Blackbeaks Blog….All things Analytics

Oh good another Blogger would can’t be bothered to check properly.

He doesn’t know that every scrap of info has to be mirrored in order to decide which bits we want & which we may be able to sell to others later.

All we have to do is tweak the box when BT are not looking!

With respect, I think you have missed the main point completely. Let me explain ..
I do not want all my phone calls intercepted and listened to by unknown 3rd parties.
I do not want all my snail mail opened up and examined by unknown 3rd parties.
I do not want my all my browsing habits examined by unknown 3rd parties.
Is that clear enough for you?

I really think you should go and read the patent for this, read the proffesional people like Dr Richard Clayton’s http://www.lightbluetouchpaper.org/

This does not just place a cookie to watch where you go it actually pretends to be the website you visit to forge the cookie, then mirrors everything you see on your screen it is lke the postman opening up your letter to read then give you junk mail to fit into keywords in the letter.

The other way to describe what can happen is it is like having a stalking following you everywhere you go knows what you see knows where you have been you have no privacy..

The Phorm system is nothing like the google or double click targeted ads. If it were, there would be no objection.

There is no opt out, subscriber data is still passed to Phorms profiler.

In short: All things Analytics, sans analysis.

You are unfortunately very mis-informed…

Please visit http://www.nodpi.org for the facts.

When you say: “My opinion is that BT have made a monumental PR blunder (I mean the kind that can go down in history as how not to do it) but nothing more.”

You miss the fact that what they did is actually against the law!

If we allow what they did tocontinue it IS the same as people opening all your letters to decide on a better class of junk mail for you to be sent. They can see and read ALL your letters when they do that.

It’s a joke to try and make this seem less significant than it is. 18,000 customers, spied on (really) without being asked. That is not right.

Don’t forget the man behind it all: Serach the interenet (or Symantec virus definitions or F-Secure virus definitions)

Kent Ertugrul
121Media (now Phorm)
Spyware/Adware/Rootkit

Rootkit = hide adware program on a user’s PC

Kent = Adware = Invasion of privacy = wrong

Nothing to hide here, I’m no criminal or terrorist. Nothing to hide except my own private life (do I want to be profiled? No thanks)

Read more. Spout less until you do please.

Write to your MP, Sign the Downing Street Petition (number 3 or 4 in the top ten I think at 14500+ signatures?)

There is so much to fault in your blog that it is impossible to do it in a comment; so I will make only these points:

1. Using Deep Packet Inspection technology for the purpose of behavioural advertising in the EU is illegal. There are no if’s or but’s, it is clear legal fact and is based around consent issues. It is impossible to get the consent of all parties as required given that the Internet consists of billions of web sites. There is currently no way Phorm can be legal using DPI and in fact since the EU decided to emphasise informed consent even more in recent regulations, it is unlikely this situation is going to change.

2. There are plenty of methods available for collecting the same data without requiring the use of such intrusive technology. If Phorm are so confident that people want this product they should develop LEGAL client side software (as in -not rootkits- as they did in their previous incarnation as 121Media). That way people would have a clear understanding and a clear choice. Building an entire 21st century network topology based on interception of communications is a ridiculously dangerous path to go down (which is why it is illegal).

3. You may not value your privacy. You may be happy for 3rd party equipment to sit in the network between yourself and the Internet and read every single piece of unencrypted data you access/send over the web, that is fine and you are entitled to that position. Many of the rest of us however value our rights and frankly we find it offensive that a former spyware (or any other) company feel they have the right to steal what the police and law enforcement authorities must obtain a warrant for.

4. Privacy is an inalienable and fundamental Human Right covered in Article’s 7 and 8 of the European Convention on Human Rights 1950, Human Rights Act 1998, Regulation of Investigatory Powers Act 2000, Privacy and Electronic Communications (EC Directive) Regulations 2003, Data Protection Act 1998. Furthermore, the covert trials in 2006/2007 and the planned deployment of the current model are in violation of Fraud Act 2006, Computer Misuse Act 1990, Torts (Interferance with Goods) Act 1977 and Copyright, Designs and Patents Act 1998.

In conclusion, whether you think it is OK or not is wholly irrelevant, it is in violation of both criminal and common law and as such BT should be prosecuted for their covert trials in full and Phorm should be be prosecuted for conspiracy under the same. Also, Phorm’s “services” should be banned in their current form as they are in violation of criminal and common law; and believe me, once we manage to initiate a case in the courts an injunction to prevent Phorm from deploying in the UK will be filed for.

Alexander Hanff

OMG, you have clearly misinterpreted the entire Phorm Saga.

