BT’s servers were secretly passing data on subscribers to its "new" advertising partner as long ago as last summer, though the companies refused to acknowledge any relationship at the time. BT - the UK's number one internet provider - finally revealed the plan earlier this month along with Virgin Media and Talk Talk, which …
Might be interesting to see if one of the affected people could set an entry in their hosts file to point dns.sysip.net (or *.sysip.net) to 0.0.0.0 - it's unlikely that BT are going to trust Phorm to handle all their DNS queries, so dns.sysip.net is probably named so to make people think it's something innocent (or too technical for them to understand).
Perhaps a public service announcement would be in order?
Won't pointing to opendns.com (or similar) for your dns requests solve this? I don't know enough about the ins and outs to be sure though.
Personally, I find it easier to maintain my own DNS cache using BIND9 on a small Linux box I maintain. No need to use the ISP DNS crap in the first place!
I knew this was a conspiracy! Tinfoil hats around to all!
I wondered if El Reg could post technical details of how exactly this works.
If they know where you are going and what you are looking at, how do they then show you ads? Do they rip and replace ads from other sites or wait until you hit a site hosting their adverts - at which point they look up your previous habits and then display loads of "relevant" ads?
A nice technical article and some possible mitigations would be fantastic.
I have been with TalkTalk for some time now and have been one of the lucky few to not have any trouble with their service. Even if it as easy as changing your host file to avoid this I won't feel happy staying with a company that does business with spyware pushers.
I doubt it, all BT have to do is sniff packets on Port 80. From the packet they can see the Host header along with everything else.
As they appear to rely on cookies, I'm assuming they'll be injecting a cookie for www.oix.net into every HTTP response. Blocking the www.oix.net cookie (as they suggest if you want to disable the service <cough> permemently <cough>) will only mean that when you request a page containing oix.net adverts, no cookie with the <cough> unique anonymous <cough> ID linking you to keywords will be sent. Hence you will simply receive random adverts.
Blocking a cookie still means that BT will happily be sending your clickstream data & pages viewed to Phorm, so they still get a wealth of data.
Time to call BBC radio Oxford and try to get this mentioned in the mainstream media, because this is seriously taking the piss now.
"Personally, I find it easier to maintain my own DNS cache using BIND9 on a small Linux box I maintain. No need to use the ISP DNS crap in the first place!"
Indeed, I've been doing just that ever since Verisign broke DNS with their "sitefinder" stunt:
The "delegation only" feature works like a charm :)
I second that, some technical details please
not only on how they plan to serve the ads, but there is also no mention of what these requests were
you mention the browser was making connections to there - no matter what an ISP do they can not make a program on your computer just start connecting to random places. it sounds like he probably noticed it by the status bar showing loading from there or something similar, which would indicate that they are embedding something in to every webpage that is returned. If this is the case then it will certainly break at least some pages (i doubt they have found a flawless way to add arbitrary code to a web page that doesn't break the page in at least some circumstances, particularly with AJAX requests etc which may not be returning a web page to be rendered)
anyone any ideas as to the technicality of how they got the browser to make an outgoing connection to report on your activities?
or is it just extremely bad wording claiming "connections" being made, when it's actually just that they set the DNS servers to there (connectionless except for some rare large responses), so that was handling DNS lookups - and they are monitoring just hostnames resolved by you
Lets see how easy it is to opt-out
One should not need to opt out of this sort of stuff. One should have to knowingly opt in.
has it come to this? do we all have to start using encrypted anonymizing proxies, to stop our provider from selling all information about us to a third party, without our knowledge or consent? opt-out indeed. what's the benefit for the profiled?
doesn't the UK have a Commissioner to handle this sort of thing?
and i thought the US telcos were slimy.
I posted a short summery of this story to watchdog, plus links to this site and others.
I am awating a call back as I was out of my office when the reasercher called.
Please post your compaint at
As it looks like this may be a story that they are likely to cover.
If nothing else it may expose BT, and others as the skumbags that they are on tv.
I'm not at all sure why Phorm seem to be interested in DNS lookups. From their own description of their technology they appear to have access to all the contents of any non-encrypted HTTP traffic, so what is the need to monkey with the DNS?
What do they gain from this, other than perhaps using it to obtain some details from those who are trying to evade it's data mining by technical means?
Where does it stop...
I'd love to hear from any other BT customers who with experience of Phorm, perhaps it'll shed some light on just how this company is actually going about it. Tails of woe welcome on www.badphorm.co.uk
If BT have been intercepting details of your browsing habits then this may be a violation of RIPA http://www.statutelaw.gov.uk/content.aspx?activeTextDocId=1757378
In particular sections 1(1) and 2(2):
1. Unlawful interception.
— (1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—
(a) a public postal service; or
(b) a public telecommunication system.
