Slashdot Mirror


UK ISP Admitted to Spying on Customers

esocid writes "BT, an ISP located in the UK, tested secret spyware on tens of thousands of its broadband customers without their knowledge, it admitted yesterday. The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame. BT said it randomly chose 36,000 broadband users for a 'small-scale technical trial' in 2006 and 2007. The monitoring system, developed by U.S. software company Phorm, formerly known as 121Media, known for being deeply involved in spyware, accesses information from a computer. It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests. Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."

12 of 163 comments

  1. BT are going to get screwed big style over this by Peil · · Score: 4, Interesting

    This has been bubbling under for a few weeks, but really broke badly in the past couple of days.

    Essentially they appear to have broken the Regulation of Investigatory Powers Act (RIPA) by performing an unauthorised interception of a communication over telecommunications infrastructure.

    No word yet on legal action, although several MPs are kicking up a fuss about it.

    BTW BT are the only ones who have confessed to doing this so far, the other ISPs have either kept schtum, or muttered platitudes like "we will wait and see".

    1. Re:BT are going to get screwed big style over this by Anonymous Coward · · Score: 2, Interesting

      ...and the data protection act. Also something else from the act ( http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_3#pt2-l1g11 ):
      "An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject."

      Essentially, users should be able to opt out of targeted advertising based on their personal data if they wish.

    2. Re:BT are going to get screwed big style over this by mutube · · Score: 2, Interesting
  2. Re:What's the best method of defeating all this ** by sexconker · · Score: 5, Interesting

    Why do you (and so many others) trust Google?

  3. Re:What's the best method of defeating all this ** by dixonpete · · Score: 2, Interesting

    1) I use Google to search, very often
    2) I watch their tech talks, often
    3) I am starting to use their free apps

    Google is offering great value and gives me services that greatly enhance my life. Plus, I signed up for this. These other jokers are stealing that information without my permission and offering me nothing in return. If ISPs need more money they can ask me for it.

  4. Re:Idiots... don't do it client-side by Original+Replica · · Score: 2, Interesting

    Why on Earth wouldn't BT just do this on their side of the connection? EVERYTHING that the user gets goes through their pipes, their routers.

    That's really just a matter of semantics, either way it's still spying. Contrary to what is frequently espoused here on Slashdot, there should still be an expectation of privacy even though the internet is largely public. If I yell my ATM PIN number in the bank, then everyone knows it through no shady effort on their part, but if someone carefully looks over my shoulder to learn my PIN number that is a very different matter. When two people are having a quiet conversation in a park it is rude to listen in, but if they are having a shouting match in the same park, then there is no fault in hearing it. Most of the time when someone is surfing the net, they are doing so with the expectation that they are only communicating with one other entity, the site that they are visiting. Regardless of any claims in the EULA from the ISP, that is the common expectation. Privacy is part of what is expected in return for paying for use of an ISP's infrastructure, so the fact that the ISPs own the routers and fiber that the information passes through does not give the ISPs rights to that information. Some may say that in this case the common expectation is wrong, but remember that common values and expectations are the foundation for any system of law.

    --
    We are all just people.
  5. Computer Misuse Act by mutube · · Score: 2, Interesting

    IANAL but the UK law covering this is the Computer Misuse Act and more recently the European Convention on Cyber Crime.

    As I read it BT are guilty under CMA 1(1) which relates to unauthorised access to any program or data held in a computer. Whether the information checking is done on the computer or the ADSL hub it is a violation. With regard to the Convention on Cybercrime they appear to be guilty under Articles 2, 3 and 6.

    I hope someone sues their buttocks off.

  6. Re:Idiots... don't do it client-side by datajack · · Score: 2, Interesting

    I too am with Virgin Media. Any idea how we can defend against phorm?


    Yup. The RIPA act (which received an unwelcome reception) actually helps us out here. It basically says that a wiretap without police/government sanction is illegal without the consent of both parties involved in the communication.

    Phorm says that their activities do not break RIPA because hosting a publicly available website implies public monitoring (duh?) and that ISPs may include an acceptance of monitoring clause in their Ts & Cs. IMO, writing to the ISPs involved, expressly denying the right to monitor you as a user and also expressly denying the right to monitor any websites you may own, puts them in clear breach of RIPA if they do so. RIPA is a criminal law, not a civil one, so the penalties are potential jail-time for directors, not a minor fine for the company.
    That is what I will be doing shortly. I run a website used regularly by a few thousand local peeps so hopefully that will get Phorm kicked out of our local network area.
  7. No, the contract defines if it is legal by imtheguru · · Score: 2, Interesting

    I linked this in another post in this thread.
    The Home Office made available their views on whether Phorm's user-profile-based tracking is legal w.r.t. the interception of communication legislation.

    "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing)."
    And:
    "Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service."
    Finally:
    "Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector."

    If the ISP has put the tracking details into the TERMS and CONDITIONS and the user has OK'd the tracking, then the tracking is legal.

    Here is the original article of the Home Office on Phorm.

    What I don't know at this time, is whether BT does list the tracking in the T&C....

    Cheers.

    --
    Yet Socrates himself is particularly missed.
    A lovely little thinker but a bugger when he's pissed.
  8. again "war on terror"? by darkob · · Score: 2, Interesting

    BT as an ISP failed its customers at just about every level imaginable. Not only did they infringe on the privacy of its customers, but it was apparently done deliberately and on a grand scale. I haven't found direct reasoning behind these actions, but spying on customers and citizens is nowadays "covered" by the omnipotent argument, that there's an ongoing "war on terror". I just wonder what happens next in the name of the fight against terrorism?

  9. Re:An ISP? by pacman+on+prozac · · Score: 3, Interesting

    It also seems like a fairly clear cut case of fraud.

    Fraud is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property or services unjustly.

    Deliberately returning false DNS responses in order to obtain marketing information from them without their permission.

  10. Re:What's the best method of defeating all this ** by BountyX · · Score: 2, Interesting

    Google can't be trusted... I think it's stupid to store your most sensitive emails, conversations, and documents on someone else's property. Use scroogle over an SSH tunnel, tor, or freenet. Any centralized organization that collects even the most unimportant data in mass amounts can turn that data into established patterns, habits, etc. Information they do NOT need to know about you. Augmentation > Algorithm.

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...