back to article How Phorm plans to tap your internet connection

Internal BT documents obtained by The Register for the first time provide solid technical information on how data from millions of BT, Virgin Media and Carphone Warehouse customers will be pumped into a new advertising system. It will not be "injecting" anything into your internet connection, as some commenters on our previous …

COMMENTS

This topic is closed for new posts.
  1. Ian

    Hard to see how it's not Interception

    It's Interception, per RIPA.

    There are immense data protection issues.

    Anyone whose computer is taken in a police raid is subject to having the cookie in their browser correlated with the cookie in the Phorm cache.

    There's also a copyright issue: if they're taking responses, any website for which I pay is having its content stolen by a third party. And if I'm paying for content, and it's modified in flight, who's liable?

  2. Ralph B
    Stop

    Commercial Suicide

    BT (and the other Phorm clients) appear to be planning to commit commercial suicide. They are going to so haemorrhage accounts when this news spreads. I struggle to find an example of a more misjudged business decision, based on contempt of their own customers ... maybe when Alta Vista decided to become a portal? Or SCO decided to sue their customers?

  3. Ash

    Dumping Virgin

    I feel like a spammer for saying this AGAIN, but i'm dropping virgin. I'm also using Tor (anonymous IP traffic through proxy and randomised encrypted tunnels) until it happens.

    Shameless linkwhoring? You bet! http://www.torproject.org http://www.badphorm.co.uk

  4. John
    Stop

    Won't this slow down all requests?

    By hijacking all requests, won't this slow down the users' browsing? OK, not by much per click, but what happens when Phorm's servers get overloaded and slow? Will they intercept multiple attempts? What if this F5 thing goes down? Will the users be left without Internet access?

    Or, in other words, is this not just another weak point waiting to cause misery to the user?

  5. The Mole

    Data protection act

    I still can't see how they can get round the data protection act, I can't see how they can argue that your browser profile isn't personal data, it's now considered that your ip address can be considered as potentially identifiying, and even if this isn't the case data contained within the html pages or post data certainly will contain identifiable data. At least some of that data will be "sensitive personal data" (if a user visits lots of gay porn sites, particular religiour websites, logs into trade union websites you can get a good guess at most of the following)

    "In this Act “sensitive personal data” means personal data consisting of information as to—(a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d)

    whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."

    Schedule 3 (Sensitive personal data) of the data protection act requires that "1

    The data subject has given his explicit consent to the processing of the personal data." there are other permisable justifications but none of these are relevant.

    Based on this I can't see how they can legally function. Now they are going to argue that their annonymizer removes the personal data and it isn't stored...

    however the DPA states:

    ""processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

    (a) organisation, adaptation or alteration of the information or data,

    (b) retrieval, consultation or use of the information or data,

    (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

    (d) alignment, combination, blocking, erasure or destruction of the information or data;"

    By this definition the very act of the "Anonymizer" obtaining the information (being forwarded your web request or web page) and then erasing what they consider the sensitive/personally identifying stuff then they are processing the data and therefore fall under the data protection act. This is particularly the case as even if they don't have any personally identifiable data yet they will in all likely hood gain identifiable data in the future

    "“personal data” means data which relate to a living individual who can be identified—

    (a) from those data, or

    (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,"

  6. Anonymous Coward
    Anonymous Coward

    double the data

    its interesting that it appears they force you to send at least two upstream requests "Without a response, the browser resubmits its request for the web page you want to visit. It is again rerouted to Phorm"

    why interesting, well i dont know about BT or the other one ;) (obvously need to advertise more so we can remember the name without refering to TheReg storys all the time LOL) but Virgin Media have a very strict STM in place during prime time.

    what does that mean well, Virgin Media count every single bit you upload including any internal network data and use that to determin your STM upload limits.

    so even if Phorm place their data collecting kit inside the VM internal network behind the UBRs your still being forced to send twice as much browser data as you were before and so reducing your very limited primetime STB allowance ,YES.

    sure you might make the case its not a lot ,but how can you average that amount out, after all your already advised not to download or upload your large datasets (streaming,torrents,family videos etc) during STM hours so your left with heavy browsing as your main entertainment at these times.

    so its reasonable to assume your going to do more browsing at these time yes?, and the Phorm are helping to reduce your data allowance by forcing twice the browser data to get were you need to get once it is activated weather your opted in or out it seems.

  7. Anonymous Coward
    Thumb Up

    Great Work Chris Williams

    Much Appreciated.

  8. Simon Aspinall

    Totally frightening.

    There isnt a chance in the world that a program can work out what is/isnt personal data in a webpage.

    I'm so glad the register is highlighting this. It now needs national press/tv coverage though to really put this into the spotlight.

    Slim

  9. Anonymous Coward
    Alert

    Maybe time...

    Maybe time for someone at the Register to pass along the good news to a few more media organisations?

    I'm sure The Sun or The Daily Mail would be more than happy to condense the complexities of the network architecture down it something more more headline worthy..

    "Massive Internet Data Theft"..

    or

    "ISP Data Protection Fraud"

    Should bring the issue to the attention of a wider audience...

  10. John Bayly
    Go

    When the news of this breaks

    This is really starting to concern me. We keep talking about when the news breaks, but so far it's been on techie sites. There's been no mention of it on BBC (somebody on badphorm.co.uk has mentioned it may be on Watchdog next week), or any other paper other than the Grauniad a fortnight ago.

    I've written to a host of people (the BBC, the Telegraph, Watchdog, Bill Thompson, BT, my MP & 2 peers).

    So far the only response has been from Lord Lucas (not to be confused with the bloke that disappeared). While receiving a reply from a Lord is quite impressive, it's a bit depressing that it's the only response I got.

    Also, BT may be correct, the general public may not give a damn about the privacy issues this raise. One of my housemates didn't think this was a major problem, and thought targeted adds could be good. She only got slightly concerned when I told her about Phorm's past.

    Meanwhile, I'm turning this into a personal crusade.

  11. Mad Dave

    Goodbye VM

    As soon as this is introduced, I'm dropping Virgin Media.

    Why on Earth they would think that I would want to allow shady third parties to get hold of my browsing habits, I've no idea.

    Oh, and as a VM affiliate, I will no longer be generating customers for them.

  12. Dave Bell

    Data Protection Act and Money

    Shouldn't Phorm have a DPA registration covering what they're doing. Has anyone looked for it?

    It must be that the Phorm profiling has to be done in the same data centre as the ISP proxy server would be. And the analysis is going to need some processor power, even if graphics files don't get passed around. From some of the comments about advert revenue that I've heard, is there enough money in the business to pay for the hardware?

  13. LJ
    Flame

    So, another way to cripple them...

    Wait 6 months, until they've had plenty of time to accrue a veritable assload of data on every subscriber....then get 50% of the ISPs' customer base to send them a £10 cheque and a request for all of the personal data they hold relating to their IP address/tracking cookie/broadband account. They have no choice but to comply, yet I 100% guarantee that they won't have enough resource to do the job within the time allowed under the DPA. Either they quadruple their headcount (thus destroying their margins) and go under, or refuse and end up in a class action suit.

  14. E

    Wiretapping

    Does this not violate privacy laws in the UK?

    Also, it is not transparent: how can it be verified that this company is not storing information that can identify people?

    I fail to see how the information collected is all that valuable if anonymized: I think the company's spokes-people and administration are lying.