A few points:

1/. Tracking Cookie: It is NOT a Tracking Cookie, it is a Cookie which acts as a UID which links the user to a profile using ‘Devine Intervention*’ (*that is you accept Phorms explanation of how it works).

The UID will be used each and EVERY time you visit ANY* Website to create a profile of what you have been browsing. (excluding SSL Encrypted Sites)

2/. PII: You say “It’s probably legal because personally identifiable information is not collected…”.

The Papers for the Trials in 2006 Prove without a doubt that the IP Address was used to track back to the user.

The EU have ruled that an IP Address IS Personally Identifiable Information. Therefore, your conclusion is inept at the very least.

3/. Opt-in part 1: You say “Some sources say this was illegal but if BT have illegally conducted tests to people who hadn’t somehow opted into WebWise or something similar then they would have to be incredibly stupid.”

The 2006 Trial Papers clearly indicate that BT tried to ensure that NO Customer were aware what was happening.

Additionally BT have ALREADY confirmed that they did not offer any Opt-out, nor any other information, to the Trialed Customers.

To summarise this point, you say “… they would have to be incredibly stupid.” I will not comment on your conclusion.

4/. Opt-in part 2: You say “The ability to opt-in and opt-out probably makes the service legal.”

Firstly, this implies two things under DPA:

i) The User is aware fully of the system and makes an informed decision.

ii) Phorm are 100% sure that User is fully aware and can subsequently assume applied consent in the absense of Consent.

Firstly, if every User was given all the information about the system, the user would say no and Opt-out. This has been proven in poll after poll regarding this subject.

Secondly, Phorm cannot consider consent in the absense of consent due to the nature of the browser in question. Why? It is against the Law in Europe to gain consent from a minor, and the likelyhood is that the individual using the PC is a minor. Therefore it would be foolish, to say the least, to assume consent in the absense of consent.

5/. IP: You say “You can never go beyond IP address to find out who is being tracked and the IP address might give a general location (like city) but that is about as close as it gets.”

This is a unique circumstance, whereas the Company is working very closely with the ISP. You cannot, as I cannot, prove or disprove, at this time, that Phorm have access to more information based on the user, from the IP.

@all;
Thank you for the comments which I have tried to answer from my perspective. I understand that feelings run strong and haven’t edited anyones posts. But I would ask that we try to keep this discussion civil if indeed you want to continue it. Thanks.

@Phorm (anonymous)
I read the document (PDF) that Dr Clayton wrote and I understand it fully. I double checked the facts and understand your point but don’t see why that is a bad thing as there is nothing personal about it.

@Gemma
With respect I agree but I don’t think BT have the capacity to do what you suggest by using Phorm. They do not know who “you” are, can’t open your snail mail with phorm or tap your phone calls. As I understand it they are taking “aggregate data” about behavior not examining what individuals do.

@Florence
Again I fully understand your concern. But I don’t really think it is like the postman opening your letters to give you junk mail about what you’re interested in.

It’s more like the local city store stocking stuff that you and your entire city might find useful based on what everyone in the city is doing.

@Anon;
As I understand it it’s simply a case of opting out of webwise. This is not difficult to do according to BT.
(http://webwise.bt.com/webwise/help.php)
If as you suggest the information is still passed to Phorm after opt-out then this is something I have missed and could find no information about. Not in Dr Claytons document, on BT’s site or any other source.

@John
Public based routing is used by ISPs all over the world for a variety of reasons for decades. Phorm is another version of this methodology. Deep packet technology and PBR can be used legally in the EU as long as it follows the regulations set out in the laws that Alexander mentions.

@Alexander;
As I said I am not a lawyer but as I understood it there was no law that said you couldn’t use PBR technology for behavioral advertising purposes IF all the content partners have opted into Phorms service. This according to Dr Clayton is how this service reputedly works. I quote;
“Early speculation about the Phorm system suggested that it added adverts to web pages, or replaced them “on the fly”. This is not what happens, the specially targeted adverts only appear on participating websites.”

However this is the part where I have to hold up my hands and say I am not sure. I am not a lawyer. If this is the case and what has been done by BT is illegal then I retract my statement about disagreeing with Dr Clayton regards prosecution. It then becomes a far more serious matter. However the documentation I have read does not say this anywhere.

@Privacy_Matters:

The EU have not ruled that IP addresses are personal identifiers. It’s been discussed but it is not a ruling. There would be major implications if IP addresses were ruled personally identifiable and this is not the case. Therefore I will disregard the comment about my inept conclusion as simply a strong opinion. The other comments, largely I agree. BT would have to be stupid and if they have broken the law then they should be prosecuted but I think the matter is not as cut and dry as everyone seems to think.

Please continue….

