BT pimped customer web data to advertisers last summer
Denied secret relationship with Phorm, blamed malware
Exclusive BT’s servers were secretly passing data on subscribers to its "new" advertising partner as long ago as last summer, though the companies refused to acknowledge any relationship at the time.
BT - the UK's number one internet provider - finally revealed the plan earlier this month along with Virgin Media and Talk Talk, which occupy the number two and three spots behind it. This means Phorm, the company that will run the targeting system, will have access in all to more than 10 million streams of web browsing data.
Phorm's Open Internet Exchange is an online broker that matches advertisers with publishers, much like Google or Yahoo!. The difference is that rather than target your interests using data you volunteer via web searches and by using free email services, Phorm is paying your ISP to hand over data on your browsing habits direct. The technology has roots in spyware, but the company insists it is setting a new "gold standard" in privacy online and emphasises that ISP customers will be able to opt-out.
Phorm and its trio of ISP partners are hoping to sell consumers on the idea by bundling some shiny anti-phishing bells and whistles with the package. However, BT's reluctance to acknowledge what appears to have been a pilot of the Phorm system indicates how nervous executives are - or were - about their new revenue scheme.
'You have malware'
In June 2007, Reg reader Stephen noticed his Firefox 22.214.171.124 installations making suspicious unauthorised connections to the domain dns.sysip.net every time he visted any website. Naturally worried his machines had contracted some kind of digital infection, Stephen performed a series of exhaustive malware scans, which all came back clean.
He wasn't the only BT subscriber to notice that his browser was making the mysterious contacts around July last year, as this thread archived at Thinkbroadband.com shows.
"I spent all weekend wiping my disks clean and reinstalling from backups (four PCs seemed to be affected). I spent a further two days researching and installing all kinds of anti-virus, anti-spyware and anti-rootkit utilities. But even after all that I still have this problem!" Stephen told us at the time.
Having failed to trace the source of the dodgy redirect in his own network, he contacted BT to suggest one of their DNS servers may have been hijacked. BT dismissed the idea, yet the browser requests were still making an unauthorised stop off at dns.sysip.net.
Worried that his business' financial data might be being monitored, Stephen continued to investigate. A Whois search for dns.sysip.net revealed the domain was registered by Ahmet Can, an employee of a new online advertising company called 121Media. The address is now registered through a third party private domaining agency. 121Media rebranded itself as - you guessed it - Phorm in May 2007.
This is, you'll be unsurprised to learn, is indeed the same Phorm that BT, Virgin Media and Carphone Warehouse recently revealed they had agreed to sell their customer's browsing habits to, despite the questions over its links to spyware. For helping Phorm target advertising, the ISPs are set to bag a cut of click revenues.
The company's proposed business model was in the public domain last summer, and being able to put two and two together, Stephen asked Phorm and BT what they were doing with dns.sysip.net and his browsing data. This is where the story got weird.
Deus ex machina
Phorm confirmed that the domain was one of the addresses it was using to collect browsing data. The company told Stephen to contact his ISP if he had a problem with it, but refused to confirm or deny it any relationship with BT. Indeed, a couple of months earlier, Phorm had been prompted to release an official denial that it had a deal with BT to the Alternative Investment Market, in response to persistent rumours that were moving its share price.
BT support stuck firmly to the line that the dns.sysip.net lookups were nothing to do with it, despite further tests Stephen had carried out with a brand new computer. The firm's response, via emails, was: "sysip.net is a DNS hijacker, similar to a malware therefore your anti virus scan would not have picked this up." After many calls and emails, finally it conceded "an issue which affected some users that week".
That was when The Register got involved. We contacted the BT press office in July last year, and were issued with a firm denial that its DNS servers were compromised. Likewise BT had no involvement with 121Media/Phorm, we were assured. The trail went cold.
Come Valentine's Day 2008, the major data sales deal between the pair is announced. Analysts estimate the new revenue stream will be worth £85m to BT in 2010, without the firm having to enhance its service to consumers in any way. Don't worry about privacy, BT tells us - it "has carried out extensive commercial, legal and technical due diligence on Phorm".
Remember that in summer last year, at least as far as BT support were concerned, Phorm's technology was "malware". Now BT is "confident that customer confidentiality and security is wholly protected".
We contacted BT early yesterday morning to ask for an explanation, but it has yet to respond. A spokesman says it is "looking into" the events we describe above. We'll update this story if he comes back to us.
An angry Stephen told us following our first Phorm story on Monday: "I'm very disappointed with this. It caused me sleepless nights as I had initially assumed I had some new super Trojan which was undetectable.
"If only BT or Phorm had put their hands up and said that they were using a sample of users as guinea pigs it would have saved me and my business a lot of time and money."
There's no word yet on when BT will draft the rest of its broadband customers into the new targeting system. Phorm chief executive Kent Ertegrul has claimed he is in talks with every UK ISP and in early stages of attacking the US market.
Phorm was unavailable for comment today. ®