Archive for the ‘phorm’ Category

Now we might find something out

November 13, 2008

Netizens sue NebuAd, data pimping ISPs • The Register

Fifteen American netizens have sued behavioral ad targeter NebuAd and several of its data pimping ISP partners, alleging wiretapping, packet forgery, and browser hijacking.

Filed Monday in a California federal court, the class action accuses NebuAd and its partners of violating the US Electronic Communications Privacy Act, the US Computer Fraud and Abuse Act, California’s Invasion of Privacy Act, and California’s Computer Crime Law. And that’s just a start.

Using deep packet inspection, NebuAd’s ISP-level hardware tracks a web surfer’s search and browsing activity and shuttles it to various advertising networks, where it’s used to target ads. If you search for, say, French vacations, you’ll soon see ads for French vacations.

By the late spring, NebuAd had deployed its hardware inside several mid-sized American ISPs. The Silicon Valley outfit claimed these partners explicitly notified customers before turning the system on, but this wasn’t always the case. NebuAd did provide a cookie-based opt-out and claimed to anonymize all user data with a one-way hash, but the law may require an opt-in.

Even if NebuAd eventually gets out from under most or all of these charges, this is the way it should be decided, with thorough discovery rather than just claims on both sides.

When you’re apparently violating the law, you don’t get to just skate by assuring people they should trust you to be doing things right. (I’m thinking of a burglar telling a cop, “Oh, sure Fred told me it was OK to drop by tonight and pick up the TV and the computer he’s giving me.”) I’d like to know the details of the explicit notification and opt-out system. I want to know that the hashing really is secure, and not subject to obvious attacks, and that the data was kept safe before it was hashed. And the company saying so with no details isn’t enough. If they have to give up their code to prove whether they were doing right or wrong, that’s the price they pay for operating as a lawful company rather than a gang of crackers. </rant>
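On the “hashing really is secure” point above: an added example, not code from the article or from NebuAd, showing why a keyless one-way hash of a small-space identifier is not anonymisation. It assumes the hashed value is something like an IPv4 address (the page does not say what was hashed) and uses a constructed address block.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

def bare_hash(identifier: str) -> str:
    """The weak scheme: a keyless one-way hash of a per-user identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def match_by_enumeration(digest: str, network: str, hasher=bare_hash) -> Optional[str]:
    """Try every address in a block against `hasher`; a hit links the digest back to its
    input. The whole IPv4 space is only 2**32 inputs, so a keyless hash protects nothing."""
    for host in ipaddress.ip_network(network).hosts():
        if hasher(str(host)) == digest:
            return str(host)
    return None

def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: still a stable pseudonym for the operator, but
    enumeration without the key yields nothing, and rotating the key unlinks old data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def demo():
    ip = "10.20.30.40"                       # constructed subscriber address
    recovered = match_by_enumeration(bare_hash(ip), "10.20.30.0/24")
    key = secrets.token_bytes(32)            # held only by the operator
    not_recovered = match_by_enumeration(keyed_pseudonym(ip, key), "10.20.30.0/24")
    return recovered, not_recovered          # ("10.20.30.40", None)
```

Note that the keyed form is pseudonymisation, not anonymisation: whoever holds the key (and any data kept before hashing) can still link records to a subscriber.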


Such an offer

September 26, 2008

Phorm mulls incentives for ad targeting wiretaps • The Register

The idea is one of more than a dozen possible incentives being punted in a survey running on the market research site Toluna. The questionnaire probes attitudes to “Webwise”, the consumer-friendly branding the planned Phorm system will carry once switched on.

Other carrots suggested include:

* An upgrade to a faster broadband package at no extra cost
* £1 off monthly broadband bills
* £1 cashback per month
* A cut of advertising revenues
* A free premium technical support line
* Free music download vouchers
* Free anti-virus software
* Parental content controls

The current incentive planned by BT and Phorm for Webwise – checking URLs against a white label anti-phishing list – is also offered by the survey. Toluna users are also questioned about a potential feature called “Webwise Local” that would allow advertisers to target internet users based on their location.

Wow. They’re offering things they ought to be delivering as a matter of course (OK, not some of the actual monetary incentives, although prices could be lower) as an inducement for letting them track you and interfere with your browsing. Whee.

Quoted without comment

June 20, 2008

Phorm failed to mention ‘illegal’ trials at Home Office meeting in 2007 | The Register

The Home Office held a private meeting with Phorm in August last year, but BT’s interception and profiling partner did not disclose that it had completed an allegedly illegal trial of its technology on tens of thousands of unwitting broadband subscribers just weeks earlier.

Some things shouldn’t be open-sourced

May 22, 2008

Mozilla phancies doing a Phorm | The Register

Executives last week confirmed they are working on a project referred to internally as “Data”. This would gather anonymised data on a voluntary basis, and provide the analytical information for anyone who wanted it.

Mozilla claims Firefox has around 170m users, which means it has more users than the largest ISP outside China. So it’s easy to see why the temptation is there.

“There are worlds of information about how people use the web that are locked up and not currently shared,” tootles Mozilla CEO John Lilly.

And that’s the way it should stay…

Small compared to several million

April 15, 2008

BT’s ‘illegal’ 2007 Phorm trial profiled tens of thousands | The Register

Phorm sent us this statement:

We confirmed in our 2006 Financial Statement that we had concluded the trial announced on 19 July 2006 and were about to start a larger trial in 2007. In reality, the 2007 test was actually smaller than was planned at the point this statement was issued. At its peak, it involved tens of thousands of users for a couple of days, not the several hundred thousand as anticipated.

Don Foster MP, a Liberal Democrat who has taken a lead in parliament over the Phorm controversy, has called on BT to reveal the details of its allegedly illegal action. Branding BT’s role in the secret trials “disgraceful”, he said: “It’s time for BT to come clean about exactly what happened last summer and why customers were kept in the dark while they were used as guinea pigs.”

Instead, Emma Sanderson, the BT Retail executive offered to television news for interviews last week, parroted the line that no personally identifiable information had been disclosed. She said the tests were “small scale”.

If you think about it, though, tens of thousands of users is pretty small-scale. For a serious overestimate, let’s say that 10,000 users visited 1000 pages an hour for 10 hours a day. That would be all of 100 million URLs. You could fit the whole dataset in an iPod nano. My PC is going on five years old, and with just the tiniest bit of indexing you could hold all the information in RAM and throw statistical-analysis software at it for fun.

Which potentially means that phorm and the ISPs it’s working with have no idea how their software and hardware will perform under real loads, and are silently signing up entire subscriber bases as unknowing alpha testers. Whee.

What we already knew about phorm, in more detail

April 8, 2008

Light Blue Touchpaper » Blog Archive » The Phorm “Webwise” System

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

And all of this, of course, assumes that Phorm as implemented doesn’t turn out to have holes in it. Something we will find out only after the fact.
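The three-redirect flow described in the quoted Light Blue Touchpaper passage above leaves a recognisable trace on the client side. As an added example (not from that post, Phorm or BT), here is a small heuristic run over a constructed proxy-log sequence with hypothetical hosts news.example and tracker.example: it flags a redirect chain that leaves the first-party site, comes back to the exact starting URL, and sets a first-party cookie from inside a redirect rather than from real content.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Hop:                     # one request/response pair as a proxy log records it
    url: str
    status: int
    location: Optional[str] = None                            # Location header
    cookie_domains: List[str] = field(default_factory=list)   # Domain of each Set-Cookie

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def redirect_chain(hops: List[Hop], start: str) -> List[Hop]:
    """Follow Location headers in log order from the first request for `start`."""
    chain, want = [], start
    for h in hops:
        if h.url != want:
            continue
        chain.append(h)
        if not (300 <= h.status < 400 and h.location):
            break
        want = h.location
    return chain

def bounce_findings(hops: List[Hop], start: str) -> List[str]:
    """Heuristic for the three-307 pattern: the chain leaves the first-party host, comes
    back to the exact starting URL, and a redirect (not real content) sets a first-party cookie."""
    chain, first = redirect_chain(hops, start), host_of(start)
    left_site = any(host_of(h.url) != first for h in chain)
    returned = any(h.location == start for h in chain)
    if not (left_site and returned):
        return []
    findings = [f"bounce: {start} left {first} and came back to the same URL"]
    for h in chain:
        if 300 <= h.status < 400 and any(d.lstrip(".").lower() == first for d in h.cookie_domains):
            findings.append(f"first-party cookie set by a redirect at {h.url}")
    return findings

# Constructed sample log: an article request bounced through a hypothetical tracker host.
ART = "http://news.example/article"
LOG = [
    Hop(ART, 307, "http://tracker.example/optout?r=" + ART),                      # 1st 307: read opt-out cookie
    Hop("http://tracker.example/optout?r=" + ART, 307, "http://tracker.example/uid?r=" + ART),
    Hop("http://tracker.example/uid?r=" + ART, 307, "http://news.example/uid-set?u=1234", ["tracker.example"]),  # 2nd: set UID
    Hop("http://news.example/uid-set?u=1234", 307, ART, ["news.example"]),        # 3rd: cookie looks first-party
    Hop(ART, 200),                                                                # the real page finally loads
]
BENIGN = [Hop("http://shop.example/", 301, "https://shop.example/"), Hop("https://shop.example/", 200, None, ["shop.example"])]
```

Any 3xx status counts as a hop, so the same check covers a 302-based variant of the bounce; an ordinary http-to-https redirect that sets its cookie on the final 200 produces no finding.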

Because no one is going to notice

April 8, 2008

FIPR: ICO gives BT ‘green light for law breaking’ with Phorm | The Register

Meanwhile a battle over the Wikipedia article on Phorm began on Friday, with suspicious forum posters at Badphorm charging interference by self-interested parties. Widespread criticisms of Phorm were censored in a revision to the entry and more “on message” PR-type statements were inserted.

Wikipedians quickly moved to revert the changes to the article. You can compare the different versions here. The apparently Phorm-friendly edits included removing BT’s admission that it misled customers and the media over its second secret Phorm trial, conducted in summer 2007.

A quote from The Guardian’s advertising manager Simon Kilby where he explained the paper’s decision to withdraw from negotiations to join Phorm’s advertising network on ethical grounds was also censored from a BT IP address. It read: “Our decision was in no small part down to the conversations we had internally about how this product sits with the values of our company.”

This is just plain stupid. Doesn’t whoever is doing this know that lying about something in a really obvious way is generally going to make things worse for them?

And El Reg updates:

The spokesman said Phorm’s PR team had not been aware of Wikipedia’s policy on conflicts of interest. Among many other rules they violated, it states: “Producing promotional articles for Wikipedia on behalf of clients is strictly prohibited.”

A BT representative meanwhile wrote in an email: “I don’t see anything wrong with correcting Wikipedia articles about your own company or services.”

We lied with the best of intentions

March 19, 2008

BT confesses lies over secret Phorm experiments | The Register

BT has admitted that it secretly used customer data to test Phorm’s advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects.

The national telecoms provider now faces legal action from customers who are angry their web traffic was compromised.

In general, if you think what you’re doing is OK and your customer won’t object, you don’t keep it secret or lie about it.

Meanwhile, this BBC story suggests that Phorm may have entirely the wrong architecture:

“Information from websites and queries regarding sexual content, political preferences, medical health, racial origin should be blocked from processing.”

If they’re relying on some kind of blacklist to keep from processing the wrong kinds of data, they’re always going to be on the wrong side of privacy law, because there will always be new sites popping up, new combinations of search queries and so forth, and the blacklist can never be updated quickly enough. The right way to do this would be to have a whitelist, and only collect data involving those sites (and after opt-in from the user). But that would mostly make the service useless, because the whole point is collecting data about as many different sites and queries as possible until someone says “no more.”