Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Setback for ISP Web Tracking

Posted by Soulskill on from the so-sorry-about-your-luck dept.

angelheaded tips a Wired story about the resignation of Bob Dykes, CEO of net eavesdropping firm NebuAd. NebuAd has encountered financial troubles lately as the privacy controversy surrounding the company's tracking methods has driven communications companies away. Over in the UK, Phorm responded to the NebuAd news by affirming that it is making progress with its advertising methods. From The Register: "In response to the outcry over our revealing its two secret trials, BT said in April it would re-engineer the planned deployment so traffic to and from customers who do not want their web use profiled for marketing purposes would not come into contact with the Phorm system. The original blueprint meant that a opt-out cookie would tell the technology to simply ignore refuseniks' browsing as it passed through. It's thought the change has proved tricky. Phorm did not immediately respond to a request for comment on the alleged technical problems, but [BT's chief press officer Adam Liversage] said: 'We have been working on some things with Phorm.'"

32 comments

  1. Why not? by Creepy+Crawler · · Score: 3, Interesting

    Why not just go to the big pipe guys and ask if they could sniff connections inbound and outbound on arbitrary nodes?

    Doing a sniffed bridged router is a piece of cake and it allows sniffing of all unencrypted content.

    --
    1. Re:Why not? by Anonymous Coward · · Score: 0

      Why not just go to the big pipe guys and ask if they could sniff connections inbound and outbound on arbitrary nodes?

      It's illegal. They thought ISP's would get away with sneeking this into their contract terms, that's not going to happen and there was never any consent for this from website owners.

    2. Re:Why not? by mikael · · Score: 2, Informative

      You don't need to - there are many websites which will automatically check to see if they are being visited by a Phorm server. If they are, then they place a warning message on the webpage you (or the Phorm server) have attempted to download.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Why not? by sitarah · · Score: 3, Informative

      There's a very large US company called Hitwise that does exactly that. They watch traffic that comes through ISPs and report on traffic, search terms, and competitor activity. It's all at an aggregate level, so there's no identifying information, and they use %-s of traffic rather than hard numbers, so that's why the ISPs don't view it as a privacy issue. Last I heard, they are audited by PricewaterhouseCoopers to make sure they're anonymizing correctly. The only difference between them and NebuAd is that they don't create ads, just sell information.

      It is the same service as Comscore and Compete provide, but without a 'panel'. The reason is that these panels (~1 mil people) know they're being watched and in fact signed up for it. In addition, Comscore can only extrapolate their behavior to the millions of internet users. With Hitwise, you on your ISP have no idea anyone is watching, so it is not biased, and there's a sample size of millions.

  2. They have been discussing by Anonymous Coward · · Score: 4, Informative

    who is going to prison for tapping 18,000 people
    http://www.theregister.co.uk/2008/09/05/bt_phorm_police_meeting/

    this is not including the private actions they will be facing for copyright infrigement, insider trading, fraud

    1. Re:They have been discussing by Antique+Geekmeister · · Score: 3, Interesting

      No one is going to prison. The British are even more used to overt, and covert, silence in every aspect of their lives than the USA. Look at the NSA tapping of the core routers of UUnet, and the lack of any prosecutions for blatantly illegal government activity.

      As long as they cooperate with law enforcement monitoring desires, I'm afraid there's not going to be any prosecution of any sort.

    2. Re:They have been discussing by Tim+C · · Score: 2, Insightful

      We also have some pretty strong data protection and privacy laws.

      As long as they cooperate with law enforcement monitoring desires

      Law enforcement already have the Regulation of Investigatory Powers Act and don't need or want Phorm - in fact if you read the linked article, it would most likely be RIPA that would be used against Phorm in this case.

      You forget one thing - the last thing most intelligence gathering agencies want is someone else muscling in on their turf.

