Well done El Reg!
Great work being done here.
We've had a busy time digging into the deals signed by BT, Virgin Media and Carphone Warehouse to report your browsing habits to Phorm, a new advertising company. Here's the fruits of our labour, lovingly collected for your perusal. There are tales of the secret trials conducted on tens of thousands of BT customers without …
I run a BT broadband router with NAT, and sometimes several people sharing the connection. Hence they look to the outside world to be a single computer/user.
How can I be sure that inappropriate advertising content will not be delivered by this system? Others have raised the spectre of "adult" advertising being presented to children. What guarantees have we that the advertising will comply with the various UK-specific laws and codes of practice?
I would suggest that pre-watershed TV standards would be a good start. Are Phorm's customers prepared to follow British rules when they push adverts at customers of British ISPs?
A search for Phorm or Webwise on the Privacy International website shows 0 hits so what exactly are they supposed to have endorsed?
While the use made of the information for advertising may (or may not) be as Phorm describes, what prevents them from doing anything else with it? What ongoing oversight is there? (none?).
If these companies are so sure that the data is being anonymised, perhaps we should put it to the test.
Suggest prior to setting the ball rolling with Phorm, they should run a competition, open to anyone, to see whether someone can piece together details from what they intend to send to Phorm and play pin the tail on the customer.
If it's completely safe then there'll be no problem. They could offer the equivalent of an entire year's worth of profit from their deal with Phorm, safe in the knowledge that nobody will win the prize.
I just had a look at http://www.badphorm.co.uk. It seems the Phorm software was developed by the Russian Lebedev Institute which has links to the Russian security services. Combine that with OIX servers in China and you have the makings of a tense modern-day techno-thriller involving the KGB (yes, I know they've changed their name) and the PRC security services.
If anyone had written such a book/script last year, it would have been laughed at for being too far-fetched. There could be an interesting twist of a back story where the UK government had decided it was no good at this modern internet data thingy and decided to subcontract the job of surveillance to people who knew what they were doing.
As I said earlier, it's too far-fetched to be true.
..Mine's the one with the RFID tags hidden in the lining.
Having said that, thankfully none of the ISPs I deal with are involved so I can't do that myself...
There is one good thing to come out of this - I've just set up a TOR server on my colo box as part of my complaint (I've also chucked a message on the forum for my ISP), so there's now another 3TB/month available to TOR directly as a result of this debacle.
Seriously, police should march them out of board rooms and off golf courses in handcuffs come Monday morning.
They can waffle on about reviews and anonymisers all they want, the very fact that your browsing history is routed to a computer called the "Profiler" located in CHINA is reason alone to sound major alarm bells here.
So will the profiler look at my bank details to see if I can afford a shiny new car or HD telly and so give me an ad for one?
Serious questions need to be answered here. Fuckers.
One thing occurred to me on the way home - using TOR isn't necessarily going to help.
With the collection being cross-ISP, the vulnerability is NOT the one that TOR was designed to protect against. Indeed, the ability of the "exit points" to monitor your traffic is one of the stated limitations of TOR - it means that if anyone runs a server at the end of a line provided by one of the compromised ISPs then sessions could be "nobbled".
I wonder whether China's looking at this and thinking "Why didn't we do that?"
A reply from Virgin Media customer support (edited to reduce tedium):
I am sorry that the information that we are going to start using Phorm has worried you, here is some information to help give you a better understanding in regards to what this is.
A safer experience
Webwise will help customers avoid scams, such as 'phishing' - this is where someone pretends to be a well known brand, like a bank, but is looking to steal confidential information. [SNIP..]...identity theft. In this way Webwise helps to secure our customers' privacy.
A more relevant browsing experience
Another great thing about Webwise is that it can help reduce irrelevant advertising. As customers browse web pages, Webwise looks at things like search terms, and learns what topics might be of interest. This is done without collecting any personal information, so once again their privacy is protected. These topics are then used to help filter out adverts that might be irrelevant - instead they'll simply see an advert that will match a topic they're more interested in.
