BT Silences Customers Over Phorm
An anonymous reader writes "The Register reports that BT, the UK's dominant telecom and internet service provider, has 'banned all future discussion of Phorm and its "WebWise" targeted advertising product on its customer forums, and deleted all past threads about the controversy dating back to February.' Phorm is a controversial opt-out system for delivering targeted advertising that intercepts traffic passing through an ISP in order to profile subscribers via an assigned unique ID based on their online activities. Subscribers can opt out at the Webwise website but are opted in again if the Phorm cookie is cleared. Firefox users can install Melvin Sage's Firephorm add-on to manage their interaction with Phorm and Webwise."
If you have to suppress speech about what you are doing, you shouldn't be doing it.
I'm concerned about how they're hiding the history of ***** use. Deleting posts on ***** is quite extreme, and who knows what they'll do next? Start censoring the use of ***** on their network?
Our broadband support forums are designed to be a place where customers can discuss technical support issues and offer solutions.
And someone hijacking and modifying your data isn't a technical support issue?
My ISP recently turned on a similar system. I'm quite unhappy about it but I really don't have a realistic alternate ISP (boonies, telco, blah blah blah). It really does suck when things like this happen. I don't do anything illegal, but I still like my (relative) privacy and the ISP is the easiest place to attach my real identity to my data paths.
So, for now, I'm pondering going back to a fulltime SSH VPN to my web host for everything except the few apps I use that need low latency.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
It's probably in Google's best interest to get something like this widely deployed -- a lot of ISPs are frothing at the mouth to get Phorm/NebuAd on their networks for more revenue streams, and it won't be long before a Google query would not route to Google (even if done at www.google.com), but to wherever the ISP desires.
I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.
Sounds like you're thinking of the obfuscated tcp story. Wasn't so much a Google project as someone who happened to work at Google iirc.
Isn't this the same BT that sued everyone claiming a patent on hyperlinking? Would you expect anything less from these drones?
In the USA, we like stuff watered down, like beer, television, and freedom.
Firefox can keep a cookie, but what about all those apps doing HTTP requests (wget, media players, apt-get...) without maintaining cookies? Those can't opt out, so basically they are forcing that on you.
That's just plain disgusting anyways.
Advertising in television is done with the consent of the content creators, not so with Phorm. Modifying a site in this manner is completely unacceptable, there is no discussion to be had.
If it were done with the consent of the content creators, there would be little or no benefit over google ads.
The right to protest the State is more sacred than the State.
Since it seems like they store a copy of the websites visited, could a website have a license that is "only end users can keep a copy of the data on this site", and then sue Phorm if they keep the data? Or would their impersonating other servers be fraud, especially if people have the "opt-out" cookie?
Looking at the wiki diagram of what they do, that is just insane. They are a man in the middle, adding cookies, hiding cookies, redirecting requests to unrelated sites, etc. They are slowing down every site, and what happens if they get overloaded? Does everything come to a halt?
Imagine if someone got a server on a network and added an entry to webwise.net to the /etc/hosts file (or equivalent), they would get a record of every site that everyone with the extra DNS entry visited. Combine a server with a DNS poisoning attack, and you can get the traffic for a large number of people.
Maybe people should point www.webwise.net to a non-routing address to be safe?
If I have nothing to hide, don't search me
That appears to be the case:
KentErtugrul
Just to clarify: we do not serve adverts into the traffic stream. The websites within which the ads appear are in fact our partners. They choose to partner with us to bring you more helpful, relevant and yes, more valuable advertising
http://www.webwise.com/how-it-works/transcript_080306.html
For years I assumed I needed to pay BT for the line rental so I could get broadband through the telephone line, as I assumed only they could provide it. I got my calls and broadband from companies who give a shit about their customers. Then I found out that there are several companies who can do line rental / call / broadband deals (all of those I checked out were cheaper than BT, and not all signed up for Phorm). When I found this out I was completely away from BT within one month. If you're in the UK, and value privacy and a company who actually wants to please you, I suggest you do some Googling and be prepared to switch. They escaped criminal punishment, government punishment, the only reason they keep doing it is that they assume most people believe they are stuck with BT. If you do switch, make sure you tell them why; who knows, if they see enough rats abandoning ship it may make them rethink the Phorm deal. ispreview.com & adslguide.org should give you a starting point.
The difference is that my TV doesn't track what I watch, who I watch it with, who I talk to, what mail I send and when I go to the bathroom.
What a company could do, assuming it had the cash for reasonable Internet peering, would be to make a VPN service. Give directions for novice BT users to set up and route through. It doesn't have to be an "anonymous" service, however it would be a boon for privacy if TCP/IP logs are held just long enough in case of a security issue (or to make the UK government happy), and then promptly deleted. This service would be hosted physically in the UK to ensure decently fast connections, as opposed to other services located elsewhere around the world where packets would possibly have to cross through high latency overseas lines.
It could offer the usual PPTP services. It can also offer an SSL proxy (plain or using stunnel) for Web traffic so only the Web browser would have to be configured if the user doesn't have administrative rights. For users using ssh, it can offer PPP over ssh.
Then, this company can provide some decent instructions for people to set up a VPN to its site with the usual operating systems (Linux, OS X, BSD, Windows.)
Of course, BT could try to block or throttle the packets, but that is starting a type of legal battle with another company that may not be in BT's interest.
...yet...
I thought it had been decided that Phorm was only legal in the UK if it was an opt-in service, rather than an opt-out service?
