Broadband big boys waiting on data pimping

First of all

Zen??? You are all being very bloody naive if you think just because Zen say something that it is actually true (or any other company for that matter). Zen made very bold public statements about FuPs, Throttling and Bandwidth Caps for the 4 years I was with them claiming it would -never- happen with Zen, then ADSLMax came along and Zen introduced what has to be seen as one of -the- worst FuP/Throttling/Cap systems ever witnessed on the internet where they cut you off if you got 1byte over your cap and hold your connection ransom to expensive PAYG top up tariffs. If you don't want to pay their ransom, you get no internet, period. Whereas most sane ISPs simple throttle your connection down to a slower speed until you either pay them more money or your next billing cycle starts. So Trust Zen? No thanks after 4 years of being a fan boy only to have that trust destroyed by their lies I would rather remove my testicles with toe nail clippers.

Secondly...

Phorm clearly -has- to at least use IP data in order to deliver their ads; how quickly the world seems to forget that in the last 2 weeks (pretty sure it was just in the last 2 weeks) the EU have categorically stated that IPs are personally identifiable and must not be used to track. The Register itself ran an article on the EUs attack on search engines for retaining search data against IP for exactly the same thing Phorm are trying to do (more appropriately target ads). This move by the 3 ISPs to use Phorm is quite simply illegal, there are no ifs or buts, it breaks a number of laws.

1: RIPA - Yes this breaks RIPA, an Act that normally breaks us is for once proving useful.

2: DPA - Yes this contravenes DPA which states that data collected by a company (as data controllers) is only permitted to be used specifically for the purpose of your contract/service with them and may not be passed on to 3rd parties.

3: Human Rights - The right to privacy in our home lives and communication very clearly this activity contravenes such rights.

4: I am pretty sure that EU antispam law (although I can't remember the exact title of it) requires that people "Opt In" as opposed to being automatically opted in with a chance to opt out. This is why all the forms for credit applications and consumer level services etc. have changed over the past couple of years to get explicit consent to pass details on to third parties as opposed to explicit refusal. These check boxes used to have something like "If you do NOT want us to share your data with 3rd parties please tick this box" which has now changed to "We may at times share your data with partners and other members of the BT Group please tick the following box if you consent to this." (BT is used merely as a placeholder).

So lets quit with all the crap and actually deal with this in the appropriate way, the courts. BT have already been shown to have trialled this service without receiving the consent of their customers first, which means they have already broken the law and a class action should be started to hold them accountable.

Seriously, it is about time you lot grew some God damn bollocks instead of just whining in comments to news, on blogs and in forums. I have never been more ashamed to be British than I currently am. These companies only get away with this type of illegal behaviour because YOU (as in a national WE) allow them to. You all complain but can't be arsed to do anything real about it and then wonder wtf this shit happens in the first place.

WAKE THE HELL UP!

Here's how it works

(I think, having read all the blurb on the Phorm site...)

1. All your browsing (URLs, content but not https) is routed via Phorm's server. Presumably due to bandwidth requirements it's physically there in the ISP datacentre (like a wiretap).

2. Phorm's server sends a unique cookie to your browser, analyses your web traffic and "categorises" that browser in real-time based on your surfing habits (actually 3x an hour, maybe). It then associates your browser ID with your assigned "category".

3. The OIX database (ad server?) then watches for that cookie ID and injects "relevant" ads into your http data stream based on your current category - either replacing existing ads or even inserting new ones (not entirely clear on this). It may also pass on your cookie ID and category to third parties to that they can do the advertising directly.

So no, forget any swanky DNS tricks or ad blocking. What the ISPs appear to be doing is allowing a trusted (hah!) third party access to all your surfing content. Phorm claim this "cannot be used to identify you because it's anonymous and we ignore phone numbers and email addresses and IP addresses". Bo||ox. Just one snapshot of a non-https gmail session is enough to identify anyone...

