
BT's 'illegal' 2007 Phorm trial profiled tens of thousands

BT's covert trial of Phorm's ISP adware technology in summer 2007 involved tracking many thousands more customers without their knowledge than previously reported, it's emerged. Erroneous reports earlier this month suggested that a total of 36,000 broadband lines had been eavesdropped upon during the two trials. The Register had …

COMMENTS

This topic is closed for new posts.


Alert

If they feel...

they have to ask this time, what's changed?

(Apart from the fact that the cat's out of the bag!)

If they broke the law when they carried out these previous 'trials', then a judicial application of three nails with a hammer should be applied to BT at least.

(Is there ANY investigation running/pending on this, or are the "authorities" turning a blind eye? Time to ACT, OFCOM!)

Damn, I'm glad they're not my ISP.

0
0
Silver badge
Thumb Down

Ahhh the old "Opt-In"

Which will go along the lines of.

Send email to BT Email address 90% probably don't use.

e-mail will say "We are trialing a great new...wonderful...benefit...exciting....blah blah blah....If you don't wish to take part, please reply to this email, otherwise we will presume you want to opt in"

90% don't read email (or never reply to unknown senders) and therefore "Opt-in" by default.....

0
0
Paris Hilton

BT and Phorm

Either BT carried out a criminal act or they did not. If they did, I require the CPS whose wages I pay to prosecute them. If the issue is in doubt then let us have a court determine this. As Vince Cable famously remarked; "The Prime Minister has gone from Stalin to Mr Bean in a fortnight", but even Mr Bean must be able to see this is an important issue which would be relatively easy to clarify.

Paris, of course, because this is perfectly clear to her.

0
0
Coat

A new definition of small!

Well at least I know how to respond to BT next time they whine about my bandwidth use, I'll just say it is quite small really. Then when they argue I'll point out I'm merely using their definition of small and surely they can't complain about such a small amount of traffic, it barely affects anyone......

Mine's the one with broadband access...!

0
0
Flame

Law on Opt-In/Opt-Out?

Is there actually any law on what opt-in or opt-out actually mean and what is required/allowed as notification in either case? As far as I am concerned Opt-In should mean I am considered not to be in unless I specifically request to be, Opt-Out should mean in unless specifically requesting not to be in. No response should never be considered implicit approval for an opt-in, since if no response implies you are included I would think that makes the process by definition opt-out!

Seems that Phorm and BT need to learn exactly what Opt-in and Opt-out actually mean in English as opposed to PRinglish!

0
0
Stop

EXPLICIT opt-in

BT and Phorm have been told that any opt-in must be EXPLICIT, in other words they can not opt you in without you confirming that you agree to be opted in.

Not answering an email or BT putting it into revised T&Cs is not an explicit opt-in.

0
0
Anonymous Coward

Wholesale?

So, were BT Wholesale customers affected?

Most small ISPs just resell BT Broadband wholesale packages, which presumably go through mostly BT kit?

0
0
Anonymous Coward

disgraceful

Potentially a minimum of 108,000 criminal violations of RIPA and what does our government do? Nothing. Labour ex-minister Patricia Hewitt sits on BT's board. Nothing will be done. Apparently BT and Phorm have a government license to ignore UK and European laws.

Move along. Nothing to see here.

0
0
Silver badge
Unhappy

@ Stu Reeves

Ofcom say Phorm should be an explicit opt-in. This means that BT *should* have phorm *off* unless they receive an explicit communication from a customer saying they want Phorm *on*.

Sending an eMail saying we will switch it on unless we hear from you is still an opt-out.

Of course, whether BT will abide by Ofcom's ruling and whether Ofcom has the balls to make Phorm / BT do a real opt-out is another matter.

As to how BT describe Phorm to get customers to opt-in, well, that's another issue relating to Ofcom's testicular dimensions. IMHO they *should* be forced to describe exactly what Phorm will be doing, top of page. We all know, however, that it will be buried in the small print that nobody reads.

What is needed is more publicity so that the general public hear about Phorm and reject it. It's all very well the knowledgeable few rejecting it and pissing off to other ISPs, but as the majority of BT and Virgin broadband users are clueless with regards to technical issues and will swallow BT's "Webwise will protect you" bullshit it is, unfortunately, likely that BT and Phorm will get away with it.

Trouble is the mainstream media, and their readers, are more interested in which celebrity is getting into which other celebrity's knickers than with an issue that could result in all of their web activity being spied upon by a notorious spyware pusher.

0
0
Alert

RIPA

It seems that RIPA can be used by just about anyone to spy on anyone - look at the example of local councils spying on families to make sure their children live in the correct school zone. Hell, if you look in your next box of honeypuffs you'll probably find a note giving you permission to spy under RIPA.

BT are probably confident that they haven't infringed the law because as a major supplier to the UK government and defence agencies they have probably been given carte blanche to spy on anyone. It would explain why they are so smug.

We need a new icon for Phorm

0
0
Boffin

Service with a "Crocodile" Smile

As I now understand it, not only was an illegal data mining operation in place during the summer of 2007, conducted by BT on behalf of Phorm, who then went on to reward a certain individual from high up in BT with a position in Phorm; not only did the two companies then embark upon a litany of misinformation to try and smoke-screen this illegal interception on countless (and the correct word literally is *countless* now) consumers without their consent; not only is this scam reliant on using up a subscriber's bandwidth (lest we forget that there are still people out there who operate on a pay-as-you-go or a capped allowance) in order to broadcast profiled advertising; not only... BUT also there appears now to have been a deliberate attempt by the instigators and protagonists of this nasty little debacle to deliberately deceive and otherwise bear a false witness when they were questioned by the regulating authority... they twist and turn like a twisty turny thing and in conclusion I find myself admitting that, given what has already come to light, 121media really wasn't THAT bad. What we see here is the ultimate and logical endpoint of the privatisation of what I used to refer to as the "telephone service"... Someone PLEASE put this abomination out of its misery, and use the prisons for what they were built for.

0
0
Pirate

Customer care at its worst

BT are doing a great job of gaining customer confidence - NOT !

Skull and cross bones... because Pirates also dig holes :D

0
0
Paris Hilton

Permission

Ok, if they have to ask permission next time for a trial run, presumably those who have been following this story will refuse to take part. The problem is how many actually know about all of this. My wife asked me what I was reading the other day and I told her about all the stuff that was going on with Phorm and their trial. That was the first she heard of it and she was rightly shocked. No one in her office even knew it existed.

I have this horrible feeling that, as on-the-ball as all of the reg readers are, we make up a pretty small group compared to everyone who has a net connection to the big 3. If enough people opt-out, then their service to ISPs becomes worthless, but I don't anticipate enough people doing that without some kind of major headlines in all the national press. I just can't see this stuff on the front page of the Sun and the Daily Mail or any national newspaper really. Even on the big news websites, unless you're looking for this story, it doesn't jump out at you. I used to do user support for BT and a few of the other main ones. I have a pretty good idea of what their main customer base is like and they are not a group that will change ISPs over this. Especially if their connection is 'free'. The only way to stop it is if it's deemed illegal. If the opt-out they have isn't cookie based then good for us as our web traffic will not be processed. But that also means it's totally legal and they will stick it in the T/C. If that happens Phorm will win by the force of customer indifference.

Paris because I suspect she's quite an average sample.

0
0
Anonymous Coward

oh what a tangled web..

"We asked a Phorm spokesman why it doesn't believe people have the right to know how likely it is they were part of a secret test. "We're just not going to disclose that," he said. "They were BT customers and you have to ask BT about that.""

Er, hello, the correct answer to the question "was someone in the trial?" is that Phorm don't know. Phorm don't know because they only have anonymized data from BT, no?

0
0
Ian

Exchange level?

"Documents seen by The Register suggest that Phorm tests were performed at exchange level."

Does that mean even if you don't subscribe to BT's ISP yet use their telephone exchange to access another ISP you could've been hit?

0
0
Stop

costs?

What I'm wondering is whether OFCOM will take action against BT for this? If they do, then surely it will be a fine, which will then be passed onto customers (possibly even telephone users without a computer). This country is going backwards.

Also, so many non IT people I have told about this seem not to care until I put the thought in their minds that if Phorm don't tell everyone the truth in every interview how do we know they don't collect credit card information?

0
0
Joke

The next move...

will be to pre-empt any "Spying" headlines in the tabloids by attempting to promote the 'look, if you're not doing anything that you shouldn't be / are ashamed of / want your wife/husband/partner to find out about / illegal, then what's your problem? / what have YOU got to hide?' type line.

Now THAT'S the kind of storyline that the rabid lunatics that run some of our tabloids LOVE!!

(Hope I'm not tempting fate here!)

0
0
Unhappy

@ Blasmeme

Absolutely right, reg readers etc are a very small minority, 95%+ of BT users will get the email, offering to opt in to 'Free Online Security' and will give the go-ahead, most people don't/won't understand the pandora's box they are opening by allowing the equipment into the exchange, and what it could be used for in a few years time as paranoia tightens its grip on the country.

0
0
Anonymous Coward

@John Edwards (et al)

I agree there should be a court case to settle this, but I think it unlikely the CPS will take it on. Ideally one of the larger city civil law firms should take on representation of a single, or group of, identifiable BT customers who have had their traffic intercepted. That would provide standing for a civil action which I believe would ultimately have a greater effect on the companies. Assuming the customers won (which looks likely) and were awarded even a small package of compensation it would open the door to all other intercepted customers to clamour for the same compensation.

0
0
Bronze badge

@ Ian

It could do, depending on how they did it. However, I would say it's unlikely.

Most people use BT copper for the last mile, if they were doing it this way I doubt that Phorm would have bothered with getting anybody other than BT.

0
0

@ tony& AC

Wow... Slow down a second...

I don't agree with Phorm, but taking credit card info and abuse for spying on us? That's a bit far, and VERY tabloid. Calm down, and stop trying to frighten people. As I said I don't want Phorm, and am not happy about it, but I don't think they are going to start stealing my bank information.

0
0
Pirate

It's worse than that, he's dead Jim

@Stu Reeves

"Which will go along the lines of.

Send email to BT Email address 90% probably don't use.

...

90% don't read email (or never reply to unknown senders) and therefore "Opt-in" by default....."

Nope, this is not how they plan to do it. Not at all. From the BT 'Webwise' (Phorm) FAQ :

"The trial invitation will be presented through a special web page that will appear the first time those customers start a web-browsing session after BT Webwise becomes available. At this point, those customers invited can choose to click YES, NO or Find More to get more information"

http://webwise.bt.com/webwise/help.html

So in fact they plan to offer the 'choice' (e.g of having your traffic illegally intercepted with or without paid ad support ) by hijacking your browser session (via a 307 Redirect, I would guess, given the technical detail we've seen so far), and presumably this is the only page you will see until you select one option or the other, a choice which will (still) be recorded and enforced by cookies, because poor widdle BT haven't been able to develop a non cookie opt out 'solution' yet.

I wouldn't care to guess what's on the "Find More" page, but I'll bet there _isn't_ an option to search Google for Phorm.

Informed consent, my hairy ass.

And isn't hijacking my browser a prima facie violation of CMA S1(1) ? Or even S3(2) ? Even if you _are_ my ISP.

0
0
Flame

Ipso facto

"BT has claimed that it has no way of telling which of its customers it Phorm profiled" -

Isn't that in itself potentially illegal, because it has no way of fulfilling a data-subject access request?

0
0

does this mean.......

that phorm actually know who the people were?

"We asked a Phorm spokesman why it doesn't believe people have the right to know how likely it is they were part of a secret test. "We're just not going to disclose that," he said. "They were BT customers and you have to ask BT about that.""

It sounds to me that they "could" disclose the names, but they're not going to. I thought this process meant Phorm didn't know who these people were? This sounds worse and worse.....

0
0
Stop

OPT IN / OPT OUT not the issue

In previous reports it appeared that PHORM/BT would have access to all communications over the circuits in question, so the whole opt in/opt out question is really foolish.

This is SO simple, it should be illegal. Those who have allowed this to take place, get as far as it has, should be jailed. SIMPLE

Of course, money talks and power listens, then it seems takes some of the money.

0
0
Happy

Use your MP

Write to your MP and ask a very simple question. Why has no criminal investigation started against BT?

Lots of MPs asking that question of the government should get things moving.

0
0
Dan
Stop

Forget opt-in, opt-out anyway..

I don't trust BT enough (or any ISP for that matter) to make the opt-in option a legitimate one. Don't give them the chance and opt-out anyway just to be safe..

http://www.dephormation.org.uk/

0
0
h

Who was in the trial ?

So if Phorm and BT don't know who was in the trial, how do they know if the trial was a success?

You only do a trial to get results !

0
0
3x2

What's that I hear?

The silence from the DPP is deafening. Not even an investigation? Strong words? A frown? What exactly does it take to shock these clowns into action?

I must try this defence if I'm caught robbing a bank....

"Well the money my client took was only a tiny proportion of the bank's total assets"

Burglary?...

"Well as your Honour will concede, the number of houses my client burgled is statistically insignificant when compared to the total number of homes in the UK"

I can't wait for Tax season - I'm pulling "an Emma" too.

0
0
Unhappy

@Paul

I'm not flame-baiting here, but how do you know that they won't ?

Ok, so it may not be their official policy, but they cannot assure me that one of their employees will not "backup" some data --and sell them to the credit card black market ?

Even perfectly legitimate businesses have similar problems. I would assume the worst for Phorm and the like.

0
0

Interceptions

@ Paul

Surely however, if the following conditions are true:

1) Phorm deep packet inspects EVERY packet you send/receive.

2) Phorm lie through front/back teeth / arse / every other orifice.

3) Some ppl, myself included use internet banking.

4) Every packet during my internet banking session will be intercepted by Phorm

Do points 2 + 4 scare you at all? Cos they certainly do me!! Glad BT isn't my ISP, or I'd be offski already.

How can you have even a facade of trust in a company that can and does only lie??

0
0
Linux

Firefox plugin for 307 redirects

I know people keep asking about ff plugins to generate random traffic etc, but can we have one to warn on 307 redirects? Just a pop up box along the lines of "The request you made is being redirected. If you see an unusual volume of these messages your ISP may have signed up to a data pimping solution like phorm.", with an OK/Cancel Request button?

I don't use BT for anything other than the last mile, but I really want to know (and so would my very anti-phorm ISP) automagically if they put one of these boxes in the exchange!

I guess I could just browse using wget :)

0
0
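The warning requested in the comment above could be driven by logic like the following. This is an added example, not part of the original thread or of any existing extension; the function names, the 60-second window, the three-site threshold and the sample hosts are all assumptions, and the response heads are constructed.

```javascript
// Added illustration: flag HTTP 307 responses that send a page request to a
// different host, and warn when several unrelated sites are all bounced to
// the same host within a short window (the "unusual volume" signal).

// Parse a raw HTTP response head into { status, headers } or null.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})\b/.exec(lines[0] || "");
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break; // blank line ends the header block
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Return the target hostname if the response is a 307 pointing at a host
// other than the one requested; otherwise null.
function offSite307(requestUrl, rawHead) {
  const res = parseResponseHead(rawHead);
  if (!res || res.status !== 307 || !res.headers.location) return null;
  let target;
  try {
    target = new URL(res.headers.location, requestUrl); // resolves relative Location
  } catch {
    return null; // unparseable Location: nothing to compare
  }
  const asked = new URL(requestUrl);
  return target.hostname === asked.hostname ? null : target.hostname;
}

// Sliding-window monitor. Thresholds are assumed values for the example.
class RedirectMonitor {
  constructor({ windowMs = 60000, minSites = 3 } = {}) {
    this.windowMs = windowMs;
    this.minSites = minSites;
    this.events = [];
  }

  // Record one response; warn when minSites distinct requested sites were
  // redirected to the same foreign host inside the window.
  observe(timeMs, requestUrl, rawHead) {
    const target = offSite307(requestUrl, rawHead);
    if (target === null) return { flagged: false, warn: false };
    this.events.push({ timeMs, target, site: new URL(requestUrl).hostname });
    this.events = this.events.filter((e) => timeMs - e.timeMs < this.windowMs);
    const sites = new Set(
      this.events.filter((e) => e.target === target).map((e) => e.site)
    );
    return { flagged: true, target, sites: sites.size, warn: sites.size >= this.minSites };
  }
}

// Constructed sample traffic (times in ms; hosts are placeholders).
const R307 = "HTTP/1.1 307 Temporary Redirect\r\n";
const SAMPLE = [
  { t: 0, url: "http://news.example/", head: R307 + "Location: http://intercept.example.net/a\r\n\r\n" },
  { t: 5000, url: "http://shop.example/cart", head: R307 + "Location: /cart/\r\n\r\n" }, // same host
  { t: 9000, url: "http://shop.example/", head: R307 + "location: http://intercept.example.net/b\r\n\r\n" },
  { t: 12000, url: "http://wiki.example/", head: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" },
  { t: 20000, url: "http://mail.example/", head: R307 + "Location: http://intercept.example.net/c\r\n\r\n" },
];

function runSample() {
  const monitor = new RedirectMonitor();
  return SAMPLE.map((s) => monitor.observe(s.t, s.url, s.head));
}

console.log(runSample());
```

A 307 that stays on the requested host is ignored, so ordinary same-site redirects do not count towards the warning.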
Pirate

@ You only do a trial to get results !

No.

You CAN do a trial to SEE IF ANYONE NOTICES!

0
0
Flame

BTwholesale - *probably* safe, for now

There are technical reasons why it's unlikely that any ISP outside BT Retail was affected by the Phorm trials to date. In brief, Phorm's "service" works best (is simplest to implement) when it has access to customer's traffic in "pure IP" format. Currently if your ISP is a customer of BTwholesale (which is most of them), your traffic is in PPPoA format once it leaves your router, and doesn't get back into "pure IP" format till it reaches your ISP's datacentre. So for now it's not easy for Phorm to get their dirty mitts on your data even if your ISP is a BTwholesale customer (it's not impossible either, but...).

This may change once BT's much overhyped 21CN comes into place - your traffic will go into "pure IP" pretty much once it hits the exchange, but the 21CN implementation details are as yet unclear, and the details are important at times like this.

One exception to this "you're probably safe" is the subset of Plusnet customers who chose to use BT Retail's connectivity after Plusnet became part of BT Retail; afaik they have also been offered an informed choice to move back to Plusnet's Phorm-free "classic" (BTwholesale) network.

All that being said, the same DSL->BTwholesale->ISP architecture means that the tale that the earlier trial was "exchange based" is either a gross oversimplification (possible) or a downright mis-statement (probable?).

0
0
Pirate

@who was in the trial

BT and Phorm will not care about who was in the trial, the trial's purpose was to prove the technology works, i.e. can they build a profile, does the profiler work, were there any complaints of speed issues and could they inject the adverts

as to who the guinea pigs were, they don't care, all that mattered was proving the technology worked

0
0
Thumb Down

ISPs front webpage

Who ever goes to their ISPs front page?

I can't remember the last time I had occasion to do that.. So how would I even see the opt-in/opt-out info? They would have to enclose it with the monthly bill in the post, requesting that I go to page........ if I want to opt-in - otherwise it should be NOT opted-in by default.

0
0
Pirate

help wanted for webmasters

can we also have some code we can put in web pages that checks for a phorm opt-in cookie, that those non-programmers can use to serve up a page that says "we do not supply pages to users who have opted into phorm" in big red letters

that should be interesting

0
0

BT obviously have something to hide.

Why else would they lie and not offer detail on Phorm? If they were proud of their association with Phorm, they would be upfront and honest.

I also think they do know exactly how many people were affected in the test, but don't want to disclose the information because they can see a lawsuit from a mile away. I mean, being a trial, they need to collect data on how Phorm works.

Can someone make a Freedom of Information Request for this?

0
0
Stop

Someone who'll reply at BT

I fired off an email to BT about what they'd been doing, planned to do etc and was gratified to receive a reply from a young lady detailed to respond to such requests. I'm posting the email address here so those of us that are worried about Phorm can ask questions and get replies from BT. Maybe they'll take notice of the volume of mail, assuming enough of us get in touch (hint, hint). Send your emailed questions to Emma Sanderson at:

emma.sanderson@bt.com

0
0
Coat

Sorry, we lost the disks.....

Today the national advertising company Phorm has reported the loss of 2 disks containing the non-anonymised details of over 250,000 internet users.

'Two disks containing the internet browsing habits information of some of our client ISPs were lost in the post. Due to a server malfunction, the details had not yet been anonymised and were being sent to a third party facility to be processed. The disks apparently never arrived. While we don't normally store any of the data, in order to maintain the service level agreements with our clients, it was necessary to store and send the data to a third party. Phorm takes this loss of data very seriously and we are putting processes in place to make sure that this cannot happen again. We would like to assure our clients that it is unlikely that the information will be used by criminals for any unlawful purpose.'

You know it will happen.

0
0

Opt-in/opt-out

It will probably come in a letter in the post. Which no-one will read. In the six months I've been with BT I have thrown away at least two thick letters with BT's logo on the front because it was too soon for it to be a bill so I knew it would be a glossy leaflet trying to sell me some more crap. Honestly, that sort of behaviour wouldn't be acceptable in a sane society. Imagine if you went into the corner shop, bought a sandwich and a packet of crisps, and ten seconds later one of the staff chased you down the street trying to get you to buy a chocolate bar.

But I digress, however they do it they'll find some way of getting us to opt-in that will be anything but "Do you want us to inspect all your data and give you targeted advertising, y/n?" Phorm's attitude to opt-in resembles a date rapist mentality. "They all want it really - look at how they go around wearing unsecured connections - and everyone knows when they say 'opt-in' they mean 'opt-out'."

0
0
Stop

@ Ian Re: Exchange level?

>>

"Documents seen by The Register suggest that Phorm tests were performed at exchange level."

Does that mean even if you don't subscribe to BT's ISP yet use their telephone exchange to access another ISP you could've been hit?

>>

Everything not cable is at the BT exchange, even those who now have their line rental direct from TalkTalk or any of the many other line resellers.

The way it works is that the connection between your 'last mile' wire cable and the rest of the telecoms system is that it either goes through BT or through a reseller.

For these purposes, even BT Retail is a reseller (of BT Wholesale).

I think, based on the fact that the equipment does a physical connect to various reseller systems, anyone not with BT Retail can be confident that they were not part of the trials.

If anyone can find different, that will be a VERY BIG can of worms.

0
0

Yes - USE YOUR MP

Forget Ofcom on this, they are a toothless tiger and have long, long, long been known to be in the pockets of BT. How the hell do you think BT have been able to get away with all their past misdemeanours time after time?

What we need is a straight prosecution of BT on 108,000 charges of illegal interception of communications contrary to the Regulation of Investigatory Powers Act 2000.

Section 1(1) of RIPA, makes it an offence to intercept, without lawful authority, a communication transmitted by means of a public postal or telecommunication system. (In other words, you need to get a warrant to intercept.)

Proceedings for the offence of unlawful interception, which is punishable by up to two years imprisonment, require the consent of the DPP.

Section 5 (2) of RIPA, provides that the Secretary of State shall not issue an intercept warrant unless he believes that the warrant is necessary on one of the grounds set out in section 5 (3) - these include the prevention and detection of serious crime - and that the conduct authorised must be proportionate to what is sought to be achieved by it.

So Yes, (as what he wrote above) <quote> "Write to your MP and ask a very simple question. Why has no criminal investigation started against BT?"

Write to your MP, your MEP and why not the KGB, CIA, NSA, FBI, or even HRH if you think it will help.

look here:

http://www.theyworkforyou.com/mp/

0
0
Stop

BT/PHORM 2007 Trial

In your article you state "The Register suggest that Phorm tests were performed at exchange level" and you mention the Weston-super-Mare, but I have proof (ie the cookie) that I was in the 2007 illegal trials and I am across the other side of the county in Kent, so it cannot have been limited to one exchange.

0
0
Flame

Who searches for Phorm when offered Webwise?

I did some searches for Webwise - there are lots of results. Mainly courses that help people learn how to use the web wisely. The message is failing and Phorm must be laughing all the way to the bank.

It is time to start using "Webwise" in blogs and postings so that when someone is presented with the Webwise option and decides to do some searching to see what is actually being offered, they find more than just the webwise.bt.com site.

Google loves new news: so get posting this week and when the trial does start there will be loads of information on Webwise available. People need to know that IF they are presented with the Webwise info page when they first log in that their computer has already been hijacked.

The only solution to stopping this thing is if everyone presented with the webwise page starts contacting BT support about why their data stream is being intercepted by a site they did not request popping up into their browser.

0
0
Thumb Up

@ Peter White

Pete, the wonderful guy who wrote the Dephormation FF extension, has put up a demonstration Phorm Speed Trap that you might find interesting.

It's only a work-in-progress until he gets some live data to work on...

http://www.dephormation.org.uk/server/speed_trap/normal/index.html

0
0
Happy

@ Blasmeme

I agree. Someone should inform as many people as possible, One good way is via email. You know the type.

Have you been wire tapped by BT? Read below and pass it on to your friends.

That should do it.

0
0
Anonymous Coward

I emailed my MP about the lack of a criminal investigation...

...Got a rather boilerplate reply :-

[QUOTE]

Thank you for your email, Mr Denham has forwarded your concerns to the minister for response and will contact you as soon as he receives the reply.

Yours sincerely

Mrs C Storrar

Caseworker

JOHN DENHAM MP

SOUTHAMPTON ITCHEN

[/QUOTE]

I'll let you know if anything happens...

0
0

@Steve Renouf

"Who ever goes to their ISPs front page?"

Well, lots of people, as it happens, but that's not the point.

It won't be on BT's 'web portal', it will simply be the first page that an 'invited user' sees even if they have google or some other search engine set as your bookmark.

Huge difference. This is much nastier.

0
0
Flame

Liars

'BT has claimed that it has no way of telling which of its customers it Phorm profiled and served targeted advertising to.'

Clearly bollocks.

BT must have had some way of identifying users who were unwitting subjects of these trials. Suppose BT customers started complaining about the service, (okay, started complaining the service was worse than usual), BT would have needed to know if these problems were down to Phorm technology or to some unrelated issue, otherwise their engineers couldn't have solved the problem and they'd have no way of making comparison with un-Phormed users.

My DP request is with BT right now asking if I was part of their trial. I look forward to their response; especially if they say they've no idea whether I was press-gang-banged into their trials.

0
0
