Facebook's privacy chief today urged customers of BT, Carphone Warehouse and Virgin Media who are unhappy about their ISP's plans to work with Phorm in monitoring and profiling web use to "make their feelings known". Chris Kelly was speaking at the e-Crime Congress in London this morning. Asked for a response to the open letter …
Does Chris Kelly understand?
I wonder if Facebook understood the question asked them by ORG?
Chris Kelly doesn't seem to understand what his users are asking. They want to know what steps FACEBOOK might take to prevent Webwise/Phorm from scraping the Facebook content (including the private Friends pages which Webwise will be profiling and snooping on).
Of course we would rather that the ISP's didn't deploy Phorm/Webwise, and we would rather Webwise had the courtesy to ASK websites for active informed consent BEFORE crawling all over their intellectual property and private information - but there is action that these very large sites can take - they can make their feelings known. They can indicate what THEY think about Webwise visiting their sites, stealing their private data, and commercially exploiting their commercial property, and that of their customers.
Mr Kelly - if BT roll out Webwise, there will be over 4 million Webwise infested customers out there on the internet, and when they come to Facebook, and look at their private Friends pages, with perhaps YOUR private data on, Webwise will come with them, copying, scraping, profiling, and summarising. Whether you like it or not. What are you going to do to protect YOUR customers? Don't just leave it to the ISPs. That's been the problem with this whole DPI interception business - no one seems willing to take a stand to enforce the law, or to protect privacy. Not the government, not the ISPA, not the IAB, not OFCOM, not the ICO, not the IPO, not the police. What about Facebook? How will you use YOUR power and influence? Your customers will make their feelings known, but what about YOU?
How do I get my domain added to Phorm's list of traffic it will not intercept?
Phorm and the IAB
Quote: "Yesterday Phorm said it was signed up to the same industry-written good practice principles as the recipients of the Open Rights Group's letter. The firm's CEO Kent Ertugrul recently branded opposition to its technology "neo-Luddite retrenchment"."
Can we hold Phorm to those principles, i.e. only collecting surfing data off Phorm's own domains and only off their own OIX-publisher partner websites?
I don't see anyone objecting to Phorm running its OIX businesses (although its earlier connections with rootkits being downloaded as part of its ad network does raise some questions about ethics and trust).
What everyone does object to is snooping via deep packet inspection systems and collecting data off non OIX-partner sites, collecting commercially sensitive data about site visitors and using some other business's data to sell advertising real estate on OIX-partner sites.
FaceBooks' Chris Kelly seems to be missing the point entirely if he thinks that customers complaining to ISPs or opting out of having relevant adverts displayed in any way protects the content of FaceBook members who may not even know anything about the UK ISP systems and their desire to snoop on every web page via DPI systems.
Phorm should be asking FaceBook members (not visitors to FaceBook) if Phorm can use their content, including personal details, during the profiling process. And FaceBook should be helping to spread awareness amongst its members.
Or, FaceBook should just protect the copyright and privacy of its members and tell Phorm to stay out of FaceBook.
Having Phorm snooping on all the personal content held on FaceBook is enough to put FaceBook out of business if members no longer have any confidence in the privacy of their data.
Here's an idea...
How about websites employ some sort of proper encryption on the data they transmit, using something like PGP. Users concerned about their privacy can upload their public key to the likes of facebook for instance and all data is encrypted prior to being sent. A plug-in/addon for the browser then takes care of the decryption at the user end (hopefully) resulting in the user never noticing. Yes, I admit it would put extra load on the servers but I guess that its only text that Phorm intercepts (not analysing images) so it wouldn't be too bad. Besides it would only be a temporary measure until the likes of Phorm and their ilk are put out of business.
Of course websites would need some way of knowing if others AREN'T using encryption and would not allow them (even your friends) to access your page and inadvertantly hand Phorm your information.
Anyone got any thoughts?
To prevent interception/snooping
(If you believe Phorm's description of how they work) just turn on HTTPS and turn off HTTP. Completely. Encrypt everything. You probably should anyway, you know. There are all sorts of problems with unencrypted connections. The worst are those hypocritical sites which ask for an e-mail and password over HTTP and still claim to respect your privacy/security.
Maybe Facebook wants to use Phorm?
One reason they might be very reluctant to actually come out and say it's bad is simply that one day they hope to utilise the Phorm data for advertising purposes, but currently they're in too much hot water elsewhere to actually publically admit it...?
With regards scraping the data - that is an interesting point as most of the focus so far seems to have been on picking out the URLs you visit and profiling you based on that rather than analysing the actual content. The latter could be a lot harder as they need to filter out only port 80 packets (generally), and then try to fit them together in a useful way.
Curious point on the encryption, but virtually impossible to implement since you'd block out the majority of your users without them understanding or caring why. No commercial web site is going to want to do this.
Once and for all: The Luddites were right!
Mine's the one with the history book in the pocket...
I agree with Steven Knox. For a website with so much personal information like Facebook, the only thing going over plain HTTP should be a 301 redirect to the HTTPS site, for many many different reasons, not least Phorm.
