Berners-Lee Rejects Tracking

kernowyon writes "The BBC has an interview with Sir Tim Berners-Lee during his visit to the UK on their website currently. In it, he voices his concern about the practice of tracking activity on the internet — with particular reference to Phorm. Quotes Sir Tim with regard to his data — "It's mine — you can't have it. If you want to use it for something, then you have to negotiate with me.""

It's all nicey

[mapkinase]

...but will it have any effect on powers that are in charge? As for influence on us, most users who know who he is already share this position.

Negotiation done!

[TheGreek]

"It's mine -- you can't have it. If you want to use it for something, then you have to negotiate with me."

"This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."

Re:Negotiation done!

[toritaiyo]

I think even when the content isn't free they track.

Re:Negotiation done!

[jrumney]

This content is mine

Only it isn't. They are tracking user activity beyond the websites that use Phorm for their advertising, and even if they were to limit it to those websites, there is still dubious data sharing going on which is probably illegal in the UK if it is not opt-in.

Re:Negotiation done!

[Yvanhoe]

It is easy to state a price, but negotiation means that both parties have different prices and different means of pressure. What's our ? We are the first to say that Internet is somehow a jungle where almost anything is fair game. So, how do we defend, technologically ?

Re:Negotiation done!

[Marcion]

Its mine, my precious, get away pesky data-mining hobbits.

Re:Negotiation done!

[mrbah]

"This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."

That's basically the business model of the current web bubble. None of the services are really free, it's just that you're getting something in return for something you may not have known you had. There's still no such thing as a free lunch.

Re:Negotiation done!

[ShiningSomething]

That's perfectly acceptable. But most sites do not advertise the fact that they are tracking you. They could post prices: you can access this page/site by agreeing to be tracked for the next 48 hours. But they don't.

Re:Negotiation done!

[morgan_greywolf]

"This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity." I prefer: the content is mine. If you want to access it for free, that's okay, just keep my notices intact. If you want to change it or redistribute it, you gotta let everyone else do what I've done for you.

Re:Negotiation done!

[L4t3r4lu5]

For free? I don't know about you, but I pay my ISP £35 a month to access your free content. If your content is of particular interest to me (for instance, an MMORPG) i'll pay you too to access that particular content.
 
What I don't expect is for you to automatically forward all the data i'm paying to access, plus all the data I submit to you as the receiving party (which may be confidential), to a third party, previously linked with less than legal practices, with limited or no choice in the matter, which has no discernable benefit for me.
 
If you think you can get away with that, expect me to give my money and business to a competitor, and to recommend to all I know to do the same.

Re:Negotiation done!

[discogravy]

but note that, like most transactions, this is dependent on how the item in exchange is valued and by whom -- in the beginning of the p2p days, napster was used by some record companies to measure the success of certain albums/songs etc. once they noticed they were actually bleeding, they squashed it and decentralized all the p2p downloads. to get that kind of data now, they'd have to compile it from 10 or 15 sources and still not have a complete picture (oink being the last real bastion of almost cetralized music sharing, other p2p torrent sites sprang up to replace oink, but some users went to usenet no doubt).

Most users will have no problems giving away their info in exchange for services, assuming that a) it's not hard and b) it's nothing they perceive as Really Intrusive. Anyone can fill in "John Smith" on those New York Times registration pages, but asking for an ID #, or a CC # to verify would be harder for people to agree to (although they do that to, if they want in bad enough -- e.g., ebay.com). Considering the amount of data available about most people via their credit card bills, it's mostly academic anyway.

Re:Negotiation done!

It is illegal in the UK under RIPA without the consent of both parties -- the ISP subscriber and web site operator. There's an implied consent for public web content but once a user has some form of authenticated session, it's illegal interception.

The real problem with the Phorm system is that it's purposely designed to grab every users click stream. Phorm are misrepresenting their opt-out cookie, which relates to targeted advertising and not the interception and profiling. The only way Phorm would be legal in the UK is for ISPs to use ACLs and isolate opt-out subscribers from Phorms "anonymous" profiling entirely.

Re:Negotiation done!

[poot_rootbeer]

But most sites do not advertise the fact that they are tracking you.

Depends on what you mean by "advertise". A site's Privacy Policy and/or User Agreement will normally state plainly whether the site collects any information about your behavior, and if so how they use that information.

Re:Negotiation done!

[ShiningSomething]

That's true, but I think it should be stated more clearly. Just as credit card companies need to state their interest rates in really large print in their contracts (even if they still try to mislead you).

Re:Negotiation done!

[Irish_Samurai]

Sorry, you're not paying for the data from your ISP. You're paying for the ability to access it using the ISP services. Second, the data you submit to me is part of the technology used to request data from me. You can't get it without telling me where you want to send it. Third, I can enter into any contract I want with whomever I want in relation to what data I choose to serve. You wanna touch my content, on my host, you play by my rules.

Or you just don't come to my server and request my things. Oh, and don't go to any other server and request their data if they have negotiated the same group policy as I have in regards to collecting your observable data. See, we don't have to forward all the data of where you have been to each other, we already know the content on each others sites. We just know in what order and when you requested it. We can figure out the rest on our own.

See, fishing on your computer looking at your files to determine what you have been up to is intrusive. Analyzing server logs across multiple servers to determine behavior is not.

Re:Negotiation done!

[BaphometLaVey]

Don't use them. Go somewhere else. You do not need to defeat a technology, just make it unprofitable by not using websites that employ it.

Re:Negotiation done!

[Sczi]

I think this is getting OT a bit.. as I understand it Phorm runs at the ISP level and then sells the data to content providers. I, for one, am getting really sick of this trend of uppity ISP's trying to get in the racket of playing monkey in the middle with our data. They get their monthly check simply for being a conduit. How about requiring the ISP's in question to call every one of their subscribers and say "we just wanted to inform you that we are going to sniff all of your traffic and sell the data to advertises" and see what kind of response they get.

Re:Negotiation done!

This content is mine

This is not the case. The content is everybody else's; e.g. if the ISP's user was surfing Slashdot, the content could be yours.

If you want to access it for free

This is not the case. The ISPs charge a fee for the Internet connection.

you have to let me track your activity

This is not the case. They allow you to opt-out.

Congratulations, the only thing that isn't completely wrong about your comment is the bit you quoted, and that is because it was written by somebody else.

Re:Negotiation done!

[Bogtha]

probably illegal in the UK if it is not opt-in.

In cases like this, I really don't see the difference between opt-in and opt-out. All the ISPs have to do to make it "opt-in" is include a clause saying that you agree to share your data in amongst the dozens of existing clauses in the terms and conditions when you sign up.

Re:Negotiation done!

[Yvanhoe]

But websites that use them do not advertise it. These trackers are hidden.

Re:Negotiation done!

[Irish_Samurai]

Agreed.

The above post isn't intended to defend, it's intended to lay out how it is. Know your enemy and all that.

BTW, the consumers really don't seem to care that the financial industry has been doing this with their ATM, Debit, Credit, and gift cards for a while now.

Re:Negotiation done!

[Instine]

"Phorm has said its system offers security benefits which will warn users about potential phishing sites - websites which attempt to con users into handing over personal data. "

They just turn EVERY SITE YOU VISIT into a phishing site! Sorted.

