Top security firm: Phorm is adware

Waiting for Eclipse confirmation...

... I'm waiting for written confirmation from Eclipse whether this is a twinkle in their eye or not.

How's this for an idea?

You create a phishing copy of a site that is signed up to serve Phorm's advertisments, say, oooh off the top of my head FT.com. Now we know that the FT probably don't employ the same sort of protection as, for example, a bank so the phishing site will stay up longer. Now our baddies have a site where they can insert phoney ad's saying

"ALERT ALERT WEBWISE IS OFF - CLICK HERE TO TURN ON"

and your average slack-jawed, pregnant, benefit drawing yokel that seems to more and more common in this jewelled Isle is ripe to be served all sorts of nasty things.

Just an idea....

@Here's an idea....(same poster)

Just occurred to me.....the average yokel wouldn't be going to the FT.com site anyway so that was a bad example, however....how do you know if a site has signed up to Phorm anyway? You can create a phishing site of anything and insert a "Webwise is off" alert and so back to my original hypothisys....

Again, just an idea....

Phorm and ads

As I understand it, Phorm intend to include ads only in webpages of sites which have agreed to their terms, and not any other websites - much like the ads in El Reg pages.

The adprovider may not be El Reg itself, but when you call a webpage it also calls the ads up from the separate adprovider.

Phorm's problem is that in order to individually target the ads to you then they have to know something about you; or if "you" is anonymous then they have to know something about "your" web browsing history - which information they can only reasonably get by illegally intercepting "your" web traffic.

-

As an aside from this, but in re online advertising in general, there is an ambiguity in RIPA which might affect Phorm or even El Reg - there are two possible interpretations of section 2(5)(a). These are known as the "conduct" and "comprised" interpretations. As yet neither has been tested in Court.

RIPA section 2(5)(a) says that conduct is not interception if it is:

"any conduct that takes place in relation only to so much of the communication as consists in any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted:"

Briefly, the ambiguity is whether the "for the purposes..." phrase refers to the "conduct that takes place..", or whether it refers to the "traffic data comprised..".

If "for the purposes... " refers to the "traffic data comprised .." then it would mean that any use whatsoever of traffic data can't ever be interception - but if it refers to the "conduct that takes place .." then it is only lawful to intercept, look at it, or give out, traffic data if it's done in order to facilitate the transmission of that communication (or for other RIPA-acceptable reasons.)

Personally I favour the "conduct" interpretation.

This would not preclude El Reg etc from including advertising; but it would prevent El Reg from telling the adproviders which IP to send the ad to - they would have to pass the ad on themselves from an El Reg IP address.

Which would probably be quite a good thing overall - but might make ad accounting harder. However RIPA is not clear on this point.

Virgin runs away

They finally realised I wasn't going to stop emailing them and sent me this address:

"Hi there,

Thanks for your email to Virgin Media.

enquires of this kind will need to be made in writing to:

customer loyalty manager,

customer concern,

concord house,

concord business park,

threapwood road,

wythenshawe

Kind regards,

Tech Support Agent

The Customer Concern

TeamVirgin Media"

Now it's time to reply to them and complain about the lack of capitalisation.

how to beat them

there seems to be only two ways to beat this,

1:- vote with your feet and migrate to a new isp as soon as the new contract arrives on your screen

2:- everybody block the cookies from phorm / webwise (less effective as your data is still being profiled)

these are the only two options that kill phorms (and the ISP's) revenue stream

any other method puts traffic through the system and provide both phorm and ISP with saleable traffic no matter how rubbish the data generated is

Re: any legal eagles out there

Will I do?

What Phorm and BT plan to do is interception, and it's an offense under section 1 of RIPA unless both the sender and intended recipient of a communication consent to it's being intercepted. In practice this means both the user and the website owner have to consent, and that simply ain't going to happen.

All the "maybe"s in the Home Office guidance have already been discussed to death elsewhere, and a long time ago, with the general conclusion that none of them have any chance at all.

Simon Watkin, who has taken part in many of those same discussions, knows the consensus view well, and I simply can't understand why he'd give out such "maybe" advice - afaik almost no-one else thinks that any of these excuses have any chance whatsoever in Court.

