Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

Ouch

[mrbluze]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Re:Ouch

[siddesu]

not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

in which case, thicker tinfoil will also be necessary.

Re:Advertisement Injection

[Rhys]

If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

Re:Um, Replacing Charity Ads?

[zwei2stein]

Its actually good thing they did this.

Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

Now if only major news picked this up and made big deal out of it...

Misrepresentation

[Rob+T+Firefly]

There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

Possible temporary fixes....

[postbigbang]

1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

2) Use page receipts to vet page authentication

3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author

4) other solutions that someone will think of; stop the page vandals NOW!