back to article BT pimped customer web data to advertisers last summer

BT’s servers were secretly passing data on subscribers to its "new" advertising partner as long ago as last summer, though the companies refused to acknowledge any relationship at the time. BT - the UK's number one internet provider - finally revealed the plan earlier this month along with Virgin Media and Talk Talk, which …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    /etc/hosts

    dns.sysip.net 127.0.0.1

  2. LJ
    Stop

    A simple solution?

    Might be interesting to see if one of the affected people could set an entry in their hosts file to point dns.sysip.net (or *.sysip.net) to 0.0.0.0 - it's unlikely that BT are going to trust Phorm to handle all their DNS queries, so dns.sysip.net is probably named so to make people think it's something innocent (or too technical for them to understand).

    Perhaps a public service announcement would be in order?

  3. Billy
    Jobs Halo

    opendns

    Won't pointing to opendns.com (or similar) for your dns requests solve this? I don't know enough about the ins and outs to be sure though.

  4. Justin White
    Black Helicopters

    BIND + Root Servers > ISP Redirect

    Personally, I find it easier to maintain my own DNS cache using BIND9 on a small Linux box I maintain. No need to use the ISP DNS crap in the first place!

    I knew this was a conspiracy! Tinfoil hats around to all!

  5. Jez Caudle
    Go

    Technical details

    I wondered if El Reg could post technical details of how exactly this works.

    If they know where you are going and what you are looking at, how do they then show you ads? Do they rip and replace ads from other sites or wait until you hit a site hosting their adverts - at which point they look up your previous habits and then display loads of "relevant" ads?

    A nice technical article and some possible mitigations would be fantastic.

  6. Greg
    Thumb Down

    Time to say goodbye..

    I have been with TalkTalk for some time now and have been one of the lucky few to not have any trouble with their service. Even if it as easy as changing your host file to avoid this I won't feel happy staying with a company that does business with spyware pushers.

  7. John Bayly
    Thumb Down

    @opendns

    I doubt it, all BT have to do is sniff packets on Port 80. From the packet they can see the Host header along with everything else.

    As they appear to rely on cookies, I'm assuming they'll be injecting a cookie for www.oix.net into every HTTP response. Blocking the www.oix.net cookie (as they suggest if you want to disable the service <cough> permemently <cough>) will only mean that when you request a page containing oix.net adverts, no cookie with the <cough> unique anonymous <cough> ID linking you to keywords will be sent. Hence you will simply receive random adverts.

    Blocking a cookie still means that BT will happily be sending your clickstream data & pages viewed to Phorm, so they still get a wealth of data.

    Time to call BBC radio Oxford and try to get this mentioned in the mainstream media, because this is seriously taking the piss now.

  8. Godwin Stewart

    @Justin White

    "Personally, I find it easier to maintain my own DNS cache using BIND9 on a small Linux box I maintain. No need to use the ISP DNS crap in the first place!"

    Indeed, I've been doing just that ever since Verisign broke DNS with their "sitefinder" stunt:

    http://www.theregister.co.uk/2003/09/16/all_your_web_typos/

    http://www.theregister.co.uk/2003/10/04/icann_demand_sees_verisign_pull/

    http://www.theregister.co.uk/2003/10/16/verisigns_site_finder_is_undead/

    The "delegation only" feature works like a charm :)

  9. Anonymous Coward
    Anonymous Coward

    Re: technical details

    I second that, some technical details please

    not only on how they plan to serve the ads, but there is also no mention of what these requests were

    you mention the browser was making connections to there - no matter what an ISP do they can not make a program on your computer just start connecting to random places. it sounds like he probably noticed it by the status bar showing loading from there or something similar, which would indicate that they are embedding something in to every webpage that is returned. If this is the case then it will certainly break at least some pages (i doubt they have found a flawless way to add arbitrary code to a web page that doesn't break the page in at least some circumstances, particularly with AJAX requests etc which may not be returning a web page to be rendered)

    anyone any ideas as to the technicality of how they got the browser to make an outgoing connection to report on your activities?

    or is it just extremely bad wording claiming "connections" being made, when it's actually just that they set the DNS servers to there (connectionless except for some rare large responses), so that was handling DNS lookups - and they are monitoring just hostnames resolved by you

  10. Anonymous Coward
    Stop

    Virgin Media details

    http://www.cableforum.co.uk/article/377/virgin-media-signs-targeted-ad-deal

    Lets see how easy it is to opt-out

  11. Anonymous Coward
    Anonymous Coward

    <no title>

    One should not need to opt out of this sort of stuff. One should have to knowingly opt in.

