Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

Advertisement Injection

[TheMeuge]

So let me see - if I am paying for bandwidth (which will soon be metered), and my ISP in injecting its ads into the webpages I am requesting, then the ISP is running down my bandwidth on purpose?

Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?

I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.

Is that legal?

[Opportunist]

Changing content and injecting different ads? I could see two possible violations here, one being copyright (altering content without the consent of the provider of the content), the other one dealing with fraudulent ad change (someone other than the one paying for the ads being displayed).

It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.

Um, Replacing Charity Ads?

[DigitalSorceress]

Wow, talk about low:

In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.

        "The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system."

Re:Advertisement Injection

[QUILz]

They could still hijack SSL/TLS sessions if users aren't paying any attention to warnings.

Re:Is that legal?

[corsec67]

How could a consumer opt-in with a company to violate a copyright held by a third party?

Take /. for example. How could I opt-in with my ISP to modify the page /. sends to me? Wouldn't that be a derivative, and a copyright violation?

Mod Parent Up!

[Cassini2]

I noticed that quote too. It is completely despicable that they would remove charity advertisements. Actually, I think the entire system boils down to theft and unlawful interception of traffic.

What if the phone company inserted commercial adds when you were talking to someone on the phone?

Oxfam ads substituted

[andyh-rayleigh]

I could see Oxfam (and the other charities who had their ads substituted) getting their lawyers to shakedown BT for a substantial "donation" as an alternative to being sued.

Re:Ouch

[Dark Kenshin]

Of course is won't. If a private person were to develop and test this out, he would likely be spending the next 20 years in prison (looking less and less "exaggerated" as time goes on.) The fact that this is for cooperate gains; it will be largely over looked. Yes, I might be lost in cynicism, but life seems to be supporting my case thus far.

Re:Ouch

[EvilMonkeySlayer]

Looking at the site it appears to be pretty easy for phorm here, all they'd need do is do a simple domain lookup. If it doesn't exist they filter it out.

If it doesn't exist then it's generated by this, since all it does is randomly create addresses. It'd be better if it just loaded random websites. Of course, that'd eat up a lot more of the users bandwidth though.

Re:Advertisement Injection

[Ed Avis]

Doing man-in-the middle attacks on SSL connections is beyond the technical ability of ISPs, even if users don't bother to check certificates. And the potential for them to get in trouble for it is a lot higher (e.g. if they ended up intercepting financial information, and then the ISP's servers got cracked...). So https is still the right answer here.

It's 2008, why aren't most websites just using https by default? A low-volume site can handle the load with today's superfast CPUs, and high-volume sites can afford to buy one of those crypto engine thingies.

Re:Ouch

[MindKata]

"realistically lead to legal action against BT"

Legal action strong enough to totally stop them is unlikely, as the power seekers who run a lot of countries unfortunately seem to be rushing towards building their own Big Brother, so as they make the rules, they choose whats considered legal. So they simply need to change the laws, which is what they keep doing. It seems nearly every week now we are getting ever more stories of new grabs for information and/or power over people. At this rate, 2008 should go down in history as the start of a Worldwide Big Brother.

Its ironic that our so called free countries appear to be building Big Brother as fast, if not faster than other countries. Maybe we just have better technology. Its also ironic that the war on terrorists is a war against people who wish to force others into their point of view. Yet now the people already in power are seeking to clamp down and hold control over everyone. Its like all of us who don't seek power are caught up in a power struggle between the different groups of power seekers who do seek to impose their views on everyone.

I guess the ones in power in some way fear some lost of power, as it can't be just about protecting us. Its got to be about seeking more power, which is what they do thoughout their political lives and all of us who don't seek power are not going to be heard by them. Especially as most people don't seem to even see how much harm can be done with so much power and no way to tell them they are behaving unfairly. They are becoming like a machine which is loosing its feedback mechanism and so running towards ever more extremes.

Re:Ouch

[aproposofwhat]

I came up with this as a concept in 2000, when layer 7 switching was just becoming economically feasible for a startup ISP.

It never flew, because the people I was dealing with weren't complete cunts.

