BT pimped customer web data to advertisers last summer

BT’s servers were secretly passing data on subscribers to its "new" advertising partner as long ago as last summer, though the companies refused to acknowledge any relationship at the time. BT - the UK's number one internet provider - finally revealed the plan earlier this month along with Virgin Media and Talk Talk, which …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Stop

    "like all Bandwagon's all UK ISP's will quickly jump on."

    All UK ISPs are not the same. Better ones do still just about exist but the price may not be what you're accustomed to. Pop over to ADSLguide's ISP forums and at least two ISPs I looked at have already had senior staff saying they won't touch Phorm with a bargepole. One of them (Zen) is expecting to issue a formal PR statement to that effect Real Soon Now.

    More worryingly for me, the two BT subsidiaries I currently deal with (Metronet, Plusnet) have not as yet made any public statements on the subject. So looks like I may be off to IDnet or Zen soon...

  2. Chris Williams (Written by Reg staff)

    Questions for Phorm

    Hi everybody.

    Thanks for your input on this. I'm arranging to meet up with Phorm ASAP to try and get some answers on some of the technical points that have been raised here. If there's anything specific people would like me to put to them, please post a comment. Thanks,

    - Chris

  3. Anonymous Coward
    Alert

    Here are some technical details - from last summer's experiment

    http://www.spikelab.org/blog/btProxyHorror.html

    Which includes, amongst other logged details the triggered request and the script embedded in the page that triggered it.

  4. Anonymous Coward
    Gates Horns

    Yes ask them

    If they have ever been in trouble with the law for related?

  5. Anonymous Coward
    Thumb Up

    Hide your browsing history in plain sight?

    Someone on the Digital Spy forums posted this link which might help.

    http://mrl.nyu.edu/~dhowe/trackmenot/

  6. Anonymous Coward
    Black Helicopters

    Yes please ask them...

    1.) Do they receive just headers (then presumably have to visit the sites themselves to get the keywords) or a full HTML stream from the ISP

    2.) In either case, what safeguards are in place to prevent de-anonymization of anonymous data e.g. through real names displayed in pages, or if they don't receive a full stream, only headers, then names still exist in POST/GET variables

    3.) How does this diverting of a communications stream not fall foul of RIPA, since it is widely accepted that HTTP can and is used for personal communications. Whatever safeguards are in place, surely it contravenes RIPA if the data is being passed on to a third party

    4.) Will the data leave the UK?

    5.) Have they spoken to the Office of the Information Commissioner and if so, what do they think?

  7. Anonymous Coward
    Boffin

    BT's response

    BT have an internal security mailing list and this article has been posted about this morning, but no-one has mentioned that they have any direct knowledge about it (unsurprisingly perhaps) but the general consensus could be summed up by the tla : WTF !?

  8. Richard Lubomski
    Alert

    Phorm.com gives a little...

    looking at the root of the problem (i.e. Phorm.com) their site speaks of the OIX (Open Internet Exchange) and Webwise... and provides a link telling you how to disable Webwise:

    http://www.phorm.com/about/faq.php - look under 'For Consumers'

    this redirects you to the Webwise site; on the 'You can choose' page, it states whether webwise is enabled by your ISP...

    http://www.webwise.com/privacy/can-choose-NA.html

    This page speaks of an 'anonymous cookie' that tells the system in question to ignore your system....

    I'm interested how this can be made persistent; dumping temp files would surely clear this 'anonymous cookie'??

  9. Brian Wright
    Happy

    @ Sam

    Install and use Hotspot Shield, that encrypts all your data and uses a VPN.

  10. Anonymous Coward
    Anonymous Coward

    BT say its just a rumour

    I spoke to BT business broadband this morning and asked them if there was any truth in the Phorm tie in.

    I was told "that its just a rumour and they had no plans to implement a targeted ad system"

    Make of that what you will.

  11. Chris Williams (Written by Reg staff)

    Re: BT say its just a rumour

    The contract is absolutely real. The fact that BT Business call centres aren't the most on the ball isn't a great shock.

  12. Anonymous Coward
    Alert

    Dodgy Data Brokers, Yes! Governments & Security Services, No?

    Hang on a minute!

    One second our trusty noble ISP's are saying "No!" to the government for access to our web browsing habits for security purposes, the next they are saying "Yes please!" to a very shady rootkit-making private company.

    What the hell is going on?

  13. Andrew Meredith
    Unhappy

    Who turned them down and how do we escape

    Two questions, thanks for asking :-)

    1 - Who, so far, has turned them down flat?

    2 - Is there a way, other than a remote encrypted proxy or some such, of making your web traffic completely bypass their system. I'm not talking about vague hand waving about collecting it but not doing anything with the data (honest guv); I'm talking about complete opt out so this mob don't even know I'm there.

    I think the answer to 1) would form a good start on an ISP whitelist and 2) could well be the start of a new open source project.

  14. Anonymous Coward
    Anonymous Coward

    phormy people

    I wonder who Chris will get to meet.

    Will it be the charming marketeer Radah Burgess:

    http://www.prague-tribune.cz/2003/4/img/p29_15.jpg

    Or perhaps spysite registrar Ahmet Can

    http://www.spock.com/i/n31ljxhFY/Ahmet-Can.jpg

  15. Sam
    Happy

    The peasants are revolting

    Trackmenot acquired, ta.

    More please.

    As a small skeletal rodent might say, SNHH, SNHH, SNNHH...

  16. Anonymous Coward
    Dead Vulture

    More than just a rumour unfortunately...

    ... this looks pretty damn definite to me:

    http://www.phorm.com/about/launch_agreement.php

    and just look at what it's doing to their share price:

    http://www.ft.com/cms/s/0/b961adc0-daf9-11dc-9fdd-0000779fd2ac.html

  17. John Bayly
    Thumb Up

    @Chris Williams

    Regarding the questions suggested by Pie Man (Posted Thursday 28th February 2008 12:03 GMT), can you ask the ISPs the same questions.

    They're the ones who will be reading our data, and so far the silence has been deafening (from BT anyway).

  18. Andrew Meredith
    Thumb Up

    PlusNET Kosher despite BT connection

    I just had a dialog with PlusNET (one of my ISPs) about this subject and they know of it, they know BT are using it and they do not themselves think it is right for us the customers. They also undertook to seek opinions via their forums before any future decision to change their minds.

    Sounds ok to me :)

  19. Anonymous Coward
    Dead Vulture

    A better plan of attack might be to go after Webwise

    On its website Phorm cites FT.com; iVillage; Universal McCann; MGM OMD Unanimis and APACS as supporters. I bet they don't all know about the dodgy past of the people they are dealing with.

    You might also ask them what aspect of their technology they believe is patentable, as reading their application it all looks pretty straightforward to me. More spin designed to impress investors perhaps?

  20. Anonymous Coward
    Stop

    silly silly silly

    I'd also like to point out that E&Y's 'independent' report reads as totally incompetent...

    Especially as the report states that Phorm does not collect form input, but does say it collects search terms; last time I checked, search terms are usually entered into html forms...

    The "Opt-out" idea is ridiculous, it essentially mandates you send a piece of data with every request saying "ignore me", this is contrary to the more reliable/secure/sane practice of requiring data to opt-in.

    This smacks of being poorly thought through and has a seriously strong likelihood of compliance and legal issues rearing their ugly heads for the ISP.

  21. Anonymous Coward
    Black Helicopters

    Re: BT say its just a rumour

    To the best of my knowledge, BT Business Broadband do not use HTTP proxies, transparent or otherwise, so may not be affected by this "Phorm Storm". I've tested my company's connection and can detect none. I'm guessing from my experience as a system architect that transparent proxies will be the best point to pipe out the dump to Phorm, so in the strict sense of the reply from BT B.B. it may well be just a rumour!

    Chris: if you get a gig with BT/Virgin/The Other One could you ask them if they plan to write to each customer informing them of their new practice and how they may opt out?

  22. StillNoCouch
    Go

    This is not good

    This is very troubling ... much like "Crossing the Streams" in Ghostbusters kind-of-bad.

    A Delaware company with servers in China ... I can't wait to clear out my Temporary Internet folders before the tainted dumplings start to rot.

    I'm seriously looking forward to hearing more about this. Great Job El Reg !

  23. John Saunders
    Pirate

    HTML injection

    This should be obvious with 'View Source' or moral equivalent and 'Find in Document' for dns.sysip.net . Soon I expect some Firefox/Greasemonkey expert to devise a small Greasemonkey script to remove the offending code. Too bad for IE users. :-)

    This is simply a man in the middle attack. Were this perpetrated by a hacker, it would be a crime. Perpetrated by two corporations, it's good business. Hmm.
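
A scripted form of the 'View Source' check described in the comment above, as an added example that is not part of the original thread: it lists script references that point away from the page's own host and flags the domain the comment names. The sample page, its URLs and the function names are constructed for illustration.

```javascript
// Constructed sample page: one first-party script, one script tag pointing at
// the domain named in the comment, one inline script, one plain-text mention.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src="http://dns.sysip.net/example.js"></script>
</head><body>
<script>var u = "http://cdn.example.org/lib.js";</script>
<p>The text dns.sysip.net outside a script tag is not reported.</p>
</body></html>`;

const WATCHLIST = ["sysip.net"]; // parent of the host named in the comment

// True for the domain itself or any subdomain, but not for look-alike suffixes.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Return every script reference whose host differs from the page's own host.
function findForeignScripts(html, pageUrl, watchlist = WATCHLIST) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const refs = [];
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) refs.push({ url: src[1] ?? src[2] ?? src[3], kind: "src" });
    // Inline code: collect the absolute URLs it mentions.
    for (const m of body.matchAll(/https?:\/\/[^\s"'<>)]+/gi)) {
      refs.push({ url: m[0], kind: "inline" });
    }
    for (const ref of refs) {
      let host;
      try {
        host = new URL(ref.url, pageUrl).hostname.toLowerCase();
      } catch {
        continue; // unparsable URL, nothing to compare
      }
      if (host === pageHost) continue;
      const watchlisted = watchlist.some((d) => hostMatches(host, d));
      findings.push({ ...ref, host, watchlisted });
    }
  }
  return findings;
}

console.log(findForeignScripts(SAMPLE_HTML, "http://www.example.com/index.html"));
```

Comparing the result for the same URL fetched over the ISP connection and over an encrypted tunnel shows which script references were added in transit rather than by the site itself.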

  24. Anonymous Coward
    Thumb Up

    Tell TalkTalk what you think

    If you visit their website today you are asked to take a survey during which you get the chance to tell them why you don't want to be a Talktalk customer.

  25. Anonymous Coward
    Black Helicopters

    @ Pieman

    This will be promoted to customers as Webwise - a new feature helping protect you from phishing and spyware - presumably because the bad guys will have all your data already! Buried in the Webwise small print it may hint at the fact that all your data am belong to them. But looking at the BT website it already gives the definite impression that only people who are a bit 'cranky' would want to opt out of Webwise.

    Maybe one answer would be to get Norton et al to classify Webwise as spyware. Hmmm...

  26. Anonymous Coward
    Boffin

    Comparison with Supermarket Loyalty Cards

    This just struck me... When J Sainsbury, Tesco and the others decided they wanted access to personal shopping records they soon realised they'd have to pay for the privilege, and “reward” people with what is effectively a percentage discount on their shopping bill in order to convince them to opt-in. Technically they didn’t need reward cards as most people paid by credit/debit card, but holding a wealth of information against a credit card must have seemed politically sensitive if not unlawful (and did give a slight advantage as they could track people’s payment habits too).

    Now the ISPs want in on the personal data gig, but instead of bribing customers to opt-in with some kind of reward, they’re pushing it out to everyone, and not providing any concrete answers as to how to properly opt-out of the data exchange element (not just opt out of the personal adverts).

    Here’s another argument on the Human Rights angle (right to a personal life - on top of RIPA and Data Protection arguments). Two guys live together, one is secretly gay, uses a shared computer but takes steps to clean browsing history. Housemate 2 uses the computer and is bombarded with adverts for everything from gay dating to Arab Straps. 2nd housemate knows about targeted advertising and therefore housemate 1’s right to privacy is breached.

  27. trachycarpus

    newnet

    At least one more ISP has said categorically they will not entertain this.

    http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=newnet&Number=3281529&page=0&view=expanded&sb=5&o=7#Post3281529

    Hooray for the little guy.

  28. Alexander Hanff
    Thumb Down

    re: "like all Bandwagon's all UK ISP's will quickly jump on."

    This would be the same Zen who issued a PR statement (several actually) claiming they would -never- introduce bandwidth caps, FUPs or throttling and then did exactly that. Zen are about as trustworthy as BT and Virgin.

  29. Anonymous Coward
    Anonymous Coward

    what if

    what if all the users were to put a legal notice of some sort on every web page they make that forbids the processing of said page data in any way for potential profit ?

    would that go some way to protect the users and mess up the Phorm type profit model if enough websites/messageboards did that.

  30. Anonymous Coward
    Anonymous Coward

    paying the users licence fee

    chris, how will Phorm pay the users the licence fee for legal use of their data.

    how do Phorm know how much the users want to charge for the legal use of their data.

    how will Phorm deal with the UK Data Protection Act and the EU laws regarding use of personal data including IP addresses.

    what is Phorm's data Protection collector's valid and full address.

    what is the full and valid address of Phorm's legal counsel and to whom should it be addressed.

    where should a user submit a UK data Protection act Notice for 'any and all data' held by Phorm to be supplied by return post in a readable form to the user.

    add any more i may have missed....

  31. DaveTheRave
    Unhappy

    Its out in the open now

    http://news.bbc.co.uk/2/hi/technology/7280791.stm
