BT Silences Customers Over Phorm
An anonymous reader writes "The Register reports that BT, the UK's dominant telecom and internet service provider, has 'banned all future discussion of Phorm and its "WebWise" targeted advertising product on its customer forums, and deleted all past threads about the controversy dating back to February.' Phorm is a controversial opt-out system for delivering targeted advertising that intercepts traffic passing through an ISP in order to profile subscribers via an assigned unique ID based on their online activities. Subscribers can opt-out at the Webwise website but are opted-in again if the Phorm cookie is cleared. Firefox users can install Melvin Sage's Firephorm add-on to manage their interaction with Phorm and Webwise."
If you have to suppress speech about what you are doing, you shouldn't be doing it.
I'm concerned about how they're hiding the history of ***** use. Deleting posts on ***** is quite extreme, and who knows what they'll do next? Start censoring the use of ***** on their network?
Our broadband support forums are designed to be a place where customers can discuss technical support issues and offer solutions.
And someone hijacking and modifying your data isn't a technical support issue?
My ISP recently turned on a similar system. I'm quite unhappy about it but I really don't have a realistic alternate ISP (boonies, telco, blah blah blah). It really does suck when things like this happen. I don't do anything illegal, but I still like my (relative) privacy and the ISP is the easiest place to attach my real identity to my data paths.
So, for now, I'm pondering going back to a full-time SSH VPN to my web host for everything except the few apps I use that need low latency.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
It's probably in Google's best interest to get something like this widely deployed -- a lot of ISPs are frothing at the mouth to get Phorm/NebuAd on their networks for more revenue streams, and it won't be long before a Google query would not route to Google (even if done at www.google.com), but to wherever the ISP desires.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
Sounds like you're thinking of the obfuscated tcp story. Wasn't so much a Google project as someone who happened to work at Google iirc.
Isn't this the same BT that sued everyone claiming a patent on hyperlinking? Would you expect anything less from these drones?
In the USA, we like stuff watered down, like beer, television, and freedom.
Firefox can keep a cookie, but what about all those apps doing http requests (wget, media players, apt-get...) without maintaining cookies ??? Those can't opt-out, so basically they are forcing that on you.
That's just plain disgusting anyways.
Advertising in television is done with the consent of the content creators, not so with Phorm. Modifying a site in this manner is completely unacceptable, there is no discussion to be had.
If it were done with the consent of the content creators, there would be little or no benefit over google ads.
The right to protest the State is more sacred than the State.
does anyone know why they have to implement it with cookies and redirects? (according to wikipedia)
couldn't they have done this silently and leave users completely unaware of it?
Since it seems like they store a copy of the websites visited, could a website have a license that is "only end users can keep a copy of the data on this site", and then sue Phorm if they keep the data? Or would their impersonating other servers be fraud, especially if people have the "opt-out" cookie?
Looking at the wiki diagram of what they do, that is just insane. They are a man in the middle, adding cookies, hiding cookies, redirecting requests to unrelated sites, etc. They are slowing down every site, and what happens if they get overloaded? Does everything come to a halt?
Imagine if someone got a server on a network and added an entry to webwise.net to the /etc/hosts file (or equivalent), they would get a record of every site that everyone with the extra DNS entry visited. Combine a server with a DNS poisoning attack, and you can get the traffic for a large number of people.
Maybe people should point www.webwise.net to a non-routing address to be safe?
If I have nothing to hide, don't search me
That appears to be the case:
KentErtugrul
Just to clarify: we do not serve adverts into the traffic stream. The websites within which the ads appear are in fact our partners. They choose to partner with us to bring you more helpful, relevant and yes, more valuable advertising
http://www.webwise.com/how-it-works/transcript_080306.html
For years I assumed I needed to pay BT for the line rental so I could get broadband through the telephone line, as I assumed only they could provide it. I got my calls and broadband from companies who give a shit about their customers. Then I found out that there are several companies who can do line rental / call / broadband deals (all of those I checked out were cheaper than BT, and not all signed up for Phorm). When I found this out I was completely away from BT within one month. If you're in the UK, and value privacy and a company who actually wants to please you, I suggest you do some Googling and be prepared to switch. They escaped criminal punishment, government punishment, the only reason they keep doing it is that they assume most people believe they are stuck with BT. If you do switch, make sure you tell them why; who knows, if they see enough rats abandoning ship it may make them rethink the Phorm deal. ispreview.com & adslguide.org should give you a starting point.
The difference is that my TV doesn't track what I watch, who I watch it with, who I talk to, what mail I send and when I go to the bathroom.
