Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Phormic Acid]

Quote:

Originally Posted by AlexanderHanff

So even the government "snooping" party is less invasive than Phorm and even though the data is retained the police still need a warrant to access it.

That’s not my understanding of it, but IANAL either. You just need two different flavours of RIPA Authorising Officer. An investigator will make a request to a RIPA Single Point of Contact (SPoC). The SPoC will get authorisation from a RIPA Designated Person. The SPoC will then handle all the data flow between their organisation and the postal or telecommunications operator. Sadly, there’s no mention of a court or warrant. I thought the police only needed Home Office approval to tap the contents of telecommunications.

Here is the relevant section from Macclesfield Borough Council’s Policy on Use of Covert Surveillance:

4 Communications Data

4.1 The Regulation of Investigatory Powers (Communications Data) Order 2003 extends to local authorities the powers set out within RIPA to access communications data. Communications data includes information relating to the use of a communications service but does not include the contents of the communication itself. Communications data can be split into three types; “traffic data” ie where a communication was made from, to whom and when; “service data” ie
the use made of the service by any person eg itemised telephone records; and “subscriber data” ie any other information that is held or obtained by an operator on a person they provide a service to.

Local authorities are allowed to access ‘service data’ and ‘subscriber data’ but only for the purposes of the prevention or detection of crime or the prevention of disorder.

4.2 Access to communications data may be authorised in two ways; either (a) through an authorisation by a designated person which would allow the authority to collect or retrieve data itself, or (b) by a notice given to a postal or telecommunications operator requiring that operator to collect or retrieve the data and provide it to the local authority.

4.3 Application will be made by the investigating officer and submitted to a Single Point of Contact (SPOC) who will either accept or reject the application. If the SPOC accepts the application he/she will forward it together with a SPOC report and a draft notice (where appropriate) to a Designated Person for authorisation. If the Designated Person accepts the application, the forms will be returned to the SPOC and the SPOC will deal with the postal or telecommunications operator directly. The SPOC will also advise investigating officers and Designated Persons on whether an authorisation or a notice is appropriate in the circumstances .

4.4 No officer will be nominated as the Council’s SPOC unless that officer has received training on a course recognised by the Home Office

The end of the document gives the names of those two Authorising Officers.

My biggest worry is that, while ISPs store only which websites are accessed, not which pages, Phorm get a stream of full URLs. All parties have to trust that Phorm won’t use those URLs to obtain full page contents at a later time, by making their own requests for the pages. The stream of full URLs can be considered to be a highly compressed for of the full traffic; you can use those snippets of information to reconstruct nearly all of the original.

[BadPhormula]

Here is an interesting thread over on Badphorm.co.uk titled "ALL MEMBERS READ *** IMPORTANT ***"

I think it's interesting from the point of view that BT/Phorm have created a situation where the very nature of trust on the Internet is being called into question. When you can't trust your own ISP service provider who can you trust? This thread isn't about BT/Phorm directly (or is it?) it is about one of the moderators warning people about an SQL Injection from a website based in Texas, USA and a suspicious NMAP scan... And as you can see from the details badphorm.co.uk webserver is based in Texas, USA.

As we uncover more dirt on the BT/Phorm saga and the word gets out to a wider audience (the masses). More and more people are naturally going to become paranoid, upset, uncertain and suspicious of every little thing that happens on the Internet... And who's fault is that? Well basically my money is one guy in particular a sneaky shyster @sshole called Stratis Scleparis, this toe tag is responsible for what has been happening at BT and Phorm, he is Phorm's CTO and was formally BT Retails CTO. The guy that made this Phorm sh*t spying happen. Emma Sanderson's involvement may have been as co-conspirator back when sneak Scleparis was in charge of the BT spying but she is definately upto her neck in the sh*t now.

IANAL but I think BT will have a case to answer for with regards to psychological damage done to their customers. I just want people to bear this in mind as they may have a case for suing BT at some point in the future.

http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?5712.0

[Rchivist]

Quote:

Originally Posted by SelfProtection

I know it's a little out of date but it is something to keep for reference.

http://www.theregister.co.uk/2008/03...rul/page4.html

The quote below would suggest that the Profiling is "Always ON", for
the simple reason that the Webwise System can tell you; by "Page
Injection", that they are profiling but not allowed to serve OIX ads!

