Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

UK ISP Admitted to Spying on Customers

Posted by ScuttleMonkey on Fri Apr 04, 2008 06:11 PM
from the don't-worry-sir-we're-from-the-internet dept.
Privacy The Internet
esocid writes "BT, an ISP located in the UK, tested secret spyware on tens of thousands of its broadband customers without their knowledge, it admitted yesterday. The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame. BT said it randomly chose 36,000 broadband users for a 'small-scale technical trial' in 2006 and 2007. The monitoring system, developed by U.S. software company Phorm, formerly known as 121Media, known for being deeply involved in spyware, accesses information from a computer. It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests. Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged."
+ -
story

Related Stories

[+] Sears Installs Spyware 201 comments
Gandalf_the_Beardy writes in with news that's been around a while but is getting more attention lately. Last month Benjamin Googins, a security researcher at CA, determined that Sears Holding Corp. installed ComScore spyware without adequate disclosure. Sears said, yes we tell people about tracking their browsing. On Jan. 1 spyware researcher Ben Edelman weighed in, noting that Sears' notice occurs on page 10 of a 54-page privacy statement, and twits Sears because its installation identifies the software as "VoiceFive" and later claims it's coming from a company called "TMRG, Inc." even though a packet sniffer confirms the software belongs to ComScore, adding "These confusing name-changes fit the trend among spyware vendors."
Firehose:UK ISP admitted to spying on customers by esocid (946821)
[+] ISPs Using "Deep Packet Inspection" On 100,000 Users 309 comments
dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

UK ISP Admitted to Spying on Customers 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • An ISP? (Score:5, Informative)

    by 26199 (577806) * on Friday April 04 2008, @06:11PM (#22968566) Homepage

    BT is not "an ISP". British Telecom was for a very long time monopoly holder on telephone lines in the UK and still the gatekeeper for all ADSL access there. They have a market cap of 35 billion [google.com] and their revenue just about puts them in the top ten telecoms companies [cnn.com] in the world.

    In my personal experience their service has been bad enough that they're almost as bad as their competitors. Given their history, it's not surprising if they've overstepped their bounds ... they're used to being in charge, after all.

    • The parent is correct. BT was the state-run telecom monopoly in the UK, and was converted into a private monopoly in 1984. Not much of an improvement, but at least it finally allowed for the possibility of competition arising, however slim.

    • Re:An ISP? (Score:5, Informative)

      by arkhan_jg (618674) on Friday April 04 2008, @07:13PM (#22968996)
      BT broadband has about 27% of the UK market, and is the largest single ISP in the UK last I checked. There are fairly strong walls between the broadband business (BT retail/openworld) and the phone line last mile business (openreach), and the trunk network (BT wholesale) these days due to regulation by OFCOM since privatisation, though they are all part of BT group.

      The information commisioner, who ensures the data protection act is followed, is investigating BT [telegraph.co.uk] to see if the law has been broken - there's a strong possibility it has been.

      • Re:An ISP? (Score:4, Insightful)

        by unlametheweak (1102159) on Friday April 04 2008, @07:57PM (#22969280) Journal
        From the article:

        Executives insisted they had not broken the law and said no 'personally identifiable information' had been shared or divulged.
        If in fact no laws have been broken, then the laws need to be changed (and made retro-active in this case) to punish and make an example of this type of behaviour. People need to be put in jail for this.

        Average people I will allow some lenience towards. Leaders I have no sympathy for; they all too often make excuses for their behavior and have the power (lawyers, political, etc) to get away with it.

        • Re:An ISP? (Score:5, Informative)

          by TheLink (130905) on Friday April 04 2008, @11:23PM (#22970358) Journal
          I believe the UK Computer Misuse act 1990 covers it.

          http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1.htm [opsi.gov.uk]

          See:
          * Unauthorised access to computer material
          A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
          * Unauthorised modification of computer material
          A person guilty of an offence under this section shall be liable--
          (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and
          (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

          I don't see how the Act does not apply to the people involved.

          If someone wrote malware or sniffed your keystrokes, the same law should apply whether the perpetrator is BT or some "Evil Hacker".

          • Re:An ISP? (Score:4, Interesting)

            by pacman on prozac (448607) on Saturday April 05 2008, @07:33AM (#22971966)
            It also seems like a fairly clear cut case of fraud [wikipedia.org].

            fraud is the crime or offense of deliberately deceiving another in order to damage them usually, to obtain property or services unjustly.

