to help people, not stiff them for every penny they can get.
If I ever find out that they've been sucking down my data, I'll join in the lawsuit against them.
Take them down!
"We have carried out significant due diligence in this area"
Really ? And which part of the due diligence process suggested that it would be a fine idea to illegally intercept and redirect peoples traffic, then tell massive whoppers about it ?
Which part of the process suggested that it would be a great idea to do business with Kent Spunkbubble, a man so sleazy that when you look up the word 'sleazy' in the dictionary it has a picture of his face, and who heads up a company well known for invasion of privacy and is universally loathed by the technical community ?
Which part of the process suggested that it would be a great idea to bet the farm on the novel and untested legal concept of "implied explicit consent" ?
And which part suggested that it would be a really cool idea to fuck things up so badly that you would have to implement your corporate stock buy back policy in order to prop up your share price ?
Clearly, BT have a very unique definition of the word 'diligence' .
"and informed consent from our customers will satisfy the necessary legal requirements."
It's far from clear that this is in fact the case, or that so far, BT are defining 'informed consent' in a way that would be recognised by normal human beings as being reasonable.
I believe that BT have already received several large shipments of Phail. There are plenty more where those came from. Bastards.
I am currently using an unlimited download domestic account with BT with which I am happy as regards speed and reliability . This is a leave at any time deal ( as the contract has run out ) and costs £8 a week.
I am not happy with the idea of PHORM and would wish to leave if it is implemented. Anyone got any alternate ISP recommendations?
Looks like the ISP's are taking some notice, especially about opt out. I got a nice reply last week from BT's MD and the "Director of Value Added Services" who assure me they are reviewing this all the time.
I did put to them the point that has been made on El Reg several times:
If this 'Service' is so compelling then advertise it and allow users to subscribe, only those who subscribe get routed through the profilers and everyone else just gets on with their surfing.
Not had a reply to that one yet, still watching and waiting to see if I need to cancel my new contract with BT
..... for the experts.
Will browsing via TOR, using one of the unholy trinity of ISPs, prevent Phorm from Pharming my Phucking private data?
Equally, will Firefox, with cookies denied, AdBlock Plus and NoScript do the job? I ask because the really clever bits of browser coding are way beyond this surfer.
If the answer to either is yes, then my current broadband provider keeps my business. If not, then they can Phuck Orph.
I wonder what their definition of "one exchange" means, I know for a fact that it can't apply to the common conception of a Telephone Exchange as I have conversed with a few others, all of whom also experienced the "trial" and are at different ends of the compass to me!
STOP THE LIES.
DO NOT WANT.
Opt-out cookies are a sham anyway. Sure it would be trivial for the cookie to be read by the ad server and for it then not to serve ads or, more likely, not targeted ones.
In order for the cookie to be read when the information is gathered something is going to have to be sitting in the middle of all connections, editing the HTML to query the cookie then deciding whether to profile the page. Unless, of course, the ISP and Phorm think it would just be easier to profile everything then sort it out later. Forgive me for not believing that "opting-out" will stop Phorm from seeing my data and IP address.
Nine more days until my new IDNet broadband goes in. Virgin, I'm going to miss you like a hole in the head.
.. led me to believe - yesterday, after a second attempt and several minutes on hold - that Virgin Media had never heard of Phorm and that if they had any intention of subscribing to such a service the Clients (you & me) would be informed and could opt out....
Now, maybe I didn't phrase my question very well or the supervisor contacted was genuinely unaware of the interest generated by Phorm didn't if Virgin Media do sign up and don't give me an opt out I shall be very displeased! They will know about it. Are there any ISPs that have declared they wont pimp client data?
I've forgotten who said it but "the price of freedom is eternal vigilance".
What evidence is there that BT do traffic shaping? Is there a way that the home user (ie me) can find out if his traffic is being shaped?
The more we find out about BT/Phorm, the more it sounds like a dodgy corrupt deal involving slimy businessmen and politicians looking for kickbacks. Why the whole idea has got this far is beyond me, and personally I think BT needs to take some heat for arranging trials secretly and then lying about them.
Personally, I think the consequences for businessmen who engage in fraud or other illegal business activities is not nearly harsh enough. Such crimes need to carry mandatory prison sentences for the decision maker - maybe then businessmen will think twice about selling us down the river, when they have a chance to stay in a free hotel where each room is styled after the Bare Cast Iron look. If what BT did last summer is determined to be a crime, then whoever made the decision to go ahead with it, should spend a few years behind bars.
... is that BT lied. Blatant, deliberate and incidious. Case closed.
