Wikipedia Opts Out Of Phorm

ais523 writes "Wikipedia (and other websites run by Wikimedia) have requested to opt-out from Phorm; according to the email they sent, they 'consider the scanning and profiling of our visitors' behavior by a third party to be an infringement on their privacy.'" Another reader points to this post on techblog.wikimedia.org which includes a confirmation from Phorm that those sites will be excluded.

Re:Frist Ph0rm

[David Gerard]

It's the opposite of Artificial Intelligence: if you network enough marketers you get Sincere Stupidity.

Re:

[Jurily]

whoosh

Re:

[bit01]

"Sincerity is everything. If you can fake that you've got it made."

Old but good.

---

For web applications a web browser is little more than a multi-language, non-portable graphics+networking library mess, far less consistent than other graphics+networking libraries.

The official post

[David Gerard]

Wikimedia Tech Blog post [wikimedia.org].

(This would have happened sooner, but Brion was snowed under.)

Re:

[Blue Stone]

I'm hoping the BBC will be next.

Re:The official post

[OldakQuill]

The BBC can't opt-out at the moment. It seems that major sites which do opt-out at the moment make news (including headlines at http://news.bbc.co.uk/ [bbc.co.uk]). It'd be quite reflexive for the BBC to opt-out from a scheme run by a major UK telecommunications company and to report it on their news website, since that is a major source of their web traffic. The BBC News website itself would be making the news by undermining BT's scheme on the grounds of privacy invasion. When enough sites have opted-out for it to be non-news, they could do it.

Also, the BBC and BT have to work with each other on things like iPlayer, the online television/radio delivery platform. Perhaps the BBC are avoiding opting-out on these grounds too.

Then again, since the BBC has a special place in the UK regarding license fee and lack of advertising, perhaps they were opted-out of the scheme from the beginning.

Re:

[EdZ]

You don't know the BBC. They've reported on their OWN internal scandals in the past, and tried pretty well to remain unbiased over them.

Re:

[Opportunist]

It's a sad, sad world when governmental owned news media are less biased than privately owned ones. My socialist buddy will heckle me with this for ages if he finds out...

Re:

[Shrike82]

The BBC aren't owned by the Government. It's operated and regulated by the BBC Trust, and it was originally set up by a bunch of telecom companies.

Re:

[Dr_Barnowl]

The BBC is not government-owned. It is an independent media corporation, formed by a Royal Charter.

Re:

[Dr_Barnowl]

The BBC is funded directly through the license fee (which it collects for itself), not through taxation and redistribution from the government.

Re:

[asc99c]

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Government rules give it a unique position that feels a lot like taxation (i.e. a very similar situation is that you have to pay road tax if you own a car).

NB just being devil's advocate here, big fan of the BBC myself!

Re:

[FireFury03]

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Please stop spreading misinformation - everything you have just stated is completely incorrect. You need a TV licence in order to watch broadcast TV (this includes streams over the internet which are simulcast with broadcast TV, but does not include streams which are not simulcast). You do not require a licence if you do not receive broadcast TV, no matter whether or not you own a TV - i.e. you don't need a licence in order to watch DVDs, use your computer, etc.

Whether or not you agree with the TV licence

Re:

[asc99c]

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

And one point I forgot to include in my original post is that you can't buy a TV just to watch ITV / Channel 4 / Five - in this case you have to pay for a BBC licence fee.

Re:

[FireFury03]

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

It is interesting to note that there has recently been a public consultation on the methods used to collect the licence fee, and the results showed that the public generally feels that the licence fee collection is far too heavy-handed. It will be interesting to see if anything changes as a result of the consultation.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

My understanding is that if you officially inform them that you don't receive broadcast TV then they will send round someone to check and then stop harassing you. I've got no first hand exper

Why the BBC is more unbiased

[brunes69]

This is what many Americans don't get about the BBC. All they think is "it is run by the government, they must have their hands in it".

The reason the BBC can remain so unbiased is because they have no need to profit or grow the company. They know they will be funded next year, they have a government mandate and direct taxation supporting them. Also, it is an arms length from the government. They have a charter to collect the TV tarrif directly - the government does not directly fund them to my knowledge.

The

Re:

[Acer500]

Since they don't have to worry about marketing and soliciting advertising, they can devote 100% of their time and energy on reporting on the news to the best of their ability.

Not to mention they get a leftover budget for cool shows like Top Gear :)

Re:

[An ominous Cow art]

Why do you say that it's sad? In my perfect world, I'd be more likely expect a privately-owned source to be tainted by the views of its owners, and a governmental one to be closer to reality.

Re:

[mdwh2]

Firstly, the BBC can and do report on their own news.

