ISP data deal with former 'spyware' boss triggers privacy fears

More than ten million customers of the UK's three largest ISPs will have their browsing habits sold to a company with roots in the murky world of spyware. The deal has sparked fears over privacy, but today Phorm, the firm behind the new advertising system, strongly rejected such concerns. BT, Virgin Media, and Carphone …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    much ado about nothing

    "PageSense Javascript can be embedded by a variety of partners..."

    Install Firefox, add NoScript, be done with it

  2. Andy ORourke
    Thumb Down

    Surely this should be opt in?

    I know what will happen though, the big 3 will send some obscure email about some minor alterations to your T&C's, just click here to accept, don't worry about reading them after all, this will help to keep you more secure online...........

    Personally I go to a lot of trouble to not see any advertisements on the web. I don’t want people tracking my every move (I know, I know, they do already) and then using that information to make money for shareholders rather than investing in backhaul and network upgrades so I might be able to get close to the Up to 8Mbps service I have paid for!

  3. Anonymous Coward
    Coat

    Great.....

    Now then, before we get into a debate about pr0n, I surf for it. However, I am not sure that I want my children to get "relevant advertising" based on my pr0n surfing habits when they use our shared Virgin media connection.

    In other words, my Internet Connection has more than one user connected to it and what's relevant to me may not necessarily be relevant to other users in the household. In fact, it may be detrimental to other users in the household.

    Mine's the one with "hustler" written on the back.

  4. Peter Leech Silver badge

    Err...

    That makes me glad I am not a customer of one of those three ISPs.

    Funny though, I thought the data protection act said "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

    Surely if they are gathering this information for compliance purposes they can't just decide they want to sell it?

  5. Anonymous Coward
    Thumb Down

    Nothing from Virgin....

    .. but then, they still haven't informed their customers that they have officially started traffic shaping either!

  6. Kyle
    Thumb Down

    Greeeeeeat....

    I really can't see this sort of thing being used in the suggested "3 strikes" system at all. Either as a way of flagging up people looking at/for torrent sites, or as a way of identifying people who might be up to no good (based on a variation of the old security principle of "if you don't sign up to have your colon probed by a bulldozer, you're obviously hiding something up there!").

    It's nice when your broadband supplier tells you about this sort of rubbish before going ahead with it....

  7. Dunstan Vavasour
    Coat

    "Nothing to Hide"

    Only those with something to hide will be bothered by this.

  8. Graeme Hill
    Coat

    There's enough adverts on the telly, which is why I try not to watch it...

    OK, may be a silly question, but what amount of data will they be sending through in these targeted ads????

    If you have an "Unlimited" (cough cough) broadband with a "fair usage policy" (cough cough), when these adverts that are being sent to you push you over this (usually ridiculously low) limit, how will the ISP respond to your breaking their fair usage policy?

    Also, my wife browses the net quite a bit, and I sure as hell don't want adverts for makeup, perfume and other womanly things popping up when I'm trying to read El-Reg.

    Mine's the tinfoil jacket, hat, glove and scarf set..........

  9. Anonymous Coward
    Anonymous Coward

    Phorm reads too much like ...

    Porn and Pharmacy. Do they make advertising for that?

  10. Anonymous Coward
    Stop

    Like shooting Phish in a....

    Regardless if the user opts in or out the data will still be sent to Phorm.

    More info: http://www.badphorm.co.uk/

  11. Ian Peters

    re: "Nothing to Hide"

    oh dear.... another person with their head buried in the sand and does not understand risks. I bet you don't lock your doors, don't have a password on your PC and happy to let anyone search through your house and wallet because you haven't got anything to hide.

    Isn't ignorance bliss......

  12. Richard
    Pirate

    Commercial, Legal & Technical due Diligence

    Call me cynical, but I can almost picture the scene:

    Commercial 1: Will it make us a lot of money?

    Legal 1: Will it make us a lot of money without being explicitly against the law?

    Technical 1: How long do we think until a data breach?

    Commercial 2: How much money will we have made by then?

    Legal 2: How much would we get done for?

    Technical 2: Are we just going through this process to make it look like we actually care about the customer when in fact it all comes down to how much money we can make out of it seeing as it's actually technically feasible?

    *cough, shuffle*

    I have to say I love how they claim that it's a new gold standard. Yes, it's better than previous iterations, but here better only means "not as bad". In a similar vein chocolate money wrappers are a new gold standard. And there's only a thin veneer separating them from something brown.

  13. Anonymous Coward
    Anonymous Coward

    disingenuous at best

    BT say: "We are comfortable with having their computers installed in our operations"

    http://www.thisismoney.co.uk/investing-and-markets/article.html?in_article_id=430955&in_page_id=3

    I say I'd rather be with an ISP that didn't invite a rootkit pusher to plumb servers into its network.

    And I'd rather get my anti-phishing software from somewhere other than a spyware developer.

    In fact I'd like to know a little more about the webwise software.

    Is its real purpose to tie a click stream to a browser/user rather than just a connection? What sort of due diligence has been done on the code? At the very least I'd want to see the source (unobfuscated, with English rather than Russian comments).

    Note that the opt-out appears partial and highly misleading. Opting out requires a cookie - clear your cookies and you're opted back in. Worse still, this only opts out of the ads (which are easily blocked anyway) Phorm still get your browsing history.

  14. Rob

    @ Graeme Hill

    Spot on! As I was saying to SWMBO the other week, one of the reasons I read books, in preference to other entertainment, is that the book is pretty much the only medium left that isn't constantly trying to sell me shite!

    Where's the NLRA icon?

  15. Someone
    Coat

    Unbelievable

    I’m still trying to work out whether, as well as spying on us, the ISPs will be directly injecting the adverts into the web pages or if that’s going to be left to participating websites. Modifying passing traffic is something that’s already cropped up in the USA. Have a look at the University of Washington’s Web Integrity Checker.

    http://vancouver.cs.washington.edu/

    The problem with cookies is that I block nearly all websites, and, for those lucky enough to have me accept theirs, they still get regularly purged. While you can get sophisticated cookie managers to help preserve necessary cookies, if I were to accidentally lose my precious one from Phorm, the spying would start again. Plus, they have to spy on my traffic to see if I consent to them spying on my traffic! This has to be an explicit opt-in, done from the MAC or other unique identifier from the modem.

    More websites need to start offering secure connections. I’m going to ask again for https://www.theregister.co.uk/ please. In the mean time... Tor, Relakks, JoDonym/JAP/AN.ON, etc. etc. while I consider moving to a smaller ISP who have more respect for privacy.

  16. Ian

    Sorry you have passed your usage allowance.

    You're not allowed to use the internet for what you want as we decided to use up all your usage allowance this month spamming you Flash based ads that you never actually wanted but that we profit from.

    Yours,

    The Management.

  17. Dunstan Vavasour
    Happy

    @Ian Peters

    Um, the coat icon was meant to signal irony. For a fuller analysis of "nothing to hide", I recommend: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

  18. Anonymous Coward
    Stop

    HELP

    I have BT Business Broadband. I'm wondering if the selling of my data will allow me to terminate my 12 month contract early.

    Then I thought, who else can I get my broadband from... the only other provider I know of in my area is Virgin (was NTL). Sky and TalkTalk and I think even Pipex use the BT infrastructure and I reckon data would still be sold by BT.

    Is this anti-competitive ? My MP is an ex-BT researcher (I live in Ipswich) and they are a major local employer... so I doubt he'd give me any support...

    What can any of us do about it ? Were the comments under the title "much ado about nothing" accurate and what are the consequences?

  19. Wayland Sothcott

    We need spybot antispyware for ISPs

    Need to run Spybot to disinfect your ISP. They have been sneaking spies into your PC for years and those in the know run antispy software. Whereas more ordinary PC users (who do not read Reg) suffer.

    By placing the spy inside the ISP they have really taken control. Imagine having your HTML scrutinized and modified as you surf the web. If the optout/optin is by Cookie then they can better identify the user. Each user on a home router would have a different cookie since that's via the browser.

    I expect my ISP to simply be a pipe to whatever Internet server I am looking at. I don't expect the content to be filtered and coloured on the way. If they do start doing that then I can see sites offering https versions just so you know you are getting the real thing.

    As with everything, the ordinary simple person will be directly affected in the intended way and the few smarter people will work around this. We are all a bit ordinary and simple at something and they usually get us. My weakness is those letters that come through the post saying I may already have won £1,000,000. Get me every time.

  20. Anonymous Coward
    Anonymous Coward

    Where's the adverts? CIA or FSA front company,

    Where are the Phorm adverts?? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue?? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't).

    Their 'Open Internet Exchange' page seems to be only a flash presentation and an email address. Can't see why anyone would apply, they don't even give hard numbers.

    "With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company, publicly listed on the London Stock Exchange's Alternative Investment Market (AIM) since 2004."

    Yet it offers lots of money to ISPs to hand over their users surfing data and ISPs just ignore their duties under the law and hand it over? Must have been some serious cash down for that.

    Where does that money come from if it doesn't have a successful advertising network business? Unless there is some major advertising network behind this, then that company cannot 'tweak' its target adverts to make them more relevant as it claims.

    So I reckon it's a Total Information Awareness data mining project.

    Delaware? You mean like Tepper Aviation?

  21. Mad as a Bat
    Coat

    bye BT

    Well done BT, you've finally hammered in the last nail in the coffin. You want to spy on my browsing habits and sell this information on top of all the 'free' crap you keep trying to push at me - 'free' that is apart from the much higher fees than charged by your competitors.

    I'm off to another ISP, mine's the one with the 'Sod off BT' logo on the back.

  22. Ash
    Stop

    Last Straw

    I'm dropping you, Virgin Media.

    I'm writing the email as soon as I get home telling you why, the letter will follow afterwards, and I'm hitting Tor until it's cut off. You're getting NOTHING from me EVER again.

  23. Tom
    Thumb Down

    "We are aware of Phorm's background and are comfortable ...

    with the size of the cheque."

  24. Anonymous Coward
    Anonymous Coward

    OIX.com is Chinese

    Well that's interesting Phorm.com is a domain-by-proxy (hidden registration details) website.

    It's incorporated in Delaware.

    It's traded as AIM shares in London (looks like $US proxies for the Delaware company but I'm no expert, I wonder how they got listed?).

    Their Open Exchange site OXI.com comes out as 203.93.173.3 and appears to be a Chinese web server according to Dnsstuff.com

    I'm suspicious.

  25. Anonymous Coward
    Coat

    Ye-es... but

    First up, ISPs already sell vast quantities of customer data to companies such as Hitwise ('online user intelligence' company). I have a gut feeling from the numbers involved that at least one of the big players like BT has to be onboard, and they hand over your entire surfing habits from first log-on to final (f)log off.

    Secondly, I do see that it's not great, but behavioural targeting of online ads is already there - ads are served to you based on which sites you visit. Admittedly, it's usually within a particular content network, but as Google becomes more insidious, that content network covers more and more of the web. And then an ad is served from a third party ad-server to your PC.

    Point is, the parts are already there, kind of, and while the combination of them is not particularly a good thing, it was always going to happen, IMO.

  26. Tony W

    Do something!

    I hope all the people who complain here will also complain to their relevant ISP. And also to their MP and the data commissioner. If not - it's just hot air.

    The same goes for those who are getting hot under the collar but do nothing.

    I've just written to the acting CEO of my ISP. It's not that much hard work.

    With the recent articles about the financial effect on ISPs of the BBC on-line programmes, it seems pretty obvious what it's about. Not making loads of money, just staying afloat. Still a mistake, it will just put off for a few more months the evil day when they have to be honest about capacity.

  27. Tom
    Thumb Down

    benefit?

    "Net users will benefit from more relevant advertising"

    I have never wanted to see an advert while I'm using the internet, so how is making advertising 'more relevant' going to be a benefit to me? I'll still ignore them.

  28. Someone

    It gets worse

    Having looked at Ernst & Young’s Phorm Service Privacy Examination Report, I’m even more worried. It states that “Phorm Service uses only Non-Personally Identifiable Information (‘non-PII’), such as search terms, URLs and keywords.” It’s that ‘keywords’ word that’s most disturbing, as it’s not just URLs. Presumably that means keywords taken from the contents of web pages, not just information from headers. If so, that’s going to mean anyone who uses webmail that only uses HTTPS for authentication and not encrypting the contents of emails (and that’s most of them) is going to have all their emails scanned as well. I believe that’ll include situations where it’s not obvious that HTTP is being used, such as accessing Windows Live Hotmail directly from Outlook (Express) using WebDAV.

    I still feel like I’ve dropped into a bad dream or alternate reality and that this isn’t actually happening.

  29. N
    Thumb Down

    I don't believe it!

    This is wrong and companies like BT should know better.

    I've nothing to hide & wouldn't use BT anyway.

    Torpark anyone?

  30. Paul Fleetwood
    Pirate

    If they're injecting ads into webpages

    doesn't this get in the way of those who already fund their websites with ads from google and the like, the people who create webpages and earn their living from the ad revenues.

    I can't get too high and mighty about such things as I always use adblock, but then I'm not the one who's willing to roll over for the music business and its dubious intellectual-property-being-supreme mantra.

  31. Anonymous Coward
    Coat

    Opted-out or not -- Phorm will still get your data

    And they promise not to use it -- honest!

    And they promise not to be hacked -- honest!

    And they promise you won't be identified -- honest!

    Oooh! I feel all safe & cosy now!

  32. Jack Moxley
    Thumb Down

    Virgin Media

    Well that's 'nother bloody isp I have to leave.

  33. poh

    re: It's not just URL's

    That's right. Though GET queries appended to URL's can be pretty revealing in themselves. Phorm claim that they will be stripping out number sequences of more than three digits (which incidentally or otherwise means they get postcodes), but the fact that they are stripping these out means that at some stage they have the whole content.

  34. Anonymous Coward
    Unhappy

    Too bad Virgin

    Well I have just received my MAC code from my current ISP with the intention of moving to Virgin. I won't be doing that now.

    Do we not pay enough? Do they really feel it's a good idea to open us up to such risks by selling our data? I feel like we're being treated like the man in the restaurant that sends the food back. Expect it to come back with a new and unusual flavour. (note to self: must remember to tip my mobile phone company).

    Who else is there to sell our data and thrust advert spam in our faces? Perhaps Belkin would like to update my router to do this? And PC vendors. They could just cut out the middle man and provide machines that have spyware as a factory default build.

    BT offer online backup services to its customers. Do they analyse this too? If not, why not? Surely their shares must take a kicking on this revelation. They're missing a prime opportunity to rake more money off the back of its cattle. Sorry, I mean customers.

    I find it hard to believe that companies like this act in such an irresponsible manner just because the letter of the DPA doesn't prohibit their actions.

  35. Anonymous Coward
    Anonymous Coward

    @Tony W

    Does the data commissioner take complaints from the great unwashed?

  36. Jonathan Flack

    Opt-in

    Europe has an Opt-in policy towards this sort of stuff does it not? So how can they opt you in if you didn't explicitly ask to be signed-up. Can they just add you by changing the T&C's of the contract?

  37. Anonymous Coward
    Anonymous Coward

    Not much of a problem...

    1. Already mentioned - Firefox

    1a. with NoScript. Good for blocking other advertising sites too (e.g. doubleclick.net)

    1b. or with Adblock and a custom filter. How long before the standard filters include it?

    2. opendns.com, open an account and set up an IP block. You will also need to update your router and/or NIC DNS details to use the OpenDNS servers.

    The good thing about opendns.com is it will work whether you use IE or not. If you set the router to use OpenDNS, all computers on the network can take advantage of the blocking. If you have a laptop and manually set the DNS servers, you can have the protection follow you wherever you are though you also need to setup dynamic-DNS.

  38. John Bayly
    Thumb Down

    Time to have a chat with BT

    It's not very often that things stop me in my tracks, but fuck me, this has. It'll be interesting to hear what the poor TSA on the other end has to say. The report also begs the question "have they been selling our clickstream data already". I haven't been able to find a copy of BT Broadband's T & Cs, if anyone knows where they're hidden, please share.

    Finally, I found this site (good pun too) http://www.badphorm.co.uk, there's not much on it as it was registered 4 days ago, but it'll be interesting to see what appears on it.

  39. Anonymous Coward
    Alert

    What's the technical mechanism?

    How exactly is this to be done? I don't see anything in the article describing that.

    The inference is that the ISPs will be analysing TCP/IP packets, but unless they're injecting adverts into the responses, which would have a lot of implications in terms of trespassing on the user's communications and search engine usage, as well as the sheer horsepower required, I don't understand how the user is going to see the adverts.

    I suppose it could involve transparent HTTP proxies operated by the ISPs.

    It sounds more like a browser toolbar add-on that is installed by customised browser installations from sign-up CDs and so forth. That would be easier for users to avoid.

    That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting.

    As it is anonymous I doubt it is using the user's email address to send adverts to them, either.

    I wonder if it is Microsoft Windows and/or Internet Explorer only?

  40. Bob W
    Thumb Down

    re: it gets worse

    From Phorm's website-

    "Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information."

    They capture the data stream then parse and extract the data of interest to them, promise to ignore the sensitive stuff, then inject 'more relevant' adverts. For the user, the carrot/ smoke is the anti phishing panacea, Webwise, for the ISP it's $$$$.

    Seems a fair trade[1], compromise all your subscribers and we'll give you 30 pieces of silver.

    I've started looking for a more ethical ISP, they'll also lose phone and TV subscriptions.

    Bob W

    [1] From the E&Y report-

    "Because of inherent limitations in controls, error or fraud may occur and not be detected."

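The digit rule quoted in comments 33 and 40, modelled as an added example (not Phorm's code and not part of any comment): it applies the rule to the query string of a few URLs and reports what is still readable afterwards. The regex reading of "longer than three digits", the residual-digit threshold, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: "strings of numbers longer than three digits" is read as
# "any unbroken run of four or more digits is dropped".
LONG_DIGIT_RUN = re.compile(r"\d{4,}")

# Loose UK postcode shape (outward + inward code); enough for this audit.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.IGNORECASE)

# Assumption: six or more digits left in one value means a number was
# written in short groups and so passed the rule untouched.
RESIDUAL_DIGIT_THRESHOLD = 6


def strip_long_numbers(text):
    """Apply the assumed rule: remove every run of four or more digits."""
    return LONG_DIGIT_RUN.sub("", text)


def audit(url):
    """Map each query parameter to (value after the rule, what is still exposed)."""
    report = {}
    # The filter must be handed the complete URL before it can drop anything.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kept = strip_long_numbers(value)
        exposed = []
        if UK_POSTCODE.search(kept):
            exposed.append("postcode")
        if sum(ch.isdigit() for ch in kept) >= RESIDUAL_DIGIT_THRESHOLD:
            exposed.append("short-digit-groups")
        report[key] = (kept, exposed)
    return report


# Constructed sample URLs: example domains, a well-known test card number,
# and a phone number from the UK drama-use range typed in groups of three.
SAMPLES = [
    "http://shop.example/search?q=plumber+near+SW1A+1AA",
    "http://pay.example/checkout?card=4111111111111111",
    "http://clinic.example/book?dob=12/03/75&phone=077+009+001+23",
]

if __name__ == "__main__":
    for url in SAMPLES:
        for key, (kept, exposed) in audit(url).items():
            print(f"{key!r}: kept={kept!r} exposed={exposed}")
```
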
  41. Chris Williams (Written by Reg staff)

    Re: What's the technical mechanism?

    "That still doesn't explain how the adverts are going to be delivered or how they might interfere with the sites the user is visiting."

    They will be delivered in the usual way, via web publishers. Just as Google uses search queries and page content to target text advertising, Phorm will use browsing history to target banner ads from advertisers that have signed up to the Open Internet Exchange on websites that have also signed up.

    It won't "interfere" with sites as such, but offer them a way to serve you ads that you're supposedly more likely to click on, which means more money for the publisher.

    - Chris

  42. Anonymous Coward
    Anonymous Coward

    Do a trace route from wherever you are, ALARM BELLS

    Do a traceroute on oix.com from wherever you are. I've tried one in France, one in Belgium, one in Germany and one from USA, all of them tracert fine for most sites, but oix.com always stops IN THE COUNTRY I'M TRACING FROM.

    e.g. try DNS stuff:

    http://www.dnsstuff.com/tools/tracert.ch?domain=oix.com

    Stops at theplanet.com 74.53.59.130 Dallas Texas.

    The France query stops in Paris, the Belgium one in Belgium... you get the idea.

    Perhaps they've built a super fast network with all the end points in each of those countries, and the network blocks pings.... seems very very odd to me. I can tracert to other servers from most of those locations.

    e.g. from Colt (UK)

    http://traceroute.colt.net/

    Stops after 2 hops, at colt!

    Australia

    http://www.telstra.net/cgi-bin/trace?oix.com

    Stop in telstra.

    Anyone care to name the network that blocks each of these end points and who owns it?

  43. Paul Stimpson
    Coat

    Three strikes

    Premium rate support number to report faults to an offshore call center muppet who reads a script without understanding a thing - Strike one!

    Traffic shaping - Strike two!

    All my proxy logs are belong to a scummy adware company - Strike three!

    Virgin, you're out of here! Please leave your contact details in the bin on the way out.

    Of course, these logs are now advertising data and not communications data so any agency will be able to hoover them up and de-anonymize them without warrants or oversight. That VPN to Relakks in Sweden is looking more attractive by the day.

    Pass my coat. It's the one with "You can only shaft me so many times without giving me a reach around" on the back.

  44. Morely Dotes

    @ Dunstan Vavasour

    Only those with no capability of being honest with themselves believe they have nothing to hide.

    For example: Your bank account number, your credit card numbers, the names and ages of your children, and their locations at various times of the day, how much CO2 your automobile produced this month, the interest rate on your mortgage, the current state of your indebtedness (up-to-date, past due, etc.), your medical history...

    Only the abysmally ignorant, or the absolutely dirt-poor think they have nothing to hide.

  45. Wayland Sothcott
    Black Helicopters

    TIA FIB CIA MI5 NWO BnQ

    I love the black helicopter angle. So the ISP goes, "cool! advertising money, nice, thank you, here is your info feed". But there is no advertising, it's part of TIA (Total Information Awareness, BBC1 Sunday 9pm The Last Enemy) which is part of the bigger NWO (New World Order - see Alex Jones Infowars) plan.

    It's the marriage between government and big corporations. So quicker than getting a law passed that forces the ISP to hand over this live data (see RIAA and Music Copyright legislation requiring ISPs to inform on Downloaders) you simply pay them for it! Very smart. It would be a good (I mean evil) plan to pass some laws as well.

    But I digress into the land of TV fiction and Internet conspiracy theories....

  46. Paul Louth
    Thumb Down

    Final nail

    Well if Virgin squeezing my connection whilst using useful net features (VPN connections for example) wasn't bad enough! I am calling them first thing tomorrow to cancel my account.

  47. Anonymous Coward
    Thumb Down

    Does "BT" also mean Plusnet, Metronet, Waitrose, Madasafish...

    As per title. BT own Plusnet, Metronet, and the Brightview brands (Waitrose, Madasafish?).

    Is the ridiculousness in this article confined to customers of BT Retail, or does it extend its tentacles to the other BT-owned ISPs?

    If it does include them, I suspect a few folks will be looking for their MACs (I'll be looking for two, as will a few folks I know).

  48. Steve Foster
    Joke

    Surprised no-one has said it yet...

    ...but this is clearly going to be a disaster as we know Kent Ertegrul has Phorm. (cue groans and peanuts)

  49. CSQuake
    Alert

    VOTE

    Vote with your feet, it's really that simple.

    Never hook up with an ISP that ties you in for longer than 3 months.

    Leave them behind, go somewhere where this doesn't happen, my ISP rocks and is not signed up to this BS, can't tell you who it is though because my service might degrade with more subscribers :P

    Sack them!

    Leave!

    Ditch the bastards after pinning a great big 'FU' to their foreheads!

  50. Anonymous Coward
    Anonymous Coward

    Who is Conductive LLC?

    I'm still digging away here and hitting dead end after dead end. Take a look at their 2004 financials, they paid $1.3 million to US media company Conductive LLC.

    "The results for 2004 include commissions paid to Conducive LLC, a US on-line media agency, of $1.3 million (2003: $82,383), under a joint venture arrangement through which they acted as our sales office in the US and facilitated the receipt of revenue, in exchange for a proportion of the income generated."

    I do a search ["Conducive llc"] and get 3 results, none of which are it. Don't you think that's strange for a USA *online* media agency?

    Lots of things are bugging me about this company. The financials show a sea of red ink, the oix.com server resolves to China, the trace routes stop dead in each country I try them, I check the few details I can find and hit dead ends. Yet they get $30 million in funding?

    The links from 121media.com

    http://www.alexa.com/data/ds/linksin/121media.com?q=link:121media.com

    Have a look at that zdnet blog.

    http://blogs.zdnet.com/Spyware/?m=200605

    "PeopleOnPage.com shows an address in Poland with the name Kent Ertugrul . A Google search for Kent Ertugrul brings up a hit showing him as director and CEO of 121 Media, which is a contextual advertising company according to the website."

    Connected to AproposMedia, do a search. They tell you how to remove the spyware:

    http://www.spywareguide.com/product_show.php?id=625

    Kent is also connected to Phorm.

    "The folks behind ContextPlus, Apropos and PeopleOnPage evidently did not want to be known and there’s little information about them to be found on the internet. The ContextPlus.com domain registration info shows a name and address in Poland. Interestingly enough, the domain history on 2-28-2005 shows the name Apropos with an address and phone number in Kirkland, Washington"

    H-E-L-L-O.... I smell a major story here.

  51. John Bayly
    Thumb Down

    After talking to BT ...

    I've had a look at the Q & A, this one caught my eye:

    I didn't switch on this service. Why do I have to switch it off?

    We believe BT Webwise is an important improvement to your online experience — giving you better protection against online fraud and giving you more relevant advertising.

    We realise that you may not want to use the free service, so we've made it quick and easy to switch on and off. [X]

    From a legal point of view, shouldn't the default be "Opted out", or is it because it's (supposedly) synonymous with security that they can turn it on by default.

    Also, they seem very keen on solely using cookies to remember whether Webwise is switched on or off, which probably means that the moment you clear your cookies it'll be switched on (for your security of course).

  52. Morely Dotes

    Oh dear

    "With offices in New York, London and Moscow, Phorm (AIM: PHRM, PHRX) is a Delaware, US incorporated company,"

    Delaware and Florida are both extremely corporate-friendly and consumer hostile. I will not do business with incorporation in either State; in the event of a dispute, I know in advance that the courts will side with the corporation.

  53. Anonymous Coward
    Anonymous Coward

    Tracert I have an explanation for...

    Ahh, now I see, it's that DNS pointing to a server in China:

    www.oix.com 88.208.248.102, Fasthosts, Gloucester

    BUT oix.com 203.93.173.3, China

    The tracert fails because the Chinese server only does not route properly. Their DNS:

    oix.com IN A 203.93.173.3 172800s (2d)

    oix.com IN NS ns1.phorm.com 172800s (2d)

    oix.com IN NS ns2.phorm.com 172800s (2d)

    So why would they have an A record to a Chinese server in that domain. Perhaps it is an innocent carry over from a previous owner? Let's see, perhaps a previous owner was a Chinese company:

    http://web.archive.org/web/*/http://www.oix.com

    Wayback machine says it was owned by a Canadian link page Oshawa ON (Later Interlinks last May 16th 2007).

    So does the oix.com domain, so I assume it was correct when it was owned by that links page. Since it resolves to the same server.

    Odd huh?

  54. Anonymous Coward
    Pirate

    GET. TOR. NOW.

    Never mind conspiracy stuff, black-hat-hacking, whistle-blowers and victims of oppressive regimes - *this* is all it takes to make my mind up for me: The network's good enough nowadays; I'm switching to Tor for *all* my browsing as a matter of routine. I don't need perfect security that will protect me from the CIA, I'm not actually engaged in terrorism, but for the lower-grade requirement of "Stop my nosy bastard ISP snooping all my traffic", Tor is *perfect*.

    Virgin, you utter scum. This is not like having a transparent web proxy that forwards my requests without examination or alteration. This is an ILLEGAL WIRETAP; it is *no* different at all from listening in to all my phone conversations to see what I'm talking about, and the fact that you're only doing it so you can tell advertisers the content of my conversations is no excuse.

    I'm off to research the wiretap and telecomms carrier laws, then I'm going to report them to the police.

  55. plastical
    Alert

    I know absolutely nothing about it.

    Just rung Virgin Media call centre. The rep knew 'nothing about it'. He checked his intranet, nothing there, so I directed him to this article. He seemed surprised, and said he'd pass it on to his 'customer liaison officer', or the like.

    We'll see what a call in a few days yields...

  56. Anonymous Coward
    Anonymous Coward

    Black hat not black helicopter

    The more you dig the more it looks like black hat rather than black helicopter.

  57. Matt
    Thumb Down

    Benefits

    Surely the ads currently benefit the websites - in many cases keeping them in existence for the benefit of anyone that wants to use them (for cheap or free)? If the ads are being provided by the ISP instead (which we already pay for) how long before the websites' revenue starts drying up and we either lose content or pay more for it? That benefits us *how* exactly?

    (On a side note, what's the betting that the first site to get forced adverts is BBC iPlayer?)

  58. peter

    Old domains

    64.246.54.62 ns1.121media.com

    qkilbdr.net

    sysip.net

    121media.com

    oix.net

    openinternetalliance.com

    openinternetalliance.net

    youcanoptin.net

    youcanoptout.com

    youcanoptout.net

    Open Internet Alliance is a discarded attempt before OIX as the logo is similar and they host the records.

    Sysip is interesting, it is the same premise as Phorm, they tracked queries with a userid and cookie, then served ads through a hidden iframe back to the user and redirected. This was part of the 121media spyware.

  59. Anonymous Coward
    Unhappy

    Um, people ARE aware that FireFox does this already aren't they?

    Um, are people aware that *every* page browsed by Firefox users is sent to Google first? :(

    It's for validation that the page is not spyware/forgery/etc, before the page actually gets loaded by the browser.

    There is a setting in Firefox that is supposed to disable this (Edit -> Preferences -> Tell me if the site I'm visiting is a suspected forgery), but even if turned off this doesn't actually stop it happening.

    Check your firewall logs for connections to sb.google.com. Then try and disable it. They still occur. :-/

  60. King TuT

    It's the spying

    Ads can be blocked. However even if you opt out your webpages are still going through their system and looked at.

  61. popper
    Coat

    you're missing the point, they can't sell your data if you remove that right today.

    it seems everyone's getting all wound up on how to not see these adverts.

    you're missing the point, they can't sell your data if you remove that right.

    it's not about receiving or not the adverts, it's about the three ISPs knowing full well they can't release your Data Protection Act covered personal data, it's already clear that the IP you're given is your personal data.

    somewhere in your T&C, email or whatever, the ISPs have to ask for your permission to process, export and whatever else they wish to do with that personal data.

    the simple answer is to fill in a generic UK DPA request that removed the ISP's right to Export, Sell, or otherwise process your data to the 3rd party or outside the very limited scope of supplying your broadband connection and billing for the service.

    anyone with a legal background from http://www.consumeractiongroup.co.uk/forum/broadband-other-internet-issues/

    or any other legal reader here up for writing that generic DPA rights letter and posting it here or elsewhere so the affected readership can simply print it out and send to their ISP's Data Protection registrar/Officer under registered post for legal proof later.

  62. Anonymous Coward
    Pirate

    Would they sell lists of the phone numbers that you have called?

    Is this really any different?

  63. Steve Roper
    Stop

    Re: people ARE aware that Firefox...

    Not quite. First of all, the option you're describing is located under Tools->Options (Security tab) for FF under Windows (maybe you use a Mac or Linux?). If you look at the panel controlling this feature, you'll see below the "Tell me if the site I'm visiting is a suspected forgery" checkbox, there are two option buttons. The first one (which is selected by default) is "Check using a downloaded list of suspected sites", and the second one, which you have to select, is "Check by asking Google for each site I visit".

    If you have the first option selected, which most people will have, nothing is sent to Google. That only happens if you actually select the second option. And I've just tested and verified this on our firewall logs. So - nice try at spreading a bit of anti-FF FUD, but no dice.

  64. Anonymous Coward
    Stop

    Do our contracts allow this?

    Do our contracts allow ISPs to sell data to third-parties? Surely we're paying for a connection, and any details about our activity, whether anonymised or not, should be covered under Data Protection and not shared, sold or given away without our permission.

    And what royalty payment are the ISPs planning on giving us? Obviously, no reduction in fee, no payment, just more money for themselves.

  65. Alexander Hanff
    Thumb Down

    Against EU Rules?

    Weren't the EU just last week telling search engines they are not allowed to retain search histories with IP data? How is this any different? I think we need an Early Day Motion to prevent this from happening, anyone chummy with an MP?

  66. Alexander
    Black Helicopters

    Virgin might meet the men in black

    Mm Virgin might need to rethink how it applies this to business users, as the majority of local government authorities use Virgin business for nice fibre and big phat pipe connections.

    It is illegal for any unauthorised outside body to monitor any form of communication by any means, although they would not be able to pin it down to any specific users I am sure MSPs, MPs, MEPs, Councillors and Ministers will all be happy to share their browsing habits with Virgin.

  67. Anonymous Coward
    Paris Hilton

    GIVE IT BACK

    Give the interweb back to us geek, I remember many years ago when the interweb was new that none of this crap really existed, unless you was in the really dark bowels of the net. But now thanks to government and the money grabbing halfwit dumass ISP's the tweb is open to all the 819'ers and other crims. Yay well done for inventing cyber crime you pratts.

    Paris has more brains than the plonkers running the interweb. I nicer boobs.

  68. Naich

    PI

    "He said Privacy International had given the technology the thumbs-up."

    Has anyone actually asked PI about this? Not that I would doubt the word of an ex-adware peddler.

  69. Paul

    Gah!

    It seems that every day there's another gormless corporation that wants to tap into "new money" and make a profit where there's nothing really to sell out but people's security.

    It wouldn't be so bad if you could really be assured that it's just marketing information being gathered but how can you trust a company that has a history of spamming?

    I realise that it's part of the "modern" world that everyone wants to make money from nothing, but it's getting beyond a joke. Our lives are already dictated by people who gamble on a fictitious value of what a company or commodity is worth, but to sell something as nebulous as information is just crazy...

  70. Anonymous Coward
    Anonymous Coward

    It's all a big con game anyway.

    Internet advertising revenue, I mean. The sooner the advertising space purchasers realise this, the sooner the Net can start to find a way of funding itself.

  71. Someone

    Where does this all stop?

    If they manage to get away with this, which protocol will be next? Could it be SMTP?! After all, it’s normal to scan incoming and outgoing email to stop spam and viruses. They could add to your ‘anonymous’ profile by using all the keywords spotted there.

  72. Roger Heathcote
    Thumb Down

    @ Not much of a problem...

    You're missing the point, you can block the adverts but that isn't going to stop every URL you visit and every keyword you google from being sent to a third party, widening your exposure and IMHO contravening data protection law. Your argument is akin to saying it's okay to use a shonky net cafe to log into your online bank if you close your eyes as you type in the password!

    This data is NOT anonymous, well certainly not for everyone, my URL history would identify me in a jiffy. And the idiots trotting out the unthinkably banal and cliched "if you've got nothing to hide" argument need to start thinking - there are several things YOU DO WANT hidden such as pin numbers, passwords and your email address.

    Honestly, it's not just giving one more company access to your data, it's giving anyone who advertises through them access to your browser, and in a world where you can get owned by a malformed JPG or Flash file I don't want these people being able to target my computer by keyword, what if the keywords they use are crafted to find vulnerability?

    Sadly I live in a shared house and the BT broadband isn't in my name, and even if it was I strongly suspect they won't let you cancel your contract over this. I feel like I'm getting F'd in the A here :-[

    Roger Heathcote

  73. Reg Sim
    Unhappy

    "sux the ass end of a donkey"

    "Phorm says an opt-out could work by accepting a cookie from its website"

    So, having their merd on your PC in some form is opting out, huh? It seems I have gone to another planet.

    And Telewest (errr Virgin Media) can sux the ass end of a donkey if they think I will stay with them should they go ahead.

    (I am an 8+ year vet of Telewest/Virgin).

    Is it a big issue? Hell, I have not bought games I like because they collect ad info from me. Trust is earned, the hard way, and none have even tried to start earning it yet.

    I want a new icon at the bottom of the comment editing bar, one with a middle finger, the sad face is not enough.

    -Ano.

  74. Anonymous Coward
    Black Helicopters

    i'll ask around..

    cos i work for one of the aforementioned ISPs.

    and yes, this is the first i've heard too.

    a-feckin-stounding what some of the asshats will do if you're not looking..

    anonymous? damn straight!

  75. Anonymous Coward
    Stop

    It is much worse than you seem to realise....

    The entire content of every web page you retrieve will be sent by your ISP to Phorm's servers along with your IP address. This includes the text of any webmail you may use - hotmail, gmail, etc; forums you may browse, Facebook, chat, etc etc. and there is nothing you can practically do to stop it. All safeguards over how this data is processed and/or stored and/or sold on are entirely voluntary by Phorm and could easily be changed at anytime. The 'opt-out cookie' is simply a tag asking Phorm not to do anything with the data it has received, again entirely up to them how they respond to it. How greedy are the ISPs in their obscene haste to jump at this? How murky is it that its implementation is being camouflaged with the worthless 'Webwise' offer? And how stupid are we to let them get away with it, as regrettably they will...

  76. Anonymous Coward
    Dead Vulture

    Where are the Phorm adverts

    "Where are the Phorm adverts?? Without the adverts how can they tweak anything, especially to gain more than an extra 80 million in ad revenue?? (e.g. Say 10% improvement, they'd need 800 million in ad revenue to BT customers, yet you've never heard of them I think, I certainly haven't)."

    Businesses sign up with OIX.com to participate and have their advertising space 'tweaked' by Phorm. So they don't replace non-participants' ads (not too popular!) nor do they include additional ads. Some major apparently respectable companies are already signed up with OIX, for example FT.com. Over at the Motley Fool there are numerous threads with eager investors licking their lips....

  77. Anonymous Coward
    Alert

    This is just like the post office opening all your letters ...

    ... and adding some junk mail leaflets based on what they read. Hmm, now why didn't I think of that first?

  78. Anonymous Coward
    Anonymous Coward

    estimate of $45 billion for Internet advertising,

    they have seen the US reports and expect it to be the same growth here perhaps

    http://www.dailywireless.org/2008/02/26/internet-advertising-up-25/

    "Internet Advertising: Up 25%

    TechCrunch notes that the Interactive Advertising Bureau has a preliminary estimate of $21.1 billion for U.S. Internet ads in 2007, a 25 percent increase over 2006.

    Meanwhile, the Kelsey Group puts U.S. Internet advertising at $22.5 billion for 2007 (IDC, as previously reported by TechCrunch, is at the high end with $25.5 billion).

    The Kelsey Group also provides a global estimate of $45 billion for Internet advertising, which is 7.4 percent of the total $600 billion global advertising market.

    ...

    "

  79. Anonymous
    Alert

    The Information Commissioner's Office 01625 545 745

    Spoke to The Information Commissioner's Office - http://www.ico.gov.uk/ and they say they are 'looking into it'. You can ring them on 01625 545 745, so at least the powers that be are aware of current events.

    So until this story fully unfolds my advice would be to use TOR - http://www.torproject.org/ and take back some of that privacy and anonymity that our ISPs have so 'kindly' tossed into the bin!

  80. Jeffrey Nonken
    Stop

    @Dunstan

    "Only those with something to hide will be bothered by this."

    Do you undress in front of a window with the lights on and the shades and curtains open? No? Then you must have something to hide.

    Come with us, please. You're under arrest.

  81. Paul
    Alert

    Interception of telecommunications? Personally identifiable?

    Alexander has a point.

    Does this count as interception of telecommunications under UK legislation, in which case there could be criminal sanctions available. Private prosecution, anyone?

    Additionally, given recent research on how easy it is to un-anonymize "anonymous" data, would this count as personally identifiable information? I can't remember the wording of the test for "personally identifiable" from the EU Directive and the UK legislation.

  82. Anonymous Coward
    Alert

    What if...

    .. this is a professional scam to install wiretap-style automated phishing equipment - right there in the ISP data centre? They _claim_ it doesn't grab credit card numbers, but how do we know? Would be a helluva brave move (but maybe easier/more reliable than dishing out spyware...)

  83. Fab54
    Stop

    Never go for big ISPs

    As a general rule I never sign up with big ISPs because they are the target of companies like Phorm, wanting the personal data of their customers. And most of the times they'll sell them....for the right price, of course.

    On top of that, they always have this "fair use policy" crap.

    For those looking for a new ISP I'd recommend aquiss.net (and I'm sure there are many more).

    Don't worry I don't work for them or anything like that, I'm just a happy customer (had to leave two ISPs before finding the right one).

    If your ISP is one of those three, change it! Don't take their crap, even if you have nothing to hide.

  84. brian
    Happy

    Just checked

    My ISP is Zen who say they are not doing this and have no intention of doing this.

    Good news for me then, because I don't fancy the hassle of moving....

  85. andrew ginty

    Has anyone actually spoken to their ISP about this

    I was aghast about this, so I called my ISP, BT to see how to opt out.

    They absolutely assured me that this was not going to happen and that they would write to me first before they handed any such details to a third party.

    So - question - is this B0llocks or have BT forgotten to tell their support people about it?

  86. Simon Davies

    Phorm - the official Privacy International position

    Quite a few comments have been published about claims that Privacy International has "approved" the Phorm technology. As some of these comments are speculative, I'd like to precisely clarify our position.

    To begin, Privacy International does not endorse specific products or services. I can't think of a time in 18 years that we've done so, though we have supported certain technologies, particularly those involving secure encryption, anonymisation and user control. However, as a product, Phorm is not among them.

    Any claim that PI has "endorsed" Phorm is incorrect. This is not because we don't believe the Phorm technology has some benefits. It does. It's because PI simply doesn't conduct that type of endorsement.

    However Gus Hosein (Senior Fellow at PI) and I were asked as part of the new privacy startup 80/20 Thinking Ltd to assess the Phorm technology and processes, and provide a Privacy Impact Assessment. We agreed to do so.

    Our conclusions will be published in due course, but the top level summary is that we felt the process contained a number of innovative privacy features. We were impressed with the effort that had been put into minimising the collection of personal information, and were particularly impressed with the idea that such a system could be established without the need for IPs, retention or profile building.

    We did notify Phorm of a number of danger areas, particularly the notification and consent conditions applied by its ISP partners, however we felt the Phorm process itself warranted praise at a number of key levels. In comparison to, say, the potential of the Google/Doubleclick process, Phorm deserves credit for attempting to create a stronger privacy and anonymisation focus.

    Now, as I've observed in one or two reports such as http://www.newswireless.net/index.cfm/article/3779 this assessment does not provide a get-out from the fundamental questions of "opt-out", intrusion or the general polemic over advertising on subscription ISP services. But then, those questions largely fell outside our brief.

    Our work, plain and simple, was to check whether Phorm's claims were valid. We found that to the best of our knowledge they were accurate, and that the process does what it says on the tin.

    Simon Davies

    Director

    Privacy International

  87. poh

    To Simon Davies

    Do you accept that interception at the ISP, where the Phorm servers get to read your entire HTTP traffic, is inherently vastly more dangerous than the systems used by Doubleclick/Google etc?

    Did you perform a forensic analysis of the source code of the applications being used by Phorm for scanning and discarding personal data? If not, what exactly is it that you verified?

  88. jon stansfield
    Pirate

    Virgin On The Ridiculous

    First of all, I just want to point out that I am sick and tired of UK isp dishonesty and cannot believe that the law allows us to be treated with what is blatant contempt and the various constant scamming of customers... I signed up as an NTL user 18 months ago after a year of BT misery... NTL changed hands and under Virgin things have gone from bad to worse... Why are UK ISP providers allowed to advertise a 20 meg BB package until recently make no mention of the words "up to" and give customers the impression that its a 20 meg upstream AND download speed? Also why hasn't the law insisted that their new traffic shaping policies are shown too?

    Not only has Virgin implemented "Traffic shaping" they have also quietly gone about editing the criteria without informing any of its customers. Apparently now they say they are now able to advertise an upgraded XL package so I will have 50 meg BB...

    How can they deliver on 50 megs? They can't sustain the current 20meg service they are selling right now... Any XL user who downloads 3 GB between 4pm and 9pm will be slowed down to a 5 meg speed... That's also left unmentioned in all Virgin's advertising... Bear in mind the 3GB limitations here and then take into account that this "Pop-Up / browser hijacking / malware / nuisance / invasion of privacy" scheme will mean that each pop up will eat ur 3GB download as ur isp will throw "All" downloaded kbs into the total as each time u change a page it downloads.... as well as sends back info as well... Now to my knowledge the term "Pop-up" invariably means flash animations with sounds and lots of industrial javascript content that will clog up ur temp folder with lots of bloatware, that's assuming that ur first attempt to close the annoyance by hitting the cross in its corner actually works.... also these things contain tracking cookies too so u will need to flush ur browsers and close ur net to make sure it's not secretly running a dll process after being closed down... It may well redirect u to a questionnaire or survey page instead asking why u were not interested in the special user related helpful browser spamming as they were trying to "help" u get the most from ur net experience, and it will then harangue u about questions and surveys they want u to help em with so they can improve their service.... A service which u will have no way to stop receiving... sorta like giving the Jehovah's Witnesses the front door keys to ur house so they can sell u a new bible with a different cover everyday isn't it?

    ALL THOSE POP UPS WILL BE COUNTED ONTO UR TOTALS BY UR ISPS!!!!!!!

    Will they also be hijacking those kiddie porn freaks with pop ups about cheap flights to Thailand and Gary Glitter comeback concert ticket competitions too? Maybe u will login to ur internet banking and have the same file dll file running a keylogging process so that they can then hit u with more spam as soon as u log out. showing u a flash animation and ur bank details, maybe even a screenie of the pages u viewed whilst u were logged in... Just so they can show u a range of related antispyware products that they think u will want to buy... Sucks doesn't it? Ur thinking that it won't happen aren't u? Well rest assured people it can and it will!!

    Isn't it about time that the UK net users regardless of isp affiliation all stood as one and demanded what everyone else in the E.U. already has.... ??? In Paris citizens have free net access as part of their civil rights, part funded by E.U. grants and its still faster than the U.K. isps BB deals on offer... Why do they get 15meg service totally free paid for with E.U. subsidies to which the UK is giving more than any other country in the E.U.??? The reason is cos the rest of Europe's countries would stop hiding their heads in the sand and make a fuss about it...

    We are the sickmen of the internet in the UK... Until enough of a stink is kicked up about it, do u really think things will change?

    if we simply all sent one email each to our respective area MP using their related house of commons emails in the same week they couldn't possibly ignore it.... It's no use threatening ur ISP with changing ur provider.. Where u gonna go to? eh?

    BT or Virgin.... all the rest of the isps are franchise isps using their network so u will get an even worse deal than u had b4.... make a stand and spam ur M.P. or M.E.P. ...

  89. Anonymous Coward
    Anonymous Coward

    @Simon Davies

    Mr Davies,

    A couple of questions....

    1. Were you or 80/20 Thinking Ltd paid for your work at Phorm?

    2. You have signed this post as a Director of PI. Would it not have been more appropriate to sign it 80/20 Thinking Ltd?

    3. What was your brief?

    4. Other less inquisitive articles about this whole subject are quoting you as saying "We were impressed with the effort that had been put into minimizing the collection of personal information." under the banner of Privacy Campaigner. Would it not be prudent to highlight the fact that you were not carrying out your work at Phorm under the guise of a "Privacy Campaigner?"

    5. Phorm's website has a blog from Kent Ertugrul. This is a direct quote.

    "We approached leading privacy advocates in the US and the UK, including Privacy International, and asked them what they thought."

    Is this factually correct?

    Whilst I am not questioning the good work you and your organisation carry out in any which way, shape or form - I would still like to know your answers to these questions, as in my view the articles in the mainstream press are using the Phorm marketing blurb and not focusing on the more relevant privacy issues, including the inability to not have data sent to Phorm's servers, therefore ridiculing the "opt-out" claims. It is my view that any browsing history, search terms and words I have entered into webmail forms are unique to me, and therefore personal data.

    Regards,

    Anthony