  12. b shubin
    Pirate

    TOR?

    has it come to this? do we all have to start using encrypted anonymizing proxies, to stop our provider from selling all information about us to a third party, without our knowledge or consent? opt-out indeed. what's the benefit for the profiled?

    doesn't the UK have a Commissioner to handle this sort of thing?

    and i thought the US telcos were slimy.

  13. colin stone
    Black Helicopters

    Watchdog

    I posted a short summery of this story to watchdog, plus links to this site and others.

    I am awating a call back as I was out of my office when the reasercher called.

    Please post your compaint at

    http://www.bbc.co.uk/consumer/tv_and_radio/watchdog/contact_index.shtml

    As it looks like this may be a story that they are likely to cover.

    If nothing else it may expose BT, and others as the skumbags that they are on tv.

  14. Jim Murray
    Stop

    Worse and worse

    I'm not at all sure why Phorm seem to be interested in DNS lookups. From their own description of their technology they appear to have access to all the contents of any non-encrypted HTTP traffic, so what is the need to monkey with the DNS?

    What do they gain from this, other than perhaps using it to obtain some details from those who are trying to evade it's data mining by technical means?

    Where does it stop...

    I'd love to hear from any other BT customers who with experience of Phorm, perhaps it'll shed some light on just how this company is actually going about it. Tails of woe welcome on www.badphorm.co.uk

  15. Anonymous Coward
    Anonymous Coward

    Contact the police if you're a BT customer

    If BT have been intercepting details of your browsing habits then this may be a violation of RIPA http://www.statutelaw.gov.uk/content.aspx?activeTextDocId=1757378

    In particular sections 1(1) and 2(2):

    1. Unlawful interception.

    — (1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—

    (a) a public postal service; or

    (b) a public telecommunication system.

    2. (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

    (a) so modifies or interferes with the system, or its operation,

    (b) so monitors transmissions made by means of the system, or

    (c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

    as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

  16. This post has been deleted by its author

  17. Joe K
    Stop

    Future class action suits?

    Surely there is some kind of privacy laws being breached here.

    If Facebook can take a kicking from the EU courts for far less than this, i'm pretty sure BT will be hauled into the courtroom soon enough.

    Maybe they think its all too technical for the courts. I'd say that its pretty much the same as them installing a trojan on their customers computers to monitor their browsing habits.

    Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"

  18. Anonymous Coward
    Alien

    Orange - good guys for once?

    Interesting that several high level Freeserve/Wanadoo/Orange employees (including the ex CTO) have been poached by Phorm recently and Orange have met with them but have (so far) decided not to go with Phorm.

  19. Adam Trickett
    Linux

    Death to Spammers

    It's at times like this I'm glad I run my own DNS server and all my browsers run Adblock and NoScript on Linux platforms. It looks like an investment in learning how privoxy and Squid work are required next.

    A quick nmap of dns.sysip.net shows it currently only appears to be only running http, so it could be as simple as adding it to your /etc/hosts file and/or Adblock/noscript filters and you are safe.

    Spammers are scum, spammers pretending to be legitimate advertisers are sum, and ISP that help them are scum.

  20. Anonymous Coward
    Flame

    The sneaky bastards

    I was just about to dump TalkTalk (for being shite) and I was thinking of going back to BT or possibly Virgin.

    Lo and behold, they're all cavorting with spyware peddlers.

    The sneaky, dirty bastards.

    Well done El Reg and (tinfoil) hats off to Stephen for digging it out. I am really surprised this is legal and I hope they get a good kicking for it.

  21. Tim Schomer
    Paris Hilton

    Big Question..

    (well, for me at least) is this sort of behavior likely to be spread to the smaller ISPs that BT secretly swallowed in the last couple of years (Plusnet is one, I only found out 18 months after it happened!)

    I wouldn't expect any direct communication from them on this, they're useless about giving their bill payers any information they actually need.

    Tim

    Paris 'cos she wouldn't know even if they told her...

  22. Anonymous Coward
    Black Helicopters

    BT Wholesale + LLU

    Does anyone have any idea if this just affects BT Broadband customers, or does it include BT Wholesale customers as well - ie people whose broadband is supplied by resellers.

    I would also be interested to know whether or not people on LLU networks are immune to the sniffing aspect. Although the redirect is done using BT Broadbands DHCP served DNS addresses, the LLU providers traffic still partially goes across BT Wholesales network.

  23. Anonymous Coward
    Alert

    Un-anonymizing Anonymous Data

    Depending on how this is implemented, it's hard to see how anonymous the end user can expect to remain.

