Amazon To Block Phorm Scans

clickclickdrone writes "The BBC are reporting that Amazon has said it will not allow online advertising system Phorm to scan its web pages to produce targeted ads. For most people this is a welcome step, especially after the European Commission said it was starting legal action against the UK earlier this week over its data protection laws in relation to Phorm's technology. Anyone who values their privacy should applaud this move by Amazon."

How do I opt my website out?

[jonbryce]

It doesn't say anywhere how you opt your own website out of this.

I suggest everyone does this, no-matter how small or insignificant your site it.

Re:How do I opt my website out?

[fuzzyfuzzyfungus]

SSL.

Re:How do I opt my website out?

You don't. As far as websites go Phorm is opt-in.

Re:How do I opt my website out?

[Pop69]

Perhaps RTFA would be an idea ? Novel one I know this being /.

In a statement, Phorm said: "There is a process in place to allow publishers to contact Phorm and opt out of the system, but we do not comment on individual cases."

This would seem to imply that unless you opt out you are in.

Re:How do I opt my website out?

[ebcdic]

Phorm claims to look at robots.txt, but it's unclear what exactly they mean. See http://www2.bt.com/static/i/btretail/webwise/help.html#how-do-i-prevent-webwise-from-scanning-my-site

Re:How do I opt my website out?

[jonbryce]

I did read the article. In fact I saw it on the BBC before I saw it on slashdot, and would have posted it here myself if someone else hadn't already done so.

There's nothing obvious on Phorm's website about how to opt-out as a website owner.

Re:How do I opt my website out?

[xaxa]

I think you have to email them.
http://www2.bt.com/static/i/btretail/webwise/help.html#how-do-i-prevent-webwise-from-scanning-my-site

I've emailed them for my domains (they're very small and insignificant).

Re:How do I opt my website out?

[jonbryce]

Phorm is only opt-in to the extent that you agree a contract with them to display Phorm ads on your site.

It is opt-out as regards Phorm traking what your visitors get up to on your site.

Re:How do I opt my website out?

Kind of useless really. Crawlers using robots.txt are supposed to uniquely identify themselves, so that you may block specific crawlers. Phorm doesn't do this - instead, it processes directives intended for Google, Yahoo, and all crawlers.

Effectively, the only way to block Phorm with robots.txt would also block all search engines. That makes it effectively impossible to do, while still allowing them to claim that it can be done.

Bastards.

Anyway, if there were a way to block just Phorm using robots.txt, you can bet that as soon as a couple of major sites start doing it, Phorm will start ignoring it.

Re:How do I opt my website out?

[click2005]

Also, as part of the BT trials, they replaced adverts (from a number of charities) on webpages with their own adverts.

Those sites/advertisers weren't given the chance to opt-out.

Re:How do I opt my website out?

[kramer]

Reading carefully, they'll obey any robot.txt rule for "*", googlebot, or (yahoo) slurp. They apparently didn't feel it necessary to have their own robots.txt identifier so you can block just them.

Re:How do I opt my website out?

[LordKronos]

The guy saying "RTFA" was not talking to you, but the AC who claimed Phorm is opt-in, not opt-out.

In the AC's defense, though, the wikipedia article on Phorm says that UK Law requires it to be opt-in, and at least one ISP (TalkTalk) has implemented it in an opt-in manner. Other than that, though, it appears to be opt-out

Re:How do I opt my website out?

[Canazza]

From that page: "robots.txt: The Webwise system will observe the rules that a website sets for major search engines using the robots.txt method. If the website's robots.txt file is set such that "*" (any robot) is not permitted to crawl it, then Webwise will not profile its pages."

First person to capture the User-agent ID gets a cookie!

Re:How do I opt my website out?

[fuzzyfuzzyfungus]

Because sleazy bastards like Phorm would never, ever think of just impersonating an assortment of other people's legitimate User-agent IDs...

Re:How do I opt my website out?

[FrostedWheat]

More to the point ... why should I have to?

Re:How do I opt my website out?

[kalirion]

They mean that the contents of your site's robots.txt file will be used to generate robot ads.

Re:How do I opt my website out?

[blackest_k]

Opting Out is a bit of a joke to these people it seems.

While the privacy safeguards built into BT Webwise mean that sensitive or private content on websites is not compromised, the system also offers a number of mechanisms by which website owners can prevent pages being profiled if they wish. Website owners may implement any of the following methods:

              1. HTTPS: No HTTPS traffic passes through the system or is profiled
              2. Standard HTTP password-protection : Pages protected using standard HTTP password protection, as defined by RFC 1945, will not be profiled
              3. robots.txt: The Webwise system will observe the rules that a website sets for major search engines using the robots.txt method. If the website's robots.txt file is set such that "*" (any robot) is not permitted to crawl it, then Webwise will not profile its pages.

        Alternatively, you may request specifically that your website is not scanned by Webwise. To request that your website not be scanned by Webwise, please email:
        website-exclusion{at}webwise.com.
            [X]
How are robots.txt files handled by Webwise?

        The Webwise system observes the rules that a website sets for the Googlebot, Slurp (Yahoo! agent) and "*" (any robot) user agents. Where a website's robots.txt file disallows any of these user agents, Webwise will not profile the relevant URL. As an example, the following robots.txt text will prevent profiling of all pages on a site:
        user-agent: * disallow: /

        The following example will restrict profiling of a directory named "images":
        user-agent: Slurp disallow: /images

        The system will request the robots.txt file from the root of the host e.g. www.domain.com/robots.txt. When requesting the robots.txt file, the system will follow up to 5 redirects. If no robots.txt file or an HTTP error is returned, if the returned file is not in single-byte ASCII (ISO-8859-x) format, or if the file size is greater than 50Kbytes, then the URL will be marked as allowed for profiling.