Next time they tell you anything at all, remember this day.
http://regmedia.co.uk/2008/02/29/architecture.jpg
If they don't do traffic shaping, what would they need DPI switches for? These are almost certainly unrelated to Phorm/Webwise.
Also guys, don't forget that ORANGE is getting in on the act too, as noted here:
http://www.theregister.co.uk/2008/03/12/mobile_phom/
Now this in the public arena let's get all the b@st*rd$ cashing in on our privacy.
TOR is designed as a privacy tool, not a security tool. People who run TOR gateways are not vetted in any way. To some extent you can trust your ISP, despite Phorm, a lot more than a gateway operator.
Reads the FAQs on TOR and look at this story:
http://www.theregister.co.uk/2007/11/15/tor_hacker_arrest/
This just highlights how important TRUST in your ISP is. STOP LYING, STOP SPYING!
I'm considering renting a Solaris Zone from someone like Sparsezones, or perhaps a similar operation not in the UK for extra safety, and just pointing all my home browsers at an https-ised proxy running remotely. End of problem.
Sorry, Morse. While TOR should indeed offer you a secure way out of BT's network, it's out of the frying pan and into the fire. There are instances of TOR hosts (who could be anyone from freedom-loving geeks to organised criminals, and you won't know who you're using) running even worse snooping than Phorm offers. As in credit-card scamming. So that's not a solution as I see it.
Firefox cookie disabling may, or may not, cause you to opt-out of tracking. But your data gets sent for processing even if they double promise to honestly not keep the outcome of that processing for later. AdBlock Plus means you won't see any adverts from OIX, but a DNS entry will acheieve the same thing, and it's not about viewing the adverts anyway; it's the tracking to gather the info to target them that is the issue here.
In short, you're screwed. Your only choice is who you trust the most to do said screwing in the least painful manner.
Re: Tor
Possibly. Only if the exit point you leave through is not on a spyware infested ISP will that work. Therefore you've still got a chance of being hit. The docs on the TOR website specifically mention exit point monitoring as a "weak spot".
Re: Anything browser related
No. The ad blocking software will stop the targetted ads, they will NOT stop the data hitting the profiler. Because of the network level that this happens at, any traffic leaving over your ISPs connection that is on port 80 (e.g. normal web traffic) can be monitored.
Phorm, who were starting to recover towards the end of last week, are now losing even more money. First trade this morning leaves their share price down by 5.78%.
Keep up the good work. I expect the litigation and hopefully criminal charges against BT under RIPA from the people who were illegally included in the BT trial last summer will hit their share price even more and hopefully BTs share price to boot.
Remember if you have not signed the petition, do so. If you have not signed the facebook groups do so. For information about Phorm and how you can help check out http://denyphorm.blogspot.com/
Hearing Sir Tim's interview on the 8 o'clock news on Radio 4 sure brightened my day this morning. Looking at the article on Beeb's site indicates that he was only talking about the ISP's profiling in the UK and that he is not yet aware of how much profiling is already happening in America and all around the globe.
Any chance of El Reg getting an interview with Sir Tim and finding out his views on the US, Canada, EU, UK, Asia, Australia profiling which is already happening (NebuAd, FrontPorch, Adzilla, etc): mostly with no more notification than a change to the T&Cs on the ISPs' web sites or pop-up T&Cs when using hot-spots via wi-fi.
It is a relief to see that BT are looking to follow the opt-in only option. Oh to be the fly-on-the-wall to know if that is in response to Sir Tim's comment on privacy or the complete failure of getting enough people to accept Webwise during trials (assuming the stories of trials over the last several days are true). Or the threat of legal action?
I do have questions about opt-in though.
Assuming that they 'hard wire' an opt-in IP address to the profiler. The user is happy opted in for some time. Then decides to opt out while viewing same sites - web mail, banking, forum, etc. Once that surfing is finished, some time later visits a site which reminds the user that they are opted out.
Is there a time lag for 'opt-ins' between opting out and the cessation of data passing through the profiler?
If the user decides to stay opted out, will they continue to be bombarded with reminders that they need to opt back in?
Will all sites that have opted out of allowing their content to be harvested by the profiler need to be able to read some header so that they can pop up a display page to warn visitors that they need to opt out before using the site. Will the ISPs be able to agree on how to do this and will they provide the necessary code to all such web sites together with a grant to cover the cost of installing the code on the site. As not all users have javascript available and not all hosts offer php or other scripting languages, how would this 'header sniffing' be enabled?
Will the profilers be able to read and obey a meta tag banning them from parsing the content - again, will the ISPs be offering webmasters a grant for the added cost of installing this code in all their pages?