Of course, while Simon is very good at words, and is to some extent good at the laws he's had written - though he didn't write RIPA itself - he's fairly darn clueless about the internet (and cryptography) in general.

I know Simon quite well, so I'm not going to suggest that he may have been bribed - I think he's a straight arrow as far as that might go - but he does seem to have been eating Phorm's PR cookies. :(

To recap: there are three possibilities which might make targeted online advertising, with the targeting being based on observing the target's webtraffic, lawful:

*First "maybe", that it's not interception because no "person" is involved if it's done by machine. That's nonsense, the ISP or Phorm is a "person" as far as the Act goes. In a very similar case, the ICO has said that automated virus scanning is interception (but legal interception under 3(3)). It is also contradictory to s.16. This "maybe" argument is garbage.

*Second "maybe", that it might be lawful interception under 3(3), which says interception is legal if it's done for the purposes of the telecommunications service, ie the transmission of communications.

This is how virus scanning is legal - your computer is considered to be part of the system when it is being used to communicate, and protecting it from viruses is necessary in order to ensure the communications get through. There is a similar, but weaker, argument for spam filtering being lawful under 3(3).

However Phorm/BT looking at your webtraffic is not done in order to help transmit your communications, it's done in order to target advertising, so this argument is garbage as well.

*Third "maybe", that it would be lawful interception if both parties consent to the interception - this is correct - but in practice it's almost impossible to get consent from both parties.

Getting consent doesn't mean that someone doesn't object - it means that both parties, the sender and the intended recipient, have actively consented to the interception.

For the user side T+C's won't do it, because the user will often not the person who agreed to the T+C's, and also because such a term in the T+C's for a ISP service contract is almost certainly not enforceable.

Even getting express consent from individual users, as opposed to the owner of the connection, is problematical - suppose you want to allow a guest to use your account? The guest has not consented. You may well be partly responsible for the subsequent interception.

From the webhost side, getting consent - well, Phorm/BT would have to ask each website publisher. The "implied consent" in Simon's advice is consent to download, not to intercept, and there is no implied consent to download for many web pages anyway.

So, while it's not garbage, this "maybe" just isn't going to work - getting consent is just too hard to do.

query to BT complaints, their reply and my reply back

very long but the full story so far, i have left only the bt CS person first name in and mine (as it is on my posts anyway)

the interesting one for me is you can permantly opt out by blocking the cookie,(so trend and co can safely remove the cookie without opting you back in) but will that show up in there stats as a opted out user

below are the emails

Chris,

Thanks for your reply

But You have failed to answer my question regarding if I opt out is my traffic still passed to the profiler, nor the question about assumed automatic opt-in

If it is I still have major concerns regarding privacy as you can not guarantee the profiler can not be updated to look at the opted out traffic but just not serve adverts

And I have big , big prolems with any data passed to a company whose roots are one of the biggest original adware / crudware companies on the net, like many I do not believe leopards can change their spots

Another point is as AOL found that out last year when it released a ton of anonymised search requests with the user IDs replaced by random numbers; it had to withdraw the list in haste as it became embarrassingly obvious that users could be identified from that information alone.

So by using a random number in a cookie will still enable users to be identified from the data passed from the profiler to the phorm server and so privacy is not guaranteed

The anti-phishing is a duplication of the function in IE7 and I believe also part of the norton security suite you provide, so I see little value add from that service, the only thing the users will see is an increase in targeted advert from the businesses signed up to OIX which was the adware rubbish form used to push, how many adverts are going to be for uk based businesses (very few I suspect) and due to the high rate of fraud and phishing on the web people are naturally sceptical of any popup and highly unlikely to purchase via them, this I doubt is of little concern as BT will only get revenue from allowing the adverts to be served and not from any form of pay per click on the actual poup-ups

Please inform your managers that the customer base is not happy with this, people are not going to put up with popups, adverts or other junk on their screens (we get enough junk in the post)and many will hopefully vote with their feet

The only way I will stay a BT broadband customer is if you can guarantee opted out traffic does not go via the profiler at all and it is an assumed automatic opt-out, this is the position that car phone warehouse is taking and looks like the same with virgin media (if they actually go ahead, which is not looking likely)

Car phone warehouse are (rightly so) of the opinion webwise / phorm will fly or fail on its merits and if customer find it usefull, not on wether you can bully customers into accepting it to obtain additional revenue

One final question how will you know if the trial is successful, I assume it will be by webwise telling you the percentage of users opting in and out, and who will audit those figures and confirm they are correct?