2. (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.
Surely there is some kind of privacy laws being breached here.
If Facebook can take a kicking from the EU courts for far less than this, i'm pretty sure BT will be hauled into the courtroom soon enough.
Maybe they think its all too technical for the courts. I'd say that its pretty much the same as them installing a trojan on their customers computers to monitor their browsing habits.
Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"
Interesting that several high level Freeserve/Wanadoo/Orange employees (including the ex CTO) have been poached by Phorm recently and Orange have met with them but have (so far) decided not to go with Phorm.
It's at times like this I'm glad I run my own DNS server and all my browsers run Adblock and NoScript on Linux platforms. It looks like an investment in learning how privoxy and Squid work are required next.
A quick nmap of dns.sysip.net shows it currently only appears to be only running http, so it could be as simple as adding it to your /etc/hosts file and/or Adblock/noscript filters and you are safe.
Spammers are scum, spammers pretending to be legitimate advertisers are sum, and ISP that help them are scum.
I was just about to dump TalkTalk (for being shite) and I was thinking of going back to BT or possibly Virgin.
Lo and behold, they're all cavorting with spyware peddlers.
The sneaky, dirty bastards.
Well done El Reg and (tinfoil) hats off to Stephen for digging it out. I am really surprised this is legal and I hope they get a good kicking for it.
(well, for me at least) is this sort of behavior likely to be spread to the smaller ISPs that BT secretly swallowed in the last couple of years (Plusnet is one, I only found out 18 months after it happened!)
I wouldn't expect any direct communication from them on this, they're useless about giving their bill payers any information they actually need.
Paris 'cos she wouldn't know even if they told her...
Does anyone have any idea if this just affects BT Broadband customers, or does it include BT Wholesale customers as well - ie people whose broadband is supplied by resellers.
I would also be interested to know whether or not people on LLU networks are immune to the sniffing aspect. Although the redirect is done using BT Broadbands DHCP served DNS addresses, the LLU providers traffic still partially goes across BT Wholesales network.
Depending on how this is implemented, it's hard to see how anonymous the end user can expect to remain.
The blurb states that adverts will be linked to keywords in both the page title and page content of sites visited by the user.
If Phorm has access to raw HTML streams, e.g. via "anonymized" dumps of some sort from the ISPs transparent proxy or routers, then this will be very dangerous as next time the user visits a social networking site, unencrypted mail, eBay, anything which displays their real name will be cached alongside the "anonymous" id, creating a link to the real life person.
Obviously there are many other ways of implementing this without access to raw streams, but if the ISPs and Phorm do not come clean ASAP with intimate technical details, then a fair few people will have cause to write to the Information Commissioner with very real cause for concern that identifiable information is being sold without permission.
I urge all concerned with this to fully disclose how this system will work to pre-empt public concern.
I hope far worse happens to all those scum involved in this...I want to pull fucking heads off right now!
Dear El Reg, what about a nice security article for the masses, with instructions for workaround options?
Preferably in about ten minutes.
I'm switching to copper foil hats with an earth braid.
..details here www.badphorm.co.uk
DNS changes will not protect you. The optout only asks them not to use the data they have already connected.
Is it a crime to copy data on its way TO you as opposed from you? Thats what they are doing. Its not clear to me whether this can be construed as 'intercepting communications' . Presumably they are preparing there legal arguments now, which is why BT and Virgin are being so secretive about it.
If nothing else given the spyware and crookery provenance of Phorm who can have any confidence in their assurances? Phorm is a US company based in 'Dodgy Delaware' and its OIX ad servers are in China somewhere. So they can tell whatever lies they like about privacy and security and no-one can hold them to account. BT and Virgin should try to look beyond their greed and see just how horribly exposed they are too.
Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"
No, it's as if they bugged your telephone line, sent your conversations to a firm run by a guy who used to illegally bug phone lines to pick up your credit card numbers, played you audio adverts over your phone line in the middle of a conversation, then said "your data is safe because we say so."
... and added some junk mail after reading the contents.
But added unwanted crap in there.
The next likely scenario is : you pull up a page for a car manufacturer , only to see an ad for another manufacturer.
Or,f you pull up a page for something , it gets replaced by something else. After all , they can replace one element in the stream with another now ... ( based on your surfing habits of course )
This is clearly TAMPERING with the information stream. Class action lawsuit anyone ?
I als op wonder what the 'default surfing habits will be' for a new user ? Purple pills ? Lottery tickets ? We all know that's why people use the internet anyway. If they monitor email streams (thats text after all. and especially if you use a web based interface) they also pick up all these keyword in all the spam messages you get, so it won't be long before you get ads for all the stuff that is now beeing pushed through spam as well....