    The blurb states that adverts will be linked to keywords in both the page title and page content of sites visited by the user.

    If Phorm has access to raw HTML streams, e.g. via "anonymized" dumps of some sort from the ISPs transparent proxy or routers, then this will be very dangerous as next time the user visits a social networking site, unencrypted mail, eBay, anything which displays their real name will be cached alongside the "anonymous" id, creating a link to the real life person.

    Obviously there are many other ways of implementing this without access to raw streams, but if the ISPs and Phorm do not come clean ASAP with intimate technical details, then a fair few people will have cause to write to the Information Commissioner with very real cause for concern that identifiable information is being sold without permission.

    I urge all concerned with this to fully disclose how this system will work to pre-empt public concern.

  24. Sam

    Bearing in mind what happened to Sony

    I hope far worse happens to all those scum involved in this...I want to pull fucking heads off right now!

    Dear El Reg, what about a nice security article for the masses, with instructions for workaround options?

    Preferably in about ten minutes.

    I'm switching to copper foil hats with an earth braid.

  25. Anonymous Coward
    Dead Vulture

    Its worse than you think..

    ..details here www.badphorm.co.uk

    DNS changes will not protect you. The optout only asks them not to use the data they have already connected.

    Is it a crime to copy data on its way TO you as opposed from you? Thats what they are doing. Its not clear to me whether this can be construed as 'intercepting communications' . Presumably they are preparing there legal arguments now, which is why BT and Virgin are being so secretive about it.

    If nothing else given the spyware and crookery provenance of Phorm who can have any confidence in their assurances? Phorm is a US company based in 'Dodgy Delaware' and its OIX ad servers are in China somewhere. So they can tell whatever lies they like about privacy and security and no-one can hold them to account. BT and Virgin should try to look beyond their greed and see just how horribly exposed they are too.

  26. Ash

    @Joe K

    Or, for the tabloids: "its as if they bugged your house to listen to your conversations, and play matching ads on your TV"

    ---

    No, it's as if they bugged your telephone line, sent your conversations to a firm run by a guy who used to illegally bug phone lines to pick up your credit card numbers, played you audio adverts over your phone line in the middle of a conversation, then said "your data is safe because we say so."

  27. Anonymous Coward
    Dead Vulture

    Or opened all your letters...

    ... and added some junk mail after reading the contents.

  28. Anonymous Coward
    Pirate

    not only opened your datastream

    But added unwanted crap in there.

    The next likely scenario is : you pull up a page for a car manufacturer , only to see an ad for another manufacturer.

    Or,f you pull up a page for something , it gets replaced by something else. After all , they can replace one element in the stream with another now ... ( based on your surfing habits of course )

    This is clearly TAMPERING with the information stream. Class action lawsuit anyone ?

    I als op wonder what the 'default surfing habits will be' for a new user ? Purple pills ? Lottery tickets ? We all know that's why people use the internet anyway. If they monitor email streams (thats text after all. and especially if you use a web based interface) they also pick up all these keyword in all the spam messages you get, so it won't be long before you get ads for all the stuff that is now beeing pushed through spam as well....

    Even a grounded copper foil hat won't help. We're talking lead-lined , faraday cage, steel reinforced 10 meter thick contrete hats now ....

    i got my scisor sready to cut the incoming ethernet cable intot the house ... let them try pushing their crap through my cut cable ...

  29. Claire Rand
    Flame

    linked to what exactly?

    assuming there are several people using a computer how do they identify the user?

    if its a user specific cookie that identifes you, and contains the 'dont track' bit so if you block cookies you're 'opting in' so to speak...

    thinking bout what happens when little jonny sees an advert 'targetted' at his dad from all them sites with pictures of ladies on.

    sue the bastards for all they are worth?

    I'm 'offended' etc.

    or how long before theres a firefox extension that just randomises the cookie? sort of 'track this...'

    ho hum.. still theres always TOR etc, this could work wonders for making people start encrypting connections.

    oh and since i run a TOR relay would this mean i get ads 'targetted' based on other users preferences?

    i think they will have trouble unless they provide a way to opt out once and for all, without the thing turning itself back on right away.

    def like the firefox extension idea, this crap has been tried before, not at the ISP level though, hasn't worked yet.

  30. Anonymous Coward
    Jobs Horns

    Who clicks?

    I've never met anyone who has clicked on an ad, targeted or not. Most make some effort to block them, often just out of spite. So how does anyone make money from these things? Do they no longer count click-throughs? Is the idea now just to get some form of presence out there like a newspaper ad?

