Covert BT Phorm Trial Report Leaked
stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe.
NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked" - read there to see what the latest is.
Ouch (Score:4, Interesting)
Re:Advertisement Injection (Score:5, Interesting)
Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.
Re:Is that legal? (Score:3, Interesting)
Re:Advertisement Injection (Score:3, Interesting)
Glad I have a small ISP that likely won't do this, but I wonder if this means that random routers across the internet can use this to inject code into web pages.
Re:Um, Replacing Charity Ads? (Score:5, Interesting)
Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.
Now if only major news picked this up and made a big deal out of it...
Misrepresentation (Score:5, Interesting)
The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.
Re:Ouch (Score:5, Interesting)
To make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. Since the image is inserted on the server, I also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.
When I complained, I was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. To me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job I'm paying 'em for.
Unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.
In which case, thicker tinfoil will also be necessary.
Possible temporary fixes.... (Score:5, Interesting)
2) Use page receipts to vet page authentication
3) Litigate, especially for copyright violation, as the page has been misused by an intermediary for a purpose not intended by the page's author
4) other solutions that someone will think of; stop the page vandals NOW!
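One way to build the "page receipts" idea from the post above, as an added example that is not from the original thread or from BT, Phorm or any other party it discusses: the publisher issues a receipt (an HMAC-SHA256 tag) over the exact bytes it served, and the client recomputes the tag over what actually arrived. The two sample pages, the hostnames and the shared receipt key are all constructed for this example; a public-key signature would replace the HMAC in practice so the client holds no secret, and HMAC is used here only because it is in the standard library.

```python
import difflib
import hashlib
import hmac

# Constructed sample page as the publisher served it (not taken from the leaked report).
ORIGINAL_PAGE = """<html><head><title>Oxfam appeal</title></head>
<body>
<a href="https://example.org/donate"><img src="/ads/oxfam-banner.gif" alt="Donate to Oxfam"></a>
<p>Thank you for reading.</p>
</body></html>
"""

# Constructed example of the same page as it might arrive after an in-path box has
# altered it: a script tag has been added and the charity banner swapped for another ad.
MODIFIED_PAGE = """<html><head><title>Oxfam appeal</title></head>
<body>
<script src="http://ads.example.invalid/track.js"></script>
<a href="http://ads.example.invalid/click"><img src="http://ads.example.invalid/banner.gif" alt="Advert"></a>
<p>Thank you for reading.</p>
</body></html>
"""

# Assumed shared secret between publisher and verifying client (example value only).
# A real deployment would publish a signature instead, so that no secret sits on the client.
RECEIPT_KEY = b"example-receipt-key-not-a-real-secret"


def page_receipt(body, key=RECEIPT_KEY):
    """Issue a page receipt: an HMAC-SHA256 tag over the exact bytes the publisher served."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_receipt(body, receipt, key=RECEIPT_KEY):
    """Recompute the tag over the bytes that actually arrived and compare in constant time.

    Any in-transit change, however small, changes the tag and the check fails.
    """
    expected = page_receipt(body, key)
    return hmac.compare_digest(expected, receipt)


def injected_lines(original, received):
    """Return the lines present in the received page that were not in the original.

    This is the forensic follow-up once verify_receipt() fails: it shows the reader
    exactly what an intermediary added or replaced.
    """
    diff = difflib.unified_diff(
        original.splitlines(), received.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    receipt = page_receipt(ORIGINAL_PAGE)
    print("untouched page verifies:", verify_receipt(ORIGINAL_PAGE, receipt))
    print("modified page verifies:", verify_receipt(MODIFIED_PAGE, receipt))
    for line in injected_lines(ORIGINAL_PAGE, MODIFIED_PAGE):
        print("injected:", line)
```

The receipt must travel over a channel the intermediary cannot rewrite (for instance fetched over HTTPS, or embedded in a signed header), otherwise the box that edits the page can edit the receipt to match.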
Tortious Interference W/ Contractual Relations? (Score:2, Interesting)
Loss of Common Carrier Exemption? (Score:3, Interesting)
Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.
Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?
Re:Advertisement Injection (Score:4, Interesting)
A sort of "You probably shouldn't trust me that much, but at least nobody's eavesdropping or screwing with the datastream" setting.
As an Oxfam contributor, I am pissed (Score:2, Interesting)
I give money to Oxfam. They take my money, and use it to run their charity, which includes helping people as well as doing some overhead like, for example, creating ads and managing ad campaigns. Seems like a perfectly good use of my donation.
But now I find out that some of these efforts have been sabotaged, stealing part of the money I donated!
Not only does Oxfam have standing to sue, I would think Oxfam donors have also been wronged.
But worst of all, of course, is the loss of aid to the people who really need it. Hijack an Oxfam ad today, and another child goes hungry tomorrow.
Re:Advertisement Injection (Score:4, Interesting)
There's still a CPU overhead, but at least we don't lose all the other methods needed to keep HTTP traffic flowing quickly.
Re:Ouch (Score:3, Interesting)
Terms and conditions (Score:3, Interesting)
The system does provide an opt-out mechanism and this was laboratory tested and verified. However, the method of opt-out requires consideration, since it involves dropping a web cookie on the user's machine to indicate an opt-out preference; if the user wipes it, they will be opted back in.
The solution would of course be to make it an opt-in instead of opt-out. Most users would of course not opt in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt in receive a discount on their internet connection. Simple and fair.
Re:Advertisement Injection (Score:3, Interesting)
Perhaps a way to take most of the load off the server would be to have a trusted certificate but use an RSA_NULL_SHA1 ciphersuite, where secrecy isn't important but authentication and integrity are.
And created a copyright violation (Score:1, Interesting)
Or did they have the right to take a copy of the site's pages, make a derivative, and send that on?
Copy to forward is necessary.
Copy to change isn't.
Re:Is that legal? (Score:3, Interesting)
The only question is who is going to sue them, and which laws they will decide to invoke.
Re: (Score:2, Interesting)
Re:I love it--use SSL for everything (Score:4, Interesting)
I interviewed at a company (a few years ago) that had designed a hardware 'appliance' that intercepts SSL web comms and fools the user into accepting a fake cert that looks VERY VERY much like the real thing. He clicks 'ok' and whammo - he FEELS safe but his link is now MITM attacked and compromised. And he didn't even know it.
Technically, SSL didn't break, but the middle box (cough cough) did some very evil things and asked both ends to talk to it, instead. Essentially.
How many people really scrutinize the MESS OF TEXT that comes up in those cert popups? Even experts tend to say 'yeah yeah, OK' and click it away.
Moral: assume your company is using one of these boxes and go from there. Over time, more and more companies WILL be snooping on their employees or users using these 'SSL feel good' faker boxes.
Be advised.
Legal Threats (Score:3, Interesting)