From the document: The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system.

So not only are the bastards hijacking our traffic, they are overwriting paid-for charity ads as well.

I repeat, CUNTS!

Re:Possible temporary fixes....

[kvezach]

Intermediate term fix: Tunnel everything over IPsec. If ISPs are going to act like Eve or Mallory, let's treat them as such.

Re:Advertisement Injection

[Ed Avis]

Yeah it sucks that you have to either pay money or endure scary messages from the web browser. There should be a way to label your site as self-signed where it wouldn't get the special secure icon or magic green glowing bar in the web browser, but on the other hand the user wouldn't be pestered about an invalid certificate (unless the cert offered really has changed since last time the user visited the site).

Re:Ouch

[mikael]

By their own admission a leading UK telecoms company has deprived several charities of a legal revenue stream to line their own corporate pockets.

Given the outrage following the several Audiocall staff kept 100K of children in need cash for itself [thisislondon.co.uk], I hope BT get the same treatment.

Re:Advertisement Injection

[v3rgEz]

Hard? No. Extremely unscalable, particularly at the ISP level? Absolutely, plus that's opening another whole can of worms that most ISPs (today) aren't willing to open (see above re: private banking information concerns, for example). Of course, who would have thought they'd have the sheer chutzpah to replace other sites ads and, you know, threaten the very basis of much of the Internet economy? I sure didn't, even knowing it was technically possible.

Re:Is that legal?

[corsec67]

Derivative works are protected under fair use.

So I could take a song, add "Buy Coke" in the middle, and release that? No, especially not for commercial gain.

Some derivative works are protected by fair use, but they generally have to be mostly newly created content, and can't just be the website with a little bit changed, per Wikipedia [wikipedia.org].

Re:For the uninitiated

[cmsd2]

BT stands for "British Telecom," Something they failed to mention, except in TFA I hate it when people use too many arbitrary abbrivations. Let's start actually typing out names to set a context, then let people abbrivate in comments...

It's not British Telecom. It hasn't been so since 1991 when it changed its name to BT Group Plc.

Pot calling the kettle black?

[Duncan Blackthorne]

ISPs complain that BitTorrent users are eating up all the bandwidth, and the MPAA and RIAA complain about "stealing" of IP through filesharing. Meanwhile, the RIAA and MPAA are breaking the law trying to turn a profit with their (pseudo) legal engine, and the ISPs are breaking the law with DoS/MITM attacks, and altering content on the fly! This is bullshit, complete and utter bullshit, and it needs to stop, NOW. Net Neutrality needs to be the LAW, and ISPs need to have the hammer dropped HARD on them over bullshit like this.

Re:Advertisement Injection

[Casualposter]

Ok, so this is what happens. The Website, let say, Slashdot, makes an agreement with XYZ internet media company to sell ads on the site. Those ads don't pay without a click through. The customer pays the ISP for the upload and download content bandwidth, maybe per gigabit, or "unlimited" bandwidth. The ISP reads all unencrypted packets (and perhaps has to retain such information for some regulated period of time in some country). So when the customer goes to the site, he may or may not get the ads for the site as the ads may be substituted by the ISP so that clicks go to the ISP instead of the site. And the ISP is free to send small or large ads depending upon what is economically advantageous to the ISP.

This is nothing more than the ISP asking for a blank check from the customer, while stealing ad revenue from the visited websites. But it would be very hard to detect from the website. How would you know your ads are being intercepted?

Another scenario. What is to stop the ISP from being paid by a political action group to simply replace all instances of an opposing group's ads with their own? Seems to me that is left up to the integrity of the ISP, which from my experience is not very high. These are the folks who will sell your phone records to the first PI that pretends to be you, and also to the first G-man to merely ask.

Another scenario. NOw that it has been demonstrated that every packet can be read and that this can be used to generate profits, what level of responsibility does the ISP take upon itself for the contents of the websites? ARe they liable for every underage relationship transmitted across their lines while they serve ads for condoms next to the sex talk? What about those instance where websites are serving information that could be used to commit a crime? Shouldn't the ISP, with it ability to completely read the subject's searches KNOW or should know that a crime is being researched? How many times will the internet be blamed for harm to a minor before the ISP gets held partially liable, or required to monitor the internet by the government?

