BT Silences Customers Over Phorm
An anonymous reader writes "The Register reports that BT, the UK's dominant telecom and internet service provider, has 'banned all future discussion of Phorm and its "WebWise" targeted advertising product on its customer forums, and deleted all past threads about the controversy dating back to February.' Phorm is a controversial opt-out system for delivering targeted advertising that intercepts traffic passing through an ISP in order to profile subscribers via an assigned unique ID based on their online activities. Subscribers can opt-out at the Webwise website but are opted-in again if the Phorm cookie is cleared. Firefox users can install Melvin Sage's Firephorm add-on to manage their interaction with Phorm and Webwise."
If you have to suppress speech about what you are doing, you shouldn't be doing it.
I'm concerned about how they're hiding the history of ***** use. Deleting posts on ***** is quite extreme, and who knows what they'll do next? Start censoring the use of ***** on their network?
Our broadband support forums are designed to be a place where customers can discuss technical support issues and offer solutions.
And someone hijacking and modifying your data isn't a technical support issue?
My ISP recently turned on a similar system. I'm quite unhappy about it but I really don't have a realistic alternate ISP (boonies, telco, blah blah blah). It really does suck when things like this happen. I don't do anything illegal, but I still like my (relative) privacy and the ISP is the easiest place to attach my real identity to my data paths.
So, for now, I'm pondering going back to a fulltime SSH VPN to my web host for everything except the few apps I use that need low latency.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
It's probably in Google's best interest to get something like this widely deployed -- a lot of ISPs are frothing at the mouth to get Phorm/NebuAd on their networks for more revenue streams, and it won't be long before a Google query would not route to Google (even if done at www.google.com), but to wherever the ISP desires.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
Sounds like you're thinking of the obfuscated tcp story. Wasn't so much a Google project as someone who happened to work at Google iirc.
Isn't this the same BT that sued everyone claiming a patent on hyperlinking? Would you expect anything less from these drones?
In the USA, we like stuff watered down, like beer, television, and freedom.
While I don't live in the UK, I know how I'd feel about such things if they were happening to me.
To begin, it's a private company, and they're allowed to censor whatever they want from their customer forum. Keep in mind, they have to worry about marketing and PR as much as any other private company. Generally, you have options to go to another company if you don't like how they operate. If not, find another place to discuss your beef.
Second, advertising is a means to profit for most any media. We're going through a transition and *everyone* needs to adapt, equally. Many people pay for cable or satellite TV. There are free programs, and paid programs. Everything needs to be funded, somewhere. Let's all try to be reasonable and work this out. There's a learning process to be had, but it'll get sorted out.
Firefox can keep a cookie, but what about all those apps doing http requests (wget, media players, apt-get...) without maintaining cookies ??? Those can't opt-out, so basically they are forcing that on you.
That's just plain disgusting anyways.
or censored discussion of mald.. NO CARRIER
does anyone know why they have to implement it with cookies and redirects? (according to wikipedia)
couldn't they have done this silently and leave users completely unaware of it?
Since it seems like they store a copy of the websites visited, could a website have a license that is "only end users can keep a copy of the data on this site", and then sue Phorm if they keep the data? Or would their impersonating other servers be fraud, especially if people have the "opt-out" cookie?
Looking at the wiki diagram of what they do, that is just insane. They are a man in the middle, adding cookies, hiding cookies, redirecting requests to unrelated sites, etc. They are slowing down every site, and what happens if they get overloaded? Does everything come to a halt?
Imagine if someone got a server on a network and added an entry to webwise.net to the /etc/hosts file (or equivalent), they would get a record of every site that everyone with the extra DNS entry visited. Combine a server with a DNS poisoning attack, and you can get the traffic for a large number of people.
Maybe people should point www.webwise.net to a non-routing address to be safe?
If I have nothing to hide, don't search me
For years I assumed I needed to pay BT for the line rental so I could get broadband through the telephone line, as I assumed only they could provide it. I got my calls and broadband from companies who give a shit about their customers. Then I found out that there are several companies who can do line rental / call / broadband deals (all of those I checked out were cheaper than BT, and not all signed up for Phorm). When I found this out I was completely away from BT within one month. If you're in the UK, and value privacy and a company who actually wants to please you, I suggest you do some Googling and be prepared to switch. They escaped criminal punishment, government punishment, the only reason they keep doing it is that they assume most people believe they are stuck with BT. If you do switch, make sure you tell them why; who knows, if they see enough rats abandoning ship it may make them rethink the Phorm deal. ispreview.com & adslguide.org should give you a starting point.