    The fat man with the horns seems appropriate.

  31. Morely Dotes

    @ AC

    "no matter what an ISP do they can not make a program on your computer just start connecting to random places."

    Of course they can. DHCP allows the ISP to tell your computer which DNS servers to use, and if you have not specifically entered your own choice of DNS servers, then BT will be able to push whatever they like down to you - which means that, if they so choose, *every single Web request* will be forwarded to a transparent recording proxy, and the data returned to you as if you were deliberately using Network Address Translation. In other words, if you use BT's DNS servers, they have total control over where your computer connects.

  32. Anonymous Coward
    Anonymous Coward

    Computer Misuse

    Surely the redirection might be considered to be a breach of the Computer Misuse Act, since no one gave authority ?.

  33. N Silver badge

    hosts

    Agreed, AC

    dns.sysip.net 127.0.0.1

    in hosts file, along with about 10,000 other crap ware sites!

    I hope that as more people realise what a heap of crap BT are, they will migrate away from them

  34. Anonymous Coward
    Black Helicopters

    Patent application for this one...

    I love the patents system. Could this be it? Names KENT THOMAS ERTUGRUL as inventor and 121Media as applicant. Published in Sep 2007.

    "TARGETED CONTENT DELIVERY FOR NETWORKS"

    http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=WO2007108818&F=0

  35. Armitage
    Happy

    Tor?

    im a little rusty on the subject but does Tor encrypt from the browser (firefox) all the way to the exit node so in theroy all the isp would see is encrypted data?

  36. Someone

    How could I have been so stupid?

    I’ve been wondering about the name ‘Phorm’. It’s only just hit me. I’m guessing it comes from:

    PHishing by web fORM

    That would make it an out-and-out in-your-face bad-taste joke. (I know it’s a bit rich for me to comment, given the name I chose to follow the word ‘By’.)

  37. Danny Silver badge

    Information Commissioner

    The Information Commissioner can take action against these companies.

    http://www.ico.gov.uk/complaints/data_protection.aspx

  38. Anonymous Coward
    Anonymous Coward

    Will they tell the police too?

    I once carelessly did an image search for pictures of horses and have therefore viewed illegal images on the internet. I am concerned that this may become public knowledge.

  39. ChessGeek

    And the next step...

    ...in this mess will be for BT, et al, to contract with the credit companies to match your buying habits to the ads you've been served.

    Those who don't buy what's advertised to them like good little puppies will then see their broadband bills go up to cover "loss of revenue".

  40. BitTwister

    @BT Wholesale + LLU

    > does it include BT Wholesale customers (...) broadband is supplied by resellers.

    Unlikely, I would hope, since BT would be treading all over their agreement with the reseller and that should certainly raise interesting legal issues (beyond those already raised!). Since this seems so far to be BT acting directly as the ISP (plus some resellers who have decided to play along), I think it would only affect BT customers who pay BT directly as their ISP. Unfortunately, more resellers may also join in after being approached by BT.

  41. Mark de Roussier

    Time to pin down your ISP...

    In the light of Ertegrul's claim to be 'talking to all UK ISP's', perhaps it's time for everyone to start asking their ISP what their position is with respect to Phorm. I've just squirted a query at the corporate PR droids for mine, though I'm not expecting much. Maybe El Reg could get the Pimply Faced Youth to stop surfing the pron and get on the phone...

  42. Anonymous Coward
    Anonymous Coward

    Retail or Wholesale

    This only affects BT Retail.

    It sits in their service layer along with various other management tools.

    I've met one of the folks at Phorm and I couldn't say I felt I could trust him.

  43. Joe K
    Happy

    Mitigation

    OK, let's see mitigation includes:

    1.Tweaks hosts file.

    2.Wear the tin hat. (mine is x-heavy duty)

    3.Wear the copper foil hat. (cost prohibitive, something about inflation)

    I was wondering if there is anything that would actually work?

    Can checking the 'opt out' box, assuming there is one, guarantee anything?

    Why is it the company can do things I would be arrested for?

  44. Chris Donald

    I'll be leaving them then..

    If they are going ahead with this, why the hell should I pay for their service.

    Anyone know if using Tor would screw this up for the assholes?