        Website owners should note the following aspects of the Webwise system's interpretation of robots.txt files:

                * Malformed robots.txt files will result in the URL being disallowed for profiling.
                * Any of the well-established line-termination tokens are interpreted as a newline, i.e. DOS, UNIX, old-style MacOS linefeeds. Multiple linefeeds are ignored.
                * Web-encoded URLs are decoded and handled as normal.
                * Variable capitalisation within the robots.txt file is converted to lower case and processed.
                * The system does not support Google extensions to the robots.txt standard.

So the options are https, or password protect your site, or use robots.txt to block google and yahoo from indexing your site or email them and ask to be opted out.
option a and b inconvenience visitors, option c will reduce visitors since it means your site isnt getting indexed by the major search engines.
option 4 seems the only practical way to get these jokers to desist.
option d) no phorm in the robots text doesnt exist.

Re:How do I opt my website out?

[Richard_at_work]

BT owns a top level cert, so they can do a man in the middle attack without any error messages popping up on your end.

Re:How do I opt my website out?

[Canazza]

They've given us an 'all or nothing' ultimatum

Block all Search Robots (and effectivly remove yourself from Google/Yahoo etc) or e-mail them and hope they put you on their no-go list (and as with many hidden services, there will be no easy way of telling if they have)

We will obey the "*" from the robots.txt but we will disregard everything else.

Just keep a look out on http://www.botsvsbrowsers.com/ and if you really want to block them do a user-agent Server-side script test and send them "FUCK YOU" Pages

Re:How do I opt my website out?

Nobody makes you trust them as a CA. In fact, whether they're doing MitM yet or not, their very role in collaborating with Phorm is already a good reason to mark them as untrusted.

Alas, I went to delete BT and didn't see 'em on my list (FF3). I sure see a lot of people that I don't know, though. It's crazy that browsers ship with so many trusted CAs.

Re:How do I opt my website out?

[RalphSleigh]

Do you think they supply a user agent for dynamic generation of robots.txt to block them?

Re:How do I opt my website out?

[Daimanta]

Then you are stuck with one option:

iptables and known Phorm ips. DROP all packets originating from known Phorm addresses. This is ofcourse a pretty much faulty way of approaching it since they can quite easily switch IP-adressess and you will be stuck with outdated adressess on your list.

My thow at it:

any known ip-ranges for phorm and how does blocking phorm impact users(BT or otherwise).

Re:How do I opt my website out?

Kind of useless really. Crawlers using robots.txt are supposed to uniquely identify themselves, so that you may block specific crawlers. Phorm doesn't do this - instead, it processes directives intended for Google, Yahoo, and all crawlers.

This may not fall under any nations' anti-fraud laws, but it certianly is a form of fraudulent misrepresentation that violates some of the basic principles required for the Internet to function correctly (the Internet, like most forms of human communication, requires a certain level of trust between the various parties for positive and productive things to happen). Yes I know there are larger problems in the world, but there has to be a way to stop this, otherwise it allows even worse abuses of the Internet as we know it.

Could Phorm be open to civil charges some where, and/or could some international body spank them for not playing by the rules everyone else is expected to follow (e.g. ICANN revoking their domain name ownership)?

Re:How do I opt my website out?

[MightyMartian]

The trick here is going to be identifying Phorm's IPs. That could be tricky, and if they are essentially impersonating other user agent tags, then it might get very very hard.

Re:How do I opt my website out?

[dirvine]

I think that telling them of your website or email address is akin to answering spam emails !

This seems nothing short of ID theft on a great scale and must be investigated at an EU level if the UK government are too incompetent to protect their own people from this kind of intrusion.

Re:How do I opt my website out?

[Timmmm]

Actually it should be quite easy to work out. I expect that phorm does a man-in-the-middle attack and pretends to have the user agent of the web browser that has been tricked. All you need to do is ask some people who are using phorm to add "PhormIP" to their user agents.

It's easy to see if you're using phorm because it does an HTTP redirect to webwise.net.

Re:How do I opt my website out?

[h4rr4r]

The solution to that is to remove that CA from your browser.

If mozilla and other browser makers would remove that CA this problem would sort it self out very fast.

Re:How do I opt my website out?

Or ignore robots.txt outright despite claims to the contrary...

Re:How do I opt my website out?

[daem0n1x]

Wrong. To do that they would have to have certificates for every possible domain and spoof the domains.

Re:How do I opt my website out?

It's not possible to secure a connection with SSL as long as the MITM has a top-level cert? What?

That seems like a bit of a design flaw..

Re:How do I opt my website out?

[mikael]

Phorm purchased slots to place adverts - when there was a match between what the user was reading and adverts available, the advert would be displayed. When there was not match, the charities advert would be displayed. They weren't stealing anyone's advertising space but they were still intercepting the communications of unsuspecting BT customers who had neither been informed or consented to taking part in the experiment.

Re:How do I opt my website out?

[Richard_at_work]

If they have a top level certificate, they can generate all the domain certs they want on the fly - it would be no different at all to the cert you get from Verisign to run on your web server.

This is why ISPs should never be allowed to own a top level cert.

Re:How do I opt my website out?

[Sockatume]

Secret BT trials, at that. It took no end of pressure for BT to admit that they'd quietly implimented Phorm without actually telling anyone.

Re:How do I opt my website out?

[Daimanta]

I guess we only need volunteers and we can intercept the right IPs and add them to the blocklist.

Re:How do I opt my website out?

[SST-206]

FTLA:

http://www2.bt.com/static/i/btretail/webwise/help.html#how-do-i-prevent-webwise-from-scanning-my-site [scroll down]

Alternatively, you may request specifically that your website is not scanned by Webwise. To request that your website not be scanned by Webwise, please email:
website-exclusion{at}webwise.com.

So would that just earn you more bigpenis spam? It's hard to guess what low tricks these scum won't stoop to.

Re:How do I opt my website out?

