Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Dephormation]

Here's curious. BT customers, don't try this at home (because your UID/security credentials will leak to an American server operated by Phorm).

Add this line to your host file (either /etc/hosts on linux, or c:\windows\system32\drivers\etc\hosts. on Windows).

207.44.186.90 www.webwise.bt.com

This causes www.webwise.bt.com to resolve to its old US of A address. Now visit www.webwise.bt.com in your browser... tada! Its still there!

Hey welcome to dubyadubyadubya.webwise.bt.com, have a nice day now.

So while they changed the DNS, they didn't actually take the site down.

Anyway, sorry for that irrelevant interlude. I'm off to compose my letter to Ms Reding.

[jelv]

Quote:

Originally Posted by Dephormation

So while they changed the DNS, they didn't actually take the site down.

Which means that anyone who has the old IP address in their DNS cache will still be going to the old site!

Edit: Bet it disappears tomorrow as a result of the PhormPRTeam watching this topic (without logging in).

[BetBlowWhistler]

Quote:

Originally Posted by Dephormation

Here's curious. BT customers, don't try this at home (because your UID/security credentials will leak to an American server operated by Phorm).

Add this line to your host file (either /etc/hosts on linux, or c:\windows\system32\drivers\etc\hosts. on Windows).

207.44.186.90 www.webwise.bt.com

This causes www.webwise.bt.com to resolve to its old US of A address. Now visit www.webwise.bt.com in your browser... tada! Its still there!

Hey welcome to dubyadubyadubya.webwise.bt.com, have a nice day now.

So while they changed the DNS, they didn't actually take the site down.

Anyway, sorry for that irrelevant interlude. I'm off to compose my letter to Ms Reding.

wouldn't it have been easier just to put the ip into the address bar?

[Deko]

@ BetBlowWhistler

I imagine the site uses host headers to know what content to display, the IP itself does not work.

[Rchivist]

Quote:

Originally Posted by Hank

Disappointed eh? I bet she is. Probably a lot more than "disapponted" too!!!

Did BT mislead the ICO? You might very well say that my friend, but I... I could not possibly comment.

Hank

---------- Post added at 18:58 ---------- Previous post was at 18:39 ----------




Are you quoting the ICO / HO directly? Could they get away with questions about "Phorm" which refer to the time pre-their incarnation (i.e. when they were still 121media).

Hank

---------- Post added at 19:00 ---------- Previous post was at 18:58 ----------



Aye... and the reason they have failed so dismally is because there are soooo many more of us than they could afford to hire from PR agencies

In the battle for hearts and minds the ones on the right side of the law and "doing the right things" will win.

Hank

---------- Post added at 19:04 ---------- Previous post was at 19:00 ----------



I had this too (and I am with BT - it started last night on Facebook) browser loading but blank pages when complete - I had to refresh to get it to re-get the page. Most times that sorted it out. It happened about 6 or 8 times in an hour or two. About 8:30 to 10pm.

Hmmm, have we spotted something significant perhaps?

Hank

If you have the Dephormation Firefox addon, even if logging is off, as soon as that happens, leave the blank page as it is and then go to Firefox Tools - Error Console and the log will be on display and is copiable after you highlight the entries you want with a left click, and then get the copy option with a left click. Means you don't have to leave logging ON in the addon which is a bad idea because the logs get BIG.

Tomorrow I will finally post my ICO and Viviane Reding letters snail mail. Duty done.

[BetBlowWhistler]

Quote:

Originally Posted by Deko

@ BetBlowWhistler

I imagine the site uses host headers to know what content to display, the IP itself does not work.

Doh!

um, er, as I was saying, good article on the beeb about Virgin's spying antics (the author alludes to softening up their customers to be spied on too - phorm related comment?)

http://news.bbc.co.uk/1/hi/technology/7444390.stm

[Portly_Giraffe]

Apologies for the length of this post. Please comment on this critique for accuracy, let me know if I've missed any points or am making any spurious points. Or indeed if anything could be expressed more effectively. And typos of course. Thanks. PG.

Quote:

CRITIQUE OF THE ICO’S 31st MAY 2008 RESPONSE TO COMPLAINTS
ABOUT THE BT PAGESENSE/WEBWISE/PHORM TRIALS

ICO: BT have explained that two technical tests of a prototype advertising platform were conducted in 2006 and 2007. They have informed us that these tests were designed to evaluate the functional and technical performance of the platform. BT have confirmed that they sought their own legal advice before both trials.

BT have never disclosed who provided this legal advice, whether it was bona fide or what was in it.