A better way would be to use an independent market research company to canvas ALL of the users in the trial with a web based questionaire similar to how microsoft get feedback from my after my partner training courses

when my updated terms and condition are offered to me I shall be reviewing my option to cancelled my contract early depending on whether BT has changed its position with webwise / phorm, which is a shame as I have had good service until this.

Thanks

Peter white

-----Original Message-----

From: Residential Services [mailto:XXXXX@bt.com]

Sent: 13 March 2008 12:55

To: XXXXX@btinternet.com

Subject: Re: I want to complain - I have a general complaint (KMMXXXXXXXX71L0KM)

Dear Mr White,

Thank you for your e-mail dated 12/3/08 regarding Webwise, and the passing of your browsing or personal data to Phorm, and I am sorry for the difficulties you have encountered whilst trying to obtain information on this and for any inconvenience this may have caused.

As per your request for written confirmation, I have supplied you the information in the form of an email as i work from the e-contact queue only.

The data capture is designed to preserve your anonymity and privacy. We will be communicating to all customers during the trial with a page that appears at the start of their browsing session and ask customers to look at amended Terms and Conditions which can be viewed on www.bt.com/webwise. There will always be clear choice in the hands of all of our customers. We also provide them with information on their current status on www.bt.com/webwise, which can be changed with a click of a button.

Your data? is not passed to any third party. On each browser navigation, a ?data digest? is created consisting of URL, search terms submitted to a major search engine, and the top 10 most frequently-occurring page keywords from the page (which are cleaned to remove email addresses, numbers and names). This is matched against a list of advertising product categories. After the match is made, ?data digest? is deleted permanently and immediately. The ?data digest? is never written to disk so it is never stored.

All this processing is done completely within BT?s network. The matching information ? the only information held within the system, is never sent to any system held outside the BT network. You can permanently opt-out by blocking cookies from the domain http://www.webwise.net on each browser you use.

You can check whether BT Webwise is on or off by simply going to http://www.webwise.bt.com/ You?ll be able to see whether BT Webwise is turned on or off on the computer, user account, and browser you?re using at the time. To turn on or off this service, simply go to http://www.webwise.bt.com/ and click ?BT Webwise Off? or ?BT Webwise On?. BT Webwise uses cookies stored on your computer to capture your preference. These cookies are linked to individual computers, user accounts, and browsers, so you will need to switch the service on or off from each computer, user account, and browser you use. If you delete the cookie, you?ll need to reset your preference.

I hope the information provided will assist in helping you with your enquiry, and if you should have any further queries please do not hesitate to contact me again via e-mail.

Thank you for contacting BT.

Yours sincerely,

Chris XXXXX

eContact Customer Service

Ref: XXXX

Original Message Follows:

------------------------

Feedback from: peter white (contact number ) Telephone Number:

Account Number:

Email Address: XXXXXX@btinternet.com

Customer Comments:

i do not wish any of my web browsing (past, present or future) to be profiled or stores for any reason other than as you are require to keep records under RIPA for the fight against terror

i specifically do not consent to any of my web browsing or personal data being passed to phorm or any other similar company.