To me this appears to be in blatant contravention of TalkTalk's privacy policy, which states that they will not disclose personally identifiable information to thrid parties except in a very specific set of circumstances.

PS: The service does not appear to be live yet on TalkTalk (you can for yourself by going here: http://www.webwise.com/privacy/can-choose-NA.html). You might want to keep checking, and be sure to let your ISP know what you think about this.

Information Commissioner

As soon as I heard about my ISP (Virgin) and the other two of the "big three" getting into bed with Phorm I contacted the ICO by telephone and had a very useful conversation with one of the ICO reps. They mentioned I was the first to raise the question of the "legality" of this "service" with them and they asked me to write to them with as much information as I could provide: which I have done.

When I receive their report I will forward a copy to the Reg.

Splat

As an aside, there is a satire by the Roman playwright, Terence, called Phormio in which there is a character (of the same name) described as a 'scheming parasite'. How very nearly apt.

I think people are getting a little over excited...

...about this. If anyone uses a Tesco's Clubcard then it's much the same thing.

It sounds to me like it's just about giving you more targeted adverts as you browse which is hardly the crime of the century. Use an ad blocker if you don't want to see the ads.

Not sure?

If they inject adds into a web page are they breaching the copyright of the web page / web site .Also are they in breach of the spam control laws by sending you averts that you don't request?.

random si good

''One little script constantly downloading (but not rendering) random web pages should be enough to make the collected data worthless and the increased traffic would piss the ISPs off too.''

It seems that me that that is the best option to date since Phorm won't have any statistically relevant information so either they will send random stuff and that would be funny or they would realise that you're feeding them an inhuman number of pages per second and they would just give up. In any case, in makes you a little more anonymous. I guess something of the sorts doesn't already exist but it could be pretty simple to make, I guess.

Anyonw know of any of this sorta shite is going on in Canada (If for example, Videotron sold out even more than usual ?)

Does anyone know where this information is being sent.

Does anyone know the exact url or ip address this information will be sent to or served from. Because if so why not do the simple thing to stop these ad's coming through to you, by adding a entry in your host file that points to 127.0.0.1. That way the ad's should not then reach your pc.

Bill cos his a devil like phrom

How it works

There's no 'injecting' going on here. Adverts on most websites are currently served from one of a handful of advertising networks (Tradedoubler, CJ etc). What Phorm are doing is allowing these ad networks to direct adverts at a particular user using knowledge of previous websites they have visited and adverts they have clicked on etc.

So the content of the website isn't being altered and the website owner has placed and configured the adverts themselves. As Phorm themselves say:

'The user doesn't see more advertising, just more relevant advertising.'

It really is no big deal. And for the people saying that they don't want their web surfing to be monitored and logged, I'm afraid this has always been the case and always will be. You'd be better of visiting a library if you're not happy with this concept.

No way to opt out

Forget about the ads. There is NO way to opt out of the interception of traffic unless the page you are looking at is delivered over https (a very small percentage of pages)

No matter what your preferences are for targeted advertising, ALL of the contents of EVERY page you visit WILL be copied off the wire and sent to Webwise/Phorm servers, which are apparently located in China.

This includes the contents of any cookies being sent, the headers of every page, the contents of any form submissions, any postings to message boards, online forums, web chats etc. and any private webmail you are reading.

There is no way to opt out of this. You can only opt out of receiving the advertising.

@ Mark

Not quite. When you go to Tesco, the data stays with Tesco and their privacy policy (presumably) does not allow them to sell data on your shopping habits to third parties. Plus, the Data Protection Act requires them to take care of this data.

In this case, the ISPs are unilaterally allowing a third party to come in and snoop your surfing habits and sell this private data to who knows. In the contract with your ISP, I would be very surprised if you agreed to give them permission to sell/pass on your surfing habits to third parties.

That is the problem here: they are doing something with YOUR private data without your permission. They are specifically not allowed to do this by law.

@ Jon

Yes, an https proxy should should do it.

