More than ten million customers of the UK's three largest ISPs will have their browsing habits sold to a company with roots in the murky world of spyware. The deal has sparked fears over privacy, but today Phorm, the firm behind the new advertising system, strongly rejected such concerns. BT, Virgin Media, and Carphone …
After talking to BT ...
I've had a look at the Q & A, this one caught my eye:
I didn't switch on this service. Why do I have to switch it off?
We believe BT Webwise is an important improvement to your online experience — giving you better protection against online fraud and giving you more relevant advertising.
We realise that you may not want to use the free service, so we've made it quick and easy to switch on and off. [X]
From a legal point of view, shouldn't the default be "Opted out", or is it because it's (supposedly) synonymous with security that they can turn it on by default?
Also, they seem very keen on solely using cookies to remember whether Webwise is switched on or off, which probably means that the moment you clear your cookies it'll be switched on (for your security of course).
"With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company,"
Delaware and Florida are both extremely corporate-friendly and consumer hostile. I will not do business with incorporation in either State; in the event of a dispute, I know in advance that the courts will side with the corporation.
Tracert I have an explanation for...
Ahh, now I see, it's that DNS pointing to a server in China:
www.oix.com 188.8.131.52, Fasthosts, Gloucester
BUT oix.com 184.108.40.206, China
The tracert fails because the Chinese server just does not route properly. Their DNS:
oix.com IN A 220.127.116.11 172800s (2d)
oix.com IN NS ns1.phorm.com 172800s (2d)
oix.com IN NS ns2.phorm.com 172800s (2d)
So why would they have an A record to a Chinese server in that domain? Perhaps it is an innocent carry-over from a previous owner? Let's see, perhaps a previous owner was a Chinese company:
Wayback Machine says it was owned by a Canadian link page in Oshawa, ON (later Interlinks, last May 16th 2007).
So does the oix.com domain, so I assume it was correct when it was owned by that links page, since it resolves to the same server.
GET. TOR. NOW.
Never mind conspiracy stuff, black-hat-hacking, whistle-blowers and victims of oppressive regimes - *this* is all it takes to make my mind up for me: The network's good enough nowadays; I'm switching to Tor for *all* my browsing as a matter of routine. I don't need perfect security that will protect me from the CIA, I'm not actually engaged in terrorism, but for the lower-grade requirement of "Stop my nosy bastard ISP snooping all my traffic", Tor is *perfect*.
Virgin, you utter scum. This is not like having a transparent web proxy that forwards my requests without examination or alteration. This is an ILLEGAL WIRETAP; it is *no* different at all from listening in to all my phone conversations to see what I'm talking about, and the fact that you're only doing it so you can tell advertisers the content of my conversations is no excuse.
I'm off to research the wiretap and telecoms carrier laws, then I'm going to report them to the police.
I know absolutely nothing about it.
Just rang the Virgin Media call centre. The rep knew 'nothing about it'. He checked his intranet, nothing there, so I directed him to this article. He seemed surprised, and said he'd pass it on to his 'customer liaison officer', or the like.
We'll see what a call in a few days yields...
Black hat not black helicopter
The more you dig the more it looks like black hat rather than black helicopter.
Surely the ads currently benefit the websites - in many cases keeping them in existence for the benefit of anyone that wants to use them (for cheap or free)? If the ads are being provided by the ISP instead (which we already pay for), how long before the websites' revenue starts drying up and we either lose content or pay more for it? That benefits us *how* exactly?
(On a side note, what's the betting that the first site to get forced adverts is BBC iPlayer?)
Open Internet Alliance is a discarded attempt before OIX as the logo is similar and they host the records.
Sysip is interesting; it is the same premise as Phorm: they tracked queries with a userid and cookie, then served ads through a hidden iframe back to the user and redirected. This was part of the 121media spyware.
Um, people ARE aware that Firefox does this already, aren't they?
Um, are people aware that *every* page browsed by Firefox users is sent to Google first? :(
It's for validation that the page is not spyware/forgery/etc, before the page actually gets loaded by the browser.