  45. Anonymous Coward
    Unhappy

    @Morely Dotes

    if it is merely sing their DNS servers, then there is no opt out, there are no cookies - so it can't be that from the description

    and in addition there was mentioned that the browser showed connecting to there, which indicates making a request to a URL on that hostname

    there is also the fact that the system is listening on port 80 for HTTP, but not on 53 for DNS (although port 80 is immediately closed after being accepted for me, i assume as i'm not on a participating ISP... yet)

    of course that hostname showing up anywhere means that the request was directed to it for something other than DNS purposes (you can't direct a DNS lookup to a hostname, chicken and egg problem - and it wasn't a reverse DNS lookup as no programs do those for that type of request, plus a reverse DNS lookup returns a completely different generic hostname)

    which would indicate the browser making a request to a URL on that hostname - the only way it would do that is if either the user went to that URL, or a page they were loading had a reference to that URL in it, obviously not the former so the latter - which would mean having to modify every page returned to include whatever reference they are using (a javascript inclusion, loading a transparent invisible picture, whatever), which having tried to do such a thing before (obviously on a smaller scale for different purposes) i have had to conclude is impossible to do in a way that doesn't break at least something (what about where a response contains just the text "DONE" in an AJAX request? and various other scenarios)

    any even basic research on what was happening from an effected connection would involve a packet sniffer, which would say exactly what was going where and what it was returning - which is why i expected such information to be easy to get from supposedly technical people (as apposed to "well i saw a hostname with 'dns' in it") about the only thing that can be ruled out is that it is in any way DNS related (due to firstly the fact that it showed in the browser, which has no idea which DNS servers your system is set to use when it calls API functions, and secondly the fact that it states that opt-out is for a single browser - which just monitoring DNS packets would only be able to tell you the users IP Address and the hostname they looked up not a specific browser, only way to tell a specific browser is using the HTTP cookies from a HTTP request)

  46. Richard Williams
    Thumb Up

    Own DNS

    I agree with Justin - I run a Windows 2003 box in my case that is my movie/music repository and a DNS server. Works great for me, I don't have to touch the ISP's DNS at all. Of course companies running even Windows small business server are required to have DNS for Active Directory. So in that instance as long as you go into the DNS Server and remove any forwarders (ie your ISP's DNS Servers) this provides the same.

  47. Anonymous Coward
    Alert

    @computer misuse

    If you use their software to install/setup your broadband, as most people would, then they get you with the licence agreement because as you know, everyone reads those.

  48. colin stone
    Pirate

    Charity Adverts

    Some internet adverts are useful, sites like everyclick.com use advertising to raise funds for charity. In fact the charity I run makes a good chunk of its income through everyclick. visit us at http://costellokids.com

    My big worry is that such great systems of fundraising will be damaged as people move towards Tor and other systems.

    I block 99% of advertising, yet for EveryClick and a few other sites I allow there adverts as I know how important they are.

    I have not yet figured out how to allow Tor to allow advertising of my choice.

    Does anybody here have experiance of products such as ghostsurf? Would this also be as secure as Tor?

    I also wonder how long it will be before the security companies build blocking technology into the AV/Firewall products. Which will put an end to this stupid project by the ISP's.

    My big worry is privacy for the work we do, as webmail is used by many of our members, and myself as it is so quick and easy to access. So if keywords are being used, from webmail pages, then there is a possible risk to the people we support, and by the nature of our e-mail it would be very easy to identify individuals. This is scary and I have contacted the information commissioner about this, as well as writing to my ISP's compliance officer.

    I no longer have any trust in my ISP. The worry is that like all Bandwagon's all UK ISP's will quickly jump on.

    It is a bad time for UK internet users and the privacy of all.

  49. Anonymous Coward
    Anonymous Coward

    Light relief

    Wow. I'd like to see some technical details as well.

    Here's some light relief. BT started spamming me a couple of months ago (web design and review services, for some reason), using an address I gave them for online account access. This got so annoying a few days ago that I tried to opt out. The opt-out link was dead, so I had to email them. The 'mailto' link didn't work either - not sure why, maybe Thunderbird gets confused when it sees a subject - so I manually constructed the (empty) email, using the 'mailto' address and subject.

    A couple of minutes later, my mail is returned - BT has rejected it as...

    *spam*.

    Try again, with a body, still rejected as spam. Ring up the advertised 0800 number, shout at somebody, who politely tells me that he'll talk to his sales manager.

    Got another spam from BT today.

  50. Adam
    Black Helicopters

    There's little point in ...

    ... running your own DNS/Proxy etc, as all those requests still go through the ISP's routers on UPD port53/TCP Port 80 respectively and can be redirected/stored or whatever without you knowing anything about it.