[tpholland]

BT don't need a top level certificate to do that. They have Bruce Schneier.

Re:How do I opt my website out?

Ahmm Most HTTP servers can block specific adresses.

Re:How do I opt my website out?

[DigitAl56K]

As far as I can see (although I'm not an expert on the topic) the BlackBerry may already do this when contacting BIS. Hit up Options->Security Options->Certificates and you'll probably see various provider certs (trusted root CA's) that seem to be used to sign for other domains while you browse (may depend on TLS settings). I can mark my providers certs as untrusted, but I suspect if they wanted to they could force my settings to be overridden by service book (RIM seems to allow your provider to monkey with a lot of settings).

In the end it may be that your provider has more control over your security than you do.

Re:How do I opt my website out?

[Eil]

How would that work? BT might be a top-level CA but if I have an HTTPS-only site (say, https://www.example.com/ they still don't have my private key. Without that private key, they can't do anything to the data flowing between the web server and the end-user's browser without raising some flag or another.

They could create their own certificate for www.example.com in order to fool the end-user's browser, but that would involve a very intelligent proxy and would be incredibly (almost painfully) illegal, even in Britain I'm sure.

Re:How do I opt my website out?

[Caetel]

Not trying to justify Phorm, but how does HTTPS inconvenience visitors?

Re:How do I opt my website out?

[blackest_k]

http://www.wisegeek.com/what-is-the-difference-between-http-and-https.htm

In many ways, https is identical to http, because it follows the same basic protocols. The http or https client, such as a Web browser, establishes a connection to a server on a standard port. When a server receives a request, it returns a status and a message, which may contain the requested information or indicate an error if part of the process malfunctioned. Both systems use the same Uniform Resource Identifier (URI) scheme, so that resources can be universally identified. Use of https in a URI scheme rather than http indicates that an encrypted connection is desired.

There are some primary differences between http and https, however, beginning with the default port, which is 80 for http and 443 for https. Https works by transmitting normal http interactions through an encrypted system, so that in theory, the information cannot be accessed by any party other than the client and end server. There are two common types of encryption layers: Transport Layer Security (TLS) and Secure Sockets Layer (SSL), both of which encode the data records being exchanged.

When using an https connection, the server responds to the initial connection by offering a list of encryption methods it supports. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities. After this is done, both parties exchange the encrypted information after ensuring that both are using the same key, and the connection is closed. In order to host https connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity. Most certificates are verified by a third party so that clients are assured that the key is secure.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The first time a user attempts to access a secured page on your site, he or she is typically presented with a dialog containing the details of the certificate (such as the company and contact name), and asked if he or she wishes to accept the Certificate as valid and continue with the transaction. Some browsers will provide an option for permanently accepting a given Certificate as valid, in which case the user will not be bothered with a prompt each time they visit your site. Other browsers do not provide this option. Once approved by the user, a Certificate will be considered valid for at least the entire browser session.

Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not. For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged. This would include things like login pages, personal information pages, and shopping cart checkouts, where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages which absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified.

Finally, using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result

Re:How do I opt my website out?

[Richard_at_work]

You have hit the nail on the head with regard to how they would do it - man in the middle proxy talking to both ends as each other, generating certs for the domains on the fly. With regard to it being illegal, that is something that the EU are currently contesting with the UK suggesting that it isnt.

Re:How do I opt my website out?

[cyclomedia]

(Disclaimer: I too am livid about phorm and its implications, but facts are facts...) That's not how phorm works, they have real "placeholder" ads that are hosted and served alongside everybody elses, so if you don't get phormed you see the raw placeholder. So in the trial the placeholder was an advert for a charity - leading to much uneducated uproar about phorm evilly replacing a charity's adverts with their own. When the phorm interceptor detects it's own placeholder it then does all the keyword matching and other database stuff to decide what to serve in its place. If you didn't get phormed because you were using a non-phorm ISP to look at the web site you'd see the charity ad, meaning that Phorm were supporting charities, and are therefore nice cuddly humane people, honest. It doesnt just randomly shaft other people's ads or stuff adwords into your web page.

You're Starting at the Wrong End

[eldavojohn]

Anyone who values their privacy should applaud this move by Amazon.

Thank you for telling me how to think. I believe we are approaching this from the wrong end (why start with websites?).

The article hints at two other points I would encourage Brits who care to be vocal about:

Jim Killock, executive director of the Open Rights Group, said: We expect more sites to block Webwise in the near future and also ISPs to drop plans to snoop on web users.

Write your ISPs. Threaten to change ISPs even if you're not able to. Let them know how this makes you feel.

The European Commission has described the technology as an "interception" of user data and wants UK law to reflect more explicitly the need for consent from users in order for the service to be implemented.

As always, contact your parliamentary representative and also EU representative and let them know how you feel about this.

These would be much more effective options than asking each website that exists to request Phorm not scan their site.

Re:You're Starting at the Wrong End

[xaxa]

To write to your UK and EU parliamentary representatives, go to http://www.writetothem.com/

Re:You're Starting at the Wrong End

Write your ISPs.

your ISPs.

Done. Not sure how that's supposed to help though.

Re:You're Starting at the Wrong End

[IndieKid]

The European Commission has described the technology as an "interception" of user data and wants UK law to reflect more explicitly the need for consent from users in order for the service to be implemented.

Actually, I'm not sure that's quite true. The European Commission described the unauthorised trials that BT carried out with Phorm last year as unauthorised interception of user data; I'm not sure they have a problem with the proposed webwise service as such, although that may change.

Re:You're Starting at the Wrong End

Not .co.uk? Dammit and I thought I have been writing to my US parlimentary representatives! Son of a...

Stay er... evil???