            Deliberately returning false DNS responses in order to obtain marketing information from them without their permission.

        • Re:An ISP? (Score:5, Informative)

          by arkhan_jg (618674) on Saturday April 05 2008, @03:24AM (#22971320)
          It's illegal under the Regulation of Investigatory Powers Act also, according to several legal experts.

          RIPA states: "For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if he... monitors transmissions made by means of the system."

          RIPA goes on to allow for interception without a warrant - i.e. by Phorm and your ISP rather than law enforcement agencies - "if the communication is one sent by, or intended for, a person who has consented to the interception".
          Given that consent wasn't even sought for the technicial trials of 36,000 users, let alone granted, and it isn't in the contract either - they may well be subject to criminal sanctions if the government decide to prosecute.

          There are also possible sanctions under the Data Protection Act, as personal data was collected and passed to a 3rd party without proper safeguards. BT and phorm argue that no personal data is collected. Since all unencrypted traffic is recorded, including webmail, and associated with a unique ID and kept for 14 days, it seems they're taking a somewhat optimistic view about that.

          If they accessed customer PCs directly with spyware, they could be prosecuted under the computer misuse act but as the interception took place at the ISP level, it probably doesn't apply.

  • Idiots... don't do it client-side (Score:5, Insightful)

    by sd.fhasldff (833645) on Friday April 04 2008, @06:16PM (#22968590)
    Why on Earth wouldn't BT just do this on their side of the connection? EVERYTHING that the user gets goes through their pipes, their routers. Just install some monitoring hardware+software and be done with it. There doesn't seem to be any logical reason to do this on a users computer. That's just plain stupid.

    The only difference is that you don't have access to encrypted data and "other applications" installed by the user. The stuff they claim to have logged and analyzed is more easily obtainable from their own side.
    • I would guess that it is easier/cheaper for them to use 3rd party software on client machines than to spend quite a bit of money on network hardware that can filter/cateogrize/inspect every packet that flows through their infrastructure. Having a bit of software on tens of thousands of machines report condensed data back is likely to be much, much cheaper to do.

      Even doing simple L3 inspection on the dataflows that ISPs like BT deal with would require insane amounts of hardware, let alone inspection on the

    • Re:Idiots... don't do it client-side (Score:5, Informative)

      by joebp (528430) on Friday April 04 2008, @06:30PM (#22968680) Homepage
      The body of this story is misleading. Phorm *does* work on the ISP's side of the connection. It basically does a MITM attack on HTTP traffic to insert tracking cookies.

          • Re: (Score:3, Interesting)

            by datajack (17285)

            I too am with Virgin Media. Any idea how we can defend against phorm?

            Yup. The RIPA act (which received an unwelcome reception) actually helps us out here. It basically says that a wiretap without police/government sanction is illegal without the consent of both parties involved in the communication.

            Phorm says that their activities do not break RIPA because hosting a publicly available website implies public monitoring (duh?) and that ISPs may include an acceptance of monitoring clause in their Ts & Cs.

    • Why on Earth wouldn't BT just do this on their side of the connection? EVERYTHING that the user gets goes through their pipes, their routers.

      That's really just a matter of semantics, either way it's still spying. Contrary to what is frequently espoused here on slashdot, there should still be an expectation of privacy even though the internet is largely public. If I yell my ATM pin number in the bank, then everyone knows it through no shady effort on their part, but if someone carefully looks over my shoul
        • I linked this in another post in this thread.
          The Home Office made available their views on whether phorm's user-profile-based tracking is legal w.r.t. the interception of communication legislation.

          " Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the

  • safe assumption.... (Score:4, Insightful)

    by 3seas (184403) on Friday April 04 2008, @06:40PM (#22968744) Homepage Journal
    .... that if you are online someone is watching you.

  • One of the Worst Providers in the UK (Score:4, Insightful)

    by lobiusmoop (305328) on Friday April 04 2008, @06:41PM (#22968752) Homepage
    BT's ADSL internet service seems to be one of the worst in the UK. Unfortunately since they have a long history of providing landline connections in the UK, many people assume they must be a worthy internet provider also - not so. I'd recommend UK Slashdotters look at This ADSL ratings site [dslzoneuk.net] for more personal citations of BT's (and other providers) service.
  • This has been bubbling under for a few weeks, but really broke badly in the past couple of days.

