UK ISP Admitted to Spying on Customers
esocid writes "BT, an ISP located in the UK, tested secret spyware on tens of thousands of its broadband customers without their knowledge, it admitted yesterday. The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame. BT said it randomly chose 36,000 broadband users for a 'small-scale technical trial' in 2006 and 2007. The monitoring system, developed by U.S. software company Phorm, formerly known as 121Media, known for being deeply involved in spyware, accesses information from a computer. It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests. Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."
BT are going to get screwed big style over this (Score:4, Interesting)
Essentially they appear to have broken the Regulation of Investigatory Powers Act (RIPA) by performing an unauthorised interception of a communication over telecommunications infrastructure.
No word yet on legal action, although several MPs are kicking up a fuss about it.
BTW, BT are the only ones who have confessed to doing this so far; the other ISPs have either kept schtum, or muttered platitudes like "we will wait and see".
Re:BT are going to get screwed big style over this (Score:2, Interesting)
"An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject."
Essentially, users should be able to opt out of targeted advertising based on their personal data if they wish.
Re:Idiots... don't do it client-side (Score:3, Interesting)
That's really just a matter of semantics; either way it's still spying. Contrary to what is frequently espoused here on Slashdot, there should still be an expectation of privacy even though the internet is largely public. If I yell my ATM PIN in the bank, then everyone knows it through no shady effort on their part, but if someone carefully looks over my shoulder to learn my PIN, that is a very different matter. When two people are having a quiet conversation in a park it is rude to listen in, but if they are having a shouting match in the same park, then there is no fault in hearing it. Most of the time when someone is surfing the net, they are doing so with the expectation that they are only communicating with one other entity, the site that they are visiting. Regardless of any claims in the EULA from the ISP, that is the common expectation. Privacy is part of what is expected in return for paying for use of an ISP's infrastructure, so the fact that the ISPs own the routers and fiber that the information passes through does not give the ISPs rights to that information. Some may say that in this case the common expectation is wrong, but remember that common values and expectations are the foundation for any system of law.
Computer Misuse Act (Score:3, Interesting)
As I read it BT are guilty under CMA 1(1) [wikipedia.org] which relates to unauthorised access to any program or data held in a computer. Whether the information checking is done on the computer or the ADSL hub it is a violation. With regard to the Convention on Cybercrime [coe.int] they appear to be guilty under Articles 2, 3 and 6.
I hope someone sues their buttocks off.
Re:BT are going to get screwed big style over this (Score:3, Interesting)
Re:Idiots... don't do it client-side (Score:3, Interesting)
Yup. The RIPA act (which received an unwelcome reception) actually helps us out here. It basically says that a wiretap without police/government sanction is illegal without the consent of both parties involved in the communication.
Phorm says that their activities do not break RIPA because hosting a publicly available website implies public monitoring (duh?) and that ISPs may include an acceptance-of-monitoring clause in their Ts & Cs. IMO, writing to the ISPs involved, expressly denying the right to monitor you as a user and also expressly denying the right to monitor any websites you may own, puts them in clear breach of RIPA if they do so. RIPA is a criminal law, not a civil one, so the penalties are potential jail time for directors, not a minor fine for the company.
That is what I will be doing shortly. I run a website used regularly by a few thousand local peeps, so hopefully that will get Phorm kicked out of our local network area.
No, the contract defines if it is legal (Score:3, Interesting)
The Home Office made available their views on whether Phorm's user-profile-based tracking is legal w.r.t. the interception of communication legislation.
"Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing)."
And:
"Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service."
Finally:
"Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector."
If the ISP has put the tracking details into the TERMS and CONDITIONS and the user has OK'd the tracking, then the tracking is legal.
Here is the original article of the Home Office on Phorm [guardian.co.uk].
What I don't know at this time is whether BT does list the tracking in the T&C....
Cheers.
Re:An ISP? (Score:4, Interesting)
Fraud is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property or services unjustly.
Deliberately returning false DNS responses in order to obtain marketing information from them without their permission.