What a company could do, assuming it had the cash for reasonable Internet peering, would be to make a VPN service. Give directions for novice BT users to set up and route through. It doesn't have to be an "anonymous" service, however it would be a boon for privacy if TCP/IP logs are held just long enough in case of a security issue (or to make the UK government happy), and then promptly deleted. This service would be hosted physically in the UK to ensure decently fast connections, as opposed to other services located elsewhere around the world where packets would possibly have to cross through high latency overseas lines.
It could offer the usual PPTP services. It can also offer a SSL proxy (plain or using stunnel) for Web traffic so only the Web browser would have to be configured if the user doesn't have administrative rights. For users using ssh, it can offer PPP over ssh.
Then, this company can provide some decent instructions for people to set up a VPN to its site with the usual operating systems (Linux, OS X, BSD, Windows.)
Of course, BT could try to block or throttle the packets, but that is starting a type of legal battle with another company that may not be in BT's interest.
So find a forum somewhere else that can be used for all the legal/moral/ethical/boycott/etc issues. If there isn't one, make one (rent a server).
now we need to go OSS in diesel cars
I thought it had been decided that Phorm was only legal in the UK if it was an opt-in service, rather than an opt-out service?
A better solution against targeted advertising would be for every BT subscriber to install software that emulated in a completely indistinguishable manner an end user browsing websites using the Phorm program causing ads to be loaded but never clicked, or to always be clicked but never resulting in any sale.
Analytics would then show either that the cost per impression is way too high to make economic sense and Phorm would be priced out of business, or ROI was similarly way too low.
Perhaps if such an attack on Phorm were to take place widescale Phorm and BT would find a better way to let users opt-out of Phorm. Something that made sense. Like, oh, I don't know... opt-out by MAC address.
Can any BT Customer still trust that ANYTHING (s)he's reading through non-SSL-connections is unmodified? Or even unmoderated?
Sorry, but why do the UK people let their government and companies put them way beyond "1984"?
I left BT a few months ago after they continued with the trial, despite massive outcry from customers and other internet users. Thankfully, here in the UK it's easy to switch ADSL providers, just request a MAC transfer code and give it to your ISP. I moved to ADSL24, a reseller of Entanet who are very open about their network, while other ISPs like to hide it. I have been extremely satisfied with my new provider, and I am going to make sure that I never give any money to BT again. Bad idea to annoy those younger customers, they've still got quite a lot to spend into the future.
I rent game servers, see my homepage for more information
What would happen if the webwise.net domain (which shares an IP with phorm.com) was to accidentally get DDOSed?
Going by the Phorm diagram on wikipedia, it would seem that webwise.net is a central point of failure for the system.
It's about time that all http web traffic was https instead, so the likes of BT could not inject their garbage into pages without people knowing the pages have been compromised.
Take Nobody's Word For It.
This should be made completely illegal! I do not want my traffic intercepted and advertising directed at me...and this isn't the first time BT have kept quiet about something. In the past they didn't say a word to customers when they were performing gradual updates to individual exchanges, which brought internet speed down to only 300Kb/s for a whole month! Even after 5 calls to BT, no-one would admit it was DRM. I only found out from an online forum that my connection was being DRM'ed...and even after that I found out that the update had been finished I had to call up, and specifically mention DRM for them to uncap my connection again. If I hadn't done that, I would still be stuck at 300Kb/s!
I am soon hoping to switch ISP to Virgin Media. My advice, Stay Away from BT!!
It is my understanding that BT won't be removing your ads. Instead, "WebWise" will be a competing advertising provider to the likes of Google, Microsoft, etc. You can elect to put Phorm ads on your site instead, and in theory, those ads will be behaviorally targeted at the people browsing your site. (Or at least, the people who haven't opted out.) If you don't use Phorm, whatever provider's ads you sign up for will be shown.
The shitstorm, as I understand it, isn't that website owners' ads won't be displayed. It's that people using this WebWise thing while browsing your site will be reporting what they're doing to a third party, and since it's opt-in, many (most?) probably won't even know that they're doing it.
Worse, because WebWise now knows that Joe Schmo is interested in whatever it is your web site is advertising, say, cars, then it will start displaying car ads from your competitors on sites that have contracts with Phorm because Joe browsed your site.
All in all, pretty scummy, but I'd genuinely be surprised if it actually removes ads from sites that have nothing to do with it. Especially since they're talking about making it opt-in, I can't imagine that wouldn't be unquestionably illegal.
IANAL nor do I know how UK copyright law works but why doesn't someone who owns a website (preferably one involving paid content or something) and who also has an account with BT visit their website via their BT connection, have all the inserted ads come up and then sue BT for copyright violation.