Re:Ouch

[Lennie]

I thought SSL MITM isn't possible, could you please point me to a page explaining how that works ?

Atleast when certificates are properly checked it shouldn't be possible.

Re:Ouch

[Jellybob]

So if I had an ad-funded website (unlikely in the current climate, but stick with me) Phorm would be screwing me out of the money I'd make for those ads, but replacing them with there own.

Something tells me that if I did the same thing with a billboard - charging customers for me to go out and paste their adverts over the top of paid for adverts at night - Clear Channel would quite quickly be attempting to sue me.

Re:Ouch

[Shakrai]

I thought SSL MITM isn't possible, could you please point me to a page explaining how that works ?

Atleast when certificates are properly checked it shouldn't be possible.

You just explained how it's possible.

Re:Advertisement Injection

[nuzak]

Once advertisers and web sites see a sizable percentage of their advertising being siphoned off and replaced by ads financially benefitting nobody but the ISP's, you'll start seeing more web sites using https.

No, you will see more lawsuits.

Advertisers paid for their ads to be served. Phorm is theft.

Re:For the uninitiated

[ray-auch]

> BT stands for "British Telecom,"

No, it doesn't (anymore). The whole brand and company is "BT". They dropped the British bit (I forget when) when trying to become a global brand.

The full name of the company is "BT Group", but typically when naming companies you don't include the "group" or "plc / ltd. / llc" bits.

The website is also www.bt.com - check out the page, no mention of "British" whatsoever.

If you wanted to identify the company better, for folks that don't know it, you could say "BT - a major UK telco & ISP - ..." or something like that, but identifying them as "British Telecom" is simply incorrect.

Re:And created a copyright violation

[Jason Levine]

I think it is actually worse than copyright violation. It is fraud. When I have an ad on my website, it is an indicator that I either a) really like the product/service the advertised company is providing, b) will profit from viewing/clicking the ad, or c) really think that the charity being advertised is worthwhile. Phorm ads wouldn't fit any of those categories and yet are purposefully being injected into pages to make it look like A, B, or C are true. It is giving the impression of me approving/profiting from an ad that I am not approving and profiting from. In addition, it is taking money out of my pocket (or a charity's pocket) to make Phorm money. That's fraudulent activity in my book.

Re:Is that legal?

[Ctrl+V]

This would destroy the sites that makes any money based on advertising, or have them go to BT for their ad revenue.

this is the biggest problem with an ISP switching ads to their own. In the end, it's a destructive practice:

1) advertisers will start to understand that ads they pay for on site x are being over-ridden

2) advertisers start paying ISPs for advertising

3) site x, now not able to support its costs through advertising, closes up shop

4) rinse, repeat, until

5) there's no longer any sites that users want to visit, and ISPs are getting less money from advertisers, and are loosing subscribers cause there's less demand

6) everybody looses

Re:Ouch

[foobsr]

Yes, I might be lost in cynicism, ...

This is only what they tell you to obfuscate that you are on the way to enlightenment :), which as a consequence renders you useless as a prototypical consumer (if you escape being caught by Prozac&Co.)

CC.

Re:Ouch

[flacco]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures.

You're not being cynical/paranoid enough. You assume the motivation is strictly economic, while it actually might be a cover for plain ol' surveillance. "Extra data" isn't as damaging in this scenario, where they are monitoring you for specific behavior.

Re:Ouch

[tagishsimon]

It's always worth reading the document first.

121Media, who ran the trial, placed charity ads (at its own expense) on a number of websites, and then intercepted them and replaced them with commercial or other charity adverts on the fly. Thus they were replacing their own adverts /and/ serving the charity adverts to those who viewed the web pages and were not in the trial.

Thus there is no question of damage to charities, quite the contrary; nor to websites advertising revenues.

There is, though, the privacy issue.

It would be helpful if we could hang them for what they are guilty of, rather than making unsupported allegations.