  15. Mike Moyle Silver badge
    Coat

    Give them SOME credit...

    "Phorm's Open Internet Exchange (OIX)"

    At least they ADMIT that they're being oiks!

    http://www.urbandictionary.com/define.php?term=oik

  16. Tim
    Paris Hilton

    Commercial suicide not guaranteed?

    Do you think this story will break in a big way into the mainstream press, which is what must happen in order for a substantial number of users to switch (and thus the deal to break)?

    Judging by most comments on articles here those of us reading el reg are a group who guard our privacy fiercely and understand technology's impact on the same. What about the man on the Clapham omnibus?

    Paris for obvious non-techie, doesn't-give-a-monkey's-about-privacy reasons.

  17. T.J.
    Thumb Down

    Retail, right?

    They'd better blasted well not be doing this on every account that goes through BT wholesale. Reg, help me out and clarify that??

  18. Damian Gabriel Moran
    Unhappy

    i am attempting to leave virgin right now

    funnily enough i have been listening to the loud holding music and the repeated "Please continue to hold the line and your call..." message for 25 minutes now. A reflection of people leaving or merely a tacic to p*ss off people wishing to quit so they hang up and put it off for another time?

    I am looking forward to the sales numpty as I imagine they will not have a clue what i am talking about when i mention Phorm

  19. Ed

    Sorry...

    I've got some extra bandwidth at home and a spare dual P3 box. I guess I'll go set up a TOR node in honor of you folks on the other side of the pond that just got screwed hard by your ISP.

  20. Anonymous Coward
    Unhappy

    credit card / etc forms going to get double-posts?

    If i've read this correctly, visiting domain.com/page.html will actually result in 2 requests, one from phorm and one from the real browser.

    It also appears that this 'anonymous' request will contain all session-id and other connection specific data.

    So, for non-https stuff, are we going to get double requests from these users now?

    Potential scenarios:

    - I click a link in webmail to delete an IMAP message.. so its /delete.php?id=1

    - Now that item #1 is gone, #2 becomes #1.. but wait.. a second request.. delete the new #1 it says.. so now 2 items are gone.

    Obviously there could be hundreds of scenarios, basically anything which performs per-click non-POST non-https actions, of which over the whole web there are TONS.

    Please, please tell me I've missed something and it won't look to the server as the same user requesting the same page twice with all the ID's and session data intact???

  21. Anonymous Coward
    Flame

    BT = Bloody Tossers

    another excellent reason to never trust these fools

    if anyone is still with them, do yourselves a favour

    and dump there phone and broadband so called service, you will save a few quid and gain a bit of privacy at the same time!

  22. Luther Blissett

    @ Commercial suicide

    Chris's earlier item mentioned BT might get +£85M in 2010. That's very roughly annual subscriptions from about a third of million broadband customers. If Big Media run the story and/or there is litigation or regulation, I can easily see that number leaving BT.

    How can customers be sure they have been "opted out" if they request it?

  23. Frank Bitterlich
    Pirate

    "...responds on behalf of web server"

    "...responds on behalf of web server" - I hope this is all just some sophisticated April Fool's joke. Spoofing the server's response and injecting a malicious cookie into the stream - that's a deception practice commonly used with man-in-the-middle attacks.

    If that is legal in the UK, they've got a mighty problem there.

  24. Nick
    Black Helicopters

    Re: Dumping Virgin

    Ash wrote:

    "I'm also using Tor (anonymous IP traffic through proxy and randomised encrypted tunnels)"

    Yes, Tor is wonderful but it's not a magic bullet. It can slow down your connection and what happens when someone sets up a rogue exit node which sniffs all your traffic:

    http://www.theregister.co.uk/2007/11/23/tor_abuse/

  25. Stu
    Flame

    Question for Phorm CIO

    -Why is everybody being opted IN in the first place? Surely I should be the one doing the opting in, it is part and parcel of privacy law and data protection.

    Opting out by default is one of the major issues here. Secondly, its up to mere trust and ISPs security policies that your opt out choice has even taken effect, the fear that it slipped thru the cracks is always there as your packets still travel thru the filter boxes.

    Peace of mind it aint.

    I agree with Aaron, shady indeed, except ISPs are likely to sign up with them simply for more cash, not only to cover original costs. Its sickening.

    If I'm ever exposed to something like this, I'll be in court with my ISP and these chancers at Phorm quicker than they can filter my packets. I think the law is clear enough for something as blatant as what they do.

  26. Anonymous Coward
    Stop

    Man-in-the-Middle: Compromising Usernames and Passwords

    As well as the unauthorised interception of communications mentioned already, this has considerable implications for those people that use web-sites where HTTP Basic Authentication is used, or indeed, any sites that provide a form-based log-in system that isn't protected by TLS/SSL.

    Until now the biggest assumed safeguard was that it is impractical for an attacker to perform a widespread man-in-the-middle attack. If the ISPs and Phorm are allowed to go ahead using ACE or similar technology, then the ISPs are effectively exposing millions of customers to this form of attack. More-so bearing in mind the pedigree of Phorm.

    Many not-for-profit forums and membership sites don't bother with TLS/SSL because of the relative costs and complexity of implementing HTTPS on their web-host.

    As well as the possibility of the log-in username and password being intercepted and exposed, wouldn't that data be considered Personally Identifying Data under the terms of the Data Protection Act?

  27. Anonymous Coward
    Alert

    How does it work?

    Suppose you are requesting a page under the gmail.com domain (this would work equally well under facebook, meebo, etc):

    1. Browser sends a request for the page under the gmail.com domain

    2. Request is intercepted by ACE based on variables such as the port number, user-agent and content-type headers and forwarded to F5

    3. F5 performs 3 steps:

    (i) it checks for presence of a session cookie. If none exists, it sends the request URL and source IP address to the Anonymizer. The anonymizer is basically a database which stores these items and generates temporary IDs. The temporary ID is returned to F5.

    (ii) it sends the request URL which is tagged with the temporary ID to the Profiler.

    (iii) it sends the request URL to the webserver.

    6. F5 receives the response from the webserver, and does three things:

    (i) it sends the response content, tagged with the temporary ID to the profiler

    (ii) it modifies the response by inserting the session cookie from 3(i) along with a few resources located on the dns.sysip.net domain (actually an iframe and a javascript file)

    (iii) it passes the modified response back to the browser

    8. The browser receives the response and stores the session cookie.

    9. The browser renders the response. In doing so, it will need to resolve the javascript file and iframe located on the dns.sysip.net domain

    10. The browser requests the javascript file/iframe from dns.sysip.net. If one exists, the browser will also send the dns.sysip.net persistent cookie in the request header. This cookie holds the user's webwise preference settings. The request also contains the referrer URL header, which is the same location as in step 1.

    11. The request is intercepted by ACE and forwarded to F5.

    12. F5 does a lookup on the anonymizer by supplying the source IP address and referrer URL from the dns.sysip.net request. The referrer URL is the same location requested in step 1.

    13. The anonymizer returns the temporary ID.

    14. F5 updates the Profiler, replacing the temporary ID from step 13 with the persistent ID from the cookie in step 10.

    Notes

    (a) It is only in step 11 that ACE can tell if you have opted out or not. By this time, both the request URL and the page response have been sent to the Profiler which is apparently located in China.

    (b) This setup modifies every single web page whether or not the user has opted in

  28. Roger Lancefield
    Stop

    Phorm processing?

    The commercial world's battle to insinuate itself into our every digital transaction continues apace.

    I've already paid BT handsomely for my connection to the Internet, thank you. Will *definitely* be saying hasta la vista to them if/when they introduce this.

    I feel I should write a letter to BT customer service (perhaps sending a copy to their legal department) demanding to know in unequivocal terms (i.e. not encoded using UTF-marketing-b***ocks) whether or not they have handed over any of my data to Phorm or to any other third party without my knowledge or permission.

    Aaron Crane, would you care to share your provider's name? (You might want to provide some "affiliate" details, if you have any, for I suspect you'll be drumming up a significant amount of new business for them).

    For all BT's faults (no pun), I never expected them to exploit their customers in this way. As for Phorm, it's going to be a case of "talk to the Adblock Plus".

    Oh, and another thing, what's the difference between flogging "anonymized" HTTP data and "anonymized" voice data? That is, how long before the latter is also contemplated (or admitted to)?

    And finally.. would be very interested to hear the opinion of anyone with legal training comment on the data protection points raised by The Mole in his/her comment above.

  29. Paul James

    Permission to export data

    "(a) It is only in step 11 that ACE can tell if you have opted out or not. By this time, both the request URL and the page response have been sent to the Profiler which is apparently located in China."

    Doesn't permission have to be obtained to send personal info to a foreign country?

  30. Concerned User
    Thumb Up

    Q: If they use a cookie for opt-out, how does this work if i switch pc?

    if i opt-out of this service, i demand that it stick to my account, even if i have more than one PC, or clear my browser cookies, or get a new PC, etc.

    How will they handle this? I will not permit someone to track my internet history.

    The Cisco ACE doesn't seem to have any subscriber awareness, how would it remember that i am opted out? Does this mean BT is going with the 'send it all the way to the anonymiser'? method? This means i have all the extra latency and chance for failure even having opted out?

    What about non-HTML traffic like windows update or YouTube video? Is all my large file transfers over HTTP going to this device?

  31. Damian Gabriel Moran

    back again

    I wonder if Virgin Media's cock up a few months back when a lot of us were left without internet access for about a day has anything to do with this. Before the blackout I used to get 4 or 5 items of spam in my inbox per day, it now averages about 150

    oh no I have become a conspiracy theorist!

  32. Jeff Deacon
    Unhappy

    @ Re: Dumping Virgin - By Nick

    "Tor is wonderful but it's not a magic bullet. It can slow down your connection and what happens when someone sets up a rogue exit node which sniffs all your traffic"

    As things get progressively more evil on this interweb thingy, perfection cannot be achieved. Each of us will have to decide for ourselves what is the least worst option that suits our own circumstances. What was the quote from the CEO at Sun? Something like "Privacy is dead, get over it"?

  33. Anonymous Coward
    Black Helicopters

    What if you're using it for work, and the work's for one of Phorm's Competitors?

    Gulp!????

  34. Tom Chiverton
    Stop

    J. H. C.

    "inserting the session cookie from 3(i) along with a few resources located on the dns.sysip.net domain (actually an iframe and a javascript file)"

    So not content with stealing all my web traffic, they're also going to *mangle* the web page in some sort of unpredictable way ?!?

    I am so glad my ISP, Zen, have done the decent thing and promised to have nothing to do with them.

  35. Charity Worker

    Children's charity has safety concern

    I run a children's charity and when away from the office I and my staff and volunteers often reply to children's emails using a webmail account.We have a large number of BT accounts which we all use at home and in the office.

    Is it possible that this system will allow BT to see our webmail pages, including the email addresses of vulnerable children, their names and other highly confidential data?

    I have taken this up with the Information Commissioner because it would be highly unacceptable for a charity to divulge any information at all on data protection grounds and allowing total strangers access to children's details would get us into an enormous amount of trouble.

    Apart from anything else, everyone who works with children has to be CRB checked and if these web pages could be seen by anyone, or stored where strangers had access to them, it would make a nonsense of the safeguards put in place to protect young people.

    I'd be interested in BT and Phorm's response on this one.

  36. Rob
    Flame

    DPA registration

    Phorm UK Ltd is registered with the ICO. The address given is 222 Regent Street London W1B 5TR, which appears to be an accomodation address...

    I won't bother pasting the whole entry, you can look it up at http://www.ico.gov.uk/ESDWebPages/search.asp

    but the crucial part appears to be Purpose 2, "Advertising Marketing & Public Relations For Others" which, among the list of data subjects includes "END USERS". Whatever that means....

  37. Anonymous Coward
    Anonymous Coward

    That's f**ing scary

    Even if they are recording the URLs visited, why exactly would they need a copy of the return page? (With the cookie matched to the page).

    If it was a public page they could simply visit the URL themselves, if it's not a public page then they have no business accessing that page data.

    That's deeply troubling, I can't believe OFCOM and the data protection registrar haven't stepping in already. Let alone the police.

  38. Peter Fairbrother

    Interception and RIPA

    If this statement:

    "The website reruns the content you want, which is again intercepted by the ACE. A copy of the page contents is sent to the Profiler,"

    is correct then that would be interception under RIPA, irrespective of whether "you" can be identified or not.

    Interception is defined in RIPA as "making any of the contents of a communication available to a person other than the sender or recipient".

    Afaict it would also be a criminal offense in this case, as none of the lawful interception exemptions in RIPA would apply.

    In general, under RIPA ISPs are allowed to look at as much of the traffic data (URLs etc) as they need to in order to deliver the message, without this looking being interception; and they are also allowed to look at as much of the content as is necessary in order to provide their message-passing service.

    Think of the Post Office - the first looking is like reading the address, the second is like opening an undeliverable letter in order to find where to send it. The Post Office can open a letter under these circumstances, but not for most other reasons.

    The situation regarding IPSs is very similar. The latter kind of looking is interception, but not all interception is illegal, and it could be lawful interception if it's necessary in order to protect or perform their message-passing service - for instance it's how virus scanning and perhaps spam filtering are allowable, though spam filtering is a bit problematic - your computer is considered to be part of the network as far as virus scanning goes, so looking at content in order to protect it against viruses is okay, and there is an argument that spam filtering is necessary as email services would not be possible without spam filtering.

    BT and Phorm are persons btw, in the meaning of the Act, and it would still be interception if BT made content available to itself for processing. It doesn't matter whether the looking is done by machine or by hand, whether BT or Phorm does it, or whether they do any anonymising, it would still be interception and illegal as it is not necessary in order to provide the message-passing service.

    There are several other steps in the process described which might also be interception, but it's hard to tell from the limited information available - for instance, when the URLs are sent, how much of the URL is sent? Anything after the third slash (the one after the domain name) is considered content, not traffic data, and making content available to another person would be interception, and illegal interception to boot.

    I'm not well up in them, but the process described also appears to involve many breaches of the Computer Misuse and the Data Protection Acts.

  39. Someone

    Re: "...responds on behalf of web server"

    It appears unfortunately that impersonation is only illegal if it’s done to commit a criminal offence. For domain names that contain registered trademarks, it may constitute ‘passing off’. I’m also left wondering if, under certain circumstances, it could fall under ‘fraud by false representation’ as defined by the new Fraud Act.

