British Telecom's Secret Phorm Trial
Tracked 18,000 users and forgot to tell them all....
by Karl Bode 08:43AM Tuesday Apr 01 2008
In the States, providers like Wide Open West have started using behavioral advertising tracking technology from NebuAD, and the only way users would have known is if they checked the FAQ or TOS. UK telco British Telecom took things one step further by testing the UK behavioral ad system Phorm on 18,000 users without telling anyone. As we've discussed, ISPs are paid to host deep packet inspection hardware on their networks that tracks users' website use (down to the second), and the resulting profiles are used to pitch those users ads more suited to their interests.

The debate in the States over this technology hasn't heated up yet because only minor ISPs are using it thus far (as far as we know). The debate is reaching fever pitch in the UK, where the three largest broadband ISPs now use the technology. Some advertisers have started pulling out of their deals with the company, which has a history in both spyware and rootkits.

bgraham

join:2001-03-15
Smithtown, NY

1 edit

Do I understand this correctly?

If I read this correctly, someone visiting, say, DSLR will get advertisements inserted into the page for routers or whatever. These ads are inserted by the ISP using JavaScript that the ISP injects using Phorm technology.

Phorm's website does not really say much except a lot of sales and marketing talk.

Karl Bode
News Guy
join:2000-03-02
kudos:39

Re: Do I understand this correctly?

Nope.

Network hardware sits on the ISP network and monitors every page you visit (and for how long). After the ISP gets a check, that data is sent to a behavioral advertising firm, who then strikes deals with traditional advertising distributors to hit you with ads that use your browsing data to offer ads tailored to your interests (hockey, Hawaiian travel, etc.)

No injection by the ISP in these models (yet).

knightmb
Everybody Lies

join:2003-12-01
Franklin, TN

Re: Do I understand this correctly?

Good thing for Ad Block Plus then

Nightshade
Premium
join:2002-05-26
Salem, OR

Re: Do I understand this correctly?

Ad Block, FlashBlock, and NoScript are a winning combo.
--
True Happiness Must Come From Within

Tetchy

@btcentralplus.com
As Karl says, with the additional note that in the secret trials in 2006, The Register reports that JavaScript was injected into some or all web pages visited.

The Phorm system is particularly bad for UK internet users because every HTTP request is countered with a redirect onto Phorm's domain, then redirected back to the actual domain, before the request gets sent to the target website.

It also builds a profile of my interests, so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings (like you would be in Facebook if you set your status to "engaged").

So you can turn it off - right? Well, not really. Opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also, the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.

But by far the biggest security risk is that a 3rd party is delivering software to your ISP that has COMPLETE access to your entire browsing stream. Phorm are an honourable and decent company, but what if a rogue employee or a hacker got in? Redirect legitimate requests to fake bank websites? Blackmail people interested in niche but legal perversions?

Fight this now!

Karl Bode
News Guy
join:2000-03-02
kudos:39

Re: Do I understand this correctly?

quote:
So you can turn it off - right? Well not really. opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
Same here in the States with NebuAD...

Phorm's going one step further by suggesting to users that they're actually an anti-phishing solution, something NebuAD isn't doing....
bgraham

join:2001-03-15
Smithtown, NY

1 edit
According to Phorm: »www.webwise.com/how-it-works/faq.html

and they say that you can shut it off.

They also explain a little more at »www.phorm.com/oix/advertisers.php and I quote:

"For example, Travel advertisers will be able to target messages to anyone seeing the keywords "Paris vacation" either as a search or inside the text of any page with timing of three times in an hour. The OIX will match that campaign to users as they browse, and offer to deliver those highly-relevant ads on OIX participating websites and ad networks whenever those users go to those sites."

It appears that web sites have to participate (pay?) so traffic does not get directed through Phorm's domain, just your advertisement interests I guess.

Phormistan

@ntl.com

Re: Do I understand this correctly?

Bgraham

Regarding the opt-out, the only thing you are opting out of is their ability to deliver you adverts. If you opt-out your clickstream data/browsing still gets intercepted and passed through the Phorm profiler sitting within the ISP network. The opt-out isn't a true opt-out.

Phorm Comms

@verizon.net

Re: Do I understand this correctly?

Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at:
»www.webwise.com/how-it-works/tra···311.html

Tetchy

@daltonfirth.co.uk

1 recommendation

Re: Do I understand this correctly?

said by Phorm Comms :

Not true - If you opt out, or block the cookie, no data is analyzed or passed to any Phorm server. The browser is ignored. More about Opting Out is at:
»www.webwise.com/how-it-works/tra···311.html
Heads up guys, the PR team paid for by Phorm will walk over any forum. Just watch out for inconsistencies like their answer to The Register and the BBC confirming that data will still go to their profiler even if opted out. This is because Phorm can't read cookies in the webwise.net domain if you're visiting dslreports.com until it redirects you onto their domain. The opt-out cookie sits in the webwise domain, so it needs to redirect you just to read it.

»www.theregister.co.uk/2008/03/07···ge3.html
So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?

MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.

»news.bbc.co.uk/1/hi/technology/7283333.stm
Q: There are inconsistencies appearing. Phorm told The Register that data is still passed to the "Profiler" even if people opt-out, but apparently the "Profiler" is owned by the ISP, which is how they claim no personal data is sent to Phorm, as per the reply to the BBC.

A: This isn't inconsistent. The Profiler is owned by the ISP. If someone opts out no data is passed from the ISP to Phorm.

@comms team - I thought you'd learned a lesson from the bruising you got in the UK press for stifling debate? DON'T LIE.

Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

1 edit
It doesn't really matter much.
If this service were to actually gain a foothold it would be a trivial matter to defeat it.
Rather than trying to avoid the service, give it all you can give it. Flood it with worthless data, their customer base would quickly realize there is no value provided.
How would this be accomplished?
Multiple browser windows transparently making random search requests to the different search engines. Not stopping with just a search engine query, the "excess" or "BS" browser windows would actually visit a few of the results pages, transparently to the end user, before moving on to the next meaningless query.
One browser window actually being used by the end user for every 4 "BS" browser windows will make the data garbage.
Choke it to death with garbage.

Edit: Of course this would be accomplished without any effort on the part of the end user other than setting an app to run whenever a browser is initiated. This type of software already exists in many flavors & colors.

Phorm Comms

@verizon.net
Hope it's okay if I jump in here for a second? Here are a few answers, and more is available on www.webwise.com and www.phorm.com, and you can ask questions directly on our blogs there if you like.
said by Tetchy :

every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all.
said by Tetchy :

so if I'm searching for an engagement ring and my partner then uses my computer, she may be bombarded with adverts for weddings
That assumes you're only ever looking at wedding pages, and that every site you and your partner go to are partners in the OIX so an ad could be delivered. In reality, each user would have scores of potential advertising category matches, and then, there are all the irrelevant ads that you would see that don't come from the OIX. And anyway - if you think you're being bombarded with irrelevant ads now, wouldn't it be better to get relevant ones with NO DATA leaking your privacy all over the internet?
said by Tetchy :

opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
The second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. The first part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
said by Tetchy :

what if a rogue employee or a hacker got in?
Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself:
»www.phorm.com/videos/Is_the_data···ked.html

Oblonsky

@btcentralplus.com

Re: Do I understand this correctly?

said by Phorm Comms :

Hope it's okay if I jump in here for a second?
Hi Comms Team - thought you'd pop up.

said by Phorm Comms :

said by Tetchy :

every HTTP requests is countered with a redirect onto Phorms domain, then redirected back to the actual domain, before the request gets sent to the target website.
Nope - Roughly 99% of the stream is untouched, with no redirect at all.
That's interesting. So you only watch 1% of my browsing? Not what Virasb Vahidi said in the NY Times:

»www.nytimes.com/2008/03/20/busin···f=slogin
“As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”

said by Phorm Comms :

said by Tetchy :

opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
But the redirects to the Phorm server just to read the cookie take a finite time. So even if you opt out, you've still got the system messing with your connection.

said by Phorm Comms :

said by Tetchy :

what if a rogue employee or a hacker got in?
Clearly, somebody's not reading up on the product and just reading the misinformation out there, or is worried that Phorm is like all the search companies out there storing your search history for years. Anyone who hacked in and stole the entire database would get random numbers associated with Advertising Categories and timestamps. Nothing personal, no IP addresses, nothing to identify the user or sensitive product categories (that's right, you can't actually have a category for adult or gambling or medical, etc.). Here's an answer from the CEO himself:
»www.phorm.com/videos/Is_the_data···ked.html
You just don't get it, do you? What you say is true, but what I as a software security professional am concerned with is what if someone ALTERS the Phorm software? The Phorm system is so invasive, it sits there at the heart of the ISP and is a basic security risk. In the UK it's illegal under RIPA, according to respected academic think tank FIPR. Did someone at their ISP fail in their due diligence? I can't speak for the States, but you're not wanted in the UK.


clanger9

@78.144.190.x
Hello Phorm Comms.

Some facts:

Internet browsers only return cookies to the original domain.

To retrieve the webwise.com "opt-out" cookie, Phorm hijacks EVERY SINGLE WEB REQUEST to trick the browser into temporarily thinking that the request comes from webwise.com.

This is the basis of Phorm's technology.

This hijack happens even if you "opt out".

How certain are you that this is not warrantless interception and therefore in breach of RIPA?

Karl Bode
News Guy
join:2000-03-02
kudos:39

Re: Do I understand this correctly?

quote:
I can't speak for the states but you're not wanted in the UK.
Since only very small ISPs are using such service over here, nobody has been ringing many alarm bells...yet...that will change once a major carrier signs up.

The main behavioral ad outfit over here (NebuAD) doesn't have the shady spyware/rootkit history, and they're not trying to insult user intelligence by pretending their product is an anti-phishing service.

clanger9

@78.144.190.x
said by Tetchy :

opt-out is by setting a cookie on your browser, but you still need to be redirected via Phorm's servers to read the value of the opt-out cookie! Also the cookie could be wiped if you have a monthly clean-out like I do. Then you'd be opted back in.
said by Phorm Comms :

second part is true, but concerned people who delete cookies can simply set webwise.net as a blocked cookie in their browser, and they will never be opted back in or seen by any Phorm server. First part is definitely not true - if you're opted out, either by Opt Out cookie or by blocking the cookie, the ISP-located (not Phorm in any case) server ignores the computer altogether. No data is ever analyzed or passed to Phorm if you're opted out.
First part definitely IS true, contrary to the assertion by Phorm Comms. Please check your facts.

A browser will ONLY return the webwise.com cookie if it thinks it is visiting webwise.com. To get the opt in/out status, Phorm uses a redirect trick to fool the browser into thinking it is visiting webwise.com (regardless of the final destination). So redirection is carried out on *every single request*, regardless of whether you opt in or out.

You are also being extremely dishonest by claiming that the "ISP-located server" is not a Phorm server. Of course it is! It's supplied by Phorm, it runs software written by Phorm, it's maintained by Phorm and exists solely to provide profiling data to the Phorm network. Peeling the "Phorm" label off does not change this.
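The two clanger9 posts above (the "Some facts" list and the reply just above this one) rest on one browser rule: a cookie is returned only to the domain that set it, so an intermediary that wants to read a cookie scoped to its own domain has to bounce the browser through that domain first. The following Python is an added example written for this page, not code from the thread, from Phorm or from any ISP. It models that cookie-scoping rule with a toy cookie jar and then runs a small defender-side check over a constructed request/response summary, flagging 3xx responses whose Location points at a different host than the one the browser asked for, which is what such a bounce looks like in a capture. The hostnames (www.example.com, profiler.example, shop.example), the log format and the log lines are all constructed placeholders; profiler.example stands in for whatever interception domain is in use.

```python
"""Added example (not from the DSLReports thread or any Phorm/ISP code).

Part 1 models same-origin cookie scoping with a toy cookie jar.
Part 2 scans a constructed HTTP summary log for cross-domain redirects.
All hosts, URLs and log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit


# --- Part 1: same-origin cookie scoping --------------------------------------

class CookieJar:
    """Minimal cookie jar applying the domain rule browsers use: a cookie is
    sent only to the host that set it, or to a subdomain of that host."""

    def __init__(self):
        self._cookies = {}  # (domain, name) -> value

    def set_cookie(self, domain, name, value):
        self._cookies[(domain.lower(), name)] = value

    def cookies_for(self, host):
        host = host.lower()
        return {
            name: value
            for (domain, name), value in self._cookies.items()
            if host == domain or host.endswith("." + domain)
        }


def visible_cookies(jar, url):
    """Cookies the browser would attach to a request for `url`."""
    return jar.cookies_for(urlsplit(url).hostname or "")


# --- Part 2: spotting cross-domain bounces in a capture ----------------------

# Constructed request/response summary (not real traffic). One line per
# exchange: METHOD URL -> STATUS [Location: URL]
SAMPLE_LOG = """\
GET http://www.example.com/news.html -> 302 Location: http://profiler.example/check?r=http://www.example.com/news.html
GET http://profiler.example/check?r=http://www.example.com/news.html -> 302 Location: http://www.example.com/news.html
GET http://www.example.com/news.html -> 200
GET http://shop.example/item/42 -> 301 Location: https://shop.example/item/42
GET https://shop.example/item/42 -> 200
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) -> (?P<status>\d{3})"
    r"(?: Location: (?P<location>\S+))?$"
)


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def find_cross_domain_redirects(log_text):
    """Return (requested_host, redirect_host) pairs for every 3xx response
    whose Location names a different host than the one requested. A bare
    "www." prefix difference is not treated as a different host, so the
    ordinary http->https hop on shop.example is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("location"):
            continue
        if not m.group("status").startswith("3"):
            continue
        src = urlsplit(m.group("url")).hostname or ""
        dst = urlsplit(m.group("location")).hostname or ""
        if _strip_www(src) != _strip_www(dst):
            hits.append((src, dst))
    return hits


def demo():
    """Tie the two parts together and return the flagged redirect pairs."""
    jar = CookieJar()
    # The opt-out cookie lives in the interception domain (placeholder name).
    jar.set_cookie("profiler.example", "OPTOUT", "1")
    # A plain request to the news site carries no profiler cookie at all ...
    assert visible_cookies(jar, "http://www.example.com/news.html") == {}
    # ... which is why a bounce to the profiler's own host is needed to read it.
    assert visible_cookies(jar, "http://profiler.example/check") == {"OPTOUT": "1"}
    return find_cross_domain_redirects(SAMPLE_LOG)


if __name__ == "__main__":
    for src, dst in demo():
        print(f"cross-domain redirect: {src} -> {dst}")
```

Run as a script it prints the two legs of the bounce (news site to profiler, profiler back to the news site) and stays silent on the shop.example http-to-https hop. On a real capture the same check is a cheap first pass: a steady stream of 3xx hops to one unrelated host, appearing on requests to many different sites, is the signature to look for, and the user-visible symptom is exactly the extra round-trip latency the thread complains about.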

Anonymous_
Anonymous
Premium
join:2004-06-21
127.0.0.1
kudos:2
Reviews:
·Time Warner Cable
said by Karl Bode:

Nope.

Network hardware sits on the ISP network and monitors every page you visit (and for how long). After the ISP gets a check, that data is sent to a behavioral advertising firm, who then strikes deals with traditional advertising distributors to hit you with ads that use your browsing data to offer ads tailored to your interests (hockey, Hawaiian travel, etc.)

No injection by the ISP in these models (yet).
ad blocker works

Smith6612
Premium,MVM
join:2008-02-01
North Tonawanda, NY
kudos:24
Reviews:
·Verizon Online DSL
·Frontier Communi..

A few things...

Even though the ISP may be able to track your internet usage, they need to stop thinking with money (which is hard) and start thinking about what their customers want. As for the ads, you gotta love Firefox with Adblock with the Filterset.G Updater, and NoScript. Perfect way to defeat anything.

Also, if my ISP were to do anything like this and tech support denies that they are trying to insert unwanted things into my pages, all I need to do is pop out my PSP, and e-mail the support representative a picture of the screen. There's no defeating that as PSPs seriously cannot be hit by spyware and adware that PCs can get, which immediately nullifies their thing that I have adware on my computer.

donotwant

@ukonline.co.uk

Re: A few things...

Smith6612

Using these types of addons with Firefox will only stop you seeing the various ads; the information is still being sent to Phorm, they just promise not to do anything with it.

Can you trust a company like that? Everyone already hates them and it hasn't even been put into action yet, plus the fact that Phorm has stated it has interest in the US market should be of concern to all here.