[h4rm0ny]

Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again. Obviously keeping an eye out as always for loopholes such as allowing a different company to do the same as Phorm on their site, but currently Amazon is getting points from me for this. I despise Phorm. But apparently Phrom haven't been doing that well anyway. There was a bit of an exodus from their board a while back and I heard their shareprice took a bit of a whack after the original scandal. The EU investigating what the UK government refused to has just added to their woes, I'm guessing.

Re:Stay er... evil???

[fuzzyfuzzyfungus]

I suspect we'll see a fair bit more of this. Not because the world is full of fuzzy defenders of privacy(it isn't); but because the world is full of nonfuzzy violators of privacy and Phorm is trying to muscle in on their action.

One of Amazon's major selling points, beyond their good logistics, is their ability to use site analytics to make interest based recommendations to customers. Obviously, they have zero interest in letting Phorm piggyback on that, on their own site no less.

I suspect that many other major web presences will be in a similar place. Phorm is potentially lucrative for the ISPs, but it is a nontrivial threat to larger site and ad-network operators. The small guys are more or less resigned to outsourcing analytics and ad placement, so it won't be as much of a change for them; but the big independents will not be pleased.

Re:Stay er... evil???

[lena_10326]

Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again

Your opinion regarding that company appears to be fluctuating by the minute. Mmmmm'kay. You've got no experience with large corporations, huh?

Re:Stay er... evil???

[h4rm0ny]

Ah, good insight. It's not like me to not look for the cynical angle first. Well at least Amazon are something I know what they are doing and I can (just about) opt in or out of it. Back on the subject of Phorm, I just created a graph of their share price over the last twelve months which makes for some amusing viewing. I wonder how that's affected their balance sheet?

Re:Stay er... evil???

[jonbryce]

Not only that, but phorm would be able to see Amazon's suggestions, and pass them on to Borders / Blackwells or any of their other competitors.

Re:Stay er... evil???

[fuzzyfuzzyfungus]

Please correct me if I'm wrong; but my understanding was that Phorm's plan was to pay the ISPs for the privilege of spying on their customers and then buy ad space on various websites in order to run ads targeted on the basis of the spying.

For a small site, then, having Phorm spy on your visitors via ISP, then having Phorm pay you to run ads, would not be considerably different than using a 3rd party analytics package, google analytics or similar, and then being paid to run ads from a third party ad network. Now, since, under Phorm, the ISP needs to be paid, the site operator would presumably see less money; but it would be a difference of degree rather than kind.

If my understanding of Phorm is wrong(if, for instance, Phorm were tempted to go with the super-sleazy tactic that one sees occasionally, of colluding with the ISP to strip ads from 3rd party websites and insert their own), then the above is of course irrelevant.

Re:Stay er... evil???

[NoNeeeed]

I understand your argument, but I don't consider Amazon to be violating my privacy. I *choose* to use Amazon, and the data they collect on me is kept between me and Amazon. If Amazon were selling on your book buying habits and browsing history then that would be different, but as far as I'm aware this is not the case (and is unlikely to be in their interests anyway).

The problem with Phorm is that is monitors communication between you and a website without first asking you or the website operator if that is ok.

A dubious analogy....

Amazon - it's like me telling my girlfriend a secret and her not telling anyone else.
Phorm - that's like me telling my girlfriend a secret but having someone else eavesdrop on the conversation and then pass on the information to anyone willing to pay.

I also think the fact that Phorm modifies web pages to insert their own ads is the point where it goes beyond privacy invasion and steps well into fraud and possibly theft (of sorts). I run a website that has ads on it, and while I don't care if users block those ads (it's no different from making a drink during the ad breaks on TV) I do care if they are being systematically stripped out and replaced with someone else's ads, for which I will not be paid, and which the reader will assume were served by me.

Paul

Re:Stay er... evil???

[fuzzyfuzzyfungus]

Oh, I agree that Phorm is considerably more evil. I much prefer people who stick to gathering data on their own domain, as amazon largely does. I was just noting that amazon, and their ilk, don't oppose Phorm on principle; but because it represents a potentially dangerous competitor(by virtue of using eviler tactics than anybody else).

Re:Stay er... evil???

[Kabuthunk]

Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again.

If all it takes is a single incident... neither of which is overly 'good' or 'bad'... to sway your opinion of a company up and down like a yo-yo, then maybe you should look into being less of a sheep.

Re:Stay er... evil???

[hurfy]

Bah, they were just scared Phorm was going to sell us nasty books...

Re:Stay er... evil???

I also think the fact that Phorm modifies web pages to insert their own ads is the point where it goes beyond privacy invasion and steps well into fraud and possibly theft (of sorts). I run a website that has ads on it, and while I don't care if users block those ads (it's no different from making a drink during the ad breaks on TV) I do care if they are being systematically stripped out and replaced with someone else's ads, for which I will not be paid, and which the reader will assume were served by me.

Common misconception. They will not** interfere with the ads on any website unless that website is signed up with Phorm.

** And dare not. Just think of the lawsuits if they start messing with (say) Disney's websites or replacing (say) IBM's adverts without permission.

They're still evil, just not in that particular way.

Not to nitpick ...

[krou]

... but they obviously didn't do it for privacy reasons. As a business, I can bet they weren't happy with the idea of something scanning their pages and then targeting adverts from possible competitors based on what users were looking at on Amazon.

Re:Not to nitpick ...

[lena_10326]

They obviously did do it for privacy considerations or the perception of privacy, in addition to competition issues.

An online customer wants a product or service for a good price, fast delivery, and more importantly know that their transaction and personal information is safe from outsiders and abusive 3rd party companies. Anything that could possibly scare a customer away is going to be seen as a threat to amazon's revenue stream, so any privacy fear due to 3rd parties would be very high on the management's radar screen. Trust is a huge factor behind a customer's decision to buy on your website, so this decision is based on both the privacy issue as well as following a principle of not aiding your competitors.

Re:Not to nitpick ...