-----------
KE:
The conversation over opt-in/opt-out is blurred by the one about
transparency. They want to always be aware about whether something is on
or off.
So we're going to do something unprecedented, and you'll never see this
anywhere. Which is, as they continue to browse periodically you're going
to see in an ad space "Webwise is on" or "Webwise is off", so it's more
like a feature. Frankly, it's bad business to have people feel like
something is being forced on them. Google stores everything you search,
but it never says, "look, by the way we're storing all this and we keep
it for a year".

Another example of Kent making statements about how an ISP implementation of Webwise works, when he is only responsible for Phorm.

BT have said, categorically, that as far as the Webwise trial goes, they will not inject javascript - so it will be interesting to see if this "Webwise is ON/OFF" message relies on javascript injection or is just "one of the ads" that they deliver to the page.

But a lot of sewage has flowed under the bridge since that article.

[Toto]

Quote:

Originally Posted by AlexanderHanff

The RIPA request requires a warrant irrespective of where it is being used, even ISPs. Or at least that is my interpretation of the law and is certainly how it is reported as being used.

Alexander Hanff

Thanks Alexander.

I understood that a RIPA request didn't require a court sanctioned warrant, assuming that is what you are referring too, but still its no matter really.

The fact though that an ISP must now record all sites visited based on IP address is a little concerning, especially when we consider how many times Phorm have denied that they can access this information based on IP address.

[SelfProtection]

BT have said, categorically, that as far as the Webwise trial goes, they will not inject javascript - so it will be interesting to see if this "Webwise is ON/OFF" message relies on javascript injection or is just "one of the ads" that they deliver to the page.

But a lot of sewage has flowed under the bridge since that article.[/QUOTE]


The mere delivery of an AD on a page from another Server stating Webwise ON or OFF would still be proof of constant redirection/profiling, if/when Webwise was supposed to not be profiling!
This in effect would be "Page Injection" by the Phorm System for which I would account BT responsible!

[warescouse]

Quote:

Originally Posted by BadPhormula

Here is an interesting thread over on Badphorm.co.uk titled "ALL MEMBERS READ *** IMPORTANT ***"

I think it's interesting from the point of view that BT/Phorm have created a situation where the very nature of trust on the Internet is being called into question. When you can't trust your own ISP service provider who can you trust? This thread isn't about BT/Phorm directly (or is it?) it is about one of the moderators warning people about an SQL Injection from a website based in Texas, USA and a suspicious NMAP scan... And as you can see from the details badphorm.co.uk webserver is based in Texas, USA.

As we uncover more dirt on the BT/Phorm saga and the word gets out to a wider audience (the masses). More and more people are naturally going to become paranoid, upset, uncertain and suspicious of every little thing that happens on the Internet... And who's fault is that? Well basically my money is one guy in particular a sneaky shyster @sshole called Stratis Scleparis, this toe tag is responsible for what has been happening at BT and Phorm, he is Phorm's CTO and was formally BT Retails CTO. The guy that made this Phorm sh*t spying happen. Emma Sanderson's involvement may have been as co-conspirator back when sneak Scleparis was in charge of the BT spying but she is definately upto her neck in the sh*t now.

IANAL but I think BT will have a case to answer for with regards to psychological damage done to their customers. I just want people to bear this in mind as they may have a case for suing BT at some point in the future.

http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?5712.0

I think this is an interesting and worrying statement. I have been in the position whereby a computer I am 'cleaning' or investigating has had strange and worrying IP symptoms. Normally, I can narrow down the problem down by some simple testing and ruling out the obvious safe harbours.

In a hypothetical scenario: I am in a similar position with Phorm/Webwise intercepting my data by deep packet inspection. I don't trust them and I am aware of the latent power available in this invasive technology. I have strange IP symptoms on the PC I am investigating and I am trying to logically prove where and why the problem occurred and how to fix it?

How can I ever hand on heart rule out malpractice on their part if I don't trust Phorm. I have little or no respect for Phorm and I am aware of their rootkit, PeopleOnPage, ContextPlus adware history as 121Media!

It would be impossible for me to do true logical analysis because if Phorm/Webwise was in place, knowing their in-line position, intercepting my data stream and knowing they theoretically have the ability do anything they so desired, I could never rule them out as the source of the problem because hand on heart, I will never trust them!

This really has to be stopped! ISP's must realise this 'lack of trust' knock on effect is very important as well as the general privacy and legal issues we all shout about.

Quote:

Originally Posted by Toto

Thanks Alexander.

I understood that a RIPA request didn't require a court sanctioned warrant, assuming that is what you are referring too, but still its no matter really.

The fact though that an ISP must now record all sites visited based on IP address is a little concerning, especially when we consider how many times Phorm have denied that they can access this information based on IP address.