Even a grounded copper foil hat won't help. We're talking lead-lined , faraday cage, steel reinforced 10 meter thick contrete hats now ....
i got my scisor sready to cut the incoming ethernet cable intot the house ... let them try pushing their crap through my cut cable ...
assuming there are several people using a computer how do they identify the user?
if its a user specific cookie that identifes you, and contains the 'dont track' bit so if you block cookies you're 'opting in' so to speak...
thinking bout what happens when little jonny sees an advert 'targetted' at his dad from all them sites with pictures of ladies on.
sue the bastards for all they are worth?
I'm 'offended' etc.
or how long before theres a firefox extension that just randomises the cookie? sort of 'track this...'
ho hum.. still theres always TOR etc, this could work wonders for making people start encrypting connections.
oh and since i run a TOR relay would this mean i get ads 'targetted' based on other users preferences?
i think they will have trouble unless they provide a way to opt out once and for all, without the thing turning itself back on right away.
def like the firefox extension idea, this crap has been tried before, not at the ISP level though, hasn't worked yet.
I've never met anyone who has clicked on an ad, targeted or not. Most make some effort to block them, often just out of spite. So how does anyone make money from these things? Do they no longer count click-throughs? Is the idea now just to get some form of presence out there like a newspaper ad?
The fat man with the horns seems appropriate.
"no matter what an ISP do they can not make a program on your computer just start connecting to random places."
Of course they can. DHCP allows the ISP to tell your computer which DNS servers to use, and if you have not specifically entered your own choice of DNS servers, then BT will be able to push whatever they like down to you - which means that, if they so choose, *every single Web request* will be forwarded to a transparent recording proxy, and the data returned to you as if you were deliberately using Network Address Translation. In other words, if you use BT's DNS servers, they have total control over where your computer connects.
Surely the redirection might be considered to be a breach of the Computer Misuse Act, since no one gave authority ?.
in hosts file, along with about 10,000 other crap ware sites!
I hope that as more people realise what a heap of crap BT are, they will migrate away from them
I love the patents system. Could this be it? Names KENT THOMAS ERTUGRUL as inventor and 121Media as applicant. Published in Sep 2007.
"TARGETED CONTENT DELIVERY FOR NETWORKS"
im a little rusty on the subject but does Tor encrypt from the browser (firefox) all the way to the exit node so in theroy all the isp would see is encrypted data?
I’ve been wondering about the name ‘Phorm’. It’s only just hit me. I’m guessing it comes from:
PHishing by web fORM
That would make it an out-and-out in-your-face bad-taste joke. (I know it’s a bit rich for me to comment, given the name I chose to follow the word ‘By’.)
The Information Commissioner can take action against these companies.
I once carelessly did an image search for pictures of horses and have therefore viewed illegal images on the internet. I am concerned that this may become public knowledge.
...in this mess will be for BT, et al, to contract with the credit companies to match your buying habits to the ads you've been served.
Those who don't buy what's advertised to them like good little puppies will then see their broadband bills go up to cover "loss of revenue".
> does it include BT Wholesale customers (...) broadband is supplied by resellers.
Unlikely, I would hope, since BT would be treading all over their agreement with the reseller and that should certainly raise interesting legal issues (beyond those already raised!). Since this seems so far to be BT acting directly as the ISP (plus some resellers who have decided to play along), I think it would only affect BT customers who pay BT directly as their ISP. Unfortunately, more resellers may also join in after being approached by BT.
In the light of Ertegrul's claim to be 'talking to all UK ISP's', perhaps it's time for everyone to start asking their ISP what their position is with respect to Phorm. I've just squirted a query at the corporate PR droids for mine, though I'm not expecting much. Maybe El Reg could get the Pimply Faced Youth to stop surfing the pron and get on the phone...
This only affects BT Retail.
It sits in their service layer along with various other management tools.
I've met one of the folks at Phorm and I couldn't say I felt I could trust him.
OK, let's see mitigation includes:
1.Tweaks hosts file.
2.Wear the tin hat. (mine is x-heavy duty)
3.Wear the copper foil hat. (cost prohibitive, something about inflation)
I was wondering if there is anything that would actually work?
Can checking the 'opt out' box, assuming there is one, guarantee anything?
Why is it the company can do things I would be arrested for?
If they are going ahead with this, why the hell should I pay for their service.
