UK ISP Admitted to Spying on Customers
esocid writes "BT, an ISP located in the UK, tested secret spyware on tens of thousands of its broadband customers without their knowledge, it admitted yesterday. The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame. BT said it randomly chose 36,000 broadband users for a 'small-scale technical trial' in 2006 and 2007. The monitoring system, developed by U.S. software company Phorm, formerly known as 121Media, known for being deeply involved in spyware, accesses information from a computer. It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests. Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."
BT is not "an ISP". British Telecom was for a very long time the monopoly holder on telephone lines in the UK and is still the gatekeeper for all ADSL access there. They have a market cap of 35 billion and their revenue just about puts them in the top ten telecoms companies in the world.
In my personal experience their service has been bad enough that they're almost as bad as their competitors. Given their history, it's not surprising if they've overstepped their bounds ... they're used to being in charge, after all.
http://yro.slashdot.org/article.pl?sid=08/02/18/2033202
Why on Earth wouldn't BT just do this on their side of the connection? EVERYTHING that the user gets goes through their pipes, their routers. Just install some monitoring hardware+software and be done with it. There doesn't seem to be any logical reason to do this on a user's computer. That's just plain stupid.
The only difference is that you don't have access to encrypted data and "other applications" installed by the user. The stuff they claim to have logged and analyzed is more easily obtainable from their own side.
These people should be shut down completely or compelled to pay some very serious damages to the people whose privacy was compromised this way.
A strong response now would send a message to other ISPs who may be moved to try this kind of irresponsible, illegal spying.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
The parent is correct. BT was the state-run telecom monopoly in the UK, and was converted into a private monopoly in 1984. Not much of an improvement, but at least it finally allowed for the possibility of competition arising, however slim.
Crack dealer executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."
Developing....
They (BT) are implementing this in the UK, along with a couple of other ISPs (like Virgin).
Sounds like a major privacy violation; I hope they get sued into oblivion.
.... that if you are online someone is watching you.
BT's ADSL internet service seems to be one of the worst in the UK. Unfortunately, since they have a long history of providing landline connections in the UK, many people assume they must be a worthy internet provider also - not so. I'd recommend UK Slashdotters look at This ADSL ratings site for more personal citations of BT's (and other providers') service.
"I bless every day that I continue to live, for every day is pure profit."
http://www.youtube.com/watch?v=rgZjeckpUXY
This has been bubbling under for a few weeks, but really broke badly in the past couple of days.
Essentially they appear to have broken the Regulation of Investigatory Powers Act (RIPA) by performing an unauthorised interception of a communication over telecommunications infrastructure.
No word yet on legal action, although several MPs are kicking up a fuss about it.
BTW BT are the only ones who have confessed to doing this so far; the other ISPs have either kept schtum, or muttered platitudes like "we will wait and see".
The RIPA act that covers interception of data says that both parties involved in a communication have to consent to monitoring, so it's not just a matter of 1 user consenting. I wonder how Google feels having its pages modified with banners and inserting tracking without permission? Tortious interference perhaps? Definitely copyright. I wonder how those hidden intranet/exchange URL owners (military/F100 companies etc.) feel too, having their employees'/customers' communications intercepted? See you in the prison visiting room, BT executives; I'll bring you some smokes to look at.
How do I turn the reply buttons back to text like it was before? I've been moving around computers a lot and probably enabled some stupid new feature. I can't seem to find it in the preferences.
thanks
As a potential lottery winner, I totally support tax cuts for the wealthy
...
Wait, so you're telling me that a third party can, without my consent and/or notification (implied or explicit), install and execute a program on my hardware? Isn't that what sends most virus writers to jail?
I'd want a lawyer to run over the BT access agreements with a fine tooth comb, and check this against any applicable privacy laws.
With the new terror-laws, every ISP here in Denmark is bound by law to monitor and log all and every connection made in the country (mainly IP addresses, but probably down to protocol level, ports, mails, IMs etc.). I don't see how this is different...