  40. Anonymous Coward
    Black Helicopters

    Maybe I'm just too cynical

    But at what point do we, as consumers, get so angry at the suck holes who are essentially collecting intelligence and are perpetrating counterintelligence on us, in order to either sell us more "blue pills", tv's, crap cellular services or what-have-you?

    If I were even remotely in any of the products some of these idiots are hawking, through email, TV adverts, postal or on a website, don't you think I'd act on them?

    Also, the type of data they're conducting "legally" is the same as obtaining ones telephone records AND listening into the conversations. This shit has to stop.

  41. Andrew Underhill
    Pirate

    T's & C's

    Ummmm Guy's - Data Protection Act? It has no bearing!

    They will issue new Ts and Cs which people will have to accept or leave, and let's face it how many will leave? It will be take it or leave it.

    How many times have companies that we pay our money to do that to suit their own ends? Banks, Credit Card companies, BT etc

    :-(

  42. Anonymous Coward
    Anonymous Coward

    "Personal Crusade...."

    I, too, will be taking this on as a personal crusade. I have written to my ISP (Virgin Media) via recorded delivery to clarify exactly what their stance is. I have also started to bug Channel 4 News and Private Eye (see post on another related article) to get at least one of them to pick up on this and get it out into the mainstream.

    Anthony

  43. compuserf

    Breaking the Phorm process

    Ref How Does It Work. So there is a response from dns.sysip.net. If that address is placed in the hosts file pointing to 127.0.0.1 or similar, does the Phorm system fail, or does the browsing fail? Is their material inserted into the page sent to my browser, or just links to appropriate ads as specified by the page owner? How about rejecting cookies from oix.net?

    Protecting my browsing from Phorm is good, poisoning their system with useless data is better. Any simple way to do that?

    Can the browser show which ads are inserted by this so I can ensure I do not accidentally buy that product or service? Or does my hosts file need to be expanded some more?

  44. Chronos Silver badge
    Stop

    What really scares me

    In the architectural diagram, the customer end is labelled "BT Wholesale Access Network". Does this, by any chance, mean that any customer of an IPStream, DataStream or IPStream max reseller, who has no contractual relationship with BT beyond provision of telephone line, will have their data passed on to Phorm?

    Totally unacceptable if this is the case.

  45. Ashley Apps

    Passed this story to the BBC

    I have just passed the link to this news item to the BBC News website with a request they feature it - hopefully it will get wider coverage and shame BT etc to rethink their strategy.

    Oh, and the good news is that my ISP (Zen) have no intention of taking part in this unsavoury practice - so if you are looking for a good ISP look no further than Zen.

  46. Anonymous Coward
    Thumb Up

    @AC How does it work?

    Spot on mate (sound of pennies dropping) that is exactly what happens

  47. Chad H.
    Joke

    all my data went to phorn....

    so wheres mule lousy tshirt? (hint hint cash and carrion guys)

  48. mikus
    Jobs Horns

    Be more concerned about the "passive taps"

    Those passive taps documented there are basically optical taps that divert a percentage of the optical signal off gigabit ethernet (or other optical) medium for the purpose of monitoring traffic. Companies like NetOptics make nice units that sit in-line of a optical data path, and can split the signal up to 5 ways, meaning it can produce up to 5 full copies of every frame sent on their network to every state, government, and various other litigious sources you'd really rather not have your traffic. This is typically how most carriers monitor their network, but also for large ISP's like ATT to silently divert all your traffic to Carnivore-type sniffer boxes so GWB and buddies can sell you out to whoever funds their campaigns.

  49. tom
    Black Helicopters

    Anonymizer Shmanonimizer

    Seriously, this whole "anonymizer" thing is the weak point. Even if it's legit, it doesn't have to stay that way. In just the last year, how many anonymizing services have been "officially" compromised by some form of local law enforcement, without telling the community of users until some time later? I can recall at least two. They started out completely anonymous, and then later became un-anonymous.

    This system is worse than that, because it collects a profile of your surfing habits. Sure, it starts out anonymous, but who says it's going to stay that way?

    a) Law enforcement can step in at any time, demainding "add this identifying information". Or, they can simply add a separate identifying database. Trivial. If you're paranoid, assume this demand comes with a gag order of some sort.

    b) But even if they don't want to do that, what's to stop somebody (anybody, not just the law, who really I'm not that worried about) from fishing thorugh the profiles, and then locating the identifying information after the fact. The *next time* you use your browser, you're identified.

    c) Yes, I said *you*. Now don't you regret that google search for "hacking tutorial"?

  50. Hayden Clark
    Thumb Down

    And I wonder what happens if your browser doesn't support cookies?

    So, will wget no longer work? If the client ignores cookie set requests, it sounds to me like the system loops at stage 1, where it eats the request and feeds you a cookie.

    And what about web services?

    Pillocks.

    As bad as Verisign's DNS failure hijack.

  51. Paul James

    Chinese sensitivities!

    Just a thought - make sure you browse enough things that the Chinese are sensitive to and they might block Phorm's data transfer.

  52. Auz
    Thumb Down

    So they're basically stealing ads from other sites?

    http://webwise.com/how-it-works/faq.html#2

    How does Webwise’s relevant advertising feature work?

    Webwise technology places a cookie (a small file like the ones used on almost every website) on your computer, but this one is anonymous - it has no information but a randomly-generated number.

    Then, as a customer searches and browses online, that behaviour is checked against general advertising categories, like "Travel", "Finance", or "Luxury cars". The only information stored are those categories, discarding all the sensitive information like website URLs and search terms. These categories are set up by advertisers, who want to reach consumers who are most likely to be interested and find the ad relevant.

    ******When the customer’s interests match one of these advertiser categories, the customer sees a relevant ad in place of a generic, untargeted ad.******

  53. Anonymous Coward
    Anonymous Coward

    How about a joint legal action ?

    I would be interested to see a joint legal action being taken. Maybe an injunction to begin with . Anyone interested ?.

  54. Matthew Robinson
    Coat

    Cookie Swapping

    I'm sure that I remember a program under UNIX that exchanged your tracking cookies randomly with other users so that these tracking companies got rubbish not results? Anyone know what I'm talking about or should I be heading towards the coat stand?

  55. peter
    Linux

    MITM

    patronising people?, Host authentication guards against the Man-in-the-Middle Attack, setting up host authnetication while a MITM attack is occuring is pointless.

    I never really thought about it, but now I am aware a MITM attack is occuring I will have to send host authentication through the mail the first time.

    SSL is worse than useless, a script could be put onto silicon for all HSBC customers/Barclays etc to intercept rewrite, pass on , retrieve, rewrite, pass on. without customers ever knowing. 100% MITM is an interesting security situation, in theory you should always do initial setup without using t'internet so you don't end up asking a thief to fit new locks and stamp the keys.

  56. Anonymous Coward
    Thumb Down

    Could this explain.....

    ...why BT have sent me letters and phoned me asking me to commit to them for another 12 months in return for taking £2 a month off my bill? Or am I being cynical?

    I pay for an internet connection and that is all I want. I don't pay BT to build a profile of my activities then use that information to target me with adverts that have the highest probability of getting me to part with my hard earned cash.

    I won't go on about companies wanting their cake and eating it, to be honest I'm getting a bit sick of it now. If they go ahead with this I shall be voting with my feet.

  57. Herby Silver badge

    What if they did this to your phone connection?

