Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by lucevans

http://www.theregister.co.uk/2008/07...ds_https_only/

So, google are to start encrypting their webmail pages from start to finish, eh? Presumably they want to ensure that they are the only ones who are going to be able to profit from profiling the contents of their customers' e-mails.

Didn't someone here predict that the effect Phorm would have would be to drive more and more sites to switch to https? Looks like Google are setting the trend...

I don't know about this forum but I posted the following on the BT Forum on 12th May.

It is entirely because the internet is so new and growing so quickly that we need our government to draw the lines now before it's too late. The internet is not going to come to a halt because one money-making scheme fails but it is at serious risk if people are afraid to use it.

The alternative - one which I predict will be with us very soon if this goes ahead - will be the encoding all data between users and between users and websites using private keys such that Phorm style systems can not read the data. If Phorm want to read your data or access data transferred from your website, they would have to be granted a key and pay for it if so required. As the data - including the website's content would only be decrypted after it reaches the end-user's computer, it would not be available in any usable format for the ISP and the whole Webwise idea falls to pieces.

Even the use of a simple encryption key on the data would require an illegal act on the part of BT or Phorm (or any other similar system) as unauthorised decryption is prohibited under existing law without a warrant and it is extremely unlikely that any such warrant would ever be issued on the basis of "we want to make a profit". Even the police and security services sometimes get refused such warrants and such intervention has always been taken very seriously in the UK.

If you combine encryption with data compression you have a doubly useful tool given as the volume of data carried could be reduced making better use of bandwidth. Imagine that everything you send or receive travels along the internet as an password protected zip file with a non-commercial use condition applied not to the data itself but to the key. It kills Phorm's argument that information on the web is freely available and makes it immediataley and irrefutably illegal to access the data. Newer PCs with multicore processors will not even see a marked slowdown as the data is transferred - it could still be packeted - and decrypted on the fly at the PC. Older PC's may be slower at the encryption/decryption but this is a short term problem which reduces as PCs are replaced.

Governments have always tried to oppose such an idea as it could be used to prevent monitoring by official bodies such as anti-terrorism or anti-childporn investigators. The US government has often tried to and sometimes succeeded in preventing new encryption techniques from being made available to the public for similar reasons. The public in America are more worried about government monitoring than about commercial datra usage but even they seem to be getting hot under the collar about this issue now that they've been informed that various ISPs have been intercepting their data over the last year or so.

It may be that faced with such a system coming into being purely to avoid ISP level profiling for profit, governments may decide that allowing such action by data carriers is not quite as trivial as they seem to believe it is at present.

[madslug]

Quote:

Originally Posted by Dephormation

Copyright theft isn't the most valuable thing that Phorm are trying to take.

What they really value is not the copy of the content (they discard that after they've extracted the keywords)... its the marketing intelligence they glean by linking a user to the sites and ecommerce businesses they are interacting with.

That's why the Home Office advice (that you could imply consent of web site operators for interception) is so completely wrong.

<snip>

The Home Office advice does not say that you can imply consent of ALL web site operators for interception. The whole document is about intercepting consenting user data streams with UIDs and scripts hosted on web sites to deliver the adverts. The advert delivery script is downloaded by the user's computer and is not part of the original page intercepted. The implied consent comes in the delivery of the page which enables the ad delivery script to be called.

Nowhere does it say anything about non-RIPA interceptions relating to web sites which are not part of providing the advertising services to consenting users being exempt from RIPA. The document is silent on this other than to confirm that 2(2) and (8) are confirmed as an interception within the meaning of RIPA (viewable by a human or recorded on a proxy where it is technically possible for a person to view the content).

The more I read the HO document, the more I see that the answer related to one very specific question: the interception of the user to enable the advert delivery script to deliver the advert. See para.2

Read para.7 (a closed system - not a DPI provided data stream) and consider the conclusion in para.8

[phormwatch]

Quote:

Originally Posted by SimonHickling

Yep, same here

Thnaks.

How stupid.

[pseudonym]

Quote:

Originally Posted by phormwatch

TOR would work, in so far as your communications cannot be traced back to you. However, at some point, there needs to be what's called an 'exit node', which means that at some point, an unencrypted request to a website needs to be made. If Phorm has its spyware software on the ISP on which this request is made, then it can be intercepted.

However, I don't see how that would be profitable for Phorm or any OIX partner: lots of different requests from many different people will come from the same exit node, therefore the targeted ads will be completely useless.

If the exit node you are using was on a phormed ISP connection, or if phorm were to run their own exit nodes, then the Phorm Webwise UID would be unique for each person's browser, so each person would be tracked individually.

Providing a Tor exit node, or running a public proxy would be a good way to test phorm - in fact the leaking javascript in Phorm's 2006 tests contained a variable which indicated the ISP that was running the test, and one of the values was "I.PUBLICPROXY".

I guess you could monitor your traffic for webwise.net redirects and Nebuad faireagle.com requests and blacklist exit nodes that exhibit those symptoms, however you'll have no guarantee that the owner of the exit node isn't monitoring your activity - TOR aims to provide anonymity not privacy - Also if you intend to use a proxy such as tor it is wise to delete all your cookies first because a dodgy exit node could use man-in-the-middle type exploits to trick your browser into sending cookies for any site they are interested in so that it can capture them.

