Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

Ouch

[mrbluze]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Re:Advertisement Injection

[Rhys]

If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

Re:Is that legal?

[porkThreeWays]

It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.

Which Comcast already does here in the US...

Re:Advertisement Injection

[Stewie241]

I don't necessarily trust the ISP's JavaScript either... leave my pages alone thank you very much.

Glad I have a small ISP that likely won't do this, but I wonder if this means that random routers across the internet can use this to inject code into web pages.

Re:Um, Replacing Charity Ads?

[zwei2stein]

Its actually good thing they did this.

Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

Now if only major news picked this up and made big deal out of it...

Misrepresentation

[Rob T Firefly]

There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

Re:Ouch

[siddesu]

not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

in which case, thicker tinfoil will also be necessary.

Possible temporary fixes....

[postbigbang]

1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

2) Use page receipts to vet page authentication

3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author

4) other solutions that someone will think of; stop the page vandals NOW!

Tortuous Interference W/ Contractual Relations?

[Anonymous Coward]

Some legal eagle can set me straight here but this sounds a bit like a case of tortuous interference. The site owner and the user have a contract that the viewer views their ads in exchange for the content. The ISP is coming in and interfering with that contract in a material way by replacing ads. Somebody could make some big money on a class action -- as tortuous interference settlements are often very large.

Loss of Common Carrier Exemption?

[OmniGeek]

It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.

Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?

Re:Advertisement Injection

[Nursie]

I like that idea actually.

A sort of "You probably shouldn't trust me that much, but at least nobody's eavesdropping or screwing with the datastream" setting.

As an Oxfam contributor, I am pissed

[Anonymous Cowdog]

BT stole part of my donation to Oxfam.

I give money to Oxfam. They take my money, and use it to run their charity, which includes helping people as well as doing some overhead like, for example, creating ads and managing ad campaigns. Seems like a perfectly good use of my donation.

But now I find out that some of these efforts have been sabotaged, stealing part of the money I donated!

Not only does Oxfam have standing to sue, I would think Oxfam donors have also been wronged.

But worst of all, of course, is the loss of aid to the people who really need it. Hijack an Oxfam ad today, and another child goes hungry tomorrow.

Re:Advertisement Injection

[Albanach]

A possible solution would be opportunistic encryption [wikipedia.org]. It would allow some sites to serve encrypted traffic without changing anything at the apache/squid end of things. No change is needed at the browser level either, and cache's can still be used.

There's still a cpu overhead, but at least we don't lose all the other methods needed to keep http traffic flowing quickly.

Re:Ouch

[mabhatter654]

the EU has already rule against Google for selling ads that do just that in generic Google Ads blocks on sites. I'd say they're already breaking the law.

Term and conditions

[TheP4st]

Excerpt from chapter 4 titled Terms and Conditions of the document.

Also consideration must be given to the opt-out procedure enabling user to circumvent the system. The latter issue regarding op-out could not be specifically trialed since BTRT concucted this test as a stealth trial.
The system does provide an opt-out mechanism and this was laboratory tested and verified. However the method of opt-out requires consideration. Since it involves the dropping of a web-cookie on the users machine to indicate an opt-out preference, which if wiped by the user means they will be opted back in.

The solution would of course be to make it a opt-in instead of opt-out. Most users would of course not opt-in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt-in recive a discount on their internet connection. Simple and fair.

Re:Advertisement Injection

[Nursie]

Yeah, you're right.

Perhaps a way to take most of the load off the server would be to have trusted certificate but use an RSA_NULL_SHA1 ciphersuite where secrecy isn't important but authentication and integrity are.

And created a copyright violation

[Anonymous Coward]

in the process.

Or did they have the right to take a copy of the site's pages, make a derivative, and send that on?

Copy to forward is necessary.

Copy to change isn't.

Re:Is that legal?

[TheRaven64]

It's highly unlikely that this is even remotely legal. It is equivalent to receiving a TV channel and rebroadcasting it with your own adverts substituted for the originals without the consent of the original broadcaster. They are modifying and redistributing copyright content without the copyright holders' consent, which carries fairly stiff penalties under the EUCD and related laws, they are they are misrepresenting content as coming from a third party, which is fraud with penalties under a number of laws, and they are (by injecting JavaScript) running code on a computer without permission, which is illegal under the Computer Misuse Act.

The only question is who is going to sue them, and which laws they will decide to invoke.

Re:

[TheWGP]

I think the best argument against this is twofold, from a legal perspective: a)compilation copyright issues and b)unwanted traffic. If you are, in fact, metered, the company most likely has your standard "bend over and smile while we do what we like" ToS attached - and this may or may not be enough to get around these issues. I think the unwanted traffic issue will be covered until a court is presented with a REALLY EXTREME example - like someone who an ISP accidentally sent 250gb of data to and tried to make them pay for it. The compilation copyright claim is probably stronger, but would require action from a third party - namely, the website owner or some such. For example, if an ad I've put up on my webcomic page for, say, t-shirts I sell to do with my comic is replaced. That's quite possibly a relevant claim, BUT I, as the WEBCOMIC OWNER, would need to present a claim (since I've suffered the harm). You haven't been harmed, technically. Relatedly, if an ad I serve on my webpage (and am being paid to do so) is replaced by the ISP, I'm losing money - so that's a fair claim. Net neutrality legislation would almost certainly bar this type of practice - it would just be prioritizing ISP ads over website ads, and if that isn't biased, I don't know what is. The free market doesn't work in a situation like that, where any one website, unless it's Google or Amazon, is nothing but a puny gnat compared to the near-monopolistic ISP's. Another interesting question would be to do with those sites where you go and do nothing but click ads to donate money to charity, or the like. Those sites would become basically completely defunct, and though ISP's would try to say "oh, we'll except you!" it's very problematic to actually do so in practice, for every site, every time, with perfect reliability, as new sites pop up and old ones have subtle programming changes. Even if they do "fix" it, those are great examples to bring into court! In short, I think an American company that uses this should expect to be sued posthaste. There's no reason to think there's any level of benevolence in American ISP's, so expect this to be adopted as quickly as they can get away with it - just like Time Warner is trying to pull with its "test" of bandwidth "caps" that's really a staged setup. Nothing is really going to change until legislation or large legal judgments come down, I fear.

Re:I love it--use SSL for everything

[TheGratefulNet]

SSL fixes nothing. the user is still stupid.

I interviewed at a company (a few years ago) that had designed a hardware 'appliance' that intercepts SSL web comms and fools the user into accepting a fake cert that looks VERY VERY much like the real thing. he clicks 'ok' and whammo - he FEELS safe but his link is now MITM attacked and compromised. and he didn't even know it.

technically, SSL didn't break but the middle box (cough cough) did some very evil things and asked both ends to talk to it, instead. essentially.

how many people really scrutinize the MESS OF TEXT that comes up in those cert popups? even experts tend to say 'yeah yeah, OK' and click it away.

morale: assume your company is using one of these boxes and go from there. over time, more and more companies WILL be snooping on their employees or users using these 'SSL feel good' faker boxes.

be advised.

Legal Threats

[AlexanderHanff]

Well, firstly I am glad to see that the document has forked such a debate here on Slashdot and I thank you all for that (it is long overdue). As a result of some of my comments regarding the report, I am now facing legal threats from Phorm and BT. Alexander Hanff