Does anyone know why they have to implement it with cookies and redirects? (according to Wikipedia)
Couldn't they have done this silently and left users completely unaware of it?
As far as I can gather, it's not BT doing the dirty work. They simply route all HTTP traffic through the Phorm system, and their processes are set up so there's no way to filter whose traffic gets routed that way.
By the time it reaches the Phorm system, it may well not be associated with any specific BT user - Phorm don't know who has what IP address - so the only realistic option is for them to use something at the application level.
If anything, it's an indictment of our data protection laws that customer rights can be so easily signed away - all that needs to happen is for BT to include in their next bill "Oh, by the way, we're updating our terms and conditions, please check our website for further details".
I left BT a few months ago after they continued with the trial, despite massive outcry from customers and other internet users. Thankfully, here in the UK it's easy to switch ADSL providers, just request a MAC transfer code and give it to your ISP. I moved to ADSL24, a reseller of Entanet who are very open about their network, while other ISPs like to hide it. I have been extremely satisfied with my new provider, and I am going to make sure that I never give any money to BT again. Bad idea to annoy those younger customers, they've still got quite a lot to spend into the future.
If it went to court, any customer in the UK would be able to get away with terminating their contract on these grounds. I would recommend a formal notification of terminating the contract, the clear reasons why and the promise that this would be resolved via legal action if they chose to pursue you. I would also promise legal action if they in any way impeded my freedom to move to another ISP.
Help yourself, and Heaven will help you - Jeanne D'Arc.
What would happen if the webwise.net domain (which shares an IP with phorm.com) was to accidentally get DDOSed?
Going by the Phorm diagram on Wikipedia, it would seem that webwise.net is a central point of failure for the system.
Mod parent (insightful and informed AC) up.
As much as I hate Phorm (luckily I'm not with a Phorm ISP), that's not entirely accurate. As mentioned by an AC (but likely to get lost) Phorm only modifies the ad selection for the Phorm advertising network. It does not strip out other ads and replace them with their own (although it wouldn't surprise me if someone had suggested that), it just tries to target ads from a select network of advertisers.
That said, it does still piggy-back any content that I put up on my website by reading it and gaining marketing data from it. I sure as hell didn't agree to that, so I'm investigating methods of stopping them profiting from my content when I don't get a cut and when I purposefully don't put adverts on my sites.
It's about time that all http web traffic was https instead, so the likes of BT could not inject their garbage into pages without people knowing the pages have been compromised.
Take Nobody's Word For It.
It is my understanding that BT won't be removing your ads. Instead, "WebWise" will be a competing advertising provider to the likes of Google, Microsoft, etc. You can elect to put Phorm ads on your site instead, and in theory, those ads will be behaviorally targeted at the people browsing your site. (Or at least, the people who haven't opted out.) If you don't use Phorm, whatever provider's ads you sign up for will be shown.
The shitstorm, as I understand it, isn't that website owners' ads won't be displayed. It's that people using this WebWise thing while browsing your site will be reporting what they're doing to a third party, and since it's opt-in, many (most?) probably won't even know that they're doing it.
Worse, because WebWise now knows that Joe Schmo is interested in whatever it is your web site is advertising, say, cars, then it will start displaying car ads from your competitors on sites that have contracts with Phorm because Joe browsed your site.
All in all, pretty scummy, but I'd genuinely be surprised if it actually removes ads from sites that have nothing to do with it. Especially since they're talking about making it opt-in, I can't imagine that wouldn't be unquestionably illegal.
Surely Phorm violates copyright at some level?
They are effectively modifying content in such a way that what is presented is not what was published.
There could also be some issues affecting the value of the content. I create content, and BT defaces it before it reaches my client/consumer, they are in a sense effectively damaging my property and assets. If I was a large website owner I might take offense to this kind of behavior.
Participatory Governance : The only feasible option for a real democracy, where everyone really does have a say.
Again, this is not my understanding of how it works.
As I read it, if you put Google ads on your site, people from British Telecom are seeing Google ads, period. However, as a web site owner, you can instead choose to put Phorm ads on your site, in which case, people from British Telecom will see the behavior tailored ads.
There's nothing new in that. What is new, and what I understand has everyone so up in arms, is that when British Telecom people are visiting your site (and seeing Google ads), Phorm is finding out about it and logging that fact, so that when British Telecom people visit other sites that have Phorm ads, what they will see is based on what they saw when they visited your site (with Google ads).
Plus, as an opt-out system, people won't know that the sites they're visiting are being silently watched by a third party, which is always very uncool.
If they're actually replacing content served by non-affiliated third parties (i.e. Google, or site owners who run Google ads), I'd like to see a reference to that, because I'm wrong in how I believe this works.
There used to be a phrase "Damn with faint praise". Said in an Alan Rickman snarl one would completely wither the opposition with some remark. Such as: after a resounding technical explanatory victory, the opponent murmurs, "nice vocabulary."
You're right that if stuff looks totally "Pleasantville" then it comes through kinda snitty. But if you allow some *token* complaints, you can give the illusion of fairness while still hiding the killer points.
"Announcement: Posted by Admin: We're sorry if you experience some site slowdowns while we transition our content provider software". (Yea, my site is "slower" because a botch in your programming made my paid ad provider's ad hang upon loading. That doesn't do anything towards the fact that it was just fine last month.)
Thankfully we have a lot of choice and a very competitive market. It is trivial to switch to a different provider, and while most of your data may still be going over BT's networks, BT won't have a legal leg to stand on if they try to intercept communications belonging to people who aren't even their own customers.