Re:Negotiation done!

[coats]

What I don't understand is why the following sort of argument shouldn't work:

The amalgamation of the set of links I follow and the set of queries I make is a literary work that I own, under the Berne copyright treaty. (Note that I'm not talking about the content found at the links but rather the set of links themselves).

Therefore it is my copyright work, and selling it to a third party is copyright infringement to which both civil and criminal penalties should be applied.

FWIW...

Re:Negotiation done!

[Mister+Whirly]

"the inventor of the innernet doesn't like it"

Al Gore doesn't like tracking?

Re:Negotiation done!

[Mister+Whirly]

It doesn't matter. How many software agreements have you clicked the "I agree" on without reading the entire thing (or any of it at all)? Having a privacy policy that is easy to find on a site is as clearly stated as you are going to get. If people don't care if their information is tracked and how it is used (and that is about 95% of the internet which is why fighting tracking is an uphill battle) it doesn't matter how clearly it is stated. It is just like when they made the warnings on cigarettes bigger. I'm pretty sure that the problem isn't most people don't know cigarettes are harmful to your health, and if only the lettering were bigger they would somehow obtain this knowledge. The fact is that smokers do know cigarettes are bad for you, but don't care and smoke anyways.

Re:Negotiation done!

[Mister+Whirly]

"BTW, the consumers really don't seem to care that the financial industry has been doing this with their ATM, Debit, Credit, and gift cards for a while now."

I was going to say the same. I know someone who is freaky about personal information issues, then I come to find out he has a couple "rewards" cards from various retailers. When I tried to explain to him that all those cards do is collect information about his habits for retailers, he laughed and called me "paranoid". Yet he searches through his logs religiously to get rid of any "tracking cookies". Hilarious stuff.

Re:Negotiation done!

[MacDork]

This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity.

Uh, no I don't... My web browser controls what is loaded in a very fine tuned manner. When I load a page at slashdot.org, I only load what I want.

My browser didn't load those 'mc' and 'uid' quantserve cookies that are tracking people everywhere online from slashdot to hotornot.com. I did however load, store, and will later use the Slashdot.org cookies. I have granular control over all my cookies, and they are one click away.

At my command, my browser also blocks swf files, other known ad sizes, and blocks data entirely from known bad guys like doubleclick. If something does slip through, eliminating it is a simple control click away. The PERL wizards will appreciate that I can blackhole data based on regular expressions in URLs. Any domain, path, file extension... I can nuke it. It's certainly much more powerful than a hosts file.

My browser also blocks the popups that other browsers like Safari miss... If I need something that didn't get though, there's a little icon for everything that was blocked in the form of cookies, popups, images, etc on the status bar at the bottom of my window. Images and SWFs are a grey box. Hover and it tells me the domain. Click and it loads. Everything is one click away.

I can even change all of those settings on a domain by domain basis. My browser gives me complete control over what I load and what gets displayed. My browser even makes it simple to snatch images from websites like flickr that attempt to block me from saving images. I just view page info and there's an list of every image on the page. No more hunting through page source to find a image. Click the display button to see it. Click the save button to keep it.

I don't even have to load your front page to use your site in many cases. In my url bar, I type "google macdork site:slashdot.org" and I get a google search for "macdork site:slashdot.org." I can do the same with yahoo, msn, ebay... I can shortcut any search box on any site with one click simplicity. Why should I have to be subject to Yahoo's front page and their latest "Top 10 ways to spend your money" list and other info-tainment-mercials, when I just want to use their search engine without the distraction? For sites with different parameters like the RIAA Radar I can dictate which parameters are used in the search, so "riaakey" shortcut does a keyword search while "riaaart" does an artist search.

You two can bicker about who has "the power" in the arrangement, but reality dictates that you do not define what I can and cannot do with the data your web server spews at me. My browser is in control of that. You're only able to dictate your terms to people who use limited, crappy browsers. The entire ad based internet is based on that assumption. For people like myself however, I am able to view "your" content on my terms unless you decide to shut your site down. If anyone is wondering by now, I use Omniweb. Registered user since 2004. (^_^)

Re:Negotiation done!

[Naurgrim]

Fine. There's a million other websites that have the same or better content. I'll go to one of them.

Re:Negotiation done!

[anthonys_junk]

All the ISPs have to do to make it "opt-in" is include a clause saying that you agree to share your data in amongst the dozens of existing clauses in the terms and conditions when you sign up.

...and all I have to do is keep my hosts file reasonably up to date and substitute a blank gif for anything requested from an adsite.

Homer for windows is a lightweight localhost webserver that accomplishes the same thing: http://www.funkytoad.com/content/view/14/32/

Re:Negotiation done!

[VanessaE]

How about: "You put your content on a public, open system designed to give everyone access to it. I am not, cannot be, and WILL NOT be forced to download something I don't want from your website, and I sure as hell WILL NOT let you forceably retreive something from my machine. If you don't want me seeing what you've put online, then put it behind an account/password mechanism, encrypt it, hide it, whatever. PERIOD."

Re:Negotiation done!

[stavros-59]

...and all I have to do is keep my hosts file reasonably up to date and substitute a blank gif for anything requested from an adsite.
The Phorm interception is done at hardware at the ISP on the first hop. It won't matter what is in your hosts file. Phorm will get to read and store the opt-out information under the current proposals. All you will miss by using a cookie for "opt-out" is the placed ads. I appreciate that "The Register" is not a regular technical resource around here, but on the issue of Phorm they have done a lot of work to bring this to the attention of users. It is UK ISPs that are first on the list. The Phorm Files

Phorm have form as 121Media. 121Media were the developers and installers of PeopleonPage, ContextPlus spyware and the Apropos rootkit. None were easily removed by commercial software and users flooded malware removal forums for help in removing their malware.

They stopped doing that in 2005-2006 to move to this model of forced data interception and forced contextual advertising.

Much of the development of their software is done in Russia as it was for their previous "commercial" malware offerings.

Their Open Exchange site OIX.com resolves to 203.93.173.3 and seems to be a Chinese web server. Traceroute carried out from your location will always stop at a point somewhere near. If you are in Belgium, for example, the final hop will be in Belgium. If you are in Australia it stops at www.telstra.net/cgi-bin/trace?oix.com

Your relationship with your ISP should not be subject to third party operations at hardware level. It's not too different to the (possible non-car analogy) mail exchange opening your mail before they forward it to your house to check if you might need an alternative insurance offer. This may be coming to an ISP near you, would you know if it wasn't getting some public airing in the UK?

Re:Negotiation done!

[anthonys_junk]

The Phorm interception is done at hardware at the ISP on the first hop. It won't matter what is in your hosts file.

OK, as per usual I didn't do more than skim TFA, but when my hosts file is pointing to 127.0.0.1 my ISP doesn't see a request for ad-related sites at all, because it never leaves my machine... there is no "first hop" as such

I do understand that the ISP may sell data about my slashdot, goatse etc. viewing to Phorm, (which is disgusting and deplorable, TOTALLY agree with you) but how can they serve ads to me if they never receive an http request?

You have to negotiate, and I'm very expensive.

[apathy+maybe]

I agree with ol' Tim. An ISP's job is to provide a pipe for the Internet, charge for usage, and stay out of the way. That's all.

