Wikipedia Opts Out Of Phorm

ais523 writes "Wikipedia (and other websites run by Wikimedia) have requested to opt-out from Phorm; according to the email they sent, they 'consider the scanning and profiling of our visitors' behavior by a third party to be an infringement on their privacy.'" Another reader points to this post on techblog.wikimedia.org which includes a confirmation from Phorm that those sites will be excluded.

Re:Frist Ph0rm

[David+Gerard]

It's the opposite of Artificial Intelligence: if you network enough marketers you get Sincere Stupidity.

The official post

[David+Gerard]

Wikimedia Tech Blog post.

(This would have happened sooner, but Brion was snowed under.)

Re:The official post

[Blue+Stone]

I'm hoping the BBC will be next.

Re:The official post

[Dreen]

Not nearly all Wikimedia domains are included there, for example only handful of wikipedia.* is that because the other ones are only redirects or something?

Re:The official post

[David+Gerard]

That's everything which Wikimedia directly controls DNS for. There's others that have different technical or administrative contacts listed. They've been alerted they should do it themselves too.

Re:The official post

[brion]

Those are also not actual Wikipedia content sites, but either redirects or sites of local Wikimedia chapters. All our actual content is on our own domains -- for instance German-language Wikipedia is at http://de.wikipedia.org/ not http://wikipedia.de/ which is a portal page maintained by Wikimedia Deutschland. (In part because German courts routinely shut wikipedia.de down in preliminary injunctions... ;)

Re:The official post

[OldakQuill]

The BBC can't opt-out at the moment. It seems that major sites which do opt-out at the moment make news (including headlines at http://news.bbc.co.uk/). It'd be quite reflexive for the BBC to opt-out from a scheme run by a major UK telecommunications company and to report it on their news website, since that is a major source of their web traffic. The BBC News website itself would be making the news by undermining BT's scheme on the grounds of privacy invasion. When enough sites have opted-out for it to be non-news, they could do it.

Also, the BBC and BT have to work with each other on things like iPlayer, the online television/radio delivery platform. Perhaps the BBC are avoiding opting-out on these grounds too.

Then again, since the BBC has a special place in the UK regarding license fee and lack of advertising, perhaps they were opted-out of the scheme from the beginning.

Re:The official post

[EdZ]

You don't know the BBC. They've reported on their OWN internal scandals in the past, and tried pretty well to remain unbiased over them.

Re:The official post

[AlexanderHanff]

Brion,

I would like to extend my gratitude to you for supporting the campaign and opting the Wikimedia Foundation out, myself and other campaigners are very appreciative of the support.

Sincerely,

Alexander Hanff
Founder of NoDPI.Org

Re:The official post

[Opportunist]

It's a sad, sad world when governmental owned news media are less biased than privately owned ones. My socialist buddy will heckle me with this for ages if he finds out...

Re:The official post

[Shrike82]

The BBC aren't owned by the Government. It's operated and regulated by the BBC Trust, and it was originally set up by a bunch of telecom companies.

Re:The official post

[Dr_Barnowl]

The BBC is not government-owned. It is an independent media corporation, formed by a Royal Charter.

Re:The official post

[Dr_Barnowl]

The BBC is funded directly through the license fee (which it collects for itself), not through taxation and redistribution from the government.

Re:The official post

[mdwh2]

Firstly, the BBC can and do report on their own news.

Secondly, I'm confused as to your logic - are you really saying that the BBC can't do anything that would be "newsworthy", because they might get into some circular-metajournalistic-tangle over whether to report it or not? Either they'll report it, or they won't, but it would be ludicrous to suggest they were prevented from being able to carry out the action itself, whether or not it gets reported.

Re:The official post

[asc99c]

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Government rules give it a unique position that feels a lot like taxation (i.e. a very similar situation is that you have to pay road tax if you own a car).

NB just being devil's advocate here, big fan of the BBC myself!