Life would be so much simpler if the ISPs decided that the profilers are just too much bother and are going to cost much more in maintenance, overheads and legal battles than they are ever likely to earn in ad revenue.
As I understand it, Phorm will be running their own webvertising network. (I shuddered as I typed "webvertising" - Self Flamage) This will set itself up as competion for (say) GoogleAds.
Which foolish businesses will advertise on this network? Which foolish websites will be looking to carry these adverts? As far as I can see anyone signing up for Phorm's services will be throwing their money away as soon as we get proper opt-in.
I believe that under the DPA it is illegal to use live personal data for testing purposes.
They have a case.
Thanks very much, but not what I wanted to read!
Lewis is pretty pissed off as well......
Seems I may not be the only one to think that "due diligence" is a meaningless term, and annoying when quoted as some form of excuse.
Anyway; I wish these companies would stop talking about opt-out. Opt-out is not applicable when referring to spying of what folk are doing. Opt-in is the only possible area for discussion.
You really need to vpn to your squid box to do it properly. There's nothing stopping BT (or whoever) doing protocol based driversions rather than just port 80. E.g. they could detect http running between X and Y on port 3128, and then bounce that to the profiler.
I'd also recommend the VPN so that it doesn't become an open proxy for all of the BT netblock (assuming you're on dynamic IP)
Other than that, been there, done that - and I'm not even on one of the whoring ISPs ;)
recommend a BB supplier who is open / honest / great techincal support (24x7 based in UK) ???
dead easy one that - go to one of the Entanet resellers (bet there are more than a few on here who use them)
I think you can spot them on here:
http://www.dslzoneuk.net/isp_ratings.php
http://www.thinkbroadband.com/isp/compare.html
the resellers offer various different styles of packages, some hosting, some freephone support (not such an issue if they answer as normal after a few rings!)
haven't seen any comments from Steve Lalonde about this Phorm ****k but I can guess . . . :)
wonder how many ISPs would have the b***s to offer this up?: http://noc.enta.net/?page_id=166
yes they do shape (ALT), but they DO explain IN ADVANCE why / when / how so you can decide if it suits you, or not, BEFORE you sign up for a ONE MONTH contract
works for me & many others
FWIW
for ANY ISP that decides to go with this or any similar technology - I foresee non-phorm ISPs using their stance is a high profile advertising campaign once (if) it goes live. I will certainly move to one of them if my current ISP signs up for Phorm (or any similar spyware cum marketing technology)
from the Phorm entry of the ICO DP register - rather shit scary and kinda shoots down some of their claims:
Purpose 2
Advertising Marketing & Public Relations For Others
Purpose Description:
Public relations work and marketing, including host mailings for other organisations and list brokings.
Data subjects are:
Suppliers
Complainants, correspondents and enquirers
Advisers, consultants and other professional experts
COMMERCIAL CUSTOMERS AND CLIENTS
END USERS
Data classes are:
Personal Details
Financial Details
Goods or Services Provided
Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):
Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Business associates and other professional advisers
Other companies in the same group as the data controller
Persons making an enquiry or complaint
Traders in personal data
Transfers:
Worldwide
isn't this a bit of a Phorm in a teacup?
Yes, the one with the knife-holes in the back, ta. No knife-holes? Give it a moment...
Using <insert preferred method here> to avoid the profiler I think misses the point. You shouldn't have to.
To me at least the issue here is that BT and others think it is OK to wire-tap your line.
Who they pass it to, why and how they plan do it is pretty irrelevant.
If this move goes ahead it will be partly because it has been surrounded by mirrors and smoke, mostly of our (the tech community) own making. There is a good chance that people will take up BT's offer of "a safer more relevant internet experience" because they long ago tuned out talk of cookies, TOR and layer 7 packet re-assembly.
All the discussion I've seen so far seems to revolve around subscribers of specific ISPs.
What about other ISPs who merely use BT's pipes?
Will BT be phorm-ing a relationship on behalf of all their subscribers too?
Would BT admit it if they were?
WARNING: visiting the following link enables the Webwise opt-in cookie
http://www.toobadcs.co.uk/phorm/Phorm_opt-in_exploit.htm
Don't forget to delete the webwise.net cookie after you visit the above link.
Um, plain english isn't my thing but here goes I'll assume you know what a source IP, destination IP and protocol is.
Use wireshark to capture the traffic going to and from your PC, then do a) something you think is being shaped, such as FTP, then do b) something that you think isn't being shaped such as HTTP. End the capture and look at the data Wireshark captured specifically packets showing the data coming from the source IP (FTP/HTTP server) to your
Locate a field called "Differentiated Services Field" and look at the value. If the value changes as the protocol changes you're being shaped.
