Archive for the ‘phorm’ Category

Quoted without comment

June 20, 2008

Phorm failed to mention ‘illegal’ trials at Home Office meeting in 2007 | The Register

The Home Office held a private meeting with Phorm in August last year, but BT’s interception and profiling partner did not disclose that it had completed an allegedly illegal trial of its technology on tens of thousands of unwitting broadband subscribers just weeks earlier.

Some things shouldn’t be open-sourced

May 22, 2008

Mozilla phancies doing a Phorm | The Register

Executives last week confirmed they are working on a project referred to internally as “Data”. This would gather anonymised data on a voluntary basis, and provide the analytical information for anyone who wanted it.

Mozilla claims Firefox has around 170m users, which means it has more users than the largest ISP outside China. So it’s easy to see why the temptation is there.

“There are worlds of information about how people use the web that are locked up and not currently shared,” tootles Mozilla CEO John Lilly.

And that’s the way it should stay…

Small compared to several million

April 15, 2008

BT’s ‘illegal’ 2007 Phorm trial profiled tens of thousands | The Register

Phorm sent us this statement:

We confirmed in our 2006 Financial Statement that we had concluded the trial announced on 19 July 2006 and were about to start a larger trial in 2007. In reality, the 2007 test was actually smaller than was planned at the point this statement was issued. At its peak, it involved tens of thousands of users for a couple of days, not the several hundred thousand as anticipated.

Don Foster MP, a Liberal Democrat who has taken a lead in parliament over the Phorm controversy, has called on BT to reveal the details of its allegedly illegal action. Branding BT’s role in the secret trials “disgraceful”, he said: “It’s time for BT to come clean about exactly what happened last summer and why customers were kept in the dark while they were used as guinea pigs.”

Instead, Emma Sanderson, the BT Retail executive offered to television news for interviews last week, parroted the line that no personally identifiable information had been disclosed. She said the tests were “small scale”.

If you think about it, though, tens of thousands of users is pretty small-scale. For a serious overestimate, let’s say that 10,000 users visited 1000 pages an hour for 10 hours a day. That would be all of 100 million URLs a day. You could fit the whole dataset on an iPod nano. My PC is going on five years old, and with just the tiniest bit of indexing you could hold all the information in RAM and throw statistical-analysis software at it for fun.

Which potentially means that phorm and the ISPs it’s working with have no idea how their software and hardware will perform under real loads, and are silently signing up entire subscriber bases as unknowing alpha testers. Whee.

What we already knew about phorm, in more detail

April 8, 2008

Light Blue Touchpaper » Blog Archive » The Phorm “Webwise” System

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

And all of this, of course, assumes that Phorm as implemented doesn’t turn out to have holes in it. Something we will find out only after the fact.
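To make the three-hop redirect dance in the quoted post concrete, here is a small simulation I have added (this is my reconstruction, not Phorm’s code or anything from Light Blue Touchpaper). The domain profiler.example, the cookie names, the /check path and the _stage and u query parameters are hypothetical stand-ins chosen for the example; the only thing taken from the description above is the shape of the exchange: bounce to the interceptor’s own domain to read its cookies, hand back an identifier, then answer in place of the origin and set a cookie scoped to the origin’s domain.

```python
"""Simulation of the three-hop HTTP 307 redirect dance described above.

Everything named here (profiler.example, the cookie names, the _stage and u
query parameters) is a hypothetical stand-in chosen for the example; none of
it is Phorm's real domain, cookie or parameter naming.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PROFILER_HOST = "profiler.example"  # hypothetical interceptor-owned domain
OPT_OUT_COOKIE = "optout"           # hypothetical opt-out marker, lives on PROFILER_HOST only
UID_COOKIE = "uid"                  # hypothetical per-browser identifier
STAGE_PARAM = "_stage"              # hypothetical marker the interceptor appends to URLs
MAX_REDIRECTS = 10


def origin_site(host, path, cookies):
    """The real website. It never sets a cookie, so any cookie the browser ends
    up holding for this host was planted in transit."""
    return 200, {}, f"{host}{path} saw cookies {sorted(cookies)}"


def _with_params(url, extra):
    """Return url with extra query parameters appended."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    qs.update({k: [v] for k, v in extra.items()})
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


def _without_markers(parts):
    """Return the URL with the interceptor's own parameters removed."""
    qs = {k: v for k, v in parse_qs(parts.query).items() if k not in (STAGE_PARAM, "u")}
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


class Interceptor:
    """Sits in the ISP's path and sees every request before the origin does.
    handle() returns (status, headers, body); headers may carry 'Location' and
    'Set-Cookie' as a (domain, name, value) triple."""

    def handle(self, url, cookies):
        parts = urlsplit(url)
        qs = parse_qs(parts.query)
        stage = qs.get(STAGE_PARAM, [None])[0]

        if parts.hostname == PROFILER_HOST and parts.path == "/check":
            # Hop 2: on the profiler's own domain, so the browser sends the
            # profiler's cookies and the opt-out / identifier can be read.
            target = qs["return"][0]
            if OPT_OUT_COOKIE in cookies:
                return 307, {"Location": _with_params(target, {STAGE_PARAM: "optout"})}, ""
            uid = cookies.get(UID_COOKIE) or secrets.token_hex(8)
            loc = _with_params(target, {STAGE_PARAM: "tag", "u": uid})
            return 307, {"Location": loc, "Set-Cookie": (PROFILER_HOST, UID_COOKIE, uid)}, ""

        if stage is None and UID_COOKIE not in cookies:
            # Hop 1: no identifier for this site yet; bounce to the profiler
            # domain, carrying the original URL so the browser can be sent back.
            loc = f"https://{PROFILER_HOST}/check?" + urlencode({"return": url})
            return 307, {"Location": loc}, ""

        if stage == "tag":
            # Hop 3: answer in place of the origin and set a cookie scoped to
            # the origin's domain. This is the forged cookie.
            uid = qs["u"][0]
            loc = _without_markers(parts)
            return 307, {"Location": loc, "Set-Cookie": (parts.hostname, UID_COOKIE, uid)}, ""

        # Pass-through (identifier present, or user opted out): strip the
        # planted cookie so the real server never sees it, then forward.
        forwarded = {k: v for k, v in cookies.items() if k != UID_COOKIE}
        return origin_site(parts.hostname, parts.path, forwarded)


class Browser:
    """Minimal client with a per-host cookie jar that follows 307s."""

    def __init__(self, network):
        self.network = network
        self.jar = {}  # host -> {cookie name: value}

    def get(self, url):
        """Fetch url, following redirects. Returns (chain, body) where chain
        lists each (host, status) seen on the way."""
        chain = []
        for _ in range(MAX_REDIRECTS):
            host = urlsplit(url).hostname
            status, headers, body = self.network.handle(url, dict(self.jar.get(host, {})))
            chain.append((host, status))
            if "Set-Cookie" in headers:
                domain, name, value = headers["Set-Cookie"]
                self.jar.setdefault(domain, {})[name] = value
            if status != 307:
                return chain, body
            url = headers["Location"]
        raise RuntimeError("too many redirects")


if __name__ == "__main__":
    b = Browser(Interceptor())
    chain, body = b.get("https://www.example.com/news")
    print(chain)   # three 307s before the real page is reached
    print(b.jar)   # www.example.com now holds a cookie it never set
    print(body)    # and the real site never saw that cookie
```

Run it and the point of the word “forge” is visible in the jar: the origin server sets no cookie at all, yet after one visit the browser holds a cookie scoped to www.example.com carrying the same identifier as the one on the profiler’s domain, and visiting a second site plants the same identifier there too. The origin never sees it because the interceptor strips it before forwarding, which is also why a site owner has no way to notice from their own logs.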

Because no one is going to notice

April 8, 2008

FIPR: ICO gives BT ‘green light for law breaking’ with Phorm | The Register

Meanwhile a battle over the Wikipedia article on Phorm began on Friday, with suspicious forum posters at Badphorm charging interference by self-interested parties. Widespread criticisms of Phorm were censored in a revision to the entry and more “on message” PR-type statements were inserted.

Wikipedians quickly moved to revert the changes to the article. You can compare the different versions here. The apparently Phorm-friendly edits included removing BT’s admission that it misled customers and the media over its second secret Phorm trial, conducted in summer 2007.

A quote from The Guardian’s advertising manager Simon Kilby where he explained the paper’s decision to withdraw from negotiations to join Phorm’s advertising network on ethical grounds was also censored from a BT IP address. It read: “Our decision was in no small part down to the conversations we had internally about how this product sits with the values of our company.”

This is just plain stupid. Doesn’t whoever is doing this know that lying about something in a really obvious way is generally going to make things worse for them?

And El Reg updates:

The spokesman said Phorm’s PR team had not been aware of Wikipedia’s policy on conflicts of interest. Among many other rules they violated, it states: “Producing promotional articles for Wikipedia on behalf of clients is strictly prohibited.”

A BT representative meanwhile wrote in an email: “I don’t see anything wrong with correcting Wikipedia articles about your own company or services.”

We lied with the best of intentions

March 19, 2008

BT confesses lies over secret Phorm experiments | The Register

BT has admitted that it secretly used customer data to test Phorm’s advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects.

The national telecoms provider now faces legal action from customers who are angry their web traffic was compromised.

In general, if you think what you’re doing is OK and your customer won’t object, you don’t keep it secret or lie about it.

Meanwhile, this BBC story suggests that Phorm may have entirely the wrong architecture:

“Information from websites and queries regarding sexual content, political preferences, medical health, racial origin should be blocked from processing.”

If they’re relying on some kind of blacklist to keep from processing the wrong kinds of data, they’re always going to be on the wrong side of privacy law, because there will always be new sites popping up, new combinations of search queries and so forth, and the blacklist can never be updated quickly enough. The right way to do this would be to have a whitelist, and only collect data involving those sites (and after opt-in from the user). But that would mostly make the service useless, because the whole point is collecting data about as many different sites and queries as possible until someone says “no more.”

Whee.
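Here is an added simulation of the blacklist-versus-whitelist argument above (my own example, not code from Phorm, BT or the BBC story). The users, hosts and timings are constructed; the one modelling assumption is that a blacklist entry for a newly appeared site arrives some time after the site starts getting traffic, which is the lag the argument turns on.

```python
"""Deny-list versus allow-list collection policy, simulating the argument
above. The events, hosts and users are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int            # seconds since the start of the trial
    user: str
    host: str
    sensitive: bool   # ground truth for scoring; the policies never see this field


class DenyListPolicy:
    """Default-allow: everything is processed unless the host has already been
    added to the list. Additions arrive at some time after the host appears."""

    def __init__(self, listed_at):
        self.listed_at = listed_at   # host -> time it was added to the deny list

    def collect(self, ev):
        added = self.listed_at.get(ev.host)
        return added is None or ev.t < added


class AllowListPolicy:
    """Default-deny: only explicitly allowed hosts, and only for users who
    opted in. A host nobody has reviewed yet is simply not collected."""

    def __init__(self, allowed, opted_in):
        self.allowed = frozenset(allowed)
        self.opted_in = frozenset(opted_in)

    def collect(self, ev):
        return ev.host in self.allowed and ev.user in self.opted_in


def leaked(policy, events):
    """Sensitive events the policy would have fed into profiling."""
    return [ev for ev in events if ev.sensitive and policy.collect(ev)]


def collected(policy, events):
    """Everything the policy would have fed into profiling."""
    return [ev for ev in events if policy.collect(ev)]


# Constructed trial traffic. clinic.example is a known-sensitive site listed
# from the start; newforum.example is a health forum that appeared during the
# trial and only reached the deny list an hour in (listed_at = 3600).
EVENTS = [
    Event(0, "alice", "news.example", False),
    Event(10, "bob", "clinic.example", True),
    Event(20, "alice", "newforum.example", True),
    Event(50, "alice", "shop.example", False),
    Event(3000, "bob", "newforum.example", True),
    Event(4000, "alice", "newforum.example", True),
]

DENY = DenyListPolicy({"clinic.example": 0, "newforum.example": 3600})
ALLOW = AllowListPolicy(allowed={"news.example", "shop.example"}, opted_in={"alice"})

if __name__ == "__main__":
    print("deny list leaked :", [(e.t, e.user, e.host) for e in leaked(DENY, EVENTS)])
    print("allow list leaked:", leaked(ALLOW, EVENTS))
    print("allow list kept  :", [(e.user, e.host) for e in collected(ALLOW, EVENTS)])
```

The deny list catches the site it already knew about and still leaks every visit to the new forum until the hour-later update lands; the allow list leaks nothing, and collects only the two reviewed sites for the one user who opted in. That second number is the part Phorm cannot live with: fail-closed is correct for privacy and useless for a business whose product is coverage of everything.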