BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year. BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006. The …
Of course, if improvements can be negative then it's perfectly possible to consider the privacy improvement provided by Phorm. No other (known) ad provider examines your browsing habits in quite the same way. I can choose to block other ad providers by barring their cookies and filtering out their URLs, whereas with Phorm that only stops me seeing the results of their snooping, at least according to the public information on how they do it.
The biggest April phool around here is Phorm!!
The sooner that crock of retarded Spyware merchants gets off our internets the better - I think right now Comcast seem to be a nicer ISP than BT
Phorm = Phail
Now that's a novel use of an illegal law re RIPA
Revolving doors. Need a revolver.
Nice one again El Reg.
"At the time of this newly-revealed first trial, Stratis Scleparis was the chief technology officer of BT Retail. He hopped across to occupy the same position at Phorm in January 2007. BT has not addressed our question over whether it is comfortable with the role Scleparis has played in the deal."
That accounts for a lot, though it doesn't make matters any better on either side, arguably it makes them worse.
Major employers typically have a corporate policy on the recruitment of staff from suppliers, customers, etc. It isn't always necessary to rule out that kind of career move, but what is generally accepted as necessary is to rule out the possibility of dodgy dealings.
Ben Verwaayen, what is your company's policy on recruitment from suppliers and customers? What processes were followed in the case of Stratis Scleparis's career move? Is any corrective action necessary?
It's quite simple...
...Just don't use an ISP that has had anything to do with Phorm. There are enough others out there to choose from, and *not* using Phorm might even become a selling point.
If you are unlucky enough to be using BT you will probably appreciate the improved performance you will get from another ISP anyway.
Simply by being associated with this spyware company VM's image is already tarnished, as they have exposed themselves as no different from the rest of the money-grabbing corporates out there prepared to put profit before customer satisfaction... totally the opposite of how they want to be portrayed in the media.
But then I'm presuming Branson needs all the funds he can get to finance his white elephant galactic project.
My recent letter from VM clearly states they are currently progressing with an "opt-out" policy and that they will be as transparent "as possible" with their customers regarding this solution.
Can we or the Reg come up with a list of non-Phorm broadband suppliers so when we all need to jump ship, we already have decent info to hand?
Pots and kettles
Firstly, given your reportage to date, I accept this is not an April Fool story ;)
The important point here is that BT deliberately sought to hide what it was doing. It cynically deceived its customers and was knowingly sailing close to the wind in legal terms.
BT cannot be trusted to tell the truth. The company has lied about this issue consistently; why should we accept anything BT says now as true?
Furthermore, BT has shown no signs whatsoever of backing away from Phorm nor from the concept of traffic interception for commercial gain. At least both Carphone Whorehouse and Virgin seem to be re-evaluating their commitment to Phorm.
As to Kent (with a 'u') Ertugrul and his PR people's spin:
"We think it is unethical of the Register to seek to undermine a technology..."
Bloody gall! Pots and kettles. How *dare* they accuse anyone of being 'unethical'
"... that enhances online privacy..."
Bollocks! In fact, it does exactly the opposite as K(u)nt well knows.
"....Phorm's system ensures that ads are served with no data storage ..."
Storage is irrelevant, a red herring. You bastards are intending to intercept my packets and spy on me.
"... something that will benefit readers of the Register and other websites."
No it won't. Not in the slightest. Not in any way imaginable.
This whole sorry saga needs and deserves the widest possible media coverage. El Reg has done a sterling job so far but, sadly, ninety-five per cent of DSL-using Joe Public is technically illiterate and doesn't read The Register. A lot more coverage such as The Guardian's and the BBC's is needed to generate the deluge of complaint that BT so richly deserves; and wallet-voting by switching ISP is the best way to reinforce the point.
Phuck off, Phorm. Do not want.
So - if it's not legal .... we'll just change the Law!
"BT has said it plans to change its terms and conditions accordingly to comply with the law."
... and I for one look forward to NOT accepting the change.
So I'll just take my Mac (code), and leave.
Did I read this right?
Did I read this right? 18,000 customers? Sorry, I really can't believe this article Chris. You must have got something wrong. I can't believe a household name would stoop to such arguably criminal lows in the search of advertising revenues.
What are the implications? BT has been working with Phorm since 2006 we know from El Reg and The Guardian. Phuck me this seems really VERY serious...
Phorm-free ISPs
There is already a list growing at http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?11
Wow, no really WOW
The deeper we get into this the worse it gets. Even I never saw this coming and until the end of the second page I was beginning to believe it might be a very clever April Fool but now I am left staggering.
I submitted a petition on the PM website on Friday evening to call for the PM to demand the Home Office initiate criminal proceedings against BT for the 2007 Trials which they recently admitted to and was shocked yesterday to find out it had been rejected for unfathomable reasons.
You can see the petition text and the email I got from the PM web team on the following link:
I am also currently investigating the possibility of filing for a High Court injunction to prevent Phorm technology being deployed in the UK with any of the 3 ISPs under RIPA; anyone who has any feedback they wish to give on that please contact me.
And in closing, Wow.
PS.. You need a Gobsmacked icon ElReg
It takes a Liberal Democrat to put forward a balanced view of the internet and to question the integrity of BT and the likes.
Just a shame they'll never get in, we're stuck with either Corrupt Cameron or Zombie Brown.
If only people would vote for parties that actually have some moral fibre and care more about the people that vote them in than the big companies that sponsor their campaigns and offer them silly money after they leave Parliament.
In light of the RIPA comments from legal experts, and given that even the official government advice suggests that this system will only be legal if users are opted in, I can't see how BT can fail to end up in court regarding this.
Any legal peeps around care to enlighten those of us who regularly have to use "IANAL"?
/Paris 'cus she knows about stickin' it up her...
I wish this were an April Fools joke...
"We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.
In the interests of balance, we would like the Register to reflect the improved privacy environment Phorm provides over the other major online ad targeting companies detailed in the attached table."
You just can't make this up. El Reg being irresponsible by exposing a spyware scam to the Net? You know, attempting to portray your product in a positive light is one thing. This.... This is stupidity. This is from the mouth of Mr-I-Don't-Know-How-To-Do-PR (and my product sucks anyway).
Seriously, we have two options - have our internet usage monitored for the sake of advertising revenue we will never see, or.... Nothing. Or no monitoring. Which sounds like it's a better deal for privacy? The jury is out on this one.
It still amazes me what people will do, and what they will convince themselves of, for the sake of money. This is a system that uses people like cattle to make more money for the ISPs and the advertisers by invading our privacy, and yet Phorm defends it as if it could cure AIDS and cancer. How? How can you not admit that your product is immoral at best, illegal at worst. How can that not make sense to you?
Jesus Kent's comments make me want to bitch slap his face.
What is the implication on commercial confidentiality?
There must be one or two folk out there who "work from home". OK, a lot will have VPN connections, but not all.
Can someone from the cognoscenti please have a guess as to what the security implications for a company and its intellectual property are if one's outworkers are having their traffic intercepted to and from, say, the internet and their company's internet-accessible intranet sites (honest guv, we aren't actually reading anyfink)
Typically, the arrogance we expect from these parasites: they assume they have some god-given right to our data in the same way that the ad boys seem to think it's OK to up the volume in ad breaks (leading to a universal muting of ALL ad breaks in our household). The sad thing is they can't see they are WRONG.
From my reading in various places, side-stepping reasonable questions is standard practice for this company, just one more reason NOT to trust them. The fact that they have targeted the UK is significant given that Phorm pretty much have their roots in the US; maybe they knew that was too big a market to try to fool first off with some very vocal privacy advocates - clearly the hope was to slip it under the radar here and then be able to point to its UK operations as proof of the "value" of this. And considering I have anti-phishing in all my browsers, I'm still trying to work out how letting a proven malware provider anywhere near my traffic provides ME with any value.
THEY have undermined their own "product" by secrecy and deception. I'm sure if the Reg staffers were minded to do a "hatchet job" on Phorm this would have been far worse for them
Kreepy Kent can go Phormicate himself!
FAO: Phorm Team
Phorm team, can you please answer the following questions which I've asked of you a few times.
If you don't store any browsing histories, how come the OIX website says:
"...For example, Travel advertisers will be able to target messages to anyone seeing the keywords "Paris holiday" either as a search or inside the text of any page with timing of three times in an hour..
...Advertisers create customised channels using behavioural keywords - keywords derived from searches, URLs, and contextual analysis of pages visited, with recency and frequency"
In order to know the frequency with which someone visits a page you are going to have to record the URLs visited against their profile, complete with a list of times they visited it too, so you can tell if they visited it in the three hour example mentioned above.
So how does your system know what time a page is visited and the amount of times a page is visited by someone if it doesn't actually store the URL of the page?
Many sites have Terms & Conditions which explicitly deny data mining, extraction etc. of their content. Many of these sites are also copyrighted.
Bearing in mind that some ISPs are in talks to crack down on copyright theft (Virgin & the BPI) and it seems to be another big thing at the moment, could yourselves or the ISPs installing your system be held accountable for copyright theft? It could be argued that you are profiting by mining this copyrighted data which doesn't belong to you or the person viewing the page to build your profiles.
If I was to own or have a website then I certainly wouldn't give you permission to mine my content so you can profit from it.
Finally, can you guarantee that the data your systems hold or process will NEVER be able to identify a living person by any means whatsoever?
If so, how?
Thanks Phorm - Phanks!
not being a legal bod...
Can BT customers demand to know (via freedom of information?) if they were within the trial that was not a trial but actually was, and if they were, can they then take legal action against BT and Phorm using RIPA as their consent was not given?
Just a thought
Since the majority of ISPs are provisioned through BT Wholesale, and since they clearly have truth issues, what are the chances that, since all the data will have to go through BT exchanges and BT infrastructure to get to the ISP, all that will be profiled by Phorm too?
Just a thought, I'm not sure of the technical aspects as I've never worked for an ISP.
Shocked and Appalled
So BT ran a trial which involved intercepting the communications of 18,000 customers, and gifted the information that was intercepted to a third party adware/spyware provider without even seeking consent?
Someone in BT and Phorm needs to spend time in prison to think this over.
It's just appalling.
If Virgin have done this, I'll be joining Alexander in demanding prosecutions against them too.
Phorm's claims not to identify users are obviously false. Their cookie is named 'UID', abbreviation for User Identifier... i.e. an identifier for a user. And the claim they don't store anything... of course they do... it's called a profile and it's linked to a specific user via a user id.
Their note must be an April fools day gag.
Guess what Mr Ertugrul...
It's not The Register who is stirring the negative sentiment against you. It's US, free citizens, who prefer NOT to be profiled. Bollocks to your excuses, to your reasoning; you are trying to make money off my browsing habits, you pay ME, not my ISP. The cheek...
Here's to a nice fat lawsuit against BT and Phorm for breaching RIPA in 2006.
It Gets Better
How the hell can Phorm dare to lecture anyone after being dumped by The Guardian for a lack of values? We're talking about a company which has behaved unethically, unprofessionally and dishonestly.
I'm stunned at the revelation that "That means all 18,000 test subjects were always opted-in without their knowledge."
I always expected the unacceptable from BT but this leaves me stunned. There's often some degree of vested interests and old boys' network in business but this is obscene.
BT Broadband Contract
The article states "BT has said it plans to change its terms and conditions accordingly to comply with the law".
Can a customer refuse to accept the change and therefore terminate their contract and move to another ISP? I'd move if someone could confirm. I'm not sure Zen Internet could cope with the demand though :(
El Reg, don't let them off the hook
Please please keep on them and don't let them fob you off. If they hadn't broken the law they would certainly be quick to say so. If they have broken the law then someone should be prosecuted for it - why should they get away with it? Please keep on them and don't take a sidestep for an answer.
time to make a stand
Given the potential breach of law that occurred in 2006, where you could allege a wire-tapping offence took place against 18,000 customers, would it not make sense for some good lawyer type to effect a UK equivalent high class action case on behalf of those 18,000 people?
There are more opportunities to make money for these people in suing BT than BT will make in the first year of operation of this insidious tool.
Failing that all it will take is for one single victim to lodge a police complaint for alleged wire tapping offences to threaten this entire house of cards.
I have never used BT so sadly it could not be me, otherwise Mr Plod would get a visit this afternoon (seriously).
Somewhere our rights need to be honoured and somewhere people need to make a stand. Why not here?
Paris, because she knows money when she sees it.
Phorm really are quite the arrogant bunch. First they say they are going to educate Sir Tim Berners-Lee on the benefits of their system and now they complain about El Reg coverage of all this.
Newsflash for you Phorm. You along with BT have broken RIPA. You have lied countless times. Even your PR team couldn't be honest and initially registered on the cableforum website as PhormTechTeam. You lack credibility and even the tiniest semblance of honesty. We don't believe you. We don't want your spyware. Go away.
A bit of persistence is required
In the reports of people being arrested because someone thought their mobile phone or whatever was a gun and similar stories the police always say they have a duty to investigate complaints.
Maybe someone based in the UK could call the police and make a complaint against BT. I recall someone already trying but if enough people did so then it might get a bit further.
Similarly with the petition on the PM website especially in light of the 2006 trials.
I..*shudder*.. went to the Phorce, erm Phorm website, had a look at their press releases. It's amazing that El Reg has probably had more stories on this item than any other news site/paper, yet isn't mentioned once as a source for their Press Archive. In fact all the sources given are basically those sites' rehashes of the Phorm press releases and some even seem to think it's A GOOD THING! IT ISN'T! Makes me worry about the sanity of the "tech" writers for these other sites! Or rather, wonder how much they are being paid!?
It all boils down to what is relevant to the users' interests. Or rather, what shit Pharce is trying to make relevant for them. Nothing like burying your head in the sand up to your arse eh Phorm? Hoping the opponents to this "innovation" will go away? Not while there is movement in the fingers of El Reg and its readers!
Page 1 section 1
1 Unlawful interception
(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—
(a) a public postal service; or
(b) a public telecommunication system.
BT Group publishes a code of ethics.
Based on their actions, maybe it should say "this space intentionally blank" but what it does say includes:
"The Chief Executive Officer, Group Finance Director, the Director Group Financial Control & Treasury, direct reports to the Group Finance Director and the lines of business Finance Directors will:
* act with honesty and integrity, including ethically handling actual or apparent conflicts of interest between their personal relationships or financial or commercial interests and their responsibilities to BT;
* promote full, fair, accurate, timely and understandable disclosure in all reports and documents that BT files with, or submits to, the U.S. Securities and Exchange Commission or otherwise makes public;
* comply with all laws, rules and regulations applicable to BT and to its relationship with its shareholders;
* report known or suspected violations of this code of ethics promptly to the Chairman of the Audit Committee; and
* ensure that their actions comply not only with the letter but the spirit of this code of ethics and foster a culture in which BT operates in compliance with the law and BT's policies."
Ben, how does the Phorm work fit this ethical policy?
In particular, what about "ethically handling actual or apparent conflicts of interest between their personal relationships or financial or commercial interests and their responsibilities to BT;"?
How does Stratis's career move (which BT and Phorm presumably knew about when BT started trialling Phorm) line up with your ethical policy?
The public want to know. In particular, your long-suffering stakeholders (employees and shareholders) want to know.
re: Damian Gabriel Moran
No, the Freedom of Information Act only covers the public sector (and not even all of that). You could however send a Subject Access Request (Data Protection Act) accompanied by a £10 cheque or postal order asking if you were involved with the trials. You need to send the request to the BT Data Controller and I recommend you send it by registered post and print off the delivery notification from the Royal Mail website. They have 40 calendar days to comply with the request before they are in breach of the regulations, at which point you can either contact the ICO with a formal complaint -or- if you can prove damage you can initiate civil proceedings against them in the county court.
Wonder whether we can apply the 3 strikes to an ISP? E.g. three random customers each download an illegal mp3 via http.. Each has only one "strike", but phorm has three - can we therefore demand that they get unplugged? ;)
@Damian Gabriel Moran
The FoIA applies to government bodies, not private companies. However, under the Data Protection Act, you should be able to find out if you were within that trial, since they really should still have those records - there's an administrative fee associated with it, but it has to be "reasonable".
To some extent they may be protected by your lack of encryption... It's not illegal to hear something that people say in public if they shout it really loud ;) However, the RIPA doesn't seem to see an internet pipe as a "public place", so it probably isn't covered. No company should be using http/html for remote working without the "s".
There's another article on the reg (can't remember the title at the moment) that includes details of how the infrastructure works. Effectively the data passes through a very small part of the BT network (from a data point of view, rather than physical), and goes immediately out on a dedicated pipe to the ISP. Therefore unless BT are putting the phorm stuff within that small section, it's not relevant... If they DO put it there, then they are likely to be really hammered by the other ISPs. If nothing else, they're increasing the data flowing over the pipe and that's what the other ISPs end up paying for...
re: A bit of persistence is required
I am the one who tried to report the 2007 trials to Scotland Yard but they refused to issue a crime reference number because I was unable to provide them with an exact date and place where the criminal act took place (as I am not a BT customer nor ever will be).
So yes, we need criminal proceedings to be initiated, which is why I have just refiled the petition on the PM's website with the news of the 2006 trials and again asking the PM to demand the Home Office start proceedings.
I have also started a facebook group to help publicise it here:
(And no I don't need lecturing on the privacy issues surrounding Facebook but thanks anyway).
Oh dear God...
Anybody seriously wish that chemical neutering was legal practice?
Someone with such questionable moral values as to actually BELIEVE that this is, in any way, acceptable, legal, or even required, should not be put in charge of impressionable people, their own or anyone else's.
I worry about the state of society.
Is it just the end users that can sue?
Surely the owners of websites surfed to by the guinea pigs were also victims of interception? I guess you'd have a hard time proving it (unless your logs go back that far), so just to make it easier, can we use the same formulas the recording industry uses to calculate damages to work out how much BT must pay ;-) ?
The cracks are appearing...
We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.
This rather intemperate response means they are rattled.
Keep up the pressure, El Reg, BadPhorm, DePhormation, and everybody else who cares about this.
And if you need further encouragement, read:
for a perhaps insufficiently satirical look at where this will all end up if we don't keep up the pressure....
But I am sure we can. And I sincerely hope Kent Ertugrul's phlight back to the USA goes from Terminal 5.
Paris, because her baggage will always follow her around, no matter what
And on that bombshell..Phormgate
Well done Chris & El Reg, real Watergate stuff - or should I say 'Phormgate'. Let's just keep focused on BT and the other ISPs who are the principal villains of this piece.
@ Alexander Hanff
Good luck with the injunction; I think it's the only sensible way to stop this.
As for the No.10 petitions route, does any reader have a single example of this tactic working (i.e. our beloved leaders - past and present - actually taking any notice)?
You know, being democratic?
I thought so.
El Reg - keep it up.
The only Trials BT should be involved with...
Are criminal trials for the potentially millions of counts of breaches of RIPA in both 2006 and 2007. How many webpages do you think 18000 people visited over that 2006 trial period?
<..>UK equivalent high class action case on behalf of those 18,000 people?<...>
They shouldn't have to. Breach of RIPA is a criminal act not a civil one.
Either BT & Phorm have committed a criminal act or they have not. My reading of RIPA says they have. Time for HMG to step up.
opt in security broken
Look at the link.
It shows how a dubious website can opt you in without your knowledge, using standard cross-site request forgery techniques.
So if you visit a site it can put an opt-in cookie on your PC without your knowledge.
Then it is down to whether Webwise processes the opt-out or opt-in cookie first.
Hmm, looking more dubious and less secure all the time.
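The comment above turns on which of two conflicting cookies an ISP-side system honours first. The following is an added illustration, not code from the original thread or from Phorm/Webwise, of the defensive resolution rule a consent system should apply: parse every cookie the browser sends, let an opt-out cookie win regardless of order, and only accept an opt-in from a same-origin POST so a forged cross-site request cannot plant consent. The cookie names and the consent origin are hypothetical placeholders.

```javascript
// Added example (not from the original comments or from Phorm/Webwise).
// Cookie names and the consent site origin are HYPOTHETICAL placeholders.
const OPT_IN_COOKIE = "webwise_optin";
const OPT_OUT_COOKIE = "webwise_optout";
const CONSENT_ORIGIN = "https://consent.example";

// Parse a raw Cookie request header into a Map of name -> [values].
// A browser may send two cookies with the same name (different path or
// domain) as separate pairs, so every value is kept instead of letting
// the last occurrence silently overwrite the first.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    if (!jar.has(name)) jar.set(name, []);
    jar.get(name).push(value);
  }
  return jar;
}

// Resolve profiling status for a request from its Cookie header.
// Rule: opt-out is authoritative. If an opt-out cookie is present in any
// form, the answer is "opt-out" even when an opt-in cookie is also present,
// which is exactly the state a CSRF-planted opt-in cookie would produce.
// With no cookie at all the safe default is "opt-out": no profiling
// without explicit consent.
function resolveOptStatus(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(OPT_OUT_COOKIE)) return "opt-out";
  if (jar.has(OPT_IN_COOKIE) && jar.get(OPT_IN_COOKIE).includes("1")) {
    return "opt-in";
  }
  return "opt-out";
}

// Decide whether a request to the opt-in endpoint may set consent at all.
// A forged cross-site request arrives with the attacker's page as Origin
// (or as a plain GET via an <img>/<iframe>), so require a POST whose
// Origin header is the consent site itself. `req` is a minimal object
// with `method` and lower-cased `headers`, as Node's http module provides.
function isOptInRequestAllowed(req) {
  if (!req || req.method !== "POST") return false;
  const origin = req.headers && req.headers.origin;
  return origin === CONSENT_ORIGIN;
}

// Set-Cookie value for a genuine opt-in. Secure and HttpOnly keep the
// cookie off plaintext links and out of reach of page scripts; SameSite=Strict
// (a later browser feature, not available in 2008) stops the browser
// attaching it to cross-site requests at all.
function optInSetCookieHeader() {
  return `${OPT_IN_COOKIE}=1; Path=/; Secure; HttpOnly; SameSite=Strict`;
}
```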
Dear HMG Home Office
Dear HMG Home Office,
I recently received details of your new initiative to create new legitimate business opportunities in the hi-tech sector, namely in the Data Raping arena, and I'd like to register my company's interest in the scheme.
I own a conglomerate of small enterprises specialising in niche revenue opportunities. By profiling anonymous individuals we can identify those of high net worth at whom we can target our product. Our main product being simple letters offering our services, our main service being NOT writing to the press about profiles showing interest in our sister business selling a large range of man-on-man video materials.
We also have ties to a large network of software developers who are keen to install 3rd party "applications" on our data-raping hardware. Many of these are enterprising individuals whom I'm sure will find great ways to increase revenue once we have total control over users' data streams.
Thank you for your interest,
Frances James "Jimbo" Gunn
central resources needed
What we need is a central location to keep all the issues, websites, email addresses and places to write to, to complain, so we can maximise and co-ordinate everything against Phorm. Is anyone aware of a site or blog like this?
We also need standard letters that list the issue we are complaining about to the relevant recipient of the complaint,
one to each of the following:
* to register your position on Phorm and specifically remove permission for them to profile your data or pass it via the profiler
* to register a complaint with regards to BT, VM, TT and Phorm potentially breaking RIPA and the DPA, even if the user opts in
* general complaint, plus info on their comms to constituents and researchers' web activity being profiled if using one of the 3 ISPs etc.
* as it involves BT's breach of RIPA last year during trials of Webwise, and potential breaches of RIPA and the DPA in the future, and possibly the national security implications of government officials' web activities being profiled etc.
* as it could involve European law, in particular the Human Rights Act, as the right to privacy would be infringed
* make more people aware of the potential issues
* as local press but more national coverage
Have I missed anything??
Look, there's no point in messing about with online petitions. If you are a BT customer and believe your traffic may have been intercepted, contact the Computer Crime Unit of your local police force. For example, if you live in London:
Of course you will first need to provide evidence that your traffic has indeed been intercepted.
Why didn't they come up with an excuse?
BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.
Surely they could have claimed that they would have loved to reveal where the mugs came from, but they don't hold sufficient information to be able to identify the source?
The powerpoint slide contains lies
.. of course.
It suggests that the "opt out" for major search engines is "deeply embedded". However, anyone who has an anti-malware package on their PC (or otherwise knows how to delete cookies) can "opt out" by preventing the storage of the tracking cookies needed by the other ad-targeting engines to work.
Since the Phorm system is IP-address keyed, and occurs in the network, there is no way to opt out of tracking.
Are the BT Board Asleep on the Job?
So the BT Retail CTO organises secret (and illegal!) trials using their customers' data, in conjunction with a notorious spyware outfit, and between them they perfect a scheme that they think they can get away with. Then when they think they might make a packet, he jumps ship to be CTO of the very company he has been sweethearting at BT's expense, leaving BT to carry the can if the legal implications blow up in their face (as they are doing). Nice move, but would you buy a used car from this man? Makes Nick Leeson look like an amateur!
One of the 18,000
I was one of the people who was entered into the parasitic trial without consent.
I am utterly appalled at the number of other people who were also "wiretapped".
This is a disgusting abuse of trust and faith.
What I find most appalling is that despite several emails to and from BT Directors I have still not received an apology, just belated confirmation that a test did take place, despite being told at the time that there was no such thing happening.
In the words of the mighty Tony Harrison: "It's an Outrage!"
BT, looks like the sh17 is about to hit the Phan!
...looks like we'll be seeing BT + Phorm in the dock then!
Isn't this like
BT having someone listen in to all your calls, taking notes - in case, say, you ask dear old dad what kind of garden shed you should buy? So they can inundate you with adverts for garden centres? I'm sure if that was forwarded as a legitimate business plan it'd get laughed out the office due to being incredibly illegal...
Plus what are the security ramifications? Like online banking? They intercept your username and password, and which memorable information selections you made? Credit card details entered in online shops? Chat text on MSN et al? Could divulge all sorts of snippets on there... OK it is encrypted but that's not the same as "100% safe" is it. And if it is recorded you've got all the time you need to crack it.
Ghastly situation, someone needs a right kicking over this.