i do not require the webwise anti phishing product as none of my family use internet banking for the simple reason of its insecurity

i specifically do not want any advertising (targeted or other pop ups other than the single frame advert on my yahoo / bt homepage which i easilly ignore)

i want an immediate assurance in writing of the above

1:- if my terms and conditions are changed to allow any of the above,

2:- if webwise / phorm is rolled out with an assumed opt in

3:- it is proven that even when opted out my web traffic will still be passed via the webwise / phorm profiler

i will have no option but to excercise my right under the change to terms and conditions clause and immediately change ISP

please note car phone warehouse are guaranteeing "opt in" only and segregating their network so opted out users are definitely not passed through the web wise / phorm profiler, and virgin media have not finally commited to rolling this out yet

a very unhappy customer who is likely to be looking for alterantive ISP shortly

regards

peter white

If the ISPs want people to use PHORM they should provide FREE internet access

I have not uses virgin media and so I wont comment upon them

Bt however have for the past year and a half have been trying every dodge to sqeeze more money out of their customers, first they resell their customers bandwidth via BTFON now want to sell the user's data too. BT charge over the odds for their service and outsource the call centres to indian so removing revenue from this country. It is clear that BT do not like the people in this country at all they go out of their way to screw us at every turn, PHORM is just another example of BT Business practices.

Ofcom who are supposed to protect communication customers rights are clearly being directed by BT, I say this as BT can and do what ever they like without repercussions, who speaks for the customers protection not ofcom they speak for BT. There is evidence that BT trialed PHORM last July against BT's own privacy policy, why has this not been investigated by any goverment department?

Why is BT Wholesale (the people who charge the line rental) allowed to have a monopoly on communications outside of every city.

I will tell you why, it is because your goverment is not interested in the people only in companies and there interests.

The tax payer has to shell out when big businesses cockup see Northern Rock, LLoyd's names etc is this money well spent? I ask as I do not understand what possible benefit to me comes from giving £20Bn of our money to fat cats who gambled and lost.

The Pimps here are not PHORM they are just the middlemen, no it is BT and the Governement's policies that are the real pimps and we are just whores who have to pay for someone to screw us

ripa.. something else others haven't thought about

I sent this to chris, but I thought I'd mention it here.

Under the RIPA, interception is unlawful without the consent of both the browser and the website.

The Phorm "service" is acting as, effectively, a proxy at the heart of things, so where does this place all of the corporate and WAP proxies? Surely they break the RIPA, maybe not on the browser side (since the employee/customer would have signed a contract stating that their electronic communications would be logged and tracked) but I'm willing to bet that the websites they are caching haven't been contacted in order to gain their permission.

Does this mean that evidence collected using the proxies in disciplinaries and dismissals aren't legal? What about the "web experience" when using WAP and 3G connections?

Certainly an Interesting question.

Phorm share price

I don't think it's that bad it's going back up a bit. That's what markets do, over react then correct.

This month, it reached a peak of around 3300, reached a brief low of 1800 and spent most of the last week bouncing around 2000, and now is back at 2250. So it's still lost around 32% of it's value. That's a significant correction in anyone's books.

@alphaxion

The proxies are there for the purpose of providing you with the access to the internet - therefore they are covered by RIPA as part of the connection.

If they start skimming the proxies for a purpose other than to provide you with an internet feed, that would be a different matter.

Hmmm

I was wondering if BT, Virgin, et al, might not be hoping to get an undisclosed secondary benefit by making people like us go away to another ISP anyway... typically techies are the higher-end usage people and we're most likely to be the troublemakers with the Phorm interceptions.

If they get rid of the top 1% of bandwidth users then they can skimp on investment, cut services and get even more profit per user from the remaining rump of those who use their 8mbps, 40GB per month £25 connections to download two emails a day and read up on their soaps.

Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website.

graham

The proxy our department runs in the company isn't there to provide people with net access, it's to restrict certain sites and to be used against people who use the net too much or for inappropriate content.

Also, I believe that some of the WAP proxies are capable of injecting ads into the stream to (tho I haven't heard of any making use of this "functionality").

LOL at the www.iii investors

you cant be serious, the class of replys on that so called investers site are so dumb its a wonder they have any cash left to invest in anything werthwhile, never mind drive this Phorm stock up for so long.

how come the better posters here and elsewere didnt join that thread and put these so called investors right?

i dont know anyone could invest in something and not even read and undertand a patent, or at the very least try and gain some basic insight into how it might work and the implications as regards the laws it must follow.

an example quote from there:

http://www.iii.co.uk/investment/detail/?display=discussion&code=cotn%3APHRM.L&it=le&action=detail&id=3947835

"zoiezoie:I know very little about this company and the technology, but the fact that there has been so much public opinion about it recently then I feel it must have something that someone will buy..."

