| reply to Karl Bode
Re: Do I understand this correctly? As per Karl says, with additional note that in the secret trials in 2006, The Register reports that JavaScript was injected into some or all web pages visited.
The Phorm system is particularly bad for UK interenet uses because every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
It also builds a profile of my interests, so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings (like you would be in Facebook if you set your status to "engaged").
So you can turn it off - right? Well not really. opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
But by far the biggest security risk is that a 3rd party is delivering software to your ISP that has COMPLETE access to your entire browsing stream. Phorm are an honourable and decent company, but what if a rogue employee or a hacker got in? Redirect legitimate requests to fake bank websites? Blackmail people interested in niche but legal perversions?
Fight this now! |
|
Host:
Road Runner
PC gaming GAMES
PC gaming Tech
| quote:
So you can turn it off - right? Well not really. opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
Same here in the States with NebuAD...
Phorm's going one step further by suggesting to users that they're actually an anti-phishing solution, something NebuAD isn't doing.... |
|
bgraham
join:2001-03-15
Smithtown, NY Reviews:
 ·Verizon VoiceWing
 ·Verizon FiOS
·VOIPo
1 edit | reply to Tetchy
According to Phorm: »www.webwise.com/how-it-works/faq.html
and they say that you can shut it off.
They also explain a little more at »www.phorm.com/oix/advertisers.php and I quote:
"For example, Travel advertisers will be able to target messages to anyone seeing the keywords "Paris vacation" either as a search or inside the text of any page with timing of three times in an hour. The OIX will match that campaign to users as they browse, and offer to deliver those highly-relevant ads on OIX participating websites and ad networks whenever those users go to those sites."
It appears that web sites have to participate (pay?) so traffic does not get directed through Phorm's domain, just your advertisement interests I guess. |
|
|
|
| Bgraham
Regarding the opt-out, the only thing you are opting out of is their ability to deliver you adverts. If you opt-out your clickstream data/browsing still gets intercepted and passed through the Phorm profiler sitting within the ISP network. The opt-out isn't a true opt-out. |
|
| reply to Tetchy
Hope it's okay if I jump in here for a second? Here are a few answers, and more is available on www.webwise.com and www.phorm.com, and you can ask questions directly on our blogs there if you like.
said by Tetchy :
every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all.
said by Tetchy :
so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings
That assumes you're only ever looking at wedding pages, and that every site you and your partner go to are partners in the OIX so an ad could be delivered. In reality, each user would have scores of potential advertising category matches, and then, there are all the irrelevant ads that you would see that don't come from the OIX. And anyway - if you think you're being bombarded with irrelevant ads now, wouldn't it be better to get relevant ones with NO DATA leaking your privacy all over the internet?
said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
said by Tetchy :
what if a rogue employee or a hacker got in? Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself:
»www.phorm.com/videos/Is_the_data···ked.html |
|
| reply to Phormistan
Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at:
»www.webwise.com/how-it-works/tra···311.html |
|
approval from:
catseyenu 
| said by Phorm Comms :Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at: » www.webwise.com/how-it-works/tra···311.html Heads up guys, the PR team paid for by Phorm will walk over any forum. Just watch out for inconsistencies like their answer to The Register and the BBC confirming that data will still go to their profiler even if opted out. This is because Phorm can't read cookies in the webwise.net domain if you're visiting dslreports.com until it redirects you onto their domain. The opt-out cookie sits in the webwise domain, so it needs to redirect you just to read it.
»www.theregister.co.uk/2008/03/07···ge3.html
So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?
MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.
»news.bbc.co.uk/1/hi/technology/7283333.stm
Q: There are inconsistencies appearing. Phorm told The Register that data is still passed to the "Profiler" even if people opt-out, but apparently the "Profiler" is owned by the ISP, which is how they claim no personal data is sent to Phorm, as per the reply to the BBC.
A: This isn't inconsistent. The Profiler is owned by the ISP. If someone opts out no data is passed from the ISP to Phorm.