    Draw the parallel. You call up someone, and instead of "hello" from the other side, you get bunches of ads that you may not desire (to say the least). Sounds awful to me. Luckly at the moment, here in the US we don't have such scumbags (I suspect some are close, but that is another comment). If this is so wonderful, why not extend it to the mail, or some such. Instead of getting a nice sealed letter, you get pounds of verbiage in the form of advertisements. To me it looks like they would lose their "common carrier" status and be liable for all sorts of nasty things.

    Yes, there is no privacy.

  58. Legless
    Go

    Downing Street Petition

    I'm based in Oz so I can't start one but can someone set up an electronic petition please?

    Cheers

  59. Anonymous Coward
    Heart

    Mac browser to the rescue?

    With all this talk about scripts and iframes, I have just been looking at my favourite browser and its basic security setting.

    iframes - don't load embedded frames from foreign servers

    images - filter images from other servers

    Javascript - when enabled, allow access to other web pages only within the same domain

    Plug-ins - don't use plug-ins for files from foreign servers

    cookies - default I use is to accept but not use, then

    - don't accept if from a different server than main document

    - always reject illegal / invalid cookies

    The above does mean that I have a lot of empty spaces on a lot of web pages. My guess is that it will also automatically filter out all the nasties that anyone using the phorm advertising system will offer. (It is pretty good at filtering out tracking cookies and scripts)

    The name of this browser? - iCab - available from http://www.icab.de/

    Sorry, only available for the Mac

    On the ISP side, I have been chatting with my ISP, who I have been with for 5 or 6 years now, and they confirm that they do not have anything to do with anything that would enable them to spy on the browsing habits of their customers. The advantage over Zen is the contention ratios and unlimited downloads - at a premium which now seems very cheap. As soon as I have the reseller package set up I will be adding a post to the badphorm site forum. I was going to sign up as a reseller with zen too but their site says that they currently have more requests than they can process.

    If anyone is thinking of moving ISP - it can take up to 10 days to get the MAC number, so now is the time to put in your request.

    Like so many others here, I feel that this is a personal campaign. It's just not British. Its Delaware, Russian and Chinese and the Brits need to stick together to maintain a basic level of civilisation even if the rest of the world is turning to greed and abuse.

  60. Peter Fairbrother

    Re: Interception and RIPA

    Come to think of it, ISPs selling _any_ customer traffic data is probably completely illegal under RIPA.

    It's certainly interception, see RIPA s. 2(5)(a) (even though it might be "just" traffic data, it's still interception unless it's done to "facilitat[e] the transmission of communications by any means involving the use of electrical or electro-magnetic energy"),

    and I can't see how it might be lawful under RIPA.

  61. BitTwister

    @Charity Worker

    > Is it possible that this system will allow BT to see (...) email addresses of vulnerable children (...) and other highly confidential data?

    Even without this system BT or any other ISP would be able to look at or monitor your web connections if it was so minded - an ISP is always the 'middle man' in *all* your net traffic. Obviously snooping this would make a mockery of any ethical or privacy considerations but with BT linking up with Phorm, it apparently now thinks this sort of tomfoolery is a Good Thing.

  62. Anonymous Coward
    Anonymous Coward

    the T&C doesnt override the DPA

    "T's & C's

    By Andrew UnderhillPosted Friday 29th February 2008 21:12 GMT Ummmm Guy's - Data Protection Act? It has no bearing!

    They will issue new Ts and Cs which people will have to accept or leave, and let's face it how many will leave? It will be take it or leave it.

    How many times have companies that we pay our money to do that to suit their own ends? Banks, Credit Card companies, BT etc

    :-(

    "

    your mistaken Andrew,

    what you (and everyone else)need to do is send a 'Data Protection Act Notice' to your ISP data controller,instructing them to stop Exporting, Processing or passing your data to any 3rd party, infact anything outside the very strict actions of supplying and billing for the Broadband service they are contracted for.

    you have the right to remove any and all processing rights granted to the service provider at any time, as its your data and you are the owner of that to do with as YOU please.

    even if its stored on the ISPs computer systems.

    Of Course, if you do infact _remove the ISPs right to Export your personal data_ then it becomes a very BIG problem, as most ISPs use the T&C to ask for permission to Export that personal data to the (indian) Offshore Customer services contracted staff.

    just how that might effect the ISPs cash flow is anyones guess!

  63. Anonymous Coward
    Anonymous Coward

    Have a look at this !!

    If you go here: http://www.ico.gov.uk/ESDWebPages/DoSearch.asp

    and then type in "phorm" (without the exclamation marks of course)

    into the "Name" dialog box it brings up Phorm's Data Controller Registration details. That gives a great insight into what is being planned and note the date of their application.

    Let me give a few clips and pointers from it;

    Purpose 2 Advertising Marketing & Public Relations For Others

    Purpose Description:

    Public relations work and marketing, including host mailings for other organisations and list brokings.

    COMMERCIAL CUSTOMERS AND CLIENTS

    END USERS

    Data classes are:

    Personal Details

    Financial Details

    Goods or Services Provided

    Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):

    Other companies in the same group as the data controller

    Traders in personal data

    Transfers:

    Worldwide

    YOU SEE THE EXTENT OF WHAT THEY PLAN and I would not be surprised to see them step outside the relationships with BT etc at some point (having collected all the data ??) Remember the Electoral Roll that the Councils collect WHICH THEY THEN SOLD , so one cannot believe what one is told at first sight.

  64. Ashley Apps

    Petition submitted

    I have just created a petition on the Number 10 website asking for the government to intervene to stop BT etc. going ahead with this deal.

    Currently being approved.

    If it appears all go along and sign it - pass this on to anyone you know.

  65. Anonymous Coward
    Anonymous Coward

    Internal BT Worries

    I wouldn't normally do the Anonymous Coward thing but .....

    Looking around on the BT Intranet this article has come up a few times and there is definitely some internal worry about the publicity elements. BT Security have also (but not formally) hinted at concerns about the offshoring of this data.

    The standard internal answer is currently:

    "People have wildly different feelings about this

    Actually, if used properly it can be a huge advantage for the customer

    Others like you feel different

    We will monitor this carefully and see what the experience in practice will be and evluate seriously"

    It's down as a priority delivery for Q4 2008.

    For the Wholesale query above this is definitely a BT Retail initiative.

  66. Anonymous Coward
    Thumb Down

    FT has reported on this

    http://www.ft.com/cms/s/0/b961adc0-daf9-11dc-9fdd-0000779fd2ac.html?nclick_check=1

    Linky from FT.com about the share price of Phorm going up 10% after anouncing their deals with BT, VM and TT.

  67. Craig

    Banks!

    I've now asked my two banks, Barclays and the Co-op, to investigate this and make sure that my internet banking is safe now that BT has sold all my data to a company that will intercept, analyse and retain my browsing data, including online banking.

  68. Anonymous Coward
    Stop

    OMG - Are they serious?

    Try contacting VM here http://help2.virginmedia.com/assets/html/customer_feedback/customer_feedback_querytype_1.html

    The best bit is where you get asked for your name, address, account number, address etc AND ITS NOT EVEN AN SSL CONNECTION!!!!

    WTF!