      --
      It's official. Most of you are morons.
    3. Re:They have been discussing by Antique+Geekmeister · · Score: 1

      I'm sorry if I was unclear: it's not that this monitoring was requested by law enforcement. But as long as the tools used are used to cooperate with government requests, the government is extremely unlikely to take away the tools. And the British seem very, very used to that level of invasive monitoring. They seem less likely to explode over it as many Americans. So where is the incentive to take it to court? And the ability to get past any 'national security' concerns about overall monitoring also in place?

      There are plenty of incentives to bury it, fast.

  3. Why... by Darkness404 · · Score: 1, Redundant

    Why is it that every internet business thinks that in order to profit they need to stick ads everywhere?

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Why... by Anonymous Coward · · Score: 2, Interesting

      Fortunately they don't. A lot of the smaller guys - particularly podcasters and webcomic artists - have discovered that it's just about possible to run a business solely on the goodwill, and desire for merchandise of listeners.

      Sadly a lot of the big guys are taking a very long time to realise this.

    2. Re:Why... by schnikies79 · · Score: 1, Insightful

      Since most websites are free, how else do you expect them to make a profit, or even break even?

      --
      Gone!
    3. Re:Why... by Darkness404 · · Score: 3, Interesting

      If they are really good at what they do, they will have a loyal fanbase that will support them via merchandise or donations. Just look at Homestar Runner, TBC makes a profit solely by merchandise sales.

      Not to mention that a lot of sites that have ads (I'm looking at you cable news stations) already have a steady revenue of money from somewhere.

      --
      Taxation is legalized theft, no more, no less.
    4. Re:Why... by Adambomb · · Score: 5, Insightful

      Actually, I think thats more of a problem of scale. The larger user base you have, the less consumers think of contributing in the name of good will as "ahh they're doing alright" (and in some cases, that'd be valid to say).

      I'm not saying that such a business model would not be profitable, i'm just saying most businesses see it as a diminishing returns kind of model. It will get them to a certain point of profitability but then probably stay there, which is not the kind of thing shareholders want to hear. For someone making a living while producing what they like, this is great. Hell, you could even run a nice private business that way and people would love it so long as you juggled properly. When the words "publicly traded" get into the picture though...well...you wont be hearing the words "eh, we're comfortable with this level of profit. Lets stick with this".

      Of course this is not an excuse; It's simply a reason, but I do think it is why we do not see this kind of model being used in more large scale groups.

      --
      Ice Cream has no bones.
    5. Re:Why... by vakuona · · Score: 1

      A business that relies on donations is not a business, but a charity.

    6. Re:Why... by Anonymous Coward · · Score: 0

      Not to mention that a lot of sites that have ads (I'm looking at you cable news stations) already have a steady revenue of money from somewhere.

      Speaking of cable news advertisements, they've begun inserting ads during television shows(along the bottom half of the screen) and forcing PIP to enable itself with a static ad placed in it's window. Annoying as all hell. Bunch of pricks.

  4. Good but not enough by schwaang · · Score: 3, Insightful

    This needs to be so clearly illegal that no American ISP would have thought about trying it to begin with.

  5. What the frack does Google do? by Anonymous Coward · · Score: 0

    There is no such thing as coincidence. NebuAd was just a small fry. Someone will do this with the blessing of this government.

  6. A cookie? by CSMatt · · Score: 2, Insightful

    Based on what I've read, cookies are one of the main ways a Web site tracks its users. So then why should I trust these "opt-out" cookies from companies like DoubleClick and NebuAd to not track me, as opposed to just blocking their cookies from ever getting to my machine in the first place?

    1. Re:A cookie? by sakdoctor · · Score: 3, Informative

      Exactly. Am I supposed to white list every scumbag company that provides an "opt-out" cookie. That just doesn't make sense because the supply of scumbag companies is practically unlimited.

      http://upload.wikimedia.org/wikipedia/en/c/c4/Phorm_cookie_diagram.png
      Just look at all the spoofing nonsense. That just adds points of failure.