I don't think the ISP's are required to retain any other data other than the IP that was allocated to a customer at any given time or date and the duration of the allocation (all that is required for billing purposes) and the police would require a warrant to access this information:

http://www.theregister.co.uk/2008/05...ion_directive/

"Law enforcement agencies can gain access to such data with a court-ordered warrant. Though providers almost uniformly keep the information for such periods to resolve any future billing disputes, the laws will ensure that they do so."

"The reality is that nothing much has changed. The new legislation will make little practical difference as most telecoms providers keep certain information for billing purposes and customer records," said Michael Eagle of the Federation of Communications Services. "That information would be enough to meet the requirements of law enforcement agencies. There is no need to keep more data that you are ever likely to be asked for."

[Rchivist]

Quote:

Originally Posted by SelfProtection

BT have said, categorically, that as far as the Webwise trial goes, they will not inject javascript - so it will be interesting to see if this "Webwise is ON/OFF" message relies on javascript injection or is just "one of the ads" that they deliver to the page.

But a lot of sewage has flowed under the bridge since that article.


The mere delivery of an AD on a page from another Server stating Webwise ON or OFF would still be proof of constant redirection/profiling, if/when Webwise was supposed to not be profiling!
This in effect would be "Page Injection" by the Phorm System for which I would account BT responsible!

My money is on it being Kent talking rubbish again. (Shock, horror!)
As you say, if Webwise is off, how do they control ANYTHING I see - especially as the BT Webwise "diagrams" (ha ha) show non-opted-in customers going nowhere near the Phorm equipment.

At the present state of play my gut feeling is that whatever system BT trial (due in the next 10 days -if they trial anything) it won't be a bit like what Kent Ertugrul former rootkit merchant has been talking about. But there again - that relies on BT Retail being
a) sensible
b) competent
c) having integrity
d) wanting to obey the law
e) having any regard at all for their customers

So maybe I'm being over-optimistic.

However - I do think there are some people in BT Retail currently buying in extra anti-perspirant and toilet paper which is a comforting thought.


Incidentally - I'm starting to distinguish in my posts and letters and emails betwen BT, BT Retail and BT Wholesale - it worries them when you do that.

[davews]

Quote:

Originally Posted by SelfProtection

The mere delivery of an AD on a page from another Server stating Webwise ON or OFF would still be proof of constant redirection/profiling, if/when Webwise was supposed to not be profiling!
This in effect would be "Page Injection" by the Phorm System for which I would account BT responsible!

Not necessarily. Since the ads inserted on OIX sites are choosen by the Phorm servers (which change these ads to targetted ones for those who are opted in) it is perfectly feasible to have a bunch of ads to be served to all who are not opted in (and anybody else not in the Phorm network for that matter) which have a "Phorm is off, click here to turn on" button. They will only change the ads for opted in customers, who will get the other version. No need to check whether you are opted in to serve these generic ads.

Non Phorm customers may wonder what it all about but will get the message that your ISP is not using Phorm if they click on it.

(I think I have understood what I have been trying to say....)

[Toto]

Quote:

Originally Posted by Paul Delaney

I don't think the ISP's are required to retain any other data other than the IP that was allocated to a customer at any given time or date and the duration of the allocation

ISP's already do this, they keep IP allocation records so that under RIPA the police can request the account details of who owned what IP address on a given date/time.

This act goes one better, the police can now also ask what sites were visited based on an IP address, or possibly based on known account information. ISP's will be required to "keep logs of internet usage" for a period of 12 months.

What is of concern is this quote in The Register article.

Quote:

“The aim of the [Directive] is to ensure that certain data is retained to enable public authorities to undertake their lawful activities to investigate, detect and prosecute crime and to protect the public," said a Home Office spokeswoman.

Now, call me paranoid, but education councils have already "exploited" RIPA to spy on parents who wanted their child to attend a certain school.

The article says

Quote:

Law enforcement agencies can gain access to such data with a court-ordered warrant. Though providers almost uniformly keep the information for such periods to resolve any future billing disputes, the laws will ensure that they do so.

I know for fact that police do not need a court ordered warrant to access IP data history, there is provision within RIPA to allow such requests to be passed through central controlled divisions within the police ranks. What's to say this will not be accessed in the same way, or in fact that the article has got this bit wrong?

But lets cut to the chase, this act, proposed by the government as part of an EU directive that they now need to ratify means this.

Our Internet usage from a certain date on will be recorded and retained for a period of 12 months by our ISP. What isn't clear is which public authorities will be able to access such data.