One way to deal with fascism.
Make the public aware.
Stop funding them.
Lobby against them.
Send a battalion of Lawyers or Solicitors after them.
webwise tries to sell this insecure proxy spying nonsense as a security product. They are telling you it's safe, but you must take it on blind faith that it's safe. In essence they are trying to make the whole web their own personal network. You have to trust them. Perhaps if you can prove that it's false advertising, and a deceptive lie, you can get them shut down and outlawed.
If they are routing all their packets through a router, you have no choice but to find another ISP, stop using the web, or accept it.
What an unacceptable world this fascist company has created. I'd resist. Straight up. There is no way I would stay with that nonsense.
I am wondering if a CIDR ban on their /8 would help your cause? By getting complaints for no connectivity perhaps this should be part of the solution.
If you have the IP / cidr numbers post them!
Maybe we who host websites outside of their networks can do re-directs to a page explaining the problem. We need the cidr and or ip numbers so we can detect, then either block or redirect their connections. And we need a text of what to say specifically.
Meanwhile, Cancel your contract, and sue them for spying.
Short their stock, make their company worth zero. Get this out on Newspaper, Magazines, Broadcast tv, and radio. Move fast!
Don't just hope to switch ISP's, do it right now.
I can't believe that whoever handles this stuff for BT isn't aware of the "Streisand Effect." Maybe their PR staff had nothing to do with it.
It's the stupidest thing you can do these days, trying to censor your customer base in public like that.
It's one of the things that really makes me feel good about the internet, and one of the few phenomenons in these times where people can organize (without even organizing) and change the behavior of a corporate behemoth.
It must drive authoritarian corporations and governments crazy. I love it.
Surely Phorm violates copyright at some level?
They are effectively modifying content in such a way that what is presented, is not what was published
There could also be some issues affecting the value of the content. I create content, and BT defaces it before it reaches my client/consumer, they are in a sense effectively damaging my property and assets. If I was a large website owner I might take offense to this kind of behavior.
Participatory Governance : The only feasible option for a real democracy, where everyone really does have a say.
If this was any other company (Time Warner, AOL, etc), Bruce Schneier would be all over the privacy and censorship issues here. But he's the CTO of British Telecom, and when the gravy train is on the line, the privacy-vocal cipherpunk is nowhere to be found.
As a web author:
-> I did NOT give them permission to place or inject their ads on *my* site.
-> I have no control over what ads are delivered with my content -- some of it may be counter to things I believe, and some ads may imply an endorsement of products, people or policies that I abhor.
-> I am not receiving ad revenues from their ad hits which my site generates for them.
To me, this is outright theft of my content to generate revenue for them. I believe the legal term is "conversion", taking someone else's property and using it to make money as if it was your own property.
What legal recourse do content creators and holders have against this theft of their content to produce revenues for someone else?
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
Again, this is not my understanding of how it works.
As I read it, if you put Google ads on your site, people from British Telecom are seeing Google ads, period. However, as a web site owner, you can instead choose to put Phorm ads on your site, in which case, people from British Telecom will see the behavior tailored ads.
There's nothing new in that. What is new, and what I understand has everyone so up in arms, is that when British Telecom people are visiting your site (and seeing Google ads), Phorm is finding out about it and logging that fact, so that when British Telecom people visit other sites that have Phorm ads, what they will see is based on what they saw when they visited your site (with Google ads).
Plus, as an opt-out system, people won't know that the sites they're visiting are being silently watched by a third party, which is always very uncool.
If they're actually replacing content served by non-affiliated third parties (i.e. Google, or site owners who run Google ads), I'd like to see a reference to that, because I'm wrong in how I believe this works.
There used to be a phrase "Damn with faint praise". Said in an Alan Rickman snarl one would completely wither the opposition with some remark. Such as: after a resounding technical explanatory victory, the opponent murmurs, "nice vocabulary."
You're right that if stuff looks totally "Pleasantville" then it comes through kinda snitty. But if you allow some *token* complaints, you can give the illusion of fairness while still hiding the killer points.
"Announcement: Posted by Admin: We're sorry if you experience some site slowdowns while we transition our content provider software". (Yea, my site is "slower" because a botch in your programming made my paid ad provider's ad hang upon loading. That doesn't do anything towards the fact that it was just fine last month.)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The Firefox addon mentioned in TFA has the option to randomize the UID in the tracking cookie phorm sets on each web page. Not as grand as your poisoning ideas, but similar.
As for the opt-out by MAC address you mentioned, you'd still have to opt out for every machine you connect to the internet. Better would be opt-out by BT account, or, better yet, opt-in by BT account.