  69. Anonymous Coward
    Anonymous Coward

    Point regarding the Data Protection Act 1998

    Just a point that may become relevant. With regards to IP addresses, their argument MAY be that they cannot identify individuals from that IP address and thus they are not "collecting data" in an underhand unlawful way. The counter to that would be (a) Phorm's close relationship with BT etc gives them the possibility to so identify the person sending an http request. Also what if you fill details into a form on the webpage with your name,password etc to log in to an account of yours, IS that data also at risk and/or collected by Phorm ?. (b) I was sued by some who had described himself only as "mickey mouse" and had not used his real name at all. The only way he could be indentified would have been by a Court order forcing ISP to give the details. The Court in the case against myself said that it did not matter that he could only be immediately identified as "Mickey Mouse" the fact was that it was possible (via Court Order) to put 2 and 2 together and get his indentity and thus on that basis the Court gave Judgement to "Mickey Mouse" (i.e. to the name underneath that pseudonym). And yes that did happen in the High Court in London with some dick of a Judge ruling as usual.

    So the point is therefore if applied to this Phorm matter, IF they in anyway have access to IP addresses they ARE then processing Personal Data of INDENTIFIABLE (and that is the key "identifiable") persons.

  70. Anonymous Coward
    Anonymous Coward

    Oh, wouldn't van Vogt's Weapon Shops be wonderful?

    Whenever I read about another despicable scheme such as this one, I remember A E van Vogt's science fiction stories from the early 1950s about the Weapon Shops and their alternate court system for righting wrongs the evil corporations visited on ordinary individuals. Such a wonderful fantasy.

    But we don't have the Weapon Shops; we've got to do the fighting ourselves.

    In this case, I wonder whether the ISPs who plan not to do business with Phorm could be induced to publicize the scheme and use it to attract customers? Yes, I see the problem with that -- long before they got many customers to switch, BT and the Phorm-lovers would drop the scheme and the good guys would be out a lot of money without much benefit.

    I kind of like LJ's idea of letting them run the scheme for a while, then hit them with Data Protection Act requests for a report of all the data held. But that would require getting a lot of the bad guys' customers to act in a coordinated way, and would expose everyone to the dangers of the scheme for a while. Both not so good.

    Keep brainstorming. Some solution may turn up as a result.

  71. Anonymous Coward
    Flame

    So let me get this straight...

    They put a tap into any http stream that goes over the network. From the sound of it a not particularly transparent/passive tap but rather a man-in-the-middle one where they interfere with the exchange of data. Even if they aren't injecting anything like adverts into your incoming traffic this isn't good.

    Any stream they can interpret, they do. They promise to limit their interpretation of the data to make it 'private', though there appears to be no particular mechanism to ensure the interpretation is limited as they have the full range of data to begin with before they chose to filter it. And in any case even filtered data isn't guaranteed to be particularly private.

    And given past history of those involved in the same marketplace their handling of the data is unlikely to be trustworthy.

    You can 'opt out' of the service, but this doesn't stop the data intercept, rather it seems to only affect how 'targeted' any associated advert delivery will be.

    And it seems you have to choose to apply the opt out, limited as it is.

    And even then you have to apply the opt out on every device you use on your connection. And retain the cookie. And hope the opt out doesn't expire after some period of time.

    So while before you had the option to block /delete cookies, adverts, spyware etc. and generally avoid their rubbish, now, even if you continue to do this and never see their ads they'll still continue to have access to your data whatever you do, short of pushing all your http traffic via an encrypted proxy.

    Well, fuck that!

    .

    Tell you what Kent Ertugrul, Virasb Vahidi, Hugo Drayton, Marc Burgess, David Sawday and all the others who are identified with this lovely company; you promise to drop this idea and never even think about harvesting my private data to use for your personal gain and in return I promise the same.

    Because obviously it would be most inconvenient to suddenly find *your* personal data was in the public domain and others were profiting from it.

    Funny, isn't it, how the idea seems less tempting when viewed from the other side?

    .

    Hopefully the various people responsible at the ISPs considering this will suddenly acquire a clue and walk away from this. If they're lucky they'll do it before their recent decisions become career limiting.

    .

    (On another note the bio of a certain Director of Corporate Communications includes the statement 'David holds a BS degree': if you consider the fertiliser angle rather than Bachelor of Science this seems rather fitting given the usual PR activities!)

  72. RW
    Dead Vulture

    @ Stu and "Will it actually work?"

    Stu: "Why is everybody being opted IN in the first place?"

    The answer is obvious: because no thoughtful person would ever opt in.

    Maybe it's just me, but reading these comments made me wonder if Phorm & BT actually know what they are doing. Is there any chance that when this spyware cum snoopamatic thingie gets turned on, BT's internet service will simply stop working? Sort of like a dinosaur with terminal constipation?

    Or is this just wishful thinking on my part?

    Another tactic that no one has mentioned is for those holding BT stock to write the president and ask why they are taking steps that will seriously erode the value of their trademark, alienate customers, and very likely break a number of laws.

    Corporate hotshots HATE to get letters of complaint like that, esp. from shareholders.

    Might be worth buying 1 share of BT just so you can say "I am a BT shareholder."

  73. Anonymous Coward
    Thumb Down

    Scale of System...

    I'd be curious to know the scale of this system... Some of those docs refer to numbered devices, indicating that those diagrams may be more literal than conceptual.

    Cisco reckons it can L7-switch 90 Oracle apps using 4 ACE's, so seeing BT use a pair of 6500E chassis with 2 or 3 in each could be close...

    Hello bottleneck. Hello downfall.

    And nice passive taps. Wonder who's being CC'd that traffic.

  74. Phil A

    Data protection status

    Phorm were registered under the data protection act only a month ago and I'm not convinced it covers what they are planning to do - Purpose 2 is the closest.

    http://www.ico.gov.uk/ESDWebPages/search.asp

  75. Anonymous Coward
    Anonymous Coward

    TOR

    I was going to download TOR the other week, but I decided against it, thinking it would be too much bother. But now, after reading about all this Phorm stuff, I will definatelly be intalling TOR.

    The interesting thing would be what happens if someone ran a TOR exit node with one of these ISP's, Phorm would get to see all what happens on the afforementioned exit node.

  76. teacake

    What about web-mail?

    I've a question. What about pages hosted by those ISPs? I no longer use BT as my ISP but I still have a btinternet.com e-mail address. If I log on via the ISP's web-mail interface, will my pages also get routed via Phorm?

  77. Aubry Thonon

    Data infringement....

    I host a couple of web-sites (personal stuff, nothing earth shattering, but which I retain copyright on). What this article tells me is that Phorm is going to use the contents of my web-site, without my permission, in order to boost their profit (ie, build a browsing profile).

    And I shouldn't sue their a**es because...?

    ...Google at least has the decency of offering me something in return via a decent indexing on their search engine.

  78. Suricou Raven

    Virgin customers stuck.

    What about us heavy P2P users? Virgin is the only ISP left that doesn't enforce an upload limit - and I know its not enforcing, because my connection has been going at full capacity for years without complaint. If I went to any ADSL, I would not only have to cut back P2P, but also change phone number. I use cable phone, and (unsuprisingly) it doesn't support ADSL.

    Perhaps angry ad-vendors will have to start sending their ads via SSL in future, to prevent ISPs replacing them. I am reminded of the way Sky and Virgin, when showing each other's channels, edit out all of the ads for their competitor.

    Finally, dont get too hopeful about customer rebellion. What will most people think of it? They wont know. their private data will be collected, and they wont even be aware of it. Their connections will act in strange ways, but as non-techies they wont know what the usual way is to notice. Slow websites will be blamed on the website.