[Sockatume]

It is good to know that my privacy is actually importantto a powerful corporation for a change, even if it's for the wrong reasons. The enemy of my enemy is not my friend, but I'll take a temporary ally when I get one. So long as they don't push for some remedial action which will further disadvantage me (i.e. "users' browsing habits are trade secrets", which would block me from seeing my own browsing history, even under the FoIA).

Re:Not to nitpick ...

You're saying that Amazon, who tracks every single thing you do on their website, and who owns Alexa, cares about privacy? Seriously?

Re:So in other words...

you DO hate google

Ha yes, real eKonomix strikes...

Who want to bet that Amazon is actually blocking them because they are not paying to do it?

Incidentally, why would a business let another business makes money out of it for free?

Simple economic strikes: THAT service isn't free.

Re:So in other words...

Yes exactly but Google 'does no evil' so they must be doing it for the betterment of mankind.

Amazon is just pandering now

[wykell]

figuring that any publicity to take the collective internet's minds off of the gay book fiasco (as I have decided to term it) is good publicity. They've probably been sitting on this one for 6 months and just not telling anybody. I still will think more than twice before ordering something from them again.

Re:Amazon is just pandering now

"gay book fiasco" - get over it. It was a bug (and Amazon has admitted as such) not a conspiracy. It hit much more than gay literature (but since that does not satisfy the "gay bashing" story it conveniently got ignored).

"They've probably been sitting on this one for 6 months" - nope, the opt-out mechanism has not been available for that long so that's a impossibility.

"I still will think more than twice before ordering something from them again." - why? best prices, best support, best selection. What's your point?

Re:So in other words...

There's a big difference. Google doesn't hoover up ALL of your http traffic, Phorm, on the other hand, does!

Re:So in other words...

[ji777]

It's actually been a while since I last heard about phorm. I believe that the general issue had more to do with phorm intercepting pages on the ISP's side and re-writing them to insert material before re-serving them to you. Google ads, on the other hand (since you brought them up) is a widget added by the site owner's permission.

Re:So in other words...

[hansamurai]

Except with Google ads, the people who actually own the website choose whether or not to serve them. Phorm ads are injected at the ISP level, completely ignoring whether the server wants the ads or not. Yes, they're still interest based, but they're evil for other reasons in my opinion.

Re:So in other words...

[ebcdic]

Google doesn't do anything unless you use Google. Phorm gets the information from your ISP.

Re:So in other words...

AdBlockPlus Phorm Edition, anyone? :P

Re:So in other words...

[bencollier]

This thing is hard-wired and scoops everything, and the vast majority of people who are targeted won't even realise it's happening. I think it's considerably worse than what google gets up to.

Another reason for https

[freelunch]

More sites should provide an option for https, like gmail does. Some still don't even provide it for authentication.

Once upon a time there were wimpy CPUs, and https was a more significant computational burden. Now, not so much. Especially when compared to the resource requirements of most dynamic page generation systems.

Re:Another reason for https

You think they don't use https because they are wanting to conserve YOUR compute cycles!

AHAHAHAHA!

Re:Another reason for https

[u38cg]

Except BT has a top level cert. They can MITM you till the cows come home and you'd never know. This is one more reason browser security is flawed.

Re:Another reason for https

[drspliff]

Yes, handling a few https connections is quite easy for your desktop computer, however on the server side you may have 300 SSL connections open, encrypting/decrypting on perhaps 100 of them at once ontop of the load generated by your web applications.

I'd like to see hardware crypto accelerators come as standard with all server chips, much like a math co-processor of years ago.

Re:Another reason for https

[squizzar]

You think dynamic page generation occurs on YOUR computer?

Re:Another reason for https

Can't you (I mean mozilla/apple/microsoft) blacklist their specific cert?

Re:Another reason for https

[Ash-Fox]

More sites should provide an option for https

I host near a few hundred websites on one of my servers, it has one IP address. A HTTPS cert does not support virtualhosts, not to mention, each subdomain/domain used requires a new cert that costs money, to work without popping up errors that scares users away.

If you resolve these problems, I'll gladly make HTTPS an option.

Re:Another reason for https

Except BT has a top level cert

It's completely irrelevant what they have if it's not trusted by client software which, may I add, isn't by any browser. I can make a "top level" certificate right now and use it to certify other certificates supposedly covering google.com etc. it means nothing if no one trusts it which is exactly the situation BT is in.

This is one more reason browser security is flawed.

If you know a way that one party can identify another (and sometimes vice versa) without trusted third parties then we are all waiting to hear it because I guarantee you if there was another way people would be doing it.

Re:Another reason for https

[willmorton]

I've seen this a couple of times in this thread. I have IE6 and FF3 on this desktop, and neither of them has a BT cert in their list of roots. Proof please?

Re:Another reason for https

[u38cg]

You have it backwards. If they have a top level certificate, this means that your browser trusts it *by default*. This in turn means that they can transparently decrypt and encrypt your messages to an external server without your knowledge. Check out your list of trusted browser certificates sometime. You may be surprised who you "trust".

As for your other comment, you are correct, third parties are an essential part of the process. However, the incentives are wrong. Think for a moment: who would suffer financially if a top-level certificate on your browser was compromised? It's long been my opinion that users should pay an annual subscription to a top level certificate of their choice. This would encourage market forces to align themselves with best security practices.

Re:Another reason for https

[u38cg]

Certainly. Top level certificates are simply the certificates that come installed in your browser by default - I encourage you to have a look and throw out any you think shouldn't be in there.

Re:So in other words...

[Sockatume]

You opt into Google's ad service by visiting a site using it, and can opt out by simply stopping them from creating the tracking cookies. You automatically opt into Phorm when you use the internet and can only opt out by setting a special "don't track me bro" cookie on each profile of each browser used by each device in your home. I think that's quite a distinction. Phorm assumes that any of your web activity is theirs to track unless you specifically tell them otherwise.