Re:The official post

[An+ominous+Cow+art]

Why do you say that it's sad? In my perfect world, I'd be more likely expect a privately-owned source to be tainted by the views of its owners, and a governmental one to be closer to reality.

Re:The official post

[FireFury03]

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Please stop spreading misinformation - everything you have just stated is completely incorrect. You need a TV licence in order to watch broadcast TV (this includes streams over the internet which are simulcast with broadcast TV, but does not include streams which are not simulcast). You do not require a licence if you do not receive broadcast TV, no matter whether or not you own a TV - i.e. you don't need a licence in order to watch DVDs, use your computer, etc.

Whether or not you agree with the TV licence, spreading misinformation doesn't exactly help your argument.

Re:The official post

[brion]

Thanks! :)

Re:The official post

[asc99c]

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

And one point I forgot to include in my original post is that you can't buy a TV just to watch ITV / Channel 4 / Five - in this case you have to pay for a BBC licence fee.

Re:The official post

[FireFury03]

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

It is interesting to note that there has recently been a public consultation on the methods used to collect the licence fee, and the results showed that the public generally feels that the licence fee collection is far too heavy-handed. It will be interesting to see if anything changes as a result of the consultation.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

My understanding is that if you officially inform them that you don't receive broadcast TV then they will send round someone to check and then stop harassing you. I've got no first hand experience of this, however, since on the occasions when I didn't have a TV I didn't inform them since I take the attitude that I shouldn't *need* to inform anyone that I'm not breaking the law (when was the last time you phoned up the police to tell them you haven't committed a murder?) They go through a cycle of sending increasingly threatening letters and then send round the "enforcement officer", who I refused entry to my property.

The TV licensing officers have no legal right to enter your property without a warrant and they can only get a warrant if they already have some evidence that you are breaking the law. They rely on people foolishly inviting them in.

At least they've stopped sending libellous letters these days (at one point they took to sending me letters with "YOU ARE BREAKING THE LAW" printed across the outside of the envelope. If I'd had the time and money I would've sued them for libel as I blatantly wasn't breaking the law since I had no TV.)

And one point I forgot to include in my original post is that you can't buy a TV just to watch ITV / Channel 4 / Five - in this case you have to pay for a BBC licence fee.

Well, it isn't a "BBC subscription fee", it is a "TV licence fee" - you need to pay it to watch any broadcast TV and a large proportion (but not all) of the money collected goes to fund the BBC.

For the record, I broadly support the idea of the licence fee, although I disagree with the collection methods and think the whole system could do with being redesigned. IMHO, the licence fee serves the purpose of allowing TV programmes to be produced without having to bow to the commercial pressures. This allows programmes to be made which appeal to minorities, rather than always pushing for higher viewing figures for everything. The changes I think would be beneficial are:
1. Abolish the concept of a licence tied to receiving broadcast TV and just charge a fee to every household (possibly as part of the council tax system) - increasingly the licence fee is going on non-TV services, and it doesn't really seem fair to have TV watchers subsidising services that don't require a licence such as the radio channels, the BBC website, iPlayer, etc. This would also remove the need to harass innocent people, and the associated cost.
2. Avoid using the licence fee to fund really popular programmes that would do just as well on a commercial channel. This could best be served by splitting the BBC channels into a number (maybe 2?) of licence-funded channels and a number of commercial channels. The licence fee would still allow them to produce minority programming and take big risks on cutting edge programming on the licence funded channels, but if a programme becomes really successful it can be "sold" to the commercial arm and the proceeds of the sale can be ploughed back into the licence funded channels. This kind of re-investment would reduce the amount that would need to be charged for a licence fee.

where is the list ?

[johnjones]

sorry I dont understand

where is the list of websites who have opt'd out of webwise ?

and since webwise is not active at the moment what good will this do ?

regards

John Jones

Re:where is the list ?