Question 1: Why has the ICO does not asked BT for this information?


ICO: Where a purely technical trial is conducted that, in BT's view, is likely to have little or no impact on customers, they have advised that they would not generally seek consent from customers.

The first success criterion of the trials indicates that their purpose was to determine whether the installation, integration, and use of Pagesense/Webwise/Phorm would be transparent to customers. (Leaked report page 10, section 3.1, requirement 1.1). The success criterion for this was “No customer calls to helpdesk related to installation, integration & use compatibility issues of PageSense application with other applications”. So BT clearly expected that problems could arise.

Question 2: Will the ICO explain why they agreed that BT could act without consent from their customers if such problems were possible, let alone the fact that without such consent (and probably even with it) the trials were illegal under RIPA?


ICO: As they did not anticipate the trials would cause customers problems they did not brief their customer service helpdesks about them (hence the problems you experienced in getting advice from them at the time).

Although BT claim they did not brief their helpdesks, they clearly did monitor calls. 15-20 trialists identified the presence of the system and had a negative reaction. (Leaked report page 4, Executive Summary, Point 1).

Question 3: Will the ICO ask BT to explain how they identified these 15-20 users?


ICO: BT have told us that they did not associate your enquiry with the 2007 trial and as they were not able to identify individual customers that had participated (because of the anonymity of the process) . . .

BT appear to have been aware of the IP addresses of the triallists. (Leaked report page 45, under the heading "IP addresses seen through the Proxy Servers – obscured in the leaked copy of the document but present in the original).

Question 4: Will the ICO explain how their statement that BT “were not able to identify individual customers that had participated” is consistent with the leaked report?


ICO: . . . they were unable to get back to you. They have advised that they attempted to contact you after you had expressed concerns online at 'The Register' however they were apparently not successful.

The complainant says that BT logged support, abuse, and customer service records in his name and was always available to be contacted. In his own words: “Was the line constantly engaged? Did they not know my phone number or address? I was a god damn BT customer! Of course they had my contact details.”

Question 5: Why has the ICO accepted BT’s assurances apparently without question when they appear to contradict the triallist’s experience?


ICO: Finally, BT have confirmed that no personally identifiable information was processed, stored or disclosed during either trial. We have no reason to doubt this assertion. Where no personal data is processed the Data Protection Act will not apply.

BT appear to have been aware of the IP addresses of the triallists (see above).

Data in the BT trials was processed at sysip.net, a domain operated outside the BT network, and indeed outside the EU, by adware company 121media, whose products were categorised as malware by at least three reputable anti-virus companies.

Question 6: Why does the ICO accept BT's assurances that no personally identifiable information was processed, stored or disclosed during either trial when it appears that they were and indeed the whole point of Phorm/ Webwise is to do just that?


ICO: As we discussed when we spoke the issues that we have considered in this case relate primarily to the requirements of Regulations 6 and 7 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Regulation 6 requires that where an organisation is using an electronic communications network to store information, or gain access to information stored, in the terminal equipment of a subscriber or user, the subscriber or user should (in most cases) be provided with 'clear and comprehensive' information about the purposes of the storage of, or access to, that information, and the opportunity to refuse the storage of or access to that information. In other words, if an organisation collects information using cookies they have to tell people about that, and advised them how to prevent operating.

… however it is our view that Regulation 6 would likely to apply. BT’s view is that as the 2007 trial was small scale and technical in nature and no adverts were served, it would have been difficult to frame any advice for customers about the operation of cookies, and obtain any relevant consents for the processing of traffic data, with a wording that they would have any resonance at all for their customers.

The leaked BT report states that the 2006 trials of Webwise/Phorm involved a userbase of approximately 18,000 customers with a maximum of 10,000 online concurrently. The document states that the planned userbase for their phase 2 testing (presumably the 2007 trials) was 350,000.

Question 7: How big does the level of interception have to be before the ICO will act?


ICO: Our view is that, whether or not there was a technical breach of the Regulation, there is no evidence that the trials generally involved significant detriment to individuals involved (although we acknowledge – as have BT – the problem you flagged) or privacy risks to individuals.

The trials involved interception, reading, recording and in some cases alteration of messages sent between internet users and the websites they accessed. Data in the BT trials was processed outside the EU, by a third party few technically aware users would have trusted had they known they were involved.

Privacy laws exist precisely because the detriment of intrusion is not always measurable in purely economic terms.

Question 8: Will the ICO explain whether they are now only interested in cases where economic loss can be demonstrated?