  79. Anonymous Coward
    Anonymous Coward

    Re: Mac browser to the rescue

    Don't be so smug, all that means is that you won't see the adverts. they will still be collecting you personal data. Also, windows based browsers can do the same.

  80. The Mole

    Re: T's & C's

    Andrew I disagree the DPA does apply. If all that was being transfered was 'personal data' then I agree a quick change to the T&Cs would cover them however as I posted before they can infer things such as your sexulaity and trade union memberships, these both count as 'sensitive personal data' and require explicit content for the processing. It's very unlikely that the courts would accept that a paragraph hidden deep within the T&Cs would count as explicit consent, this is particularly the case where you aren't explicitly agreeing to the new T&Cs just implicitly agreeing by not cancelling your account.

  81. Anonymous Coward
    Anonymous Coward

    @How does it work?

    *****************************************************************************

    [El Reg: PLEASE, PLEASE, your message board software is crap - you need a way to easily start and reply to threads]

    *****************************************************************************

    Question: is it possible for the target website to identify a request that has been hijacked?

    If it's possible, then that website can serve up a warning for the end-user. If even a small percentage of websites detected and warned about hijacked requests, then this would kill Phorm and its ilk stone-dead.

    If you or anyone can come up with some ideas, I'll have a go at hacking this into Joomla.

  82. alistair millington
    Flame

    When does it start.

    ...and how certain is it that those three companies are definitely taking it up????

    If so who is there to move to that is any good?

  83. AreBelongToUs
    Flame

    @How does it work

    I think this link was posted in another thread.

    Javascript toolkit to detect in-flight changes.

    http://vancouver.cs.washington.edu/

    Won't detect intercepts but can let you know if you are seeing what the website intended to send you.

  84. James Haigh
    Black Helicopters

    You can't stop it recording...

    You can't prevent the tracking of your actions.

    *Whatever you do, your online activities will be tracked. All you can do is request that they don't serve you advertising based upon your browsing habits.

    You still get the same number of ads, they are just random ones.

    *But they still record what you do*

    Opting out via any method (publically talking changing your hosts file, or using a different browser, or wearing a tinfoil hat, or refusing cookies, or opting out via their site) only stops them targeting the adverts based on your browsing habits, it does not stop them recording what you do.

    Apologies for repeating the same message others have also made/tried to make, but folks are either ignoring the facts, missing the point, or are being just plain stupid!

    Go to a decent ISP - Zen and PlusNet have both stated they aren't touching Phorm with a bargepole.

  85. Alan Edwards
    Dead Vulture

    No effing way would I accept this...

    a) They get a copy of all data sent in the clear, both requests and content. They *say* they ignore anything private etc, but would you trust them?

    b) Everything gets rerouted through F5 and their anonymiser. As costs go up, there's no guarantee these won't be running on a 486 in Alaska, which will make dial-up look fast.

    After the stink this has kicked off, will the next round of contracts ISPs sign will have clauses that say can't tell anyone you've signed the contract?

    Alan.

  86. Anonymous Coward
    Coat

    I've written to my banks

    I suggest others do the same, it will probably fall on deaf ears but this issue needs to be spread as widely as possible.

    Email I have sent to all three of my banks below:

    "I have just learned via various news sites on the internet that Virgin Media (My ISP) is planning to introduce a new system for delivering tailored adverts to me that is run by a company called Phorm.

    The system involves intercepting my web requests, making a note of certain information and then forwarding the request on. The response from the ultimate website is then intercepted and modified as part of the process before finally sending the page on to me.

    I have a couple of concerns that I thought should be brought to your attention and would be keen to receive comment from [My Bank].

    Firstly, this "service" is effectively a "man in the middle" attack, communications between my home PC and my bank could no longer be considered secure, as my requests are being routed to a 3rd party (currently in China) and your responses are like wise being modified on the return route.

    Secondly, the company in question, Phorm has a history of questionable practices, being the major site that used to provide "popup" advertising, primarily for Porn sites.

    You may ask, why am I bothering you with this. I am interested in [My Banks] position on your internet traffic being intercepted and forwarded to a third party.

    Currently, their are three ISPs that have agreed to join Phorms system these are BT, Virgin Media and Carphone Warehouse. As a bank I would hope that you would lobby and condem this activity in order to help protect our secured communications.

    I look forward to your response"

    Share dealing website next, then my ISPs that provide hosting not comms.

    Mines the one with "Angry Consumer" written on the bank.

  87. Anonymous Coward
    Alert

    Could someone explain...

    In simple terms, what happens with 'secure' data? Will it not snoop https sites? What about non-https sites that I might enter personal information into (such as my email address when posting on a comments board such as this one) will this be sent to Phorm?

    How are they saying this is 'anonymised data' if they can tie it back to my IP address to display the advertising? Presumably if I have a fixed IP address it would be trival to 'de-anonymise' it.

    What happens when there are multiple users from one IP? Will my 19 y/o son browsing porn sites mean that my 12 y/o daughter is now to be subjected to sexually themed ads?

  88. Andy ORourke
    Unhappy

    Dont worry, opting out is easy..........

    I just opened a ticket to opt out and here is the reply:

    Thank you for your e-mail dated 3rd March '08. It has been logged under

    the reference number BLAH BLAH BLAH. As I understand from you e-mail, you want to opt out of BT Phorm.

    I regret to inform we, being the broadband technical helpdesk, do not have the adequate resources to terminate your BT Phorm subscription. Hence, issue needs to be taken care of our dedicated BT Broadband Technical Helpdesk on 0845 600 7030 (open 24 hours / 7 days). They would investigate into the matter and if necessary, they would transfer the call to our Yahoo! Helpdesk.

    For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site http://www.bt.com/broadband/help

    Thank you for using BT Total Broadband Support

    BT Total Broadband Support

    Notice the phrase "Your BT Phorm Subscription" I don’t remember subscribing? By the way the incorrect spelling and grammar have been left in place!

  89. Mike Richards

    HTTPS should be okay

    HTTPS uses SSL which uses two forms of encryption to guarantee speed and security. Public key cryptography gives lots of protection from the problems of key distribution, whilst symmetric cryptography - nice and fast - encrypts most of the data.

    When you start an HTTPS session your machine requests a copy of an asymmetric public key held by the remote server. Your computer then generates a unique symmetric session key, a copy of which is then encrypted with the server's public key and dispatched across the net. When the server receives the encrypted session key, it uses its private key to decrypt the session key. From then on all transactions are encrypted with the session key.

    Phorm could intercept the public key - but can't decrypt messages encrypted with that key. It could also intercept the encrypted session key - but again it doesn't have a decryption key. The bulk traffic of the exchange can also be intercepted, but Phorm won't have a copy of that key.

    So HTTPS is safe, but there is plenty of information slopping over the Internet that could cause you lots of damage - from your emails, to just the profile that could be built from watching one of your sessions.

    I am with BT and demanded a full explanation of their plans and how I can possibly trust them again. I'm also threatening them with the DPA, RIPA and Ofcom. I don't expect I'll get a useful response, so I'll be switching ISP RSN.

  90. John Bayly
    Thumb Up

    @Mike Richards

    I'm with you on this. My understanding of HTTPS is that it'll be incredibly hard to read the data without the private key.

    Phorm saying they won't listen to HTTPS traffic isn't because they respect your privacy, it's because they can't without an insane amount of computing power.