According to Phorm, "[the] technology does not view any information on secure (HTTPS) pages"

More here: http://www.phorm.com/about/faq.php

And another thing ...

Webwise has had a couple of mentions above, so I went to have a look at their site. They claim "to offer [a] combination of security and customization benefits." The security being anti-phishing. Run "by" BT and TalkTalk. On their FAQ page I found this:

"What is Webwise?

"... that is designed to provide a safer, more personalised Internet browsing experience. ... ... Webwise also replaces a website’s generic ads with ones more relevant to your interests, based on your browsing behaviour – while remaining ‘blind’ to who you are. ..."

How it can be "personalised" and "'blind' to who you are" at one and the same time is an issue that has been raised before. Of course at least one of those statements must be a deliberate lie.

What really puzzles me though, is how "replaces a website’s generic ads with ones more relevant to your interests" can be anything other than outright fraud on the publisher of the original web site. Especially if they are paid on click through.

It seems to me to be on the same level as Microsoft's one time "feature" to pop up their own adverts on any page rendered by IE6 regardless of the site publisher's wishes. This is the cause for many to insert the meta tag

<meta name="MSSmartTagsPreventParsing" content="TRUE"> into their pages.

@ I think people are getting a little over excited...

It is for that reason that I choose not to have a Tesco loyalty card, and to shop there using only cash. At the time of writing, these are perfectly legitimate options.

But customers of BT, TalkTalk and VirginMedia are being told in effect that loyalty cards are mandatory, that they come as an integral part of the "service"!

Until ...

... Chris Williams and the rest of the Vulture Central team get back from the pub, sorry, Register Research Institute and Archives with a concise, well researched and relevant exposé into how this works, we won't know anything concrete or lager flavoured.

From my skimming of the patent application mentioned above and the Cable Forum thread on this subject it looks like Paul Barnfather has the closest grasp on what MAY be the actual mechanism

However, his 1st point may not be correct, Phorm state on their website that "Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information." The implication being that they may receive the https pages from your ISP. As to ignoring numbers longer than 3 digits - All your postcodes are belong to Phorm.

A proxy on it's own won't work, https or otherwise.

Tor will work, but will impact on your page loading times, as will JAP

Firefox users can use either TrackMeNot or RefControl to obfuscate the search data being sent Phorm by making it so noisy as to be useless, but the information will still be sent to Phorm by your ISP

The web ads being served by Phorm can be opted out of, but this requires you to have a cookie placed on your machine, if you nuke your cookies during housekeeping you have to go and opt out again (or after about 2 years as the cookie has a roughly 760 day expiry time). This will not stop your information being sent to Phorm by your ISP

As mentioned previously there is a lengthy thread on this at Cable Forums ( http://www.cableforum.co.uk/board/12/33628733-virgin-media-ad-deal-updated-see.html ) if you've got the time to read it

@ not sure & co etc etc

The ads will be selected to be displayed in the space of advertisers already signed up to OIX.COM. So there are other big names knowingly or unknowingly signed up to this - FT.COM for example - who are already buying advertising from OIX.com but who will be able to build simple scripts that parse the contents of your browsed web pages and use that to choose exactly which ad to display in the OIX space. Other adverts will not be affected. So the REAL issue is do we want them to have the content of all the web pages we choose to access. The advertising changes will be minor from our perspective.

DEMON INTERNET IS THE BEST

I have been with Demon for a long while now and cannot fault them in any way. They are as truly unlimited as you can get on a home package nowadays, fair use applies to the top small percentage (3 i think) as calculated over a rolling 10 day period, though it seems imperceptible to me, and I would describe myself as quite a heavy internet user.

Their privacy policy categorically states that they will not hand over your info including IP to third parties (apart from contractors for their own internal purposes which is then immediately deleted) unless under a court order.

They are Faultless in my mind, having had no problems in a couple of years. I have never heard any grumbles from other demon users.

I love the internet!

People get a snippet of info and then make the rest up!

