Slashdot Mirror


Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked" - read there to see what the latest is.

12 of 292 comments

  1. Advertisement Injection by TheMeuge · · Score: 5, Insightful

    So let me see - if I am paying for bandwidth (which will soon be metered), and my ISP is injecting its ads into the webpages I am requesting, then the ISP is running down my bandwidth on purpose?

    Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?

    I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.

    1. Re:Advertisement Injection by Rhys · · Score: 5, Interesting

      If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

      Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

      --
      Slashdot Patriotism: We Support our Dupes!
    2. Re:Advertisement Injection by QUILz · · Score: 5, Insightful

      They could still hijack SSL/TLS sessions if users aren't paying any attention to warnings.

  2. Re:Um, Replacing Charity Ads? by zwei2stein · · Score: 5, Interesting

    It's actually a good thing they did this.

    Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

    Now if only major news picked this up and made a big deal out of it...

    --
    -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
  3. Re:Ouch by KnightMB · · Score: 5, Informative

    That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT? Whether it does or not, someone has already taken the initiative to set up a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures. You'll find the site here: http://wanip.org/anti-nebuad/ in which every browser becomes a data-mining polluter when it's run. Get enough of those on a suspect ISP and watch the CEOs have a heart attack from the "pollution attack".
  4. Misrepresentation by Rob T Firefly · · Score: 5, Interesting

    There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

    The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

  5. Re:Ouch by siddesu · · Score: 5, Interesting

    not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

    to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

    when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

    unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

    in which case, thicker tinfoil will also be necessary.

  6. Re:Ouch by Dark Kenshin · · Score: 5, Insightful

    Of course it won't. If a private person were to develop and test this out, he would likely be spending the next 20 years in prison (looking less and less "exaggerated" as time goes on.) The fact that this is for corporate gains; it will be largely overlooked. Yes, I might be lost in cynicism, but life seems to be supporting my case thus far.

    --
    "I only know 2 things: The love for me, and the fear of me."
  7. Re:Ouch by aproposofwhat · · Score: 5, Insightful

    I came up with this as a concept in 2000, when layer 7 switching was just becoming economically feasible for a startup ISP.

    It never flew, because the people I was dealing with weren't complete cunts.

    From the document: The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system.

    So not only are the bastards hijacking our traffic, they are overwriting paid-for charity ads as well.

    I repeat, CUNTS!

    --
    One swallow does not a fellatrix make
  8. Re:Ouch by Janos421 · · Score: 5, Informative

    The browsed pages do not exist, so you never download pictures or js files. It's very easy for an ISP to filter these requests, they can filter the HTTP response code.
    Two FF extensions generate fake queries on search engines to pollute the collected data (at search engine level, but it also pollutes ISP data). SquiggleSR and TrackMeNot. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.

  9. Re:Mod Parent Up! by Nursie · · Score: 5, Funny

    "Hi Jim, I just bought a great new handheld console"
    "Oh yeah, what did you get"
    "A Sony Pzzzzzzzzzzzzzz^^^^^T Nintendo DS proudly sponsors this phonecall! Your pal loves Nintendo DS! bzzzzzt *click* so yeah you should totally get one so we can play against each other dude!"

  10. Re:Loss of Common Carrier Exemption? by Red Flayer · · Score: 5, Informative

    It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.
    Newsflash: ISPs do not have common carrier status.

    This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not being allowed to throttle certain users).

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai