Slashdot Mirror


Berners-Lee Rejects Tracking

kernowyon writes "The BBC has an interview with Sir Tim Berners-Lee during his visit to the UK on their website currently. In it, he voices his concern about the practice of tracking activity on the internet — with particular reference to Phorm. Quotes Sir Tim with regard to his data — "It's mine — you can't have it. If you want to use it for something, then you have to negotiate with me.""

29 of 155 comments

  1. It's all nicey by mapkinase · · Score: 4, Insightful

    ...but will it have any effect on powers that are in charge? As for influence on us, most users who know who he is already share this position.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  2. Negotiation done! by TheGreek · · Score: 5, Insightful

    "It's mine -- you can't have it. If you want to use it for something, then you have to negotiate with me."
    "This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."
    1. Re:Negotiation done! by jrumney · · Score: 3, Interesting

      This content is mine

      Only it isn't. They are tracking user activity beyond the websites that use Phorm for their advertising, and even if they were to limit it to those websites, there is still dubious data sharing going on which is probably illegal in the UK if it is not opt-in.

    2. Re:Negotiation done! by Yvanhoe · · Score: 3, Interesting

      It is easy to state a price, but negotiation means that both parties have different prices and different means of pressure. What's our ? We are the first to say that Internet is somehow a jungle where almost anything is fair game. So, how do we defend, technologically ?

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:Negotiation done! by Marcion · · Score: 5, Funny

      It's mine, my precious, get away pesky data-mining hobbits.

    4. Re:Negotiation done! by Anonymous Coward · · Score: 3, Informative

      It is illegal in the UK under RIPA without the consent of both parties -- the ISP subscriber and web site operator. There's an implied consent for public web content but once a user has some form of authenticated session, it's illegal interception.

      The real problem with the Phorm system is that it's purposely designed to grab every user's click stream. Phorm are misrepresenting their opt-out cookie, which relates to targeted advertising and not the interception and profiling. The only way Phorm would be legal in the UK is for ISPs to use ACLs and isolate opt-out subscribers from Phorm's "anonymous" profiling entirely.

    5. Re:Negotiation done! by Sczi · · Score: 2, Insightful

      I think this is getting OT a bit.. as I understand it Phorm runs at the ISP level and then sells the data to content providers. I, for one, am getting really sick of this trend of uppity ISPs trying to get in the racket of playing monkey in the middle with our data. They get their monthly check simply for being a conduit. How about requiring the ISPs in question to call every one of their subscribers and say "we just wanted to inform you that we are going to sniff all of your traffic and sell the data to advertisers" and see what kind of response they get.

    6. Re:Negotiation done! by stavros-59 · · Score: 3, Informative

      ...and all I have to do is keep my hosts file reasonably up to date and substitute a blank gif for anything requested from an adsite.

      The Phorm interception is done at hardware at the ISP on the first hop. It won't matter what is in your hosts file. Phorm will get to read and store the opt-out information under the current proposals. All you will miss by using a cookie for "opt-out" is the placed ads. I appreciate that "The Register" is not a regular technical resource around here, but on the issue of Phorm they have done a lot of work to bring this to the attention of users. It is UK ISPs that are first on the list. The Phorm Files

      Phorm have form as 121Media. 121Media were the developers and installers of PeopleonPage, ContextPlus spyware and the Apropos rootkit. None were easily removed by commercial software and users flooded malware removal forums for help in removing their malware.

      They stopped doing that in 2005-2006 to move to this model of forced data interception and forced contextual advertising.

      Much of the development of their software is done in Russia as it was for their previous "commercial" malware offerings.

      Their Open Exchange site OIX.com resolves to 203.93.173.3 and seems to be a Chinese web server. Traceroute carried out from your location will always stop at a point somewhere near. If you are in Belgium, for example, the final hop will be in Belgium. If you are in Australia it stops at www.telstra.net/cgi-bin/trace?oix.com

      Your relationship with your ISP should not be subject to third party operations at hardware level. It's not too different to the (possible non-car analogy) mail exchange opening your mail before they forward it to your house to check if you might need an alternative insurance offer. This may be coming to an ISP near you, would you know if it wasn't getting some public airing in the UK?
  3. You have to negotiate, and I'm very expensive. by apathy+maybe · · Score: 2, Insightful

    I agree with ol' Tim. An ISP's job is to provide a pipe for the Internet, charge for usage, and stay out of the way. That's all.

    Unless I want them to do something else. And tracking me is not something I want. That's right, spam filtering is something else that I want to be "opt-in", and content filtering, and every other bloody sort of filtering.

    Actually though, I would be happy if they paid me, but for one week at a time. For that one week I'll happily browse Goatse, Goatshe, Tubgirl etc. (images downloaded, but not displayed, I'm not that crazy). Any real browsing I'll do via my own encrypted proxy set-up at my webhost.

    Basically, I'm not the target audience for tracking.

    Anyway, it's great to see this sort of issue on mainstream media. Now just to get the 'normal' people to read it...

    --
    I wank in the shower.
    1. Re:You have to negotiate, and I'm very expensive. by maxume · · Score: 2, Funny

      Did you think about what 'ISP' stands for before you wrote that?

      --
      Nerd rage is the funniest rage.
  4. free internet? by rucs_hack · · Score: 2, Interesting

    Quite honestly, if they want to track my internet usage, and exert some control over my online experience, then they can.

    In return, I want high speed internet access to be provided free of charge, with no download limit.

    Sound fair?

  5. Renegotiation done! by BaphometLaVey · · Score: 4, Interesting

    I will allow you to track it and to use it in house, but the moment a third party touches it or you attempt to sell it, I want a share of the profits.

    Also, if you make me pay a subscription fee (or like slashdot, if I was to choose to), and you STILL want to sell my data, I also want a share of the profits.

    I also want a list of all the organisations you supply my information to and I also do not want them to be able to resell it without observing the above conditions: I get a share in the profits, I get to see who they sell it to, people they sell it to have to... etc

    This is the only way I would be happy to allow tracking.

  6. Phorm's own CEO doesn't even get it by Scutter · · Score: 5, Funny

    Kent Ertugrul, chief executive of Phorm, told BBC News: "We have not had the chance to describe to Tim Berners-Lee how the system works and we look forward to doing that."

    You think you need to explain how your tracker works to the father of the internet, and that once you do, he'll be ok with it. Boy, if that ain't arrogance right there, I don't know what is.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Phorm's own CEO doesn't even get it by WK2 · · Score: 3, Funny

      The article mentions nothing about Al Gore.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  7. I Agree With Tim by Ngarrang · · Score: 4, Interesting

    After having read the article, I would have to agree with Tim. Where I go on the 'tubes is none of my ISP's business. And this is not about trying to hide some illicit activity, but a defense of my right to live without being watched everywhere I go. I must say, though, that I am not surprised to see this coming out of England. When are its citizens going to finally stand up for their rights and put an end to all of the cameras and tracking? V's speech begins to come to mind.

    --
    Bearded Dragon
  8. Old Skool - Static by Gazzonyx · · Score: 4, Interesting

    Perhaps the old hacker trick of lowering your signal/noise ratio via injecting bad/misleading data (somewhere in the flow)? If you can't be very quiet, you can usually benefit from being very loud.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    1. Re:Old Skool - Static by Janos421 · · Score: 4, Informative

      So, how do we get this done ? We have to find many trackers and activate them regularly to make noises to pollute the signal ? Anyone knows of such a project ?

      Well that's exactly the purpose of obfuscation tools like SquiggleSR and TrackMeNot, two Firefox extensions. They generate fake queries on search engines to create noise and deceive data mining algorithms.

      As developer of SquiggleSR, I was thinking to extend it to simulate fake browsing as well to create more noise and deceive track based on cookies. But since some ads are charged when they are displayed, this could actually be assimilated to something like "fraudulent view". What do you think?
    2. Re:Old Skool - Static by khallow · · Score: 2, Insightful

      Are the user or you party to the ad contract? If not (which is probably the case unless the user agrees to something), then it's not your problem.

    3. Re:Old Skool - Static by Dude+McDude · · Score: 4, Informative

      I guess they (Phorm) just track web URLs

      Nope. The content of every page requested by a user gets sent to Phorm's profiler for analysis, but the profiler ignores* the contents of form fields.

      * according to Phorm, which, in the company's previous incarnation as 121media, was a spyware peddler.

  9. Re:"quotes" by CaptainPatent · · Score: 4, Funny

    Certainly, "Quoth" would be correct in its place -- but archaic

    Why am I suddenly reminded of "The Raven?" -

    So that now to stop the tracking
    with ISPs not lending backing
    stopping only shy of hacking - hacking at my gateway door
    Quoth Sir Berners: "Nevermore"
    --
    Well, back to rejecting software patent applications.
  10. Re:What we lose sight of.. by PriceIke · · Score: 2, Interesting

    That's a good comparison. Come back to this thread when electric utilities start offering to sell data collected about what kinds of electrical devices YOU own and use, how often you use them and for what purposes to advertisers, the government and whomever ponies up $$. Hey, you don't own the power lines.

    --
    It's not a lie. It's the truth with lossy compression.
  11. Re:Phorm Phollows Phunction by Thwomp · · Score: 2, Informative

    It looks like the article has been edited by the 'Phorm Comms Team'. The edits are summarised with "Factual changes on behalf of Phorm".

    Read in to that what you will. :-/

  12. On behalf of Phorm by Phorm+Comms+Team · · Score: 5, Informative

    Hi all. As the name suggests I work for the Phorm Comms Team. In response to Tim's comments and the raft of commentary that has followed, we also believe that it is wrong to store Internet users' personal data. Our technology is a real turning point in the protection of privacy online - it does not store personally identifiable information, does not store IP addresses and nor does it store browsing histories. By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way. With the Phorm technology, users can choose - they can opt out or in at any time; and again, no personal data is stored. We look forward to speaking to Tim Berners Lee to explain how our technology is a ground breaking advance in delivering targeted ads while protecting privacy online and consumer choice, as we have with other experts.

    1. Re:On behalf of Phorm by thechanklybore · · Score: 5, Insightful

      Again, like the other respondent, I question your understanding of your own system if you believe that a simple cookie is a valid "Opt-Out" from Phorm. Maybe you could enlighten all of us Slashdotters as to how redirecting all of the traffic from a customer's internet connection to the Phorm network even when the "opt-out" cookie is set is opting out?

      "By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way."

      This is completely disingenuous. Whatever Google et al do with my data *I* have chosen to go to their site, *I* have chosen to perform a search. The Phorm method of gathering data is not comparable. If all of a person's HTTP traffic was routed through Google you may find a few people disagreeing with this too!

    2. Re:On behalf of Phorm by grcumb · · Score: 2, Insightful

      I question your understanding of your own system....

      I question their understanding of what they're doing as well, based on the fact that they could send a marketing droid to debate geeks. On Slashdot.

      The only possible outcome to this kind of a conversation is for the marketer to be positively buried in technical rebuttals which he is neither equipped nor allowed to respond to. $MARKETER will receive not a little disdain in the process, and if he's not careful, will become defensive.

      The first sign of back-tracking (a perfectly acceptable way to concede a point in many business meetings) will be turned into a rout when $MARKETER finds himself faced with chapter and verse of every fallacious or inaccurate statement he's made anywhere on the web, ever. Heaven help him if he's on MySpace or Facebook.

      In short, it would be more merciful to the poor droid for us to send him straight to tubgirl right now, rather than leaving him with the false impression that there's any hope at all of emerging intact from this foray into the world of Slashdot. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  13. Re:What we lose sight of.. by Irish_Samurai · · Score: 2, Interesting

    They already sell data based on usage from areas, times of peak usage, and number of users (monitors) in a given area. They can give your exact usage for a day, week, month, year. Damn, they friggin trade it. Hell, I can go look at it if I want by looking at your meter myself.

    It's not the TYPE of data that you get, it's whether or not it can be gathered through passive observation. In the case of the internet, it can.

  14. Tracking the advertiser, not the user by Animats · · Score: 4, Interesting

    We've been doing some tracking recently, but aimed at the advertiser side. We have a plug-in for Firefox which rates ads. A little icon is displayed next to each ad, showing what our system knows about the advertiser. As we tell users of the plug in, "AdRater 'phones home', but tells us as little as possible. AdRater sends the domain name associated with each advertisement you see to SiteTruth." SiteTruth then sends back advertiser information, in XML, which the plug-in turns into icons.

    We use this to find out what the advertisers are doing. Individuals are entitled to privacy; advertisers are not. We're building up a picture of the on-line advertising market. We now have, for example, a list of Google's AdSense advertisers.

    Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks.

    It's not just advertisers tracking users any more. Sometimes it's the other way round.

  15. Dear Mr Father-of-Internet by wsanders · · Score: 2, Funny

    What kind of parent are you? Your kids are all vandals, taking drugs, driving around drunk, and causing trouble all over town. Please ground them or cut off their allowance or something.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  16. Some notes from the Phorm sales pitch by anticypher · · Score: 4, Interesting

    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people's observations in the ensuing PR war. Phorm's sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I've seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by "gifting" the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm's technical team. If the equipment stays 5 years in the ISP's premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn't left their network should post-analysis show the customer has "opted-out" of passing the information to Phorm's China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP's network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP's network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm's plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let's take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can't be tricked by slashdot's servers to return cookies from digg or google.

    With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which respond with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begi

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
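
The redirect-and-cookie bounce described in the comment above (request to a site answered with a 302 to an unrelated domain, cookies handled there, then a 302 back to the original request) can be checked for in a recorded redirect chain. This is an added example, not part of the original thread or of any product mentioned in it; the hop format, the function names and the `.example` hosts are constructed assumptions, and it generalizes to any pair of sites.

```python
from urllib.parse import urlsplit

def site(url):
    """Naive 'site' key: last two host labels. Assumption for brevity; a
    real tool would use the Public Suffix List (e.g. for .co.uk names)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def is_redirect(hop):
    return 300 <= hop["status"] < 400 and bool(hop.get("location"))

def find_bounces(hops, max_detour=4):
    """Return one finding per detour: a 3xx from the requested site to
    other sites that ends in a 3xx back to the exact URL first requested."""
    findings, i = [], 0
    while i < len(hops):
        first = hops[i]
        origin = site(first["url"])
        if not is_redirect(first) or site(first["location"]) == origin:
            i += 1
            continue
        via, cookies, returned = [], [], False
        j = i + 1
        while j < len(hops) and j - i <= max_detour:
            hop = hops[j]
            if site(hop["url"]) == origin:
                break                      # back on the origin without a bounce
            via.append(urlsplit(hop["url"]).hostname)
            cookies += hop.get("set_cookie", [])
            if is_redirect(hop) and hop["location"] == first["url"]:
                returned = True            # detour handed us back unchanged
                break
            j += 1
        if returned:
            findings.append({
                "origin_url": first["url"],
                "via": via,
                "cookies_set": cookies,
                # Only plaintext HTTP lets an in-path device forge the 302.
                "plaintext": urlsplit(first["url"]).scheme == "http",
            })
            i = j + 1
        else:
            i += 1
    return findings

# Constructed sample chains (not captured traffic).
INTERCEPTED = [
    {"url": "http://www.news.example/story", "status": 302,
     "location": "http://sync.adprofile.example/r?u=story"},
    {"url": "http://sync.adprofile.example/r?u=story", "status": 302,
     "location": "http://www.news.example/story",
     "set_cookie": ["uid=constructed-id"]},
    {"url": "http://www.news.example/story", "status": 200},
]
CLEAN = [
    {"url": "https://shop.example/", "status": 301,
     "location": "https://www.shop.example/"},
    {"url": "https://www.shop.example/", "status": 200},
]

if __name__ == "__main__":
    for name, chain in (("intercepted", INTERCEPTED), ("clean", CLEAN)):
        print(name, find_bounces(chain))
```

Single sign-on flows can produce a similar shape, so a finding on an `https://` origin says far less than one on plaintext `http://`.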