Anyone know if using Tor would screw this up for the assholes?
if it is merely sing their DNS servers, then there is no opt out, there are no cookies - so it can't be that from the description
and in addition there was mentioned that the browser showed connecting to there, which indicates making a request to a URL on that hostname
there is also the fact that the system is listening on port 80 for HTTP, but not on 53 for DNS (although port 80 is immediately closed after being accepted for me, i assume as i'm not on a participating ISP... yet)
of course that hostname showing up anywhere means that the request was directed to it for something other than DNS purposes (you can't direct a DNS lookup to a hostname, chicken and egg problem - and it wasn't a reverse DNS lookup as no programs do those for that type of request, plus a reverse DNS lookup returns a completely different generic hostname)
any even basic research on what was happening from an effected connection would involve a packet sniffer, which would say exactly what was going where and what it was returning - which is why i expected such information to be easy to get from supposedly technical people (as apposed to "well i saw a hostname with 'dns' in it") about the only thing that can be ruled out is that it is in any way DNS related (due to firstly the fact that it showed in the browser, which has no idea which DNS servers your system is set to use when it calls API functions, and secondly the fact that it states that opt-out is for a single browser - which just monitoring DNS packets would only be able to tell you the users IP Address and the hostname they looked up not a specific browser, only way to tell a specific browser is using the HTTP cookies from a HTTP request)
I agree with Justin - I run a Windows 2003 box in my case that is my movie/music repository and a DNS server. Works great for me, I don't have to touch the ISP's DNS at all. Of course companies running even Windows small business server are required to have DNS for Active Directory. So in that instance as long as you go into the DNS Server and remove any forwarders (ie your ISP's DNS Servers) this provides the same.
If you use their software to install/setup your broadband, as most people would, then they get you with the licence agreement because as you know, everyone reads those.
Some internet adverts are useful, sites like everyclick.com use advertising to raise funds for charity. In fact the charity I run makes a good chunk of its income through everyclick. visit us at http://costellokids.com
My big worry is that such great systems of fundraising will be damaged as people move towards Tor and other systems.
I block 99% of advertising, yet for EveryClick and a few other sites I allow there adverts as I know how important they are.
I have not yet figured out how to allow Tor to allow advertising of my choice.
Does anybody here have experiance of products such as ghostsurf? Would this also be as secure as Tor?
I also wonder how long it will be before the security companies build blocking technology into the AV/Firewall products. Which will put an end to this stupid project by the ISP's.
My big worry is privacy for the work we do, as webmail is used by many of our members, and myself as it is so quick and easy to access. So if keywords are being used, from webmail pages, then there is a possible risk to the people we support, and by the nature of our e-mail it would be very easy to identify individuals. This is scary and I have contacted the information commissioner about this, as well as writing to my ISP's compliance officer.
I no longer have any trust in my ISP. The worry is that like all Bandwagon's all UK ISP's will quickly jump on.
It is a bad time for UK internet users and the privacy of all.
Wow. I'd like to see some technical details as well.
Here's some light relief. BT started spamming me a couple of months ago (web design and review services, for some reason), using an address I gave them for online account access. This got so annoying a few days ago that I tried to opt out. The opt-out link was dead, so I had to email them. The 'mailto' link didn't work either - not sure why, maybe Thunderbird gets confused when it sees a subject - so I manually constructed the (empty) email, using the 'mailto' address and subject.
A couple of minutes later, my mail is returned - BT has rejected it as...
Try again, with a body, still rejected as spam. Ring up the advertised 0800 number, shout at somebody, who politely tells me that he'll talk to his sales manager.
Got another spam from BT today.
... running your own DNS/Proxy etc, as all those requests still go through the ISP's routers on UPD port53/TCP Port 80 respectively and can be redirected/stored or whatever without you knowing anything about it.
I'm with Virgin at the moment (until I get Sky TV/Broadband installed next week - no more Virgin/Phorm, but probably a whole new set of problems!) and I know they use an 'transparent proxy'. This is a proxy that all HTTP traffic goes through without you having to set a proxy setting on your machine. You can tell it's there because if you create a web page that simply displays all the http headers it receives as part of a request from a browser, it shows the 'X-Forwarded-For:' header with my IP address. This is added by the proxy so the web site knows where the request originally came from. The IP Address the web server thinks the request came from (in this case 18.104.22.168 - no reverse DNS lookup for this IP address) is the IP address of the transparent proxy.
I once asked NTL to turn this off. I was told to call back and speak to a higher-tier engineer who could do this for me. It sounded hopeful, so this is what I did. When I spoke to the engineer though, he proceeded to try to tell me how to remove proxy settings from IE (as if I'd use IE - yuck)! A bizarre conversation followed, while I tried to explain what I actually meant, including asking the engineer to go to the page displaying the headers, and him getting confused because he thought it was some sort of error page. Doesn't say much about NTL engineers. He eventually understood, and then said it couldn't be turned off for individual users.
The prospects of turning this Phorm tracking/logging off for individual users is also unlikely. That would require some major additional processing from some routers, and a system for controlling the config of said routers. As that would be expensive and entirely counter productive to what they are trying to achieve. I think they are more likely to rely on legal arguments to justify what they are doing. Unless they back down from sufficient negative publicity, the only way this is going to end is in court.
Biting the hand that feeds IT © 1998–2017