Don't worry, they won't see any more adverts than they currently do, they'll just be more relevant. [SNIP...]
Protecting customers' privacy
Webwise has been designed from the ground up to protect our customers' privacy and anonymity. As the system only learns about topics of interest, it does this anonymously, ensuring their privacy is completely
Neither the web addresses, nor search terms they use are stored. They are purely matched to an advertising topic and then discarded.
Webwise doesn't store their internet (IP) address or keep track of their browsing. The system or advertisers won't know who you are or the websites they've visited.
No personally identifiable information such as email addresses, surnames, street addresses, or phone numbers are ever gathered.
No sensitive or personal financial information, such as credit card numbers, login IDs, passwords or bank account numbers are ever gathered.
We found that this system met our high standards for simplicity and privacy - so customers' privacy is assured. These privacy standards were also verified independently by Ernst & Young who conducted a detailed audit of the whole process and Webwise solution.
Customers won't be forced to take up Webwise, so they'll be able to keep their internet experience as it is now...
That last phrase leaves it deliberately ambiguous as to whether or not users will be required to Opt In or Opt Out - I wrote back to Virgin Media to request clarification on this point.
...that is on the BT and Phorm sites. Of course the point is that whatever Phorm SAY they are doing now or whatever they showed E&Y IN THE PAST, there is no ongoing supervision to ensure that they don't just change their minds or just pass the information on to their spyware-purveying friends. BT and VM actually have no idea what else will happen to our data, no way of checking and no possible way of changing what is being done should they not like it. At the moment they are just happy to take their 30 pieces of silver and run. It is utterly despicable, but why do I suspect that once Brown and his goons wake up to this, their first reaction will be 'hmm, how can we get a copy too'....
"So will the profiler look at my bank details to see if i can afford a shiny new car or HD telly and so give me an ad for one?"
It's far more likely that a Phorm employee will set up a direct deduction from your bank account to a bank in China, Joe.
I'd give up online banking immediately, if I were a customer of one of these three subsidiaries of the Red Chinese Army.
Remember the SETI project - loads of computers spending spare processing time wading through data?
Could some bright spark come up with a 'Phorm-Feed' project? Spend night and day firing off spurious URLs to small data sources, filling their wretched database with completely meaningless data?
It will be opt-out, and in such a way that you have to keep opting out, otherwise there is no money in it.
The requirement to have a cookie to say 'opt out' is evil, since that's soooo easy for anti-spy programs to nuke accidentally, and then you forget to reset it.
With Adblock etc. I'd never see the ads, but I object to the tracking.
Data Protection Act?
Will it be possible for users to identify Phorm-selected ads?
If so, could an Adblock filter be written to *highlight* those ads?
And if that came together, how long would it take to devalue Phorm if [a large number] of VM/BT/TT users clicked on every Phorm-served ad whenever they were fortunate enough to see one?
Every ad. Every time.
Just wondering, like.
Here it is, should anyone be interested:
Yes, I realise the irony of starting a group on facebook, a site which is notoriously shady in terms of privacy issues etc., but it is a powerful social tool after all. I just hope facebook members glance up from their lame Vampire/Werewolf fight applications long enough to notice something important going on.
We do not use this information to:
identify individuals visiting our website; or
analyse your visits to any other websites (except that we do track you if you go to websites carrying our banner, but we do not identify personal details while we do this); or
track any Internet searches which you may make while on our website.
I have a BT connection and luckily the name on the account has been misspelled, and thus I will know when and if such data is released to a third party to send me email or mail spam. Are BT saying that they are NOT disclosing data? If I receive anything under the misspelling I will be looking deeply into it and will contact the Register.
To use your analogy... There's a story (I believe it is true, but don't guarantee it) that a letter was delivered "to the girls sitting on the back of the 6:30 bus from 'A' to 'B'". The postman never knew who the girls were, but got the message to them... In the same way that Phorm won't know who you are, they will know that you're interested in hairy German bottoms - and therefore send you appropriate messages.