Secondly, I'm confused as to your logic - are you really saying that the BBC can't do anything that would be "newsworthy", because they might get into some circular-metajournalistic-tangle over whether to report it or not? Either they'll report it, or they won't, but it would be ludicrous to suggest they were prevented from being able to carry out the action itself, whether or not it gets reported.

Re:

[Dreen]

Not nearly all Wikimedia domains are included there, for example only handful of wikipedia.* is that because the other ones are only redirects or something?

Re:

[David Gerard]

That's everything which Wikimedia directly controls DNS for. There's others that have different technical or administrative contacts listed. They've been alerted they should do it themselves too.

Re:The official post

[brion]

Those are also not actual Wikipedia content sites, but either redirects or sites of local Wikimedia chapters. All our actual content is on our own domains -- for instance German-language Wikipedia is at http://de.wikipedia.org/ [wikipedia.org] not http://wikipedia.de/ [wikipedia.de] which is a portal page maintained by Wikimedia Deutschland. (In part because German courts routinely shut wikipedia.de down in preliminary injunctions... ;)

Re:

[AlexanderHanff]

Brion,

I would like to extend my gratitude to you for supporting the campaign and opting the Wikimedia Foundation out, myself and other campaigners are very appreciative of the support.

Sincerely,

Alexander Hanff
Founder of NoDPI.Org

Re:

[brion]

Thanks! :)

where is the list ?

[johnjones]

sorry I dont understand

where is the list of websites who have opt'd out of webwise ?

and since webwise is not active at the moment what good will this do ?

regards

John Jones

Re:where is the list ?

[David Gerard]

The Open Rights Group is keeping a list of people it's asked to loudly and publicly tell Phorm to phuck off. Amazon opting out made lots of mainstream media a couple of days ago; looks like Wikimedia doing the same will get a bit of notice too.

The point is to publicise that Phorm (a) exists and (b) is a bad thing. Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Re:where is the list ?

[TubeSteak]

Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Wrong.
Schemes like Phorm exist because they are opt-out.

Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful.

Re:where is the list ?

[oldhack]

"Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful."

Or because opt-out is a fraudulent scam. We've got ten thousand and one things to keep track of for real life, and I don't see why we should have to keep track of opt-out status for every pissant website.

Re:

[Opportunist]

That's exactly what's wrong with opt-out in the first place.

"Here, you are now a member of the Church of Opportunist worshippers. That costs just one buck a day, you can pay a year in advance without worries, and of course the moment you tell us you don't want to be a worshipper anymore, we'll terminate your contract immediately"

This is fine if you first opt-in. I.e., if you have to come to me to worship me and pay me for it (not bloody likely, but hey, if you really wanna...). If it's just "done" to you, p

Re:

[BrokenHalo]

Definitely the latter. We have become so accustomed to the fact that "opt-out == spam-me-to-hell-now-i've-confirmed-that-i-exist", nobody trusts the option any more. Which is why people take steps with appropriate hosts-file blocking or firefox extensions.

Re:where is the list ?

[bit01]

Numerous studies have shown that people are lazy

Numerous studies have shown that people attempt to rationally allocate their time and attention.

There are millions of businesses in this world. It is not humanly possible to opt-out of all their marketing drivel even when there a cost-benefit in doing so.

Marketers steal the time and attention of many people to make a sale to one person and then act all surprised when those people get pissed. Spam is just the extreme example of that, unfortunately becoming less extreme all the time.

---

The USA is

Re:

[Tom]

And that's why opt-out should be illegal. No exceptions. Massive fines. That would end all the spam and scamming right there, at least for the legal part (you still have to find and prosecute the guys, of course, but you don't need any huge laws).

So where are the class-action lawsuits? Americans, I'm looking at you, you make a case out of everything, what's taking you so long?

Re:

[Acer500]

And that's why opt-out should be illegal. No exceptions. Massive fines. That would end all the spam and scamming right there, at least for the legal part (you still have to find and prosecute the guys, of course, but you don't need any huge laws).

Why is the above a flamebait? Is it the second part (the calling the Americans to action)???

Re:

[FireFury03]

Schemes like Phorm exist because they are opt-out.

What Phorm is doing is almost certainly illegal - you can't lawfully intercept communications without consent from all involved parties. By making it opt-out, you're not even getting explicit consent from one of the parties (the ISP's customer) - even if it were opt-in, you're not getting consent from the website that you're snooping the connection to, or any of the users of that website that may have posted (potentially private) content on it.