    Essentially they appear to have broken the Regulation of Investigatoy Powers Act (RIPA) by performing an unauthorised interception of a communication over telecommuncations infrastructure.

    No word yet on legal action, although several MP's are kicking up a fuss about it.

    BTW BT are the only ones who have confessedd to doing this so far, the other ISP's haveeither kept schtum, or muttered paltitudes like we will wait and see

  • The spying begins: Phorm coming to 3 major UK ISPS (Score:5, Informative)

    by Sosigenes (950988) on Friday April 04 2008, @07:03PM (#22968910)
    The summary of the story doesn't emphasise the point that the spying test was just a small trial, and that Phorm is actually coming directly to the UK.

    3 of the major UK ISPs: Virgin Media, BT and Talk Talk are getting all ready to implement and bring in Phorm. More information and details are available at the useful website BadPhorm: http://www.badphorm.co.uk/ [badphorm.co.uk]

    Thousands and thousands of UK users are going to be subject to this inescapable violation of their privacy with little to do about it. There is an opt-out cookie, but this does not prevent the fact that the users browsing still goes through the Phorm servers. Would you be happy with all your internet browsing going through a third party server, let alone one owned by an advertising company that wants to profile you and "see the whole internet" (Reference: http://www.badphorm.co.uk/news.php?item.30.3 [badphorm.co.uk] ) through your browsing history.

    There is lots of interesting discussion going on about this, particularly at Cable Forum by Virgin Media users, who are going to be thrown into this spying (Link: http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html [cableforum.co.uk] )

    A fast growing petition to the UK government on the governments website is nearing 10000 signatures, and just shows how many people do not want this to happen (Link: http://petitions.pm.gov.uk/ispphorm/ [pm.gov.uk] )

    This may not concern many people in the US, or people on the smaller ISPs in the UK - but the worrying thing is, other ISPs are already saying that they are going to watch the results and see if the ISPs can get away with it - if they can, they will likely pick it up to. And your ISP might do too!

    • Re:Dupe! (Score:5, Informative)

      by moderatorrater (1095745) on Friday April 04 2008, @06:21PM (#22968626)
      Not a dupe at all. The article you reference is about an ISP that tracks for the purposes of advertising and lets the customer know. This, on the other hand, is the ISP snooping on traffic without notifying anyone and lying to someone when they ask about it. It's the difference between consensual sodomy and what happens in prisons. It's also a dumb move on the ISP's side, because they're doing something to people that is rightly linked with illegal and shady practices.

    • Re: (Score:3, Insightful)

      by arth1 (260657)
      BT is the equivalent of Bell/AT&T in the US. It's impossible to sue them into oblivion. The best you can hope for is that one of the sub-sub-sub-sub-sub-CEOs gets a slap on the wrist and won't be invited to the next golf tournament.

    • Re:What's the best method of defeating all this ** (Score:5, Interesting)

      by sexconker (1179573) on Friday April 04 2008, @07:03PM (#22968912)
      Why do you (and so many others) trust google?

      • Re: (Score:3, Insightful)

        by cheater512 (783349)
        They have defended our rights where others have not.

        They are also relatively honest and havent done anything immoral in regards to privacy to date.

      • Re: (Score:3, Informative)

        by fuego451 (958976)
        Google at least gives you a reach around. Gmail has some nice features and I now have over 6.5 GiB of storage and counting. I use iGoogle to organize my most viewed sites with access to all the other Google features/tools/apps. Am I worried abut personal my personal info, shit, the IRS has it all from the late 50's, the FBI has it from the 60's (military secret clearance), the Veterans Administration from the 70's, employers, banks, the post office, state licensing agencies, mortgage companies, title compa
    • IANAL but the UK law covering this is the Computer Misuse Act and more recently the European Convention on Cyber Crime.

      As I read it BT are guilty under CMA 1(1) [wikipedia.org] which relates to unauthorised access to any program or data held in a computer. Whether the information checking is done on the computer or the ADSL hub it is a violation. With regard to the Convention on Cybercrime [coe.int] they appear to be guilty under Articles 2, 3 and 6.

      I hope someone sues their buttocks off.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.