Unless I want them to do something else. And tracking me is not something I want. That's right, spam filtering is something else that I want to be "opt-in", and content filtering, and every other bloody sort of filtering.

Actually though, I would be happy if they paid me, but for one week at a time. For that one week I'll happily browse Goatse, Goatshe, Tubgirl etc. (images downloaded, but not displayed, I'm not that crazy). Any real browsing I'll do via my own encrypted proxy set-up at my webhost.

Basically, I'm not the target audience for tracking.

Anyway, it's great to see this sort of issue on mainstream media. Now just to get the 'normal' people to read it...

Re:You have to negotiate, and I'm very expensive.

[Goffee71]

The trouble is that everyone wants helpings of everyone elses' pies. Phone hardware makers now bolt services and content on their phones, phone service companies sell TV, Apple sells music, so why shouldn't ISPs want to wander off the reservation into the lush green 'services' pasture?

Re:You have to negotiate, and I'm very expensive.

[maxume]

Did you think about what 'ISP' stands for before you wrote that?

Re:You have to negotiate, and I'm very expensive.

[perturbed1]

I thought he would but Mr. Ertugrul doesn't sound like such an idiot actually. See this interview. http://www.mefeedia.com/entry/recent-posts-blip-tv-beta/7018654/ I am starting to think that there is something to it. I'd rather have the ISP know something about some random number then real with all those cookies.

Phorm .....

[wwwillem]

Sure this isn't a typo?? :-)

Re:Phorm .....

[owlnation]

Sure this isn't a typo?? :-)

The summary could have been written in clearer English, however, that is not a typo. RTFA.

Re:Phorm .....

[wwwillem]

RTFS . . . . read the f***ing smiley !!

And yes, I read the article before posting.

free internet?

[rucs_hack]

Quite honestly, if they want to track my internet usage, and exert some control over my online experience, then they can.

In return, I want high speed internet access to be provided free of change, with no download limit.

Sound fair?

Re:free internet?

Quite honestly, if they want to track my internet usage, and exert some control over my online experience, then they can.

In return, I want high speed internet access to be provided free of change, with no download limit.

Sound fair? Except they still wont let you use bittorrent.

Re:free internet?

[stavros-59]

English company? Some sort of English thing? Won't affect anyone anywhere else? Think again.

They hold a USA patent for this technology http://www.freshpatents.com/Targeted-advertising-system-and-method-dt20060921ptan20060212353.php?type=description

The patent is discussed in some depth www.politicalpenguin.org.uk/blog/p,295

This is a US patent and Phorm is registered in Delaware.

Renegotiation done!

[BaphometLaVey]

I will allow you to track it and to use it in house, but the moment a third party touches it or you attempt to sell it, I want a share of the profits.

Also, if you make me pay a subscription fee (or like slashdot, if I was to choose to), and you STILL sell want to sell my data, I also want a share of the profits.

I also want a list of all the organisations you supply my information to and I also do not want them to be able to resell it without observing the above conditions: I get a share in the profits, I get to see who the sell it to, people they sell it to have to... etc

This is the only way I would be happy to allow tracking.

Re:Renegotiation done!

[TheGreek]

This is the only way I would be happy to allow tracking.

Unless you can get the content provider to agree to your terms, you'll either have to do without the content or start an escalating game of technological cat-and-mouse.

Re:Renegotiation done!

[BaphometLaVey]

Online, I can't think of anything I could possibly need or have needed that I couldn't have found somewhere else.

Capitalism, done right, feet voting.

If they asked for DNA samples, would you say sure? Course not, there is a line, probably somewhere in between the current state of things and DNA sampling that is a reasonable compromise. If they thought they could get away with pushing for DNA samples, they would do it. Why shouldn't we push our end?

Re:Renegotiation done!

[ShieldW0lf]

Unless you can take "your" data and keep it in your pocket, you can't own it. All you can do is sic tax-paid thugs on people for doing things with data that you don't like, and then only if there are arbitrary rules in place that say you can do it.

Tim, you're a dickhead. If you want to enforce what people are doing with bits and bytes that you claim are your own, why don't you go grab a stick and enforce it yourself rather than fucking with the legal infrastructure.

Re:Renegotiation done!

[plague3106]

Because the legal infrastructure needs to be setup to make everyone play by the same rules, just like with property rights. And I do own the data; I generate it uniquely to me, and it's that uniqueness that matters to companies trying to sell me things. I create the data by living, making conscience choices about what I read, just like an author does by making conscience choices about what he writes and how he words something. Besides, they want information about me, so it must be valuable... why should I not profit from restricting who can see or use it?

Re:Renegotiation done!

[Some_Llama]

"Unless you can get the content provider to agree to your terms, you'll either have to do without the content or start an escalating game of technological cat-and-mouse."

but this is the internet, WE decide what content is worth "consuming", a content provider denying access to their "content" would be shooting themselves in the foot?

Re:Renegotiation done!

[ciscoguy01]

I will allow you to track it and to use it in house, but the moment a third party touches it or you attempt to sell it, I want a share of the profits.

Also, if you make me pay a subscription fee (or like slashdot, if I was to choose to), and you STILL sell want to sell my data, I also want a share of the profits.

Your position is too easy. Mine is more like "I charge $4600 a month to allow such tracking, if you don't agree and won't pay then your only recourse is don't track me at all."

As to content providers wanting such tracking in exchange for their content, there are *plenty* of websites I won't read. Like most that use flash or obnoxious content. Their little corners of the internet will be ghost towns as far as I'm concerned. Wait for them to come crawling for the traffic. Without traffic they make no money. We all know it too.

They need us much more than we need them.

Re:Renegotiation done!

[Score+Whore]

And of course they also create "your data" by placing a website with content you are interested in and allowing you to view it. As much as it's your data, it's their data. As much as you get together with your friends and discuss what you see online, they get together with their friends and discuss who sees them online.

You can't interact with anyone or their website without them having at least as much an ownership of the data as you have.

Just being the devil's advocate here.

Besides, they want information about me, so it must be valuable... why should I not profit from restricting who can see or use it?

I think that pretty much summarizes the position of people who believe in copyright (RIAA, MPAA, etc.)

Re:Renegotiation done!

[plague3106]

And of course they also create "your data" by placing a website with content you are interested in and allowing you to view it. As much as it's your data, it's their data.

No, because just because there may be something of interest on a site doesn't mean I'll actually check it out.

As much as you get together with your friends and discuss what you see online, they get together with their friends and discuss who sees them online.

Well, my friends and I don't profit when we talk about something online. Your whole arguement seems rather one sided to me; they can make money by "discussing" me, but I can't do the same?

You can't interact with anyone or their website without them having at least as much an ownership of the data as you have.

Not true; they own the actual content; I own what I found interesting about it and why.

I think that pretty much summarizes the position of people who believe in copyright (RIAA, MPAA, etc.)

So what? Last I checked, copyright isn't evil, and it is something that exists. Why is it wrong that I should be able to make money off of my data, but they have been able to make money on theirs for years?

Re:Renegotiation done!

[dscruggs]

"I will allow you to track it and to use it in house, but the moment a third party touches it or you attempt to sell it, I want a share of the profits."