[David+Gerard]

The Open Rights Group is keeping a list of people it's asked to loudly and publicly tell Phorm to phuck off. Amazon opting out made lots of mainstream media a couple of days ago; looks like Wikimedia doing the same will get a bit of notice too.

The point is to publicise that Phorm (a) exists and (b) is a bad thing. Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Re:where is the list ?

[TubeSteak]

Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Wrong.
Schemes like Phorm exist because they are opt-out.

Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful.

Re:where is the list ?

[oldhack]

"Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful."

Or because opt-out is a fraudulent scam. We've got ten thousand and one things to keep track of for real life, and I don't see why we should have to keep track of opt-out status for every pissant website.

Re:where is the list ?

[bit01]

Numerous studies have shown that people are lazy

Numerous studies have shown that people attempt to rationally allocate their time and attention.

There are millions of businesses in this world. It is not humanly possible to opt-out of all their marketing drivel even when there a cost-benefit in doing so.

Marketers steal the time and attention of many people to make a sale to one person and then act all surprised when those people get pissed. Spam is just the extreme example of that, unfortunately becoming less extreme all the time.

---

The USA is

Re:where is the list ?

[Opportunist]

That's exactly what's wrong with opt-out in the first place.

"Here, you are now a member of the Church of Opportunist worshippers. That costs just one buck a day, you can pay a year in advance without worries, and of course the moment you tell us you don't want to be a worshipper anymore, we'll terminate your contract immediately"

This is fine if you first opt-in. I.e., if you have to come to me to worship me and pay me for it (not bloody likely, but hey, if you really wanna...). If it's just "done" to you, probably without you knowing, it is not.

Opt-out basically means you're forced to enter a contract without knowing about it. Dunno about your country, but it's not legal in mine.

Re:where is the list ?

[BrokenHalo]

Definitely the latter. We have become so accustomed to the fact that "opt-out == spam-me-to-hell-now-i've-confirmed-that-i-exist", nobody trusts the option any more. Which is why people take steps with appropriate hosts-file blocking or firefox extensions.

Re:where is the list ?

[FireFury03]

Schemes like Phorm exist because they are opt-out.

What Phorm is doing is almost certainly illegal - you can't lawfully intercept communications without consent from all involved parties. By making it opt-out, you're not even getting explicit consent from one of the parties (the ISP's customer) - even if it were opt-in, you're not getting consent from the website that you're snooping the connection to, or any of the users of that website that may have posted (potentially private) content on it.

Re:where is the list ?

[Acer500]

And that's why opt-out should be illegal. No exceptions. Massive fines. That would end all the spam and scamming right there, at least for the legal part (you still have to find and prosecute the guys, of course, but you don't need any huge laws).

Why is the above a flamebait? Is it the second part (the calling the Americans to action)???

It is possible to block IP

[Daimanta]

But first there is a need for people:

Read this thread down and comment on this one

http://slashdot.org/comments.pl?sid=1199671&cid=27586613

If you are connected with BT please try some of these suggestions and see if it is possible to locate the IP addresses of Phorm. It is important that we stop this menace(or at least do what we can) before it spreads to other ISPs.

Re:It is possible to block IP

[gerrysteele]

I'm on BT but from your link couldn't work out what suggstions you are talking about i'm afraid.

Re:It is possible to block IP

[Frosty+Piss]

Perhaps a better approach to Big Internet Business would be rather than "user privacy", which in reality they don't give a damn about, we pointed out to them that Phorm "monetizes" other people's visitors (customers) without a return to the Web site owner ("you're STEALING my customers"). Microsoft and Yahoo might consider how much they like their Web "properties" being hijacked for someone else's profit.

That email may not work...

[Tribbles]

It might be ignored as we (in the UK) don't spell "legitimize" with a "z" - it's legitimise here :)

Re:That email may not work...

Phuck oph.

Re:That email may not work...