ICO: On this basis, and taking into account the difficulties involved in providing meaningful and clear information to customers (the vast majority of whom were likely to be completed unrelated to the anonymous technical trial) in this case, this is not an issue we intend to pursue further with BT.

In other words because it was difficult for their Webwise/Phorm trials to obey the law, the ICO says it will allow BT to break it in this case.

Question 9: Does that mean that the ICO will allow any ISP, telecoms provider or postal service to carry out a similar scheme if its operation is sufficiently opaque?


ICO: However, as we discussed when we spoke I understand you were considering the options available to you in terms of pursuing this matter further yourself. As I mentioned briefly on the telephone, Regulation 30 specifies that a person who suffers damage by reason of a contravention of any of the requirements of the Regulations by any other person can make a claim for compensation for that damage.

If you believe you have suffered quantifiable damage as a result of a breach of the Regulations and are considering pursuing this matter you should seek your own legal advice.

Question 10: What purpose does the ICO serve if it is unable or unwilling to uphold the criminal law?

[SelfProtection]

Anyone still using the Windows Safari Browser please look at this link:

http://www.theregister.co.uk/2008/06..._bombing_demo/

[Rchivist]

Quote:

Originally Posted by BetBlowWhistler

Doh!

um, er, as I was saying, good article on the beeb about Virgin's spying antics (the author alludes to softening up their customers to be spied on too - phorm related comment?)

http://news.bbc.co.uk/1/hi/technology/7444390.stm

I like the bit about the WPAA trying to sue laser printers. Alex - could you disguise yourself as a laser printer this way next time you put something on noDPI that BT don't like?

[Dephormation]

Quote:

Originally Posted by Portly_Giraffe

Apologies for the length of this post. Please comment on this critique for accuracy, let me know if I've missed any points or am making any spurious points. Or indeed if anything could be expressed more effectively. And typos of course. Thanks. PG.

Some other thoughts;

• BT made no attempt to measure the economic impact on customers (how could they? it was done secretly and anonymously). The ICO simply accepted their assurance that there was no economic impact. The value of privacy/security is intangible; it is priceless. I don't recall reading an economic threshold in the DPA.
• BT didn't do an adequate risk assessment, they didn't even warn customers, or the Home Office. In the process BT would have profiled people who for personal reasons, or career reasons, might have been placed in jeopardy. ICO have ignored this, claiming it would have been too difficult to communicate to customers.
• ICO have not consulted with independent IT experts, or conducted an independent investigation. They even go as far as saying; "We've worked with BT and Phorm and we are not going to take any punitive action at this stage" which is hardly independent regulation at its finest.

So many things. So many many things.

Richard Thomas must resign, before he allows this outrage to happen again.

And BT must be prosecuted.

Quote:

Originally Posted by Portly_Giraffe

Apologies for the length of this post. Please comment on this critique for accuracy, let me know if I've missed any points or am making any spurious points. Or indeed if anything could be expressed more effectively. And typos of course. Thanks. PG.

Re the point above Q7 '...and no adverts were served'. Isn't this a downright lie, according to the leaked report?

[Rchivist]

Quote:

Originally Posted by Portly_Giraffe

Apologies for the length of this post. Please comment on this critique for accuracy, let me know if I've missed any points or am making any spurious points. Or indeed if anything could be expressed more effectively. And typos of course. Thanks. PG.

Done via PM

---------- Post added at 21:40 ---------- Previous post was at 21:07 ----------

Quote:

Originally Posted by JohnHorb

Re the point above Q7 '...and no adverts were served'. Isn't this a downright lie, according to the leaked report?

The leaked report is about the 2006 trials. We haven't located the leakable report on the 2007 ones yet. But there's still time....

[Florence]

BT not even made the shareholders aware of the DPI or nature of this according to my email today. since BT products run into the thousands..

Would it be good if more send the questions to ICO to give them more to consider.

[Dephormation]

Been looking back over some of the blog posts, recapping material for a very detailed complaint to Ms Reding. To melancholic Amy Winehouse music*.

Its like looking back over a verbal battlefield, strewn with casualties, foul acts of treachery, famous victories, and heroism.

I'm proud to have been a small part of it (whatever the outcome).

Sorry, back to the letter writing.

*Update, got a grip now, THE CLASH: I FOUGHT THE LAW now ringing in my ears, BT Directors would like it

[Rchivist]

Quote:

Originally Posted by Florence

BT not even made the shareholders aware of the DPI or nature of this according to my email today. since BT products run into the thousands..

Maybe it is because it would be too difficult to explain? So they don't need to?