BT Silences Customers Over Phorm

An anonymous reader writes "The Register reports that BT, the UK's dominant telecom and internet service provider, has 'banned all future discussion of Phorm and its "WebWise" targeted advertising product on its customer forums, and deleted all past threads about the controversy dating back to February.' Phorm is a controversial opt-out system for delivering targeted advertising that intercepts traffic passing through an ISP in order to profile subscribers via an assigned unique ID based on their online activities. Subscribers can opt-out at the Webwise website but are opted-in again if the Phorm cookie is cleared. Firefox users can install Melvin Sage's Firephorm add-on to manage their interaction with Phorm and Webwise."

Heuristic:

If you have to suppress speech about what you are doing, you shouldn't be doing it.

Re:Heuristic:

[Adam Liversage, BT's chief press officer] said the fact that BT had chosen not only to close the threads but delete them entirely was insignificant. "It doesn't matter either way because the people who are following this will have the threads backed up in multiple copies," he said.

Wow, that's something only a PR man could say with a straight face.

Seems they don't want to admit the difference between stopping speech and suppressing it.

Re:Heuristic:

The US has a "supreme law of the land" yet that hasn't stopped the government from blatantly ignoring it whenever it's convenient.

And I'm not talking about just the last eight years.

Re:Heuristic:

If BT is a government-owned company

It isn't.

then the government may be in violation of its own laws.

They're not.

Too bad the U.K. doesn't have some "supreme law of the land" to act as a contract which the government must follow

It does.

and provides guarantees such as free speech which cannot be over-ruled by a politician.

It does. It could be over-ruled by a whole lot of politicians working together, of course. Can you say "constitutional amendment"? Or maybe "Patriot Act" is easier (at least, it was for the politicians).

Re:Heuristic:

Another question is if they by injecting information into the HTML stream is violating the copyright of the original content.

Otherwise this is also a good motivation for sites and users to use HTTPS more.

Re:Heuristic:

It surely violates the webowners' rights, who PAID to have their ads appear on your screen, but instead British Telecom is blocking them: "BT Webwise also personalizes the online advertising you see when browsing on participating websites by linking ads to your interests. For example, if you search for a weekend trip to Paris or visit pages related to Paris, BT Webwise would replace the standard ads....."

I know if I was Google, Apple, Microsoft, or some other website, I would not be happy.

Ads are what pay my bills. How dare BT remove my revenue-source and jeopardize my ability to continue providing a Free website to my customers?

Is this really how it works?

How dare BT remove my revenue-source and jeopardize my ability to continue providing a Free website to my customers?

It is my understanding that BT won't be removing your ads. Instead, "WebWise" will be a competing advertising provider to the likes of Google, Microsoft, etc. You can elect to put Phorm ads on your site instead, and in theory, those ads will be behaviorally targeted at the people browsing your site. (Or at least, the people who haven't opted out.) If you don't use Phorm, whatever provider's ads you sign up for will be shown.

The shitstorm, as I understand it, isn't that website owners' ads won't be displayed. It's that people using this WebWise thing while browsing your site will be reporting what they're doing to a third party, and since it's opt-in, many (most?) probably won't even know that they're doing it.

Worse, because WebWise now knows that Joe Schmo is interested in whatever it is your web site is advertising, say, cars, then it will start displaying car ads from your competitors on sites that have contracts with Phorm because Joe browsed your site.

All in all, pretty scummy, but I'd genuinely be surprised if it actually removes ads from sites that have nothing to do with it. Especially since they're talking about making it opt-in, I can't imagine that wouldn't be unquestionably illegal.

As a BT customer

I'm concerned about how they're hiding the history of ***** use. Deleting post on ***** is quite extreme, and who knows what they'll do next? Start censoring the use of ***** on their network?

Re:As a BT customer

They're banning all history of hunter2?

Not a tech support issue?

Our broadband support forums are designed to be a place where customers can discuss technical support issues and offer solutions.

And someone hijacking and modifying your data isn't a technical support issue?

Re:Not a tech support issue?

This seems to be the tactic of the day. Apple does the same thing in their forums, delete any posts mentioning things they don't want mentioned on the grounds that it is a user to user technical support forum.

Yet you can post gushing praise of Apple without asking for help or offering to help and the moderators leave those fanboy posts alone.

This is a good reason to start an independent forum on any one of a number of forum hosting sites, preferably out of the reach of BT.

Re:Not a tech support issue?

The smart person would see the lack of criticism as a pretty obvious sign that the site is being stage managed to hide the negative. Any time I compare products / services I look for the good and the bad reviews; the lack of any bad reviews means I stay away from it for just this reason. The lack of a thing can tell just as much as the presence of a thing.

Re:Not a tech support issue?