[tomtomtom]

Actually, "-ize" is absolutely not an Americanism - it is in fact correct spelling in either British or American English, whereas "-ise" is correct only in less formal British English.

It is sad that very few of us British seem to understand our language properly; almost no one here realizes that it is actually more conservative in British English to use -ize and not -ise. For example, go and look at an older copy of the Oxford English dictionary or the Times and you will see all those words spelled "-ize". I believe that even the newer editions of the OED, despite now listing the "-ise" forms, state that "-ize" is the preferred form.

To further complicate matters, the only words to which this rule can can apply are those which derive from Greek (and thus contain the Greek suffix "-ize" - this is the rationale for it being the more correct variant). So for example "enterprize" and "capsise" are always just wrong in either British or American English.

Re:That email may not work...

[drinkypoo]

The reason I use -ise (and -our instead of -or etc) is because the fsckin' Americans don't

Yes, that is quite hilarious. In fact, American English sounds more like Old English than British English does, specifically because Brits have changed their speech to sound different from yanks. In particular the pronounciation of the letters "A" and "R" is dramatically closer in the American stuff. Also, the person who got to name Aluminum wanted it named Aluminum, not Aluminium.

Re:That email may not work...

[uncle+slacky]

AIUI the -ise ending was introduced as a replacement for -ize during the 18th century, when it became trendy to spell things in a French style, hence -er endings became -re (centre, theatre) and -ise replaced -ize. Because American English was essentially divorced from the mother tongue by that time (politically if not culturally), the changes didn't propagate over the pond.

As someone else noted, American English resembles British rural dialects (particularly Oxfordshire and Bristolian, so I'm told), which leads to the amusing conclusion that when one hears, for example, one of Shakespeare's plays performed by Americans, it's pretty close to how the original would have sounded.

Re:That email may not work...

[Haeleth]

In fact, American English sounds more like Old English than British English does

Not true. Neither language sounds remotely like Old English, so far as anyone can tell; of course, Old English stopped being spoken around a thousand years ago, so we don't really know what it sounded like anyway.

In any case, you're probably thinking of Early Modern English, i.e. the language as spoken when the first colonists set sail.

It is true that American English preserves some features of Early Modern English that have been lost in some southern dialects of British English. But that still doesn't mean it sounds like Early Modern English. It doesn't. It has evolved in a different way, and it has of course also lost features that have been preserved in British English, such as certain vowel distinctions.

Why not go one step better?

[TheRaven64]

Detect IPs from ISPs who are part of Phorm and redirect them to a page about Phorm the first time they visit Wikipedia each day. Amazon probably couldn't afford to do this, but it's not like Wikipedia loses any revenue if they irritate their visitors a bit, and if they can direct that anger to the ISP then it could do a lot of good.

Re:Why not go one step better?

[David+Gerard]

When it was proposed in a couple of mailing list discussions, the unanimous response was "HELL YES!" So I think you could reasonably say we actively dislike Phorm ;-)

Re:Why not go one step better?

[stephanruby]

Or they could just detect those IP addresses as you said, but put it in the message on top of the page, where they usually put official messages and calls for raising funds. A complete redirect would be overkill in my opinion.

WTF is Phorm?

[EvanED]

For those of you, like me, that read TFA and the article linked from TFA and still don't know what Phorm is other than it's something that some UK ISPs are implementing and there appear to be privacy concerns, Wikipedia.

In short, it's system for doing targeted advertising by deep-packet inspection.

Re:WTF is Phorm?

[orangesquid]

I thought this was obvious? Doesn't PHORM stand for Privacy Heinously Obliterated for Rogue Marketing?

Wait, I think my conscience is interfering with accurate perception of reality to discourage nightmares... dammit, why does this happen so often.....

Re:WTF is Phorm?