What a company could do, assuming it had the cash for reasonable Internet peering, would be to make a VPN service. Give directions for novice BT users to set up and route through. It doesn't have to be an "anonymous" service, however it would be a boon for privacy if TCP/IP logs are held just long enough in case of a security issue (or to make the UK government happy), and then promptly deleted. This service would be hosted physically in the UK to ensure decently fast connections, as opposed to other services located elsewhere around the world where packets would possibly have to cross through high latency overseas lines.
It could offer the usual PPTP services. It can also offer an SSL proxy (plain or using stunnel) for Web traffic so only the Web browser would have to be configured if the user doesn't have administrative rights. For users using ssh, it can offer PPP over ssh.
Then, this company can provide some decent instructions for people to set up a VPN to its site with the usual operating systems (Linux, OS X, BSD, Windows.)
Of course, BT could try to block or throttle the packets, but that is starting a type of legal battle with another company that may not be in BT's interest.
So find a forum somewhere else that can be used for all the legal/moral/ethical/boycott/etc issues. If there isn't one, make one (rent a server).
now we need to go OSS in diesel cars
...yet...
I thought it had been decided that Phorm was only legal in the UK if it was an opt-in service, rather than an opt-out service?
Can any BT Customer still trust that ANYTHING (s)he's reading through non-SSL-connections is unmodified? Or even unmoderated?
Sorry, but why do the UK people let their government and companies put them way beyond "1984"?
It's nothing Mr. Orwell didn't predict long ago. We're closer than ever to making it a reality.
~ I am logged on, therefore I am.
British Telecom tracks when you go to the bathroom? Yikes!
I left BT a few months ago after they continued with the trial, despite massive outcry from customers and other internet users. Thankfully, here in the UK it's easy to switch ADSL providers, just request a MAC transfer code and give it to your ISP. I moved to ADSL24, a reseller of Entanet who are very open about their network, while other ISPs like to hide it. I have been extremely satisfied with my new provider, and I am going to make sure that I never give any money to BT again. Bad idea to annoy those younger customers, they've still got quite a lot to spend into the future.
I rent game servers, see my homepage for more information
What would happen if the webwise.net domain (which shares an IP with phorm.com) was to accidentally get DDOSed?
Going by the Phorm diagram on wikipedia, it would seem that webwise.net is a central point of failure for the system.
Mod parent (insightful and informed AC) up.
As much as I hate Phorm (luckily I'm not with a Phorm ISP), that's not entirely accurate. As mentioned by an AC (but likely to get lost) Phorm only modifies the ad selection for the Phorm advertising network. It does not strip out other ads and replace them with their own (although it wouldn't surprise me if someone had suggested that), it just tries to target ads from a select network of advertisers.
That said, it does still piggy-back any content that I put up on my website by reading it and gaining marketing data from it. I sure as hell didn't agree to that, so I'm investigating methods of stopping them profiting from my content when I don't get a cut and when I purposefully don't put adverts on my sites.
Gah, I meant the GP's "modifying content without permission" isn't accurate. The AC's comments are accurate (complete with a reference!)
It's about time that all http web traffic was https instead, so the likes of BT could not inject their garbage into pages without people knowing the pages have been compromised.
Take Nobody's Word For It.
You are wrong. Not sure about Phorm, but at least NebuAd does this with content owner consent. Content owner then gets some clicks from the ads, just like with AdWords.
It is my understanding that BT won't be removing your ads. Instead, "WebWise" will be a competing advertising provider to the likes of Google, Microsoft, etc. You can elect to put Phorm ads on your site instead, and in theory, those ads will be behaviorally targeted at the people browsing your site. (Or at least, the people who haven't opted out.) If you don't use Phorm, whatever provider's ads you sign up for will be shown.
The shitstorm, as I understand it, isn't that website owners' ads won't be displayed. It's that people using this WebWise thing while browsing your site will be reporting what they're doing to a third party, and since it's opt-in, many (most?) probably won't even know that they're doing it.
Worse, because WebWise now knows that Joe Schmo is interested in whatever it is your web site is advertising, say, cars, then it will start displaying car ads from your competitors on sites that have contracts with Phorm because Joe browsed your site.
All in all, pretty scummy, but I'd genuinely be surprised if it actually removes ads from sites that have nothing to do with it. Especially since they're talking about making it opt-in, I can't imagine that wouldn't be unquestionably illegal.
IANAL nor do I know how UK copyright law works but why doesn't someone who owns a website (preferably one involving paid content or something) and who also has an account with BT visit their website via their BT connection, have all the inserted ads come up and then sue BT for copyright violation.
One way to deal with fascism.
Make the public aware.
Stop funding them.
Lobby against them.
Send a battalion of Lawyers or Solicitors after them.
webwise tries to sell this insecure proxy spying nonsense as a security product. They are telling you it's safe, but you must take it on blind faith that it's safe. In essence they are trying to make the whole web their own personal network. You have to trust them. Perhaps if you can prove that it's false advertising, and a deceptive lie, you can get them shut down and outlawed.