No one is going to alter the contents of a web page to insert adverts - the web site publisher has to be in on this too (it explains all of this on the Phorms website). It simply changes the adverts which are served from the ad agency which the particular website is using. It won't affect all websites - it depends who they are using to serve their banner adverts etc.

Websites already do all of this via cookies anyway - this just sounds like a more efficient means. And the data is anonymous as Phorms will never know your personal details.

There really is nothing to see here - move along.

@Mark "There is no injecting going on here"

The Phom website implies otherwise:

"The OIX uses data from ISP pipes to upgrade the generic advertising on websites with more relevant ads. These ads will be viewed by that ISP's subscribers who are most likely to be looking for the advertised product or service based on keyword patterns in their browsing behavior. "

@ Mark - get your facts straight!

Some people have put a lot of effort into researching this and you would do well to study the facts before dismissing them as unimportant. You are right that many adservers dynamically select the ads to display. The difference in this case is that the entire text of the web page will be analysed in order to select the most appropriate ad. However this is till not the main issue. The main issue is that a company with dodgy credentials operating outside of the UK will have a full copy of every web page you retrieve including for example webmail, search terms, form fields which may include personal information, etc. The very fact that they say that they will ignore numbers longer than 3 digits shows that they have access to them and there is no regulatory body to prevent them from for example harvesting social security numbers and passing them to their Russian spyware-pushing friends just as they have previously done under their '121' incarnation .

@ Mark

Yes, having read El Reg's latest analysis you're right - there's no ad "injection" going on here (other than the Phorm cookie, which *is* injected). They seem to be replacing generic OIX ads with targeted ones. So if that is true, it's apparently no worse than DoubleClick.

BUT they are definitely passing your (private) web traffic onto a third party for "processing". Even if they claim to delete this stuff straight away, this is an absolute no-no as far as the Data Protection Act is concerned, and almost certainly violates the ISPs own privacy policy (until they change it, that is...). Even so, you simply cannot pass on copies of private data to a third party for any kind of processing without consent of the individual concerned.

@Mark

Bollocks to that.

The issue of receiving advertising is a red herring. There are two real problems here:

1. Portions of your web traffic are being copied and sent without your knowledge to a third party other than your isp, potentially to another country. These copied packets could well contain items of private information even if the packet which contains it is supposedly anonymous.

2. This system clearly involves some kind of lookup to the third parties servers from the web server where you are requesting a document. Obviously this is going to a - add latency to your web browsing, and b - artificially increase traffic on certain network routes.

@ all the people replying to Mark

Reading his different posts, it sure sounds like our friend Mark is astroturfing for Phorm - conveniently skirting the issue of data collection and harping on the fact that we'll just get more interesting ads.

Let the FUD begin !

Injection a red herring, illegal interception the issue - and how to punish your ISP

Yep, I really dunno how anyone who's been following the story could think they're going to inject anything into your traffic, but that's not the point; this is an illegal wiretap. Your ISP does not have the right to snoop on and forward your traffic to a third party any more than BT has the right to listen to all your phonecalls. The fact that they're only listening in order to find out what you're talking about so they can sell that information to advertisers is not an excuse under the RIPA.

And the best way to get revenge on your ISP is to hit them where it hurts, in the pocket. Closing your account and moving to another provider is one way to do that, but since the ISPs are doing this in order to subsidise their costs, another way would be to keep your account and start using an encrypted anonymiser such as Tor. That way you're still costing them the overheads but you're not giving them any useful data they can sell to defray them.

I do know something about it...

So, I have Virgin their 5 days. Yes, they are doing it. No, its not opt in. Or opt out. There's no opting about it. (Disclaimer: he said that he would check that). He understands my concerns about privacy. However, there are "no pricacy worries". "No private data is collected"...sorry, but the contents of my e-mails are private. He is sorry Virgin hasn't told customers sooner, and offered to file a complaint with Ofcom. I'll leave that one till the next call...