BT have been known as the Bastard Thieves or just plain the Thieves for over 30 years to my knowledge.....
Carphone Warehouse said they would opt me out when I emailed them, so we'll see ...
Didn't realise that phorm were the timewasting bastards who were behind 121 - spent many a happy hour trying to get rid of their viral nonsense from a machine my then 10 year old son was using (no idea how they got past him not being an administrator).
Can I send them a bill? I think they also managed to hijack firefox a while ago by putting in a bogus (and invisible) add on so I had to trash everybody's settings directory to get rid of it.
DEFINITELY send them a bill, and then a summons through the county court for my time. Anyone else want to join in?
I think that BT should be made to send letters to all the users effected by this infingement of their privacy and an offer of compensation.
Bt keep saying it is legal, how do they know? They hope it is legal more like, all the technical so evaluations say it is not legal as implemented in this country. So I would say it has not been proven illegal it has just not been taken through the courts yet. With this admission from BT you can bet it will now, so BT save yourself some data subject access requests and 'fess up'. I think that two weeks should be sufficent notice before we start flloding you with the access requests so 'fess up now or we will make you the April fool
http://www.keconnect.co.uk/index.cfm?page=526
pircy but good
"Man Outraged:Also guys, don't forget that ORANGE is getting in on the act too, as noted here:
http://www.theregister.co.uk/2008/03/12/mobile_phom/
Now this in the public arena let's get all the b@st*rd$ cashing in on our privacy."
well done Man Outraged, its good to see some are still mentioning this.
a question that needs to be asked is: why are the other nesw outlets not even running any related storys regarding the registers Orange mobile pimping of your data?
its clear there are a select few business mens and women right now,looking to massively expand this data pimping commercial Piracy.
and lets not forget, the massive mobile handsets are far more wide spread than even the UK broadband customer base.
dont let this related mobile Phorm like business pass you by, Dont ignore it,make it clear, as with the fixed broadband ISPs, its not acceptable to pimp or pirate your data be it fixed Broadband or mobile narrow/broad band in the near future.
today its Orange mobile and the fixed Broadband providers, tomorrow, almost everyone no matter were you are or what type of connection you pay for.
BTW, has anyone looked into or asked the up and coming UK wireless Wimax companys if they too intend pimping and pirating any of your data?
Aldous Huxley - "Only the vigilant can maintain their liberties".
So unscrupulous websites, receiving a revenue stream from OIX/Webwise/Phorm could just insert a simple modified cookie and then BAM!, you're back in, without consent!
phishing? more like dead in the water!
still not a bad "pump n' dump" I suppose!
So long phorm... So long BT....
and thanks for all the lies.
BT + PHORM = FAIL
DO. NOT. WANT.
care of the BT and cable forum
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-85.html#post34508542
"RavenHeart:From scanning through the BT forum link Sirius posted.
http://beta.bt.com/bta/forums/thread...rt=45&tstart=0
it Seems BadPhorm and Dephormation have been getting a lot of attention from Russia
http://preview.tinyurl.com/3drxqa
Maybe they're looking to protect their own browsing habits"
ISP suggestion:
Demon internet.
The home user branch of THUS PLC. Very reasonable price, they only offer unlimited, a fair Fair use policy (top 3% B/W hogs over a 10 day rolling period will be capped at peak times)
Their parent company THUS does a lot of the banks (HSBC etc.) service provisioning, and they did sky's too once upon a time.
Privacy policy has got clout. Thoroughly recommend them. Call centres seem to be based in britain also, at least the 1 time I had to call them it was a british person.
Nice result and excellent reporting by El Reg as usual.
However, I won't be happy until I see a dawn raid by police on BT and senior executives being dragged into a waiting van under arrest. Oh, and phorm declared bankrupt of course.
I hope when those BT victims launch their court case they'll let us know where we can send a small cheque to help the cause.
Keep up the good work.
How can you class with the government, legally telling them what you are up to and that you are using "financial data" from END USERS then say you aren't using financial data from end users.
Anyone explain that in any other way other than it's all lies? Either to the government or the END USERS.
Any ISP that doesn't sign up to it gets my vote. Just waiting for the final say from BT before I jump ship and look for others
Anyone else notice how the "Phorm Tech Team" no longer posts here? Most likely they realized it was a battle they cant win with PR and gave up.
When PR gives up trying to paint your idea in a favourable light, you know that your idea is immoral at best, and illegal at worst. Lets hope Phorm gets the Epic Fail it deserves - pullouts from BT, Virgin and CPW, and shares that no one would take if they were given away.
Sign up, sign up for The Register's weekly mobile & wireless newsletter - click here
