Data pimping: surveillance expert raises illegal wiretap worries

A leading expert on computer surveillance has raised serious doubts over the legality of deals by BT, Virgin Media and Carphone Warehouse to sell their customers' web browsing data to Phorm, a new online advertising company. Professor Peter Sommer, the author of the groundbreaking 1980s book The Hacker's Handbook and a …

COMMENTS

This topic is closed for new posts.


  1. Neil Barnes Silver badge

    The benefits of Webwise

    Are there any? To me?

  2. Barrie Shepherd
    Stop

    Phorm

    If people want an agency, with which they have no commercial or contractual agreement, to see what they are viewing and data mine their "interests" then let them have the right to opt-in.

    Everyone else should be locked out (not opted out) from the service - meaning no data is passed and that their page requests are just processed directly without delay.

    Let's say that BT & VM press ahead and enable the evil device - it may be over a year before it gets proven to be breaking laws, by which time the operators will have mined enough information on people to go on a big pushed advertising spree at best, or sell it on to others for linking to bank account details.

    How long before the spies of the US get their hands on the mined data and claim all the info (about my money movements around the UK for example) is theirs? (Oh and BTW Phorm please don’t delete the info just send it over to this US IP address).

    BT shareholders had better sell up now before the value of their company slumps against a background of lost customers and law suits.

  3. TimBiller
    Thumb Down

    RIPA

    I imagine that the Government (who would doubtless benefit from a tap into this data stream) would simply change the law to suit themselves, as happens every time HMRC lose a court case.

    Tim

  4. DM
    Alert

    Marketing...

    Who else guessed that it would boil down to the marketing department with their seemingly blank cheques and limitless unaccountability getting the jump on legal, security and compliance?

    Happens everywhere whilst the security staff are left to clean up the mess, now where's my clue stick?

  5. David Willis
    Thumb Up

    Difficult Call- Contradictory RIPA

    1.3.1 Lawful interception without an interception warrant

    (1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both—

    (a) a communication sent by a person who has consented to the interception; and

    (b) a communication the intended recipient of which has so consented

    Basically - YOU HAVE TO GIVE PERMISSION OR IMPLIED PERMISSION - Think "this call will be recorded for training or other purposes" message when you call a call centre.

    However

    1.3.3 Lawful interception without an interception warrant

    (3) Conduct consisting in the interception of a communication is authorised by this section if—

    (a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and

    (b) it takes place for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services.

    Initially you have to consent to the operation, unless the operation is "for purposes connected with the provision or operation of that service".

    This ALLOWS BT to record your home phone number, the number you have called, and the time of the call. It also allows you to keep a log of incoming IP numbers in relation to "operation of that service".

    However, even if the Data Pimping is decided by a court to be not within the provision & operation of the service, people can still probably get out by:-

    1.1.6 Unlawful interception

    The circumstances in which a person makes an interception of a communication in the course of its transmission by means of a private telecommunication system are such that his conduct is excluded from criminal liability under subsection (2) if—

    (a) he is a person with a right to control the operation or the use of the system; or

    (b) he has the express or implied consent of such a person to make the interception.

    Basically "IT'S OUR SYSTEM, WE WILL DO WHAT WE WANT WITH IT". Depends how BT want to throw the wording of public vs private telecoms system.

    I personally think they are on dodgy ground..

  6. Anonymous Coward
    Anonymous Coward

    "Most customers like this" - really?

    Oh really? I would invite BT to share their questionnaire method with us because I have a hard time believing this statement (I also dislike the "most" because that's conveniently vague).

    To me it smacks more of the Ken Livingstone method of surveying (don't ask - just take it from me that "tuning a survey" is a polite way of describing it), so before I believe any statement of the parties standing to benefit from this breach of privacy I'd like to see hard facts.

    And yes, this is the one positive side of RIPA - this is principally an intercept because it results in personally identifiable data acquisition, and thus verboten.

  7. gothicform
    Thumb Up

    What about the data being sent by websites to the customer?

    One thing, however, that isn't mentioned in the article is that data is being sent both ways. Whilst the ISP might have the permission of the customer to look at their data, do they have the permission of the website sending them the data too? Once they have the data, do they have the permission to store it from the website that owns the data, or are they going to modify that data, violate the copyright etc?

    I can't see them getting away with this for long before the whole thing collapses in lawsuits and the sharks start to circle as the banks are now discovering.

  8. Anonymous Coward
    Anonymous Coward

    Profile built up on your computer and not Phorm's?

    Where? How do I delete it? Can I edit my father in law's to make it look like he's interested in goat porn?

  9. Tom

    Like getting Hotbar from your ISP

    Sounds just like crap like Hotbar and Cool Cursor where they give you some useless "feature" like anti-phishing warnings in exchange for spying and crap ads. Only this time they don't need to use drive-by downloads to get it installed on people's computers; they are getting the users' own ISP to do it for them.

  10. Aristotles slow and dimwitted horse
    Stop

    Who makes sure that...

    Once I have turned the service off, that it actually IS and remains off, and that none of my browser traffic is being intercepted surreptitiously? Because unfortunately I simply don't believe a word these fuckers say anymore.

    Maybe it's just me, but I believe that there is no-one, except an infestation of marketing types, who believes that the online experience is enhanced due to increased advertising.

    BT, Virgin et al will dig themselves into a hole over this.

  11. Steve
    Alert

    No link, again...

    So here is the link to the FAQ... http://www.webwise.com/how-it-works/faq.html

    I find this Q particularly interesting: I delete my cookies regularly, and I want to keep Webwise switched off. How do I do that?

    If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add [OIX.net] to the Blocked Cookies settings in your browser.

    P.S. El reg, I do love you so, but please learn to link within your articles it's what HTML was designed for... ;) :P

  12. Anonymous Coward
    Anonymous Coward

    re: Difficult Call

    1.3.1(a)&(b) would seem to suggest that you would need permission from both ends, so even if I opted in to this system, the website I was browsing would also need to opt in to having its communications intercepted before it was permissible.

  13. Matthew
    Stop

    gothicform is right

    I host a website and any adverts I choose to serve from my website should be left alone: the site depends on them!

    This idea sounds like it will rip out the ads the website owner provides - which possibly help fund a free site's existence - and replace them with 'targeted' ads for something else.

    It'll kill thousands of small sites when they lose their advertisers, not to mention the problem of a teenager's pr0n-browsing-habits generating dodgy ads on, say, a five year old's view of a Disney page...

    Imagine ITV's views on this kind of thing if, for example, a Freeview decoder replaced the ads they broadcast with something else. I'm looking forward to the first court case!

  14. Hywel Thomas
    Thumb Down

    Does this mean free pr0n ?

    So I can hide my browsing history from the missus, but Virgin may be free to sell this information on ? Disgrace !

    I wonder how this stuff gets pushed back though ? I pay the bill, but four very different people use the connection (a man, a woman, a boy and a girl), for different things (tech, pr0n, tech pr0n; shopping; pokemon, pointless sites; kids tv flash games).

  15. MikeC
    Thumb Down

    Our survey says...bye bye to BT???

    "Detailed customer research by BT has shown that once customers are aware of the benefits of Webwise, they are overwhelmingly in favour of the free security features and more relevant advertising during web browsing," it told The Register last week.

    Are these the same customers who click on every "You have Spyware, download this FREE anti-virus, anti-spyware, and anti-spam software now" link they come across?

    The same software that then shafts your computer right royally, that then takes ages for someone with enough brains not to click on said link to remove?

    If only I'd been asked my opinion, I'd have told them where to stick the entire thing...

  16. Matthew
    Flame

    The law on unintended consequences

    Anyone prepared to run the book on how long it is before other organisations/individuals/hackers are reading your preferences off your Phorm cookie?

  17. Anonymous Coward
    Anonymous Coward

    remove the right to Export your data

    "Virgin Media told us today: "Virgin Media is still some way from deploying Webwise. We will roll-out the system once we are completely satisfied that our implementation meets all applicable privacy guidelines _and complies with all data protection requirements._"

    Potential violation of RIPA through an unlawful interception is a separate issue to requirements under the Data Protection Act, however."

    If there are any DPA personnel/UK experts reading, perhaps you might comment on this point please.

    If you send a Data Protection Act notice to the ISP stating 'under the DPA act bla bla, I remove the right to export my personal data'

    does this have the desired effect of stopping any and all data processing of the DPA covered data outside the UK by 3rd parties they want to sell my property to, and indeed anything else outside the basic supply and billing of the Broadband?

    Plus the added benefit of putting the ISP at odds with exporting the data to their offshore customer care department, of course.

    Also, can anyone clarify the EU rules as regards your ISP supplied IP address as personal data, as this is also relevant, as is the EU opt-in advertising.

    It would be good to have all these matters written up and clarified in one place so as to help clear the air and misunderstanding.

    Not least from the many ISP personnel that don't know or consider the DPA important or relevant to their actions and the advice they and their line managers etc give.

  18. Steve

    VM's response

    "Hi there,

    Thanks for your email to Virgin Media.

    BT, Virgin Media and Talk Talk argue that Phorm's anonymising techniques will achieve this feat. When discussing Webwise, the consumer brand for Phorm's advertising targeting system, the existing partners all place heavy emphasis on its widely-available and standard anti-phishing features.

    Here is the link for it http://www.theregister.co.uk/2008/02/29/phorm_broadband_isp_targets/

    I hope the above answers your query, however, should you need further assistance, please don't hesitate to contact us again.

    Kind regards

    (Your Name)

    Virgin Media Technical Support Centre"

    The original question was "How do I opt out of this?" and, yes, the muppet did leave in the (Your Name) part instead of putting his own in. I particularly enjoyed pointing out that the article they linked to has a stream of comments complaining about this idea and the 2nd of which was mine.

  19. The Other Steve
    Thumb Down

    BT privacy policy says...

    " We do not use this information to:

    * identify individuals visiting our website; or

    * analyse your visits to any other websites (except that we do track you if you go to websites carrying our banner, but we do not identify personal details while we do this); or

    * track any Internet searches which you may make while on our website."

    http://www2.bt.com/btPortal/application?pageid=pan_privacy_policy&siteArea=pan

    So I for one will be leaving for another ISP, citing breach of contract.

    As for this "detailed customer research", bollocks. They haven't asked me, although I /am/ in the process of giving them my unsolicited opinion. I somehow can't imagine any group of people answering an honest question, such as "Do you think it's OK if we monitor all your online activities so that we can then embed intrusive advertising and send you spam from our partners", with anything other than a resounding "FOAD".

    In keeping with the way these things are done, I suspect it was a focus group asked something like "Is it OK if we use the data that we already have access to anyway, completely anonymously of course, to erm, give you some free chocolate ?"

    Bastards.

  20. Anonymous Coward
    IT Angle

    Would this be a work around

    Hi,

    would this counter phorm?

    Setting up a EC2 Machine or similar http://www.amazon.com/gp/browse.html?node=201590011

    Then encrypting all my web traffic via ssh and redirecting it to the EC2 machine to serve all my requests?

    Alternatively set up a machine in Sweden, then create a VPN session to it and use that machine for all my web traffic?

    As it's all encrypted, I doubt they would know what's happening; they would see a very long stream of encrypted traffic. Not sure, someone who is more knowledgeable would need to comment on it.

    I don't trust the webwise opt out, granted you wouldn't see the adverts but what's to say that your data is being sent to the anonymiser and then onto china?

  21. Man Outraged
    Linux

    @numerous comments

    1.) Surprising how many people suspect [UK] government surveillance spooks have a hand in this. I reckon if anything it will be foreign intelligence of some kind, possibly even commercial. Think of all the confidential business going on unencrypted as people bounce emails to home etc etc.

    2.) RE: Contradictory RIPA - the get-out clauses only seem to apply to the service provider, and it is seemingly implied that there needs to be an element of necessity of interception in order to route the communication, i.e. NOT when they're passing information to a third party. Also I'm guessing the rationale behind the get-out clauses is to allow transparent caching?

    GREAT WORK El Reg - keep it up! Channel 4 News have this story and I can't see it being a case of any publicity is good publicity in this case anyway...

  22. Anonymous Coward
    Anonymous Coward

    Do These people not read the news or something?

    From memory of recent articles:

    Google is falling foul of EU privacy laws and is facing sanction unless they take action for recording browsing habits by IP which can be traced back to a person.

    Facebook faced a massive revolt and an eventual climbdown over their tracking systems

    It's all just a bad idea, won't fly with the regulators, won't please the customers, won't work. I use Admuncher to strip out adverts, so I won't benefit from it. I also use CCleaner to wipe cookies I don't explicitly want / need.

    If the marketing men and women want to earn more £ for breaching my privacy they can just sod off unless they are offering me some £, and even then I don't think my goat pr0n habits are for sale. It's my privacy, it's not for sale and I expect the powers that be to stamp on folk who disagree, especially dodgy spyware companies.

    ISPs, you have been warned! Someone set up a Downing Street petition please!

  23. g e

    Ummm, did I understand this right?

    So Phorm's machines proxy the request for you or they are just inserted in the BT route for the data path?

    If the former, then as an ISP you can simply stick a simple Apache-style redirect into your HTTPD config for Phorm IPs informing the customer their browsing may be being intercepted.

    Presumably they exempt HTTPS traffic as well??

  24. Maurice Shakeshaft

    I don't really mind...

    receiving junk eMails or, indeed, telephone cold calls selling double glazing. I'd rather not but it happens.

    I do, however, really mind more than ever such a little tiny bit any website setting out to capture my browsing habits with a view to using them to "condition" my "internet experience". I get very pissed off when they then start to make a profit out of said data by selling it on to potentially unscrupulous 3rd parties or government agencies in a possibly illegal manner.

    I know it isn't April 1st and I assume that this isn't a joke?

    I can see multiple identities being required here..... but ooops, that's not allowed for law abiding citizens. So, if I try to evade I'm performing an illegal act myself???

  25. Chris

    re: Downing Street petition

    "ISP's you have been warned! Some set up a Downing street petition please!"

    There is one, it's here: http://petitions.pm.gov.uk/ispphorm/

    Wisnae me.

  26. darsyx
    Stop

    @Maurice Shakeshaft

    for telephone cold calls, you can (in theory) opt out by subscribing to the telephone preference service ( http://www.tpsonline.org.uk/tps/ ).

    Perhaps we need a similar service to opt out of Phorm-supplied ads...

  27. Mark

    Nothing much to worry about

    So they're just storing info about you in a cookie on your PC and nowhere else - sounds much less worrying than was first thought then. Because Phorm aren't storing any data then data protection is a non issue.

    Blocking cookies from oix.com would effectively turn off this functionality - no need for an opt out.

    @ Matthew

    No, as has been said countless times (and in this article) the Phorm ads will only appear on websites which have signed up to the Phorm service.

  28. Secretgeek
    Stop

    The more people....

    Tell your friends, tell your family, tell the people at work and the man on the bus (ok maybe not him, he looks a bit weird). I work in Data Protection and Freedom of Information and this story gives me the willies! How dare they.

    I'm no expert on RIPA but I'd have to say that even under plain old DPA 1998 they're on highly dubious ground. 'Excessive use' anybody? Transfer outside the EEA possibly? What we have to remember is that the people that we really need to communicate this message to won't be able to set up intricate workarounds, aren't interested in the whys and wherefores. Keep it simple - EVERY WEBSITE YOU VISIT ONLINE IS INTERCEPTED AND TRACKED BY BT AND PHORM.

  29. Hayden Clark Silver badge
    Unhappy

    You people have such touching faith in the mass of users out there.

    Most people on BT broadband will see the email, go "huh?" and forget it. Really. There will be no mass migration, no outrage, no shareholder revolt. Why would most people bother, even if they had any clue what was going on (which they won't because the comforting words from their ISP won't tell them).

  30. Ash

    Hey there!

    Ash again!

    Just popping by to say that i'm dropping Virgin again :)

    Thanks for the RIPA and DPA info; i'll be sure to include that in the letter!

  31. Anonymous Coward
    Happy

    Re: Mycho

    Mycho said:

    "Where? How do I delete it? Can I edit my father in law's to make it look like he's interested in goat porn?"

    More to the point, how can I edit my settings to make it look like I am NOT interested in goat porn?

  32. Ian Peters
    Thumb Down

    Detailed customer research by BT

    Does anyone ever see these types of research? Why do journalists never seem to ask to see them as proof?

  33. Anonymous Coward
    Coat

    But what about the Children?

    No-one seems to be willing to answer the question about what happens when more than one person is sharing an internet connection?

    I don't have kids using my internet connection but I know several people who have.. so, for the sake of argument, let's pretend I have.

    How will phorm ensure that adverts based on MY browsing habits aren't delivered to my kids, and to turn it round ensure that I don't get bombarded for adverts based on my kids browsing habits?

  34. John Bayly
    Flame

    @Hayden Clark

    Agreed, which is why I've been telling everyone I know. And everyone (except for a housemate) was appalled.

    I've spent a decent amount of time writing to various places to try getting an article in a website for the masses. The problem is that most media outlets don't appear to give a shit.

    <rant>

    This is another example of the media deciding what we should know and care about. At least people in China, North Korea, etc know they can't make a difference. We are taught from the word go that we can choose how the country is run. This is just another prime example of how this is bullshit.

    </rant>

  35. Anonymous Coward
    Anonymous Coward

    Pandora's box

    I can't think of an end to the mischief that this opens the door to. I can't think of a way of defeating it technically except by encrypting everything sent over HTTP.

    I hope that's only because I'm not an expert on the intertubes.

  36. Anonymous Coward
    Flame

    @John Bayly

    My boyfriend is actually a deputy editor at a national broadsheet. I've been hopping about this since it broke on Feb 14 and he keeps telling me it's a.) difficult to explain the more alarmist elements without getting into detailed technical arguments that will lose the readers and b.) difficult to research without a real tech-focussed reporter and c.) not really target audience. Obviously they will report it if/when any action is announced by regulators or someone launches civil legal proceedings.

    On another slant - everyone is focussing on data privacy and protection, but there's one technical argument that shouldn't be overlooked. I know of at least one proprietary system that (ab)uses port 80 (HTTP) and HTML in order to allow remote clients to connect to head office. It uses port 80 and pseudo-HTML so the connection can be routed via most proxies. If the system is broken by spurious unexpected content such as cookies being injected, then who's at fault? You could argue the system developers were short-sighted, but you never expect your data stream to be tampered with, do you?

  37. Richard Thomas

    @ Pie Man

    Your boyfriend's national broadsheet wouldn't happen to be The Grauniad or the FT would it? If so there's a teeny weeny conflict of interest according to the article...

  38. Anonymous Coward
    Anonymous Coward

    Keep this one going

    Thank god this story hasn't been forgotten from last week.

    Still no word from the regular media about this, which is shocking, but hopefully the shit will hit the fan this week.

    Again, people need arresting for this.

  39. Anonymous Coward
    Unhappy

    Privacy International

    I got a reply to my email, to avoid any legal problems, I wrote this myself.

    We have been pushing for Phorm to remove this content for quite some time now. PI does not work for companies, nor do we endorse products.

    Two of PI's staff members, in a private venture, advised Phorm of the serious risks that their technology raised. We are pushing for Phorm to disclose this risk assessment.

    To avoid any conflict of interest, we have notified our Trustees and International Advisory Board of this activity.

    The reality is that PI's accounts are so weak that we must often fund ourselves through other ventures.

    Keep well...

  40. Jon

    opt-out opt-in

    ISPs won't want to miss out on this money-making scheme. All they will do is create a two-tier system. If you are ok with ads then you only pay current rates and by paying this rate you opt in. If you want to keep your browsing secret you will have to pay an "enhanced" rate of probably 3 times this. :(

  41. Andy ORourke
    Thumb Down

    BT's Response (& implied opt-in)

    I just opened a ticket to opt out and here is the reply:

    Thank you for your e-mail dated 3rd March '08. It has been logged under the reference number BLAH BLAH BLAH. As I understand from you e-mail, you want to opt out of BT Phorm.

    I regret to inform we, being the broadband technical helpdesk, do not have the adequate resources to terminate your BT Phorm subscription. Hence, issue needs to be taken care of our dedicated BT Broadband Technical Helpdesk on 0845 600 7030 (open 24 hours / 7 days). They would investigate into the matter and if necessary, they would transfer the call to our Yahoo! Helpdesk.

    For any further assistance please do not hesitate to contact us or use our BT Broadband Self Help web site http://www.bt.com/broadband/help

    Thank you for using BT Total Broadband Support

    BT Total Broadband Support

    Notice the phrase "Your BT Phorm Subscription" I don’t remember subscribing? By the way the incorrect spelling and grammar have been left in place!

  42. Anonymous Coward
    Anonymous Coward

    Channel 4 site

    Yay! and they're even using the correct Registerese - 'data pimping'. Let's make sure that Phorm, BT and 'data pimping' become part of daily conversation:

    http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547

    Now I wonder if they'll run the story on the television news?

  43. John Bayly
    Thumb Up

    @Pie Man

    Those are fair points that you've made. Point (a) is the one I really have to agree with. It took a bit of effort to explain to my housemate (he's the type that tries to login when "his bank" email him).

    I have just found that it's been mentioned on Channel 4's new website:

    http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547

    Regarding the proprietary system you mentioned, not only could they be breaking it (I imagine that inserting cookies into the response could break checksums too), they are eavesdropping on something that is not supposed. (Using their highly dubious logic that our HTTP streams are theirs to snoop)

  44. Anonymous Coward
    Thumb Down

    Webwise my @rse!

    This Webwise nonsense is a complete joke. Switch to OpenDNS and you get warned about phishing sites for free without OpenDNS having to examine all your data. This Phorm lark is pure evil. I'm a VM customer, does anyone have the great Beardy one's contact details? I think a number of concerned customers complaining to him directly about how his integrity and brand image will be damaged by this might achieve something.

    Arturo Toromolusco

  45. mixbsd

    Boycott

    It wouldn't be too difficult to compile a list of companies who utilise the ad brokers/publishers connected to Phorm.

    Boycott the lot of 'em.

  46. RW
    Alert

    That Ernst & Young Report

    It's just disinformation commissioned in order to muddy the waters.

    Accounting firms are like lawyers: they tell the clients what the clients want to hear.

    You have been warned.

  47. Anonymous Coward
    Anonymous Coward

    @Richard Thomas

    No... comment! But forgive me, I've been totally rebuked for even mentioning using my partner's name in trying to publicise this. But seriously, so many people on here have mentioned writing to the likes of the BBC, and I myself have written to several news outlets, and the only people running the story (and duly crediting El Reg) are Channel 4 News:

    http://www.channel4.com/news/articles/science_technology/concerns+over+data+pimping+deal/1703547

    Spread the word!

  48. Anonymous Coward
    Anonymous Coward

    Tuning a Survey

    On the subject of tuning a survey by "Anonymous Coward",

    think back to the last time you completed an employee satisfaction survey for your employer, every company I have ever worked for which conducts those surveys always seems to miss out the fundamental questions. Funny, how those surveys *always* show that the employer is doing a good job, and the employees are nearly entirely happy.

  49. Graham Wood
    Stop

    @Mark

    The "opt out" doesn't stop phorm snooping the traffic, and therefore it being exposed to interception.

    Would you be happy for all your phone calls to be routed through a single building on the Thames near Vauxhall (coincidentally next to MI6's HQ) if you were told that typing something at the start of the call would stop anyone listening?

    The network diagrams that el-reg has shown imply that ALL TRAFFIC goes through the phorm devices - regardless of any opt in/out. Therefore all your opt out does is stop them sending you the ads, it DOESN'T stop them seeing your traffic.
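The worries in comment 36 (cookies injected into a port-80 stream breaking a protocol that rides on it) and comment 49 (an opt-out that stops the ads rather than the interception) both come down to one question: does the response that reaches the browser over the ISP path differ from the one the site actually sent? The following is an added example written for this page; it is not code from the thread, from Phorm or from any ISP. It parses two captured HTTP responses for the same URL, one fetched over the ISP path and one over the kind of SSH tunnel comment 20 proposes, flags any Set-Cookie whose Domain does not belong to the site being visited, and lists the headers that appear only on the ISP path. The captures, the host names and the shape of the injected cookie (a Domain=.oix.net cookie, reusing the domain the Webwise FAQ quoted in comment 11 names) are constructed for illustration and are assumptions, not observed Phorm behaviour.

```python
"""Added example for this thread (not Phorm's, BT's or any ISP's code):
detect third-party cookie injection in captured HTTP responses and diff the
ISP path against a tunnelled fetch of the same URL. Sample captures below
are constructed for illustration."""


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value), ...], body).
    Header names are lower-cased so comparisons are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_domain(set_cookie):
    """Return the Domain attribute of a Set-Cookie value, or None if host-only."""
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "domain":
            return value.strip().lstrip(".").lower()
    return None


def domain_matches(domain, host):
    """True when a cookie domain is the requested host itself or a parent of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def inspect_response(request_host, raw):
    """Findings for one response: cookies scoped to a domain that is not the
    site the browser asked for, which is what an in-path device setting its
    own identifier looks like from the client side."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        domain = cookie_domain(value)
        if domain and not domain_matches(domain, request_host):
            findings.append(
                "third-party cookie for %s set on response from %s"
                % (domain, request_host)
            )
    return findings


# Headers expected to differ between two fetches even with nothing in the path.
VOLATILE = {"date", "expires", "age", "connection", "keep-alive"}


def headers_only_on_path(isp_raw, tunnel_raw):
    """Headers present on the ISP-path response but absent from the tunnelled
    one, ignoring headers that legitimately change per request."""
    _, isp_headers, _ = parse_response(isp_raw)
    _, tunnel_headers, _ = parse_response(tunnel_raw)
    extra = set(isp_headers) - set(tunnel_headers)
    return sorted(h for h in extra if h[0] not in VOLATILE)


# Constructed sample captures (not real traffic): the same page fetched over
# the ISP path and over an SSH tunnel to a host outside the ISP's network.
# The .oix.net cookie is a hypothetical shape for an injected identifier.
ISP_PATH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 04 Mar 2008 10:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Domain=.example.org; Path=/\r\n"
    b"Set-Cookie: uid=ffffffff; Domain=.oix.net; Path=/\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"<html>hello, example</html>"
)
TUNNEL_PATH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 04 Mar 2008 10:00:05 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Domain=.example.org; Path=/\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"<html>hello, example</html>"
)

if __name__ == "__main__":
    for finding in inspect_response("www.example.org", ISP_PATH):
        print("finding:", finding)
    for name, value in headers_only_on_path(ISP_PATH, TUNNEL_PATH):
        print("only on ISP path: %s: %s" % (name, value))
```

Run against real captures (for example, raw responses saved with a packet capture tool on a machine using the ISP connection directly and on the same machine with its browser pointed at the tunnel), the interesting result is not the cookie itself but whether the ISP-path diff goes empty after the opt-out is set: an opt-out that only suppresses the ads would still leave the ISP-path response identical to the tunnelled one, so this check cannot prove the traffic was not seen in transit, only whether something in the path altered what the browser received.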

  50. John Edwards

    This should cover it

    Virgin Media Ltd

    PO Box 333

    Swansea SA7 9ZJ

    4.3.08

    Sir,

    I forbid the collection of data concerning the use of my computer and its connections for any purpose whatever beyond that which is necessary for billing or monitoring for technical faults.

    In particular I expressly forbid the passing of any of my information to Phorm, (or any like organisation), for any purpose whatever.

    This letter may be taken to over-ride any past or future conditions in your End User License Agreement.

    Yours faithfully,

    Paris because she can cover me any time she likes