If I wished my internet intercepted, mirrored, keywords gathered then I would still say no to this method. Give me a place on my ISP to fill in my interests, what I might buy, what cars I like etc do not spy on my surfing. I actually help in a public forum and many times search for information to help these members. This is 90% of the time nothing I have interests in I am just helping them find answers why would I want adverts. I actually block all adverts so Phorm has nothing to offer me. Phorm has the ability to mirror https pages and only have the company word they will not… The post office has had times when post hasn’t got through due to temptation and people who couldn’t resist. Putting phorm on the network is putting temptation at ISP level for anyone who has the mind to use this for their own gains.
The patent for phorm does show it can gather IP numbers.
Phorm does break rules intercepting the connection between myself and a website. Website owners will most likely not like the fact it mirrors their site forges cookies and then selects adverts from their site to direct them to other websits that are in the OIX platform.

On no account should an ISP charge a customer, limit downloads then sell the clicks for profit.

@Florence;
Phorm doesn’t have the ability to mirror HTTPS requests. HTTPS is encrypted. Phorm could only mirror the encrypted information which is largely pointless.

SSL is not something that BT or Phorm can affect, https certificates are issued by 3rd parties such as Verisign - that is why it is secure. If you have https requests phorm can’t read them. It’s that simple.

More information here

I get your point about temptation, but as a phorm employee or an employee working for BT based on the current description of the technology from Dr Clayton I can’t see how they would ever be able to identify you as a person. All they will have is a cookie ID that points to a dynamically generated IP address which at best will give them the location of your city.

If it were personal identification I would be as strongly opposed as you but it appears to me that it is not.

A comment was made earlier about the cookie ID being tracked across multiple websites. In my opinion it doesn’t matter as long as the individual behind the IP address can’t be identified. It’s just more huge amounts of data that phorm and BT have to deal with and it’s much more difficult to locate individuals in the aggregation of huge amounts of data.

Your point about website owners resisting the mirroring is valid but according to Dr Clayton they have all opted in (to receive ads) so that BT can serve better adverts on their sites. Only sites which agree to the ads are subject to the Phorm technology. Of course Phorm mirrors everything but why should a site owner care if their site or user experience is not effected? Phorm re-directs appear to the end user in a very similar way to current DART or other advertising technology, fast and pretty seamless for the end user. If for instance CNN had not allowed the Phorm tags to be placed on their site they would not receive any Phorm adverts.

Every argument I’ve heard seems to me to stem from very bad BT practice in their openness and transparency rather than flouting the law. If as Alexander suggests they have broken the law then they should expect the full punishment of the law. However when I see that the regulatory bodies such as the ICO have not seen a need to push it further then I am skeptical that BT or Phorm are doing anything illegal. The ICO have a good record in defending personal information.

You’ve misunderstood a lot about Phorm, but one paragraph hit my button;

“there was no law that said you couldn’t use PBR technology for behavioral advertising purposes IF all the content partners have opted into Phorms service.”

That’s one important bit you’ve missed.

Phorm ignored during trials in 2006/7 (and continues to ignore) the rights of Copyright owners.

I’ve created a 60 sec ‘infotainment’ animation that explains all here;
http://www.dephormation.org.uk/video/copyright.wmv
also on you Tube
http://www.youtube.com/watch?v=w08568bkQK0

Phorm (in its present incarnation) cannot be operated legally under copyright law… as well as all the other offences highlighted by Alex.

And when you consider they’ve already operated such software not once but twice, I’m afraid I can’t share your confidence that no crime has been committed.

In fact, I’m quite confident that the opposite is true and people involved must go to prison.

Pete

“Every argument I’ve heard seems to me to stem from very bad BT practice in their openness and transparency rather than flouting the law…”

yes you have an interesting POV, you as an industry person know, and can sense a good thing when you see it OC, and again , if no case has come up in the courts to be challenged that too makes it fine, its legal.

stanford too has that same keen sense , you know of him i assume ?, a well respected high ranking Uk Top Executive that couldnt be touched as he had the gift

‘Stanford was the founder of the ISP Demon Internet in 1992 but sold it to Scottish Telecom for £66
million in 1998.

It is reported that Stanford made £30 million from the acquisition. Shortly afterwards Stanford was a co-founder of the co-location and data centre company Redbus Interhouse…..”

http://www.lawdit.co.uk/reading_room/room/view_article.asp?name=../articles/Cliff%20Stanford.htm

Thank you for the replies Mr. Blackbeak!
Obviously this is a very emotive subject for a lot of people . feelings are running high in many places!
I agree that BT/Phorm cannot open my mail or tap my phone (I hope?!?) .. but I think my analogy is still the right one! It’s still ’snooping’ of the most intrusive kind .. and once it is implemented, it will, I fear be impossible to remove.
I don’t give a damn about the ad’s being there .. I ignore them anyway for the most part .. that is not, and never has been an issue for me.
Sadly I think it is already too late .. Big Brother is already here, and doing very nicely thank you!