But how exactly does it work?

[91degrees]

Can someone provide an unbiased explanation of what Phorm is? Why is it an opt-out system? When did I or Slashdot give implied consent to anyone to inspect the packets for reasons other than routing? What data do they collect and what do they do with it?

Re:But how exactly does it work?

[Jane_Dozey]

Phorm wants to inject ads into web pages at the ISP level. They want them to be targeted so not only do they want to alter web content without the owners or receivers consent, they also want to take a look at all web traffic first (deep packet inspection) and keep a history so they can better target the ads. It's opt-out because otherwise no-one would even touch it.

Now, I'm not going to even try to claim that I'm unbiased as living in the UK means that this monstrosity may well hit me but I think that's not an entirely inaccurate explanation. I really hope that the EC manages to step in and squash Phorm and maybe even slap BT with a giant fine.

My website content has been written to look how I want it to look. I block many ads as a policy as I don't want crap clogging up my screen or distracting me. Now they want to bypass both my content layout in my website *and* throw ads at me even though I have zero interest in them. Asshats.

Re:But how exactly does it work?

Phorm is an evil proxy which changes your pages, replacing ads, as it passes the pages to the browsers of people who subscribe to evil ISPs who use Phorm as an additional revenue source. It's like getting your newspaper with the ads cut out and replaced with other ads by the paperboy.

Re:But how exactly does it work?

Phorm wants to inject ads into web pages at the ISP level.

No they don't. They want to monitor all your web browsing (by tapping your ISP) to build up a profile of you. Then they want to sell targeted advertising space to advertisers in much the same was Google does: i.e. a website uses Phorm ads instead of Google ads and Phorm chooses what adverts to place based on the visitor's profile.

Monitoring web browsing is, as far as anyone can tell, illegal, but the govt refuses to enforce the law. That's what the EU is grumbling about. But the other part of the business model is just a standard advertising broker. They're not injecting ads.

Re:But how exactly does it work?

[Jane_Dozey]

Apologies if I've missed something. From what I can gather there were some complaints about ads being messed with in non-participating websites during some of the trials, hence the reason I thought this was a part of the main plan.

Do you know if the ads in participating sites will be there in the actual web page or if they'll be stuffed in during transit of the page to my browser? Curious as the latter might mean having to download the stupid things regardless of whether I want to or not.

Re:But how exactly does it work?

[threeturn]

Technical explanation in some detail

Q Why is it an opt-out system?
A Because they couldn't get away with providing no optionality control, so they went for the option which pushed as many users as possible to their system.

Q When did I or Slashdot give implied consent to anyone to inspect the packets for reasons other than routing?
A You didn't, but Phorm and the spineless UK government has decided you did.

Q What data do they collect and what do they do with it?
A Browsing habits to produce targeted advertising.

Re:But how exactly does it work?

Sorry, I don't know.

Re:But how exactly does it work?

[91degrees]

Thanks for the link. Exactly what I wanted:)

Re:But how exactly does it work?

[Heed00]

Here's a short article by Dr. Richard Clayton that might explain a few things. http://www.guardian.co.uk/commentisfree/2009/apr/15/phorm-internet-privacy-european-union

Re:But how exactly does it work?

People couldn't have a good rant if everyone knew the truth. Your post will stay unmodded because of it.

Imagine this on your website. This is what phorm will ask you to cut and paste into your html:

<img src="http://phorm.com?id=user_id_of_isp_customer" alt="banner ad">

Phorm will have a profile on your user id because Phrom get to see every website you visit because your ISP tells them everything.

Re:But how exactly does it work?

Those who have Mb/Gb limits to their connection should ask for a refund for the extra phorm data that is being downloaded that ISP's are supplying as a "service"... Extra download =$$$ from you, and at the same time phorm is handing $$$ to the ISP's = win win for them.

Can't wait for Phorm2 whereby they inject their cr*p in video-streaming every millisecond or so.

Re:But how exactly does it work?

Somebody who claims to have been at a presentation without signing the NDA says that ... it all goes back to servers in China....

Why MI5/6 haven't strung up a few ISPs is another question that has not been answered.

Hasn't anyone been concerned about OTHER rewriting? Like any query FROM gov.uk about Tibet or Taiwan? Or anyone else's query?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:So in other words...

[mrchaotica]

I believe that the general issue had more to do with phorm intercepting pages on the ISP's side and re-writing them to insert material before re-serving them to you.

WTF?! Even ignoring all the privacy issues everyone else is talking about, isn't that still blatantly illegal? It's copyright infringement! By modifying the web page, Phorm is creating a derivative work, and that requires permission of the copyright holder.

Phraudsters

[Blue+Stone]

Phorm are liars when it comes to robots.txt.

They say they respect robots.txt but their scraper will only respect it if it also blocks google and yahoo. If it allows Google and Yahoo, they say it's fair game for Phorm. That's not respecting it at all.

But what do you expect from the sort of people who would conduct illegal surveillance on people to test their spyware system and claim that letting opt opt out would have been impossible because it would have been too difficult for them to understand the complicated computery stuff they were doing.

Phraudsters.

Re:Phraudsters

[heffrey]

I guess you'd have to write some special processing to return a custom robots.txt to disallow all if the user agent identified the crawler as Webwise and otherwise to return the normal robots.txt.

I don't know but I imagine webservers can do this sort of thing.

Re:Phraudsters

If you malform your Robots.txt in such a way that googlebot and slurp handle it correctly, then Phorm will not index your site but Google and Yahoo! will.

