BT admits misleading customers over Phorm experiments

We know what you pimped last summer

BT has admitted that it secretly used customer data to test Phorm's advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects.

The national telecoms provider now faces legal action from customers who are angry their web traffic was compromised.

Stephen Mainwaring, a BT Business customer in Weston-super-Mare, believes sensitive banking data relating to his online horse racing business was press-ganged into a trial of an unproven technology. He suffered sleepless nights after detecting the dodgy DNS requests, and said today: "It is very likely that I and others will take legal action against BT for what they did last summer."

In a statement, BT said: "We conducted a very small scale technical test of a prototype advertising platform on one exchange in June 2007. The test was specifically conducted to evaluate the functional and technical performance of the platform.

"Absolutely no personally identifiable information was processed, stored or disclosed during this trial. As with all service providers, it is important for BT to ensure that, before any potential new technologies are employed, they are robust and fit for purpose."

Speaking to El Reg on Friday, Stephen agreed: "Absolutely, new technologies should be stringently tested, but not using mine and my customers' data. If they wanted to run a trial, they should have asked. I would have told them I did not want to be part of it.

"I note the statement, 'absolutely no personally identifiable information was processed, stored or disclosed'. That means that all my information was processed, stored or disclosed but the personal bits were filtered out. Clearly that was unlawful."

Stephen has already filed a complaint with the Information Commissioner's Office and is consulting on how to proceed through the courts with other BT subscribers who believe their connection was subject to illegal Phorm tests.

Today, he and a fellow BT customer also disputed the claim that only one exchange was involved in the covert testing.

Spike, a Reg reader based in Brighton and Hove, also noticed dodgy redirects of his web traffic last July to sysip.net, a domain owned by Phorm. He wrote about the mystery here at the time.

Spike and Stephen urged other BT customers who believe they may have been co-opted into last summer's secret trials to speak out.

We first asked BT about its relationship with Phorm in July 2007, when it was widely known as 121Media, a firm deeply involved in spyware. BT denied any testing and said customers whose DNS requests were being redirected must have a malware problem.

It wasn't until 14 February this year, when the deals between BT, Virgin Media and Carphone Warehouse to pimp customer web browsing were announced, that a cover-up was revealed. You can read the original story here.

BT's belated confession that it secretly used its customers' traffic to test the safety of ad targeting technology can only add to the distrust around Phorm, whose executive team includes a former BT Retail CTO. Several security firms have confirmed plans to classify Phorm's cookies - both for opting in and opting out of Webwise - as adware.

As part of its admission to the secret 2007 trials, BT also said it will follow Carphone Warehouse's lead and develop an opt-out that does not involve cookies and means no data will be mirrored to a profiling server, even if it is ignored. It follows serious concerns raised by experts on the Regulation of Investigatory Powers Act 2000 (RIPA) that Phorm's plan to use cookies to exclude people who opt out is illegal.

BT repeated its insistence that the technology is legal, however. It said: "We are already developing an opt-out solution that would remove the need for opt-out cookies altogether. We have carried out significant due diligence in this area, and informed consent from our customers will satisfy the necessary legal requirements."

Yet some authorities on RIPA have argued that ISPs would also need permission from website owners to profile the content of their pages. BT has not responded to our questions on this point.

ISP data pimping has also invoked the ire of the Greatest Living Briton™. Today the BBC reports that Sir Tim Berners-Lee, inventor of the web, has spoken out against ISP ad targeting. He summed up public opposition to the system: "It's [web traffic] mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."

Meanwhile, the Downing Street petition against Phorm has now garnered almost 5,000 signatures.

Carphone Warehouse has said it will ensure that its subscribers are opted out of Phorm and Webwise by default. BT and Virgin Media have made no such promise.

You can follow all our reporting of Phorm over the last three weeks here. ®