"I will give you my content for free, but the moment you make any money off it I want a share of the profits. I'm talking to you, Warren Buffet."

Actually, I hate the practice of seling to third parties too, just pointing out that this is a circular argument.

Re:Renegotiation done!

[ShieldW0lf]

If there's nothing wrong with keeping people in ignorance, then no, copyright isn't evil.

If there's nothing wrong with estranging people from their common culture to the point that they can't sing happy birthday without having thugs show up demanding so much money it shuts your business down, and , then no, copyright isn't evil.

If there's nothing wrong with telling a brilliant inventor that they can't share what they've created with their fellow man, because some group owns that idea, and they've decided not to develop it because it would reduce their power if it existed, then no, copyright isn't evil.

But really, when you get right down to it...

There is something wrong with these things.

Copyright is evil.

Those who defend it are evil too.

Re:Renegotiation done!

[plague3106]

If there's nothing wrong with keeping people in ignorance, then no, copyright isn't evil.

How exactly is copyright keeping people ignorant? Seems to me we have libraries full of books on a huge array of topics. Anyone is free to read them.

If there's nothing wrong with estranging people from their common culture to the point that they can't sing happy birthday without having thugs show up demanding so much money it shuts your business down, and , then no, copyright isn't evil.

Funny, my family has had a lot of birthday parties, yet this has never happened to us.

If there's nothing wrong with telling a brilliant inventor that they can't share what they've created with their fellow man, because some group owns that idea, and they've decided not to develop it because it would reduce their power if it existed, then no, copyright isn't evil.

Oh, I see. You're one of the ignorant people. Apparently you don't know the difference between copyright and patents.

But really, when you get right down to it...

There is something wrong with these things.

Copyright is evil.

Those who defend it are evil too.

Huh. I guess that means our founders were evil. Freedom is slavery I guess.

Until you can figure out the difference between copyrights and patents, shut your mouth, get a job, and move out of your parents basement.

"quotes"

[gardyloo]

I don't know that the usage of "quotes" is correct in that submission (I am seriously wondering if someone with access to a more comprehensive dictionary could find out for me).

    Certainly, "Quoth" would be correct in its place -- but archaic -- or just "Said".

Re:"quotes"

[CaptainPatent]

Certainly, "Quoth" would be correct in its place -- but archaic Why am I suddenly reminded of "The Raven?" -

So that now to stop the tracking
with ISPs not lending backing
stoping only shy of hacking - hacking at my gateway door
Quoth Sir Berners: "Nevermore"

Phorm's own CEO doesn't even get it

[Scutter]

Kent Ertugrul, chief executive, of Phorm, told BBC News: "We have not had the chance to describe to Tim Berners-Lee how the system works and we look forward to doing that.

You think you need to explain how your tracker works to the father of the internet , and that once you do, he'll be ok with it. Boy, if that ain't arrogance right there, I don't know what is.

Re:Phorm's own CEO doesn't even get it

[Jeff+DeMaagd]

Not only that, he's a CEO. People that keep track of what executives say know better than to trust what they say at face value.

Re:Phorm's own CEO doesn't even get it

[unbug]

Mate, it ain't arrogance, it's certainty. Even if he's the father of the internet his kneecaps are still soft for those non-verbal descriptions.

Re:Phorm's own CEO doesn't even get it

Dude, they were talking about Tim Berners-Lee, not Al Gore (or maybe Al isn't the father of the internet either; he just invented it).

Re:Phorm's own CEO doesn't even get it

[WK2]

The article mentions nothing about Al Gore.

I Agree With Tim

[Ngarrang]

After having read the article, I would have to agree with Tim. Where I go on the 'tubes is none of my ISPs business. And this is not about trying to hide some illicit activity, but a defense of my right to live without being watched everywhere I go. I must say, though, that I am not surprised to see this coming out of England. When are its citizens going to finally stand up for their rights and put and end to all of the cameras and tracking? V's speech begins to come to mind.

Re:I Agree With Tim

[vertinox]

And this is not about trying to hide some illicit activity, but a defense of my right to live without being watched everywhere I go.

Personally, I visit religious sites and political sites all the time in which they are a personal thing. Does my ISP need to know which religion I belong to or who am I going to vote for?

Hell no.

www != Internet

You fail.

Re:www != Internet

[Scutter]

Wow. Yeah. You're right. My blatant error of typing "internet" instead of "www" completely changes everything and utterly invalidates my point! Thanks so much for pointing that out.

Re:www != Internet

[Mister+Whirly]

The "Internet" and "World Wide Web" are not the same thing, and using them interchangeably is incorrect usage. (WWW is just a part of the Internet)

Webopedia
Many people use the terms Internet and World Wide Web (aka. the Web) interchangeably, but in fact the two terms are not synonymous. The Internet and the Web are two separate but related things.

The Internet is a massive network of networks, a networking infrastructure. It connects millions of computers together globally, forming a network in which any computer can communicate with any other computer as long as they are both connected to the Internet. Information that travels over the Internet does so via a variety of languages known as protocols.

The World Wide Web, or simply Web, is a way of accessing information over the medium of the Internet. It is an information-sharing model that is built on top of the Internet. The Web uses the HTTP protocol, only one of the languages spoken over the Internet, to transmit data. Web services, which use HTTP to allow applications to communicate in order to exchange business logic, use the the Web to share information. The Web also utilizes browsers, such as Internet Explorer or Firefox, to access Web documents called Web pages that are linked to each other via hyperlinks. Web documents also contain graphics, sounds, text and video.

The Web is just one of the ways that information can be disseminated over the Internet. The Internet, not the Web, is also used for e-mail, which relies on SMTP, Usenet news groups, instant messaging and FTP. So the Web is just a portion of the Internet, albeit a large portion, but the two terms are not synonymous and should not be confused.

Besides, everybody knows that Al Gore invented the internet...

Re:www != Internet

[Scutter]

The fact remains that you were trying to be a smart son of a bitch and you fucked up. Only a tiny-dick-owner tries to deflect criticism from that.
You are a failure, boy -- man up and cop to how stupid you made yourself look.
 
...says the A.C....

Old Skool - Static

[Gazzonyx]

Perhaps the old hacker trick of lowering your signal/noise ratio via injecting bad/misleading data (somewhere in the flow)? If you can't be very quiet, you can usually benefit from being very loud.

Re:Old Skool - Static

[Yvanhoe]

There was a stuff like that in a Doctorow story about Google becoming evil and tracing your search habits. In the story Google rogue engineers, made a "search normalizer" that automatically made searches for you that neutralized any deviant trait that could show up.

So, how do we get this done ? We have to find many trackers and activate them regularly to make noises to pollute the signal ? Anyone knows of such a project ?

Re:Old Skool - Static

[Janos421]

So, how do we get this done ? We have to find many trackers and activate them regularly to make noises to pollute the signal ? Anyone knows of such a project ? Well that's exactly the purpose of obfuscation tools like SquiggleSR and TrackMeNot, two Firefox extensions. They generate fake queries on search engines to create noise and deceive data mining algorithms.

As developer of SquiggleSR, I was thinking to extend it to simulate fake browsing as well to create more noise and deceive track based on cookies. But since some ads are charged when they are displayed, this could actually be assimilated to something like "fraudulent view". What do you think?