  91. Anonymous Coward
    Thumb Up

    Virgin Media and Phorm

    I contacted Virgin Media a week ago to ask how to opt out of their scheme. The person on the phone claimed to have no knowledge of Phorm, so he went to speak with his advisor. Several minutes later, he returned to explain that Virgin Media had been forced to share personal details about all of their users due to a court order, which was a way of avoiding my question about Phorm.

    When I mentioned that the deal between Virgin Media and Phorm had been reported on Slashdot, he paused and awkwardly claimed that Virgin "are not going to do that now". Can anyone confirm or deny this claim?

  92. hexacet
    Black Helicopters

    bloody bt

    ah, so thats why theyre calling 3 times aday offering a £2 discount for signing up for another 12 months (so that makes them only 2X more expensive and 6X slower th an BE internet...)

    also speaking of advertising how come El Reg refuses point blank to load when all of double clicks comains are blocked by protowall yet any other site happily loads minus its adverts? - is there some El Reg / double click conspiracy?

    hex

  93. Anonymous Coward
    Black Helicopters

    HTTPS makes little difference

    It might encrypt the packets, but the headers are unencrypted, how else do you think the internet works?

    If no resource except the one you want to visit can interpret the name of the resource you want to visit, how the hell do you think that DNS etc manage to pass you enough hints to get you there?

    Clearly the address of the site you are visiting is available, thus the types of sites you visit can be tracked/stored.

    You gotta get used to the fact that your ISP could see whatever you do already if they invested in the kit to identify the packets individually.

    On the basis that they are looking to record much simpler information about your habits, the kit is relatively cheap (big numbers involved because of the scale/throughput of the kit rather than because of its capabilities)

    Remember the big numbers talked about as headline savings/income for BT in year 1?

    If the system was so simple to bypass, do you think Phorm would be getting such huge investment?

    Would BT be jumping in if it was easy for their customers to negate the usefulness of the system, thereby reducing the size of the cheque?

    Remember that your habits are as useful to advertisers as the ability to target adverts to you is. (They can target ads to you based on the common interests of people visiting motoring sites for example)

    Its bigger than you are realising, and harder to escape.

  94. Anonymous Coward
    Thumb Down

    Paradox?

    What happens when they profile me and find that I absoloutely loathe advertisments?

    What happens when they profile me and find that I'll boycott (and if possible sue) anyone I think is profiling me without my express permission (which I won't give to anyone anyway)?

    Will they stop?

    Will they hell.

  95. Greg
    Stop

    Evil and more evil

    There are two impacts, my personal privacy is lost, and Web sites that rely on ad-generated revenue. I am concerned about both.

    Please join a Web site that opposes this e.g. http://badphorm.co.uk

    I expect Google to be quietly campaigning behind the scenes because of the impact to its business.

  96. Anonymous Coward
    Anonymous Coward

    Same model as speed cameras?

    Perhaps the most troubling aspect of the Webwise project is the introduction of passive taps into the network connection. If the 'Netsense Architecture Diagram' is correct, all the connections between BT Broadband users and BT's internet backbone through which they access the internet will go through a passive tap.

    It's not just that advertising profiles will be built up on the basis of users' observed browsing habits, detestable though this may be. The introduction of the equipment Webwise will use into exchanges would apparently also provide the basis of an option for widespread and undetectable tapping of users' communications over the network. On the face ot it, it would be relatively straightforward to add fibre to the passive taps in order to take an additional copy of the users' data and send this on elsewhere, say over a secure data link embedded in BT's data backbone. This data would contain the user's internet address. And, like any ISP, BT will have logged, as a matter of course for billing, details of who this corresponds to and where the connection terminates.

    From recent Guardian articles it would appear that Phorm had been in discussions with the Home Office some while ago. This might explain why there has so far been no action over BT's secret experimental tests last year which, taken at face value, seem to have involved illegal interception of data.

    It is hard not to wonder that the overall business model is similar to that which was used in the introduction of speed cameras. Significant funding for road cameras was provided by commercial organisations who use number plate recognition systems to assess traffic flows. The registration numbers are, of course, discarded as soon as they have been used to calculate average speed between two cameras along a particular length of road. Processed data based on average speeds is supplied to paying customers, who are advised of traffic jams and how to avoid them. Now, however, the same equipment that provides the commercial service is also to be used as part of the regulatory system, where registration details are no longer discarded, in order to police speeding from measurement of time to travel between two cameras.

    If this analysis is correct, it is not just the Webwise system that needs to be scrutinised. It is the plans that the government may have for widespread surveillance of our communications that need to be questioned.

  97. Anonymous Coward
    Unhappy

    Virgin reply

    Sent an E-mail to Virgin Media asking for clarification as to why my personal details and browsing history is being diverted to a third party in China, which I consider to be an invasion of my privacy. My contract with Virgin is to Provide an access portal to the internet and nothing else. In the same way a person asks BT, Vodaphone, Orange, etc to provide a Telephone line for making Phone Calls. They would not expect all their telephone conversations to be sent to China for recording and dissemination for data.

    Today I received a 'Feedback' questionnaire about my thoughts on their reply, which was a standard item saying basically they thought it would be better for me. The worst part about that is that although Virgin Media is a UK company providing a UK based ISP service and I sent an e-mail to that UK company; the questionnaire has come from the USA, which means Virgin have also sent my message to them as well. The US e-mail small print states:-

    Satmetrix Systems, a leading provider of customer experience management solutions, will be conducting the survey on behalf of Virgin Media.

    Satmetrix Systems does not use this information for any other purpose. If you'd like to find out more about how Satmetrix Systems will use your information, just click on the following link to see their privacy statement: http://www.satmetrix.com/company/privacy.htm. And if you want to contact Satmetrix Systems by mail, just write to them at Satmetrix Systems, 950 Tower Lane, Suite 500, Foster City, CA 94404

    EU Respondents: The data collected from you may be transferred out of the European Economic Area (EEA) to be processed on behalf of and under the instruction of Virgin Media Corporation by a third party data processor based in the USA. Under the United States/European Union Data Protection Safe Harbor Agreement, Satmetrix will only process personal data for the purpose determined by Virgin Media.

    So much for Personal Privacy when Virgin Media send your e-mail messages to them to one country and divert your internet usage history to the largest communist state in the world with a proven history of repression, who at any time can take the data from the companies computers for their own use. BIG BROTHERS are here and one's called Branson!

    Rant over (for now Confused )

  98. Rob Staveley (Tom)

    Phorm in a tea cup?

    If you walk down the street and pop into a sex shop in broad daylight, you run the risk of being seen. So, you get yourself a dirty macintosh and turn your collar up and protect your privacy.

    If you pop into a sex site on the Internet, it is a similar deal. You risk being seen. So you get yourself something to conceal your activities, if you are concerned about your privacy... if it makes you less electable as a member of Parliament.

    Your ISP and therefore Phorm can't snoop SSL (HTTPS). If you read your mail over SSL, your mail is private. Charity Worker, make sure you read your mail over HTTPS. If you browse information that you do not want others to know about or associate with you, make sure it is over SSL.

    In the past nobody much [that you were aware of] was watching your unencrypted activity and you may have been able to kid yourself that you could safely do the equivalent of hanging your house keys on the garden gate. We all need to wise up and be aware of what's public and what's private. That's all.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019