I use ad-block+ so I never see any ads anyway but further I have absolutely no interest in letting any company besides Google, whom I'm presently very fond of, know anything about my Net habits. It just doesn't serve any of my interests and it causes me great anxiety to think that a profile could be built and accessed and sold. I'm not in the US but as an example the present US administration I would prefer to be an absolute cipher to. Would using a proxy server achieve much?
Saul Hansell of the Times has already been on this. He interviewed a principal of Phorm and summarizes it on his Times blog. Needless to say, the readers' comments haven't been positive for the companies in question.
http://bits.blogs.nytimes.com/2008/04/03/can-an-eavesdropper-protect-your-privacy/index.html?ref=technology
- js.
The summary of the story doesn't emphasise the point that the spying test was just a small trial, and that Phorm is actually coming directly to the UK.
3 of the major UK ISPs: Virgin Media, BT and Talk Talk are getting all ready to implement and bring in Phorm. More information and details are available at the useful website BadPhorm: http://www.badphorm.co.uk/
Thousands and thousands of UK users are going to be subject to this inescapable violation of their privacy with little to do about it. There is an opt-out cookie, but this does not prevent the fact that the user's browsing still goes through the Phorm servers. Would you be happy with all your internet browsing going through a third party server, let alone one owned by an advertising company that wants to profile you and "see the whole internet" (Reference: http://www.badphorm.co.uk/news.php?item.30.3 ) through your browsing history?
There is lots of interesting discussion going on about this, particularly at Cable Forum by Virgin Media users, who are going to be thrown into this spying (Link: http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html )
A fast growing petition to the UK government on the government's website is nearing 10000 signatures, and just shows how many people do not want this to happen (Link: http://petitions.pm.gov.uk/ispphorm/ )
This may not concern many people in the US, or people on the smaller ISPs in the UK - but the worrying thing is, other ISPs are already saying that they are going to watch the results and see if the ISPs can get away with it - if they can, they will likely pick it up too. And your ISP might do too!
Why do you (and so many others) trust google?
We see you.
Just -1, Troll talking to another.
The UK has security cameras everywhere that anyone can watch through public tv.
Out of curiosity, can you watch them online? I wouldn't mind watching some British hooligans.
1) I use Google to search, very often
2) I watch their tech talks, often
3) I am starting to use their free apps
Google is offering great value and gives me services that greatly enhance my life. Plus, I signed up for this. These other jokers are stealing that information without my permission and offering me nothing in return. If ISPs need more money they can ask me for it.
Is somebody going to mod this down then?
This isn't surprising - Yes it is, BT is a massive company who have a lot to lose by getting involved in illegal activities.
The UK has security cameras everywhere - Not true. There are a lot of cameras, but they aren't everywhere.
that anyone can watch through public tv - Just not true.
They use it to discourage violence - Well not just violence, any crime really. It doesn't make much difference really, but some people feel safer.
It isn't surprising to find out that their policies apply to the internet as well, and so does the mentality of voyeurism and big-brother-hood - Are you fucking stoned?
Um...this is spyware (ads) not government interception.
Cable customers get phone and internet without even going near BT. If you're using BT last mile for your ADSL, then you're probably: a) Using a third party ISP (i.e. BT does last mile, but from DSLAM you go to ISP switches) b) Using an unbundled ISP (DSLAM itself doesn't belong to BT). BT owns a lot of copper, but doesn't actually have that many direct ADSL customers - they're not cheap and, as has been mentioned, service is fucking gash (yes I dialled 13 different numbers in one day just to get me away from them). Tend to be used by people who 'trust the BT name' - and therefore frankly get what they deserve.
They have defended our rights where others have not.
They are also relatively honest and haven't done anything immoral in regards to privacy to date.
If only I had mod points now...
IANAL but the UK law covering this is the Computer Misuse Act and more recently the European Convention on Cyber Crime.
As I read it BT are guilty under CMA 1(1) which relates to unauthorised access to any program or data held in a computer. Whether the information checking is done on the computer or the ADSL hub it is a violation. With regard to the Convention on Cybercrime they appear to be guilty under Articles 2, 3 and 6.
I hope someone sues their buttocks off.
Python coder | PyQt Applications | Writer
The UK has security cameras everywhere that anyone can watch through public tv.