Re:Phraudsters

It's quite easy to figure out the yahoo and google net ranges. If you want them to crawl your site, send them a sane robots.txt and a "block all" robots.txt for everyone else. (that's probably easier than trying to figure out where phorm hides every other week)

Re:Phraudsters

"Phorm launched the Open Internet Exchange (OIX) to revolutionise online advertising while fully protecting user privacy and anonymity. Also, Phorm has created Webwise; a new system designed to make the Web safer and more relevant to Internet users. Webwise features include enhanced protection against online fraud and more relevant advertising - all without storing any browsing history or personally identifiable information."

I like the way the marketing & legal bigwigs think. its so deliciously evil! just look at the choice of words:

"Open Internet Exchange (OIX)"
"while fully protecting user privacy and anonymity"
"Web safer and more relevant to Internet users"
"enhanced protection against online fraud "

all of them are flat out lies. they are just promoting themselves. its the exact opposite. its like DRM - there's no rights left!

Re:Phraudsters

[jonbryce]

But presumably they spoof the Googlebot string, so you have to either blacklist the IP addresses Phorm might use, or whitelist all the IP adddresses Googlebot might use.

Re:So in other words...

[Xest]

Well no, because when Google does it you have to visit a site that uses Google's technology, you can easily choose not to, you can also just opt-out.

When Phorm does it they are searching through every single action you take on the internet, whether it's a site that has anything to do with Phorm or not. Phorm works at ISP level by watching all the data that goes in and out on your connection. There's no avoiding it, you just have to go through it no matter what.

You see the fundamental difference is this, with Google I have to effectively send the data to them, it is only what I allow to pass out of my connection to them that is effected and only if I haven't opted out.

With Phorm I have no choice, every single bit of data whether I want it to or not goes through their systems.

I don't like what Google is doing either, but at least they make it possible for me to avoid their systems. With Phorm, they get to look at every single bit of data I send or receive, they say I can opt out but that doesn't mean my data isn't still passing through their systems and that's assuming I can opt-out unlike the people who they tested it on covertly with no notice or chance to opt-out.

What they don't tell you

[Nicolas+MONNET]

Is that if you opt-out of Phorm, you are automatically entered, for free, in a program called Phorm2. But don't worry, you can opt out. For your convenience, in that case, you will automatically be entered in our new business web marketing program, Phorm++. If you're not interested in Phorm++, no worries, you can very easily opt-out. In fact, it's so easy, we'll do you a favour and give you free, automatic access to PhormDeluxe. PhormDeluxe is completely optional. Just send us a certified letter to opt out.

Re:What they don't tell you

[wisty]

Can we offer to deliver them complimentary building materials through their windows, with an opt out clause?

Re:What they don't tell you

Actually, if you opt out of PhormDeluxe, you'll be automatically entered for no charge into our basic Phorm program.

Nice catch! Bloody bastards!

[Nicolas+MONNET]

This is stunningly devious. The bastards.

I've emailed them too

[Nicolas+MONNET]

For real,

To: website-exclusion@webwise.com

Subject: Exclusion requested from your spyware system

I hereby request that you remove the following domains that I own or may own in the near future from your WebWise / Phorm system:
phorm-is-a-fraud.com
webwise-is-big-brother.com
bt-is-completely-retarded-for.allowing-this-phorm-nonsense-on-their-network.com
webmasters-shouldnt-have-to-opt-out.com
you-dont-respect-robots.txt-you-lying-scumbags.com

Fuck you very much!

Re:So in other words...

they're still interest based

Advertiser interest based. That has little to do with user interest. I haven't seen an ad I was interested in in years.

Re:So in other words...

[el_gordo101]

What site owners need to do is to identify the HTML that Phorm is injecting and inject some JavaScript/CSS of their own to hide or deface these ads. Something like:

.phorm{display: none;}

or similar should do it. For extra bonus points, inject your own links and/or images into the ads. How long before advertisers pull out of Phorm if the goatse guy or something equally horrific keeps appearing in their ads? It is, after all, your content and you should be able to do with it what you please.

Re:So in other words...

[Heed00]

And don't forget the method by which they do their thing -- deep packet inspection. It's not the behavioural targeted ads that are the real problem with Phorm -- the real problem is that their DPI kit "gifted" to the ISP intercepts communication between two parties (the web surfer and the web page) without informed consent of both parties. In short, they spy on your web browsing in order to profile you.

Re:So in other words...

[RalphSleigh]

I believe phorm acts like other advertisers in that you place areas on your site for ads and link to them, the scary bit is they do a deal with ISPs to DPI your web traffic to help profile you for these adverts, so the user has to opt-out of their profiling. This is the scary/illegal bit they are getting bashed for, and the EU is looking into.

Re:What the hell?

[Tubal-Cain]

Cut new squares out of them.

Re:So in other words...

[wordsnyc]

Right. I'm not seeing the difference, except that Google -- says -- they use the contextual system of adsense ads on a page to categorize it as to "interests," so they are only tracking your route between pages that carry Google ads, not the whole web. They wouldn't take note of your visit to a government agency page, for instance, supposedly.

A distinction without a difference in practical terms at best.

The scary part

[RalphSleigh]

They claim to manage the user opt out via a cookie, from reading the FAQ it appears this cookie is injected into every domain you visit

As explained on the Customer Choice Process page, when a user opts into the BT Webwise service, a Webwise UID cookie, containing a unique random number is placed on the userâ(TM)s computer. This master cookie is held is the Webwise.net domain. When the user then visits other websites, the Webwise system stores a copy of the Webwise UID cookie within the browser in each the website domains visited by the user. The cookies are clearly labelled as belonging to Webwise as noted above and as a result can be easily identified as different to those cookies which may be placed by the website itself.

Since it claims to need no client software, I must assume they do this by injecting extra cookie headers into all the HTTP responses sent to my browser....

Re:The scary part

[Sockatume]

I wonder, does this mean that every domain you visit is handed your Phorm opt-out cookie? Or would they be smart enough to strip it back out? I doubt there's a security hole there, but paying even a trivial security cost for zero user benefit sticks in my craw.

Re:So in other words...