[AlexanderHanff]

If you would like more information on Phorm/WebWise, NoDPI.Org has been leading the campaign against them for the past 14 months (and were co-signatories to the Open Letter). We have worked on a number of iniatives including organising the House of Lords Round Table Event which Sir Tim Berners-Lee attended on the 11th March this year. We plan to take the lobby all the way to Brussels and the campaign has already led the European Commission to initiate legal proceedings against the UK Government after they failed to enforce EU Privacy Directives with regards to Phorm's covert trials with BT Group in 2006/2007. I also filed a criminal case with the police in July last year, which they closed stating that there was no criminal intent and it was not in the public interest. As a result of this I was forced to contact the Director of Public Prosecutions and bypass the police entirely - the Crown Prosecution Service are now investigating the matter and will make a decision on whether or not to prosecute. The covert trials in 2006 alone intercepted over 130 million communications over less than 2 weeks and modified those communications to insert Javascript into web pages which passed through their systems (then known as PageSense). I leaked an internal BT report which goes into a great deal of detail about the 2006 trials to WikiLeaks last summer and I also wrote my undergraduate dissertation on the legal implications of the same covert trials.

You can find the dissertation here: https://nodpi.org/documents/phorm_paper.pdf
You can find the leaked report here: https://secure.wikileaks.org/wiki/Image:BT_Report.pdf
And you can catch up on the entire scandal on our blog here: https://nodpi.org/

Hope that clarifies things for those who are not aware of who/what Phorm/WebWise are/is.

Alexander Hanff

Re:WTF is Phorm?

[stephanruby]

I'm surprised Virgin is one of the three ISPs doing this. Does Richard Branson still own that ISP? If he does, I will do my part and boycott all the Virgin brands. Since I live in the US, and since I don't do business with BT, boycotting and bad mouthing BT would be pointless.

More information please?

Would it be too much to ask for the summary to give some clue about what "Phorm" is, or why Wikipedia would need to or want to "opt out" of it?

Re:More information please?

[AnotherBrian]

http://lmgtfy.com/?q=phorm

Re:More information please?

[u38cg]

Or would it be too much to ask that if you only read slashdot once in a blue moon and have no idea about a topic you've never heard of that you at last try one Google search before accusing slashdot of being lazy?

stealing advertising revenue

[wjh31]

aside from the whole invasion of privacy thing, people seem slightly less to pay attetion to the suggestion that intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue, to the page owner for their share, to e.g google for their commision or however they work, and to the advertiser whom may otherwise have recieved an extra click through to their site

Re:stealing advertising revenue

[tomtomtom]

... intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue ...

Not that I want to be seen to defend Phorm, but that's just not what their system does.

To be fair to you, some of the original secret trials did include nasty rewriting of web pages to include their ads but they pretty quickly dropped this (I suspect more because it didn't work well enough than for any moral or legal reason given their dubious track record and the previous lives of the individuals behind Phorm).

Phorm monitors your general web usage using Deep Packet Inspection at the ISP level, even and especially on sites which have never signed up with (or even heard of) Phorm, in order to build up a behavioural profile of you. They then use this to serve you targeted ads when you browse to a site which is signed up to their ad hosting service.

What's more, they decided to not only track what sites you visit, but do keyword analysis of the content of the pages served to you by third parties. They claim this data is anonymized but we all know that in reality you could probably identify any given user from the data they collect with >50% probability as recent studies on anonymized data sets have shown.

Re:stealing advertising revenue

[MichaelSmith]

Oh great. Now my wife is going to get adverts targeted at my browsing habits. Just what I need.

Re:stealing advertising revenue

[Opportunist]

Hey, would you mind her having bigger tits and a maid outfit? :)

Re:stealing advertising revenue

[IBBoard]

It isn't stealing advertising revenue, though.

The way Phorm works is to monitor every page on all websites that a user on a Phorm'd ISP visits and build up a profile of them by analysing the content. This is then used to supply more targeted adverts on every site that is part of Phorm's network.

