The Phorm storm
Update: An interim Privacy Impact Assessment (PIA) has now been published by Phorm. You can read it here [pdf]. The PIA, produced by 80/20 Thinking Ltd, predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?”. This document, which is dated 10 February 2008, anticipates the publication of a full PIA “in March 2008”. As yet none has been forthcoming.
Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet.
Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP. It then uses information about your surfing habits, gathered by searching the URLs you request and the websites you visit for keywords, to assign that unique number to various “channels” (for example “golf”, “travel” or “handbags”). When you visit a website which has a “Phorm please put an ad in here” tag, Phorm serves an ad from a channel where your unique number appears.
Phorm says that it does not write data about the content you are viewing to disc in “the production system”, getting rid of it as soon as the operation to assign your unique number to a channel is complete. In a separate system (used for “research and debugging”) that data is stored for 14 days, then deleted.
Despite some significant investigative work, in particular from The Register and the Political Penguin blog, several technical questions remain unanswered. The confusion is compounded by a Privacy Impact Assessment of Phorm that was conducted by 80/20 Thinking Ltd, whose core staff includes the director of Privacy International, Simon Davies. Davies has gone on record stating that “Phorm does advance the whole sector of protecting personal information by two to three steps”. Yet despite the focus on Davies’ involvement, the privacy impact assessment conducted by 80/20 is yet to be published.
On top of this, question marks are beginning to appear over Phorm’s compliance with the law. Can ISPs’ employment of Phorm comply with the Data Protection Act? Is intercepting traffic in this manner an offence under section 1 of RIPA (the Regulation of Investigatory Powers Act)? The Information Commissioner has issued a statement (pdf) saying his office is making inquiries – but is this enough?
A petition asking the Government “to stop ISPs from breaching customers’ privacy via advertising technologies” has now collected over 2,500 signatures. Phorm could, as Simon Davies has claimed, represent an advance in online privacy. But because it is being applied to target ads at us, based on activity we have not asked and may not want to be tracked – the websites we visit – it is not surprising that people are shouting “keep your mitts off my bits!”.
Until we know exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue. The ISPs involved with Phorm, as well as the company itself, should take their lead from the Government, who last week published the controversial and critical Crosby Review of ID cards after much delay. They should publish 80/20’s impact assessment and full details of how Phorm will work now and let us see for ourselves the real privacy implications of Phorm.
Some resources:
- BBC Q&A on Phorm
- Register Interview with Phorm
- Phorm and privacy explained (by Phorm) - Flash video
- BadPhorm campaign
- Ernst and Young audit of Phorm - pdf
- BT help pages for “Webwise”, their proposed use of Phorm
- 80/20 Privacy Impact Assessment of Phorm - forthcoming?


March 12th, 2008 at 11:58 am
I think it’s important to note that, as we’ve seen with the AOL search data debacle, just assigning a random unique number is not enough to anonymise the data.
In thinking about the sites I visit, for example del.ico.us or flickr, where my username is embedded in the URL, it doesn’t seem like it would be too hard to figure out who I am.
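An added illustration of the point made in this comment, applied to the mechanism the post describes (this is not code from the post, from Phorm or from any commenter): a toy profiler that assigns a random browser id, mines URLs for keywords and maps them to channels, with the separate raw-URL “research” store the post mentions. The channel vocabulary, the username-in-path URL patterns and the browsing sample are all constructed for the example.

```python
import re
import uuid
from collections import defaultdict

# Constructed channel vocabulary; the post itself only names the channels.
CHANNELS = {
    "golf": {"golf", "tee", "fairway", "putter"},
    "travel": {"flights", "hotel", "holiday", "airline"},
    "handbags": {"handbag", "handbags", "purse", "clutch"},
}

# Constructed patterns for sites that put the account name in the URL path
# (del.icio.us/<user>, flickr.com/photos/<user>), as the comment above notes.
USERNAME_IN_PATH = [
    re.compile(r"^https?://del\.icio\.us/([^/?#]+)"),
    re.compile(r"^https?://(?:www\.)?flickr\.com/photos/([^/?#]+)"),
]

# Constructed browsing sample for one (hypothetical) user.
SAMPLE_URLS = [
    "https://del.icio.us/alice_j/golf",
    "https://www.flickr.com/photos/alice_j/sets/holiday-2007/",
    "http://www.example.com/cheap-flights-to-spain",
]


def tokens(url):
    """Crude keyword extraction: every alphanumeric run in the URL."""
    return {t for t in re.split(r"[^a-z0-9]+", url.lower()) if t}


def channels_for(url):
    toks = tokens(url)
    return {name for name, words in CHANNELS.items() if toks & words}


def identifying_tokens(url):
    """Account names that the URL path itself discloses."""
    found = set()
    for pattern in USERNAME_IN_PATH:
        m = pattern.match(url)
        if m:
            found.add(m.group(1).lower())
    return found


class Profiler:
    """Two stores, as the post describes: 'production' keeps only
    uid -> channels; the research/debug store keeps the raw URLs for a while."""

    def __init__(self):
        self.production = defaultdict(set)
        self.research = defaultdict(list)

    def new_browser(self):
        return str(uuid.uuid4())  # the random identifier nobody can "link back"

    def observe(self, uid, url):
        self.production[uid] |= channels_for(url)
        self.research[uid].append(url)


def leaked_identities(profiler, uid):
    """Defender's check: which account names survive in the raw store."""
    found = set()
    for url in profiler.research.get(uid, []):
        found |= identifying_tokens(url)
    return found


def minimise(url):
    """Mitigation: keep only the host for URLs whose path names an account."""
    if identifying_tokens(url):
        scheme, _, host = url.split("/")[:3]
        return f"{scheme}//{host}/"
    return url


def demo(urls=SAMPLE_URLS):
    raw, safe = Profiler(), Profiler()
    uid = raw.new_browser()
    for url in urls:
        raw.observe(uid, url)
        safe.observe(uid, minimise(url))
    return {
        "raw_channels": raw.production[uid],
        "raw_leaks": leaked_identities(raw, uid),
        "minimised_channels": safe.production[uid],
        "minimised_leaks": leaked_identities(safe, uid),
    }


if __name__ == "__main__":
    print(demo())
```

The random uid keeps the production profile pseudonymous, but the raw store still carries the username from two of the three URLs; minimising identity-bearing URLs before they are stored is what removes the link.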
March 12th, 2008 at 1:09 pm
Something I have yet to see on the Phorm debate (and as a Virgin media customer I will be a sufferer from the added delays) is who actually gets to use this information. If they (who?) are targeting advertisements specifically to match someone’s browsing habits does this mean that only the sites who buy Phorm information will use this or do the ISPs concerned plan on removing a website’s chosen adverts and replacing it with their own? They already do this with adverts on satellite television channels …
March 12th, 2008 at 1:53 pm
I find Phorm’s Patent Application particularly worrying as it states that the technology they use is easily capable of reading IP addresses, form fields (and by implication, user names and passwords) and virtually anything that is not on an encrypted https page. We only have their assurance that they are not going to look at this information in any future applications. Considering their CEO’s past record in internet security grey areas, it is like putting a reformed alcoholic in charge of an off-licence.
March 12th, 2008 at 2:19 pm
As the owner of a private, (advert-free) members-only web forum, I am horrified that the Phorm software will be able to gain (unauthorised) access to the forums via members’ ISPs. The forums contain a lot of personal information relating to the forum members, including ‘keywords’ that the Phorm software scans for in web pages. Furthermore, names and members’ aliases are also deemed personally identifying information - how does the Phorm software recognise which words are personal info, and which are not?
I have a total bot exclusion in place on my forums through a robots.txt file. Will the Phorm software recognise and respect my forum (and members) wish for privacy? NO.
Phorm say users will have the option to opt-out. Will webowners and forums also have that option? NO.
Why should I pay to buy a security certificate to make my forums https? Anyway, we have still to be reassured that https pages will not be intercepted by Phorm software - Phorm says its software ignores any data entered on https pages, however, to ignore it, it has to first process it.
There will be many website owners and administrators who are concerned about the security of information placed within members only areas of their websites, and who will wish to stop Phorm or anyone else intercepting this information. Yet why has Phorm not addressed this? Why have the media ignored this aspect - especially considering the recent publicised spate of confidential information being ‘lost’.
So many questions, so few answers . . . .
March 12th, 2008 at 2:52 pm
Why is it I don’t trust Ernst and Young?
Is this the same Ernst & Young involved in the Enron scandal?
Is this the same Ernst & Young involved in the WorldCom scandal?
Is this the same Ernst & Young involved in the Sprint scandal?
Is this the same Ernst & Young involved in the ‘Late Trading’ and ‘Market Timing’ mutual funds scandal?
To name but 4 of many.
Was this privacy audit done under UK or USA law?
Oh, USA law… Why was that, is UK law too tough?
Why is it I don’t trust Ernst and Young given its past reputation?
read here : http://www.forbes.com/2002/05/21/0521topnews.html
here : http://www.albetzreporting.com/cs_worldcom.html
and here: http://www.sundaytimes.lk/070204/Fin…mes/ft309.html
March 12th, 2008 at 2:53 pm
edit:
that last link should be
http://www.sundaytimes.lk/070204/FinancialTimes/ft309.html
March 12th, 2008 at 3:00 pm
I really don’t see how Phorm can ever be anonymous:
Phorm say the whole thing is anonymous and they can’t track who you are and what you do, yet in the privacy report carried out by Ernst and Young published here:
http://webwise.bt.com/webwise/EY_Phorm_Exam.pdf
Page 7 states that you can send for a copy of information that Phorm holds about you. Errr wait, they know who you are? They can track you from the information gathered from your surfing habits?
Phorm’s history is also very interesting! Phorm had a spyware complaint against it:
“Back in 2005, when Phorm operated under the 121Media banner, CDT filed a complaint (pdf) with the Federal Trade Commission over distribution of what it considered spyware. 121Media later withdrew its rootkit software”
http://uk.biz.yahoo.com/14022008/323/phorm-exclusive-ad-platform-deals-bt-talktalk-virgin-media-update.html
An important bit here is the phrase
“The ISPs will also get Webwise, a free software tool which offers greater consumer protection from fraud and phishing scams by warning customers if they are browsing fraudulent websites.”
Two small things: 121media used to get you to download its spyware by embedding it in a free program. Sound familiar??
In an interview with The Register (http://www.theregister.co.uk/2008/03/07/phorm_interview_burgess_ertegrul/), Mark Burgess of Phorm was asked…
“So if I’m opted out, data passes straight between me and the website I’m visiting? It doesn’t enter Phorm’s systems at all?”
His response was…
“What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.”
The Data Protection Act does not give the ISP exemption simply because the data sent by the ISP to Phorm isn’t used. If the ISP sends my data to a third party for marketing purposes without my consent they will be in breach of the act regardless of how or if Phorm chose to use or ignore the data.
STOP THIS PHORM NONSENSE NOW!!!! The fact it’s even been allowed to get this far just shows how lax the laws have become in this country. Legalising spyware/adware is just madness.
March 12th, 2008 at 3:07 pm
It’s important to note it’s not just your web surfing that’s vulnerable to Phorming.
Microsoft Office products, when they request content from the web, do so using the same ‘user agent’ identifier as Internet Explorer.
In non technical terms, this means Phorm can’t differentiate between web requests from Microsoft Office, Open Office, and Internet Explorer.
Consequently, if you open an email in Outlook with embedded images for example, or a Word office document with web content in, the requests that your office software sends to the web will be indistinguishable from Internet Explorer.
Assuming Internet Explorer is on Phorm’s white list, Phorm could know which email newsletters you receive, when/if/how often you read them. It could know which Word documents from which companies you had opened and read.
See;
http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?6
for details.
Phorm must be stopped. Opt in isn’t even tolerable any more.
Otherwise, the only way to opt out comprehensively is to opt out of your ISP. :o(
Pete.
March 12th, 2008 at 3:18 pm
Guide how to confirm you don’t opt into marketing:
http://jguk.org/2008/03/no-online-marketing-opt-in.html
Sets the special DoubleClick “do not track” cookie etc.
Cheers, Jon
http://jguk.org/
March 12th, 2008 at 11:04 pm
To Jon Grant…
If you Opt Out in the case of Phorm, afaik and according to what BT and others are saying, your web page views are still crawled over and so they still snoop at your business and classify your interests etc using software created by Phorm.
It may be Phorm software running on an ISPs server, but how does the ISP know exactly what that is doing? And why is this not something we can Opt Out of?
And I presume they will apply software updates from Phorm? How will the ISPs ensure that is done properly?
Remember that Phorm is headed up by a man who was involved in sneaky adware, spyware and “rootkits” to spy on user activity and then use that data to target them with adverts they did not agree to receive.
Still happy to just “Opt Out”??
Sign the petition, we all need to. Then, number 2, make your next job telling your ISP what you think of this move. Phorm is not on!
Imagine, it’s like your letters being opened, scanned, resealed and given to you and opting out is only stopping adverts… what about all those scanned letters… who has access to them? And what about the man/woman doing the scanning? How do you know they are not making two copies, one for them?
Not on. Not on at all I say!
March 13th, 2008 at 12:26 am
One point of interest for Virgin Media customers: there was a clause in their T & C (which, let’s be honest, very few people ever read!) which said they wouldn’t monitor users’ traffic unless required to by law. Note I said ‘was’; apparently it’s vanished. One has to wonder why…as if we need to.
In the relevant thread on the nthellworld forum, there’s a form letter posted by Rob (one of the Cable Forum team) which you can post to Virgin, telling them you don’t want to know - you’re advised to send it by registered post (as I did today).
This must be stopped. I can’t understand why we’ve heard nothing from the Data Protection Registrar about this. It CAN’T be legal.
March 13th, 2008 at 12:37 am
I just found the link to said letter:
http://www.cableforum.co.uk/board/34492295-post128.html
March 13th, 2008 at 1:07 am
Sleepwalking into a surveillance society…
If details that have been shown and described on The Register (http://www.theregister.co.uk/2008/02/29/phorm_roundup/) are correct, the equipment that ISPs will use for Webwise introduces a ‘Level 7′ passive tap into all users’ connections to the internet. (A passive tap copies data undetectably at the physical hardware level and cannot be circumvented.) In principle this tap would allow an additional copy of datastreams to be made without any tangible record of interception.
Disturbing though this may be, use for widespread surveillance also seems possible using the system directly. The essence of claimed anonymity is based on the use of a random number to index the list of profiles, but this claim rests on the integrity of the ISP.
The Webwise system builds a user profile based on visited websites. It would be straightforward to generate a flag in stored profiles based around keywords such as ‘red mercury’ or ’social security benefit’ or whatever the presumed threat/scare is at any time, in just the same way that a commercial user might be interested in keywords ‘car’, ‘fast’ and ‘powerful’.
Although the tracking cookie used to index to the matching profile is itself anonymous, a link has to be made between the Unique User Identifier (UUID) and the user’s internet address in order that the ‘appropriate’ set of advertisements can be served to opted-in users. The tracking cookie has to be set, and then read for each new website visited. The ISP must therefore at some stage hold details of both the UUID and the address to which it is attached. (The instructions to set the cookie containing the UUID and to read it go through the ISP to/from the user address.) ISPs, of course, also keep a log which links the internet address to the user at all times; and this log is available to some government departments.
The browser of an opted-out user will, it seems, also be expected to have a cookie containing a UUID. Although, in this case, the cookie would not be used to tailor advertisements from sites that subscribe to OIX, some reports suggest that opted-out users will also be profiled.
As Bill Thompson pointed out recently, (http://news.bbc.co.uk/2/low/technology/7226016.stm), nearly 800 separate bodies are now allowed to request communications traffic data from providers. In the first nine months of 2007 some 250,000 such requests were made.
It’s hard not to wonder that the overall business model for Webwise might be similar to that which was used to finance speed cameras. The installation of cameras and number plate recognition systems was paid for by companies who gather information about traffic flows, registration numbers being discarded after being used to measure transit times between two cameras. Their profit comes from supplying a synopsis of the aggregated pattern to customers who are prepared to pay a premium to avoid congestion. Now, however, the same equipment is also to be used to police speeding; and this process is not anonymous.
The problem with the Phorm/Webwise scheme is not so much that, insidious though it may be, adverts of one sort or another are selected to suit the user’s observed browsing habits; nor that it has been promoted on the audacious basis of default to opted-in; nor even that it might ‘break’ parts of the internet, that it could access and allow confidential information to leak, or that a copy of everything browsed is scanned.
The problem is that it has the potential to be used to enhance the widespread covert surveillance that is already available to governmental bodies. In the furore over opt-in/opt-out and other details, this aspect seems so far to have been largely ignored.
If the government can’t be held to account over its use of personal data then there isn’t much hope of regulating commercial use; neither is there much point. And without informed public debate, there isn’t much hope of remedy. First of all it is the government that must be made accountable.
March 13th, 2008 at 3:20 am
Great post!
Just as a nit-picky stylistic note: We’d typically say they don’t write it to disk, not disc, as the ‘c’ spelling usually means optical media as opposed to magnetic when talking specifically about computer storage.
http://docs.info.apple.com/article.html?artnum=302152
March 13th, 2008 at 3:22 am
*karma strikes* figures, botch posting when offering a correction. oh well.
March 13th, 2008 at 12:03 pm
“.. an advance in online privacy.”
Just how is this an advance on no-one intercepts at all?
I do not mind sites recording my presence or preferences but I do object to blanket monitoring. Blanket intercepts are wrong and should be banned just like phone tapping is.
121media has previous phorm in the spytoapplyads-ware market, and it’s not good.
March 13th, 2008 at 12:18 pm
Phorm claim that the data is not identifiable, and yet they keep referring to an identification number.
So it is identifiable, categorised and timestamped.
If Phorm’s database is not secure.. (whose is? - yes it’s exchange only but…)
With the ID number from a cookie on my PC you could retrieve entries from Phorm’s database by unique ID and obtain the times and categories viewed.
If you went one step further you could match categories from the same timestamp and infer they were on the same page; you could then cross-reference the categories with, say, Google to identify the pages viewed and when.
Let’s go one step further: I can see when my neighbour’s lights are on, I can cross-reference to Phorm timestamps and deduce a possible ID; not only this, I can see categories and interests and possibly, by cross-referencing with Google, determine sites visited.
Yes, it’s definitely ‘an advance in privacy’, yeah right!
March 13th, 2008 at 2:28 pm
[...] anyone even half-awake knows, there has been a storm of protest over Phorm. I won’t reiterate the basic arguments, but I am intrigued by a couple of inconsistencies [...]
March 13th, 2008 at 5:09 pm
Isn’t this just dodging the issue?
Yes, Phorm and ISPs are going to be looking at users’ data, but isn’t the real concern the fact they even have that ability?
What we need is to actually use encryption!
ALL pages on the web should support SSL or some other form of encryption, this would stop ISPs looking at content wouldn’t it?
(Note I tried to use SSL for this page but I got sent to some supporters web form, come on ORG let us encrypt our traffic to you!)
March 13th, 2008 at 10:53 pm
What concerns me is that even if we can opt out at home, what about work? How many people know who their employer’s ISP is? I know my employer’s and unfortunately it’s BT.
Companies should alert their staff if they remain opted in to Webwise as if not then people who check their webmail/facebook/forums etc in their breaks (cough cough) could unwittingly be exposing themselves or rather their data to Phorm.
March 14th, 2008 at 12:48 pm
My rant letter to BT:
“I am concerned about BT’s trial of Phorm. I need assurances that my account will not be used to sell my browsing habits to a third party such as Phorm. This is a violation of RIPA, the Regulation of Investigatory Powers Act 2000 (c. 23). In particular sections 1(1) and 2(2):
1. Unlawful interception.
(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of –
(a) a public postal service; or
(b) a public telecommunication system.
2. (2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he –
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.”
I would like to opt OUT of any of my browsing data going to any third party, particularly Phorm. If any of my information, data or habits is given to a third party then I would like my account closed. For now I would like an assurance that my details will not be shared. Regards”
BT’s reply:
“Thank you for your email regarding your BT account. I am really sorry that you have had to contact BT about your personal information and can understand any annoyance this has caused you. Unfortunately, I am unable to access your account without your telephone number and your account number. The reason I need this is for security purposes. In light of this, if you could reply with the said information as well as a brief summary of how I can help I will gladly assist you further. I apologise as this is clearly not the response you were waiting on, but let me assure you, upon receipt of the relevant details I will assist you further.
Yours sincerely,
Philip McManuse
Contact Customer Service
Ref: 16073590
British Telecommunications plc. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England no. 1800000.
This electronic message contains information from British Telecommunications plc which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email immediately. Activity and use of the British Telecommunications plc email system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes. For BT’s privacy and security policy for web and email usage, for pricing information, and for our terms and conditions, please visit http://www.bt.com.”
March 15th, 2008 at 9:29 pm
Do the Internet Providers really want a new word in the English Language?
“PHORMSTORM”
A Biblical Size plague of flies from within the ISP & a corresponding plague of Ravenous Locusts from irate Personal Internet Servers who have been stepped on by a questionable AD Provider.
There is no place inside any ISP for this type of system which compromises not just their own users but all internet users.
These internet providers are stepping on a “BASIC HUMAN RIGHT” the right to communicate with others without being constantly monitored & or spied upon!
(Communicating through Tor to partially cover my tracks, YES I HAVE THE MISFORTUNE TO BE ONE OF THE USERS INSIDE SUCH A COMPROMISED INTERNET PROVIDER!)
March 16th, 2008 at 4:45 pm
Before it disappears, you might want to grab this page for any legal case you might see fit to bring later!
http://www.beta.bt.com/bta/forums/message.jspa?messageID=14251#14251
“Adam Liversage
Posts: 32
Registered: 11/1/04
Re: BT Webwise technical trials to begin from mid-March 2008 [Q&A thread]
Posted: Mar 14, 2008 9:58 PM in response to: Peter N Reply
SYSIP.NET ISSUE - UPDATE
BT can confirm that we conducted a very small scale technical test of a prototype advertising platform on one exchange in June 2007.
The test was specifically conducted to evaluate the functional and technical performance of the platform.
Absolutely no personally identifiable information was processed, stored or disclosed during this trial.
As with all Service Providers, it is important for BT to ensure that, before any potential new technologies are employed, they are robust and fit for purpose.
Adam
”
‘The Other Steve’ here, makes several Phorm points clear enough (thanks)
http://news.digitaltrends.com/news/story/16035/phorm_creates_a_storm
“Reader Comments
The Other Steve on Mar 13th, 2008 at 6:34 AM
A few problems with that statement from Phorm. Firstly, their assertion that their technology complies with RIPA is based on an opinion offered by Simon Watkin of the Home Office covert investigation policy team.
His opinion ( http://cryptome.org/ho-phorm.htm) is that although the technology does constitute “interception” under RIPA it would be lawful because (although RIPA requires explicit consent from all parties to a communication) permission from the web hosts would be implied by having made their content publicly available.
However, not all web content is public, things like web mail for instance, or private forum access.
Phorm has repeatedly stated that they comply with the DPA, however the ICO has not issued any statement as to whether this is the case, although they are currently investigating the company.
From the publicly available information on the Phorm technology, provided by Phorm themselves, it seems that processing of sensitive information (as defined under Section 2 of the DPA) will take place even if users have opted out of the scheme, since in these circumstances, their web traffic will still be proxied through the ‘Profiler’.
If this is the case, it’s a clear contravention of the DPA.
Phorm have repeatedly stated that the technology “doesn’t store IP addresses or retain browsing histories”, however the patent covering the technology tells a different story, saying “As explained above, the context reader may be configured to more than just keyword and other contextual data pertaining to a given web page.
The context reader may also include behavioral data (e.g, browsing behavior), other historical data collected over time, demographic data associated with the user, IP address, URL data, etc.” http://www.freshpatents.com/Targeted-advertising-s...
This is clearly at odds with Phorm’s public statements.
Since Phorm are a former spyware distributor (under the name of 121Media they developed the PeopleOnPage browser hijacker http://www.thisismoney.co.uk/investing-and-markets... and had a complaint filed against them with the FTC by the Centre for Democracy and Technology in 2005, http://www.cdt.org/privacy/20051103istcomplaint.pd... ) it isn’t difficult to see why users are seriously unhappy, and will resist the introduction of this technology.
“
March 17th, 2008 at 10:12 am
Checked with my ISP, the PhoneCoop. They say that introducing Phorm is “not something the PhoneCoop is planning to do.”
They may not be the cheapest, but there are advantages of an ISP that is owned by its users…
March 17th, 2008 at 10:46 am
I reiterate.
There is no place inside any ISP for this type of system which compromises not just their own users but all internet users.
The ISP is guilty of “M.I.T.M /Illegal Wire Tapping” inside a system the Users & the Web Servers contacted can do nothing to mitigate!
Opt-in Opt-out is not the Issue, these Boxes must be removed from ALL ISP locations!
March 17th, 2008 at 1:31 pm
[...] post from either blog. Secondly, the Phorm advertising system has faced hard questions from both Open Rights Group and Sir Tim Berners-Lee over its mysterious user tracking. Phorm hasn’t yet replied properly about [...]
March 17th, 2008 at 3:48 pm
[...] have to agree, I have to understand what I’m getting in return.” The Phorm plan caused major debates online — not unlike the debate that forced social network Facebook to change a similarly intrusive [...]
March 17th, 2008 at 5:28 pm
[...] Berners-Lee has publicly stated that he would change his ISP if it started employing systems, like Phorm, which could track his activity on the internet, or the news that UK digital rights gurus the [...]
March 17th, 2008 at 10:45 pm
There is also an associated & equally dangerous practice being employed by more & more ISPs.
DNS Names (the backbone of the WWW System) are either being redirected first through another DNS alias and then back to the original, or even worse if a User chooses to change their DNS server to avoid this practice the ISP does in some cases intercept this DNS service call & pretend to be the Server the User has asked for & redirects the DNS Anyway.
This will inevitably lead to anarchy on the Net if this practice is also not deemed illegal!
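An added example, not code from the post or any commenter, of how a user can check for the NXDOMAIN rewriting this comment describes (and which the nslookup transcript in a later comment shows): ask a resolver for random, unregistered names, which an honest resolver answers with NXDOMAIN, and flag any address it returns instead. The raw DNS query builder and parser are written here from RFC 1035; the resolver table, the sink address (TEST-NET) and the FakeResolver are constructed for offline use, and query() itself needs network access.

```python
import secrets
import socket
import struct

NXDOMAIN = 3  # RFC 1035 RCODE for "name does not exist"

def build_query(name, qid):
    """Minimal RFC 1035 A query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, set of IPv4 answers) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def query(server, name, timeout=3.0):
    """Ask one specific resolver (by IP) over UDP; needs network access."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response id does not match query id")
    return parse_response(data)

def canary_names(n=3, tld="com"):
    """Random labels nobody has registered; an honest resolver says NXDOMAIN."""
    return [f"{secrets.token_hex(8)}.{tld}" for _ in range(n)]

def assess(lookup, names):
    """lookup(name) -> (rcode, addrs). Any address for a canary means the
    resolver (or something in the path) is rewriting NXDOMAIN; the address
    common to all canaries is the redirect sink."""
    answers = {n: lookup(n) for n in names}
    served = [addrs for _, addrs in answers.values() if addrs]
    sink = set.intersection(*served) if served else set()
    return {"hijacked": bool(served), "sink": sink, "answers": answers}

def build_response(query_msg, rcode, addrs):
    """Constructed responder for offline use: echoes the question section and
    answers with A records via a pointer to the question name (0xC00C)."""
    qid = struct.unpack("!H", query_msg[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + query_msg[12:] + rrs

class FakeResolver:
    """Table-driven stand-in for a resolver; given a sink it behaves like the
    NXDOMAIN-rewriting service the comment describes (constructed, not real)."""

    def __init__(self, table, sink=None):
        self.table, self.sink = table, sink

    def __call__(self, name):
        q = build_query(name, 1)
        if name in self.table:
            return parse_response(build_response(q, 0, self.table[name]))
        if self.sink:
            return parse_response(build_response(q, 0, self.sink))
        return parse_response(build_response(q, NXDOMAIN, []))

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "208.67.222.222"
    print(assess(lambda n: query(server, n), canary_names()))
```

Running it against two different resolver IPs and getting the same sink for fresh random names is the sign of the second case in the comment, interception of queries bound for a third-party server.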
March 18th, 2008 at 12:05 am
Explain this DNS redirect/interception, link to URLs and get this out to The Register threads ASAP while it’s hot.
So, so far, we have fixed-line Phorm, mobile Phorm like Orange, and now this DNS interception. Any more? Get it out there into the public domain, link it all up and make it understandable to the layman, and write the generic DPA and related notices for them to use.
March 18th, 2008 at 1:46 pm
Trojan Horse(s)
What is the Origin, is it something to do with Ancient Greece?
Some Organizations neither listen nor learn. Are you listening, in particular my ISP?
If you leave them inside, the Installed Software may crawl over all your Inner Routers!
March 18th, 2008 at 2:10 pm
I am pretty much sure that this is dodgy business made by dodgy people, audited by a dodgy auditing company.
I am afraid that there are some secret services behind this who will have a simple ability to gather web profiles on citizens, in addition to DNA, fingerprints, CCTV records etc.
I think that the only way to win over this is to spread the truth en masse: to educate the public and make this kind of business feel dirty. Then BT, Virgin and other greedy businesses will abandon the partnership, being afraid to lose money on bad publicity.
I personally see those people same as Soho brothel owners who can do anything to get rich. I despise them.
March 18th, 2008 at 5:23 pm
This is part & parcel of the same problem we have with Phorm but the ISP DNS Service needs closer monitoring.
See below for some details of what can be done with DNS: some of it legitimate, but some really dodgy trends which are becoming more & more prevalent!
C:\>nslookup www.google.com 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: www.l.google.com
Addresses: 216.239.59.103, 216.239.59.99, 216.239.59.104, 216.239.59.147
Aliases: www.google.com
C:\>nslookup www.goggogllle.com 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: www.goggogllle.com
Address: 208.69.32.130 ***Relocated 404 Error to Serve Ads etc!****
********
$$$$This should be a 404 error returned to Browser as below to report not found!!!$$$
*** resolver1.opendns.com can't find www.goggogllle.com: Non-existent domain
*********
C:\>nslookup www.google.com 4.2.2.2
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2
Non-authoritative answer:
Name: www.l.google.com
Addresses: 66.249.91.103, 66.249.91.147, 66.249.91.104, 66.249.91.99
Aliases: www.google.com
C:\>nslookup www.goggogllle.com 4.2.2.2
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2
*** vnsc-bak.sys.gtei.net can't find www.goggogllle.com: Non-existent domain
C:\>nslookup www.google.com 194.74.65.69
Server: ns7.bt.net
Address: 194.74.65.69
Non-authoritative answer:
Name: www.l.google.com
Addresses: 66.249.91.147, 66.249.91.103, 66.249.91.99, 66.249.91.104
Aliases: www.google.com
C:\>nslookup www.goggogllle.com 194.74.65.69
Server: ns7.bt.net
Address: 194.74.65.69
*** ns7.bt.net can't find www.goggogllle.com: Non-existent domain
C:\>nslookup www.google.com 217.146.139.5
Server: ns1.de.eu.orsn.net
Address: 217.146.139.5
Non-authoritative answer:
Name: www.l.google.com
Addresses: 209.85.129.104, 209.85.129.99, 209.85.129.147
Aliases: www.google.com
C:\>nslookup www.goggogllle.com 217.146.139.5
Server: ns1.de.eu.orsn.net
Address: 217.146.139.5
*** ns1.de.eu.orsn.net can't find www.goggogllle.com: Non-existent domain
C:\>nslookup www.google.com 67.138.54.100
Server: 067-138-054-100.nsi-communications.com
Address: 67.138.54.100
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.167.99, 64.233.167.147, 64.233.167.104
Aliases: www.google.com
C:\>nslookup www.goggogllle.com 67.138.54.100
Server: 067-138-054-100.nsi-communications.com
Address: 67.138.54.100
Name: www.goggogllle.com
Address: 67.138.54.98 ***Relocated 404 Error to Serve Ads etc!****
********
$$$$This should be a 404 error returned to Browser as below to report not found!!!$$$
*** 067-138-054-100.nsi-communications.com can't find www.goggogllle.com: Non-existent domain
*********
Notice all the Different Aliases for www.google.com depending on the ISP DNS Server. This of course “could be” entirely genuine in order to handle the router traffic, or it “could be” a redirect through one of their own routers for another purpose?
*****************************
**dns.sysip.net was logged as a BT DNS Server by MY ROUTER last year for example!**
If I had known why at the time I would have kept the log!
****************************
The worrying trend is that some ISPs have started to redirect the user to a custom page when a web address is misspelt etc. *See Above*
Even more worrying is that some sites are reporting detections of some rogue ISPs intercepting DNS calls & replacing the call with their own DNS aliases!!
Redirection of DNS is like redirection of your mail, legitimate if done properly by your Service, but redirection or interception is illegal unless due process of law is followed!
****Therefore DNS Servers/ISP DNS Servers need closer monitoring to comply with safe use on the Internet!****
**************************************
BT J’Accuse of redirecting/intercepting my legitimate communications with others, without due consent of Law & I insist you remove all such monitoring devices forthwith, which may still be doing so at present!
**************************************
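The check the commenter does by hand above (ask several resolvers for a name that does not exist and see which ones return an address instead of "Non-existent domain") can be automated. The script below is an added example, not code from the Open Rights Group post or from any commenter: it parses nslookup transcripts of the shape quoted above (the embedded sample is constructed from the comment's own figures and trimmed) and reports which resolver rewrote NXDOMAIN. The `make_probe_name` helper and its default `example.com` parent are assumptions of this example; in practice use a random label under a domain you control, so that a cached or registered "bogus" name cannot mislead the check.

```python
"""Classify recursive resolvers by whether they rewrite NXDOMAIN answers.

Added example, not code from the post or its commenters. It parses Windows
nslookup transcripts and flags resolvers that answer a nonexistent name
with an address (the "Relocated 404 ... to Serve Ads" pattern above).
"""
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample, trimmed from the transcripts quoted in the comment:
# one resolver answers the bogus name with an address, one says NXDOMAIN,
# and a normal lookup is included to show the parser ignores it.
SAMPLE_TRANSCRIPT = r"""
C:\>nslookup www.goggogllle.com 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: www.goggogllle.com
Address: 208.69.32.130

C:\>nslookup www.goggogllle.com 194.74.65.69
Server: ns7.bt.net
Address: 194.74.65.69
*** ns7.bt.net can't find www.goggogllle.com: Non-existent domain

C:\>nslookup www.google.com 194.74.65.69
Server: ns7.bt.net
Address: 194.74.65.69
Non-authoritative answer:
Name: www.l.google.com
Addresses: 66.249.91.147, 66.249.91.103
Aliases: www.google.com
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Lookup:
    server_ip: str
    server_name: str
    qname: str
    answer_ips: list = field(default_factory=list)
    nxdomain: bool = False


def parse_nslookup(transcript: str) -> list:
    """Split a Windows nslookup session into one Lookup per query."""
    results = []
    # Each query starts with the prompt; the command text stays in the block.
    for block in re.split(r"^C:\\>nslookup\s+", transcript, flags=re.M)[1:]:
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        qname, server_ip = lines[0].split()[:2]
        lk = Lookup(server_ip=server_ip, server_name="", qname=qname)
        in_answer = False
        for ln in lines[1:]:
            if ln.startswith("Server:"):
                lk.server_name = ln.split(":", 1)[1].strip()
            elif ln.startswith("Name:"):
                in_answer = True  # only addresses after "Name:" are the answer,
            elif in_answer and ln.startswith(("Address:", "Addresses:")):
                lk.answer_ips.extend(IPV4.findall(ln))  # not the resolver's own IP
            elif "Non-existent domain" in ln:
                lk.nxdomain = True
        results.append(lk)
    return results


def classify_resolvers(lookups: list, probe: str) -> dict:
    """Map server IP -> verdict for the resolvers that were asked `probe`,
    a name known not to exist. An honest resolver returns NXDOMAIN; one that
    hands back an address is rewriting NXDOMAIN (typically to an ad page)."""
    verdicts = {}
    for lk in lookups:
        if lk.qname != probe:
            continue
        if lk.answer_ips:
            verdicts[lk.server_ip] = "rewrites NXDOMAIN -> " + ",".join(lk.answer_ips)
        elif lk.nxdomain:
            verdicts[lk.server_ip] = "honest NXDOMAIN"
        else:
            verdicts[lk.server_ip] = "inconclusive"
    return verdicts


def make_probe_name(parent: str = "example.com") -> str:
    """Random label under `parent` (assumed placeholder; use a zone you own)
    so a cached or since-registered fixed bogus name cannot skew the check."""
    return f"nx-{secrets.token_hex(6)}.{parent}"


if __name__ == "__main__":
    found = classify_resolvers(parse_nslookup(SAMPLE_TRANSCRIPT), "www.goggogllle.com")
    for ip, verdict in found.items():
        print(ip, verdict)
    print("next probe name:", make_probe_name())
```

Run it on a transcript you captured yourself (paste the session into `SAMPLE_TRANSCRIPT` or read it from a file) and pass the probe name you queried; any resolver reported as rewriting NXDOMAIN is substituting its own answer for a failure, which is exactly the behaviour the comment above complains about.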
March 19th, 2008 at 5:25 pm
[...] Telecom, without the user being able to notice it. A blog post on openrightsgroup.org should serve as an example here [...]
March 20th, 2008 at 6:21 pm
UK ISPs using Phorm and other such intercept/profiling technologies without the explicit consent of their customers are acting immorally and more than likely illegally.
It is almost inevitable that countries like Burma, Iran, China & others will seek to acquire Phorm or similar technologies to assist in profiling and targeting legitimate dissenters.
There needs to be a blanket ban on the export of Phorm & similar intercept/profiling technologies to repressive regimes.
March 21st, 2008 at 1:54 pm
Let’s be clear, it is the ISPs who are responsible here, it is they who are potentially breaking the law, Phorm is only (one of several) tools that are available for them to use. Yet they are keeping their heads down while everyone hurls abuse at Phorm - an easy target for sure given their past and their sleazy PR machine - and will no doubt move quickly on to yet another intrusive technology if this one doesn’t work out.
March 21st, 2008 at 4:44 pm
stop the press:
care of the US NY times and LadyMinion at
http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-102.html#post34510801 for first spotting it.
http://www.nytimes.com/2008/03/20/business/media/20adcoside.html?ref=business
“Quote:
“As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”
The company, called Phorm, has created a tool that can track every single online action of a given consumer, based on data from that person’s Internet service provider.”
What do you make of that then? It puts a whole new meaning to
official statements such as
“Phorm technology is groundbreaking because it serves relevant advertising (we can have a separate debate about that, but I suspect you’re a realist and believe that without advertising support, lots of sites wouldn’t exist) without storing data: no PII no IP address no browsing histories.”
and all the rest, don’t you think?
I wonder what the UK and EU data commissioners and the courts will make of it, to name but three, comments….
remember people, we have this: tell your friends, use it.
“UK consumers wake up to privacy”
link: http://www.ico.gov.uk/upload/documents/pressreleases/2008/information_rights_press_release_final1.pdf
For a copy of the ‘Data Protection Guide for Dummies’ please go to http://www.ico.gov.uk
Our data protection rights
• An organisation should tell you what it is going to do with your information before you provide any details unless this is obvious
• Your information should only be used for the reason it was collected in the first place (unless you give your consent to your information being used in other ways)
• An organisation should not collect any information which is unnecessary. You only need to provide the basic information which is required to deliver the service required
• Your information should be kept accurate and up to date – if you ask any organisation to make changes to your details, it should do this
• An organisation should not keep your details if they are no longer needed
• An organisation must provide you with copies of all information held on you - if you ask. You can also ask an organisation to stop using your personal information if it is causing you damage or distress or if you wish to stop it being used for marketing purposes.
• An organisation must keep your personal information secure at all times
• An organisation should not transfer your personal details to another country unless adequate data protection arrangements are in place.
and then it goes on to say….
David Smith said: “For any of us to have trust in an organisation we must be confident that our information is held securely and processed in line with data protection rules. If we all regularly start to ask the right questions then organisations will respond to public demand and take the protection of our personal information more seriously. If organisations fail to recognise the importance of data protection they not only risk losing business. They could also face action from the ICO.”
March 21st, 2008 at 4:50 pm
Privacy what Privacy, I now have noted two Entities trying to track me through the Web System using Data that BT /Phorm say they are “NOT” collecting????
I may as well tell them they are at the moment going up a blind alley, but if they find me beware my “BITE” is far worse than my “BARK”!
March 22nd, 2008 at 2:31 am
[...] Phorm….. The Open Rights Group : Blog Archive The Phorm storm stop the press: care of the US NY times and LadyMinion at [...]
March 28th, 2008 at 12:07 pm
[...] that they are selling to BT, Virgin and TalkTalk actually work. Over the last few weeks, the story that three of the UK’s major ISPs are signed up to trial Phorm, which tracks users’ online surfing habits in order to serve them targeted ads, has been met with [...]
April 12th, 2008 at 12:02 am
Gee, why don’t they just install a key logger… Seriously, we know where the UK government stands, don’t we? Can you really imagine this government batting an eyelid or stopping them, maybe even using Phorm as a proxy to catch the ‘bad guys’?
If this does contravene the Data Protection Act 1998, how come the ISPs are getting away with it and have not been sued to date? Has no one bothered?
Hope I’m wrong…. Maybe this is the way that the Internet is going; note how it always starts with the big guys, BT and Virgin I mean.