Feeds

BT and Phorm secretly tracked 18,000 customers in 2006

Spied on, profiled, and targeted for credit cards

High performance access to file storage

Exclusive BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: "The validation was made within BT's live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

"The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience."

The Regulation of Investigatory Powers Act 2000 (RIPA) makes intercepting internet traffic without a warrant or consent an offence.

BT claims that when it launches, Phorm's technology will be legal under RIPA, despite counter arguments from respected experts on the legislation. The ISP's and Phorm's claim is based on advice from the Home Office, which was recently published and disputed on the influential UK-Crypto mailing list.

The government advice was solicited by the ISPs and Phorm in the run up to the announcement of their partnership on 14 February. Written by civil servant Simon Watkin, it argues that the system will probably be legal if consent is obtained from users.

Watkin wrote: "Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions."

BT has said it plans to change its terms and conditions accordingly to comply with the law.

On the legality of the proposed opt-out system using cookies, the BT technical report states: "Whilst the... issue is not really a technical consideration of this report, it is mentioned since owing to the legal position, direct cookie dropping could not be trialed and should be verified once the legal position is clearer."

That means all 18,000 test subjects were always opted-in without their knowledge.

BT has not answered The Register's question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act. A statement it sent us merely confirmed it performed the experiments on customer data, and repeated the party line that no personally identifiable information is used by Phorm technology. You can read the statement here.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT's actions. "This is extremely serious," he said. "Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP's reputation. This seems like a breach of criminal law, which is much, much worse."

Even during the early phase of the BT/Phorm deal that the technical report describes, the pair were preparing to spin the technology to the public. "121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development," BT wrote in the report.

Read on to see Phorm school El Reg on ethics.

High performance access to file storage

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
Beat it, freetards! Dyn to shut down no-cost dynamic DNS next month
... but don't worry, charter members, you're still in 'for life'
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.