Re:Old Skool - Static

[Gazzonyx]

I guess they (Phorm) just track web URLs; I was thinking just a simple dictionary attack with a bit of depth to it should take care of this. I just pulled this from my butt at this moment, but I think it would work if you created a shell script or even batch file to do the following...

Get your favorite tar balled dictionary, pull a random word from it, google the random word with elinks or something, and follow a random link with wget. From that site, pull 3 unique links and visit them, from those sites pull 2 unique links and follow them, from those sites pick a single unique link and follow that.
Rinse, lather, repeat.

This should give a deep enough tree with a large enough fanout over enough topics to mask your normal usage patterns. Bonus points for switching up protocols and ports every now and then.

Re:Old Skool - Static

[khallow]

Are teh user or you party to the ad contract? If not (which is probably the case unless the user agrees to something), then it's not your problem.

Re:Old Skool - Static

[Yvanhoe]

I think it is fair game. It is not fraudulent in that the goal is a fair use. The day tracking becomes optional, this fraudulent input won't be necessary any more.

Re:Old Skool - Static

[phantomfive]

I think you will be fine as long as you follow robots.txt. Personally I think disallowing cross-site cookies is the best way to handle it, though.

Re:Old Skool - Static

[Thwomp]

There is already a Firefox extension named Dephormation. It doesn't fake browsing habits it just automatically sets the Phorm 'opt-out' cookie for each page view.

Re:Old Skool - Static

[CheShACat]

I've just installed SquiggleSR and it looks ideal. I like the idea of fake random browsing on top of the fake searches because that simple change would hugely increase the scope of the privacy provided. The only people I can see that would be harmed by this are those who wish to exploit exactly this data - advertisers. And besides, as others have said: it really isn't your problem to worry about content providers arguing with their sponsors over views. Great work on the plugin, fella.

Re:Old Skool - Static

[jank1887]

and what happens the first time you randomly wget yourself some kiddy porn?

Re:Old Skool - Static

[Dude+McDude]

I guess they (Phorm) just track web URLs Nope. The content of every page requested by a user gets sent to Phorm's profiler for analysis, but the profiler ignores* the contents of form fields.

* according to Phorm, which, in the company's previous incarnation as 121media, was a spyware peddler.

Re:Old Skool - Static

[MrNemesis]

If this goes ahead (which I don't think it will as RIPA is quite specific on the matter), I'm all for polluting the Phorm database. A screen scraper that, for example, every few minutes:
Picked two random words from a dictionary
Plugged them into a random search engine (google, youtube, ask... list is endless)
Visited n of the first i links
Visited x of the links on each of those pages, and thereafter a 5% chance of following any other link on that page

would do a great job of confusing the hell out of anything trying to track your browsing habits.

Exactly who would you be defrauding though? Unless it becomes illegal to browse random websites? If they're making money on a false assumption (i.e. every website you visit is something you're interested in buying something related to it) then how is it your fault if your predeliction for browsing random rubbish results in them feeding you worthless data? Is the pattern above really that difficult from this http://xkcd.com/214/ ? Maybe when our corporate plutocracies make not providing Innovative Marketing Solutions the Ability to Upsell via Creative Strategic Online-Enabled Mandatory Advertarial Enablement Solutions a criminal offence, until then they can fuck right off. I don't click on ads, I don't even look at ads, I've been trained since I was young enough to see to ignore ads. Hell, everyone who cold calls gets added to a list of Companies I Will Never Buy Anthing From. You can't force me to think ads are relevant, or even essential.

Disclaimer: I am not a BT customer, as in the past they have made their intentions of fucking over the user for the pursuit of greater profits highly visible to me. Their marketing and former monopoly status (switly turning into another monopoly that *isn't* state controlled), combined with most non-techies ignorance of how the internet works has made them exceptionally complacent, to the extent that the UK is beginning to resemble the US's dire telecoms market.

Re:Old Skool - Static

[cleatsupkeep]

When I saw your xkcd link - I thought you were going to go with this one - where there clearly is a pattern: http://xkcd.com/155/.

Re:Old Skool - Static

[Gazzonyx]

From their website

What does it keep? At first, Phorm's technology collects information on browser type, response to advertising, the URLs of some of the web pages viewed, and search terms entered. Neither URLs nor search terms are stored - they are discarded immediately. The matching information that's left is assigned to an anonymous, randomly-generated ID number. The random ID marks an anonymous list of the categories of products or services in which a user appears to be interested. I think they're sniffing on the wire passively instead of using cookies. Although, it's hard to tell from their blurb that doesn't contain a single element of useful or technical data. Please correct me if I'm wrong; I'm just assuming from what I can gather.

Re:Old Skool - Static

[Gazzonyx]

I salute you! That, sir, is brilliant! Although I'm not sure the legal status of fake browsing... I'd say though that it's probably fairly safe; you aren't targeting specific sites or anything. Otherwise, spidering the web would fall under this arena and everyone would be suing everyone else who owns a search engine. Although, obviously, IANAL.

Not surprising but...

[florescent_beige]

In TFA's page source is:

<!-- Code for :bbc -->
<!-- START NetRatings Measurement V5.1 -->
<!-- COPYRIGHT 2003 NetRatings Limited -->

NetRatings being a tracking service of some sort.

Anyway. I always wondered about the philosophical implications of allowing someone to own the vibrations in the air. What I mean is, if someone makes the air around me vibrate in a particular way, I'm not allowed to observe it as I wish. One way of observing the vibrations would be to observe the effect those vibrations have on a particular machine. Call it a "recording machine".

The same goes for photons that impact my body. I'm not allowed to observe them in arbitrary ways, only in certain prescribed ways.

The reason such a strange rule makes sense, they say, is that the vibrations and photons aren't the real issue, the thing in question is the *meaning* of those phenomena. Those phenomena represent "performance".

So ok. I hereby attach meaning to every single action that I make for the rest of my life. They are to be considered a performance. Anyone seeking to observe or record my actions without my consent is hereby committing a copyright violation.

Re:Not surprising but...

[aproposofwhat]

If you look down the bottom right of all the BBC News pages, you'll see two little tabs called 'Most Read' and 'Most Emailed'.

The 'tracking' involved doesn't amount to much more than a page impression counter to enable the BBC to see what interests people most (though I have my worries about such data being used to promote a dumbing-down of editorial policy - lowest common denominator and all that...).

Re:Not surprising but...

[Jane_Dozey]

Also, I am free to not visit the BBC's website or just plain old block scripts and such things that they may use to help them track me. I can also use a proxy if I'm that worried and can't live without my daily BBC fix. However, if I'm understanding Phorms tracking correctly it's done on the ISP side and I have no say in the matter.

Re:Not surprising but...

[aproposofwhat]

Correct - I'm just surprised that nobody has come up with a scheme like this before, since the technology to do so has been around for at least 8 years (I was involved in a failed ISP startup in 2000, and planned out a lovely network of layer 7 switches, proxies etc. which looks in hindsight eerily similar to Phorm's setup, but didn't see hijacking browser sessions as ethical or desirable - good job the funding failed, as we had a right bunch of sharks on the sales and marketing side).

It's mine! You can't have it!

[WK2]

with regard to his data - "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me."