EVERY comment from one of the companies talks about what is stored, not what passes through - quite apart from the security of my data from Phorm, how about my security from someone hacking phorm's network(s) and/or devices?
95% of unencrypted web traffic is now going to be going through some very well defined pinch points that are all running the same software... Perfect for MI6 (if you want to stay within the law) and/or ID fraudsters (if you want to include the not so happy people) and a complete and utter "no NO NO!" to all security advice around. All anyone has to do is see a single email in your gmail/hotmail/a.n.other folder, and the anonymity is all gone.
I've picked the helicopter because I hope, REALLY HOPE, that I'm being paranoid.
We currently run their top whack option with BT Vision, but recently the quality and reliability of our broadband (and supplied equipment) has fallen well short of the mark, but this is just plain wrong. I wonder what that other bastion of privacy and advertising thinks about this - has anyone heard from Google? Surely their ads being swapped out isn't going to make them very happy, is it?
Where the hell is the Information Commissioner in all this?
As usual toothless and doing NOTHING, probably because not enough people are complaining.
I think one's browsing habits count as personal information and should NOT be sold without express written permission. The IC should also ensure that such permission is NOT included in ISP Terms and Conditions as this would clearly be an UNFAIR CONTRACT TERM.
I encourage everyone to make a complaint to the IC office at this address:
If I send and receive text messages using my mobile phone, my understanding is that they’re afforded a certain amount of protection from general, unwarranted snooping. Sometimes, I send and receive text messages using a standard web browser to access the web portal of an Internet-SMS gateway provider. If my messages have protection while being routed across the mobile phone networks, why do I suddenly lose that protection when they hit the Internet-SMS gateway?
I don't mind having targeted ads as I ignore all online ads anyway, just a fact of life, like the ad breaks on TV, just ignore them. It is the fact it is happening without me being asked and stored, and that ALL my online activity is being logged, not just then but for later use.
A cookie is one thing, taking that and storing it is another. And storing it overseas is even worse.
And that this might happen using MY BANDWIDTH for the privilege is even worse than that, me paying for them to get more money. Then sending me emails to warn me of a limit I might be exceeding...
This must be a breach of contract.
You want to COMPLAIN to some Government (no)Body who's probably on the payroll / a shareholder of one of these corps?
Seriously, that's why they're getting away with it; everybody's whinging to some ineffectual dullard instead of canning the direct debit on the spot, and pointing out how they're breaching UK and EU privacy law, and their own T&Cs, when they sue for breach of contract.
The EFF exists for this exact reason.
Lot of noise from the personal data crowd, which I understand. Having read the wealth of info here is anyone worried about the content owners?
On first reading, it seems that adverts will be REPLACED or OVERLAID with OIX adverts. Did I read that right? As a content owner reliant on revenue from advertising on my site, is it really going to be that someone is replacing the adverts I chose to show with their own? If so, is this legal? What about the copyright protection? Is this opt-in or opt-out by the site? If I'm opted-in automatically when I own the content I'll be hopping mad to the point of litigation. You can't just go and paste your own adverts over mine and collect the revenue.
I must be reading this wrong. Why has the mainstream press not picked up on this? Has The Register got its facts wrong?
The Phorm ads will only appear on OIX/Phorm signed up sites. If you're advertising on a site which isn't signed up with OIX/Phorm then your ads should be unaffected.
If your ads are on an OIX signed up site, I guess it's up to you to do a deal with Phorm or the site owner as to the exposure you want.
Aside from complaining to the ISPs, the ICO and OFCOM, let's fill Phorm's system with spam. I'm in the process of writing a script that will be run by cron to access various sites at regular intervals. Simple case of using wget, as I imagine it won't know the difference. The only thing to change regularly would be what you 'are' viewing.
I'm guessing that all the collected information will be used to create profiles for the most likely target audiences within those not being analysed by Phorm, i.e. those who have ISPs with scruples.
If enough people fill the system with utter rubbish (one min I'm viewing a car site, then I'm viewing a clothes site, then looking at holidays, then credit cards, then back to cars and so on...) then the system won't be profitable to Phorm. Even better, set up a spider and create your own search database ;-) that'll flood their system quite well.