@craig

"Finally, I wonder what the RIPA situation would be if I changed my business's website to specifically deny BT, Virgin, et al, permission to profile my website."

its been said time and again in several places, thats exactly what web masters should be going.

along side end users sending a Data Protection Act Notice to their ISP (and now Phone companys http://www.theregister.co.uk/2008/03/12/mobile_phom/ )

removing any and all rights to collect,process or export any of their personal data outside the basic contracted supply and billing of their connections.

is it really that much trouble to write the letter and send it registered post to your data controller to protect your rights into the future and nullify any UK T&C that might try and auto-insert such concent (not that a T&C is infact an _explicit_ concent of course).

@ Lol at investors

"how come the better posters here and elsewere didnt join that thread and put these so called investors right?"

1) There is a 48 hour delay on activation of forum accounts, a speed bump, if you will.

2) Technical arguments will not work on the technically illiterate.

Keep watching the skies ;-)

Good morning! Wake up and smell the coffee.

No doubt all the people on here who have been whinging about their privacy will have been reassured by the clamour from outraged MPs protesting on their behalf. And how come these same people missed the re-branding exercise that now means that the 'K' in 'UK' stands for Klondyke. The gold-rush is on and the panhandlers are mining for your data in the entrepreneurial spirit espoused by your government.

Now that you've enjoyed the coffee, please turn over and bite the pillow while you enjoy the delights of rampant capatilism.

Shafted again.

re: "educating" the iii users

I would post on there and tell them the facts (tho is seems they just plain don't want to know, they can't see past the money symbols int heir eyes), but the place demands a user sign up and I can't be arsed to give them my email address!

Duty to report crime

BT's previous secret trialing with Phorm would seem clear prima facie evidence to suspect that a crime was committed under RIPA. It is sufficient that someone suspects a crime may have been committed to report it to PC Plod for further investigation. While anyone can report a crime, in this instance someone who has logs of BT's activity last year would be better placed to report it. It is also open to bring private prosecutions in criminal matters, but that would a looking a long way into the future. No amount of BT talk of T&Cs and how it intends to operate the system in the future changes what it may have done in the past.

I don't really understand the business model

I realise I'm probably slightly more technically inclined than an average user, but i have never, and will never, click on an internet ad. As far as i'm concerned all the ads are a blight on the net there simply to take advantage of naive users. In fact, like me, pretty much every firefox user uses adblocker to strip them out now. Its popularity should give Phorm an idea of the general feeling people have towards ads, i'm pretty sure that if IE8 supports user plugins, adblocker will be ported and no-one will ever see an ad again.

Even the reg drives me mad having to use IE at work, when i have to sit for 30secs staring at the header while all the ads load before the rest of the page gets displayed.

@I don't really understand the business model

> [Adblock's] popularity should give Phorm an idea of the general feeling people have towards ads

Apparently Phorm doesn't care in the slightest - not when there are users to be exploited and money to be made.

As was said in one of their warm-n-fluffy pronouncements (I'm paraphrasing), this is an exciting service designed to help the poor befuddled user by providing ads. which Phorm claim would be of interest - and all at the simple and painless expense of tracking browsing habits using closed & proprietary software.

Naive or just plain ol' predatory - it's in there somewhere.

Data profiling - the dummies' guide: Part one

The time has come to separate out the wood from the trees with regard to ISPs, profilers, data packets and advertising networks.

First point to consider is that the marrying of user profiles and adverts has been going on for a few years. The big difference between now and a few weeks ago was that everyone bought into the "it's OK because I am getting a good service" spiel without any knowledge or understanding of the privacy aspects. Ever noticed how easy it is to do a search on a mobile phone and be offered businesses nearby matching your query? - isn't this one of the selling points of the iPhone?- not yet available(?) in the UK but coming soon. More on this below.

Back to the ISPs and a little background technical information.