We're just settling into the century of Tracking Everything because it's Fun!
Let's assume you are a male weighing between 175 and 200 lbs, getting somewhat less exercise than you should, eating somewhat less fiber than you should, but with a bonus modifier for having some fruit and a metabolism a touch above normal.
Given an example nominal 22oz of type-2 material per week, Pi divided by the number of type-2 rest visits per week gives the percent chance modifier that you will overload the residential grade rest facility. Thus 2.4 visits per week means you have about a 31% chance of needing the Helper. Solution is to eat out twice a week.
The BT network is in fact so poor in our area that I do all my deployment update downloads for our company at home on Virgin (20Mbit/s downloads) and thus get better total download speeds than our office BT business lines.
Although BT is officially a private company, it cannot really be one because national infrastructure runs over its lines. It badly needs a complete overhaul, but it cannot get the investment as a private company, and the Government dare not spend billions of taxpayer money on it, as it will screw up. I wouldn't be surprised if in the long term Virgin, Vodafone and Hutchison Whampoa end up running the country's Internet infrastructure, as 3G technology improves.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I wonder why these types of companies aren't doing away with cookies altogether and getting their clients to install a completely server-side monitoring system.
Nobody would even have a cookie to delete in that case.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Can a site admin request that nothing from a given site be looked at, or will I have to put up with the private forum I visit (not to mention every IRC network and MUD, which can't be opted out of at all) being spied on because a single person forgot to opt out?
Liberte, Egalite, Fraternite (TM)
My brain fell over while reading your post. I must not be geeky enough.
"Another question"
to get back on topic, i'm rather disturbed that British ISPs would partner themselves with a company with a history of distributing spyware/malware and uses deceptive (and arguably illegal) tactics, such as using a rootkit, to get/keep their software installed on the computers of unsuspecting individuals.
i'm not from the U.K. so i don't know how much choice Brits have with regards to broadband access. if it's anything like the U.S. then BT subscribers probably won't be able to just switch to a different broadband provider and boycott BT's actions. broadband access, like most communications networks, tend to be natural monopolies because a network's usefulness is directly proportional to its size. having a bunch of small fragmented networks isn't very useful, whereas having a large nationwide network is.
it seems like the public has only two options here. they can either, lobby the government to establish regulations protecting the rights of consumers, or they should establish municipal WiFi/WiMax networks that each community can run themselves. obviously BT won't listen to their consumers, which is why they're silencing them to suppress criticism, and there doesn't seem to be any laws forbidding BT from pursuing this partnership. so establishing a municipal wireless network seems like the best way to protect consumer interests.
you can't dictate what a private corporation does, but you do have a voice in local government. therefore if members of the community don't like how their publicly-run broadband network is managed, they can change it; it's their legal prerogative to do so.
Even if you opt out, all your traffic is going through the Phorm servers, the opt out is only them promising not to watch or interfere with it as it flows through.....so the question is, do you trust a former spyware company to watch valuable data flow past and not touch it? BT (and the other scumbags who sold their customers out) could lessen the damage by only piping the opted in chumps through the Phorm servers.....oh yeah, and making it an opt in service.
I don't know about the UK's views on it, but I'm pretty sure this is a colossal privacy issue that SHOULD run afoul of consumer protection and privacy laws. If this starts to show up here in Canada, you could expect a pretty significant uproar and an appeal to the government to stop this sort of thing before it becomes habit.
Are there no privacy laws in the UK? Is it seriously that bad?
and offer some support on the bt forums
Thankfully we have a lot of choice and a very competitive market. It is trivial to switch to a different provider, and while most of your data may still be going over BT's networks, BT won't have a legal leg to stand on if they try to intercept communications belonging to people who aren't even their own customers.
the liberal whackos are trying to do to anyone who doesn't believe in the hoax that is global warming. http://www.discussglobalwarming.com/blog
They've already begun doing this to those who refuse to believe in Darwinism. Guess this world is going to have to forcefully take back what is being stolen from them, ala Hitler-style bullshit without the gas chambers.
One of my favourite examples of this was when Rolling Stone (I think) reviewed Jewel Kilcher's poetry book. It was a full book review, concentrating exclusively on the typography, paper quality, etc without one mention of the poetry.
It's not technically feasible for them to do that, anyway.
Doc Nickel
http://www.network54.com/Forum/9013/message/1227323265/Hey%2C+Doc%2C+Where's+My+Book-
Unfortunately the UK government appears unwilling to make any attempt to stop this. The tinfoil-hat-wearers believe that it's due to the government's desire to get their hands on a similar system for themselves. Personally, I think it's just a case of resounding incompetence.