Hmm, here in Australia we have Whirlpool [whirlpool.net.au] for exactly that. The forums are very active, and all of the major ISPs have employees who get involved to at least refute rumours and clarify information about their services. It's being able to get unfiltered comments from customers which is the most valuable, though. It's a very useful resource.

Re:Not a tech support issue?

Not just hijacking and modifying data, but an active classic man in the middle attack.

Imagine this ad server being compromised, and instead of "just" adding random ads to pages and logging customer activities for sale, picture it redirecting to phishing sites or just grabbing passwords sent to sites that are not SSL protected.

Wasn't Google working on something against this?

I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.

Its probably in Google's best interest to get something like this widely deployed -- a lot of ISPs are frothing at the mouth to get Phorm/NebuAd on their networks for more revenue streams, and it won't be long before a Google query would not route to Google (even if done at www.google.com), but to wherever the ISP desires.

Re:Wasn't Google working on something against this

I remember Google was working on something on the app layer that would guard against this type of connection hijacking but without the setup and teardown overhead of full blown SSL.

Sounds like you're thinking of the obfuscated tcp [slashdot.org] story. Wasn't so much a Google project as someone who happened to work at Google iirc.

What about wget ?

Firefox can keep a cookie, but what about all those apps doing http requests (wget, media players, apt-get...) without maintaining cookies ??? Those can't opt-out, so basically they are forcing that on you.
That's just plain discusting anyways.

Re:What about wget ?

Plus, if they are basing opt-out on a cookie, they are still doing deep packet inspection, since the cookie isn't in the TCP/IP packet headers (being an application layer thing and all).

I would think that people would want to opt out of Phorm interacting with their data at all, not setting a flag that is essentially "don't use this data for marketting purposes."

Re:What about wget ?

Thats really the key of this all. The cookie prevents it from showing you ads. It does not stop the DPI, and tracking.

You don't need BT at all

For years I assumed I needed to pay BT for the line rental so I could get broadband through the telephone line, as I assumed only they could provide it. I got my calls and broadband from companies who give a shit about their customers. Then I found out that there are several companies who can do line rental / call / broadband deals (all of those I checked out were cheaper than BT, and not all signed up for Phorm). When I found this out I was completely away from BT within one month. If you're in the UK, and value privacy and a company who actually wants to please you, I suggest you do some Googling and be prepared to switch. They escaped criminal punishment, government punishment, the only reason they keep doing it is that they assume most people believe they are stuck with BT. If you do switch, make sure you tell them why; who knows, if they see enough rats abandoning ship it may make them rethink the Phorm deal. ispreview.com & adslguide.org should give you a starting point.

Perhaps an Enterprising Brit could make cash?

What a company could do, assuming it had the cash for reasonable Internet peering, would be to make a VPN service. Give directions for novice BT users to set up and route through. It doesn't have to be an "anonymous" service, however it would be a boon for privacy if TCP/IP logs are held just long enough in case of a security issue (or to make the UK government happy), and then promptly deleted. This service would be hosted physically in the UK to ensure decently fast connections, as opposed to other services located elsewhere around the world where packets would possibly have to cross through high latency overseas lines.

It could offer the usual PPTP services. It can also offer a SSL proxy (plain or using stunnel) for Web traffic so only the Web browser would have to be configured if the user doesn't have administrative rights. For users using ssh, it can offer PPP over ssh.

Then, this company can provide some decent instructions for people to set up a VPN to its site with the usual operating systems (Linux, OS X, BSD, Windows.)

Of course, BT could try to block or throttle the packets, but that is starting a type of legal battle with another company that may not be in BT's interest.

Re:Perhaps an Enterprising Brit could make cash?

I personally know an enterprising Scot making a decent stack on this concept.

https://www.vpntunnel.co.uk/ [vpntunnel.co.uk]

Central point of failure?

What would happen if the webwise.net domain (which shares an IP with phorm.com) was to accidentally get DDOSed?

Going by the Phorm diagram on wikipedia, it would seem that webwise.net is a central point of failure for the system.

Re:Just a thought...

The difference is that my TV doesn't track what I watch, who I watch it with, who I talk to, what mail I send and when I go to the bathroom.

Re:Copyright Infringement?

There is absolutely no way in which this isn't copyright infringement. Any web page is copyrighted. This comment is copyrighted and owned by me. The Slashdot terms of use say that they get a nonexclusive distribution right to them. No one else has the right to reproduce them or modify them. The complete page is also copyrighted and owned jointly by all of the posters and by Slashdot.

A carrier has an implicit license to distribute exact copies to their customers and, if the correct headers are set, to cache a copy. Inserting adverts, however, is creating and distributing a derived work from the copyrighted material. Since they profit from the adverts, it counts as commercial infringement, which typically has much larger financial penalties.

The maximum fine for online copyright infringement in the UK is now £5,000 per offence. Every single page that is modified counts as an instance of infringement. The total fines would come to more than the market capitalisation of BT at the moment.