      If you haven't switched away from your phorm infested ISP by now, then be sure to add both *phorm* AND *webwise.net* to your ad blocker.
      Remember, friends don't let friends use (AOL|talktalk|virgin.net|BT)

    2. Re:A cookie? by tlhIngan · · Score: 1

      Ok, maybe someone can explain this to me. a cookie is just a file on your computer right?. So how is the isp (or router sniffing the packets), going to retrieve this cookie and not target ads at me. Not all my packets may not go through the same router every time (though I'm sure usually they do). So are they going to request this cookie for every packet? keep a big local list on the router of ip addresses to not sniff and have to check against that list everytime and hope the ip of my non-static ip address doesn't change ever?

      A bit more insidious than that - think something along the lines of a transparent Squid proxy, except that instead of proxying, it monitors connections (and injects its own data). You make a request, it goes through this proxy who sees the request, logs it, then forwards the packets on. On the return trip, it then decides it has better ads, and rewrites the webpage enroute back to you (maintaining all necessary TCP state information so your PC and the server you connect to suddenly have different values for things like the sequence number). It doesn't actually send the ad or embed a link, it really replaces the ad HTML with its own HTML that points your webbrowser at a different ad server.

      That ad server gets the "opt-out" cookie, and returns the ad you were supposed to see (being embedded in the link that sent you to the third-party ad server).

      Thus, you have this box that's monitoring all your HTTP connections, and bouncing ad requests to a third-party server who serves up their own ads. Not only is the box knowing every site you visit, but that third party webserver too.

  7. Technical analysis by labcake · · Score: 3, Informative

    If you are interested in what phorm /webwise actually does here is a technical paper: Richard Claytons technical paper: http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf

  8. Phorm breaks the web by Anonymous Coward · · Score: 0

    In response to the outcry over our revealing its two secret trials, BT said in April it would re-engineer the planned deployment so traffic to and from customers who do not want their web use profiled for marketing purposes would not come into contact with the Phorm system. The original blueprint meant that a opt-out cookie would tell the technology to simply ignore refuseniks' browsing as it passed through.

    This change is essential. The original phorm design redirected all traffic to the phorm site, then back to the original destination once the tracking cookie was inserted. I can't be the only developer whose software uses a simple HTTP GET library (for retrieving data) that doesn't support redirects. Phorm would break it and god knows how many other apps.

  9. Negative/Positive headers by Teun · · Score: 2, Insightful
    Why such a negative header?

    For the majority of net users this should be a very positive incident and the title should/could have reflected this, it's by all measure a Setback for Snoopers.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  10. A cookie? by ciej · · Score: 1

    Ok, maybe someone can explain this to me. a cookie is just a file on your computer right?. So how is the isp (or router sniffing the packets), going to retrieve this cookie and not target ads at me. Not all my packets may not go through the same router every time (though I'm sure usually they do). So are they going to request this cookie for every packet? keep a big local list on the router of ip addresses to not sniff and have to check against that list everytime and hope the ip of my non-static ip address doesn't change ever?

  11. Trying to mislead the public? by Anonymous Coward · · Score: 0

    What?

    Surely it's easy. When you sign up with BT^H^H your ISP you are either put into group a which are routed through Phorm or group b who aren't, at your disgression. There is no technical difficulty at all.

    BT manage a system which has multiple virtual ISPs all on the same copper ADSL network. Do they seriously expect us to believe that they can't split their own customers into two groups based on the account a particular client logs into their system with?

    More likely, they are hoping to mislead the general (i.e. technologically illiterate) public into thinking that it's somehow impossible for only some of the customers to have Phorm.

    This is why no-one sane uses BT as their internet provider.

  12. Simple Solution by Anonymous Coward · · Score: 0

    I'm willing to bet that BT has some sort of DPI chassis deployed...maybe even Sandvine. I'll also assume that they are using RADIUS for auth....even with the DHCP stuff they have which will be hidden from the user. With that said...

    The solution is simple. Physically connect the NebuAD device to the DPI chassis (think loopback and not inline). Create a rule that will redirect all HTTP traffic (remember, DPI here so port 80 is irrilivant) is by default sent to the DPI chassis. Then create a custom RADIUS attribute that will be seen by the DPI chassis. Any subscriber that has that VSA will not be sent to the DPI chassis.

