British Telecom's Secret Phorm Trial - Tracked 18,000 users and forgot to tell them all....
Links: home · search · speed test · login · more ·
Links: New Topic
Forums »
bgraham @ 1st Apr 09:28AM:
Do I understand this correctly?
If I read this correctly, someone visiting say DSLR, will get advertisements inserted into the page for routers or whatever. These ads are inserted by the ISP using Java script that the ISP injects using Phorm technology.
Phorm's website does not really say much except a lot of sales and marketing talk.
reply
Karl Bode @ 1st Apr 09:32AM:
Re: Do I understand this correctly?
Nope.
Network hardware sits on the ISP network and monitors every page you visit (and for how long). After the ISP gets a check, that data is sent to a behavioral advertising firm, who then strikes deals with traditional advertising distributors to hit you with ads that use your browsing data to offer ads tailored to your interests (hockey, Hawaiian travel, etc.)
No injection by the ISP in these models (yet).
reply
anon @ 1st Apr 09:57AM:
Re: Do I understand this correctly?
As per Karl says, with additional note that in the secret trials in 2006, The Register reports that JavaScript was injected into some or all web pages visited.
The Phorm system is particularly bad for UK interenet uses because every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
It also builds a profile of my interests, so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings (like you would be in Facebook if you set your status to "engaged").
So you can turn it off - right? Well not really. opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
But by far the biggest security risk is that a 3rd party is delivering software to your ISP that has COMPLETE access to your entire browsing stream. Phorm are an honourable and decent company, but what if a rogue employee or a hacker got in? Redirect legitimate requests to fake bank websites? Blackmail people interested in niche but legal perversions?
Fight this now!
reply
knightmb @ 1st Apr 09:56AM:
Re: Do I understand this correctly?
Good thing for Ad Block Plus then :D
reply
Karl Bode @ 1st Apr 10:03AM:
Re: Do I understand this correctly?
quote:
So you can turn it off - right? Well not really. opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
Same here in the States with NebuAD...
Phorm's going one step further by suggesting to users that they're actually an anti-phishing solution, something NebuAD isn't doing....
reply
bgraham @ 1st Apr 10:44AM:
Re: Do I understand this correctly?
According to Phorm: »www.webwise.com/how-it-works/faq.html
and they say that you can shut it off.
They also explain a little more at »www.phorm.com/oix/advertisers.php and I quote:
"For example, Travel advertisers will be able to target messages to anyone seeing the keywords "Paris vacation" either as a search or inside the text of any page with timing of three times in an hour. The OIX will match that campaign to users as they browse, and offer to deliver those highly-relevant ads on OIX participating websites and ad networks whenever those users go to those sites."
It appears that web sites have to participate (pay?) so traffic does not get directed through Phorm's domain, just your advertisement interests I guess.
reply
Nightshade @ 1st Apr 11:16AM:
Re: Do I understand this correctly?
Ad Block, flashblock, and NoScript is a winning combo.
--
True Happiness Must Come From Within
reply
anon @ 1st Apr 11:27AM:
Re: Do I understand this correctly?
Bgraham
Regarding the opt-out, the only thing you are opting out of is their ability to deliver you adverts. If you opt-out your clickstream data/browsing still gets intercepted and passed through the Phorm profiler sitting within the ISP network. The opt-out isn't a true opt-out.
reply
anon @ 1st Apr 12:00PM:
Re: Do I understand this correctly?
Hope it's okay if I jump in here for a second? Here are a few answers, and more is available on www.webwise.com and www.phorm.com, and you can ask questions directly on our blogs there if you like.
said by Tetchy :
every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all.
said by Tetchy :
so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings
That assumes you're only ever looking at wedding pages, and that every site you and your partner go to are partners in the OIX so an ad could be delivered. In reality, each user would have scores of potential advertising category matches, and then, there are all the irrelevant ads that you would see that don't come from the OIX. And anyway - if you think you're being bombarded with irrelevant ads now, wouldn't it be better to get relevant ones with NO DATA leaking your privacy all over the internet?
said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
said by Tetchy :
what if a rogue employee or a hacker got in?
Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself:
»www.phorm.com/videos/Is_the_data···ked.html
reply
anon @ 1st Apr 11:59AM:
Re: Do I understand this correctly?
Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at:
»www.webwise.com/how-it-works/tra···311.html
reply
anon @ 1st Apr 01:23PM:
Re: Do I understand this correctly?
said by Phorm Comms :Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at:
»
www.webwise.com/how-it-works/tra···311.html Heads up guys, the PR team paid for by Phorm will walk over any forum. Just watch out for inconsistencies like their answer to The Register and the BBC confirming that data will still go to their profiler even if opted out. This is because Phorm can't read cookies in the webwise.net domain if you're visiting dslreports.com until it redirects you onto their domain. The opt-out cookie sits in the webwise domain, so it needs to redirect you just to read it.
»www.theregister.co.uk/2008/03/07···ge3.html
So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?
MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.
»news.bbc.co.uk/1/hi/technology/7283333.stm
Q: There are inconsistencies appearing. Phorm told The Register that data is still passed to the "Profiler" even if people opt-out, but apparently the "Profiler" is owned by the ISP, which is how they claim no personal data is sent to Phorm, as per the reply to the BBC.
A: This isn't inconsistent. The Profiler is owned by the ISP. If someone opts out no data is passed from the ISP to Phorm.