There is a setting in Firefox that is supposed to disable this (Edit -> Preferences -> Tell me if the site I'm visiting is a suspected forgery), but even if turned off this doesn't actually stop it happening.
Check your firewall logs for connections to sb.google.com. Then try and disable it. They still occur. :-/
It's the spying
Ads can be blocked. However even if you opt out your webpages are still going through their system and looked at.
You're missing the point, they can't sell your data if you remove that right today.
It seems everyone's getting all wound up on how to not see these adverts.
You're missing the point, they can't sell your data if you remove that right.
It's not about receiving or not the adverts, it's about the three ISPs knowing full well they can't release your Data Protection Act covered personal data; it's already clear that the IP you're given is your personal data.
Somewhere in your T&C, email or whatever, the ISPs have to ask for your permission to process, export and whatever else they wish to do with that personal data.
The simple answer is to fill in a generic UK DPA request that removes the ISP's right to export, sell, or otherwise process your data to the 3rd party or outside the very limited scope of supplying your broadband connection and billing for the service.
Anyone with a legal background from http://www.consumeractiongroup.co.uk/forum/broadband-other-internet-issues/
or any other legal reader here up for writing that generic DPA rights letter and posting it here or elsewhere, so the affected readership can simply print it out and send it to their ISP's Data Protection registrar/Officer by registered post for legal proof later?
Would they sell lists of the phone numbers that you have called?
Is this really any different?
Re: people ARE aware that Firefox...
Not quite. First of all, the option you're describing is located under Tools->Options (Security tab) for FF under Windows (maybe you use a Mac or Linux?). If you look at the panel controlling this feature, you'll see below the "Tell me if the site I'm visiting is a suspected forgery" checkbox, there are two option buttons. The first one (which is selected by default) is "Check using a downloaded list of suspected sites", and the second one, which you have to select, is "Check by asking Google for each site I visit".
If you have the first option selected, which most people will have, nothing is sent to Google. That only happens if you actually select the second option. And I've just tested and verified this on our firewall logs. So - nice try at spreading a bit of anti-FF FUD, but no dice.
Do our contracts allow this?
Do our contracts allow ISPs to sell data to third-parties? Surely we're paying for a connection, and any details about our activity, whether anonymised or not, should be covered under Data Protection and not shared, sold or given away without our permission.
And what royalty payment are the ISPs planning on giving us? Obviously, no reduction in fee, no payment, just more money for themselves.
Against EU Rules?
Weren't the EU just last week telling search engines they are not allowed to retain search histories with IP data? How is this any different? I think we need an Early Day Motion to prevent this from happening, anyone chummy with an MP?
Virgin might meet the men in black
Mm, Virgin might need to rethink how it applies this to business users, as the majority of local government authorities use Virgin business for nice fibre and big phat pipe connections.
It is illegal for any unauthorised outside body to monitor any form of communication by any means; although they would not be able to pin it down to any specific users, I am sure MSPs, MPs, MEPs, Councillors and Ministers will all be happy to share their browsing habits with Virgin.
GIVE IT BACK
Give the interweb back to us geeks. I remember many years ago when the interweb was new that none of this crap really existed, unless you were in the really dark bowels of the net. But now, thanks to government and the money grabbing halfwit dumbass ISPs, the tweb is open to all the 819'ers and other crims. Yay, well done for inventing cyber crime, you prats.
Paris has more brains than the plonkers running the interweb. And nicer boobs.
"He said Privacy International had given the technology the thumbs-up."
Has anyone actually asked PI about this? Not that I would doubt the word of an ex-adware peddler.
It seems that every day there's another gormless corporation that wants to tap into "new money" and make a profit where there's nothing really to sell out but people's security.
It wouldn't be so bad if you could really be assured that it's just marketing information being gathered but how can you trust a company that has a history of spamming?
I realise that it's part of the "modern" world that everyone wants to make money from nothing, but it's getting beyond a joke. Our lives are already dictated by people who gamble on a fictitious value of what a company or commodity is worth, but to sell something as nebulous as information is just crazy...