    Cookies? They'll be of no use for DNS traffic (coz it doesn't use cookies) and is unlikely to be of much use for HTTP traffic. Cookies are tied to a site, and unless you are sending a request to that site (either through your location bar, or via a web page downloading an advert from some third-party site) the cookie won't be sent.

    I'm with Virgin at the moment (until I get Sky TV/Broadband installed next week - no more Virgin/Phorm, but probably a whole new set of problems!) and I know they use an 'transparent proxy'. This is a proxy that all HTTP traffic goes through without you having to set a proxy setting on your machine. You can tell it's there because if you create a web page that simply displays all the http headers it receives as part of a request from a browser, it shows the 'X-Forwarded-For:' header with my IP address. This is added by the proxy so the web site knows where the request originally came from. The IP Address the web server thinks the request came from (in this case 129.188.8.162 - no reverse DNS lookup for this IP address) is the IP address of the transparent proxy.

    I once asked NTL to turn this off. I was told to call back and speak to a higher-tier engineer who could do this for me. It sounded hopeful, so this is what I did. When I spoke to the engineer though, he proceeded to try to tell me how to remove proxy settings from IE (as if I'd use IE - yuck)! A bizarre conversation followed, while I tried to explain what I actually meant, including asking the engineer to go to the page displaying the headers, and him getting confused because he thought it was some sort of error page. Doesn't say much about NTL engineers. He eventually understood, and then said it couldn't be turned off for individual users.

    The prospects of turning this Phorm tracking/logging off for individual users is also unlikely. That would require some major additional processing from some routers, and a system for controlling the config of said routers. As that would be expensive and entirely counter productive to what they are trying to achieve. I think they are more likely to rely on legal arguments to justify what they are doing. Unless they back down from sufficient negative publicity, the only way this is going to end is in court.

  51. Anonymous Coward
    Stop

    "like all Bandwagon's all UK ISP's will quickly jump on."

    All UK ISPs are not the same. Better ones do still just about exist but the price may not be what you're accustomed to. Pop over to ADSLguide's ISP forums and at least two ISPs I looked at have already had senior staff saying they won't touch Phorm with a bargepole. One of them (Zen) is expecting to issue a formal PR statement to that effect Real Soon Now.

    More worryingly for me, the two BT subsidiaries I currently deal with (Metronet, Plusnet) have not as yet made any public statements on the subject. So looks like I may be off to IDnet or Zen soon...

  52. Chris Williams (Written by Reg staff)

    Questions for Phorm

    Hi everybody.

    Thanks for your input on this. I'm arranging to meet up with Phorm ASAP to try and get some answers on some of the technical points that have been raised here. If there's anything specific people would like me to put to them, please post a comment. Thanks,

    - Chris

  53. Anonymous Coward
    Alert

    Here are some technical details - from last summer's experiment

    http://www.spikelab.org/blog/btProxyHorror.html

    Which includes, amongst other logged details the triggered request and the script embedded in the page that triggered it.

  54. Anonymous Coward
    Gates Horns

    Yes ask them

    If they have ever been in trouble with the law for related?

  55. Anonymous Coward
    Thumb Up

    Hide your browsing history in plain sight?

    Someone on the Digital Spy forums posted this link which might help.

    http://mrl.nyu.edu/~dhowe/trackmenot/

  56. Anonymous Coward
    Black Helicopters

    Yes please ask them...

    1.) Do they receive just headers (then presumably have to visit the sites themselves to get the keywords) or a full HTML stream from the ISP

    2.) In either case, what safeguards are in place to prevent de-anonymyzation of anonymous data e.g. through real names displayed in pages, or if they don't receive a full stream, only headers, then names still exist in POST/GET variables

    3.) How does this diverting of a communications stream not fall foul of RIPA, since it is widely accepted that HTTP can and is used for personal communications. Whatever safeguards are in place, surely it contravenes RIPA if the data is being passed on to t a third party

    4.) Will the data leave the UK?

    5.) Have they spoken to the Office of the Information Commissioner and if so, what do they think?

  57. Anonymous Coward
    Boffin

    BT's response

    BT have an internal security mailing list and this article has been posted about this morning, but no-one has mentioned that they have any direct knowledge about it (unsurprisingly perhaps) but the general consensus could be summed up by the tla : WTF !?

  58. Richard Lubomski
    Alert

    Phorm.com gives a little...

    looking at the root of the problem (i.e. Phorm.com) their site speaks of the OIX (Open Internet Exchange) and Webwise... and provides a link telling you how to disable Webwise:

    http://www.phorm.com/about/faq.php - look under 'For Consumers'

    this redirects you to the Webwise site; on the 'You can choose' page, it states whether webwise is enabled by your ISP...

    http://www.webwise.com/privacy/can-choose-NA.html

    This page speaks of an 'anonymous cookie' that tells the system in question to ignore your system....