It is possible to block IP

[Daimanta]

But first there is a need for people:

Read this thread down and comment on this one

http://slashdot.org/comments.pl?sid=1199671&cid=27586613 [slashdot.org]

If you are connected with BT please try some of these suggestions and see if it is possible to locate the IP addresses of Phorm. It is important that we stop this menace(or at least do what we can) before it spreads to other ISPs.

Re:

[gerrysteele]

I'm on BT but from your link couldn't work out what suggstions you are talking about i'm afraid.

Re:

[Frosty Piss]

Perhaps a better approach to Big Internet Business would be rather than "user privacy", which in reality they don't give a damn about, we pointed out to them that Phorm "monetizes" other people's visitors (customers) without a return to the Web site owner ("you're STEALING my customers"). Microsoft and Yahoo might consider how much they like their Web "properties" being hijacked for someone else's profit.

That email may not work...

[Tribbles]

It might be ignored as we (in the UK) don't spell "legitimize" with a "z" - it's legitimise here :)

Re:

[Anonymous Coward]

Phuck oph.

Re:That email may not work...

[tomtomtom]

Actually, "-ize" is absolutely not an Americanism - it is in fact correct spelling in either British or American English, whereas "-ise" is correct only in less formal British English.

It is sad that very few of us British seem to understand our language properly; almost no one here realizes that it is actually more conservative in British English to use -ize and not -ise. For example, go and look at an older copy of the Oxford English dictionary or the Times and you will see all those words spelled "-ize". I believe that even the newer editions of the OED, despite now listing the "-ise" forms, state that "-ize" is the preferred form.

To further complicate matters, the only words to which this rule can can apply are those which derive from Greek (and thus contain the Greek suffix "-ize" - this is the rationale for it being the more correct variant). So for example "enterprize" and "capsise" are always just wrong in either British or American English.

Re:

[drinkypoo]

The reason I use -ise (and -our instead of -or etc) is because the fsckin' Americans don't

Yes, that is quite hilarious. In fact, American English sounds more like Old English than British English does, specifically because Brits have changed their speech to sound different from yanks. In particular the pronounciation of the letters "A" and "R" is dramatically closer in the American stuff. Also, the person who got to name Aluminum wanted it named Aluminum, not Aluminium.

Re:

[Haeleth]

In fact, American English sounds more like Old English than British English does

Not true. Neither language sounds remotely like Old English, so far as anyone can tell; of course, Old English stopped being spoken around a thousand years ago, so we don't really know what it sounded like anyway.

In any case, you're probably thinking of Early Modern English, i.e. the language as spoken when the first colonists set sail.

It is true that American English preserves some features of Early Modern English that have be

Re:

[uncle slacky]

AIUI the -ise ending was introduced as a replacement for -ize during the 18th century, when it became trendy to spell things in a French style, hence -er endings became -re (centre, theatre) and -ise replaced -ize. Because American English was essentially divorced from the mother tongue by that time (politically if not culturally), the changes didn't propagate over the pond.

As someone else noted, American English resembles British rural dialects (particularly Oxfordshire and Bristolian, so I'm told), which

Why not go one step better?

[TheRaven64]

Detect IPs from ISPs who are part of Phorm and redirect them to a page about Phorm the first time they visit Wikipedia each day. Amazon probably couldn't afford to do this, but it's not like Wikipedia loses any revenue if they irritate their visitors a bit, and if they can direct that anger to the ISP then it could do a lot of good.

Re:

[David Gerard]

When it was proposed in a couple of mailing list discussions, the unanimous response was "HELL YES!" So I think you could reasonably say we actively dislike Phorm ;-)

Re:

[stephanruby]

Or they could just detect those IP addresses as you said, but put it in the message on top of the page, where they usually put official messages and calls for raising funds. A complete redirect would be overkill in my opinion.

WTF is Phorm?

[EvanED]

For those of you, like me, that read TFA and the article linked from TFA and still don't know what Phorm is other than it's something that some UK ISPs are implementing and there appear to be privacy concerns, Wikipedia [wikipedia.org].

In short, it's system for doing targeted advertising by deep-packet inspection.

Re:

[orangesquid]

I thought this was obvious? Doesn't PHORM stand for Privacy Heinously Obliterated for Rogue Marketing?

Wait, I think my conscience is interfering with accurate perception of reality to discourage nightmares... dammit, why does this happen so often.....

Re:WTF is Phorm?