It's all a big con game anyway.
Internet advertising revenue, I mean. The sooner the advertising space purchasers realise this, the sooner the Net can start to find a way of funding itself.
Where does this all stop?
If they manage to get away with this, which protocol will be next? Could it be SMTP?! After all, it’s normal to scan incoming and outgoing email to stop spam and viruses. They could add to your ‘anonymous’ profile by using all the keywords spotted there.
@ Not much of a problem...
You're missing the point: you can block the adverts, but that isn't going to stop every URL you visit and every keyword you google from being sent to a third party, widening your exposure and IMHO contravening data protection law. Your argument is akin to saying it's okay to use a shonky net cafe to log into your online bank if you close your eyes as you type in the password!
This data is NOT anonymous, well certainly not for everyone; my URL history would identify me in a jiffy. And the idiots trotting out the unthinkably banal and clichéd "if you've got nothing to hide" argument need to start thinking - there are several things YOU DO WANT hidden, such as PIN numbers, passwords and your email address.
Honestly, it's not just giving one more company access to your data, it's giving anyone who advertises through them access to your browser, and in a world where you can get owned by a malformed JPG or Flash file I don't want these people being able to target my computer by keyword. What if the keywords they use are crafted to find vulnerabilities?
Sadly I live in a shared house and the BT broadband isn't in my name, and even if it was I strongly suspect they won't let you cancel your contract over this. I feel like I'm getting F'd in the A here :-[
"sux the ass end of a donkey"
"Phorm says an opt-out could work by accepting a cookie from its website"
So, having their merde on your PC in some form is opting out, huh? It seems I have gone to another planet.
And Telewest (errr Virgin Media) can sux the ass end of a donkey if they think I will stay with them should they go ahead.
(I am an 8+ year vet of Telewest/Virgin).
Is it a big issue? Hell, I have not bought games I like because they collect ad info from me. Trust is earned, the hard way, and none have even tried to start earning it yet.
I want a new icon at the bottom of the comment editing bar, one with a middle finger, the sad face is not enough.
I'll ask around..
Cos I work for one of the aforementioned ISPs.
And yes, this is the first I've heard too.
A-feckin-stounding what some of the asshats will do if you're not looking..
anonymous? damn straight!
It is much worse than you seem to realise....
The entire content of every web page you retrieve will be sent by your ISP to Phorm's servers along with your IP address. This includes the text of any webmail you may use - Hotmail, Gmail, etc; forums you may browse, Facebook, chat, etc etc. and there is nothing you can practically do to stop it. All safeguards over how this data is processed and/or stored and/or sold on are entirely voluntary by Phorm and could easily be changed at any time. The 'opt-out cookie' is simply a tag asking Phorm not to do anything with the data it has received; again, it is entirely up to them how they respond to it. How greedy are the ISPs in their obscene haste to jump at this? How murky is it that its implementation is being camouflaged with the worthless 'Webwise' offer? And how stupid are we to let them get away with it, as regrettably they will...
Where are the Phorm adverts
"Where are the Phorm adverts?? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue?? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't)."
Businesses sign up with OIX.com to participate and have their advertising space 'tweaked' by Phorm. So they don't replace non-participants' ads (not too popular!) nor do they include additional ads. Some major, apparently respectable, companies are already signed up with OIX, for example FT.com. Over at the Motley Fool there are numerous threads with eager investors licking their lips....
This is just like the post office opening all your letters ...
... and adding some junk mail leaflets based on what they read. Hmm, now why didn't I think of that first?
estimate of $45 billion for Internet advertising,
They have seen the US reports and expect it to be the same growth here, perhaps.
"Internet Advertising: Up 25%
TechCrunch notes that the Interactive Advertising Bureau has a preliminary estimate of $21.1 billion for U.S. Internet ads in 2007, a 25 percent increase over 2006.
Meanwhile, the Kelsey Group puts U.S. Internet advertising at $22.5 billion for 2007 (IDC, as previously reported by TechCrunch, is at the high end with $25.5 billion).