"Curious point on the encryption, but virtually impossible to implement since you'd block out the majority of your users without them understanding or caring why. No commercial web site is going to want to do this."
I think you and AC are overlooking simple SSL.
But the real answer is to make anything like Phorm opt-in only. But I don't see that happening because the people with the power to do that are the same people who want to spy on us themselves.
Surely it is in Facebooks own interest to protect their users' data...
...from being exploited by Phorm?
I mean if you run a site like Facebook, that is gifted all that valuable data about its users, surely you'd want to cash in on it yourself, and not allow some jumped up upstart of a company to copy and process it and use it to target advertising at your users when you could be doing that yourself?
I can't see why any site owner would be happy to share visitor data in this way unless they are being paid a fee by Phorm.
According to the law
Phorm's "product" should be opt-in only. I'm still waiting for Phorm to publish the legal advice it claims to have received saying that it's "product" is legal. Drop by https://nodpi.org and see just what Phorm do when people repeat information about them that is already in the public domain.
Hey Kent, I'm a techie. I'm not a Luddite but I am a believer in the right to an individual's privacy. You seem not to be. I don't want you, your company or anyone poking their nose into my private affairs.
Creatures who feed off others are called parasites. If I'm a Luddite in your view then in my view you are a parasite.
Why should Facebook speak out against Phorm...
...when they're just as guilty when it comes to targeted advertising? I'm almost tempted to go and remove my hobbies and interests, just so they don't invade my privacy by suggesting I may want to buy things related to those hobbies and interests.
@Jon Brunson Posted Tuesday 24th March 2009 13:55 GMT
> How do I get my domain added to Phorm's list of traffic it will not intercept?
Email: email@example.com - that's BT's implementation but it _should_ update the Phorm exclusion list to exclude your domain.
If you really want to kill it get EVERYONE to email that address and opt-out with every domain they control - Phorm will have no data to profile and the whole thing will implode.
> I can't see why any site owner would be happy to share visitor data in this way unless they are being paid a fee by Phorm.
Isn't phorm opt out?
so rather than making a big fuss about specific domains being targetted, why don't those who don't want their traffic monitored go ahead and ask the ISP not to monitor them...
yes, I agree that the scheme should be opt in rather than out...
but what is the point of people writting to facebook saying, make sure they don't capture my habits whilst I'm on your site, if everywhere else they go their surfing habbits are recorded.
it's not for domain owners to take responsibility for their users, if the individual users don't want to be a part of phorm they should opt themselves out.
It strikes me that what will kill Phorm is money. Or, to be more precise, lack of money in the right hands. AC @ 25th March 2009 00:47 GMT's remark, quoted by AC @ 25th March 2009 13:16 GMT hits the nail on the head.
The monetary risks of commercial transactions being snooped by Phorm may jam yet another stick in the spokes of Ertugul's wheels.
And why is it that when I read what Ertugul has to say, I have this funny sense of deja vu? Just like I'm reading the distortions and question-dodgings of some NuLiar mouthpiece?
phorm is pants
BT should kiss all there customers, its customary to get a kiss when being shafted.
Phorm gives me a bad case of tourettes.
@DR: Isn't phorm opt out?
I think the complaint facebook users are making is that, even though they may not themselves be with an ISP that uses Phorm , if a single one of their Facebook friends' connections is being monitored by Phorm, then all of their personal information that friend accesses will also be intercepted and processed by Phorm's system.
Phorm will even get to process password protected areas too (phorm only respects the privacy of passwords protected areas of sites where they use the outmoded basic htttp authentication, which practically zero web sites use) unless the site uses full encryption.
@DR: Isn't phorm opt out?
Apparently phorm will only be legal if it is opt-in after being given full and clear details about what it does.
All that aside, the opt out option that is being touted only means they don't push ads based on whatever you have been looking at, they still suck up all your browsing habits and profile you. You have to wonder why they would do that if you have opted out and won't be taking advantage of their targeted advertising. They must be profiling you for another reason.
The space to block...
188.8.131.52/22 <-- phorms ip space. I've already added this to all the sites I maintain. I do not wish to have users of my sites profiled in this way.
Regardless of how it's dressed up, I will never want to see adverts online or on my mobile phone. I go to great lengths to achieve this. Why do these people think everyone hates spam and have filters to get rid of it?
Expect to see their address space added to Peerguardian too if it's not already.
Paris. Because even she has a clue as to whether people want their browsing to be profiled online for someone elses profit or not.
- Review This is why we CAN have nice things: Samsung Galaxy Alpha
- Hey, YouTube lovers! How about you pay us, we start paying for STUFF? - Google
- MEN: For pity's sake SLEEP with LOTS of WOMEN - and avoid Prostate Cancer
- Vid BONFIRE of the MEGA-BUCKS: $200m+ BURNED in SECONDS in Antares launch blast
- Tim Cook: The classic iPod HAD to DIE, and this is WHY