Original URL: http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/
BT has admitted that it secretly used customer data to test Phorm's advertising targeting technology last summer, and that it covered it up when customers and The Register raised questions over the suspicious redirects.
The national telecoms provider now faces legal action from customers who are angry their web traffic was compromised.
Stephen Mainwaring, a BT Business customer in Weston-super-Mare, believes sensitive banking data relating to his online horse racing business was press-ganged into a trial of an unproven technology. He suffered sleepless nights after detecting the dodgy DNS requests, and said today: "It is very likely that I and others will take legal action against BT for what they did last summer."
In a statement, BT said: "We conducted a very small scale technical test of a prototype advertising platform on one exchange in June 2007. The test was specifically conducted to evaluate the functional and technical performance of the platform.
"Absolutely no personally identifiable information was processed, stored or disclosed during this trial. As with all service providers, it is important for BT to ensure that, before any potential new technologies are employed, they are robust and fit for purpose."
Speaking to El Reg on Friday, Stephen agreed: "Absolutely, new technologies should be stringently tested, but not using mine and my customers' data. If they wanted to run a trial, they should have asked. I would have told them I did not want to be part of it.
"I note the statement, 'absolutely no personally identifiable information was processed, stored or disclosed'. That means that all my information was processed, stored or disclosed but the personal bits were filtered out. Clearly that was unlawful."
Stephen has already filed a complaint with the Information Commissioner's Office and is consulting on how to proceed through the courts with other BT subscribers who believe their connection was subject to illegal Phorm tests.
Today, he and a fellow BT customer also disputed the claim that only one exchange was involved in the covert testing.
Spike, a Reg reader based in Brighton and Hove, also noticed dodgy redirects of his web traffic last July to sysip.net, a domain owned by Phorm. He wrote about the mystery here (http://www.spikelab.org/blog/btProxyHorror.html) at the time.
Spike and Stephen urged other BT customers who believe they may have been co-opted into last summer's secret trials to speak out.
We first asked BT about its relationship with Phorm in July 2007, when Phorm was widely known as 121Media, a firm deeply involved in spyware (http://www.theregister.co.uk/2008/02/25/phorm_isp_advertising/). BT denied any testing and said customers whose DNS requests were being redirected must have a malware problem.
It wasn't until 14 February this year, when the deals between BT, Virgin Media and Carphone Warehouse to pimp customer web browsing were announced, that a cover-up was revealed. You can read the original story here (http://www.theregister.co.uk/2008/02/27/bt_phorm_121media_summer_2007/).
BT's belated confession that it secretly used its customers' traffic to test the safety of ad targeting technology can only add to the distrust around Phorm, whose executive team includes a former BT Retail CTO. Several security firms have confirmed (http://www.theregister.co.uk/2008/03/12/phorm_av_vendors/) plans to classify Phorm's cookies - both for opting in and opting out of Webwise - as adware.
As part of its admission to the secret 2007 trials, BT also said it will follow Carphone Warehouse's lead and develop an opt-out that does not involve cookies and means no data will be mirrored to a profiling server, even if it is ignored. It follows serious concerns raised by experts on the Regulation of Investigatory Powers Act 2000 (RIPA) that Phorm's plan to use cookies to exclude people who opt out is illegal (http://www.theregister.co.uk/2008/03/04/phorm_ripa/).
BT repeated its insistence that the technology is legal, however. It said: "We are already developing an opt-out solution that would remove the need for opt-out cookies altogether. We have carried out significant due diligence in this area, and informed consent from our customers will satisfy the necessary legal requirements."
Yet some authorities on RIPA have argued that ISPs would also need permission from website owners to profile the content of their pages. BT has not responded to our questions on this point.
ISP data pimping has also invoked the ire of the Greatest Living Briton™. Today the BBC reports (http://news.bbc.co.uk/1/hi/technology/7299875.stm) that Sir Tim Berners-Lee, inventor of the web, has spoken out against ISP ad targeting. He summed up public opposition to the system: "It's [web traffic] mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."
Meanwhile, the Downing Street petition (http://petitions.pm.gov.uk/ispphorm/) against Phorm has now garnered almost 5,000 signatures.
Carphone Warehouse has said it will ensure that its subscribers are opted out of Phorm and Webwise by default. BT and Virgin Media have made no such promise.
You can follow all our reporting of Phorm over the last three weeks here (http://www.theregister.co.uk/2008/02/29/phorm_roundup/). ®