[AlexanderHanff]

If you would like more information on Phorm/WebWise, NoDPI.Org has been leading the campaign against them for the past 14 months (and were co-signatories to the Open Letter). We have worked on a number of iniatives including organising the House of Lords Round Table Event which Sir Tim Berners-Lee attended on the 11th March this year. We plan to take the lobby all the way to Brussels and the campaign has already led the European Commission to initiate legal proceedings against the UK Government after they failed to enforce EU Privacy Directives with regards to Phorm's covert trials with BT Group in 2006/2007. I also filed a criminal case with the police in July last year, which they closed stating that there was no criminal intent and it was not in the public interest. As a result of this I was forced to contact the Director of Public Prosecutions and bypass the police entirely - the Crown Prosecution Service are now investigating the matter and will make a decision on whether or not to prosecute. The covert trials in 2006 alone intercepted over 130 million communications over less than 2 weeks and modified those communications to insert Javascript into web pages which passed through their systems (then known as PageSense). I leaked an internal BT report which goes into a great deal of detail about the 2006 trials to WikiLeaks last summer and I also wrote my undergraduate dissertation on the legal implications of the same covert trials.

You can find the dissertation here: https://nodpi.org/documents/phorm_paper.pdf [nodpi.org]
You can find the leaked report here: https://secure.wikileaks.org/wiki/Image:BT_Report.pdf [wikileaks.org]
And you can catch up on the entire scandal on our blog here: https://nodpi.org/ [nodpi.org]

Hope that clarifies things for those who are not aware of who/what Phorm/WebWise are/is.

Alexander Hanff

Re:

[stephanruby]

I'm surprised Virgin is one of the three ISPs doing this. Does Richard Branson still own that ISP? If he does, I will do my part and boycott all the Virgin brands. Since I live in the US, and since I don't do business with BT, boycotting and bad mouthing BT would be pointless.

More information please?

[Anonymous Coward]

Would it be too much to ask for the summary to give some clue about what "Phorm" is, or why Wikipedia would need to or want to "opt out" of it?

Re:

[AnotherBrian]

http://lmgtfy.com/?q=phorm [lmgtfy.com]

Re:

[u38cg]

Or would it be too much to ask that if you only read slashdot once in a blue moon and have no idea about a topic you've never heard of that you at last try one Google search before accusing slashdot of being lazy?

stealing advertising revenue

[wjh31]

aside from the whole invasion of privacy thing, people seem slightly less to pay attetion to the suggestion that intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue, to the page owner for their share, to e.g google for their commision or however they work, and to the advertiser whom may otherwise have recieved an extra click through to their site

May be copyvio too

[Xtifr]

Any content that is distributed under any of the Creative Commons NC licenses (e.g. cc-sa-nc [creativecommons.org] cannot legally used for advertising purposes. The very similar license under which the Grateful Dead allow redistribution [cnet.com] of their old concert recordings explicitly lists advertising and "exploiting databases compiled from their traffic" as forbidden.

Re:

[tomtomtom]

... intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue ...

Not that I want to be seen to defend Phorm, but that's just not what their system does.

To be fair to you, some of the original secret trials did include nasty rewriting of web pages to include their ads but they pretty quickly dropped this (I suspect more because it didn't work well enough than for any moral or legal reason given their dubious track record and the previous lives of the individuals behind Phorm).

Phorm monitors your general web usage using Deep Packet Inspection at the ISP level, even an

Re:

[MichaelSmith]

Oh great. Now my wife is going to get adverts targeted at my browsing habits. Just what I need.

Re:

[Opportunist]

Hey, would you mind her having bigger tits and a maid outfit? :)

Re:

[IBBoard]

It isn't stealing advertising revenue, though.

The way Phorm works is to monitor every page on all websites that a user on a Phorm'd ISP visits and build up a profile of them by analysing the content. This is then used to supply more targeted adverts on every site that is part of Phorm's network.

They don't replace (for example) GoogleAds with their own adverts, but they do read the content of your website and use it for their own profit by scanning it after an interesting flurry of fakes and redirects [wikipedia.org] - all

Re:

[growse]

You're confusing the content and the information about the people accessing the content. If I publish a web-page, that is public (copyright me). Anyone can read it. However, what isn't public is the list of IP addresses that accessed that content. When reading a webpage, you don't get to know who else has read that webpage.

Phorm gets to know who else read that webpage. And any other HTTP-only webpage.

Re:Mental disconnect

[David Gerard]

The way they're doing it is likely illegal in the EU. The EU is actually taking Britain to court for not having prosecuted Phorm and BT already.

Re:Mental disconnect

[hguorbray]

El Reg has been covering Phorm and its existing and planned abuses for some time:

http://search.theregister.co.uk/?q=phorm [theregister.co.uk]

unfortunately one of the Phorm directors is also in tight with the UK gov in an internet policy group
http://www.theregister.co.uk/2009/04/15/kip_meek_berr/ [theregister.co.uk]
and they have been hard to dislodge over there, although Brussels (EU) has also taken notice
(see parent)

so far, they seem to have been treated with suspicion and hostility over here in the USA by everyone AFAICT, which is probably a good thing

I'm just sayin'

How is lying about a redirection legal?