Paris cos, well, do I need a reason??
After at first denying any partnership with Phorm, TalkTalk have replied to my complaint, stating:
"I can advise as previously stated PHORM are unable to access any personal information without your permission. The service they are offering is called Webwise, although they are able to view your browsing history, they are unable to recognise who you are through this
Can anybody help with a suitable rebuttal of this nonsense? It's like doublespeak. Surely anybody could be easily identified from their browsing history? What makes Phorm "unable" to do the same?
Hope, like the rest of us, that the media and/or regulators will get the ISPs to climb down?
I totally share your frustration, but it seems almost pointless to try and argue what is quite a complex point (but nevertheless important - with wide-ranging implications) with support representatives who aren't that technically/legally trained.
I'm encouraged by the number of people commenting on these stories; write to the Information Commissioner's Office, sign the petition http://petitions.pm.gov.uk/ispphorm/, write to the RIPA Commissioner and your MP, write to press and news agencies...
Get the facts into the public domain and hopefully these issues will be tackled by the people who have the power to fix things, not the overworked customer support representatives...
Call me cynical, but I bet what they are going to do is base their choice of ads to serve you entirely on your interaction with search sites.
It's going to be a lot easier to identify somebody's interests from their search terms and click-through than anything else.
You could see this as an attempt to undermine Google by getting access to their raw data.
There are two parties to every communication. They may be able to claim that the user has opted in, but the website sure as hell has not. If I were Google I would sue them to make sure they don't intercept anything from my site.
Of course they probably want all the other data as well, not to target ads but to sell on. Even anonymised, that data is valuable to somebody.
Of course Google and all other search engines profile you, but that is in my mind the right side of the line. You chose to use Google, a free but valuable service, knowing that in return they will serve you adverts and take some interest in your personal data.
In mitigation, you know a.) you can delete your cookie every day or every visit and the link will be lost, b.) Google have a well stated policy not to give your information to anyone else and c.) they only have access to a small portion of information on your web-based activities, namely search.
Contrast this with your ISP, who you most likely pay for a service, who are in a trusted position with access to your entire (non-encrypted) web-based activities and have a legal obligation in most cases not to share personal information, and now intend to a.) not only profile you but share this information with a third party and b.) in the process of doing so, potentially interrupt the service you pay for by intercepting private packets in transit between 2 parties without any consent, and injecting additional information (cookies) without consent into such transmissions. The interception element from a protocols issue is beyond belief; that's why I'm so truly upset about this whole debacle...
A few people have commented on the various Phorm stories relating to when the news may break in the mainstream press and how this publicity will affect the ISPs involved.
I've spoken to a few very well placed friends in the media who've alerted me to their concerns.
Firstly, the issues are too complicated to spin simply to the punters. They can't just say "all your browsing history for sale" without the guys from Phorm and ISPs coming back with a glossy right-of-reply which will knock down the claims and lead the correspondent into detailed technical arguments that will lose the majority of readers.
They're basically waiting for someone to act before they report, e.g. a regulator, a legal challenge from a consumer group etc. Without clear allegations from a sufficiently respectable body there just isn't a story.. apparently.
Secondly, it appears according to this article that many national newspapers are involved in OIX-type advertising:
Phorm could be here to stay.
One minute it's top of Tech-news with a link on the front page, the next it's nowhere to be seen? Have the legal brigade been dispatched? For those who don't know, it was printed on the front page of the Technology Guardian supplement this morning (Thursday), so a bit like horse and door and stable and bolted...
Top tech story at the Beeb. Shame that they don't really seem to appreciate just what BT et al and Phorm are proposing. And no mention of Phorm's shady past either. Oh, and no way of commenting on the article itself.
Looks like they feel they have to report but aren't looking to start any kind of real debate on the issue.
Paris - because I can't imagine her having much thought for the consequences either. Or much thought at all for that matter.
Biting the hand that feeds IT © 1998–2019