@comms team - I thought you'd learned a lesson from the brusing you got in the UK press for stifling debate? DONT LIE.
reply
anon @ 1st Apr 02:14PM:
Re: Do I understand this correctly?
Hello Phorm Comms.
Some facts:
Internet browsers only return cookies to the original domain.
To retrieve the webwise.com "opt-out" cookie, Phorm hijack every EVERY SINGLE WEB REQUEST to trick the browser into temporarily thinking that the request comes from webwise.com.
This is the basis of Phorm's technology.
This hijack happens even if you "opt out".
How certain are you that this is not warrantless interception and therefore in breach of RIPA?
reply
anon @ 1st Apr 01:56PM:
Re: Do I understand this correctly?
said by Phorm Comms :
Hope it's okay if I jump in here for a second?
Hi Comms Team - thought you'd pop up.
said by Phorm Comms :said by Tetchy :
every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all.
Thats interesting. So you only watch 1% of my browsing? Not what Virasb Vahidi said in the NY Times:
»www.nytimes.com/2008/03/20/busin···f=slogin
“As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”
said by Phorm Comms :said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
But the redirects to the Phorm server just to read the cookie take a finite time. So even if you opt out, you've still got the system messing with your connection.
said by Phorm Comms :said by Tetchy :
what if a rogue employee or a hacker got in?
Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself:
»
www.phorm.com/videos/Is_the_data···ked.html You just don't get it, do you? What you say is true, but what I as a software security professional am concerned with is what if someone ALTERS the phorm software? The Phorm system is so invasive, it sits there at the heart of the ISP and is a basic security risk. In the UK it's illegal under RIPA, according to respected academic think tank FIPR. Did someone at their ISP fail in their due dilligence? I can't speak for the states but you're not wanted in the UK.
reply
Karl Bode @ 1st Apr 02:36PM:
Re: Do I understand this correctly?
quote:
I can't speak for the states but you're not wanted in the UK.
Since only very small ISPs are using such service over here, nobody has been ringing many alarm bells...yet...that will change once a major carrier signs up.
The main behavioral ad outfit over here (NebuAD) doesn't have the shady spyware/rootkit history, and they're not trying to insult user intelligence by pretending their product is an anti-phishing service.
reply
anon @ 1st Apr 03:24PM:
Re: Do I understand this correctly?
said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
said by Phorm Comms :
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
First part definitely IS true, contrary to the assertion by Phorm Comms. Please check your facts.
A browser will ONLY return the webwise.com cookie if it thinks it is visiting webwise.com. To get the opt in/out status, Phorm uses a redirect trick to fool the browser into thinking it is visiting webwise.com (regardless of the final destination). So redirection is carried out on *every single request*, regardless of whether you opt in or out.
You are also being extremely dishonest by claiming that the "ISP-located server" is not a Phorm server. Of course it is! It's supplied by Phorm, it runs software written by Phorm, it's maintained by Phorm and exists solely to provide profiling data to the Phorm network. Peeling the "Phorm" label off does not change this.
reply
Smith6612 @ 1st Apr 04:01PM:
A few things...
Even though the ISP may be able to track your internet usage, they need to stop thinking with money (which is hard) and start thinking about what their customers want. As for the ads, you gotta love Firefox with Adblock with the Filterset G-Updater, and NoScript. Prefect way to defeat anything.
Also, if my ISP were to do anything like this and tech support denies that they are trying to insert unwanted things into my pages, all I need to do is pop out my PSP, and e-mail the support representative a picture of the screen. There's no defeating that as PSPs seriously cannot be hit by spyware and adware that PCs can get, which immediately nullifies their thing that I have adware on my computer.
reply
Anonymous_ @ 1st Apr 04:46PM:
Re: Do I understand this correctly?
said by Karl Bode :
Nope.
Network hardware sits on the ISP network and monitors every page you visit (and for how long). After the ISP gets a check, that data is sent to a behavioral advertising firm, who then strikes deals with traditional advertising distributors to hit you with ads that use your browsing data to offer ads tailored to your interests (hockey, Hawaiian travel, etc.)
No injection by the ISP in these models (yet).
ad blocker works
reply
anon @ 1st Apr 06:18PM:
Re: A few things...
Smith6612
Using these types of addons with Firefox will only stop you seeing the various ads, the information is still being sent to Phorm they just promise not to do anything with it.
Can you trust a company like that? everyone already hates them and it hasnt even been put into action yet, plus the fact that Phorm has stated it has interest in the US market should be of concern to all here.
reply
SnowyOne @ 2nd Apr 02:27AM:
Re: Do I understand this correctly?
It doesn't really matter much.
If this service were to actually gain a foothold it would be a trivial matter to defeat it.
Rather than trying to avoid the service, give it all you can give it. Flood it with worthless data, their customer base would quickly realize there is no value provided.
How would this be accomplished?
Multiple browser windows transparently making random search requests to the different search engines. Not stopping with just a search engine query, the "excess" or "BS" browser windows would actually visit a few of the results pages before going on the next random, transparent to the end user's view before moving onto the next meaningless query.
One browser window actually being used by the end user for every 4 "BS" browser windows will make the data garbage.
Choke it to death with garbage.
Edit: Of course this would be accomplished without any effort on the part of the end user other than setting an app to run whenever a browser is initiated. This type of software already exists in many flavors & colors. :)
reply
Thank you for using lo-fi dslreports.com - report bugs
© 99-2009 silver matrix LLC