@comms team - I thought you'd learned a lesson from the brusing you got in the UK press for stifling debate? DONT LIE. |
|
| reply to Phorm Comms
Hello Phorm Comms.
Some facts:
Internet browsers only return cookies to the original domain.
To retrieve the webwise.com "opt-out" cookie, Phorm hijack every EVERY SINGLE WEB REQUEST to trick the browser into temporarily thinking that the request comes from webwise.com.
This is the basis of Phorm's technology.
This hijack happens even if you "opt out".
How certain are you that this is not warrantless interception and therefore in breach of RIPA? |
|
| reply to Phorm Comms
said by Phorm Comms :
Hope it's okay if I jump in here for a second?
Hi Comms Team - thought you'd pop up.
said by Phorm Comms :said by Tetchy :
every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all. Thats interesting. So you only watch 1% of my browsing? Not what Virasb Vahidi said in the NY Times:
»www.nytimes.com/2008/03/20/busin···f=slogin
“As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”
said by Phorm Comms :said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out. But the redirects to the Phorm server just to read the cookie take a finite time. So even if you opt out, you've still got the system messing with your connection.
said by Phorm Comms :said by Tetchy :
what if a rogue employee or a hacker got in? Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself: » www.phorm.com/videos/Is_the_data···ked.html You just don't get it, do you? What you say is true, but what I as a software security professional am concerned with is what if someone ALTERS the phorm software? The Phorm system is so invasive, it sits there at the heart of the ISP and is a basic security risk. In the UK it's illegal under RIPA, according to respected academic think tank FIPR. Did someone at their ISP fail in their due dilligence? I can't speak for the states but you're not wanted in the UK.
|
|
Host:
Road Runner
PC gaming GAMES
PC gaming Tech
| reply to clanger9
quote:
I can't speak for the states but you're not wanted in the UK.
Since only very small ISPs are using such service over here, nobody has been ringing many alarm bells...yet...that will change once a major carrier signs up.
The main behavioral ad outfit over here (NebuAD) doesn't have the shady spyware/rootkit history, and they're not trying to insult user intelligence by pretending their product is an anti-phishing service. |
|
| reply to Phorm Comms
said by Tetchy :
opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
said by Phorm Comms :
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
First part definitely IS true, contrary to the assertion by Phorm Comms. Please check your facts.
A browser will ONLY return the webwise.com cookie if it thinks it is visiting webwise.com. To get the opt in/out status, Phorm uses a redirect trick to fool the browser into thinking it is visiting webwise.com (regardless of the final destination). So redirection is carried out on *every single request*, regardless of whether you opt in or out.
You are also being extremely dishonest by claiming that the "ISP-located server" is not a Phorm server. Of course it is! It's supplied by Phorm, it runs software written by Phorm, it's maintained by Phorm and exists solely to provide profiling data to the Phorm network. Peeling the "Phorm" label off does not change this. |
|
 SnowymIRC unix.ro UnderNetPremium
join:2003-04-05
Kailua, HI
kudos:5
 ·RoadRunner Cable
 ·Clearwire Wireless
1 edit | reply to Phorm Comms
It doesn't really matter much.
If this service were to actually gain a foothold it would be a trivial matter to defeat it.
Rather than trying to avoid the service, give it all you can give it. Flood it with worthless data, their customer base would quickly realize there is no value provided.
How would this be accomplished?
Multiple browser windows transparently making random search requests to the different search engines. Not stopping with just a search engine query, the "excess" or "BS" browser windows would actually visit a few of the results pages before going on the next random, transparent to the end user's view before moving onto the next meaningless query.
One browser window actually being used by the end user for every 4 "BS" browser windows will make the data garbage.
Choke it to death with garbage.
Edit: Of course this would be accomplished without any effort on the part of the end user other than setting an app to run whenever a browser is initiated. This type of software already exists in many flavors & colors.  |
|