    I don't see what the big deal is no matter what country you're in. Each broadband customer is using more data but rates are not going up. This has to be account for somehow. Providers can either raise rates, impliment usage caps, or shape the traffic that's OK to be delayed. Bandwidth for the service providers is not getting cheaper at the same rate that demand is growing. Oversubscription is a requirement in all home based packages....otherwise it would be a dedicated product offering with business rates. No matter what action the service providers implement the bloggers will make a scene about it as change is bad.

    If I have my choice I'll take the same rate, no usage cap, and shape my P2P during times of congestion. Now if I could just get someone to listen to my opinion.....

  13. Time for HTTPS:// everywhere by harrie_o · · Score: 2, Insightful

    Time for HTTPS:// everywhere.

    Back on July 9, Obama followed Pelosi's lead and legalized spying on Americans (which Bush had been doing since shortly after 9-11.

    They aren't parking a van outside your house, folks, they are recording EVERYONE's web traffic and keeping it ... forever???? Maybe.

    The Narus suite of deep packet inspection spy gear (covert spying in Iraq ... oh my!) is now legal for telecom (thanks Obama) to use inside the USA so politicians need cover by making sure you think everyone else wants to SPY to know what you are up to, too. Great political cover. We attack the Phorms and NebuAds and ignore the ENABLERs Pelosi & the republi-Crats she leads.

    The game is called SELLING ADs. You know the do-not-call list? We need a do-not-spy list.

    This is called HTTPS:// which makes it VERY CPU INTENSIVE for spy gear to decipher all our ramblings. Know it. Use it. Implement it so your web sites don't get tampered with on their way to the customer's browser.

    Keep the NebuAds and Phorms of the world from recording your business is your own damn business and we need to use the tools and our heads.

    If we wise up, the gov't will force us to give them (GOV'T, CIA, FBI) our encrpytion keys but that is the equivalent of a search warrant and we can keep changing them to keep them on their toes ... at least then we know they are watching us (and likely not ALL of us LIKE THEY ARE DOING RIGHT NOW).

    Don't stay un-encrypted at the web server level or the browser we need to stop the SPYING now.

  14. It all makes sense now! by Anonymous Coward · · Score: 0

    The DNA databases, the warrantless wiretapping, the mail snooping, the CCTV cameras on every street, the web tracking, etc.

    It's all about delivering the right advertisements!

  15. Illusion of Privacy by caller9 · · Score: 1

    I never start with the assumption that my network traffic is not being sniffed by a man-in-the-middle. Some disgruntled ISP employee looking to steal identities. Somebody playing with bgp or whatever. Then there is the fact that my traffic hits a 10. net as a second hop. I'm sure this is just my lame ISP being lame, but it looks odd.

    So it is really in your best interest to assume that all of your unencrypted traffic, and indeed the weaker versions of that are being intercepted.

    I do take issue with JavaScript injection that amounts to a man-in-the-middle attack http://www.theregister.co.uk/2008/06/23/topolski_takes_on_nebuad/

    Injecting content and claiming that it is from google.com while using it to add essentially spyware javascript is just dirty. I'm sure someone could rally Google into tearing them a new one if this crops up again. They have tons of lobbying money right?

    1. Re:Illusion of Privacy by jc42 · · Score: 1

      I do take issue with JavaScript injection that amounts to a man-in-the-middle attack http://www.theregister.co.uk/2008/06/23/topolski_takes_on_nebuad/

      This is just one more data point explaining why, ever since client-side scripting was first introduced into browsers, those of us who understand the Web have done most of our browsing with scripting turned off. If you permit strangers to download and run code on your machine, you're just inviting them to take advantage of you like this. And such injection attacks demonstrate that the dangers lie not just in the sites that you visit, but also with any machines along the path of your packets. Naturally, this would be no surprise to any network programmer.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.