Data packet inspection systems: this is hardware which sits within the routing system at the ISP. Simply, data packets are the clear text (including cookies) sent from your browser to the ISP to identify your request. The ISP sends this data packet on via DNS and routing servers until it meets the server which hosts the data requested. The host server sends the response data packet back to the ISP who returns it to you. And you see your request being displayed in your browser.

A request leg and a response leg, both under the control of your ISP and everyone else along the route taken by your data.

ISPs and networks have been recording the content from the data packet inspection systems for years, logging traffic in and out. The content can be assembled and analysed to give an idea of what you are doing every time you turn on your computer.

When required to do so by law, the ISPs are able to supply all kinds of information about the user. This includes but is not limited to your e-mails, chat sessions, banking (even though they only see the encrypted data - urls are in the clear), purchases, etc.

Now a quick look at advertisers.

Google is evil goes the cry. Google (and the other search engines) tracks queries and builds up a profile of its users. Even if you don't use a search engine there are webmaster tools like google-analytics which are also used to track users as they browse the web. In case you miss the visitor tracking tools there are also scripts which deliver adverts across many partner websites: each time you see an advert you are being profiled.

Just in case you missed that: each time you see an advert which has been delivered by a script, you are being profiled.

Those who know about the tracking being done by the search engines and all the rest of the ad networks have not been too worried about that as it is seen as a small price to pay for a free service and it is possible to block the profiling by restricting the way in which the browser uses scripts and by using the host file to divert requests to domains used for tracking. We are happy.

BUT, the advertisers are not happy. They complain to the advertising networks and say that they want a system which does not rely on cookies: they want their adverts delivered and they want a good ROI for their advertising dollar.

Now the data packet inspection systems come into their own.

It is a very short step from collecting the data packets to using the data collected to generate profiling information. Privacy is an issue and different countries have different rules. Not to worry: as part of the data mining the ISP is able to provide an added value service which their users will be so very happy with. A small sacrifice and so like the sacrifice made for the availability of free search.

Here are some examples of services:

When you logon to your ISP, the first thing you see is a report of how much bandwidth you have used. If you have a mobile, your ISP can give you a report on your remaining credit balance or the balance of inclusive minutes available. Webwise will tell us if we are about to visit a phishing site. Wonderful, something useful for nothing.

You will notice that I have not made any mention of all the free wi-fi hot-spots that are springing up wherever there are people with wi-fi connections. Don't forget to disable WEP so that you can use the system. And there are all these T&C that pop up and you are asked to agree to before you use our wonderful free hot-spot. Just click OK else the battery will be flat before you get to the end of the text.

How are these services offered?

This is the simplest part of the whole system. Back to the data packets and the ISP.

Up until now, data packets had only been analysed to created revenues from consolidated demographic data and to calculate the popularity of URLs. Along comes the profiler to analyse data by user and by target market segment and promises of a share of advertising revenue from all the net browsing of their users. No need to e-mail users about new services that they have been surfing for, just pop your ad up onto the screen when they logon (no one will know that they are seeing something different from their neighbour).

But, how to sell the system and get around privacy issues?

The easy option is to give each user an anonymous random ID via a cookie and to provide the profile supplier all the analysed data they require together with the cookie ID. Then, all that is needed is to give the ad networks a script which reads the user's cookie ID, looks up the profile for the user with that ID and displays a relevant ad that matches the target interests.

Giving the user a cookie is easy. The ISP only needs to intercept the data packets and inject a script that will lodge the cookie ID on the user's system before they are delivered the request they made. Once they have their cookie ID, all requests are easily identified with them and the content requested can be analysed by a split system. Simplicity itself.

This is so simple, what if it fails? What about users who delete their cookies or who can't accept cookies? - cable TV downloads and all those handhelds with different operating systems.

Now this also has a simple system. No cookies required. Just an electronic short delay between the response data packet being delivered from the host server to the ISP, analysing the data packet and injecting code into the data packet before being delivered to the user. Warning: the data you are about to download is not permitted as per your T&C. If you continue with the download of pirated content you ....

I think you get the idea. I am sure that the Chinese engineers can explain the identifying of content far better than my simple example.

For the advertiser, the match code is already available in the browser and all that is needed is to match the injected content with their data and the user sees a targeted and relevant advert. And no one is any the wiser. If it is a TV programme that is being watched, rather than the data packet being sent to the TV it is sent to the ad network who now know that the user likes watching programmes about 'summer holidays' or has been surfing on sites promoting holidays. So easy to send a relevant ad or two during the next ad break.

Part 2 to follow

Dummies guide: Part 2

OK, I admit that some of the above details could be way off course. That is because it is so hard to find any information.

The data packet inspection systems are real. All that is needed is a parsing script and you can use the data in any way you can imagine.

The delivery of targeted messages before the user views the content they asked for is real.

The deliver of targeted adverts to cable TV users is real.

Now it is time to look at the profile providers.

NebuAd

Looking at the UK Privacy Policy of NebuAd at

http://www.nebuad.com/privacy/uk_servicesPrivacy.php

personal information and the following is not supplied by the ISP:

Email Addresses

Last Names

Street Addresses

Telephone Numbers

National Insurance Numbers

National Health Service (NHS) Numbers

Financial information, including credit card numbers, login IDs, passwords, or bank account

However, data collected does include the following data:

Web pages viewed and links clicked on

Web search terms

The amount of time spent at some Web sites

Response to advertisements

System settings, such as the browser used and speed of the connection

Post code

Sensitive personal data is not stored or used.

Cookies are used to record whether you are opted in or out. They are also used to record how often you have seen a particular advert. NebuAd also process information contained in the server logs when you visit a site: "may include a user's Web request, Internet Protocol address, browser type, browser language, and the date and time of the user’s request" and will be used to facilitate the serving of advertisements that match the user's interests.

Ouch

To summarise: even if you are not having your data collected and profiled by the ISPs NebuAd have signed up with, every page within their partner network is collecting all the data that that search engines and every other ad network has been collecting and that those who know try to block.

FrontPorch

From the FrontPorch web site: "Front Porch also enables Internet providers to leverage their networks to deliver any targeted ad or customer message directly to users’ browsers anytime and anywhere they surf the web."

To summarise: They are in over 3,000 installations in over 33 countries including cable, telcos, internet providers, wireless hot zones, conference networks, airports, shopping mails, sports centres, train stations, resorts, universities, commuter hubs, coffee shops and tourist attractions. FrontPorch works without cookies, using meta data from the browser session to match the user profile to display ads during the current session. They also deliver targeted notifications from ISPs direct to the browser before the requested page as users surf the net - available credit balances and bandwidth notifications being common uses.

With the growing delivery of TV content via the internet, ISPs can now deliver targeted ads to viewers of regular TV programmes.

FrontPorch are running trials with cable and telephone companies in the USA, Australia, Asia and Europe. free-hotspot.jiwire.com shows 126 hot-spot locations for London.

For the technically minded, see United States patent No. 6,442,577.

Suddenly those free hot-spots are not so free - boycott anyone?

Why do I get the feeling that all wi-fi connectors are about to end up in the bin? Do people really turn WEP off just so that they can have free surfing, including checking e-mails, at the hot-spot in their local cafe or coffee shop?

Phorm

I am not going to repeat it all again. Their site shows that advertisers can match on broad market sectors, key words and URL visits. That is a lot more than the information that can be stored in a cookie so your cookie is identifying you with your profiling data, wherever that is stored, via a script hosted on a 3rd party web site. The 3rd party site will be able to track you, even your IP address.

It is difficult enough to believe that the unique cookie and IP address are safe in the hands of the ISP. Who believes that there is a bamboo curtain between the cookie ID and the IP address on the 3rd party site?

For our US and Canada cousins.

Adzilla

The Adzilla site has less information. However, no cookies are required so a real time data packet injection is suspected. The ISP may provide access to personal information (which stays within the ISP) to improve the ad targeting. Ad serving partners use cookies to track your behaviour and user trends. Adzilla will also record the logging information supplied by the browser when accessing servers.

Project Rialto

Even less information available. Stealth as per their site, stealth in reality. A little searching gives a China connection to the CEO.