If they are routing all their packets through a router, you have no choice but to find another ISP, stop using the web, or accept it.
What an unacceptable world this fascist company has created. I'd resist. Straight up. There is no way I would stay with that nonsense.
I am wondering if a CIDR ban on their /8 would help your cause? By getting complaints for no connectivity perhaps this should be part of the solution.
If you have the IP / cidr numbers post them!
Maybe we who host websites outside of their networks can do re-directs to a page explaining the problem. We need the CIDR and/or IP numbers so we can detect, then either block or redirect their connections. And we need a text of what to say specifically.
Meanwhile, Cancel your contract, and sue them for spying.
Short their stock, make their company worth zero. Get this out on Newspaper, Magazines, Broadcast tv, and radio. Move fast!
Don't just hope to switch ISPs, do it right now.
I can't believe that whoever handles this stuff for BT isn't aware of the "Streisand Effect." Maybe their PR staff had nothing to do with it.
It's the stupidest thing you can do these days, trying to censor your customer base in public like that.
It's one of the things that really makes me feel good about the internet, and one of the few phenomena in these times where people can organize (without even organizing) and change the behavior of a corporate behemoth.
It must drive authoritarian corporations and governments crazy. I love it.
Surely Phorm violates copyright at some level?
They are effectively modifying content in such a way that what is presented, is not what was published
There could also be some issues affecting the value of the content. I create content, and BT defaces it before it reaches my client/consumer, they are in a sense effectively damaging my property and assets. If I was a large website owner I might take offense to this kind of behavior.
Participatory Governance : The only feasible option for a real democracy, where everyone really does have a say.
If this was any other company (Time Warner, AOL, etc), Bruce Schneier would be all over the privacy and censorship issues here. But he's the CTO of British Telecom, and when the gravy train is on the line, the privacy-vocal cipherpunk is nowhere to be found.
LOL @ Troll. I forgot that on slashdot, unpopular opinion = troll mod-down.
fucktards
As a web author:
-> I did NOT give them permission to place or inject their ads on *my* site.
-> I have no control over what ads are delivered with my content -- some of it may be counter to things I believe, and some ads may imply an endorsement of products, people or policies that I abhor.
-> I am not receiving ad revenues from their ad hits which my site generates for them.
To me, this is outright theft of my content to generate revenue for them. I believe the legal term is "conversion", taking someone else's property and using it to make money as if it was your own property.
What legal recourse do content creators and holders have against this theft of their content to produce revenues for someone else?
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
Again, this is not my understanding of how it works.
As I read it, if you put Google ads on your site, people from British Telecom are seeing Google ads, period. However, as a web site owner, you can instead choose to put Phorm ads on your site, in which case, people from British Telecom will see the behavior tailored ads.
There's nothing new in that. What is new, and what I understand has everyone so up in arms, is that when British Telecom people are visiting your site (and seeing Google ads), Phorm is finding out about it and logging that fact, so that when British Telecom people visit other sites that have Phorm ads, what they will see is based on what they saw when they visited your site (with Google ads).
Plus, as an opt-out system, people won't know that the sites they're visiting are being silently watched by a third party, which is always very uncool.
If they're actually replacing content served by non-affiliated third parties (i.e. Google, or site owners who run Google ads), I'd like to see a reference to that, because I'm wrong in how I believe this works.
There used to be a phrase "Damn with faint praise". Said in an Alan Rickman snarl one would completely wither the opposition with some remark. Such as: after a resounding technical explanatory victory, the opponent murmurs, "nice vocabulary."
You're right that if stuff looks totally "Pleasantville" then it comes through kinda snitty. But if you allow some *token* complaints, you can give the illusion of fairness while still hiding the killer points.
"Announcement: Posted by Admin: We're sorry if you experience some site slowdowns while we transition our content provider software". (Yea, my site is "slower" because a botch in your programming made my paid ad provider's ad hang upon loading. That doesn't do anything towards the fact that it was just fine last month.)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The Firefox addon mentioned in TFA has the option to randomize the UID in the tracking cookie phorm sets on each web page. Not as grand as your poisoning ideas, but similar.
As for the opt-out by MAC address you mentioned, you'd still have to opt out for every machine you connect to the internet. Better would be opt-out by BT account, or, better yet, opt-in by BT account.
We're just settling into the century of Tracking Everything because it's Fun!
Let's assume you are a male weighing between 175 and 200 lbs, getting somewhat less exercise than you should, eating somewhat less fiber than you should, but with a bonus modifier for having some fruit and a metabolism a touch above normal.