Jack Valenti? Is that you?

Seriously. I skimmed the summary, and thought this article was something completely different.

Easy Fix

[SlashWombat]

Phorm should be easily defeated. Just need a script to "harvest" various random sites, and have the script running in the background, clicking away merrily. Phorm will track this random spew and will not be able to differentiate your real traffic from the "noise".

Should call this script/program DEPHORM, guess it could easily ruin some halfwits dreams of embarrassing riches!

Re:Easy Fix

[Thwomp]

I haven't had a chance to look into it properly but there appears to be a Firefox extenstion called Dephormation. The site states "But Dephormation is not a solution. It's a fig leaf for your privacy."

If you, dear reader, live in the U.K. and are with an ISP that's thinking of dealing with Phorm then take a look at Bad Phorm to see what you can do about it.

Privacy Terms of service

[Benjamin_Wright]

Legally, we are coming to a conflict between what companies like Phorm say consumers have agreed to give and what consumers say they have agreed to give. Tracking companies like Phorm will say consumers agreed to their terms of service that allow tracking. But consumers can publish their own privacy terms of use that legally forbid tracking. [This idea is not legal advice to anyone, just something to think about.]

What we lose sight of..

[SuperCharlie]

Believe it or not, the Internet, just like Electricity, is NOT a given right.

We enter into a contract, pay some money, and get a service.

If you dont want to be tracked, profiled, and served steaming hot piles of ads, then build your own network, backbone, etc and see how far you can go with that.

The other option is to simply not use the Internet or find someone with a contract/TOS you can live with but as long as there is money on the table (feeding you ads) tracking and profiling will always be one board meeting away.

In a perfect world, maybe it is your data. In the real world, you dont own the network, the board of directors, or any part of their business. In the end, it is theirs to do with as *they* please and your right to walk away as *you* please.

Re:What we lose sight of..

Wow, what an amazing and realistic solution you have. I for one salute your democratization of the market.

Anonymous Coward
CEO ${Last Mile Internet Company}
CEO ${Worldwide IP Transit Company}
CEO ${Search Engine Company}
CEO ${Advertising Company}
CEO ${Cable Television Company}
CEO ${Grocery Chain Store}
CEO ${Private Airline Company} ...

Re:What we lose sight of..

[PriceIke]

That's a good comparison. Come back to this thread when electric utilities start offering to sell data collected about what kinds of electrical devices YOU own and use, how often you use them and for what purposes to advertisers, the government and whomever ponies up $$. Hey, you don't own the power lines.

Re:What we lose sight of..

[SuperCharlie]

And you dont think if they could that they wouldnt?

Re:What we lose sight of..

[Irish_Samurai]

They already sell data based on usage from areas, times of peak usage, and number of users (monitors) in a given area. They can give your exact usage for a day, week, month, year. Damn, they friggin trade it. Hell, I can go look at it if I want by looking at your meter myself.

It's not they TYPE of data that you get, its whether or not it can be gathered through passive observation. In the case of the internet, it can.

Re:What we lose sight of..

[Kaseijin]

In the real world, you dont own the network, the board of directors, or any part of their business.

In the real world, last-mile ISPs are built on privileged access to rights of way and other public subsidies.

If you dont want to be tracked, profiled, and served steaming hot piles of ads, then build your own network, backbone, etc and see how far you can go with that.

Give me $200 billion and I might just.

Re:What we lose sight of..

[SnowZero]

And you dont think if they could that they wouldnt? No that they would but they shouldn't.

If that does not make sense then I don't know what doesn't.

Phorm Phollows Phunction

[sm62704]

For those of us outside merry old Englande, Merry Olde Yew Nark, or Merry Old Moosecow (IN soviet... never mind) Wikipedia says "Phorm, formerly known as 121Media, is a digital technology based in London, New York and Moscow. The company drew attention when it announced it was is in talks with some United Kingdom ISPs to deliver targeted advertising based on a user's profile."

Am I the only one who had to look it up? I thought "Is phorming like phishing"?

For the humorless cretin who mods me down for linking uncyclopedia, since there is no uncyclopedia entry for Phorm I'll link something that sounds similar.

Re:Phorm Phollows Phunction

[Thwomp]

It looks like the article has been edited by the 'Phorm Comms Team'. The edits are summarised with "Factual changes on behalf of Phorm".

Read in to that what you will. :-/

Re:Phorm Phollows Phunction

[bryce4president]

Name a single internet company that begins with numbers such as 121Media that is not a scam.... go ahead...next to 1&1 hosting I can't think of one...

Not Against Tracking

[sjaguar]

I am not against my ISP tracking which sites I visit. In fact, I would not mind a summarized list of the sites my family visits and how long they are online. Phone companies automatically track which phone numbers I dial, why cannot it be the same for ISPs?

I am, however, vehemently against sharing that data with other companies. Of course, unless the ISP is providing me with tracking information, any information that they would track would be useless to them unless they do share it with others.

Phorm on cookies

[Kamineko]

"We believe Phorm makes the internet a more vibrant and interesting place. Phorm protects personal privacy and unlike the hundreds of other cookies on your PC, it comes with an on/off switch."

So... that 'accept cookies from sites' checkbox in my options menu isn't an on/off switch then?

copyright

[bugs2squash]

Is it not copyright ?

After all - I need do nothing to cause anything original that I write or say to be copyright, would that not extend to patterns that I make as I walk around, or sequences of web sites I visit or some other such original act that I perpetrate.

What if it turned out that the sequence of URLs I visited was a poem.

slashdot.org/there/was/a/young/man/from/Venus
google.com/who/had/an/enormous... etc.

Re:copyright

[Rary]

After all - I need do nothing to cause anything original that I write or say to be copyright...

Actually, you do have to do something to copyright a work -- you have to "fix" it. In other words, write it down or record it in some way. If you're not recording it, then you have nothing to copyright. If someone else is recording it, then they have something to copyright. However, even if you did record it in some way, it's not the content that would be protected by copyright, but your recording of that content that would be protected.

You can't copyright facts, but you can copyright a presentation of facts.

Re:copyright

[bugs2squash]

So, for example, after MLK Jr wrote his "I have a Dream" speech and delivered it from the steps of the Lincoln memorial, the TV and radio networks who recorded it at the time have copyright over their recordings of it, but who has copyright over the speech itself - surely MLK's heirs ? Surely I can't make a cover version of "Dark Side of the Moon" without getting permission from Messrs. Pink and Floyd. It sounds like I have some terribly confused idea of what copyright is.

Re:copyright

[Rary]

So, for example, after MLK Jr wrote his "I have a Dream" speech and delivered it from the steps of the Lincoln memorial, the TV and radio networks who recorded it at the time have copyright over their recordings of it, but who has copyright over the speech itself - surely MLK's heirs ?

Before delivering the speech, MLK wrote it down and registered it with the copyright office. Therefore he owned the speech as it was written (but had no ownership of the public delivery of that speech), while those who recorded it owned their specific recordings. This means that the TV/radio stations can rebroadcast their specific recordings of the speech, but they could not create a new recording of the content of that speech without permission from MLK or his representatives.

However, MLK owning that speech does not mean that he owned the facts in the speech. In other words, I could present the same ideas in a different speech, and I would hold the copyright to my speech.

