Feeds

BT and Phorm secretly tracked 18,000 customers in 2006

Spied on, profiled, and targeted for credit cards

Boost IT visibility and business value

Exclusive BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: "The validation was made within BT's live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

"The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience."

The Regulation of Investigatory Powers Act 2000 (RIPA) makes intercepting internet traffic without a warrant or consent an offence.

BT claims that when it launches, Phorm's technology will be legal under RIPA, despite counter arguments from respected experts on the legislation. The ISP's and Phorm's claim is based on advice from the Home Office, which was recently published and disputed on the influential UK-Crypto mailing list.

The government advice was solicited by the ISPs and Phorm in the run up to the announcement of their partnership on 14 February. Written by civil servant Simon Watkin, it argues that the system will probably be legal if consent is obtained from users.

Watkin wrote: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

BT has said it plans to change its terms and conditions accordingly to comply with the law.

On the legality of the proposed opt-out system using cookies, the BT technical report states: "Whilst the... issue is not really a technical consideration of this report, it is mentioned since owing to the legal position, direct cookie dropping could not be trialed and should be verified once the legal position is clearer."

That means all 18,000 test subjects were always opted-in without their knowledge.

BT has not answered The Register's question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act. A statement it sent us merely confirmed it performed the experiments on customer data, and repeated the party line that no personally identifiable information is used by Phorm technology. You can read the statement here.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT's actions. "This is extremely serious," he said. "Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP's reputation. This seems like a breach of criminal law, which is much, much worse."

Even during the early phase of the BT/Phorm deal that the technical report describes, the pair were preparing to spin the technology to the public. "121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development," BT wrote in the report.

Read on to see Phorm school El Reg on ethics.

The essential guide to IT transformation

More from The Register

next story
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Canadian ISP Shaw falls over with 'routing' sickness
How sure are you of cloud computing now?
Don't call it throttling: Ericsson 'priority' tech gives users their own slice of spectrum
Actually it's a nifty trick - at least you'll pay for what you get
Three floats Jolla in Hong Kong: Says Sailfish is '3rd option'
Network throws hat into ring with Linux-powered handsets
Fifteen zero days found in hacker router comp romp
Four routers rooted in SOHOpelessly Broken challenge
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
US TV stations bowl sueball directly at FCC's spectrum mega-sale
Broadcasters upset about coverage and cost as they shift up and down the dials
PwC says US biz lagging in Internet of Things
Grass is greener in Asia, say the sensors
Ofcom sees RISE OF THE MACHINE-to-machine cell comms
Study spots 9% growth in IoT m2m mobile data connections
O2 vs Vodafone: Mobe firms grab for GCHQ, gov.uk security badge
No, the spooks love US best, say rival firms
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.