    I'm interested how this can be made persistent; dumping temp files would surely clear this 'anonymous cookie'??

  59. Brian Wright
    Happy

    @ Sam

    Install and use Hotspot Shield, that encrypts all your data and uses a VPN.

  60. Anonymous Coward
    Anonymous Coward

    BT say its just a rumour

    I spoke to BT business broadband this morning and asked them if there was any truth in the Phorm tie in.

    I was told "that its just a rumour and they had no plans to implement a targeted ad system"

    Make of that what you will.

  61. Chris Williams (Written by Reg staff)

    Re: BT say its just a rumour

    The contract is absolutely real. The fact that BT Business call centres aren't the most on the ball isn't a great shock.

  62. Anonymous Coward
    Alert

    Dodgy Data Brokers, Yes! Governments & Security Services, No?

    Hang on a minute!

    One second our trusty noble ISP's are saying "No!" to the government for access to our web browsing habits for security purposes, the next they are saying "Yes please!" to a very shady rootkit-making private company.

    What the hell is going on?

  63. Andrew Meredith
    Unhappy

    Who turned them down and how do we escape

    Two questions, thanks for asking :-)

    1 - Who, so far, has turned them down flat?

    2 - Is there a way, other than a remote encrypted proxy or some such, of making your web traffic completely byepass their system. I'm not talking about vaig hand waving about collecting it but not doing anything with the data (honest guv); I'm talking about complete opt out so this mob don't even know I'm there.

    I think the answer to 1) would form a good start on an ISP whitelist and 2) could well be the start of a new open source project.

  64. Anonymous Coward
    Anonymous Coward

    phormy people

    I wonder who Chris will get to meet.

    Will it be the charming marketeer Radah Burgess:

    http://www.prague-tribune.cz/2003/4/img/p29_15.jpg

    Or perhaps spysite registrar Ahmet Can

    http://www.spock.com/i/n31ljxhFY/Ahmet-Can.jpg

  65. Sam
    Happy

    The peasants are revolting

    Trackmenot acquired, ta.

    More please.

    As a small skeletal rodent might say, SNHH, SNHH, SNNHH...

  66. Anonymous Coward
    Dead Vulture

    More than just a rumour unfortunately...

    ... this looks pretty damn definite to me:

    http://www.phorm.com/about/launch_agreement.php

    and just look at what it's doing to their share price:

    http://www.ft.com/cms/s/0/b961adc0-daf9-11dc-9fdd-0000779fd2ac.html

  67. John Bayly
    Thumb Up

    @Chris Williams

    Regarding the questions suggested by Pie Man (Posted Thursday 28th February 2008 12:03 GMT), can you ask the ISPs the same questions.

    They're the ones who will be reading our data, and so far the silence has been deafening (from BT anyway).

  68. Andrew Meredith
    Thumb Up

    PlusNET Kosher despite BT connection

    I just had a dialog with PlusNET (one of my ISPs) about this subject and they know of it, they know BT are using it and they do not themselves think it is right for us the customers. They also undertook to seek opinions via their forums before any future decision to change their minds.

    Sounds ok to me :)

  69. Anonymous Coward
    Dead Vulture

    A better plan of attack might be to go after Webwise

    On its website Phorm cites FT.com; iVillage; Universal McCann; MGM OMD Unanimis and APACS as supporters. I bet they don't all know about the dodgy past of the people they are dealing with.

    You might also ask them what aspect of their technology they believe is patentable, as reading their application it all looks pretty straightforward to me. More spin designed to impress investors perhaps?

  70. Anonymous Coward
    Stop

    silly silly silly

    I'd also like to point out that E&Y's 'independent' report reads as totally incompetent...

    Especially as the report states that Phorm does not collect form input, but does say it collects search terms; last time I checked, search terms are usually entered into html forms...

    The "Opt-out" idea is ridiculous, it essentially mandates you send a piece of data with every request saying "ignore me", this is contrary to the more reliable/secure/sane practice of requiring data to opt-in.

    This smacks of being poorly thought through and has a seriously strong likelihood of compliance and legal issues rearing their ugly heads for the ISP.

  71. Anonymous Coward
    Black Helicopters

    Re: BT say its just a rumour

    To the best of my knowledge, BT Business Broadband do not use HTTP proxies, transparent or otherwise, so may not be affected by this "Phorm Storm". I've tested my companies connection and can detect none. I'm guessing from my experience as a system architect that transaparent proxies will be the best point to pipe out the dump to Phorm, so in the strict sense of the reply from BT B.B. it may well be just a rumour!