The Kelsey Group also provides a global estimate of $45 billion for Internet advertising, which is 7.4 percent of the total $600 billion global advertising market.
The Information Commissioner's Office 01625 545 745
Spoke to The Information Commissioner's Office - http://www.ico.gov.uk/ and they say they are 'looking into it'. You can ring them on 01625 545 745, so at least the powers that be are aware of current events.
So until this story fully unfolds my advice would be to use TOR - http://www.torproject.org/ and take back some of that privacy and anonymity that our ISPs have so 'kindly' tossed into the bin!
"Only those with something to hide will be bothered by this."
Do you undress in front of a window with the lights on and the shades and curtains open? No? Then you must have something to hide.
Come with us, please. You're under arrest.
Interception of telecommunications? Personally identifiable?
Alexander has a point.
Does this count as interception of telecommunications under UK legislation? In which case there could be criminal sanctions available. Private prosecution, anyone?
Additionally, given recent research on how easy it is to un-anonymize "anonymous" data, would this count as personally identifiable information? I can't remember the wording of the test for "personally identifiable" from the EU Directive and the UK legislation.
.. this is a professional scam to install wiretap-style automated phishing equipment - right there in the ISP data centre? They _claim_ it doesn't grab credit card numbers, but how do we know? Would be a helluva brave move (but maybe easier/more reliable than dishing out spyware...)
Never go for big ISPs
As a general rule I never sign up with big ISPs because they are the target of companies like Phorm, wanting the personal data of their customers. And most of the time they'll sell them....for the right price, of course.
On top of that, they always have this "fair use policy" crap.
For those looking for a new ISP I'd recommend aquiss.net (and I'm sure there are many more).
Don't worry, I don't work for them or anything like that, I'm just a happy customer (had to leave two ISPs before finding the right one).
If your ISP is one of those three, change it! Don't take their crap, even if you have nothing to hide.
My ISP is Zen who say they are not doing this and have no intention of doing this.
Good news for me then, because I don't fancy the hassle of moving....
Has anyone actually spoken to their ISP about this?
I was aghast about this, so I called my ISP, BT, to see how to opt out.
They absolutely assured me that this was not going to happen and that they would write to me first before they handed any such details to a third party.
So - question - is this B0llocks or have BT forgotten to tell their support people about it?
Phorm - the official Privacy International position
Quite a few comments have been published about claims that Privacy International has "approved" the Phorm technology. As some of these comments are speculative, I'd like to precisely clarify our position.
To begin, Privacy International does not endorse specific products or services. I can't think of a time in 18 years that we've done so, though we have supported certain technologies, particularly those involving secure encryption, anonymisation and user control. However, as a product, Phorm is not among them.
Any claim that PI has "endorsed" Phorm is incorrect. This is not because we don't believe the Phorm technology has some benefits. It does. It's because PI simply doesn't conduct that type of endorsement.
However Gus Hosein (Senior Fellow at PI) and I were asked as part of the new privacy startup 80/20 Thinking Ltd to assess the Phorm technology and processes, and provide a Privacy Impact Assessment. We agreed to do so.
Our conclusions will be published in due course, but the top level summary is that we felt the process contained a number of innovative privacy features. We were impressed with the effort that had been put into minimising the collection of personal information, and were particularly impressed with the idea that such a system could be established without the need for IPs, retention or profile building.
We did notify Phorm of a number of danger areas, particularly the notification and consent conditions applied by its ISP partners, however we felt the Phorm process itself warranted praise at a number of key levels. In comparison to, say, the potential of the Google/Doubleclick process, Phorm deserves credit for attempting to create a stronger privacy and anonymisation focus.
Now, as I've observed in one or two reports such as http://www.newswireless.net/index.cfm/article/3779 this assessment does not provide a get-out from the fundamental questions of "opt-out", intrusion or the general polemic over advertising on subscription ISP services. But then, those questions largely fell outside our brief.