They don't replace (for example) GoogleAds with their own adverts, but they do read the content of your website and use it for their own profit by scanning it after an interesting flurry of fakes and redirects - all without returning a single penny to you.

That's the part that annoys me the most. I'm not on a Phorm'd ISP, so it doesn't affect me as a user, but I don't have any adverts on any of my websites so I sure as hell don't want them making an advertising profit from my content without me getting a proportion of it. That plus their method of monitoring and using opt-out is ethically dubious at best.

Re:Mental disconnect

[growse]

You're confusing the content and the information about the people accessing the content. If I publish a web-page, that is public (copyright me). Anyone can read it. However, what isn't public is the list of IP addresses that accessed that content. When reading a webpage, you don't get to know who else has read that webpage.

Phorm gets to know who else read that webpage. And any other HTTP-only webpage.

Re:Mental disconnect

[David+Gerard]

The way they're doing it is likely illegal in the EU. The EU is actually taking Britain to court for not having prosecuted Phorm and BT already.

Re:Mental disconnect

[hguorbray]

El Reg has been covering Phorm and its existing and planned abuses for some time:

http://search.theregister.co.uk/?q=phorm

unfortunately one of the Phorm directors is also in tight with the UK gov in an internet policy group
http://www.theregister.co.uk/2009/04/15/kip_meek_berr/
and they have been hard to dislodge over there, although Brussels (EU) has also taken notice
(see parent)

so far, they seem to have been treated with suspicion and hostility over here in the USA by everyone AFAICT, which is probably a good thing

I'm just sayin'

How is lying about a redirection legal?

If you look at http://en.wikipedia.org/wiki/File:Phorm_cookie_diagram.png , they are lying to the customer by claiming that a website has moved when it hasn't. As a website owner, I should be able to sue them if I have proof of such a fraudulent redirection. Why would opt-out be necessary or advisable under these circumstances?

May be copyvio too

[Xtifr]

Any content that is distributed under any of the Creative Commons NC licenses (e.g. cc-sa-nc cannot legally used for advertising purposes. The very similar license under which the Grateful Dead allow redistribution of their old concert recordings explicitly lists advertising and "exploiting databases compiled from their traffic" as forbidden.

Screw opt-out, the RIGHT solution is HTTPS!

Opting out as a web site or user is just a lame attempt to avoid implementing the even simpler, and vastly more effective solution: MAKE YOUR WEB SITES ACCESS VIA HTTPS WITH SSL SECURITY FOR ALL PAGES, ALWAYS!

That way nobody can easily "man in the middle" attack your page content for any purposes of deep inspection, advertising, user profiling, invasions of privacy like 3rd party traffic logging, et. al.

Notice that I said "nobody can" versus "PHORM cannot" -- this would protect against ANY 3rd party snooping or data tampering, which surely is a far more effective "one solution fits all" approach than JUST relying on PHORM's good hearted integrity to honor your request not to profile your traffic. HTTPS solves the problem once and for all for ANY such threat. It is something that your web servers already support. It would be trivial to enable this wholesale across thousands of web sites.
The benefits to users could extend far past advertising related snooping; it would help secure your users against even worse kinds of malicious or oppressive censoring / analysis of their web interactions.

The ONLY things that would be available for inspection / logging by a 3rd party would be:

a: some client's PC did a recusive DNS lookup of your domain such as en.wikipedia.org

b: some client's PC made a TCP connection to an IP address which happens to serve some particular set of sites, e.g. 22.33.44.55 = en.wikipedia.org, uk.wikipedia.org, some_other_virtual_server.com, et. al.

c: a certain amount of SSL encrypted traffic flowed back and forth from the client's PC and the site over SSL. Packet timing, packet group sizes could probably indirectly reveal some information via traffic analysis about what content may have been accessed, but this would be certainly far more difficult and less useful for a 3rd party like phorm to have to analyze / process.

