Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Tharrick]

Well then. I'll be contacting them as soon as possible.

[Bonglet]

They cant auto renew anything without your signature.

[Tharrick]

That's what I thought - surely if I haven't signed anything they can't claim that it's valid?

[Tarquin L-Smythe]

Talk Talk forum here
http://www.talktalkmembers.com/forum...?t=740&page=18

[pseudonym]

Quote:

Originally Posted by tarka

Confirmed, when clicking the opt in link I do see a similar cookie for a.webwise.net (i'm with BT). Interestingly, the opt out link just goes to the home page. To confirm that the opt out link wasn't doing anything at all I tried leaving the cookie in place then clicking the opt out link but after being sent to the home page the cookie remained, presumably leaving me opted in.

I also tried visiting a.webwise.net/services/ and got a 404.

The ISP check is carried out from the home page :- http://www.webwise.com/index.php

If you look on the left hand side it should say:-

"The Webwise feature
is not available
at this time."


The opt-in and opt-out are on separate pages


OPT-IN = http://www.webwise.com/privacy/opt/in.html

OPT-OUT = http://www.webwise.com/privacy/opt/out.html

Bypassing the homepage and using either these links works for me (I'm not with one of the Phorm Three)

The opt-out link deletes the UID cookie and creates the opt-out cookie "OPTED_OUT=YES".

Quote:

{Firephorm} Blocked Master cookie (http://a.webwise.net/services/OO?op=...om%2Findex.php)

Phorm Master Cookie: "uid=na; expires=Sat, 4-Aug-2007 20:50:26 GMT; path=/services/
OPTED_OUT=YES; expires=Tue, 3-Aug-2010 20:50:26 GMT; domain=.webwise.net; path=/"

I believe they "fixed" the opt-in/opt-out script to check referrer a few months after I mentioned the remote opt-in issue over on ISPReview - So directly accessing the actual opt-in url http://a.webwise.net/services/OO?op=in without spoofing referrer will give an error - I guess people who block referer wouldn't want to opt-out anyway.

[Florence]

Quote:

Originally Posted by phormwatch

http://stevenimmons.org/blogs/steven...ne-advertising

Possibly the same http://www.linkedin.com/in/snimmons

more from the PR guys

---------- Post added at 22:34 ---------- Previous post was at 22:32 ----------

Quote:

Originally Posted by Bonglet

They cant auto renew anything without your signature.

I signed once for BB wich was fitted 20th July 2000 once 12 months are up they auto renew but monthly or mine was unless T&C have changed to extend it to 12 months again as some of BT's do.

[SelfProtection]

Quote:

Originally Posted by pseudonym

The ISP check is carried out from the home page :- http://www.webwise.com/index.php

If you look on the left hand side it should say:-

"The Webwise feature
is not available
at this time."


The opt-in and opt-out are on separate pages


OPT-IN = http://www.webwise.com/privacy/opt/in.html

OPT-OUT = http://www.webwise.com/privacy/opt/out.html

Bypassing the homepage and using either these links works for me (I'm not with one of the Phorm Three)

The opt-out link deletes the UID cookie and creates the opt-out cookie "OPTED_OUT=YES".



I believe they "fixed" the opt-in/opt-out script to check referrer a few months after I mentioned the remote opt-in issue over on ISPReview - So directly accessing the actual opt-in url http://a.webwise.net/services/OO?op=in without spoofing referrer will give an error - I guess people who block referer wouldn't want to opt-out anyway.

So if BT actually test Phorm again & they still use these Web links, could any Web Server redirect the client & either log them out of BT Webwise or actually log then in when they are logged out!

[phormwatch]

Quote:

Originally Posted by Florence

Possibly the same http://www.linkedin.com/in/snimmons

more from the PR guys

---------- Post added at 22:34 ---------- Previous post was at 22:32 ----------


I signed once for BB wich was fitted 20th July 2000 once 12 months are up they auto renew but monthly or mine was unless T&C have changed to extend it to 12 months again as some of BT's do.

I don't think this one is definitely one of Phorm's PR guys - the blog isn't really pro-behavioural targeting anyway.

[pseudonym]

Quote:

Originally Posted by SelfProtection

So if BT actually test Phorm again & they still use these Web links, could any Web Server redirect the client & either log them out of BT Webwise or actually log then in when they are logged out!

Not now Phorm have changed it to check referrer - unless someone finds a browser/ add-on flaw that allows them to spoof the browser's referrer - it used to be possible to spoof referrer using Flash, but that was fixed in recent versions.