If that were true, I'd have less of a problem with them (reciprocal transparency and all that). But as it is, most camera feeds go to a privileged few, making an information elite.
My rhetoric beats your rhetoric, hands down. Why? because I'm using CAPS so I look smart! (but not as smart as if I used italics)
Jesus christ. Right sentiment, mate, but you're dreadfully misinformed. We wouldn't let just ANYONE watch the cameras, that would be a violation of privacy! Far better to just trust the good old government to do it. And private businesses.
If I was this ISP and had to make a choice, I'd do it the following:
: If we have spyclient installed, watch for certain pattern of data through high# ports. IP dest and dest port should not matter, as to prevent detection
: Bridges between customer backbones that watch all data from specified port.
: The bridge captures and saves pertinent data to separate spy-net that they can watch, not interfere
All this talk only brings bad blood. Anyways, unencrypted traffic can be viewed at any point from source to destination. If people cared, they'd use encrypted tech to hide what they do. I have a hunch that most people "Just Don't Care".
The Home Office indicated their position on the usage of Phorm. Phorm's data collection was declared to be legal and lawful if the end-user gave consent for collecting the information.
Here's a reference from the Guardian blogs of March the 12th.
Article says that end-users were not made aware of the Phorm tracking. This will be an interesting case.
Cheers.
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
I like google but disabled the search tracking since I found it a little creepy. For extra protection I use track me not.
Absolute power corrupts absolutely. indymedia
Google at least gives you a reach around. Gmail has some nice features and I now have over 6.5 GiB of storage and counting. I use iGoogle to organize my most viewed sites with access to all the other Google features/tools/apps. Am I worried about my personal info? Shit, the IRS has it all from the late 50's, the FBI has it from the 60's (military secret clearance), the Veterans Administration from the 70's, employers, banks, the post office, state licensing agencies, mortgage companies, title companies, utilities, you name it. Sure, I try to guard it as best I can but...
I linked this in another post in this thread.
The Home Office made available their views on whether phorm's user-profile-based tracking is legal w.r.t. the interception of communication legislation.
"Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing)."
And:
"Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service."
Finally:
"Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector."
If the ISP has put the tracking details into the TERMS and CONDITIONS and the user has OK'd the tracking, then the tracking is legal.
Here is the original article of the Home Office on Phorm.
What I don't know at this time is whether BT does list the tracking in the T&C....
Cheers.
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
BT phone home.
1) because I get something back; in exchange for tracking me, they get more data about what I want and their searches are more tailored.
2) because they don't charge me; in exchange for good search results they track me and give me non-intrusive ads.
3) because it's very easy to switch; if they change their privacy policy I'm not tied to searching with them for another 6-12 months
4) because they do good stuff with the money (FF, SOC, etc.)
5) because they're geeks; the main way the information is misused is if somebody hacks in and steals it. I doubt this will happen with Google, but after BT pushed out insecure Linux routers to thousands of homes, I can't say I'd have faith.
5) be
IranAir Flight 655 never forget!
Cue the "what are you hiding if you have done nothing wrong", with a strong scent of "what did you do, if you object?". The horse breeder did nothing wrong, but I guarantee that his racing competition will pay good money to see the ISP records of his web browsing. So "even though he has done nothing _WRONG_", he still has something to hide. People, get the point of privacy...
I see the whole thing like someone tapping into all your phone calls at the exchange, noting down everything you say, and midway through your conversation with someone else butting in and offering phone sales.
God it's sickening! BT can tap into phone calls, but only a few. With the Internet it's like they are tapping into everyone's phone calls. Ugh!
NebuAd (responsible for Gator) are doing the same thing right now in the US:
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html?nav=rss_technology
The best method is to vote with your wallet and change ISP.
I choose to use google mail despite the privacy implications. In this case people are FORCED to have their connections sent through third party servers and profiled.
There's a big difference between profiling people based on ads on participating sites and scanning every connection to ANY site. Google doesn't see what Wikipedia pages I am editing; this system could.
