What's the story with Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world's ISPs? In some cases, even the ISP can't tell you. In February, the Silicon Valley-based NebuAd deployed its deep-packet inspection technology on a Middle America ISP known as WOW!, formerly WideOpenWest. The …
Does that make sense?
"which is not the number we use internally to identify the user anonymously"
So they can identify users? So do they store user information or not? And now this spyware variant has its own industry standard!
Game over then
If it's okay in America it'll be standard ISP practice worldwide within six months.
Question: Are newsgroups still free of tracking? I see it now, a new, better internet with no ads, video, Flash or crap. Leave the world wide web for the masses and return to the text based world of dot alt.
Well, it was fun while it lasted.
This has got to be stopped!
Seemingly it's not enough that your ISP charges you a fee to connect to the new-fangled interweb, no, they then want to pimp your surfing data to earn a little extra on the side.
Greed. Nothing more, nothing less.
Oi ISP! No!
Charge me the right price for my interweb connection and leave my bloody data alone! If you want to sell me a cheaper "data pimped connection" do it up-front, be honest, don't do it secretly & don't hide behind the bloody altered T's & C's of my existing contract.
Now it has happened on the other, slightly more litigious, side of the pond, do I see a class action suit in the offing? Hope so. This has got to stop. Now.
Mine's the one with "Phuck orf Phorm" on it. :-)
Phorm, NebuAd, all the same
All share a complete lack of disregard for their customers, and it seems that WOW!, like the BBC, has no problems lying to its customers about spyware.
This is why I have my cookies set to session only, and sometimes even use a whitelist - if I don't approve your domain for cookie setting, you never set cookies.
Hopefully MS and Mozilla can make this setting the default for all new browser installations. How the advertisers will cry when users are made to be explicitly aware of cookies - or have them deleted when they close the browser.
It appears that (moral) standards within the industry are being lowered due to incompetence at board level.
It's an IT marketer/salesman's wet dream, offer a board the chance to make loads of money using their existing kit with little to no effort and there's no danger of being asked any difficult questions as the board haven't a clue how their systems actually work or what the legal issues could be!
Driven by a greed for big easy profits and unwilling to appear stupid by asking questions they fear they should know the answer to has led them all into bed with a commonly known datamolester!
A word of advice for all you top brass out there: "The only stupid question is the one that isn't asked"
...now let the witch hunting commence!
@ game over then
But do you REALLY think it'll take as long as 6 months.
Time to take a long, hard look at all of those cookies methinks.
Neil, I'll have a "Phuck Off Phorm" jacket too, thanks
one more thing...
they say that when America sneezes the world catches a cold, well it appears that the ISA's in the dear old US of A has a particularly nasty virus...
...now one thing the US does have is lawyers, lots of them, let's hope that they manage to set a precedent for protecting the privacy of everyone rather than profits for the ISP's.
If that happens, and the general public are able to (financially) hit back at their unscrupulous Internet Service Providers then the killing fields over here could see the bloated hulk that is BT further broken up and possibly even brought back under public control.
VIVA LA PRIVACY REVOLUTION!
There's a war on, it's your life they are selling, fight for it.
So, let's see if I get this right, even if you opt out your browser still talks to their server, they check if you're a refusenik and then decide not to track you.
So the setting is browser based, not connection based. I have to do it for every browser on every computer using the connection. Brilliant.
Even then I'm taking it on trust they're not tracking me because my browser is still checking with them before it goes where I point it.
And that slows down the whole net experience. Every time I start the browser, (or even every time I load up a page, depending on their implementation) it first goes to them.
Industry standard my a*se. Here's an idea, just don't mess with traffic from opted out connections. Or don't do it at all. I can't see a single person would opt in if they understood what was going on.
Mission creep in action
I notice that WOW! admit to not having a clue how the tracking techniques have changed since they agreed to deploy them. Just the sort of mission creep we've been saying will happen with Phorm.
Case proven I think.
Hold on a sec
(And this applies to Phorm, too)
If you opt out by setting a cookie (fair enough), how does that cookie get sent to the intercept server? Your browser won't send it unless it's communicating with the domain it belongs to, so the intercept machine will pick it up for sites which actually host the adverts, which means that Phorm, et al, must surely _always_ do the intercept?
..are just not good enough.
On various machines I have my browsers set up to delete all cookies on exit. Does this mean I have to actively opt-out every time I want to fire up a browser and visit a web-site?
The people behind these schemes are simply conniving and scheming to find the best way of ensnaring as many unsuspecting 'users' as possible while retaining the spurious ability to claim that they offer an opt-out.
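An added illustration, not part of any comment in this thread, of the browser behaviour the two comments above describe: a cookie is attached only to requests for the domain that set it, and a browser set to delete all cookies on exit loses its opt-out along with everything else. The host names and the cookie name "optout" are constructed placeholders, and the jar is a simplified model of RFC 6265 domain matching (no paths, no Secure flag).

```javascript
// Minimal model of a browser cookie jar. All hosts and cookie names below are
// constructed for illustration; they are not taken from any real ad system.
class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie. expires === null marks a session cookie.
  set({ name, value, domain, hostOnly = false, expires = null }) {
    domain = domain.toLowerCase().replace(/^\./, "");
    // A new cookie replaces an older one with the same name and domain.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain)
    );
    this.cookies.push({ name, value, domain, hostOnly, expires });
  }

  // RFC 6265 section 5.1.3: exact match, or a subdomain of the cookie domain.
  static domainMatch(host, cookie) {
    host = host.toLowerCase();
    if (host === cookie.domain) return true;
    if (cookie.hostOnly) return false;
    return host.endsWith("." + cookie.domain);
  }

  // Build the Cookie header the browser would attach to a request for url.
  headerFor(url, now = Date.now()) {
    const host = new URL(url).hostname;
    return this.cookies
      .filter((c) => c.expires === null || c.expires > now)
      .filter((c) => CookieJar.domainMatch(host, c))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // Default close drops session cookies only; deleteAll models the
  // "delete all cookies on exit" browser setting.
  closeBrowser({ deleteAll = false } = {}) {
    this.cookies = deleteAll
      ? []
      : this.cookies.filter((c) => c.expires !== null);
  }
}

function demo() {
  const jar = new CookieJar();
  const oneYear = Date.now() + 365 * 24 * 3600 * 1000;
  // Persistent opt-out cookie belonging to the (hypothetical) ad network.
  jar.set({ name: "optout", value: "1", domain: "adnetwork.example", expires: oneYear });
  // Ordinary session cookie from an unrelated site.
  jar.set({ name: "session", value: "abc", domain: "news.example" });

  const r = {
    // Sent: the request goes to the cookie's own domain.
    toAdNetwork: jar.headerFor("http://ads.adnetwork.example/banner"),
    // Not sent: a request to another site never carries the opt-out.
    toNewsSite: jar.headerFor("http://news.example/story"),
    toOtherSite: jar.headerFor("http://shop.example/"),
  };

  // A second browser on the same connection has its own, empty jar.
  r.otherBrowser = new CookieJar().headerFor("http://ads.adnetwork.example/banner");

  // Normal close: the persistent opt-out survives, the session cookie does not.
  jar.closeBrowser();
  r.afterCloseAdNetwork = jar.headerFor("http://ads.adnetwork.example/banner");
  r.afterCloseNewsSite = jar.headerFor("http://news.example/story");

  // "Delete all cookies on exit": the opt-out is gone until it is set again.
  jar.closeBrowser({ deleteAll: true });
  r.afterDeleteAll = jar.headerFor("http://ads.adnetwork.example/banner");
  return r;
}

console.log(demo());
```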
At least Demon Internet in the UK have no plans for using Phorm - at least for the time being..
"We are not using Phorm and currently have no plans to do so."
Mark Gracey - Content Regulation Manager, THUS plc
Only one avenue left...
... Start setting fire to exchanges.
Is Wow Part of BT
Does BT have shares in WOW as they seem to be doing the same thing.
industry standard c*ntyness.
Wonderful argument. "Everyone else in our industry (both of them) use the same sharp (and probably illegal) business practices as we do. So it's OK"
Or even more simply "This is an industry packed with c*nts, we also, are a pack of c*nts. Get over it already."
That sounds horribly familiar, these are the very same PR tactics deployed by our very own hapless would-be data pimp Kent "stop shorting my stock!" SpunkWeasel.
It's almost eerie, isn't it ?
<-- There is no icon to express to what I'm feeling just now, YMMV
BT & Phorm
Having been with BT since the first trials, I've never had a reason to look elsewhere, their broadband has been good enough and I've rarely had contention issues meaning fast(ish) connections and OK latency.
In January I was called by BT, much like a fair few other customers, and offered a reduction of £4 per month to stay. With no intention of leaving I accepted... Then the Phorm news broke.
I'd resigned myself to waiting until the T&C update when I'd get a chance to grumble at them and get out of the contract. Thankfully, I received an email on Sunday notifying me that my new contract (negotiated in January) was due to start next week. This meant I could still walk away :)
The first BT "retention" guy knew nothing about Phorm and was clearly not willing to believe that BT would do such a thing. 20 minutes later after taking the guy through articles here and elsewhere, including the Guardian as that was the only one of my sources he'd hear of. He then said a mangler would call me back yesterday with my MAC. Yesterday came & went.
Called back today and got another "retention" guy. Same story, he didn't really believe me so I gave him links again... He had a quick read and said "that's not your problem, it's only for commercial broadband". I disabused him of that idea. Then he came out with "all other ISPs monitor you anyway so what's the problem?"
He'd have spent ages trying to keep me until I asked him "Am I out of contract?" "yes" "well give me my MAC".
Goodbyeeee BT, hello Zen.
Phorm always does the intercept. The reason (see Richard Clayton's analysis at lightbluetouchpaper.org) is that even when it can't serve targeted advertising, it can still collect data on the browsing habits of the population as a whole, which it can then dredge to its heart's content and sell on ad infinitum.
But consider how potentially useful and/or lucrative it could be in an election to know what impact specific websites and blogs are having on opinion-forming. And how this might be useful for creating a more perfect illusion of democratic choice.
Opt-out cookies are not enough.
This calls for a firefox plugin
I am quite sure that there is a way to very effectively destroy the value of this 'product' by producing an equivalent to 'Track Me Not' for firefox and other competent browsers. Track Me Not runs in the background sending junk searches to Google to overwhelm their search logging data about you with junk, thus rendering it worthless.
Please Please Please, open sourcey folks knock us up a Firefox plugin that spews carefully constructed disinformation to these systems and fills their databases up with worthless rubbish. You never know, if enough people install it the capacity of these systems to record and store could be exceeded in some sort of DoS event, now wouldn't that be a shame....
Re:Game over then
As long as you use a simple news reader, news is still fine.
First rule of u***** is don't talk about u*****.
That's exactly the reason why something like Phorm is so loathed.
Targeted adverts are (to me, and I believe most people) totally irrelevant to the issue. I don't care if the adverts are random or all are based on me being a sad techy nerd.
However, all of my data going through a pimp's machine, a pimp who has lied constantly about their product, is another matter. We have been lied to repeatedly, and are still expected to believe that they won't profile the data anyway or do anything else with it.
The ISP Trojan Horse
Doesn't this resemble Jim Carrey's Batman character? "I'm sucking everyone's data". Cue maniacal laugh.
I really hope all the ISPs involved get in big trouble for this, who thought it was a good idea?
...and scumbags who need to read an effing dictionary at that - "which is not the number we use internally to identify the user anonymously"? If you "identify the user", even with a reference number, then they are no longer "anonymous", you retard.
Opt out is insufficient anyway, even if it were on a per connection basis rather than the phoney opt-out discussed here that's dependent upon each machine on a connection opting out and STILL sends your traffic to NebuAd, just like Phorm want to do here. If they want people to accept this, then it must be explicitly opt-in - and by explicit I mean they tell you what they are doing, ask for your informed consent, and if you don't give it, they LEAVE YOUR CONNECTION AND TRAFFIC THE FUCK ALONE. Of course, the lying thieving rat-bastard scumbags who run operations like Phorm and NebuAd know that if they ever DID seek such consent, they'd be told to fuck off and die. That's why they have to build their "business" upon deceit, evasions and outright lies.
I swear, the only thing less edifying than the spectacle of watching these fucking parasites weasel their way out of giving straight answers or lie when they DO answer is watching the supine ineffectuality of our own government who forced that abortion known as RIPA onto us, told us it was for our own good, and then when confronted with a clear and inarguable breach of it by Phorm and BT, a clear opportunity for them to actually use it to PROTECT THE PEOPLE THAT THEY FOISTED IT ON, the people that they said it was there to defend, respond with a "couldn't give a monkey's" shrug and a "not my department, mate".
PHUCK 'EM ALL, the Cretinous Useless Negligible Tossers!
I may be alone in this, but I don't think I've ever clicked on an ad that I wasn't incentivised for clicking...
It doesn't matter how targeted they are, if I'm on the web and suddenly see an ad for a new joystick, even if I was thinking of getting a joystick, I'm not going to click on the ad. Before purchasing anything online, I google it, check reviews for various options, compare prices, etc. With all this information here, why would anyone impulse buy, and yet that is what the ads are trying to encourage.
I may have clicked on information based ads - but only if they weren't clearly labelled. The companies placing ads presumably want us to spend our money with them - and in my case at least, it's not gonna happen.
But then, there must be some people who do follow ads and buy anything they see. They're probably the same people who make it worthwhile for spammers to send billions of emails out - someone must be buying the product. What we should really do is find these people and ban them from the web...
@ The Cube - Firefox
It's been done.
The Dephormation Add On ensures that your decision to permanently opt out of Phorm profiling cannot be undone in Firefox.
Why you should be concerned about Kent Ertugrul and Phorm
Optionally, the Add On can also alert you to sites using Phorm/ Webwise/ OIX profile based advertising.
With each page you view in your browser, a Phorm 'opt out' cookie is set automatically, and the Phorm UID cookie is randomised. Even if you delete all your cookies regularly.
Note that Dephormation cannot protect a wide range of popular desktop applications like iTunes, Google Earth, other browsers such as Lynx and Internet Explorer, instant messaging applications, remote desktop tools, Microsoft Office, Open Office, RSS/ATOM feed readers, or external images embedded in HTML email.
Blacklist their cookie domains
Hopefully someone like SpyBot will start adding these surreptitious tracking cookie domains to their blacklists.
Third Party Cookies
So it looks like this service uses 3rd party cookies to opt you out. I block those to /avoid/ some of those services which profile browsing, but now it seems that one would have to enable them (and profiling) to opt out of the ISP type snooping.
Really looking forward to a colo so I can vpn all my internet traffic to a datacenter - I imagine that one of those could actually lose customers if they implemented something this backwards and wrong.
Re:The Cube - Firefox
I think what The Cube was angling for was something a little more sophisticated than randomly scrambling the Phorm UID cookie. Phorm will be able to pick that up.
A background application that identifies itself as a Phormable browser (IE, Firefox) and, indeed, behaves like one, honouring cookies, redirects, etc, performing non-random, but misdirecting searches would do the trick nicely if it was used by a large number of phormed users and was capable of self co-ordination (via IRC or P2P, maybe).
Phorm would log a lot of interest for subjects and items that, in reality, nobody is really interested in. This would vastly degrade the value of the data they sell and make them a much less attractive proposition.
Not sure of the legality of doing this, but I can't see a problem with running a bot on my own machine that does automated searches on my behalf. It's really Phorm's own stupid fault for snooping in the first place.
Ha ha ha
Let's see, who's the real sucker in this scam?
Customers? No, they're having this intrusive snooping involuntarily foisted on them.
The ISP's? Prolly no; I think (but am not sure) that Phorm et cie pay the ISP's.
Who else <thinks> Aha! It's the advertisers, who as usual have swallowed the marketers' lies hook, line, and sinker.
Guess what? Targeted ads are not effective advertising. I hope some business that contracted with Phorm holds them to their lying promises and sues the pants off Phorm when this whole snoopathon turns out to have no effect on sales.
Incidentally, while I'm on a roll, here's something amusing: google "sumerian cuneiform" (no quotes) and take a look at the amusing ads offering best prices on cuneiform that pop up on the results page. Ha ha ha. So much for targeted ads!
GET YOUR MAC NUMBER IMMEDIATELY AND GO...
I also scrapped BT 4 weeks ago over these hacking issues and got out of the £300 penalty for the remaining 12 months. Now with Zen for the same price and they are absolutely brilliant.
My advice to everyone is 'scrap Bt' over these same hacking issues and find a good user friendly ISP like Zen, you will not regret it and you won't believe how easy it is.. Once you get the Mac code Zen can set up your new account in less than 5 minutes. You can still access your Bt emails after the change over a few days later.
Having left Bt doesn't mean the war is over between us because I can assure you I'm still attacking them for their injustices. I have lodged all my complaints from MP to The Lords about this scam and I have been busy blocking Bt- Webwise- Phorm-Oix cookies on loads of public computers that I get access to. In fact I will assist anyone and everyone in this country to block all these spyware cookies free of charge until this government starts implementing the law as it is written.
I use session-only cookies, yet...
....recently, I've noticed Amazon are recommending stuff that I've only searched for on ebay.
I thought I was imagining it (or I'd searched Amazon in the same session) until a couple of friends described the same experience.
Seems to me that some companies are trawling cookies for useful marketing data.
what Phorm does
according to the leaked presentation, Phorm is also meant to only detect your opt-out after it gets to their server. ofc. if they then USED that data, even to collect nationwide info, they'd be in deep doo-doo (so Luther Blisset's assertion is wrong)
however, as has been pointed out, that isn't really the point. I don't want my data passing through their hands even if they cross-their-heart-hope-to-die promise not to look at it. Without bothering to look up which ISP of the 3 mentioned has done it, I believe Carphone Warehouse, as well as making their system opt-in, have been scrambling around redesigning the flow of data so that the opt-in/out cookie is read before the data is redirected to the profiler.
I'm on Virgin; I don't have a clue what they've decided to do yet because apart from a half-step away from Phorm ("we're very strongly considering it" as opposed to Phorm's "they're implementing it") nowt has been said yet. If it _does_ come in I'll be moving ISPs sharpish
Wiretapping, by any name is still...
Wiretapping. ANY packet inspection for the purposes other than routing is wiretapping. Yes, you can tap "yourself" to turn off nasty web pages you don't want, but that is at the origin (or destination).
When will someone say it is like having a speech recognition program "listen" to your phone line to "target" advertising to you. If it smells like wiretapping, it probably is!
Get the local district attorney to prosecute them on wiretapping charges. Where is Eliot Spitzer when you need him (groan!).
Re: I use session-only cookies, yet...
Yes (other) AC, since this Phorm thing started I've been keeping an eye on what ads I'm served too - since ultimately this is the only failsafe way to tell if you're being tracked. Occasionally I've been turning Adblock Plus off just to see what I get. Needless to say I use only session cookies and also, of late, run TrackMeNot. I also clear all cookies before doing a test.
My conclusion? There seems to be a certain amount of data sharing going on that's not being admitted to. The most notable was visiting the Channel 4 news site and being served an ad directed at a very narrow age group, in which I happen to fall. Impossible to be certain, of course (could just be chance) but the only thing Channel 4 had to go on was my IP address (all cookies cleared beforehand) so it's possible someone might be selling information that links IP addresses to age bands at least, and maybe more.
So where could the info come from? It'd either have to be a site with a business relationship with me, or a data aggregator with a fairly good profile on me who's able to link my IP address to my profile from other sites I've visited recently.
BTW, I went away recently and had a new IP address when I returned. Since then, there have been no targeted ads that I've noticed. I'm watching for when they return and hope this may reveal where the leak is.
Possibly I'm being paranoid, but given what we've heard recently would anyone really be surprised if this sort of thing was rife? If someone wants an interesting research project, a tool to do a statistical test on whether the ads you're receiving are "random" or "targeted" would, IMHO, be of increasing value in the years to come. It's the only objective way to test if all these opt-out promises are being kept. Doing this by hand is hard work and clearly error prone.
"An opt-out flag in a cookie is the industry-standard way of signaling to the system not to track this user."
A pretty crap way of doing it then, given that the sort of person who wants to opt out probably doesn't want any cookie on their machine at all. I think this is what will eventually get the UK side of things - I do not give them permission to store their cookies on my computer and I do not give them permission to eavesdrop on my data. Therefore they have to come up with some other solution in order to remain within the law.
I think Luther Blisset has hit the nail on the head.....
as far as regulatory and parliamentary interest (at least in the UK) is concerned. Full Control of the internet isn't important if you can reliably guesstimate what effect an announcement or process can have. Periodic testing and sampling in a real mass market is better than all the focus groups.
The last thing the state wants is for this process to be removed or made illegal so they definitely will not stop it until they find a better way.
BBC has an article
"Security firms scrutinise Phorm" (see http://news.bbc.co.uk/1/hi/technology/7359024.stm) in which a Phorm spokesman made the following delightful comment:
"He added that any company that blocked the Phorm cookie could consider blocking cookies from other ad-serving companies, such as Google, which gave users no choice to avoid being shown targeted ads."
I don't think he fully understands :-)
Re: BBC has an article
"He added that any company that blocked the Phorm cookie could consider blocking cookies from other ad-serving companies, such as Google, which gave users no choice to avoid being shown targeted ads."
You're right, he wants everyone to be a fool so that he can get rich.
I have been blocking g-cookies, tracking cookies, ad cookies, etc through my hosts file for about 3 or 4 years now which is why some clever fool coming up with data stream injection really p********s me off. Before that I deleted cookies regularly. It is so wonderful having browsers that do all this cleaning automatically now.
"The last thing the state wants is for this process to be removed or made illegal so they definitely will not stop it until they find a better way."
Hmm, must have been reading the Reg in January,
"Let me be clear. The internet is not a no-go area for Government." - Jacqui Smith
Another organisation that discovers best practice recommendations only after the event?
Implied consent, is this real?
Deaf rapist set free today even though the victim was screaming 'NO NO NO'..
This new term 'implied consent' is like a licence to kill..
"industry-standard" does not law make, or make it legal for that matter...
"When we asked NebuAd about its opt-out cookie, the company called it an "industry-standard mechanism."
"Once a user opts out, the user’s surfing habits are no longer being observed by NebuAd," the company told us. "Once a user opts out, NebuAd removes the history on the user and will ignore the user's subsequent surfing habits. An opt-out flag in a cookie is the industry-standard way of signaling to the system not to track this user."
Don't the US and Canada have laws covering this? Unlawful storing or reading of cookies without consent.
It's clear as day, the UK and EU does have these laws, and all these ex spyware/new age ad vendor networks springing up using layer7 kit in unlawful ways to intercept all your copyrighted datastreams and collecting and then processing of your potential personally identifiable datastreams to later anonymise exists to stop exactly this so called "industry practice"
Again I ask, what's the score in the US and Canada? Don't you care they are commercially pirating your property for their own commercial gain?
If it's music property, people care, why don't you care about your property...
@ First rule of U...
Made me properly LOL, thanks for making my morning :-).
@ Nick Palmer: Hear hear, you said really succinctly what I'm thinking.
@ guy who said...
>At least Demon Internet in the UK have no plans for using Phorm - at least for the time being..<
Do Demon offer access to NNTP? I seem to recall the name from my earliest days on the 'net, when they argued with the government about controlling access to various dot alt groups. They refused to self censor though Telewest, aka Blueyonder, now Virgin Media folded immediately - rather like their three strikes and out policy over p2p they've agreed to implement.
Funnily enough I was reading thru' bits of BT's T&C (they should make them illegal, it's like trying to read the most boring book in the multiverse), but they seem to have no problems with customers on p2p, just that their speed might/would be throttled during peak hours, which, with p2p doesn't really matter that much. Shame they're getting in bed with Phorm.
@ Nick Palmer
<I swear, the only thing less edifying than the spectacle of watching these fucking parasites weasel their way out of giving straight answers or lie when they DO answer is watching the supine ineffectuality of our own government who forced that abortion known as RIPA onto us, told us it was for our own good, and then when confronted with a clear and inarguable breach of it by Phorm and BT, a clear opportunity for them to actually use it to PROTECT THE PEOPLE THAT THEY FOISTED IT ON, the people that they said it was there to defend, respond with a "couldn't give a monkey's" shrug and a "not my department, mate".>
Actually, they intended to call it RIPOFF, but as usual the NuLabour control-freaks balked at any suggestion of honesty when dealing with the British public. Now that they are preoccupied with shovelling billions of our tax money down the corporate maw of the banking industry in order to prop up their shitty free-market economic policy we might as well get used to the idea that issues such as Phorm spying technology will be conveniently forgotten. Unless...........
Cookies emanating from organizations like Phorm will henceforth be known as Spookies or more appropriately, Brownies. Just to remind the bastards.
don't forget the petition
the petition is at http://petitions.pm.gov.uk/ispphorm/
it now has over 12,000 signatures in just over 6 weeks
it is now at number 6 in the table due to number of signatures, and will be number 4 shortly when 2 others above it end in the next few weeks
I like cookies.....especially with chocolate chips......Does the opt-out cookie come with macadamia nuts?
BT's intended trial...
seems to be slipping further and further away now, I wonder if the fact that they were planning on 'inviting' 10,000 to experience having their data pimped has seemed like a negative option now that over 12,000 have independently petitioned the government without a forced redirect of their browser to
(sign it if you haven't already!)
**** STOP THE PRESS ****
that is, as they say, MINT.
DO. NOT. WANT.
HANDS OFF MY LAYER 7!
did you see this sat in your Uk offices waiting NebuAd
3 criminal charges pending if they continue..
FIPR want the Home Office to withdraw informal advice they issued in February, which FIPR say wrongly concluded the system is lawful, creating “an obstacle to the just enforcement of the law”.
If I ever get hold of Kent Ertugrul I'll be facing criminal charges...
Attention ISP's in UK - You might go to jail
Phorm and VirginMedia
VM is, temporarily, my ISP and I emailed them on 26th April asking for their position on Phorm as I had seen no comment on their web pages. They are obviously off the fence now because their reply confirms that they will be using Phorm-Webwise to enhance my browsing experience and keep me safer on the Internet unquote. They posted a link www.virginmedia.com/customers/webwise.php that I have not looked at yet. Next, I telephoned them to obtain my MAC code and was told that, due to an upgrade presently going on in my area (Norwich, Norfolk) they could not access my account details. Seems a letter was sent 'last week sometime' advising the nature of this upgrade. I can only assume it will have details of Webwise with new Terms and Conditions for me to accept. I have emailed for my MAC code since.