@ Aristotles slow and dimwitted horse

I would sign the petition, but you failed to provide the url.

I've just looked for this e-petition on the http://petitions.pm.gov.uk website, but searching for Phorm, revealed no petitions, and scanning through all 161 petitions in the "Information and communication" category also turned up nothing that seemed to be about this issue.

If there is a petition, could we have the url please? I would create one, but you seem to imply that one should already be there and I don't want to duplicate the effort...

TalkTalk denies any partnership with Phom!

Just got this back from customer services.

I quote:

--

Thank you for your e-mail regarding a possible new partnership between

TalkTalk and Phorm.

I can confirm that TalkTalk is not in any partnership with this company

and all data from our customers accounts is kept confidential and is not

shared with any other company.

--

Interesting, huh?

@ everyone replying to me

Perhaps the reason that I'm not bothered by any of this is down to the fact that I don't regard web browsing as in anyway a completely private activity. I browse at work where my company can easily monitor the websites I visit. I browse at home where Virgin Media log every page I visit and will turn this info over to the police at the drop of a hat.

I'm certainly not going to lose sleep over a company sifting through my web activities anonymously in order to provide me with more targeted adverts, which I think on the whole is good idea and the future of the web as it stands today may even depend on such mechanisms.

Sites such as The Register rely solely on advertising in order to keep running free of charge - they do not run on fresh air. So would you rather have targeted advertising or have to start paying a subscription? You may believe that paying a subscription to The Register is worthwhile, but how much is a fair amount? £10 a year? £25 pounds a year? And how many websites do you regularly visit? That could add up to a lot of £25 subscriptions. If every site started charging a subscription then the web would be a very different place. Being able to dip in and out of websites would become a thing of the past.

I know from personal experience that ad banners produce very little revenue for websites. I also keep reading how apps such as the BBC iPlayer are costing ISPs far more in bandwidth costs than they are charging customers. All of this is going to come to a head at some point and initiatives along the lines of this Phorn one are, I'm afraid, inevitable. In my opinion it's naive to think otherwise.

And no, I am in no way affiliated with Phorn, who from reading the other Reg articles on the subject do sound a little dodgy. But the major companies involved in this will not be doing this lightly as they really do not want to start losing customers (especially Virgin Media!). If people want the internet to remain 'free' then some form of compromise between customers and the ISPs is required and this sort of initiative is really only the start of it.

Good point Mark.

So I guess that you're OK with all your snail mail being copied and sent to an advertiser in China (Anonymously of course. We remove the envelope, so it's anonymous).

Your browsed webpages are already monitored by your ISP. Right. But they have a legal obligation to keep it secret and not to misuse it. Phorm doesn't have any obligation, of any kind, and they'll see all your e-mails and all your visited webpages, including data in forms, all nicely tied together by your "anonymising number". So in less than a week they are bound to have your full name, email adress, street adress and phone number, associated with the complete coordinates of your friends and family, and with the content of the pages you browsed (including whatever you bought, and what it was worth).

Anonymous indeed. If you do use online banking services, they'll also have your full bank credentials (they say that the system "doesn't use" large numbers, not that they won't get them... but not use them. Of course. Plus, even if they truncate large numbers now, I bet that noone is going to notice if it's later changed, during a "routine maintenance" or a "firmware upgrade" for example.) And no-one can do anything to prevent them to re-sell all this information to anyone. Or dry up your bank account themselves, followed by a quick run towards the Cayman Islands.

Actually, it's even worst, because as they operate from China, they might just empty your bank account and get away with it whithout even having to hide. Who is going to analyse their servers to prove the fault?

As for the internet being free, you might find that it's not the case at all. You pay to browse it, you pay each time you access an ad-funded site. That's not the main problem. No-one here pretended that the ads are the major issue (though it's bound to be annoying at least).

Methink you should also buy a few spare Winsta packages, you know, just in case your computer crashed.

And get some KY on the way back, you're gonna need that.