Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

Ouch

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Re:Ouch

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures. You'll find the site here: http://wanip.org/anti-nebuad/ [wanip.org] in which every browser becomes a data-mining polluter when it's run. Get enough those on a suspect ISP and watch the CEO's have a heart attack from the "pollution attack".

Re:Ouch

Looking at the site it appears to be pretty easy for phorm here, all they'd need do is do a simple domain lookup. If it doesn't exist they filter it out.

If it doesn't exist then it's generated by this, since all it does is randomly create addresses. It'd be better if it just loaded random websites. Of course, that'd eat up a lot more of the users bandwidth though.

Re:Ouch

The browsed pages do not exist, so you never download pictures or js files. It's very easy for an ISP to filter these requests, they can filter the HTTP response code.
Two FF exntensions generate fake queries on search segines to pollute the collected data (at search engine level, but it also pollute ISP data). SquiggleSR [mozilla.org] and TrackMeNot [mozilla.org]. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.

Re:Ouch

not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

in which case, thicker tinfoil will also be necessary.

Re:Ouch

Of course is won't. If a private person were to develop and test this out, he would likely be spending the next 20 years in prison (looking less and less "exaggerated" as time goes on.) The fact that this is for cooperate gains; it will be largely over looked. Yes, I might be lost in cynicism, but life seems to be supporting my case thus far.

Re:Ouch

"realistically lead to legal action against BT"

Legal action strong enough to totally stop them is unlikely, as the power seekers who run a lot of countries unfortunately seem to be rushing towards building their own Big Brother, so as they make the rules, they choose whats considered legal. So they simply need to change the laws, which is what they keep doing. It seems nearly every week now we are getting ever more stories of new grabs for information and/or power over people. At this rate, 2008 should go down in history as the start of a Worldwide Big Brother.

Its ironic that our so called free countries appear to be building Big Brother as fast, if not faster than other countries. Maybe we just have better technology. Its also ironic that the war on terrorists is a war against people who wish to force others into their point of view. Yet now the people already in power are seeking to clamp down and hold control over everyone. Its like all of us who don't seek power are caught up in a power struggle between the different groups of power seekers who do seek to impose their views on everyone.

I guess the ones in power in some way fear some lost of power, as it can't be just about protecting us. Its got to be about seeking more power, which is what they do thoughout their political lives and all of us who don't seek power are not going to be heard by them. Especially as most people don't seem to even see how much harm can be done with so much power and no way to tell them they are behaving unfairly. They are becoming like a machine which is loosing its feedback mechanism and so running towards ever more extremes.

Re:Ouch

I came up with this as a concept in 2000, when layer 7 switching was just becoming economically feasible for a startup ISP.

It never flew, because the people I was dealing with weren't complete cunts.

From the document: The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system.

So not only are the bastards hijacking our traffic, they are overwriting paid-for charity ads as well.

I repeat, CUNTS!

Re:Ouch

By their own admission a leading UK telecoms company has deprived several charities of a legal revenue stream to line their own corporate pockets.

Given the outrage following the several Audiocall staff kept 100K of children in need cash for itself [thisislondon.co.uk], I hope BT get the same treatment.

Re:And created a copyright violation

This was discussed in the forum digitalspy.co.uk

Phorm in the UK [digitalspy.co.uk]

One business user was updating the website for his home business. He used his home network connection to inspect the appearance of his website. To his surprise, he could not understand why the format of his website was consistently different from what he had intended. Disturbed by this, he reinstalled the OS on all his servers in fear of being rootkitted, rechecked all his security settings, reconfigured his firewall, and performed a packet trace on every connection made. In the end he noticed that various links on his webpages were being changed and that in particular some were coming from dns.sysip.net. Basically, this system redirected any links to adverts back to Phorm servers.

Customer who was Phormed [adslguide.org.uk]

Re:Ouch

So if I had an ad-funded website (unlikely in the current climate, but stick with me) Phorm would be screwing me out of the money I'd make for those ads, but replacing them with there own.

Something tells me that if I did the same thing with a billboard - charging customers for me to go out and paste their adverts over the top of paid for adverts at night - Clear Channel would quite quickly be attempting to sue me.

Advertisement Injection

So let me see - if I am paying for bandwidth (which will soon be metered), and my ISP in injecting its ads into the webpages I am requesting, then the ISP is running down my bandwidth on purpose?

Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?

I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.

Re:Advertisement Injection

If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

Re:Advertisement Injection

They could still hijack SSL/TLS sessions if users aren't paying any attention to warnings.

Re:Advertisement Injection

Doing man-in-the middle attacks on SSL connections is beyond the technical ability of ISPs, even if users don't bother to check certificates. And the potential for them to get in trouble for it is a lot higher (e.g. if they ended up intercepting financial information, and then the ISP's servers got cracked...). So https is still the right answer here.

It's 2008, why aren't most websites just using https by default? A low-volume site can handle the load with today's superfast CPUs, and high-volume sites can afford to buy one of those crypto engine thingies.

Re:Advertisement Injection

You could do something almost good enough, though, that's done completely on the client side:

Let's say you're sending index.html. Take a hash of the page, put the hash early on the page.

In the bottom of the page, insert javascript code that removes the hash value, hashes the page, and compares it to the removed hash. If they mismatch, do an alert("warning: the page has been tampered with since it left Foocorp.com's servers."). The hash function doesn't have to be overly secure; here is actually a good time to write your own bad crypto.

The ISP would then have a hard time modifying the page, because they would have to generate the hash value of the modified page before seeing the page they want to modify only slightly.

They could, of course, buffer the whole page (if the server sends it out, or it could spoof your ACKs) and run the javascript on their modified version to compute the hash function. But how are they to know which functions to call? Include an infinite loop and some exploits that you never call yourself if you want to be really disruptive.

Misrepresentation

There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

Re:Loss of Common Carrier Exemption?

It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

Newsflash: ISPs do not have common carrier status.

This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not be allowed to throttle certain users).

Is that legal?

Changing content and injecting different ads? I could see two possible violations here, one being copyright (altering content without the consent of the provider of the content), the other one dealing with fraudulent ad change (someone other than the one paying for the ads being displayed).

It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.

For the uninitiated

BT stands for "British Telecom," Something they failed to mention, except in TFA

I hate it when people use too many arbitrary abbrivations. Let's start actually typing out names to set a context, then let people abbrivate in comments...

Um, Replacing Charity Ads?

Wow, talk about low:

In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.

        "The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system."

Re:Um, Replacing Charity Ads?

Its actually good thing they did this.

Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

Now if only major news picked this up and made big deal out of it...

Re:Mod Parent Up!

"Hi Jim, I just a bought a great new handheld console"
"Oh yeah, what did you get"
"A Sony Pzzzzzzzzzzzzzz^^^^^T Nintendo DS proudly sponsors this phonecall! Your pal loves Nintendo DS! bzzzzzt *click* so yeah you should totally get one so we can play against each other dude!"

Possible temporary fixes....

1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

2) Use page receipts to vet page authentication

3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author

4) other solutions that someone will think of; stop the page vandals NOW!

Re:Possible temporary fixes....

Intermediate term fix: Tunnel everything over IPsec. If ISPs are going to act like Eve or Mallory, let's treat them as such.