Surely I can't make a cover version of "Dark Side of the Moon" without getting permission from Messrs. Pink and Floyd.

Actually, you don't need their permission, however you are required to get a mechanical license and pay royalties. That's because the words, music, and recording are all individually and separately covered by copyright. You would hold the copyright to your recording of the song, but they would still hold the copyright to the words and music that you used (assuming you didn't change them significantly).

And what, exactly, can he do about it?

[dpbsmith]

About as much as Westinghouse could do about alternating current being used to electrocute criminals, or Lee de Forest could do about television commercials, or Leo Szilard could do about the atomic bomb being used against Japan.

On behalf of Phorm

[Phorm+Comms+Team]

Hi all As the name suggests I work for the Phorm Comms Team. In response to Tim's comments and the raft of commentary tht has followed, we also believe that it is wrong to store Internet users' personal data. Our technology is a real turning point in the protection of privacy online - it does not store personally identifiable information, does not store IP addresss and nor does it store browsing histories. By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way. With the Phorm technology, users can choose - they can opt out or in at any time; and again, no personal data is stored . We look forward to speaking to Tim Berners Lee to explain how our technology is a ground breaking advance in delivering targeted ads while protecting privacy online and consumer choice, as we have with other experts.

Re:On behalf of Phorm

Your technology is clearly a violation of RIPA because all requests are intercepted and mirrored to your profiling system -- even when a user has "opted-out" by getting a cookie.

With the Phorm technology, users can choose - they can opt out or in at any time

This is an outright lie! The only company that has announced it will allow an opt-out is TalkTalk, the cookie is a non-issue. You either do not understand how your own system works or are deliberately attempting to deceive the public -- which is it?

Re:On behalf of Phorm

[thechanklybore]

Again, like the other respondent, I question your understanding of your own system if you believe that a simple cookie is a valid "Opt-Out" from Phorm. Maybe you could enlighten all of us Slashdotters as to how redirecting all of the traffic from a customers
internet connection to the Phorm network even when the "opt-out" cookie is set is opting out?

"By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way.
"

This is completely disingenuous. Whatever Google et al do with my data *I* have chosen to go to their site, *I* have chosen to perform a search. The Phorm method of gathering data is not comparable. If all of a person's HTTP traffic was routed through Google you may find a few people disagreeing with this too!

Re:On behalf of Phorm

Two things: 1. Stay away from my network traffic (no need to act on that, I'll instantly move away from any ISP that gives you access to it) 2. Stick your "targetted advertising" up your arse

Re:On behalf of Phorm

[ydrol]

Unfortunately Technical people will not believe marketing/PR oriented comments, who often use technical terms inprecisely.
They will only understand and trust a precise technical description of the system, something which Phorm may, understandably, be reluctant to give for IP/Business reasons.
What does "no personal data is stored" mean. Is data stored or not? Is it anonymized in the same way as the AOL Seach scandal was anonymized?
Will there be cross-pollination of adverts amongst users sharing the same account - I can answer that for you - Yes.

Re:On behalf of Phorm

[grcumb]

I question your understanding of your own system....

I question their understanding of what they're doing as well, based on the fact that they could send a marketing droid to debate geeks. On Slashdot.

The only possible outcome to this kind of a conversation is for the marketer to be positively buried in technical rebuttals which he is neither equipped nor allowed to respond to. $MARKETER will receive not a little disdain in the process, and if he's not careful, will become defensive.

The first sign of back-tracking (a perfectly acceptable way to concede a point in many business meetings) will be turned into a rout when $MARKETER finds himself faced with chapter and verse of every fallacious or inaccurate statement he's made anywhere on the web, ever. Heaven help him if he's on MySpace or Facebook.

In short, it would be more merciful to the poor droid for us to send him straight to tubgirl right now, rather than leaving him with the false impression that there's any hope at all of emerging intact from this foray into the world of Slashdot. 8^)

Re:On behalf of Phorm

To further address some of the more technical issues addressed in this post and some of the other points raised throughout the discussion: Webwise does not leave any HTML tracking code. HTML is not a software language which allows applications, it is simply a markup language for displaying pages. Our software doesn't use HTML frames.

Secondly, we don't track or interfere with any DNS requests. Webwise only looks at opted-in data coming from a list of known parties that have chosen the service. We don't look at all traffic - we don't look at opted-out data, secure pages and we don't look at non-browser data (IM, POP3, etc)

To reiterate on the corporate level, Phorm has no offices or employees based in Saint-Petersburg. The group in Moscow is an integral part of the Phorm team. Under the close direction of Phorm's UK headquarters, and with colleagues from the UK and USA, they have helped us to build a world-class technology product. We have no relationship with Russian Business Network (indeed, no one in this office had even heard of it before this post). We have absolutely no connection with China.

Sir Tim Berners Lee is not familiar with the Phorm system, so he did not know that his example is impossible with our system (in the BBC story: http://news.bbc.co.uk/1/hi/technology/7299875.stm). There is no match to 'sensitive' areas such as medical conditions, no record of what sites users have visited, and no data of any kind is passed by the system to a third party (in his example to insurers).

We look forward to speaking to Tim Berners Lee to explain how our technology is a ground breaking advance in delivering targeted ads while protecting privacy online and consumer choice, as we have with other experts.

Lastly, domains which are associated with our products are clearly and openly named. They are webwise.net, webwise.com, oix.net, oix.com and phorm.com

Re:On behalf of Phorm

Secondly, we don't track or interfere with any DNS requests. Webwise only looks at opted-in data coming from a list of known parties that have chosen the service. We don't look at all traffic - we don't look at opted-out data, secure pages and we don't look at non-browser data (IM, POP3, etc)

Yes your system does look at opt-out data, please stop saying that you do not. deny this: does the raw HTML data go to the phorm profiler based at the ISP or not even when the opt-out cookie is set (I don't care what you do with it..it does go there!). The answer is that it does according to your CEO. The profiler, whilst technically owned by the ISP, is your software..correct. you also administer it (patches etc) correct? will you also have direct access to these servers (i mean physically, i don't care if BT has policies that say you must have permission before actually connecting).

p.s. as some may know, BT has now (some unofficially) announced that it will have an account level setting you can use to opt-out so you do not have to rely on this crap cookie method. Hopefully they will announce this in mainstream press next week see this thread for the talk about it.

Webwise does not leave any HTML tracking code. HTML is not a software language which allows applications, it is simply a markup language for displaying pages

Somehow i don't think you need to tell slashdotters what HTML is. however, a non-expiring cookie can be tracking code can't it. On the subject of the cookie. once the ISP infrastructure has assigned the UID and stored all your web history in terms of keywords, our browser now hits the advert side of things..so tell me, if my computer sends this cookie off to one of the ad servers, doesn't that ad server now know 1. my UID 2. my IP address and other browser details (user agent string etc). so combining your data repository in the ISP with your advert server logs, you can in fact tie IP address to UID later on..or don't you consider IP address to be personal information?

