Covert BT Phorm Trial Report Leaked
stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe.
NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.
That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
So let me see - if I am paying for bandwidth (which will soon be metered), and my ISP is injecting its ads into the webpages I am requesting, then the ISP is running down my bandwidth on purpose?
Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?
I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.
Changing content and injecting different ads? I could see two possible violations here, one being copyright (altering content without the consent of the provider of the content), the other one dealing with fraudulent ad change (someone other than the one paying for the ads being displayed).
It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
BT stands for "British Telecom," something they failed to mention, except in TFA.
I hate it when people use too many arbitrary abbreviations. Let's start actually typing out names to set a context, then let people abbreviate in comments...
You can just tell the online advertisers (The ones which invent ways to bypass all your lovely ad filtering) are going to take this lying down. (End Sarcasm)
How does it distinguish between an advert and real content?
I hear every now and then that SSL could be used to stop this, is this realistic given the load ad-servers would be under?
You could always use Firefox and install the AdBlock Plus extension. http://adblockplus.org/en/
Physics is imagination in a straight jacket. ~John Moffat
The Digital Sorceress
I see lawsuits killing this really quickly. The originating site is creating a unique copyrightable HTML text document. This document is being modified in transit against the wishes of the originator before being delivered to the destination.
Some lawyers are going to make megabucks off this one.
I sense a major lawsuit coming. I can imagine more than a few laws being broken by this sort of manipulation (copyright violations, hacking violations, interference with business violations, etc.). I cannot imagine this will go on for too long. Obviously, I'm not a lawyer (but does that stop any of us from posting our opinions on legal matters?...) so I could well be wrong, but I can't imagine this not resulting in major lawsuits.
...companies are going to start paying the ISPs to advertise for them instead of companies like Google. They are feeling the heat from losing money on their bandwidth, now they have to think of a new strat. to get the cash flowing.
I for one don't mind this in some cases if it means that they would actually have the funds to hook the rest of the United States up to highspeed.
Physics is imagination in a straight jacket. ~John Moffat
There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.
The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.
Slashdot Burying Stories About Slashdot Media Owned
It's like the thinking goes "let's substitute out something utterly inconsequential and that will have no ramifications whatsoever". No, a charity isn't going to sue your pants off, so I guess it's okay, right?
What's next, Nike tests shoes (leaked codename: "rental") that deteriorate in 30 days -- on retarded children. Through a charity donation. That they write off their taxes the full value of.
Seriously: these are the times I'm glad to procrastinate about being an internet activist[1], because YOU CAN'T MAKE THIS STUFF UP. I couldn't have warned of this if I had tried.
[1] CHILL, guy with the sig 'whenever I hear the word activist I reach for my revolver' It's going to be all right.
I noticed that quote too. It is completely despicable that they would remove charity advertisements. Actually, I think the entire system boils down to theft and unlawful interception of traffic.
What if the phone company inserted commercial ads when you were talking to someone on the phone?
Redirect http://yoursite.com to https://yoursite.com/ before anything is served.
If anyone thinks any of the CPM ad networks or major sites will allow this for even an instant, your eye is not on the money.
If they use such tech for the less easily encrypted protocols... you'll find those as well slowly pushed into it.
Which leaves the ISPs with two options if they wish to pursue this: they can proxy everything their customers connect to and essentially monkey in the middle the whole affair (not possible due to sheer processing/bandwidth... yet)... or they may form an alliance with the ad networks (scarier, more likely prospect).
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
I could see Oxfam (and the other charities who had their ads substituted) getting their lawyers to shakedown BT for a substantial "donation" as an alternative to being sued.
Other than the ethical issues, that these guys have no issue with (money before ethics), there is the potential issues of having advertisement for a competing product. Imagine going to Mercedes.com and having an advert for BMW. Also, isn't this likely to deprive content providers of advertising revenue?
Jumpstart the tartan drive.
I'm sure there is a way to use IPtables or Squid-cache to remove any and all ads from packets. If they can be put in, then they can be taken out just as easily.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
This is actually sick. Great, let's steal from the charities to deliver targeted ads for Viagra; we need more boners, not food for starving children. I think that they should be ending up under investigation for all kinds of privacy and copyright violations for this one. Hope they fry.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough
2) Use page receipts to vet page authentication
3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author
4) other solutions that someone will think of; stop the page vandals NOW!
---- Teach Peace. It's Cheaper Than War.
The original website could run HTTPS.
ISPs won't be able to alter the original content short of a man-in-the-middle attack.
Z.
Interesting - whole system runs on RHEL (told you it was evil..) and multiple Squid processes. Adds some latency into browsing (obviously...) Old system dropped javascript tags into URLs but later version did not (resulting in some users having some javascript appearing in their forum posts - like that guy on the motorbike phorum if anyone remembers that incident) Apple.com among the 'download target' sites (page 49) but surprisingly due to Evil, not Microsoft or Google.
... during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertizements purchased by advertisers...a means of serving advertising directly through Layer 7 interception at ISP level...
Do we really have to go down this road? I mean, if we can't trust that the page we're looking at is the page that was served... Are we going to have to go to HTTPS for our browsing now? Are we going to have to have MD5 checksums on our web pages to make sure they weren't tampered with? Stuff like this layer 7 interception will make it inevitable.
When our name is on the back of your car, we're behind you all the way!
Sorry to slashdot and others, but I don't feel the slightest guilt in using that tool (ok slashdot is on my white list) but inspect my packets as deep as you like when adblock sees your ads now PHORM especially will get the boot.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
America, Home of the Brave.
Copyright conditions usually have a "reproduced without modification" clause so someone whose website is copyrighted and contains ads could theoretically sue the ISP for modifying their page.
My bet is that if they once replace a Google ad with one of their own they will drown in subpoenas.
Old COBOL programmers never die. They just code in C.
Do I recall recently that some sort of worm had attached itself to different forums around?
from the pdf:
page 5
3) It was noted that posting to some web forums through PageSense caused the Javascript tag to be appended to a number of users' posts. A fix was provided for this by 121Media towards the end of the trial, following which the issue was not detected. It should not arise with ProxySense as no tag is appended.
shocking.
So far the rest has been as bad if not worse.
liqbase
Some legal eagle can set me straight here but this sounds a bit like a case of tortious interference. The site owner and the user have a contract that the viewer views their ads in exchange for the content. The ISP is coming in and interfering with that contract in a material way by replacing ads. Somebody could make some big money on a class action -- as tortious interference settlements are often very large.
It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.
Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.
Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
In Germany there are laws against that.
- Suppression of Data §303 StGB (up to 2 years in prison)
- can be extended to 5 years if the data is important for some organization
- Interception of Data 202b StGB (up to 2 years in prison). Even producing or owning software or hardware that is designed to do this is a felony.
It should be noted that the customer's browser sends a request to see one ad, which is then answered by the ISP with a different ad. This could be interpreted as forgery, because the ISP disguises itself as the legitimate source of the ad.
BT stole part of my donation to Oxfam.
I give money to Oxfam. They take my money, and use it to run their charity, which includes helping people as well as doing some overhead like, for example, creating ads and managing ad campaigns. Seems like a perfectly good use of my donation.
But now I find out that some of these efforts have been sabotaged, stealing part of the money I donated!
Not only does Oxfam have standing to sue, I would think Oxfam donors have also been wronged.
But worst of all, of course, is the loss of aid to the people who really need it. Hijack an Oxfam ad today, and another child goes hungry tomorrow.
I predict that soon all web pages will be served via https rather than http. The encryption puts a heavier load on the server, but makes it impossible for such injections to be performed.
2. Extraordinary rendition!
The most protocol efficient way to handle this is to use an MD5 checksum and JavaScript to detect tampering with the web page. If the web page is changed, then redirect the user automatically to an https server. That way, the https protocol is only used for users suffering from web-page tampering.
A more evil application of the Level 7 interception technology would be to intercept the GIF and JPG images of the advertisements themselves, and replace just the images. This would be more difficult to detect from JavaScript. Effectively, all the advertisements would need to be encrypted too. The big problem with encrypting images is that it would make the progressive download and page display algorithms used by web browsers useless. It would also defeat any proxy and website caching software used by the ISPs.
Deploying Level 7 interception may lead to a market response that could ultimately increase the bandwidth costs of ISPs. It could force every internet communication to be an encrypted secure communication, defeating all in-transit caching algorithms.
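The checksum idea raised in the comments above, worked as an out-of-band check (an added example, not code from any commenter or from the leaked report). It compares the page as published with the page as received, lists script tags that appeared or disappeared in transit, and checks sub-resources such as banner images against a digest manifest, since an image swap leaves the HTML untouched. SHA-256 is used in place of the MD5 the comment mentions; the page bytes, hostnames, manifest and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


def digest(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes as published or as received."""
    return hashlib.sha256(data).hexdigest()


class ScriptCollector(HTMLParser):
    """Records external script URLs and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def scripts_in(page: bytes):
    collector = ScriptCollector()
    collector.feed(page.decode("utf-8", errors="replace"))
    collector.close()
    return collector.external, collector.inline


def compare_page(published: bytes, received: bytes) -> dict:
    """Digest comparison first; on mismatch, say which scripts changed."""
    report = {"modified": digest(published) != digest(received),
              "added_scripts": [], "removed_scripts": [], "inline_delta": 0}
    if not report["modified"]:
        return report
    pub_ext, pub_inline = scripts_in(published)
    rec_ext, rec_inline = scripts_in(received)
    report["added_scripts"] = [s for s in rec_ext if s not in pub_ext]
    report["removed_scripts"] = [s for s in pub_ext if s not in rec_ext]
    report["inline_delta"] = rec_inline - pub_inline
    return report


def changed_resources(manifest: dict, fetched: dict) -> list:
    """manifest: URL -> published hex SHA-256; fetched: URL -> received bytes.
    Returns URLs that are missing or whose bytes differ (e.g. a swapped banner)."""
    return sorted(url for url, expected in manifest.items()
                  if url not in fetched or digest(fetched[url]) != expected)


# Constructed sample data: the publisher's copy and a copy altered in transit.
PUBLISHED = (b'<html><body><h1>News</h1>'
             b'<script src="https://ads.example/charity.js"></script>'
             b'<img src="/banner.gif"></body></html>')
RECEIVED = (b'<html><body><h1>News</h1>'
            b'<script src="https://injected.example/tag.js"></script>'
            b'<img src="/banner.gif"></body></html>')
ORIGINAL_BANNER = b"GIF89a-original-banner-bytes"
MANIFEST = {"/banner.gif": digest(ORIGINAL_BANNER)}
FETCHED = {"/banner.gif": b"GIF89a-substituted-banner-bytes"}

if __name__ == "__main__":
    print(compare_page(PUBLISHED, RECEIVED))
    print(changed_resources(MANIFEST, FETCHED))
```

The published copy and manifest have to reach the checker over a path the intermediary cannot rewrite (for example HTTPS), otherwise both sides of the comparison can be altered together.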
1) The charity pays if the ad is served.
2) The ad is served if the snippet from Doubleclick (... insert fav vendor here) that the page owner has inserted into the page gets interpreted by the browser
3) The browser doesn't interpret the snippet from Doubleclick because it isn't there
4) The browser does interpret the new snippet from BT
5) The browser shows the BT ad
6) The BT client gets invoiced
==> in an unmodified page, Doubleclick and the page owner earn money
==> in a modified page, BT earns money
a) BT are trying to charge web site operators for sending traffic their way (no matter whether youtube or doubleclick)
b) would we want to grant page owners the power to stop modification (NoScript in Firefox modifies pages ...), which would allow them to sue BT for modifying the page
best regards,
os10000
The system does provide an opt-out mechanism and this was laboratory tested and verified. However the method of opt-out requires consideration. Since it involves the dropping of a web-cookie on the users machine to indicate an opt-out preference, which if wiped by the user means they will be opted back in.
The solution would of course be to make it an opt-in instead of opt-out. Most users would of course not opt in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt in receive a discount on their internet connection. Simple and fair.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
ISPs complain that BitTorrent users are eating up all the bandwidth, and the MPAA and RIAA complain about "stealing" of IP through filesharing. Meanwhile, the RIAA and MPAA are breaking the law trying to turn a profit with their (pseudo) legal engine, and the ISPs are breaking the law with DoS/MITM attacks, and altering content on the fly! This is bullshit, complete and utter bullshit, and it needs to stop, NOW. Net Neutrality needs to be the LAW, and ISPs need to have the hammer dropped HARD on them over bullshit like this.
ARG, it's annoying. At times for web siggys I'll use 468 by 60; bam, it gets replaced with a web ad, but no JS... just the image. I've even checked this with wget on my Linux box. Does anyone else get the same thing? I'm going to test more std banner sizes: http://en.wikipedia.org/wiki/Web_banner
WulframII - Free Online Mutiplayer 3D Tank Shooting Game
From a legal point of view, I would say this is clearly something that the source web sites can sue over.
Insertion or replacement of advertising is vandalism, which is a criminal act.
It is probably arguable as product tampering.
I would say that even if the ISP has an agreement with the end user (overlooked in the small print) that allows this, they need to properly compensate the originating web site. These hijacked ads represent an improper interference of lawful business practices of the web site, i.e. providing a service sponsored by advertisement. By hijacking the ads, they deprive the website of earned revenue, which is theft.
in the process.
Or did they have the right to take a copy of the site's pages, make a derivative, and send that on?
Copy to forward is necessary.
Copy to change isn't.
I suspect the charity ads were there as a control, after all, it's a test. Set up some "fake" ads (hey, we might as well give a few charities a freebie) and then use those to experiment on. That's my reading of it anyway, nobody's ads were "stolen", just dummies.
That said, it's still a downright evil thing to be doing, if I can prove that any of my IP has been infringed I'll be straight on to a lawyer. See? IP regs DO have a use. (Presumably "I don't Believe In Imaginary Property" thinks this is a perfectly legitimate tactic by BT?)
I think the best argument against this is twofold, from a legal perspective: a)compilation copyright issues and b)unwanted traffic. If you are, in fact, metered, the company most likely has your standard "bend over and smile while we do what we like" ToS attached - and this may or may not be enough to get around these issues. I think the unwanted traffic issue will be covered until a court is presented with a REALLY EXTREME example - like someone who an ISP accidentally sent 250gb of data to and tried to make them pay for it. The compilation copyright claim is probably stronger, but would require action from a third party - namely, the website owner or some such. For example, if an ad I've put up on my webcomic page for, say, t-shirts I sell to do with my comic is replaced. That's quite possibly a relevant claim, BUT I, as the WEBCOMIC OWNER, would need to present a claim (since I've suffered the harm). You haven't been harmed, technically. Relatedly, if an ad I serve on my webpage (and am being paid to do so) is replaced by the ISP, I'm losing money - so that's a fair claim. Net neutrality legislation would almost certainly bar this type of practice - it would just be prioritizing ISP ads over website ads, and if that isn't biased, I don't know what is. The free market doesn't work in a situation like that, where any one website, unless it's Google or Amazon, is nothing but a puny gnat compared to the near-monopolistic ISP's. Another interesting question would be to do with those sites where you go and do nothing but click ads to donate money to charity, or the like. Those sites would become basically completely defunct, and though ISP's would try to say "oh, we'll except you!" it's very problematic to actually do so in practice, for every site, every time, with perfect reliability, as new sites pop up and old ones have subtle programming changes. Even if they do "fix" it, those are great examples to bring into court! 
In short, I think an American company that uses this should expect to be sued posthaste. There's no reason to think there's any level of benevolence in American ISP's, so expect this to be adopted as quickly as they can get away with it - just like Time Warner is trying to pull with its "test" of bandwidth "caps" that's really a staged setup. Nothing is really going to change until legislation or large legal judgments come down, I fear.
Eh? There was a secret court case against Bluetooth?
How many Dots Per Inch were the illustrations of the judge?
So, my ISP modifies the electronic data that I requested from someone. That could be a felony in Michigan and elsewhere. http://www.infosecnews.org/hypermail/0009/2760.html
"Under current Michigan law, the unauthorized alteration, damage, destruction or use of a computer system resulting in at least $1,000 in damage is a felony punishable by 5 years in jail and/or a fine of $10,000 or three times the aggregate amount involved, whichever is greater. An amendment to the law, however, which takes effect September 19, will remove the $1,000 damage threshold.
Granholm added: "In the future, any hacking, regardless of the amount of financial damage it causes, will be a felony. A vandal is a vandal whether you are a virtual vandal putting graffiti on a web site or a real world vandal putting graffiti on a wall. Both are illegal."
Also, in Michigan computer trespass or hacking "Or known as hacking, any person who uses a computer or computer network with knowledge that such use is without authority and with the intention of: Deleting or in any way removing, either temporarily or permanently, any computer program or data from a computer or computer network; (2) Obstructing, interrupting, or in any way interfering with the use of a computer program or data; or (3) Altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists"
Either (a) the website isn't getting any advertising revenue because Phorm has STOLEN the advertising - leading to a loss of revenue for the website and eventual closing.
Or (b) The charity has paid money for an advert display, but Phorm has STOLEN that advert opportunity for their own profit. As it's a charity, that means that's the money of the people who have donated to it. This is vile, nasty behaviour.
Simply inserting extra adverts into a page is bad enough, and also I believe is altering a copyrighted work without authorisation.
It's a shame that ethics and morals aren't part of business / management courses, like they are part of many other courses. There's something sick at the heart of corporatism.
I'm sure they would be very interested to hear about it considering they rely on donations and contributions.
It would certainly be nice to hear their stance/reactions on these actions. If anything BT might have found a prime target as charities would probably be less likely to issue legal action due to the costs involved.
There is just too much unencrypted web traffic on the net, and too much snooping and now man-in-the-middle attacks. SSL/TLS fixes that (unless Phorm subverts a certificate authority, which would REALLY be playing with fire). So now there's finally more incentive to start using it. Authentication and privacy in one now-fairly-simple operation. SSL isn't nearly widely enough used because years ago it was hard to set up and cpu-expensive. But the heavy computation is just during the session negotiation, and CPU's are fast enough now that it's just not significant (about 1 millisecond server-side on today's Core 2 processors vs a good fraction of a second in the early web era, to set up the key for the whole browsing session).
It may not lead to any legal action but it certainly was the number one cause for me to cancel my BT broadband account a couple of months ago. If more and more people hear about this kind of invasive snooping, hopefully BT will be left without any customers at all!
and where is the tunnel endpoint ?
is this service free ?
can it handle 18 million British Telecom users ?
It should be just plain damn illegal to intercept and modify communications from one person to another. Period.
If I have chosen to log onto www.cnn.com and pull content from that site, linked advertisements and all, then I have made that choice. No one should be able to modify the content stream and/or links to inject other content into it.
What's next? Modifying the content of the actual NEWS?
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
"Raping and pillaging YOUR network packets since 2008!"
"We know what you want...because we just told you!"
"Big Brother?...no. It's more like Big Family...everyone is screwing with you!"
"All the packets you deserve...and many you don't!"
This irritates me. Self-serving and not well thought out. Kind of like New Coke; what's good for the consumer doesn't exist, it's only about the revenue stream.
I may set up some tests in my lab and see if DPI retards throughput in stuff like WoW, CoD2, and so on. Does it cause issues streaming video? And so on. Curious for now, but may come in handy during the class action lawsuit later!
I am my own gestalt.
... please come to the PR office, there are a few million calls for you!
By default Adblock prevents the ads from being downloaded at all but it is possible to change that in the configuration options if you wish.
The more of this kind of activity I read about, the more it seems like we need to take the power to regulate/intimidate/manipulate our information systems away from those without the common sense to understand that my information is mine, and when I send it to someone, I expect it to arrive unadulterated.
Perhaps we should move to a wireless infrastructure, and avoid the "intartubes" all together?
To answer your immediate outburst: No, I haven't really thought this through. On the other hand, It's obvious that the ISPs aren't thinking through their reality-twisting plans, either... so why should I?
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
Page 14 of the report claims "During the trial three users posted their observation of this effect [browser briefly redirecting to site unknown to user]. In each case the reaction was negative, the user suspecting a virus, malware or spyware of some kind"
If you read the next three pages you see similar comments in the report, strongly suggesting that they were manually inspecting data over the trial period, including users' forum posts. Further proof can be found on page 4 of the report: "no BT customer helpdesk calls were received which were directly attributed to a defect of the page system".
Is that legal? For ISPs to monitor what their users are posting to web forums? I hope my ISP doesnt get up to s\*3$%%S&#:: CARRIER BREAK
This post was originally a charity ad but was replaced with this text.
Well, firstly I am glad to see that the document has forked such a debate here on Slashdot and I thank you all for that (it is long overdue). As a result of some of my comments regarding the report, I am now facing legal threats from Phorm and BT. Alexander Hanff
NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users.
So those ISPs have chosen to deliberately corrupt data transmitted to at least ten percent of their user base.
Brilliant.
The higher the technology, the sharper that two-edged sword.
We've had phishing for a while. Recently people have been talking about "pharming" or "phlashing" --- it's getting to the point where replacing an f with a ph is the industry-standard way of denoting something as malicious.
So, Phorm's choice of name is ... interesting.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
IANAL, but I thought this was a BIG no-no as far as the RIP is concerned. You can't do this unless both the sender and receiver give consent, or you're MI5/MI6/GCHQ/Judge etc. And that's just to snoop; modifying traffic is even worse.
You can snoop on a private network, if you own the network (ie a company can spy on its own network/equipment), but BT would be considered a public network and you can't do this on a public network.
Any other guys in the UK know any more?
http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_2
Every website you visit should start encrypting its data -- hell, even with self-signed certs. Simply to prevent this kind of tampering. That it also acts as a huge impediment to eavesdropping is a big bonus too. Google, why don't you take the lead on this?