Back to the ISPs

There is nothing that says that an ISP can't install something that shares data with all the various profilers of the world - it all depends on how much of the non search engine ad dollars they want to get their hands on and how many times they can sell their users' demographics.

What my investigations show is that there is a very small step from the available data packets to earning revenue from the content. It also shows that most users don't realise that the 'service' they are getting is coming at the cost of their privacy. Mobile users will be most under attack with the ISP sharing their location with advertisers - i.e. Google's local search. Yes, search engines are using this to get their ads better targeted too, even if only sniffing our IP address or local hot-spot. And, which social network was looking forward to knowing where members logging on via WAP are so that it can track members? - for the benefit of other members, of course.

I am beginning to understand why the protesters at El Reg are being counted as ignorant fools without any vision of the bigger picture. Only 4,000 have signed the petition. Not even a drop compared with the market.

Today I did a little market research. No one knows about this. Only one said that they may change ISPs because they use the home connection for work via https. One said that they had had so much trouble getting their current ADSL working that they could not think about going through all that again.

Profiling of personal data has already happened all around us and until the last couple of weeks everyone had been very happy with it. Now that there is more information and the process is understand a little everyone has the choice of whether or not to use any of the services that give away data that some want kept private.

Blocking cookies and using the hosts file does not work against data packet injection by the ISP.

Blocking cookies and scripts is just good browsing practice. Redirecting tracking sites to 127.0.0.1 is best practice to preserve privacy. If more people complained about sites that don't work without cookies and insecure browser side scripts there may be more sites that meet the accessibility standards that are required under the Disabilities Act.

You are wrong, Kent et al, if you think I am going to lower my security settings just so that I can view your partners' sites. Well written sites work very well without cookies and insecure scripts.

If every site owner and web host was required to be registered under the DPA there may be a little less sharing of the logging information for monetary gain. My IP address is personal identifiable information. It is bad enough when spammers spoof my e-mail addresses. If anybody did anything illegal while spoofing my IP address, guess whose door would be getting the first knock.

It is all a matter of security. The security of our personal data. Each one of us is our own gatekeeper. The security tools are out there, many freely available.

It is time to shut the gate.

http://petitions.pm.gov.uk/ispphorm/

How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?

Dummies guide: Part 2

Phorm Comms team here

Your description of the Phorm system is plain wrong. Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.

We've built the system from the ground up with privacy in mind. We don't know who you are or where you have been - that's something other targeted ad providers would struggle to claim.

Phorm Comms Team (techteam@phorm.com)

the petition

"http://petitions.pm.gov.uk/ispphorm/

How many signatures does it take? - will 10 million petitioners please wake up before their life is enslaved?"

OC it might also be said that people dont want their personal names posted on

a public petition, due to privacy concerns, catch 22 and all that.

As they read every page they can't ignore this

We have at the top of every page, as the first line after the <head> statement the following, we urge all website/content producers to do the same.

<meta name="ATTENTION" content="Attention: Phorm Inc, All Subsidiary Companies of Phorm Inc, OIX Network, Internet Service Providers using the technologies provided by the former mentioned companies; [sitename] specifically denies permission for the former mentioned companies to intercept any communication between a remote user accessing content on any [sitename] Server and that person's Internet Web Browser, or any other Interface that such a remote user may use to obtain [sitename] data.">

NO @Phorm Comms team , pay us our fee

Phorm Comms team here

...Phorm doesn't store any personally identifiable information, no IP addresses and no browsing history. That surely is the starting point for any fact based discussion of our system.

Phorm Comms Team (techteam@phorm.com)

No PCM, thats not the starting point, the starting point would be about paying the users a licence fee for legal use of their data.

@Mr Anony there are more than Phorm out there profiting off your data

while its good to see some initative Mr Anony,the fact is there are more than just Phorm out there profiting off your data without paying you a fee.

for any web master out there, the fact is as a general rule you need to simply refuse collecting,processing, copying or export by any profiling electronic device or software ,nor for profit or fee without explicit written consent and any fees due payed in advance or £20 per page per view.

you get the idea ;)

that profit and fee would also probably also exclude the mobile phone companys that charge by the megabit for free content perhaps ,yeah for fixed fee mobile BB.