Phorm

Courtesy of the Spy Blog, a little scam I had missed.

The Register has published some diagrams of how the appalling Phorm web advertising scheme will work. Major UK broadband Internet Service Providers British Telecom Retail, Virgin Media and Carphone Warehouse TalkTalk all seem to have signed a “commercial suicide pact” contract to abuse their customers’ data privacy without first obtaining their prior informed consent.

The essence of this little scheme is that the ISPs in question sell the right to tap into their customers’ web browsing activities directly so that the user may be subjected to targeted advertising.

Phorm appears to be a combination of these two direct marketing approaches, except this time it is inflicted on all the web traffic of the unlucky customers of the participating ISPs, via man-in-the-middle attack hardware plugged into their core network infrastructure.

There are flaws in the reasoning – quite apart from the ethics. The person browsing may not be the regular user of the computer and the regular user may be browsing on behalf of someone else. I regularly get requests from my sister asking me to look things up for her – and it is none of the ISP’s business. And, I absolutely detest advertising shoved in my face. What is it with these people? Did they not notice the backlash against pop-up ads? It wasn’t just the popping up that pissed people off. Most of us simply don’t want to be subjected to a sales pitch when we are browsing. Something Spyblog reiterates:

Phorm perpetuate the common misconception amongst advertising weasels, that if your web browser software connects with a particular website, at any time, then that somehow means that you as a person, are positively and genuinely interested in receiving direct advertising related to the vague subject category in which they have arbitrarily categorised that website.

Then, of course, there’s the ethics. Are people being asked to opt-in or are the ISPs going for the lazy option; opt-out? This, from BT’s website:

We believe BT Webwise is an important improvement to your online experience — giving you better protection against online fraud and giving you more relevant advertising.

We realise that you may not want to use the free service, so we’ve made it quick and easy to switch on and off.

The lazy option it is, then.

The Spyblog goes on to consider the legal implications of such information gathering:

Since many people use web based email systems, for example, these ISPs and Phorm should be prosecuted for illegal interception of communications without a warrant signed by the Home Secretary under the Regulation of Investigatory Powers Act 2000 section 1 Unlawful interception, and each of the people responsible should be facing up to 2 years in prison, including those who seem to have already conducted full scale pilot trials of this technology on unsuspecting BT customers.

It seems these days every Tom, Dick and Harry wants to poke about in our personal lives for their own grubby ends. Fortunately, I don’t use any of the ISPs in question and have no plans to.

The Register is suitably scathing:

We tapped Aaron Crane, The Register’s Technical Overlord, for help bending our puny scribe’s brain around these diagrams. He said: “Looking at this makes me damn glad my own internet connection is funded by what I pay for it, so the ISP doesn’t have to engage in this sort of shady practice merely to cover costs.”

“If I were using one of the ISPs concerned, I’d switch.”

So would I and I’d make damn sure the ISP knew why.

There’s more info on Bad Phorm.

One final thought; if the ISPs concerned weren’t aware that what they are doing is at best unethical and at worst, illegal, would they have not trumpeted it from the rooftops, announced it with press releases and such? That they didn’t speaks volumes. They are behaving badly – and they know it. But, never mind, sneak it in under the radar and sell their customers’ privacy before they notice – that’ll do the trick.

10 Comments

  1. I had noticed that google reads my gmail posts before I do and puts up relevant adverts above the message box. A bit of a give-away that they have steamed open the envelope and had a peek.

  2. As each day passes and a new attack on personal privacy is launched from both government and ‘private’ aggressors, I become more and more convinced that the ultimate consequence will be for all of us to ‘go off the grid.’
    Vote with your feet… dump the mobile (tracking device), use a public computer, lose the forms, ‘destroy your expense sheets’… become a techno-luddite!

  3. Unless I’m prepared to give up working – which I’m not – that just isn’t a practical option. However, I minimise my exposure by avoiding those companies that play these games.

  4. Hang on – isn’t this kind of snooping what the ISPs claim they can’t do when asked to filter out spam/illegal downloads/kiddie porn/bomb making plans ?

    They seem to be opening themselves up to a world of pain here…quite apart from the ethical questions.

  5. I would like to share this interesting and informative post I read on Slashdot. It was written by a user called ‘anticypher’. It is not my own. Here it is:

    ———–

    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people’s observations in the ensuing PR war. Phorm’s sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson [citigatedr.co.uk] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I’ve seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by “gifting” the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm’s technical team. If the equipment stays 5 years in the ISP’s premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn’t left their network should post-analysis show the customer has “opted-out” of passing the information to Phorm’s China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP’s network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP’s network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm’s plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let’s take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can’t be tricked by slashdot’s servers to return cookies from digg or google.

    With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which responds with a 302 redirect to spyware.ru; the browser then does a lookup and redirect to the new site. Note that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins: the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It’s a malware writer’s wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.

    Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.

    More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP’s server (without an SSL session since it isn’t going over the internet) can have the contents read and analyzed by Phorm.

    Where the storm of controversy comes from is that technically apt people (like slashdot’s readership) are beginning to understand just what an internet stream hijack implies. It means that Phorm can not only read all your web traffic, they can intercept all the traffic near the headend of your broadband connection and read anything. They can read your IM sessions, they can read your email, they can get it all.

    Now, at this point, the über-technically adept point out encryption, certificates, Man-in-the-Middle attacks and the like. True, https sessions, encrypted IM, TLS protected POP&IMAP and other protected protocols give some protection from snooping on the content, but not much “signals analysis” protection. They can still snoop on your DNS traffic, even if you run your own local caching server or use OpenDNS or AlterDNS. They can still see what the end points of your encrypted tunnels are. Sure, you could tunnel all your traffic to a remote VPN server, but how many of you do that now? How many average users would even bother?

    I was going to insert a long analysis of how they analyze and claim to anonymize the data collected, but this post has gone way too long for slashdot. Maybe another post another time.

    I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible to uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network [slashdot.org]. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names; the name of the company has changed from PeopleOnPage to 121media and recently changed from sysip.net to Phorm. This is typical of a company that knows it will have to shed its tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand.

    Sir Tim Berners-Lee has seen their presentation, and held a press conference yesterday to try to stop the practice cold. Even if Phorm is stopped dead tomorrow, the business conditions and legal loopholes are still present to encourage ISPs to try this again and again, and it will certainly be much worse in the US where there are absolutely no legal protections at all, and a ready market for personal data.

    the AC
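The reposted comment above describes a redirect round trip: the request for the site the user typed is answered by the interceptor with a 302 to a domain the user never asked for, that domain sets or reads its own cookies, and a second redirect bounces the browser back to the original site. The following is an added example (not Phorm's, the ISP's, or the commenter's code) of how a client-side or proxy-side monitor could flag that pattern from a recorded redirect chain. The hop records, the `tracker.example` host and the cookie value are all constructed sample data; the "same site" comparison uses only the last two DNS labels, which is a simplification of what a real implementation would do with the Public Suffix List.

```python
"""Flag an interception-style redirect chain in a recorded navigation.

Each hop is what a browser (or a logging proxy) saw for one navigation:
the URL it requested, the status code, and the response headers. The
first hop is the request the user actually made.
"""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: the request for the intended site is answered with a
# redirect to an unrelated host, which sets a cookie and bounces the browser
# back to the intended site. None of this is captured traffic.
INTERCEPTED_CHAIN = [
    {"url": "http://slashdot.org/", "status": 302,
     "headers": {"Location": "http://tracker.example/"}},
    {"url": "http://tracker.example/", "status": 302,
     "headers": {"Location": "http://slashdot.org/",
                 "Set-Cookie": "uid=abc123; Domain=tracker.example; Path=/"}},
    {"url": "http://slashdot.org/", "status": 200, "headers": {}},
]

# Constructed sample of an ordinary same-site redirect (http -> https, www).
BENIGN_CHAIN = [
    {"url": "http://example.org/", "status": 301,
     "headers": {"Location": "https://www.example.org/"}},
    {"url": "https://www.example.org/", "status": 200, "headers": {}},
]


def site_of(url):
    """Crude 'same site' key: the last two labels of the host name.

    Hypothetical simplification for the example; a production check would
    consult the Public Suffix List (co.uk and similar would break this).
    """
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyse_chain(chain):
    """Return findings for hops that a direct navigation should not contain.

    Three things are flagged: a response served by a host outside the
    requested site, a cookie set by such a host before the requested site
    has answered, and a bounce back to the requested site after the detour.
    """
    if not chain:
        return []
    requested = site_of(chain[0]["url"])
    findings = []
    left_site = False
    for i, hop in enumerate(chain):
        here = site_of(hop["url"])
        headers = hop["headers"]
        if here != requested:
            left_site = True
            findings.append(f"hop {i}: response served from off-site host {here}")
            if "Set-Cookie" in headers:
                findings.append(
                    f"hop {i}: off-site host {here} set a cookie before "
                    f"{requested} answered")
        elif left_site and hop["status"] == 200:
            findings.append(
                f"hop {i}: bounced back to {requested} after visiting another site")
        location = headers.get("Location")
        if hop["status"] in REDIRECT_CODES and location and site_of(location) != requested:
            findings.append(
                f"hop {i}: {here} redirected to off-site {site_of(location)}")
    return findings


def is_suspicious(chain):
    """True when the chain contains any off-site detour."""
    return bool(analyse_chain(chain))


if __name__ == "__main__":
    for name, chain in (("intercepted", INTERCEPTED_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, "suspicious" if is_suspicious(chain) else "clean")
        for finding in analyse_chain(chain):
            print("  ", finding)
```

The check deliberately keys on the detour rather than on any particular domain, since the comment notes the operator runs under many names; a list of known hosts would go stale, whereas "my request for site A was answered by site B, which set a cookie, then sent me back to A" is the shape of the round trip itself.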

  6. I don’t think that the gmail comparison is appropriate. gmail scans the text of an email, provides an ad and then discards the data.

    Phorm builds a target profile from all websurfing.

    Also, you agree to gmail ads when you sign up; Phorm is being done without the customer’s knowledge.

  7. My reference to Gmail is merely that I do not want ads – targeted or otherwise. That’s why I have not signed up for it and am unlikely to do so. In no way was I suggesting that it is comparable to Phorm.