Our work, plain and simple, was to check whether Phorm's claims were valid. We found that to the best of our knowledge they were accurate, and that the process does what it says on the tin.
To Simon Davies
Do you accept that interception at the ISP, where the Phorm servers get to read your entire HTTP traffic, is inherently vastly more dangerous than the systems used by Doubleclick/Google etc?
Did you perform a forensic analysis of the source code of the applications being used by Phorm for scanning and discarding personal data? If not, what exactly is it that you verified?
Virgin On The Ridiculous
First of all, I just want to point out that I am sick and tired of UK ISP dishonesty and cannot believe that the law allows us to be treated with what is blatant contempt and the various constant scamming of customers... I signed up as an NTL user 18 months ago after a year of BT misery... NTL changed hands and under Virgin things have gone from bad to worse... Why are UK ISP providers allowed to advertise a 20 meg BB package, until recently making no mention of the words "up to", and give customers the impression that it's a 20 meg upstream AND download speed? Also, why hasn't the law insisted that their new traffic shaping policies are shown too?
Not only has Virgin implemented "traffic shaping", they have also quietly gone about editing the criteria without informing any of its customers. Apparently now they say they are able to advertise an upgraded XL package so I will have 50 meg BB...
ALL THOSE POP UPS WILL BE COUNTED ONTO UR TOTALS BY UR ISPS!!!!!!!
Will they also be hijacking those kiddie porn freaks with pop ups about cheap flights to Thailand and Gary Glitter comeback concert ticket competitions too? Maybe u will login to ur internet banking and have the same dll file running a keylogging process so that they can then hit u with more spam as soon as u log out, showing u a flash animation and ur bank details, maybe even a screenie of the pages u viewed whilst u were logged in... Just so they can show u a range of related antispyware products that they think u will want to buy... Sucks, doesn't it? Ur thinking that it won't happen, aren't u? Well rest assured, people, it can and it will!!
Isn't it about time that the UK net users, regardless of ISP affiliation, all stood as one and demanded what everyone else in the E.U. already has.... ??? In Paris citizens have free net access as part of their civil rights, part funded by E.U. grants, and it's still faster than the U.K. ISPs' BB deals on offer... Why do they get 15meg service totally free, paid for with E.U. subsidies to which the UK is giving more than any other country in the E.U.??? The reason is cos the rest of Europe's countries would stop hiding their heads in the sand and make a fuss about it...
We are the sick men of the internet in the UK... Until enough of a stink is kicked up about it, do u really think things will change?
If we simply all sent one email each to our respective area MP using their related House of Commons emails in the same week, they couldn't possibly ignore it.... It's no use threatening ur ISP with changing ur provider.. Where u gonna go to? eh?
BT or Virgin.... all the rest of the ISPs are franchise ISPs using their network, so u will get an even worse deal than u had b4.... make a stand and spam ur M.P. or M.E.P. ...
A couple of questions....
1. Were you or 80/20 Thinking Ltd paid for your work at Phorm?
2. You have signed this post as a Director of PI. Would it not have been more appropriate to sign it 80/20 Thinking Ltd?
3. What was your brief?
4. Other less inquisitive articles about this whole subject are quoting you as saying "We were impressed with the effort that had been put into minimizing the collection of personal information." under the banner of Privacy Campaigner. Would it not be prudent to highlight the fact that you were not carrying out your work at Phorm under the guise of a "Privacy Campaigner"?
5. Phorm's website has a blog from Kent Ertugrul. This is a direct quote.
"We approached leading privacy advocates in the US and the UK, including Privacy International, and asked them what they thought."
Is this factually correct?
Whilst I am not questioning the good work you and your organisation carry out in any which way, shape or form - I would still like to know your answers to these questions, as in my view the articles in the mainstream press are using the Phorm marketing blurb and not focusing on the more relevant privacy issues, including the inability to not have data sent to Phorm's servers, therefore ridiculing the "opt-out" claims. It is my view that any browsing history, search terms and words I have entered into webmail forms are unique to me, and therefore personal data.