Berners-Lee Rejects Tracking 155
kernowyon writes "The BBC has an interview with Sir Tim Berners-Lee during his visit to the UK on their website currently.
In it, he voices his concern about the practice of tracking activity on the internet — with particular reference to Phorm.
Quotes Sir Tim with regard to his data — "It's mine — you can't have it. If you want to use it for something, then you have to negotiate with me.""
free internet? (Score:3, Interesting)
In return, I want high speed internet access to be provided free of change, with no download limit.
Sound fair?
Renegotiation done! (Score:4, Interesting)
Also, if you make me pay a subscription fee (or like slashdot, if I was to choose to), and you STILL sell want to sell my data, I also want a share of the profits.
I also want a list of all the organisations you supply my information to and I also do not want them to be able to resell it without observing the above conditions: I get a share in the profits, I get to see who the sell it to, people they sell it to have to... etc
This is the only way I would be happy to allow tracking.
Re:Negotiation done! (Score:4, Interesting)
Only it isn't. They are tracking user activity beyond the websites that use Phorm for their advertising, and even if they were to limit it to those websites, there is still dubious data sharing going on which is probably illegal in the UK if it is not opt-in.
I Agree With Tim (Score:5, Interesting)
Re:Negotiation done! (Score:4, Interesting)
Old Skool - Static (Score:5, Interesting)
Re:What we lose sight of.. (Score:3, Interesting)
Re:What we lose sight of.. (Score:3, Interesting)
It's not they TYPE of data that you get, its whether or not it can be gathered through passive observation. In the case of the internet, it can.
Tracking the advertiser, not the user (Score:5, Interesting)
We've been doing some tracking recently, but aimed at the advertiser side. We have a plug-in for Firefox which rates ads. [sitetruth.com] A little icon is displayed next to each ad, showing what our system knows about the advertiser. As we tell users of the plug in, "AdRater 'phones home', but tells us as little as possible. AdRater sends the domain name associated with each advertisment you see to SiteTruth." SiteTruth then sends back advertiser information, in XML, which the plug-in turns into icons.
We use this to find out what the advertisers are doing. Individuals are entitled to privacy; advertisers are not. We're building up a picture of the on-line advertising market. We now have, for example, a list of Google's AdSense advertisers.
Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks.
It's not just advertisers tracking users any more. Sometimes it's the other way round.
Some notes from the Phorm sales pitch (Score:5, Interesting)
Phorm has hired a specialty PR company, Citigate Dewe Rogerson [citigatedr.co.uk] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I've seen Dutch, German and French language follow-up posts in the last few weeks.
Phorm has addressed the main part of pesky privacy laws in Europe by "gifting" the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm's technical team. If the equipment stays 5 years in the ISP's premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn't left their network should post-analysis show the customer has "opted-out" of passing the information to Phorm's China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.
The Phorm collectors sit inside the ISP's network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP's network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.
The problem I, and others, had with Phorm's plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.
As an example, let's take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can't be tricked by slashdot's servers to return cookies from digg or google.
With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which respond with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begi