The only way you could compare this to Google would be if every site you could connect to was using Google ads, and they were all written so as to not render if you used ad block. Actually, it is worse than that, seeing that this actually interferes with sites that don't benefit from the scheme. It is more as if the search results in Google would link to modified pages of the destination, each containing a Google ad, which was then used with a tracking cookie (assuming there was no other way to get to webpages other than Google's search).
No, really, google doesn't even come close to this...
And when they don't tell you they are doing it and/or lie about it like BT did? Seems wiser to rig one's machine to mess with their systems as much as possible. How about scrambling the contents of their cookies? Proxy servers? Encryption of some kind?
Interesting! When I previewed this in the new comment box, all was fine.
I think the confusion here is this article is about a previous trial that involved client-side spying by the same company that is now doing network-side spying.
But IMHO, either way it's still spying and it's just plain wrong, unless users opt-IN with informed consent because they believe they'll get something valuable in exchange, as is the case with using Google Mail.
And by opt-in, I mean they have to have a genuine choice, not "here's a 10-page EULA, like it or lump it, we're the only broadband you can get."
If spying on your customer does not break the law, the law is broken.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Can't we just encrypt everything, or do some sort of similar magic?
the sheer mechanics of it are mind-boggling.
What?
http://en.wikipedia.org/wiki/IPsec
Now if only people could make it work...
What does this button d$#%* NO CARRIER
I don't trust anybody. If I need to trust something I encrypt end to end. Even my local HD is sector encrypted.
:)
If you want safe browsing (as in infection-free), use VMware and contain your browsing to a sandbox environment.
Scan your machines regularly. Install stuff in VMware first and then scan.
Lock down your browsers to white lists. Black lists do not work. White lists do. Just keep adding domains and cookies as you go. You will be surprised how little you actually need.
Do not purchase from web stores that REQUIRE a sign up first. Just purchase from stores that click order and then deliver without forcing a "loyalty" sign up scheme. Remember they want YOUR money.
We have laws here that REQUIRE companies REMOVE all online information on request. I cite that every time I order in the "comments" section of my purchase orders.
I also demand them if they spam or whatever, I never buy from them again. It gets the message home and quickly.
So what happens when you have multiple people using one internet connection? My family can have up to 4 people surfing at any one time; do I get my sister's or my little brother's ads? Am I likely to get my *shudders* mother's ads? I don't like the whole concept, and I am pretty outraged about the way the ISPs are handling this; thankfully we moved away from Virgin last year. But I have my concerns for how this whole issue is going to be viewed if it's not challenged; how far will ISPs go? I think it's time, personally speaking, to look into how to better secure my surfing. I'd like to believe that my surfing habits are mine and only my concern. It'll be interesting to see how things go with this story and with the whole Phorm thing. I imagine, unfortunately, that a large number of people just won't know or care though. Bugs :/
BT as an ISP failed its customers at just about every level imaginable. Not only did they infringe on the privacy of its customers, but it was apparently done deliberately and on a grand scale. I haven't found direct reasoning behind these actions, but spying on customers and citizens is nowadays "covered" by the omnipotent argument that there's an ongoing "war on terror". I just wonder what happens next in the name of the fight against terrorism?
When the Nazis came for the communists, I remained silent; I was not a communist.
When they locked up the social democrats, I remained silent; I was not a social democrat.
When they came for the trade unionists, I did not speak out; I was not a trade unionist.
When they came for the Jews, I remained silent; I wasn't a Jew.
When they came for me, there was no one left to speak out.
Google can't be trusted....I think it's stupid to store your most sensitive emails, conversations, and documents on someone else's property. Use scroogle over an SSH tunnel, tor, or freenet. Any centralized organization that collects even the most unimportant data in mass amounts can turn that data into established patterns, habits, etc. Information they do NOT need to know about you. Augmentation > Algorithm.
Trying to install linux on my microwave, but keep getting a kernel panic...
I don't think using a proxy will help, because your http session still passes through Phorm's profiler. Everything goes through the profiler, they just promise not to look at anything other than port 80 traffic.
I'm not sure if something like Tor would help. If the Tor exit node is on one of the ISP networks running Phorm software/hardware, then the browsing session will be profiled.
Sorry, "Websise" should have been "Webwise".