Other than the small issue of paying for a SSL certificate for commercial domains, what exactly is the problem here? If your site is commercial / large traffic then presumably a modest annual cost is negligible compared to your existing server / IT / staff / security / bandwidth / electricity costs -- and you probably ALREADY have SSL certs anyway just for your login / e-commerce types of processes. If you have a low traffic / personal / non-profit type site, then just use self signed certs for free, and it'd be doing your users a big favor protecting them from 3rd party attacks / snoops on their traffic for basically zero cost to you.

Large / commercial sites presumably have hardware capability to handle SSL processing at the necessary speeds. Small sites presumably have small enough traffic that even a very modest personal desktop CPU that is already in use for the server could handle it at that throughput level with no problem.

If we're going to be petitioning sites to do SOMETHING to stop the harmful practices of 3rd party traffic logging / deep packet inspection, shouldn't we be asking them to do it the BEST and really the ONLY EFFECTIVE way? Anything less is a joke. *NICELY ASKING* a "malicious" would-be eavesdropper to not snoop on your totally unencrypted totally unsecured data stream is like wearing a t-shirt that says "please don't rob me" while you walk around with tons of expensive jewelry and electronics through dark alleys in bad neighborhoods. News-flash -- the people that would snoop on your / your users' data are doing it for PROFIT or CONTROL self-interest; if they CARED about being "nice" and respecting your / your users' privacy, THEY WOULDN'T BE DOING IT IN THE FIRST PLACE! Don't "ask nicely" for them to stop -- they'll do it anyway, and so will 10,000 others who YOU DON'T EVEN KNOW ABOUT -- PROACTIVELY PREVENT them from doing it, YOU HAVE THE TECHNOLOGY!

Re:Screw opt-out, the RIGHT solution is HTTPS!

[shentino]

The problem is forking over $$$$ to verisign and giving them monopoly control of the internet.

I would rather be insecure than verisign's puppet.

Re:Screw opt-out, the RIGHT solution is HTTPS!

[shentino]

And if DNSSEC was properly implemented across the board then we wouldn't even NEED to be wary of self-signed certificates to begin with.

If you can trust that the DNS pointed you to the right site, then you are as safe as you are using SSL.

Re:Screw opt-out, the RIGHT solution is HTTPS!

[u38cg]

Hi. You appear to be under the impression that SSL is a magic bullet. I have bad news for you. If someone really wants to read your https traffic, they most likely already are: it's not that hard. And if you're an ISP, it's not exactly difficult to get hold of a legitimate certificate to do your MITM with.

I think a better approach would be to make damn sure that everyone involved in commercial activity understands that they should keep the fuck away from my data, encrypted or not.

Re:Screw opt-out, the RIGHT solution is HTTPS!

[linuxrocks123]

Actually, the only significant problem with his proposal is that a high-traffic website would have significantly higher server processing costs if it had to encrypt everything. There are no known breaks for SSL right now, so it's highly unlikely anyone is reading your https traffic except the website on the other end of the connection. An ISP would certainly be able to purchase a certificate for itself, but that certificate would be useless for MITM because a legitimate certificate authority won't knowingly issue a certificate for a DNS domain not under that ISP's control.

Have a nice day,
---linuxrocks123

Re:Screw opt-out, the RIGHT solution is HTTPS!

[u38cg]

What if your ISP is big enough to control a top-level certificate issuing authority? Or even easier, what if they supply your browser and add their own top-level certificate? If you work in a large institution such as a bank, this is exactly what happens. Right now, at my desk, if I connect to my bank's website, my employer can read my traffic. I'm the last person to descend into tinfoil hattery, but when it comes to encryption, there really are too many ways for it to go wrong for it to be a magic bullet for *anything*. Lastly, bear in mind that most users are *utterly clueless* about their encryption, and therefore won't think twice about clicking through certificate errors for any domain. People have MITMed in the wild using this technique - never mind the people that have reversed engineered MD5 hashed certificates.

Re:Screw opt-out, the RIGHT solution is HTTPS!

