
Berners-Lee Rejects Tracking 155

kernowyon writes "The BBC has an interview with Sir Tim Berners-Lee during his visit to the UK on their website currently. In it, he voices his concern about the practice of tracking activity on the internet — with particular reference to Phorm. Quotes Sir Tim with regard to his data — "It's mine — you can't have it. If you want to use it for something, then you have to negotiate with me.""
  • It's all nicey (Score:5, Insightful)

    by mapkinase ( 958129 ) on Monday March 17, 2008 @08:41AM (#22772632) Homepage Journal
    ...but will it have any effect on powers that are in charge? As for influence on us, most users who know who he is already share this position.
  • Negotiation done! (Score:5, Insightful)

    by TheGreek ( 2403 ) on Monday March 17, 2008 @08:46AM (#22772682)

    "It's mine -- you can't have it. If you want to use it for something, then you have to negotiate with me."
    "This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."
    • Renegotiation done! (Score:4, Interesting)

      by BaphometLaVey ( 1063264 ) on Monday March 17, 2008 @08:51AM (#22772714)
      I will allow you to track it and to use it in house, but the moment a third party touches it or you attempt to sell it, I want a share of the profits.

      Also, if you make me pay a subscription fee (or like slashdot, if I was to choose to), and you STILL want to sell my data, I also want a share of the profits.

      I also want a list of all the organisations you supply my information to and I also do not want them to be able to resell it without observing the above conditions: I get a share in the profits, I get to see who they sell it to, people they sell it to have to... etc

      This is the only way I would be happy to allow tracking.
      • by TheGreek ( 2403 )

        This is the only way I would be happy to allow tracking.
        Unless you can get the content provider to agree to your terms, you'll either have to do without the content or start an escalating game of technological cat-and-mouse.
        • Online, I can't think of anything I could possibly need or have needed that I couldn't have found somewhere else.

          Capitalism, done right, feet voting.

          If they asked for DNA samples, would you say sure? Course not, there is a line, probably somewhere in between the current state of things and DNA sampling that is a reasonable compromise. If they thought they could get away with pushing for DNA samples, they would do it. Why shouldn't we push our end?
    • I think even when the content isn't free they track.
    • Re:Negotiation done! (Score:4, Interesting)

      by jrumney ( 197329 ) on Monday March 17, 2008 @08:58AM (#22772776)

      This content is mine

      Only it isn't. They are tracking user activity beyond the websites that use Phorm for their advertising, and even if they were to limit it to those websites, there is still dubious data sharing going on which is probably illegal in the UK if it is not opt-in.

      • Re: (Score:3, Informative)

        by Anonymous Coward
        It is illegal in the UK under RIPA without the consent of both parties -- the ISP subscriber and web site operator. There's an implied consent for public web content but once a user has some form of authenticated session, it's illegal interception.

        The real problem with the Phorm system is that it's purposely designed to grab every users click stream. Phorm are misrepresenting their opt-out cookie, which relates to targeted advertising and not the interception and profiling. The only way Phorm would be legal
      • by Bogtha ( 906264 )

        probably illegal in the UK if it is not opt-in.

        In cases like this, I really don't see the difference between opt-in and opt-out. All the ISPs have to do to make it "opt-in" is include a clause saying that you agree to share your data in amongst the dozens of existing clauses in the terms and conditions when you sign up.

    • Re:Negotiation done! (Score:4, Interesting)

      by Yvanhoe ( 564877 ) on Monday March 17, 2008 @08:59AM (#22772796) Journal
      It is easy to state a price, but negotiation means that both parties have different prices and different means of pressure. What's ours? We are the first to say that the Internet is somehow a jungle where almost anything is fair game. So, how do we defend, technologically?
      • Old Skool - Static (Score:5, Interesting)

        by Gazzonyx ( 982402 ) <scott.lovenberg@nOspam.gmail.com> on Monday March 17, 2008 @09:05AM (#22772842)
        Perhaps the old hacker trick of lowering your signal/noise ratio via injecting bad/misleading data (somewhere in the flow)? If you can't be very quiet, you can usually benefit from being very loud.
        • by Yvanhoe ( 564877 )
          There was something like that in a Doctorow story about Google becoming evil and tracing your search habits. In the story, rogue Google engineers made a "search normalizer" that automatically made searches for you that neutralized any deviant trait that could show up.

          So, how do we get this done? We have to find many trackers and activate them regularly to make noise to pollute the signal? Anyone know of such a project?
          • by Janos421 ( 1136335 ) on Monday March 17, 2008 @09:43AM (#22773164)

            So, how do we get this done? We have to find many trackers and activate them regularly to make noise to pollute the signal? Anyone know of such a project?
            Well, that's exactly the purpose of obfuscation tools like SquiggleSR and TrackMeNot, two Firefox extensions. They generate fake queries on search engines to create noise and deceive data mining algorithms.

            As the developer of SquiggleSR, I was thinking of extending it to simulate fake browsing as well, to create more noise and deceive tracking based on cookies. But since some ads are charged when they are displayed, this could actually be assimilated to something like "fraudulent view". What do you think?
            • Re: (Score:3, Insightful)

              by khallow ( 566160 )
              Are the user or you party to the ad contract? If not (which is probably the case unless the user agrees to something), then it's not your problem.
            • by Yvanhoe ( 564877 )
              I think it is fair game. It is not fraudulent in that the goal is a fair use. The day tracking becomes optional, this fraudulent input won't be necessary any more.
            • Re: (Score:2, Insightful)

              by phantomfive ( 622387 )
              I think you will be fine as long as you follow robots.txt. Personally I think disallowing cross-site cookies is the best way to handle it, though.
              • From their website

                What does it keep? At first, Phorm's technology collects information on browser type, response to advertising, the URLs of some of the web pages viewed, and search terms entered. Neither URLs nor search terms are stored - they are discarded immediately. The matching information that's left is assigned to an anonymous, randomly-generated ID number. The random ID marks an anonymous list of the categories of products or services in which a user appears to be interested.

                I think they're sniffing on the wire passively instead of using cookies. Although, it's hard to tell from their blurb that doesn't contain a single element of useful or technical data. Please correct me if I'm wrong; I'm just assuming from what I can gather.

            • If this goes ahead (which I don't think it will as RIPA is quite specific on the matter), I'm all for polluting the Phorm database. A screen scraper that, for example, every few minutes:
              Picked two random words from a dictionary
              Plugged them into a random search engine (google, youtube, ask... list is endless)
              Visited n of the first i links
              Visited x of the links on each of those pages, and thereafter a 5% chance of following any other link on that page

              would do a great job of confusing the hell out of anything
            • I salute you! That, sir, is brilliant! Although I'm not sure the legal status of fake browsing... I'd say though that it's probably fairly safe; you aren't targeting specific sites or anything. Otherwise, spidering the web would fall under this arena and everyone would be suing everyone else who owns a search engine. Although, obviously, IANAL.
          • Re: (Score:1, Redundant)

            by Gazzonyx ( 982402 )
            I guess they (Phorm) just track web URLs; I was thinking just a simple dictionary attack with a bit of depth to it should take care of this. I just pulled this from my butt at this moment, but I think it would work if you created a shell script or even batch file to do the following...

            Get your favorite tarballed dictionary, pull a random word from it, google the random word with elinks or something, and follow a random link with wget. From that site, pull 3 unique links and visit them, from those site
            • and what happens the first time you randomly wget yourself some kiddy porn?
              • Good point; make sure script doesn't request any page content other than the index/plain text. Like elinks, I guess. That and a little bit of common sense dictionary filtering and/or metadata tags. Although I see where you were going on the whole with it... I haven't the foggiest idea how to make sure I don't land on a page that puts me on a government list somewhere :). Any ideas?
            • by Dude McDude ( 938516 ) on Monday March 17, 2008 @12:25PM (#22774918)

              I guess they (Phorm) just track web URLs
              Nope. The content of every page requested by a user gets sent to Phorm's profiler for analysis, but the profiler ignores* the contents of form fields.

              * according to Phorm, which, in the company's previous incarnation as 121media, was a spyware peddler.

      • Don't use them. Go somewhere else. You do not need to defeat a technology, just make it unprofitable by not using websites that employ it.
    • by Marcion ( 876801 ) on Monday March 17, 2008 @08:59AM (#22772800) Homepage Journal
      It's mine, my precious, get away pesky data-mining hobbits.
    • by mrbah ( 844007 )

      "This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."
      That's basically the business model of the current web bubble. None of the services are really free, it's just that you're getting something in return for something you may not have known you had. There's still no such thing as a free lunch.
    • That's perfectly acceptable. But most sites do not advertise the fact that they are tracking you. They could post prices: you can access this page/site by agreeing to be tracked for the next 48 hours. But they don't.
      • But most sites do not advertise the fact that they are tracking you.

        Depends on what you mean by "advertise". A site's Privacy Policy and/or User Agreement will normally state plainly whether the site collects any information about your behavior, and if so how they use that information.
        • That's true, but I think it should be stated more clearly. Just as credit card companies need to state their interest rates in really large print in their contracts (even if they still try to mislead you).
          • It doesn't matter. How many software agreements have you clicked the "I agree" on without reading the entire thing (or any of it at all)? Having a privacy policy that is easy to find on a site is as clearly stated as you are going to get. If people don't care if their information is tracked and how it is used (and that is about 95% of the internet which is why fighting tracking is an uphill battle) it doesn't matter how clearly it is stated. It is just like when they made the warnings on cigarettes bigger.
    • "This content is mine; you can't have it. If you want to access it for free, you have to let me track your activity."
      I prefer: the content is mine. If you want to access it for free, that's okay, just keep my notices intact. If you want to change it or redistribute it, you gotta let everyone else do what I've done for you.
    • For free? I don't know about you, but I pay my ISP £35 a month to access your free content. If your content is of particular interest to me (for instance, an MMORPG) I'll pay you too to access that particular content.

      What I don't expect is for you to automatically forward all the data I'm paying to access, plus all the data I submit to you as the receiving party (which may be confidential), to a third party, previously linked with less than legal practices, with limited or no choice in the mat
      • Sorry, you're not paying for the data from your ISP. You're paying for the ability to access it using the ISP services. Second, the data you submit to me is part of the technology used to request data from me. You can't get it without telling me where you want to send it. Third, I can enter into any contract I want with whomever I want in relation to what data I choose to serve. You wanna touch my content, on my host, you play by my rules.

        Or you just don't come to my server and request my things. Oh, and do
        • Re: (Score:2, Insightful)

          by Sczi ( 1030288 )
          I think this is getting OT a bit.. as I understand it Phorm runs at the ISP level and then sells the data to content providers. I, for one, am getting really sick of this trend of uppity ISPs trying to get in the racket of playing monkey in the middle with our data. They get their monthly check simply for being a conduit. How about requiring the ISPs in question to call every one of their subscribers and say "we just wanted to inform you that we are going to sniff all of your traffic and sell the data to
          • Agreed.

            The above post isn't intended to defend, it's intended to lay out how it is. Know your enemy and all that.

            BTW, the consumers really don't seem to care that the financial industry has been doing this with their ATM, Debit, Credit, and gift cards for a while now.
            • "BTW, the consumers really don't seem to care that the financial industry has been doing this with their ATM, Debit, Credit, and gift cards for a while now."

              I was going to say the same. I know someone who is freaky about personal information issues, then I come to find out he has a couple "rewards" cards from various retailers. When I tried to explain to him that all those cards do is collect information about his habits for retailers, he laughed and called me "paranoid". Yet he searches through his logs
      • by coats ( 1068 )
        What I don't understand is why the following sort of argument shouldn't work:

        The amalgamation of the set of links I follow and the set of queries I make is a literary work that I own, under the Berne copyright treaty. (Note that I'm not talking about the content found at the links but rather the set of links themselves).

        Therefore it is my copyright work, and selling it to a third party is copyright infringement to which both civil and criminal penalties should be applied.

        FWIW...

    • but note that, like most transactions, this is dependent on how the item in exchange is valued and by whom -- in the beginning of the p2p days, napster was used by some record companies to measure the success of certain albums/songs etc. once they noticed they were actually bleeding, they squashed it and decentralized all the p2p downloads. to get that kind of data now, they'd have to compile it from 10 or 15 sources and still not have a complete picture (oink being the last real bastion of almost cetralize
    • by Instine ( 963303 )
      "Phorm has said its system offers security benefits which will warn users about potential phishing sites - websites which attempt to con users into handing over personal data. "

      They just turn EVERY SITE YOU VISIT into a phishing site! Sorted.
    • How about: "You put your content on a public, open system designed to give everyone access to it. I am not, cannot be, and WILL NOT be forced to download something I don't want from your website, and I sure as hell WILL NOT let you forcibly retrieve something from my machine. If you don't want me seeing what you've put online, then put it behind an account/password mechanism, encrypt it, hide it, whatever. PERIOD."
  • by apathy maybe ( 922212 ) on Monday March 17, 2008 @08:48AM (#22772688) Homepage Journal
    I agree with ol' Tim. An ISP's job is to provide a pipe for the Internet, charge for usage, and stay out of the way. That's all.

    Unless I want them to do something else. And tracking me is not something I want. That's right, spam filtering is something else that I want to be "opt-in", and content filtering, and every other bloody sort of filtering.

    Actually though, I would be happy if they paid me, but for one week at a time. For that one week I'll happily browse Goatse, Goatshe, Tubgirl etc. (images downloaded, but not displayed, I'm not that crazy). Any real browsing I'll do via my own encrypted proxy set-up at my webhost.

    Basically, I'm not the target audience for tracking.

    Anyway, it's great to see this sort of issue on mainstream media. Now just to get the 'normal' people to read it...
    • The trouble is that everyone wants helpings of everyone else's pies. Phone hardware makers now bolt services and content on their phones, phone service companies sell TV, Apple sells music, so why shouldn't ISPs want to wander off the reservation into the lush green 'services' pasture?
    • I thought he would but Mr. Ertugrul doesn't sound like such an idiot actually. See this interview. http://www.mefeedia.com/entry/recent-posts-blip-tv-beta/7018654/ [mefeedia.com] I am starting to think that there is something to it. I'd rather have the ISP know something about some random number than real with all those cookies.
  • Sure this isn't a typo?? :-)
    • Sure this isn't a typo?? :-)
      The summary could have been written in clearer English, however, that is not a typo. RTFA.
  • free internet? (Score:3, Interesting)

    by rucs_hack ( 784150 ) on Monday March 17, 2008 @08:50AM (#22772710)
    Quite honestly, if they want to track my internet usage, and exert some control over my online experience, then they can.

    In return, I want high speed internet access to be provided free of charge, with no download limit.

    Sound fair?
  • I don't know that the usage of "quotes" is correct in that submission (I am seriously wondering if someone with access to a more comprehensive dictionary could find out for me).

        Certainly, "Quoth" would be correct in its place -- but archaic -- or just "Said".
  • by Scutter ( 18425 ) on Monday March 17, 2008 @08:56AM (#22772768) Journal
    Kent Ertugrul, chief executive, of Phorm, told BBC News: "We have not had the chance to describe to Tim Berners-Lee how the system works and we look forward to doing that.

    You think you need to explain how your tracker works to the father of the internet, and that once you do, he'll be ok with it. Boy, if that ain't arrogance right there, I don't know what is.
    • Not only that, he's a CEO. People that keep track of what executives say know better than to trust what they say at face value.
    • by unbug ( 1188963 )
      Mate, it ain't arrogance, it's certainty. Even if he's the father of the internet his kneecaps are still soft for those non-verbal descriptions.
    • by WK2 ( 1072560 ) on Monday March 17, 2008 @09:20AM (#22772970) Homepage
      The article mentions nothing about Al Gore.
    • What kind of parent are you? Your kids are all vandals, taking drugs, driving around drunk, and causing trouble all over town. Please ground them or cut off their allowance or something.
  • I Agree With Tim (Score:5, Interesting)

    by Ngarrang ( 1023425 ) on Monday March 17, 2008 @08:59AM (#22772788) Journal
    After having read the article, I would have to agree with Tim. Where I go on the 'tubes is none of my ISP's business. And this is not about trying to hide some illicit activity, but a defense of my right to live without being watched everywhere I go. I must say, though, that I am not surprised to see this coming out of England. When are its citizens going to finally stand up for their rights and put an end to all of the cameras and tracking? V's speech begins to come to mind.
    • And this is not about trying to hide some illicit activity, but a defense of my right to live without being watched everywhere I go.

      Personally, I visit religious sites and political sites all the time, in which they are a personal thing. Does my ISP need to know which religion I belong to or who I am going to vote for?

      Hell no.
  • In TFA's page source is:

    <!-- Code for :bbc -->
    <!-- START NetRatings Measurement V5.1 -->
    <!-- COPYRIGHT 2003 NetRatings Limited -->

    NetRatings being a tracking service of some sort.

    Anyway. I always wondered about the philosophical implications of allowing someone to own the vibrations in the air. What I mean is, if someone makes the air around me vibrate in a particular way, I'm not allowed to observe it as I wish. One way of observing the vibrations would be to observe the effect those vib
    • If you look down the bottom right of all the BBC News pages, you'll see two little tabs called 'Most Read' and 'Most Emailed'.

      The 'tracking' involved doesn't amount to much more than a page impression counter to enable the BBC to see what interests people most (though I have my worries about such data being used to promote a dumbing-down of editorial policy - lowest common denominator and all that...).

      • Also, I am free to not visit the BBC's website or just plain old block scripts and such things that they may use to help them track me. I can also use a proxy if I'm that worried and can't live without my daily BBC fix. However, if I'm understanding Phorm's tracking correctly it's done on the ISP side and I have no say in the matter.
        • Correct - I'm just surprised that nobody has come up with a scheme like this before, since the technology to do so has been around for at least 8 years (I was involved in a failed ISP startup in 2000, and planned out a lovely network of layer 7 switches, proxies etc. which looks in hindsight eerily similar to Phorm's setup, but didn't see hijacking browser sessions as ethical or desirable - good job the funding failed, as we had a right bunch of sharks on the sales and marketing side).
  • with regard to his data - "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me."

    Jack Valenti? Is that you?

    Seriously. I skimmed the summary, and thought this article was something completely different.

  • Phorm should be easily defeated. Just need a script to "harvest" various random sites, and have the script running in the background, clicking away merrily. Phorm will track this random spew and will not be able to differentiate your real traffic from the "noise".

    Should call this script/program DEPHORM, guess it could easily ruin some halfwit's dreams of embarrassing riches!
  • Legally, we are coming to a conflict between what companies like Phorm say consumers have agreed to give and what consumers say they have agreed to give. Tracking companies like Phorm will say consumers agreed to their terms of service that allow tracking. But consumers can publish their own privacy terms of use [blogspot.com] that legally forbid tracking. [This idea is not legal advice to anyone, just something to think about.]
  • Believe it or not, the Internet, just like Electricity, is NOT a given right.

    We enter into a contract, pay some money, and get a service.

    If you don't want to be tracked, profiled, and served steaming hot piles of ads, then build your own network, backbone, etc and see how far you can go with that.

    The other option is to simply not use the Internet or find someone with a contract/TOS you can live with but as long as there is money on the table (feeding you ads) tracking and profiling will always be one b
    • Re: (Score:3, Interesting)

      by PriceIke ( 751512 )
      That's a good comparison. Come back to this thread when electric utilities start offering to sell data collected about what kinds of electrical devices YOU own and use, how often you use them and for what purposes to advertisers, the government and whomever ponies up $$. Hey, you don't own the power lines.
      • Re: (Score:3, Interesting)

        They already sell data based on usage from areas, times of peak usage, and number of users (monitors) in a given area. They can give your exact usage for a day, week, month, year. Damn, they friggin trade it. Hell, I can go look at it if I want by looking at your meter myself.

        It's not the TYPE of data that you get, it's whether or not it can be gathered through passive observation. In the case of the internet, it can.
    • In the real world, you don't own the network, the board of directors, or any part of their business.

      In the real world, last-mile ISPs are built on privileged access to rights of way and other public subsidies.

      If you don't want to be tracked, profiled, and served steaming hot piles of ads, then build your own network, backbone, etc and see how far you can go with that.

      Give me $200 billion [newnetworks.com] and I might just.

  • For those of us outside merry old Englande, Merry Olde Yew Nark, or Merry Old Moosecow (IN soviet... never mind) Wikipedia [wikipedia.org] says "Phorm, formerly known as 121Media, is a digital technology based in London, New York and Moscow. The company drew attention when it announced it was is in talks with some United Kingdom ISPs to deliver targeted advertising based on a user's profile."

    Am I the only one who had to look it up? I thought "Is phorming like phishing"?

    For the humorless cretin who mods me down for linking
  • I am not against my ISP tracking which sites I visit. In fact, I would not mind a summarized list of the sites my family visits and how long they are online. Phone companies automatically track which phone numbers I dial, why can't it be the same for ISPs?

    I am, however, vehemently against sharing that data with other companies. Of course, unless the ISP is providing me with tracking information, any information that they would track would be useless to them unless they do share it with others.

  • "We believe Phorm makes the internet a more vibrant and interesting place. Phorm protects personal privacy and unlike the hundreds of other cookies on your PC, it comes with an on/off switch."


    So... that 'accept cookies from sites' checkbox in my options menu isn't an on/off switch then?
  • About as much as Westinghouse could do about alternating current being used to electrocute criminals, or Lee de Forest could do about television commercials, or Leo Szilard could do about the atomic bomb being used against Japan.
  • On behalf of Phorm (Score:5, Informative)

    by Phorm Comms Team ( 1257670 ) on Monday March 17, 2008 @11:54AM (#22774542)
    Hi all. As the name suggests I work for the Phorm Comms Team. In response to Tim's comments and the raft of commentary that has followed, we also believe that it is wrong to store Internet users' personal data. Our technology is a real turning point in the protection of privacy online - it does not store personally identifiable information, does not store IP addresses and nor does it store browsing histories. By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way. With the Phorm technology, users can choose - they can opt out or in at any time; and again, no personal data is stored. We look forward to speaking to Tim Berners-Lee to explain how our technology is a groundbreaking advance in delivering targeted ads while protecting privacy online and consumer choice, as we have with other experts.
    • by thechanklybore ( 1091971 ) * on Monday March 17, 2008 @12:48PM (#22775192) Homepage
      Again, like the other respondent, I question your understanding of your own system if you believe that a simple cookie is a valid "Opt-Out" from Phorm. Maybe you could enlighten all of us Slashdotters as to how redirecting all of the traffic from a customer's internet connection to the Phorm network even when the "opt-out" cookie is set is opting out?

      "By contrast, ad targeting from other major Internet companies means that potentially identifiable personal data is stored for over 12 months before it is even anonymised. Also, because these companies reach nearly all UK Internet users, consumers effectively have no real choice about being targeted in this way."

      This is completely disingenuous. Whatever Google et al do with my data *I* have chosen to go to their site, *I* have chosen to perform a search. The Phorm method of gathering data is not comparable. If all of a person's HTTP traffic was routed through Google you may find a few people disagreeing with this too!
      • Re: (Score:3, Insightful)

        by grcumb ( 781340 )

        I question your understanding of your own system....

        I question their understanding of what they're doing as well, based on the fact that they could send a marketing droid to debate geeks. On Slashdot.

        The only possible outcome to this kind of a conversation is for the marketer to be positively buried in technical rebuttals which he is neither equipped nor allowed to respond to. $MARKETER will receive not a little disdain in the process, and if he's not careful, will become defensive.

        The first sign of b

    • by ydrol ( 626558 )
      Unfortunately, technical people will not believe marketing/PR-oriented comments, which often use technical terms imprecisely.
      They will only understand and trust a precise technical description of the system, something which Phorm may, understandably, be reluctant to give for IP/business reasons.
      What does "no personal data is stored" mean? Is data stored or not? Is it anonymized in the same way as the AOL Search scandal was anonymized?
      Will there be cross-pollination of adverts amongst users sharing the sam
  • by Animats ( 122034 ) on Monday March 17, 2008 @12:29PM (#22774964) Homepage

    We've been doing some tracking recently, but aimed at the advertiser side. We have a plug-in for Firefox which rates ads. [sitetruth.com] A little icon is displayed next to each ad, showing what our system knows about the advertiser. As we tell users of the plug-in, "AdRater 'phones home', but tells us as little as possible. AdRater sends the domain name associated with each advertisement you see to SiteTruth." SiteTruth then sends back advertiser information, in XML, which the plug-in turns into icons.

    We use this to find out what the advertisers are doing. Individuals are entitled to privacy; advertisers are not. We're building up a picture of the on-line advertising market. We now have, for example, a list of Google's AdSense advertisers.

    Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks.

    It's not just advertisers tracking users any more. Sometimes it's the other way round.

    • Soon we'll be issuing reports on advertiser quality. (Ads on Bloomberg: mostly legit. Ads on LinkedIn: quality varies, mostly OK. Ads on MySpace: mostly bottom-feeders.) More on this in coming weeks.
      I'd be interested in seeing the criteria, and sample data, for determining the quality of advertisers before I view your report as having any legitimacy.
      • by Animats ( 122034 )

        I'd be interested in seeing the criteria, and sample data, for determining the quality of advertisers before I view your report as having any legitimacy.

        Sure. See these documents. [sitetruth.com]

  • The Foundation for Information Policy Research [fipr.org] has recently published an open letter [fipr.org] in which it argues that the Phorm system that many British ISPs have signed up to is illegal. I am definitely having no regrets about having emigrated from the U.K. to Denmark.
  • by anticypher ( 48312 ) <anticypher.gmail@com> on Monday March 17, 2008 @03:37PM (#22777122) Homepage
    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people's observations in the ensuing PR war. Phorm's sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson [citigatedr.co.uk], to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this; I've seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by "gifting" the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm's technical team. If the equipment stays 5 years in the ISP's premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn't left their network should post-analysis show the customer has "opted-out" of passing the information to Phorm's China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP's network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP's network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm's plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let's take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can't be tricked by slashdot's servers to return cookies from digg or google.

    With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which responds with a 302 redirect to spyware.ru; the browser then does a lookup and redirect to the new site. Note that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begi
    • technically apt people ... are beginning to understand just what an internet stream hijack implies
      Well, I guess that excludes me. I didn't follow how they went from hijacking my browser session to getting my whole TCP stream. Could you explain?

      Or did you mean that Phorm's servers intercept everything coming across my connection, and that the browser scenario was just one example?
      • did you mean that Phorm's servers intercept everything coming across my connection

        Have a look at how BT will be implementing [theregister.co.uk] the Phorm interceptor line tap. The equipment is located where it intercepts all flows from all customers on the exchange, filtering out port 80 traffic to be passed to the F5 interception engine. The box known as "ACE" in the slides is provided, configured, and administered by Phorm, although it officially is "gifted" in accounting terms to the ISP to circumvent UK privacy laws.

        Nobod
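As an added example, not code from this thread, from Phorm, BT or any ISP: a small Python checker that looks in a captured HTTP response for the three symptoms anticypher describes above, namely a 302 to an unrelated domain, a cookie scoped to a domain other than the one the user asked for, and an off-site iframe or script injected into the page. The sample responses and the `tracker.example` domain are constructed for the demo; the "registrable domain" helper is a deliberate simplification (last two labels) that a real tool would replace with the Public Suffix List.

```python
"""Spot the symptoms of an in-path interception in a captured HTTP response:
an off-site redirect, cookies scoped to a foreign domain, and off-site frames
or scripts injected into a page. Added example with constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels of the host name.
    Assumption: good enough for the demo; a real tool should consult the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().strip().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


class OffsiteContent(HTMLParser):
    """Collect <iframe>/<script> sources and <meta refresh> targets that point
    at a different registrable domain than the page the user requested."""

    def __init__(self, home: str):
        super().__init__()
        self.home = home
        self.hits = []

    def _check(self, kind: str, url: str):
        host = urlsplit(url.strip()).hostname
        if host and registrable(host) != self.home:
            self.hits.append(f"offsite {kind}: {registrable(host)}")

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "script") and a.get("src"):
            self._check(tag, a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx >= 0:
                self._check("meta refresh", content[idx + 4:])


def analyze_response(requested_host: str, raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    home = registrable(requested_host)
    status, headers, body = parse_response(raw)
    findings = []
    # 1. A 3xx whose Location leaves the requested site.
    if 300 <= status < 400:
        for name, value in headers:
            if name == "location":
                host = urlsplit(value).hostname
                if host and registrable(host) != home:
                    findings.append(f"redirect off-site: {registrable(host)}")
    # 2. Set-Cookie with a Domain attribute for some other site.
    for name, value in headers:
        if name == "set-cookie":
            for attr in value.split(";")[1:]:
                k, _, v = attr.strip().partition("=")
                if k.lower() == "domain" and registrable(v) != home:
                    findings.append(f"cookie scoped to foreign domain: {registrable(v)}")
    # 3. Off-site frames, scripts or meta refreshes in the HTML body.
    parser = OffsiteContent(home)
    parser.feed(body)
    findings.extend(parser.hits)
    return findings


# Constructed sample responses for a request to slashdot.org (not real captures).
NORMAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Set-Cookie: session=abc; Domain=.slashdot.org; Path=/\r\n\r\n"
          b"<html><body><p>front page</p></body></html>")
INTERCEPTED_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                        b"Location: http://tracker.example/check?u=slashdot.org\r\n"
                        b"Set-Cookie: uid=12345; Domain=.tracker.example; Path=/\r\n\r\n")
INJECTED_FRAME = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body><iframe src=\"http://tracker.example/f\" "
                  b"width=\"0\" height=\"0\"></iframe><p>front page</p></body></html>")

if __name__ == "__main__":
    for label, raw in [("normal", NORMAL), ("redirect", INTERCEPTED_REDIRECT),
                       ("frame", INJECTED_FRAME)]:
        print(label, analyze_response("slashdot.org", raw) or "clean")
```

Run against a real capture, the same checks would be applied to the first response seen for each new host; a redirect or cookie for a domain the user never typed is the signal to investigate, while a 302 within the same site (for example to an HTTPS version) is correctly left alone.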
  • To all you ISP execs that might be reading this dialog: I'd pay $5/mo more if you'd anonymize my use of the internet (in a way I can verify) and if your service terms stated that I was anonymized in very clear language (i.e. no legalese loopholes). - p
    • by Zakabog ( 603757 )
      I'd pay $5/mo more if you'd anonymize my use of the internet (in a way I can verify) and if your service terms stated that I was anonymized in very clear language (i.e. no legalese loopholes)

      You're now giving the ISPs a business model selling you a "service" which should be included with your account...
      • So? We've got a number of years behind us where they've demonstrated they won't protect customer privacy on their own, regardless of what the customer asks for. Why not motivate them with increased revenue? In many markets there's only 1 broadband solution available so, barring legislation, they can pretty much do whatever they want and not risk losing customers. I'd love to see the appropriate legislation in place but my understanding is this happens fairly slowly in the best of circumstances and fighting