[MightyMartian]

I'm no fan of AdSense, but Phorm's scheme is technically quite different. Google does not, nor can it, do the kind of packet inspection that Phorm is doing.

Was I the only one ...

... who read "Amazon to block porn scams"?

scans...

[Anachragnome]

"Anyone who values their privacy should applaud this move by Amazon" /golfclap

Supplication before our Robotic Overlord. Check.

Suspend free-thought. Check.

Check-out cart. Check.

Re:So in other words...

[iangoldby]

In fact, even if you do set the Phorm 'opt out' cookie on all browsers/devices/profiles that you use in your house, all of you HTTP requests still go through multiple redirects before getting to the intended destination.

If your ISP implements Phorm, then there is no way of opting out of having your HTTP requests being directed through Phorm's servers before finally redirecting back to the server you wanted in the first place.

All that the 'opt out' cookie does is to stop them serving up customised advertisments. You still have all your HTTP requests going through their servers. There is no way to avoid this, other than to change ISP.

I do hope the above is incorrect. Sadly I'm pretty sure it is accurate.

Re:So in other words...

[iangoldby]

I think you've misunderstood. Apart from some questions about early trials by BT, the Phorm system inserts customised advertisments only where the site owner has requested them. It won't insert advertisments into pages served up by owners who don't want Phorm advertisments. There won't be any Phorm advertisments (or any other for that matter) appearing on my personal website, or any other websites that I maintain.

No, the real objections most people have to Phorm are:

1. It spies on information that is private to the client and the server.

2. It degrades the web by causing every HTTP request to go through a series of redirects before getting to its final destination.

3. It spoofs cookies on the client's machine.

Re:So in other words...

[AlexBirch]

But in all fairness to Phorm, their corporate motto is:
Do only Evil.

Question

So how does Phorm actually display its ads? Will it replace ads on my site with ads of their own (if so, how will they identify which images are ads?) If so, what happens to my ads - and to the people who have paid to advertise on my site? If not, will it modify my site's layout to place its ads (say, a banner on top of the page)? If so, what happens to my layout - will it be fubar?

I'm seriously asking, I haven't really come across a good explanation of the "delivering ads" bit of their business, only the "snooping and spoofing" parts.

Re:So in other words...

[el_gordo101]

Thanks for clarifying, I was under the impression that the ads would be injected into sites on the fly. In this case, if we could figure out the user-agent and/or IP addresses for their spiders, we could still do some interesting and mischievous things like keyword injection or replacing the normal content with random strings of garbage text. This would have the effect out poisoning their keyword scraping process, at least for your site. I know Google frowns on this practice and can knock you down in the SERPS or even de-list you, but who cares about these Phorm bastards.

TLS with SNI and CACert

[xororand]

The first problem has already been solved in SSL's successor, TLS. The "Server Name Indication"[1] extension of TLS allows the client to transmit the desired virtual host before the encryption begins. The current versions of most major browsers support this, including: Firefox 2.0 and later, Opera 8 and later, IE7 and later, Chrome, Safari 3.2.1 and later.
Apache, Cherokee, Lighttpd and nginx support SNI on the server side.

Your second problem is not as easy to solve. You could consider CACert[2], a certificate authority based on a web of trust. When I applied for CACert, the assurers were quite serious and checked my identity (ID card, photo and signature) more thoroughly than some ISPs who are reselling commercial certificates. No major browser ships with the CACert root cert but fortunately it's very easy to install!

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] http://www.cacert.org/

Re:TLS with SNI and CACert

[Ash-Fox]

The first problem has already been solved in SSL's successor, TLS. The "Server Name Indication"[1] extension of TLS allows the client to transmit the desired virtual host before the encryption begins.

I didn't know that had been implemented in HTTPS yet, that's awesome.

Your second problem is not as easy to solve. You could consider CACert[2], a certificate authority based on a web of trust. When I applied for CACert, the assurers were quite serious and checked my identity (ID card, photo and signature) more thoroughly than some ISPs who are reselling commercial certificates. No major browser ships with the CACert root cert but fortunately it's very easy to install!

No, that is not a option. I already can't get half the people to login on a HTTPS site because it's self signed and adding the certificate is just as easy as running a downloadable executable. I ended up moving it to regular HTTP to escape the stupidity of people telling me "Firefox says the page is not found" (in reality, firefox gave them an error page, and they 'saw' it a page not found message - couldn't convince them to even read the error page). While some IE users said the website is not secure and couldn't figure out how to get it to work. Worst was, I had given them a direct link to a executable that would install the certs etc. correctly and they couldn't get to doing that (I don't understand how they installed Firefox or their instant messengers if they can't do that).

Doh! Not PORN!

I saw this Phorm and instantly thought it would lead to phone porn!!!

Double Doh!!

Why not work with Google on this?

[Auxbuss]

Why not have a key pair (or something of that ilk) that you exchange with the crawlers? If you authenticate, then you can crawl my site. At the moment it's a free for all. Why not use the weight of Google to change the rules. Just my starter for ten after a few beers.

Creative Commons License?

[DriveMelter]

I was wondering if this use is in violation of the Attribution-Non-Commercial-No Derivative Works 2.0 UK: England & Wales license? http://creativecommons.org/licenses/by-nc-nd/2.0/uk/

Re:So in other words...

[cyclomedia]

I posted a correction to this above, (boy am i going to get flamed today, yes, phorm is evil, but not because of this bit...), If a banner ad rotator serves up a non Phorm ad you'll see it as normal, if it serves up a Phorm placeholder ad and you're on a Phorm ISP that ad may be switched out on the fly for a different Phorm ad. If you're not on a phorm isp you'll see the placeholder ad just like it was a normal banner. They used a charity's banner ads in the trial to try and portray themselves as "nice".

Comment removed

[account_deleted]

Comment removed based on user account deletion