[linuxrocks123]

If your ISP is, in effect, providing you with a hacked web browser, then, yeah, the people who use it are stuck. But, only those people: those who used their own browsers would object, some quite strenuously, to their ISP doing a man-in-the-middle attack on every SSL website, so that scheme wouldn't be workable in practice. Employers can (sometimes) get away with the antics they pull because they're paying you. I wouldn't visit my bank from work unless I were booted from a CD anyway (and that's against policy at a lot of places, so I'd probably just check from home).

Who is your employer, by the way?

---linuxrocks123

Re:Screw opt-out, the RIGHT solution is HTTPS!

[shentino]

Actually, DNSSEC only obsoletes the authentication portion of SSL. You still need its encryption to prevent MITM attacks, but sites that are properly authenticated with DNSSEC would at least be able to publish their own certificates.

My mistake...

Re:Frist Ph0rm

[bit01]

"Sincerity is everything. If you can fake that you've got it made."

Old but good.

---

For web applications a web browser is little more than a multi-language, non-portable graphics+networking library mess, far less consistent than other graphics+networking libraries.

Re:What?

[Jurily]

whoosh

Why the BBC is more unbiased

[brunes69]

This is what many Americans don't get about the BBC. All they think is "it is run by the government, they must have their hands in it".

The reason the BBC can remain so unbiased is because they have no need to profit or grow the company. They know they will be funded next year, they have a government mandate and direct taxation supporting them. Also, it is an arms length from the government. They have a charter to collect the TV tarrif directly - the government does not directly fund them to my knowledge.

Therefore, they don't have to worry about an MP cutting their funding if they run an expose on him.

They don't have to worry about "if we do an expose on ourselves and we look bad we will lose advertising dollars", because they don't run advertising.

They don't have to say "oh we can't do that report on how GE microwaves are faulty, because GE is a huge advertising client".

Since they don't have to worry about markteting and soliciting advertising, they can devote 100% of their time and energy on reporting on the news to the best of their ability.

As a Canadian, where we have the CBC which is funded both through taxpayer dollars AND through advertising, I can see both sides. The CBC is pretty impartial, more so than any American network anyway, but if I had to also have to pay a TV tarrif like people in the UK do, I am unsure if I would be OK with that. Then again, at least that would maybe fund some more decent non-news programming on the CBC.

Re:Why the BBC is more unbiased

[Acer500]

Since they don't have to worry about marketing and soliciting advertising, they can devote 100% of their time and energy on reporting on the news to the best of their ability.

Not to mention they get a leftover budget for cool shows like Top Gear :)

NoDPI complaint to the Financial Services Authorit

[AlexanderHanff]

Just a quick update for everyone. Today we have sent a letter of complaint to the Financial Services Authority (FSA) that Phorm's statement to markets this week that government regulators and departments support their technology as fully compliant with UK law - is misleading and possibly fraudulant.

I have added a link and summary to my firehose here:

http://slashdot.org/firehose.pl?op=view&id=4200429

you can find the original article here:

https://nodpi.org/2009/04/17/phorm-protests-berr-says-we-are-fully-compliant/

Alexander Hanff

Re:screw the paperwork

[AlexanderHanff]

Blacklisting Phorm's IPs will serve no purpose. The visits you see to your web sites will have the IPs of the ISP customers, Phorm then intercept these communications and copy the page "in transit". The only way to guarantee that your site will not be compromised by Phorm is to block all the IPs registered to the various ISPs that decide to deploy Phorm's technology.

The only other option is to use the Opt-Out mechanism that Amazon, WikiMedia and others have used; and then trust Phorm to honour that request.

Alexander Hanff

Re:screw the paperwork

[AlexanderHanff]

I should add that you can also block Phorm's technology by using SSL for all your web site pages. If you have a busy site however, you should be aware that this could cause a significant resources overhead.

Alexander Hanff