Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

For the uninitiated

[Anonymous Coward]

BT stands for "British Telecom," Something they failed to mention, except in TFA

I hate it when people use too many arbitrary abbrivations. Let's start actually typing out names to set a context, then let people abbrivate in comments...

Re:Is that legal?

[Anonymous Coward]

I'm sure it was found illegal in the UK a few months ago (this report is from 2007)

http://news.bbc.co.uk/1/hi/technology/7339263.stm

Re:Ouch

[KnightMB]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures. You'll find the site here: http://wanip.org/anti-nebuad/ [wanip.org] in which every browser becomes a data-mining polluter when it's run. Get enough those on a suspect ISP and watch the CEO's have a heart attack from the "pollution attack".

I like how it's charity ads that were intercepted

[3-State Bit]

It's like the thinking goes "let's substitute out something utterly inconsequential and that will have no ramifications whatsoever". No, a charity isn't going to sue your pants off, so I guess it's okay, right?

What's next, Nike tests shoes (leaked codename: "rental") that deteriorate in 30 days -- on retarded children. Through a charity donation. That they write off their taxes the full value of.

Seriously: these are the times I'm glad to procrastinate about being an internet activist[1], because YOU CAN'T MAKE THIS STUFF UP. I couldn't have warned of this if I had tried.

[1] CHILL, guy with the sig 'whenever I hear the word activist I reach for my revolver' It's going to be all right.

Re:For the uninitiated

[Stooshie]

Over here in the UK, nobody needs to expand BT. Everyone knows what it means. (I assume you are not from the UK).

I'm sure stavros-59 just used it out of habit.

Brief Overview

[skinfitz]

Interesting - whole system runs on RHEL (told you it was evil..) and multiple Squid processes. Adds some latency into browsing (obviously...) Old system dropped javascript tags into URLs but later version did not (resulting in some users having some javascript appearing in their forum posts - like that guy on the motorbike phorum if anyone remembers that incident) Apple.com among the 'download target' sites (page 49) but surprisingly due to Evil, not Microsoft or Google.

Re:Ouch

[Janos421]

The browsed pages do not exist, so you never download pictures or js files. It's very easy for an ISP to filter these requests, they can filter the HTTP response code.
Two FF exntensions generate fake queries on search segines to pollute the collected data (at search engine level, but it also pollute ISP data). SquiggleSR [mozilla.org] and TrackMeNot [mozilla.org]. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.

Re:Um, Replacing Charity Ads?

[fhage]

TFA says BT purchased the ads they replaced. The Charities got free advertisements if they were not replaced.

Re:Ouch

[hasdikarlsam]

SSL doesn't, IPSec does. Sadly, the latter is hardly ever used.

IPv6 is supposed to have IPSec as a required element. I don't know how much this means; whether it'll actually be *used*, and resist MITM attacks.

Re:Loss of Common Carrier Exemption?

[Red Flayer]

It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

Newsflash: ISPs do not have common carrier status.

This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not be allowed to throttle certain users).

Re:Advertisement Injection

[VC]

Actually its a terrible idea. SSL only works because you know that the connection is encrypted between you and the person you're talking to. SSL to an untrusted host is just as bad as no ssl because the man-in-the-middle (which is kind of the definition of an ISP) could easily produce a certificate that says, "hey, I'm what ever page you wanted to look at". And the insert ads.

Re:For the uninitiated

[Richard_at_work]

Actually, BT stands for nothing - its a contraction of 'BT Group plc'. British Telecom stopped trading in 2001 when mmO2 plc and BT Group plc diverged and started trading as two separate companies.

Re:Advertisement Injection

[jonaskoelker]

You could do something almost good enough, though, that's done completely on the client side:

Let's say you're sending index.html. Take a hash of the page, put the hash early on the page.

In the bottom of the page, insert javascript code that removes the hash value, hashes the page, and compares it to the removed hash. If they mismatch, do an alert("warning: the page has been tampered with since it left Foocorp.com's servers."). The hash function doesn't have to be overly secure; here is actually a good time to write your own bad crypto.

The ISP would then have a hard time modifying the page, because they would have to generate the hash value of the modified page before seeing the page they want to modify only slightly.

They could, of course, buffer the whole page (if the server sends it out, or it could spoof your ACKs) and run the javascript on their modified version to compute the hash function. But how are they to know which functions to call? Include an infinite loop and some exploits that you never call yourself if you want to be really disruptive.

Re:Misrepresentation

[Jason Levine]

Good point. Not only could a person's image be tainted by such a swap ("how dare you support that you sell-out!"), not only could you wind up losing money (no clicks on your real ads = no money), but someone could get injured/scammed based on your reputation ("Blogger X whom I trust is recommending Product Y. How bad can it be?"). Combine the two and you could even be sued ("You recommended Product Y and it injured me. I'll see you in court!"). Not that a lawsuit like that might have any merit, but it could still be a pain and cost you time and money.

This sounded awfully familiar to me and now I remember where I've heard all this before. Spyware. There are certain spyware programs that, when installed on your computer, would replace the ads that a site displayed with its own ads. Website owners were outraged by this. At least with the spyware, though, the user had to have the application installed on the computer and could remove it (sometimes with much difficulty). With Phorm, the "spyware" is installed on the ISP's systems. You, as a user, aren't aware that it is there and have no say as to whether it replaces ads or not. (Yes, they give you a chance to opt-out, but I can guarantee they'll hide the page for doing so as much as possible.)

I think we need to call Phorm what it is: Spyware on a massive scale.

Re:Is that legal?

[kramer]

Derivative works are protected under fair use.

No, they most certainly are not. Certain derivative works are protected under fair use, but they must fall into one of a few narrow categories such as parody or commentary (they vary from country to country). There is no blanket derivative work fair use protection.

Re:And created a copyright violation

[mikael]

This was discussed in the forum digitalspy.co.uk

Phorm in the UK [digitalspy.co.uk]

One business user was updating the website for his home business. He used his home network connection to inspect the appearance of his website. To his surprise, he could not understand why the format of his website was consistently different from what he had intended. Disturbed by this, he reinstalled the OS on all his servers in fear of being rootkitted, rechecked all his security settings, reconfigured his firewall, and performed a packet trace on every connection made. In the end he noticed that various links on his webpages were being changed and that in particular some were coming from dns.sysip.net. Basically, this system redirected any links to adverts back to Phorm servers.

Customer who was Phormed [adslguide.org.uk]