As Alexander has said, this is nothing new, however, this is the first time to my knowledge that this requirement will be enshrined in Law, and the first time for sure our browsing data will be recorded, and can be used as part of a criminal or national security investigation.

Obviously my point is off-topic as it doesn't directly relate to Phorm, but this is about privacy.

Quote:

Originally Posted by Toto

ISP's already do this, they keep IP allocation records so that under RIPA the police can request the account details of who owned what IP address on a given date/time.

This act goes one better, the police can now also ask what sites were visited based on an IP address, or possibly based on known account information. ISP's will be required to "keep logs of internet usage" for a period of 12 months.

What is of concern is this quote in The Register article.

Now, call me paranoid, but education councils have already "exploited" RIPA to spy on parents who wanted their child to attend a certain school.

The article says I know for fact that police do not need a court ordered warrant to access IP data history, there is provision within RIPA to allow such requests to be passed through central controlled divisions within the police ranks. What's to say this will not be accessed in the same way, or in fact that the article has got this bit wrong?

But lets cut to the chase, this act, proposed by the government as part of an EU directive that they now need to ratify means this.

Our Internet usage from a certain date on will be recorded and retained for a period of 12 months by our ISP. What isn't clear is which public authorities will be able to access such data.

As Alexander has said, this is nothing new, however, this is the first time to my knowledge that this requirement will be enshrined in Law, and the first time for sure our browsing data will be recorded, and can be used as part of a criminal or national security investigation.

Obviously my point is off-topic as it doesn't directly relate to Phorm, but this is about privacy.

The ISP's have fought legislation like this for years their main bone of contention being who is going to pay to store the data. The sweetener, for them, came with the announcement that the law will only require them to store the type of data that would normally be required for billing purposes.

A typical scenario where the police would want to access the data:

The police take down a website used by paedophiles / terrorist suspects - all the site's visitors will have left their IP's and the time and date they visited on the site's hit log. The police sort the IP's into their respective ISP IP ranges. Using this collected evidence as justification a court will grant them a warrant to access ISP data. They then match the IP/date/time from the website with the corresponding data retained by the ISP to identify their suspect.

I don't know about the council's use of RIPA but in this case the police are required to provide the court with evidence in order to justify the granting of a warrant.

[Toto]

Quote:

Originally Posted by Paul Delaney

I don't know about the council's use of RIPA but in this case the police are required to provide the court with evidence in order to justify the granting of a warrant.

I hope you're right, because currently under RIPA the police can request account details based on IP address with date/time without going to the courts, this is what the RIPA act is all about.

Quote:

Originally Posted by Toto

I hope you're right, because currently under RIPA the police can request account details based on IP address with date/time without going to the courts, this is what the RIPA act is all about.

The problem is that if a prosecution depended on it the police would have to show that all the evidence had been collected in accordance with all the relevant legislation or else risk a clever defence lawyer convincing a judge that it should be ruled as inadmissible.

This has happened on several occasions were the police prosecution case has relied on evidence collected from mobile phone wire taps carried out without a warrant and so deemed illegal.

[Toto]

Quote:

Originally Posted by Paul Delaney

The problem is that if a prosecution depended on it the police would have to show that all the evidence had been collected in accordance with all the relevant legislation or else risk a clever defence lawyer convincing a judge that it should be ruled as inadmissible.

This has happened on several occasions were the police prosecution case has relied on evidence collected from mobile phone wire taps carried out without a warrant and so deemed illegal.

Yes, but not all cases, and the gathering of certain data, i.e IP log history only goes to bolster a police investigation, and may not be used as evidence.

E.g. Under the new law, the police can go to the courts to request a warrant (or enforce RIPA if this new legislation allows it) to enter a premises and extract computer equipment where they have reason to suspect that the owner may potentially be a paedophile based on what URL's have been recorded against his Internet account in the last year. Now, having recorded URL's may not be evidence, but extracting that evidence under new legislation will be easy, and will provide the needed evidence for a warrant to be issued so that the claim can be investigated further, such as through forensic examination of any computer equipment in that property.

My point is this, up until now, the police could request from an ISP who owned an IP address at a particular time in the past, or currently and they wouldn't need a court order. The new legislation coming into force would require our ISP to record basic internet activity, such as sites visited for a rolling 12 month period, and the police could request that information also, without the need for an interception request, also available under RIPA, and does not need a judge to sign it off. Whether this new legislation can be administered through RIPA as it stands is yet to be seen.

[Wildie]

side tracked here i think, i cannot see the police selling the data for profit and sending adverts.
unless you really got something to hide.