In the meantime and with respect to taking this a little off-topic, I need to switch supplier anyway and one consideration is asdl24. If anyone has any comments on them I’d be grateful to hear them. They claim not to block any ports or throttle traffic but perhaps best of all one can buy their service on a month-by-month basic rather than the year long or more obligation imposed by most, if not all, the corporate players. Long term fixed contracts never particularly inspire confidence in me.

Your points regarding VPN Graham are certainly food for thought and ought to be something I should experiment with. Many thanks for sharing your aforementioned scenarios on this subject.

1) A virtual ISP. With peering arrangements at a couple of internet exchanges, like a real ISP, but no infrastructure: just the endpoints of a VPN. Users would sign up with any ISP (even a RIP-violating one) and then use a VPN connection tot he Virtual ISP. Of course, the user would be paying extra but they would be confident that the only interception that could be happening would be in the virtual ISP and they would be competing on the basis that they do not intercept.

2) Small groups. There is nothing to stop a small interest group (say ORG and members, No2ID might set up another one, a group of friends might set up another one, etc.) renting a server (physical or virtual) somewhere on the internet (maybe not even in the UK) and using it as a VPN endpoint. Of course, they would be dependent on the co-lo provider not to be intercepting but it would be easy enough to change to another server. This could be quite cheap: one or two servers shared between a small number of people.

In other words, I think that the ISPs are shooting themselves in the foot. ISPs (and telco’s) are absolutely DESPERATE to not just be commodity bit-pipes. They want to provide value-added servcies (to differentiate and to have a profitable revenue stream). And there ARE services that people value and will pay for — for example, some people (no one reading this blog, but some people) who would value ISP-based content filtering. Others may value advertising-sponsored TV content. Others might welcome a way to charge internet purchases to their phone bill. Etc.

But, if the ISP goes too far, as BT is doing with Phorm, then users will switch to something like a VPN and, all of a sudden, the ISP is cut out completely — literally all they are providing is a bit-pipe. They have then lost that customer completely from their value-added propositions.

Personally I do have a server on the Internet and I do use a VPN (this is partly because I sometimes use an unencrypted, WiFi-based rural broadband service so anyone could intercept my traffic listen in). At the moment I only use the VPN for mail, I let web traffic go directly, but a small configuration change on my router would send all my traffic over the VPN.

I could be wrong, but isn’t it mandatory for ISPs to keep logs which hold details of all connections that are made and to provide these on request to government departments? Some ethical views hold that it is no one’s business but one’s own to know with whom one communicates and when; this is an aspect of freedom of speech and some still hold that it is an essentially private matter.

Bill Thompson has pointed out that a huge number of requests are already made for details of communications traffic data (’Are the watchers being watched?’, http://news.bbc.co.uk/2/low/technology/7226016.stm) The BT diagram of Phorm/Webwise equipment published by The Register (http://www.theregister.co.uk/2008/02/29/phorm_documents/)
shows passive taps installed in the hardware that connects users to the internet.

There would not need to be much ‘function creep’ for a system like Webwise to be profiling users for all manner of purposes, with a tap on every connection. If something like this isn’t already in place, the only way to stop it would be to make the government accountable. For unless the government can be made accountable then neither can anyone expect commercial organisations to be.

Phorm are on record as stating that they do not use the IP address for tracking, the Logon Name usually contains Personally identifiable names, so that means the Main Tracking system would more than likely be the ISP MAC ADDRESS WHICH IS UNIQUE TO THE CUSTOMER!
(Hashed or otherwise this is still a vulnerability for the User, but I digress…)

The Real Kicker is the structure of the WWW & how things are linked up.
The Customer’s ISP can use the MAC they have assigned to install Webwise, but the “MAIN TELCO HAS THE MASTER MAC” which is released to other ISP’s on their lines in order to connect!

Therefore any Customer who is switching ISP from “BT etc” may still be capable of being tracked through this “MASTER MAC by BT /PHORM etc”.
Since their MAC Addresses have probably already been (hashed??) fed to the Webwise Interceptor there is “NO guarantee that the former BT Customers data” is not still being routed through the Webwise System!

***Phorm Release this Information & or Release the Information about the safeguards you have put in place.***

Bottom Line the MAIN TELCO “could” depending on their Router Configurations still track all their Users & “other ISP’s Users” connected to the MAIN MAC ADDRESS!!!

In fact it’s probably long overdue we left these corporates to their easily-pleased-middle-of-the-road consumers and head for something more bespoke.

I concur wholeheartedly with Sir Tim Berners-Lee’s statement. A vote of no confidence as exercised by taking our business elsewhere is the only language these businesses will ever understand.

Having a somewhat deep understanding of IP networks I strongly suspect that one or the other of the two parties will be able to make some link to potentially sensitive information using the limited information in their possession.

Ultimately the ISP has access to the raw data streams, and is highly likely to have attached to their network other monitoring equipment such as passive taps (for law enforcement and network troubleshooting) and/or DPI (deep packet inspection) switches for traffic management. Since the Phorm Unique User ID (UUID) is carried unencrypted on its network, it is able should it be so compelled to make the link between IP address and UUID, and from billing records from IP address to real person/physical address.

So the ownership of the profile must rest with Phorm, however the system in its entirety must be capable of delivering adverts back to the end user, so the ISP must provide a facility to channel content back to the end user which is dependent on the profile owned by Phorm without disclosing the IP address of the customer to the Phorm servers.

Given what we know of the system to date, and making some assumptions, I can see a couple of potential areas where information “leakage” might occur. The ISP may learn a small bit about its customer in each transaction with the Phorm server, e.g. the customer is interested in the Conservative party or is being send adverts for a right-wing newspaper.

Also, the Phorm servers may learn something about the user; either in the terms garnered or in the temporal relationship between the profile lookup and the advert “image” ultimately server to the customer. For example, the lookup will precede the rendering of the advert, and analysis over time will make it fairly easy to narrow down the IP address to which adverts are being server.

For the benefit of fairness, the above argument uses some speculation and assumption, but the examples I highlight are not beyond the realms of possibility and reinforce my belief that such a system will be very difficult to validate from a DAP perspective.

You cannot get away from it “Slaves” whether at Home,Work or trying to Relax, so sit back & enjoy!

I sent a DPA notice to Virgin, withdrawing all permission (not that I ever gave them any!) to pass on any of my details or datastream to any third party - and all I got in response was an email pointing me in the direction of *their* website explaining Webwise, and a letter from Customer Concern about my “complaint”!

Plus, anyone who uses IE7 or Firefox doesn’t even *need* Webwise; both have spam and phishing protection built-in, as well as ad blockers. Ten years ago web users might have fallen for this, but we in the UK are a bit more clued-up now. We’re not having it. I’d sooner trust Sir Tim Berners-Lee than a known spyware & rootkit peddler. Hell, I’d sooner trust a politician! If Virgin do this, I’m off; I use online banking services, and I am NOT taking such a needless risk as trusting an ISP which spies on its own subscribers and consorts with the creator of PeopleOnPage. No way.