Given an example nominal 22oz of type-2 material per week, Pi divided by the number of type-2 rest visits per week gives the percent chance modifier that you will overload the residential grade rest facility. Thus 2.4 visits per week means you have about a 31% chance of needing the Helper. Solution is to eat out twice a week.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
The BT network is in fact so poor in our area that I do all my deployment update downloads for our company at home on Virgin (20Mbit/s downloads) and thus get better total download speeds than our office BT business lines.
Although BT is officially a private company, it cannot really be one because national infrastructure runs over its lines. It badly needs a complete overhaul, but it cannot get the investment as a private company, and the Government dare not spend billions of taxpayer money on it, as it will screw up. I wouldn't be surprised if in the long term Virgin, Vodafone and Hutchison Whampoa end up running the country's Internet infrastructure, as 3G technology improves.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
and they're allowed to censor whatever they want from their customer forum
And we're allowed to call them out on it.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I wonder why these types of companies aren't doing away with cookies altogether and getting their clients to install a completely server-side monitoring system.
Nobody would even have a cookie to delete in that case.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Can a site admin request that nothing from a given site be looked at, or will I have to put up with the private forum I visit (not to mention every IRC network and MUD, which can't be opted out of at all) being spied on because a single person forgot to opt out?
Liberte, Egalite, Fraternite (TM)
My brain fell over while reading your post. I must not be geeky enough.
"Another question"
to get back on topic, i'm rather disturbed that British ISPs would partner themselves with a company with a history of distributing spyware/malware and uses deceptive (and arguably illegal) tactics, such as using a rootkit, to get/keep their software installed on the computers of unsuspecting individuals.
i'm not from the U.K. so i don't know how much choice Brits have with regards to broadband access. if it's anything like the U.S. then BT subscribers probably won't be able to just switch to a different broadband provider and boycott BT's actions. broadband access, like most communications networks, tend to be natural monopolies because a network's usefulness is directly proportional to its size. having a bunch of small fragmented networks isn't very useful, whereas having a large nationwide network is.
it seems like the public has only two options here. they can either, lobby the government to establish regulations protecting the rights of consumers, or they should establish municipal WiFi/WiMax networks that each community can run themselves. obviously BT won't listen to their consumers, which is why they're silencing them to suppress criticism, and there doesn't seem to be any laws forbidding BT from pursuing this partnership. so establishing a municipal wireless network seems like the best way to protect consumer interests.
you can't dictate what a private corporation does, but you do have a voice in local government. therefore if members of the community don't like how their publicly-run broadband network is managed, they can change it; it's their legal prerogative to do so.
As has been pointed out by others, my previous post was incorrect. IMO, this leaves a few issues:
- Invasion of privacy for both webmaster and user (not all web content is static, they could be looking at pages meant only for the user)
- That being said, could the information that the ISP is gathering be considered private? Could it be covered by wiretapping laws or something similar?
Whether the server is using HTTPS or not, if a site requires a login, that could be considered to be an attempt to secure it. If the ISP (or anyone else) then records this "conversation" which was intended to be secure, I would think that's illegal. Then again, I'm from the States, I have no idea how British law works.
The right to protest the State is more sacred than the State.
Even if you opt out, all your traffic is going through the Phorm servers, the opt out is only them promising not to watch or interfere with it as it flows through.....so the question is, do you trust a former spyware company to watch valuable data flow past and not touch it? BT (and the other scumbags who sold their customers out) could lessen the damage by only piping the opted in chumps through the Phorm servers.....oh yeah, and making it an opt in service.
I don't know about the UK's views on it, but I'm pretty sure this is a colossal privacy issue that SHOULD run afoul of consumer protection and privacy laws. If this starts to show up here in Canada, you could expect a pretty significant uproar and an appeal to the government to stop this sort of thing before it becomes habit.
Are there no privacy laws in the UK? Is it seriously that bad?
Unless you plug a Tivo into it.
Comment of the year
Thankfully we have a lot of choice and a very competitive market. It is trivial to switch to a different provider, and while most of your data may still be going over BT's networks, BT won't have a legal leg to stand on if they try to intercept communications belonging to people who aren't even their own customers.
One of my favourite examples of this was when Rolling Stone (I think) reviewed Jewel Kilcher's poetry book. It was a full book review, concentrating exclusively on the typography, paper quality, etc without one mention of the poetry.
It's not technically feasible for them to do that, anyway.
For info on countermeasures for webmasters, visit Dephormation or PhormCheck or Deny Phorm. There's a lot of material out there if you look for it, this is an issue that most of those in the know are not keen to let lie.
Unfortunately the UK government appears unwilling to make any attempt to stop this. The tinfoil-hat-wearers believe that it's due to the government's desire to get their hands on a similar system for themselves. Personally, I think it's just a case of resounding incompetence.