Having read R.Clayton's analysis, I've an idea or two about other potential issues, but we won't know unless or until Phorm goes live so I'm in no hurry to find out if I'm right. And given all the delays, they've had plently of time to review their code and fix any other oversights.

[SelfProtection]

Quote:

Originally Posted by pseudonym

Not now Phorm have changed it to check referrer - unless someone finds a browser/ add-on flaw that allows them to spoof the browser's referrer - it used to be possible to spoof referrer using Flash, but that was fixed in recent versions.

Having read R.Clayton's analysis, I've an idea or two about other potential issues, but we won't know unless or until Phorm goes live so I'm in no hurry to find out if I'm right. And given all the delays, they've had plently of time to review their code and fix any other oversights.

I'm not in any hurry to find out either, just checking the possible problems & options.

[Rchivist]

Quote:

Originally Posted by lucevans

Sorry my post last night may have been a bit confusing: I actually went out of my way to see if I could get the webwise website to place a Phorm cookie on my system via my Virgin Media cable connection as follows:

I had to navigate through pages of badly-linked stuff on the site, but eventually got to the following page:

http://www.webwise.com/privacy/opt/in.html

where I clicked on the link called "Switch ON Webwise".

This dropped a cookie on my system called uid with the path /services and an expiry date of 4th August 2009.

The content of this particular cookie (which I have since deleted) was ZrUyKoAJTTeD6iXeivlOpA|| which I believe adheres to the format outlined in Richard Clayton's paper (Quote:"Phorm told us that the UID which is allocated to the user is a 16 byte value chosen at random. That is to say it is just a number. It is not, for example, an encryption of some data that might later be decrypted. The actual value sent on the wire will be base-64 encoded, so it will be seen by humans as a 22 character string.")

The website that my browser (Safari) attributed to this cookie was a.webwise.net

All this was done over a Virgin Media cable connection via cpc1-pete8-0-0-custxxx.pete.cable.ntl.com

I hope this clarifies things for those who were worried.

That drops a similar uid cookie on my machine too if I "opt in"
Content: 7oKkf/UOR/+7bpcdPKXaMg||

I'm a BT customer.

---------- Post added at 23:27 ---------- Previous post was at 23:19 ----------

Quote:

Originally Posted by davews

Do you mean you are proposing changes to the already existing page on BT Total Broadband - on the URL you mentioned. That article has been there for a long time and has gone through quite a few changes, although not much in the Phorm/Webwise days. Surprisingly it is not even linked from the Phorm WP page, guess I can soon sort that out.

I have done a lot of editing on Wikipedia over the past couple of years. The normal rule applies - be bold and put in your changes and see what happens. But always to remember to follow Wikipedia policies and you will soon get put in your place if you start stating strong points of view or claims not backed up by authoritative references. I suspect a simple paragraph stating they have recently been involved in Phorm/Webwise and a link to the Phorm article will be enough, anything more will probably get stamped on. I know, I have been through all that, you soon find your place there...

Yes I thought a small extra paragraph about the same length and style as the one on throttling/p2p. Seemed appropriate. And yes - most of the point would be to generate links to Phorm/Webwise articles. The article has none at the moment.

[madslug]

Quote:

Originally Posted by pseudonym

The opt-in and opt-out are on separate pages

OPT-IN = http://www.webwise.com/privacy/opt/in.html

OPT-OUT = http://www.webwise.com/privacy/opt/out.html

Bypassing the homepage and using either these links works for me (I'm not with one of the Phorm Three)

It must be my browser spoofing that messes up something in the scripts (the actual browser is not on the accepted list)

Code:

Request #286
GET http://a.webwise.net/services/OO?op=in&success_url=http%3A%2F%2Fwww.webwise.com%2Fprivacy%2Fopt%2Fin-confirm.html&fail_url=http%3A%2F%2Fwww.webwise.com%2Findex.php&already_url=http%3A%2F%2Fwww.webwise.com%2Findex.php
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Accept-Charset: utf-8;q=0.9,utf-16;q=0.5,ISO-8859-1;q=0.7,*;q=0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Response #286
Status 403; http://a.webwise.net/services/OO?op=in&success_url=http%3A%2F%2Fwww.webwise.com%2Fprivacy%2Fopt%2Fin-confirm.html&fail_url=http%3A%2F%2Fwww.webwise.com%2Findex.php&already_url=http%3A%2F%2Fwww.webwise.com%2Findex.php
Server: Apache
Connection: close
Date: Sun, 03 Aug 2008 22:28:08 GMT
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
P3p: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"

I can visit the success_url. Browser gives me the same message I see on the home page: "line 179:Null value" which I assume is the ISP sniffing or some other testing.