Tracking the advertiser, not the user

[Animats]

We've been doing some tracking recently, but aimed at the advertiser side. We have a plug-in for Firefox which rates ads. A little icon is displayed next to each ad, showing what our system knows about the advertiser. As we tell users of the plug in, "AdRater 'phones home', but tells us as little as possible. AdRater sends the domain name associated with each advertisment you see to SiteTruth." SiteTruth then sends back advertiser information, in XML, which the plug-in turns into icons.

We use this to find out what the advertisers are doing. Individuals are entitled to privacy; advertisers are not. We're building up a picture of the on-line advertising market. We now have, for example, a list of Google's AdSense advertisers.

Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks.

It's not just advertisers tracking users any more. Sometimes it's the other way round.

Re:Tracking the advertiser, not the user

[Irish_Samurai]

Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks. I'd be interested in seeing the criteria, and sample data, for determining the quality of advertisers before I view your report as having any legitimacy.

Re:Tracking the advertiser, not the user

[Animats]

I'd be interested in seeing the criteria, and sample data, for determining the quality of advertisers before I view your report as having any legitimacy.

Sure. See these documents.

Phorm 'illegal' says FIPR

[c_g_hills]

The Foundation for Information Policy Research has recently published an open letter in which it argues that the Phorm system that many British ISPs have signed up to is illegal. I am definitely having no regrets about having emigrated from the U.K. to Denmark.

Dear Mr Father-of-Internet

[wsanders]

What kind of parent are you? Your kids are all vandals, taking drugs, driving around drunk, and causing trouble all over town. Please ground them or cut off their allowance or something.

OWNED!

Ah, Mr. Berners-Lee?

Concerned about being tracked?

Why just on the internet?

What about off of the internet, you know, away from your computer?

Do you pay cash for all your financial transactions?

I thought not...

OWNED!

uh... I mean tracked!

Some notes from the Phorm sales pitch

[anticypher]

Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people's observations in the ensuing PR war. Phorm's sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

Phorm has hired a specialty PR company, Citigate Dewe Rogerson to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I've seen Dutch, German and French language follow-up posts in the last few weeks.

Phorm has addressed the main part of pesky privacy laws in Europe by "gifting" the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm's technical team. If the equipment stays 5 years in the ISP's premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn't left their network should post-analysis show the customer has "opted-out" of passing the information to Phorm's China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

The Phorm collectors sit inside the ISP's network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP's network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

The problem I, and others, had with Phorm's plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

As an example, let's take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can't be tricked by slashdot's servers to return cookies from digg or google.

With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which respond with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begi

Re:Some notes from the Phorm sales pitch

[Phorm+Comms+Team]

Hi I work on behalf of Phorm here in the UK. Whilst we welcome the healthy debate across the web, there are some factual errors in these ntoes that should be addressed. Firstly we do not have servers in China or Russia. We have programmers in the UK and US, and we are also lucky to have a first-class team in Moscow. It is entirely normal for international companies to operate development groups overseas, e.g. in India, the far East, and central Europe, and Russia is of course pre-eminent in software development. The group in Moscow is an integral part of the Phorm team is under the direction of Phorm's UK headquarters. All of our data processing for our clients BT, Talk Talk and Virgin will be done in the UK. We are confident out system meets all the relevant UK laws. When it was called PeopleOnPage, the company was involved in the adware business, not spyware or malware. Adware is a software component designed to deliver ads as part of a legitimate commercial product or service. The software was installed with the knowledge and consent of individual users, could be identified and uninstalled, and was not intended to cause harm or steal information. We fully stand by everything we did in the adware business, but it became clear to us it was impossible for people to distinguish adware from spyware. The company quickly decided that the model of providing downloadable software was a wrong turn and was taking us away from our core vision for the business: personalising the Internet. The company then took the unprecedented step of voluntarily shutting down the download business model - worth $5-6 million a year to the business. Instead we decided to concentrate on our ISP strategy of providing more relevant ads and higher levels of user privacy. We announced this move away from the old model to the ISP strategy transparently to the market. Lastly, Tim Berners Lee has never had a presentation from Phorm or seen our system - his comments yesterday were a result of questions put to him.

Re:Some notes from the Phorm sales pitch

Please take your canned replies and stuff them somewhere dark. Seriously.

We're on to you. Transparent bullcrap like the response you gave above is only proving the point. We know what you're doing. We know where you're doing it from. You are scum. The filth of the net. I can only hope you're less despicable in person(s). I doubt it, though. Sadly.

Re:Some notes from the Phorm sales pitch

[jovlinger]

technically apt people ... are beginning to understand just what an internet stream hijack implies Well, I guess that excludes me. I didn't follow how they went from hijacking my browser session to getting my whole TCP stream. Could you explain?

Or did you mean that Phorm's servers intercept everything coming across my connection, and that the browser scenario was just one example?

Re:Some notes from the Phorm sales pitch

[anticypher]

did you mean that Phorm's servers intercept everything coming across my connection

Have a look at how BT will be implementing the Phorm interceptor line tap. The equipment is located where it intercepts all flows from all customers on the exchange, filtering out port 80 traffic to be passed to the F5 interception engine. The box known as "ACE" in the slides is provided, configured, and administered by Phorm, although it officially is "gifted" in accounting terms to the ISP to circumvent UK privacy laws.

Nobody knows exactly what the "ACE" box is, but from where it is positioned in the ISP network, it can intercept, alter, or block all your traffic. Not just your web traffic, ALL your traffic.

the AC

ISP value added suggestion

[psbrogna]

To all you ISP exec's that might be reading this dialog: I'd pay $5/mo more if you'd anonymize my use of the internet (in a way I can verify) and if your service terms stated that I was anonymized in very clear language (ie. no legalese loopholes). - p

Re:ISP value added suggestion

[Zakabog]

I'd pay $5/mo more if you'd anonymize my use of the internet (in a way I can verify) and if your service terms stated that I was anonymized in very clear language (ie. no legalese loopholes)

You're now giving the ISPs a business model selling you a "service" which should be included with your account...

Re:ISP value added suggestion

[psbrogna]

So? We've got a number of years behind us where they've demonstrated they won't protect customer privacy on their own, regardless of what the customer asks for. Why not motivate them with increased revenue? In many markets there's only 1 broadband solution available so, barring legislation, they can pretty much do whatever they want and not risk losing customers. I'd love to see the appropriate legislation in place but my understanding is this happens fairly slowly in the best of circumstances and fighting a battle against what is essentially an entrenched regime with deep pockets (consider the marketing industry and the many ways they've been able to build detailed demographic databases for years) isn't something I'd expect to go smoothly. We're talking about credit card companies and super-retailers like Walmart: resourceful entities with massive resources (ie. lobbying leverage). Our private information has been a commodity to these people for years.

Didn't think of that, actually.

[Gazzonyx]

Good point; make sure script doesn't request any page content other than the index/plain text. Like elinks, I guess. That and a little bit of common sense dictionary filtering and/or metadata tags. Although I see where you were going on the whole with it... I haven't the foggiest idea how to make sure I don't land on a page that puts me on a government list somewhere :). Any ideas?

The food industry. . .

[DKlineburg]

Convinced us it is common place to get discounts for reviling your information to them. Everyone: Safeway, Albertsons, Fred Myer, and QFC have a "card" to get you discounts. What do you think they do with the data? Not look at the personal stuff? I would hate to think would happen if you used there online service. Good think I spoofed them all to be fake.