There was a register article recently about the EU 'pre' warning UK authorities about phorm.
"It is very clear in E.U. directives that unless someone specifically gives authorization (to track consumer activity on the Web) then you don't have the right to do that," EU commissioner Viviane Reding said.
Yep, el reg has produced some excellent Phorm articles. Thanks for the link.Originally Posted by mrsobvious
There have been a number of accidental data losses recently. If the webwise technology is installed, it might only be a matter of time before the browsing histories of private individuals find their way into the wild. Could be fun when all your work mates, the blokes down the pub or your kids know your net proclivities eh?
Can't see it coming to fruitition. Even if it did, some pc bods will develop some software to block it.
Read one of the many links within the thread
This is at the ISP level. There is no "blocking" your data being sold.
*Sigh* And therein lies the rub - Koolpc is no fool but does not know that this technology cannot be blocked.Read one of the many links within the thread
This is at the ISP level. There is no "blocking" your data being sold.
Koolpc, your browsing will be intercepted and modified with targeted advertising before it even reaches you. Your online activity can be recorded, your preferences profiled and a category awarded to you dependent on the types of site you visit.
It has potential for massive impact on personal privacy and I would say that the majority of net users, and it would seem even the pc savvy, do not understand the concept or know nothing of it.
Think about it Koolpc; would they be talking about this in the House of Lords if it didn't have huge ramifications for personal privacy? Would the EU have advised the UK Government of its concern if a bit of software could block "webwise"?
Please, find out more so that you know what is being proposed and how it could affect you, your friends and your family.
Last edited by santa claus; 27-07-2008 at 01:54 PM.
and if there was only one ISP, and we didn't live in some kind of wounderful capitalist world, then phorm would be a problem, as its stands it wouldn't course much of an issue because people would just either stop using that ISP, or not care, if its the latter who are we to tell them their doing it wrong. (who here never watches TV stations that have adverts.)
throw new ArgumentException (String, String, Exception)
But there is a difference between implementing something like Phorm and telling people that their ISP uses them, compared to them understanding what the risks are.
I highly doubt that Phorm will be shouting what the potential downsides are, will they? Its going to be along the lines of "Phorm improves your browsing experience by showing you better targeted adverts"
The TV example doesn't stand up though. A TV advert is entirely passive, its not probing your brain to find out information. Phorm on the other hand does probe your data passing through the connection.
that's a shame, sounds yummy!
Vodka
Still can't see it happening.
enless the comptetitors start selling their services as a "non-invasive" etc, Which they obviously would as their competetive edge would rely on it (as they would have to charge more money monthly to make similar profits).
just really don't see why its run for the hills with a tin foil hat, enless you where one of the effected by the trail, in which case i'd of thought it was time for legal drum banging!
throw new ArgumentException (String, String, Exception)
Thank you Neville Chamberlain.
The big money is in the adverts; once the train starts running, they'll all jump aboard if they're allowed to get away with it.
Everyone is entitled to their own opinion; there's no need to be disparaging. I'm afraid that, in my opinion, this is one issue you may see differently sometime in the future.
Of course, competitors are a valid point but it still doesn't excuse the fact that these practices have a good chance of being illegal.
If this is the case - People should not have to move ISP's because they decided the law doesn't apply to them.
If its legal and people choose to go with them, that's their choice. I'm not preaching on what people should and shouldn't be allowed to do. Although I'm sure very few people will actually understand how a "product" like Phorm can alter the way their connection behaves.
Phorm is a hackers wet dream.
This is a good post over from slashdot: http://yro.slashdot.org/comments.pl?...8&cid=22777122
Lets not forget that the management ran a former adware company....Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people’s observations in the ensuing PR war. Phorm’s sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.
Phorm has hired a specialty PR company, Citigate Dewe Rogerson [citigatedr.co.uk] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I’ve seen Dutch, German and French language follow-up posts in the last few weeks.
Phorm has addressed the main part of pesky privacy laws in Europe by “gifting” the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm’s technical team. If the equipment stays 5 years in the ISP’s premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn’t left their network should post-analysis show the customer has “opted-out” of passing the information to Phorm’s China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.
The Phorm collectors sit inside the ISP’s network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP’s network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.
The problem I, and others, had with Phorm’s plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.
As an example, let’s take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can’t be tricked by slashdot’s servers to return cookies from digg or google.
With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which respond with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins, the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It’s a malware writer’s wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.
Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.
More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP’s server (without an SSL session since it isn’t going over the internet) can have the contents read and analyzed by Phorm.
Where the storm of controversy comes from is that technically apt people (like slashdot’s readership) are beginning to understand just what an internet stream hijack implies. It means that Phorm can not only read all your web traffic, they can intercept all the traffic near the headend of your broadband connection and read anything. They can read your IM sessions, they can read your email, they can get it all.
Now, at this point, the über-technically adept point out encryption, certificates, Man-in-the-Middle attacks and the like. True, https sessions, encrypted IM, TLS protected POP&IMAP and other protected protocols give some protection from snooping on the content, but not much “signals analysis” protection. They can still snoop on your DNS traffic, even if you run your own local caching server or use OpenDNS or AlterDNS. They can still see what the end points of your encrypted tunnels are. Sure, you could tunnel all your traffic to a remote VPN server, but how many of you do that now? How many average users would even bother?
I was going to insert a long analysis of how they analyze and claim to anonymize the data collected, but this post has gone way too long for slashdot. Maybe another post another time.
I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible to uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network [slashdot.org]. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names, the name of the company has changed from PeopleOnPage to 121media and recently changed from sysip.net to Phorm. This is typical of a company that knows it will have to shed it’s tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand.
Sir Tim Berners-Lee has seen their presentation, and held a press conference yesterday to try to stop the practice cold. Even if Phorm is stopped dead tomorrow, the business conditions and legal loopholes are still present to encourage ISPs to try this again and again, and it will certainly be much worse in the US where there is absolutely no legal protections at all, and a ready market for personal data.
the AC
As your follow-up post says, Phorm itself is comprised of the same people as the defunct Company known as 121 Media. The re-branding followed their involvement with spyware, sorry, I mean adware. I'm afraid hacking via the back door could be superceded by simply walking through the front door and saying "stuff the users, there's enough money in this for all of us".
Last edited by santa claus; 27-07-2008 at 06:32 PM.
http://news.bbc.co.uk/1/hi/technology/7542810.stm
Shocking.But the Information Commission ruled in May that no action would be taken against the telco [BT] due to the difficult nature of explaining to consumers what it was doing.
My pet hate is 'me too!' forum posts.... But that really is damn shocking! How hard is it to tell customers that their surfing will be tracked in order to target adverts. Are BT going to get off completely scot free? Kinda looking that way...
What we share with everyone is glum, and dark...
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