” [b]Hitwise [/b], … and others have been collecting data from ISPs for years.

The manner in which they [b] have used the information is different [/b],
they aren’t using it to specifically serve ads to people, they use it to show Internet demographical and behavioral patterns but their panel sizes are similar and similar data is aggregated.”

ohh yes, “Hitwise” now owned by the No1 Uk Credit Reference Agency (CRA)
[b]Experian [/b]
( the largest of the 3 main ones) used for every single check any company in the world makes on YOUR Credit and related scores.

the very same CRA that all the Banks, BS’s and Broadband companys use, the so called 3B’s that keep the UK’s data flowing and feed YOUR *private* data , (note thats Provate NOT just personal) data into the corporate money making machine….

you might not have know this but “Experian” the CRA also use Deep Packet Interception devices, and hope to also install this same DPI in the ISPs internal UK wide networks (if they havent already..)

so YOU can look forword to having all your most interesting intercepted internet datastreams and their “derivative works” appearing in your Credit Reference file’s sooner than you might think.

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article3688387.ece
Experian to track net users.

@ Captain Blackbeak.
You said :-

https certificates are issued by 3rd parties such as Verisign.

You should read this :-

http://www.theregister.co.uk/2008/06/13/security_giants_xssed/

You say “it’s probably legal because personally identifiable information is not collected and the service can be opted out of”, but this not-entirely-accurate portrayal addresses the narrow issue of Data Protection Act compliance. It doesn’t even start to address the other laws that the Phorm scheme breaks.

You then suggest that the secret trials in 2006 didn’t break the law because BT are nice chaps really. Unfortunately despite their inherently sunny disposition, they quite clearly broke the law on interception back then, exactly as they will in future trials. Furthermore, because they didn’t seek any permission, then even on your analysis, they infringed the Data Protection Act.

You say it will be a waste of money to prosecute BT. I disagree. We generally expect large companies to obey the law, and generally they do. However, when they so obviously flout multiple laws in search of financial gain, then as a simple matter of public policy it is important to ensure they are taken to court. The punishment is not the relevant issue: it’s the “to encourage the others” aspect that makes it essential to make an example of them.

You’re also mistaken about the way the police tackle child molestors. Furthermore,the DPA has limited relevance and it’s the Regulation of Investigatory Powers Act that applies.

Finally, you’ve clearly read my technical material on Phorm. You should also read FIPR’s legal analysis:
http://www.fipr.org/press/080423phorm.html

Thank you Dr Clayton for presenting the legal documentation to me.

Firstly on the DPA point. If BT have not acted transparently and did not seek permission for the trials or trial with folks who were opted in to Webwise already then they have clearly broken the law and as I already commented should be prosecuted to the full extent of the law. I agree on that and find it incredibly stupid of BT to undertake an operation like this after seeking legal advice as they stated.

I defer to the legal analysis of Nicholas Bohm and retract (though I’ll leave the full original post here for the record) my previous comments. I now agree that a full investigation should be carried out.

If laws have been broken then I agree with you that BT should be prosecuted on your second point for all the reasons you mentioned.

My understanding without any evidence to the contrary (indeed the Home Office/ICO seemed satisfied) was that section 18 of Nicholas Bohms’ document was satisfied. I refer to this section:

“RIPA s3 is relevant to whether that interception can be lawful. RIPA s3(1) makes it lawful if the interception has the consent of both sender and recipient (or if the interceptor has reasonable grounds for believing
that it does).”

My understanding based on your document was that this was satisfied by getting consent from both the consumer and the advertising network.

You state you are not a lawyer so lets leave the legal arguments to the lawyers. The reason I’m writing is that you also seem to be saying that any attempt to hack the Phorm system would be fruitless and any sugestion of such would be scaremongering.

Well have you considered that the Phorm kit makes use of redirects as an integral part of it’s operation? In order to read and manipulate cookies accross domains, the Phorm system redirects users up to three times per request.

Would it not be a rich target for cyber criminals to hack the phorm system so that non-encrypted requests to online banks are quietly diverted to phishing sites? These could then provide a link to the “secure” online banking that would of course have a valid certificate but would not be the right domain. Rich pickings for cyber criminals.

I have spent nearly 7 months researching Phorm, from before launch was announced, liaised with many people regarding the technology and I find it worrying you are making these statements when to all the technologists I’ve met agree that the system is intrusive and open to abuse in several ways.

Thanks all for your comments and this very interesting open debate. You changed my mind because I believe you were right.

Take a look at this article