However, if I use Safari as a browser, I do get an a.webwise.net cookie for opted in but a .webwise.net cookie for opted out. And I am not on the phorming three either.

Conclusion: Not all browsers are equal, even when you spoof them to be an accepted browser through the useragent.

[isf]

Quote:

Originally Posted by phormwatch

http://stevenimmons.org/blogs/steven...ne-advertising

More comedy featuring web 3.0, even the semantic web makes an appearance. It's like 2002 all over again, these guys really should go and read Shirky.

http://www.shirky.com/writings/semantic_syllogism.html
http://www.shirky.com/writings/ontology_overrated.html

Quote:

The backlash against Beacon and public meetings over Phorm indicate that the consumer must not be rushed. The Internet has an almost unique position in modern culture, for many a last bastion of escapism. We are profiled regularly in ‘real world’ retailing, resistance to which has largely faded, but Internet anonymity will not be easily surrendered. Trust, data security and privacy must be addressed with users and not ‘in spite of them’. The key sell is advertising ‘as content inline with user experience’. Enriching and non-interruptive models coupled with Semantic Web and Web3.0 herald an exciting future for the industry and Internet community.

Is this another futile attempt to broaden the discussion? I hope that's not a hidden assumption that the consumer should accept illegal interception if only they weren't rushed? I'm certainly not profiled in real world retailing, I have no loyalty cards and only gave in and got a credit card to make online purchases. There's no comparison to what Phorm want to do.

[madslug]

Quote:

Originally Posted by Tharrick

That's what I thought - surely if I haven't signed anything they can't claim that it's valid?

Utilities work on verbal contracts (recorded phonecalls) - hence so much slamming before the sales forces sorted themselves out. And why utilities write to you to confirm that you are moving to a different supplier.

Most contracts have some clause which includes an 'auto renewal'. It protects users from being disconnected on the last day and having to pay for reconnection. Usually the renewal will be on a much shorter notice period, like one month. BT however works in 12/18 month contracts and charges for any unused portion if you ignore the need to give a minimum one months notice before the end of the contract if you don't want the auto renewal on original contract terms. If you read the small print on BT's special deals, there is a right mix of 1/12/18 month contracts for packages that 'renew' and look very similar.

[pseudonym]

Quote:

Originally Posted by madslug

It must be my browser spoofing that messes up something in the scripts (the actual browser is not on the accepted list)

Code:

Request #286
GET http://a.webwise.net/services/OO?op=in&success_url=http%3A%2F%2Fwww.webwise.com%2Fprivacy%2Fopt%2Fin-confirm.html&fail_url=http%3A%2F%2Fwww.webwise.com%2Findex.php&already_url=http%3A%2F%2Fwww.webwise.com%2Findex.php
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Accept-Charset: utf-8;q=0.9,utf-16;q=0.5,ISO-8859-1;q=0.7,*;q=0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Response #286
Status 403; http://a.webwise.net/services/OO?op=in&success_url=http%3A%2F%2Fwww.webwise.com%2Fprivacy%2Fopt%2Fin-confirm.html&fail_url=http%3A%2F%2Fwww.webwise.com%2Findex.php&already_url=http%3A%2F%2Fwww.webwise.com%2Findex.php
Server: Apache
Connection: close
Date: Sun, 03 Aug 2008 22:28:08 GMT
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
P3p: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"

There's no "Referer:" header in your browser's request so their opt-in script is rejecting it with an error 403.

Quote:

I can visit the success_url. Browser gives me the same message I see on the home page: "line 179:Null value" which I assume is the ISP sniffing or some other testing.

I've previously noticed that error too - there's a div ID= uslocalselect on the web page, but no element called uklocalselect so the script below fails.

Code:

var res = '<a href="/privacy/policy/index.html" onClick="return setLocale(\'us\');"><img src="/images/flag-us-' + usstat + '.gif" name="Image98" width="23" height="15" border="0" id="Image98" onMouseOver="MM_swapImage(\'Image98\',\'\',\'/images/flag-us-on.gif\',1)" onMouseOut="MM_swapImgRestore()"></a>';

	document.getElementById('uslocaleselect').innerHTML = res;



	var res = '<a href="/privacy/policy/index.html" onClick="return setLocale(\'uk\');"><img src="/images/flag-uk-' + ukstat + '.gif" name="Image99" width="23" height="15" border="0" id="Image99" onMouseOver="MM_swapImage(\'Image99\',\'\',\'/images/flag-uk-on.gif\',1)" onMouseOut="MM_swapImgRestore()"></a>';

	document.getElementById('uklocaleselect').innerHTML = res;