    Chris: if you get a gig with BT/Virgin/The Other One could you ask them if they plan to write to each customer informing them of their new practice and how they may opt out?

  72. StillNoCouch
    Go

    This is not good

    This is very troubling ... much like "Crossing the Streams" in Ghostbusters kind-of-bad.

    A Delaware company with servers in China ... I can't wait to clear out my Temporary Internet folders before the tainted dumplings start to rot.

    I'm seriously looking forward to hearing more about this. Great Job El Reg !

  73. John Saunders
    Pirate

    HTML injection

    This should be obvious with 'View Source' or moral equivalent and 'Find in Document' for dns.sysip.net . Soon I expect some Firefox/Greasemonkey expert to devise a small Greasemonkey script to remove the offending code. Too bad for IE users. :-)

    This is simply a man in the middle attack. Were this perpetrated by a hacker, it would be a crime. Perpetrated by two corporations, it's good business. Hmm.

  74. Anonymous Coward
    Thumb Up

    Tell TalkTalk what you think

    If you visit their website today you are asked to take a survey during which you get the chance to tell them why you don't want to be a Talktalk customer.

  75. Anonymous Coward
    Black Helicopters

    @ Pieman

    This will be promoted to customers as Webwise - a new feature helping protect you from phishing and spyware - presumably because the bad guys will have all your data already! Buried in the Webwise small print it may hint at the fact that all your data am belong to them. But looking at the BT website it already gives the definite impression that only people who are a bit 'cranky' would want to opt out of Webwise.

    Maybe one answer would be to get Norton et al to classify Webwise as spyware. Hmmm...

  76. Anonymous Coward
    Boffin

    Comparison with Supermarket Loyalty Cards

    This just struck me... When J Sainsbury, Tesco and the others decided they wanted access to personal shopping records they soon realised they'd have to pay for the privilege, and “reward” people with what is effectively a percentage discount on their shopping bill in order to convince them to opt-in. Technically they didn’t need reward cards as most people paid by credit/debit card, but holding wealth of information against a credit card must have seemed politically sensitive if not unlawful (and did give a slight advantage as they could track people’s payment habits too).

    Now the ISPs want in on the personal data gig, but instead of bribing customers to opt-in with some kind of reward, they’re pushing it out to everyone, and not providing any concrete answers as to how to properly opt-out of the data exchange element (not just opt out of the personal adverts).

    Here’s another argument on the Human Rights angle (right to a personal life - on top of RIPA and Data Protection arguments). Two guys live together, one is secretly gay, uses a shared computer but takes step to clean browsing history. Housemate 2 uses the computer and is bombarded with adverts for everything from gay dating to Arab Straps. 2nd housemate knows about targeted advertising and therefore housemate 1’s right to privacy is breached.

  77. trachycarpus

    newnet

    At least one more ISP has said categorically they will not entertain this.

    http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=newnet&Number=3281529&page=0&view=expanded&sb=5&o=7#Post3281529

    Hooray for the little guy.

  78. Alexander Hanff
    Thumb Down

    re: "like all Bandwagon's all UK ISP's will quickly jump on."

    This would be the same Zen who issued a PR statement (several actually) claiming they would -never- introduce bandwidth caps, FUPs or throttling and then did exactly that. Zen are about as trustworthy as BT and Virgin.

  79. Anonymous Coward
    Anonymous Coward

    what if

    what if all the users were to put a legal notice of some sort on every web page they make that forbids the processing of said page data in any way for potential profit ?

    would that go some way to protect the users and mess up the Phorm type profit model if enough websites/messageboards did that.

  80. Anonymous Coward
    Anonymous Coward

    paying the users licence fee

    chris, how will Phorm pay the users the licence fee for legal use of their data.

    how do Phorm know how much the users want to charge for the legal use of their data.

    how will Phorm deal with the UK Data Protection Act and the EU laws regarding use of person data including IP addresses.

    what is Phorms data Protection collectors valid and full adress.

    what is the full and valid address of Phorms legal council and to who should it be addressed.

    were should a user submit a UK data Protection act Notice for 'any and all data' held by Phorm to be supplyed by return post in a readable form to the user.

    add any more i may have missed....

  81. DaveTheRave
    Unhappy

    Its out in the open now

    http://news.bbc.co.uk/2/hi/technology/7280791.stm

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019