I'm sure you're right, knowing so much about BT's network and all but.... who do you think is BT's second biggest network customer? Clue: they use BT to connect up the backbone of their cable network. No guesses? oh come on....
My point was that whilst nearly all ADSL subscribers use BT infrastructure - only a small majority actually use BT as their ISP (and hence are exposed to evil adware thingie).
"Sure, I try to guard it as best I can but..."
That last statement sounds like you care about your personal information... but the body of your comment suggests otherwise. Just because it has become a solid norm does NOT mean it can't change. Complacency of the masses is the real enemy. YO JOE!
Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."
Yeah, I'll break into your home, take a picture of everything you have, but I will not make it public. That is perfectly legal, isn't it?
Insightful? Slashdot idiot sheep!
Watch this Heartland Institute video
It's GO JOE for G.I. JOE.
1) Really? The search results are getting worse every day for google. I see it as google getting all of my data, and offering me minimal, beta services in exchange. GMail? Calendar? Google Maps? Google Earth? None of these are groundbreaking or offer anything new. Mapquest works just fine without tracking my data like google does. Keystone's earth viewer software was just fine and unobtrusive before google bought it. GMail was cool when it offered 1 GB of space, but nobody cares about it anymore. Google calendar is scary - they're storing your itinerary for you. They know when and where you will be, and what you will be doing. It's not even a very impressive calendar program. Is it really worth the risk?
2) They track you and give you very intrusive ads. I hate, with a passion, that every single major site is infested with links, hotwords, banner ads, interstitials, flash ads, etc. etc. etc. I should not HAVE to run plugins to block ads. And for those who think it's a fair exchange, they should not be running those plugins (or if they run them, whitelist all google and double click ads). Blocking google's ads while loving google is hypocritical.
3) It's very easy to switch with my ISP. Most ISPs are month to month. You may sign up for some 6 month or 12 month special rate, but in exchange, you get that lower rate. With google, think about moving all of your e-mails over. Think about your calendar, your documents, etc. Everything you give to google you can get back, but they still have all of your information. It's really no different from an ISP that tracks people in some way and later sells that information. Google has TONS more information, AND all of your emails, documents, etc. that have ever touched their services. Google may not lock you in now (I think you can get locked in if you buy their online storage space for a year), but I don't trust them to keep GoogleDocs free and open forever. I don't like the idea of having to plow through a gmail account and transfer all of my emails over.
Google in fact did try to lock you in when gmail first opened. They didn't even have a delete button. When a user is faced with moving 20,000 e-mails (even though most are spam or old stuff that should have been deleted), they'll hesitate. Google had to back down and offer the option to actually delete e-mails, however.
4) Good stuff with their money? Last I heard they were wasting most of it on trying to make it seem like they were the best place in the world to work. Google sells stock and ads. That's not a very good business model, especially when most of the people who love google also love blocking their ads. If you like Google for the "good" they've done with their money, then Bill Gates is your god. For the amount of money it has, Google has done VERY LITTLE in the way of philanthropy (through whatever medium) when compared to other large corporations, or even wealthy individuals.
5) They're geeks? Really? Last I heard, they were run by business people, like a business, and since they're publicly traded, their first and foremost goal, which they are legally bound to aspire to, is PROFIT. You said you doubt google would be hacked? Why? You're on slashdot, you should know better. Google WILL be hacked one day, and it will cause a shitstorm.
Yes, lots of places have your sensitive information, but the type of information Google tends to collect is more personal.
They know your habits, interests, and, if you use their calendar, they might even know where you will physically be and when you will be there.
Sure, social security number, name, address, account numbers, are all sensitive information. Any legitimate company/agency has strict rules for handling such information. They also face penalties, and possible lawsuits, if they mishandle it.
Last I checked, Google's datamining didn't really have any regulation. And what little, vague rules there are do nothing to protect you when Google can just turn around and say "It's not personally identifiable" or "They gave consent when they signed up for the service".
I wasn't going to respond to this post, but you used "GiB". Sorry, that's not a real term, despite what any group says. Adding K, G, M, etc to b or B, (meaning bits or bytes) means you're using 1024, not 1000, as the factor. It's how computer science works.