[Anonymous Coward]

If you look at http://en.wikipedia.org/wiki/File:Phorm_cookie_diagram.png , they are lying to the customer by claiming that a website has moved when it hasn't. As a website owner, I should be able to sue them if I have proof of such a fraudulent redirection. Why would opt-out be necessary or advisable under these circumstances?

Screw opt-out, the RIGHT solution is HTTPS!

[Anonymous Coward]

Opting out as a web site or user is just a lame attempt to avoid implementing the even simpler, and vastly more effective solution: MAKE YOUR WEB SITES ACCESS VIA HTTPS WITH SSL SECURITY FOR ALL PAGES, ALWAYS!

That way nobody can easily "man in the middle" attack your page content for any purposes of deep inspection, advertising, user profiling, invasions of privacy like 3rd party traffic logging, et. al.

Notice that I said "nobody can" versus "PHORM cannot" -- this would protect against ANY 3rd party snoopin

Re:

[shentino]

The problem is forking over $$$$ to verisign and giving them monopoly control of the internet.

I would rather be insecure than verisign's puppet.

Re:

[shentino]

And if DNSSEC was properly implemented across the board then we wouldn't even NEED to be wary of self-signed certificates to begin with.

If you can trust that the DNS pointed you to the right site, then you are as safe as you are using SSL.

Re:

[shentino]

Actually, DNSSEC only obsoletes the authentication portion of SSL. You still need its encryption to prevent MITM attacks, but sites that are properly authenticated with DNSSEC would at least be able to publish their own certificates.

My mistake...

Re:

[u38cg]

Hi. You appear to be under the impression that SSL is a magic bullet. I have bad news for you. If someone really wants to read your https traffic, they most likely already are: it's not that hard. And if you're an ISP, it's not exactly difficult to get hold of a legitimate certificate to do your MITM with.

I think a better approach would be to make damn sure that everyone involved in commercial activity understands that they should keep the fuck away from my data, encrypted or not.

Re:

[linuxrocks123]

Actually, the only significant problem with his proposal is that a high-traffic website would have significantly higher server processing costs if it had to encrypt everything. There are no known breaks for SSL right now, so it's highly unlikely anyone is reading your https traffic except the website on the other end of the connection. An ISP would certainly be able to purchase a certificate for itself, but that certificate would be useless for MITM because a legitimate certificate authority won't knowing

Re:

[u38cg]

What if your ISP is big enough to control a top-level certificate issuing authority? Or even easier, what if they supply your browser and add their own top-level certificate? If you work in a large institution such as a bank, this is exactly what happens. Right now, at my desk, if I connect to my bank's website, my employer can read my traffic. I'm the last person to descend into tinfoil hattery, but when it comes to encryption, there really are too many ways for it to go wrong for it to be a magic bull

Re:

[linuxrocks123]

If your ISP is, in effect, providing you with a hacked web browser, then, yeah, the people who use it are stuck. But, only those people: those who used their own browsers would object, some quite strenuously, to their ISP doing a man-in-the-middle attack on every SSL website, so that scheme wouldn't be workable in practice. Employers can (sometimes) get away with the antics they pull because they're paying you. I wouldn't visit my bank from work unless I were booted from a CD anyway (and that's against p

NoDPI complaint to the Financial Services Authorit

[AlexanderHanff]

Just a quick update for everyone. Today we have sent a letter of complaint to the Financial Services Authority (FSA) that Phorm's statement to markets this week that government regulators and departments support their technology as fully compliant with UK law - is misleading and possibly fraudulant.

I have added a link and summary to my firehose here:

http://slashdot.org/firehose.pl?op=view&id=4200429 [slashdot.org]

you can find the original article here:

https://nodpi.org/2009/04/17/phorm-protests-berr-says-we- [nodpi.org]

Re:

[AlexanderHanff]

Blacklisting Phorm's IPs will serve no purpose. The visits you see to your web sites will have the IPs of the ISP customers, Phorm then intercept these communications and copy the page "in transit". The only way to guarantee that your site will not be compromised by Phorm is to block all the IPs registered to the various ISPs that decide to deploy Phorm's technology.

The only other option is to use the Opt-Out mechanism that Amazon, WikiMedia and others have used; and then trust Phorm to honour that requ

Re:

[AlexanderHanff]

I should add that you can also block Phorm's technology by using SSL for all your web site pages. If you have a busy site however, you should be aware that this could cause a significant resources overhead.

Alexander Hanff