[SimonHickling]

Quote:

Originally Posted by madslug

The Home Office advice does not say that you can imply consent of ALL web site operators for interception. The whole document is about intercepting consenting user data streams with UIDs and scripts hosted on web sites to deliver the adverts. The advert delivery script is downloaded by the user's computer and is not part of the original page intercepted. The implied consent comes in the delivery of the page which enables the ad delivery script to be called.

Nowhere does it say anything about non-RIPA interceptions relating to web sites which are not part of providing the advertising services to consenting users being exempt from RIPA. The document is silent on this other than to confirm that 2(2) and (8) are confirmed as an interception within the meaning of RIPA (viewable by a human or recorded on a proxy where it is technically possible for a person to view the content).

The more I read the HO document, the more I see that the answer related to one very specific question: the interception of the user to enable the advert delivery script to deliver the advert. See para.2

Read para.7 (a closed system - not a DPI provided data stream) and consider the conclusion in para.8

I read this as meaning ALL web sites

Quote:

15. A question may also arise as to whether a targeted online advertising
provider has reasonable grounds for believing the host or publisher of a web
page consents to the interception for the purposes of section 3(1)(b). It
may be argued that section 3(1)(b) is satisfied in such a case because the
host or publisher who makes a web page available for download from a server
impliedly consents to those pages being downloaded.

However, it does say downloaded and not intercepted

[madslug]

Quote:

Originally Posted by R Jones

Here is the reply I got today from BT Retail Chief Counsel Commercial Law (Consumer) - they gave permission to publish - they are on my BT Openworld webspace.

Page 1 of letter http://tinyurl.com/5bwerh
Page 2 of letter http://tinyurl.com/6lsjgg
Page 3 of letter http://tinyurl.com/5tta4t

So, they are transparent in telling web site owners that they have to block googlebot if they don't want to be phormed. I don't really know who is being blackmailed the most here. Do BT really think that they can tell sites to stop trading with google: are they trying to put google out of business, or is it the sites that rely on their business partnership with the search engine to stay in business that they are trying to stop from trading?

If BT are so transparent about their requirement, where are the newspaper articles or full page adverts circulating around the world to publicize the need to block googlebot?

IF BT are so transparent, why have they failed to reply to emails requesting technical information relating to how blocking googlebot will block the phorm script from intercepting the site?
With googlebot, the webmaster can see googlebot requesting the robots.txt file and the logs will show that googlebot has honoured the robots.txt file by not visiting any pages. What audit trail is left by the phorm script?

Oh dear, Revenue Science and Tacoda use scripts and cookies, hosted on partner sites, which all web savvy people block, so BT can use scripts which don't require any partner sites and which no one can block. That is good logic

And the UID is safe because there won't be a coordinated market for harvesting the data. Oh, the innocence.

Can anybody find a s.28A in the Copyright Designs and Patents Act? The only reference I can find is as follows, and relates to an amendment to the Patents Act 1977 where section 28 relates to the restoration of lapsed patents.

Quote:

7 After that section insert—
“28A Effect of order for restoration of patent

(1) The effect of an order for the restoration of a patent is as follows.

(2) Anything done under or in relation to the patent during the period between expiry and restoration shall be treated as valid.

(3) Anything done during that period which would have constituted an infringement if the patent had not expired shall be treated as an infringement—

(a) if done at a time when it was possible for the patent to be renewed under section 25(4), or

(b) if it was a continuation or repetition of an earlier infringing act.

(4) If after it was no longer possible for the patent to be so renewed, and before publication of notice of the application for restoration, a person—

(a) began in good faith to do an act which would have constituted an infringement of the patent if it had not expired, or

(b) made in good faith effective and serious preparations to do such an act,

he has the right to continue to do the act or, as the case may be, to do the act, notwithstanding the restoration of the patent; but this right does not extend to granting a licence to another person to do the act.

(5) If the act was done, or the preparations were made, in the course of a business, the person entitled to the right conferred by subsection (4) may—

(a) authorise the doing of that act by any partners of his for the time being in that business, and

(b) assign that right, or transmit it on death (or in the case of a body corporate on its dissolution), to any person who acquires that part of the business in the course of which the act was done or the preparations were made.

(6) Where a product is disposed of to another in exercise of the rights conferred by subsection (4) or (5), that other and any person claiming through him may deal with the product in the same way as if it had been disposed of by the registered proprietor of the patent.

(7) The above provisions apply in relation to the use of a patent for the services of the Crown as they apply in relation to infringement of the patent.”.

and I see nothing in any of that text that nullifies infringement nor decreases the rights of the patent owner.

[phormwatch]

• TECHNOLOGY. Ricchetti Incorporated is lobbying for Phorm on online privacy issues. Steve Ricchetti, former deputy chief of staff under the Clinton administration, and Luke Albee, former chief of staff to Sen. Patrick Leahy (D-Vt.), will be lobbying for Phorm.

http://thehill.com/business--lobby/b...008-07-28.html

[warescouse]

Quote:

Originally Posted by Peter N

...cut
It may be that faced with such a system coming into being purely to avoid ISP level profiling for profit, governments may decide that allowing such action by data carriers is not quite as trivial as they seem to believe it is at present.[/I]

Totally agree with your post Peter, the problem as I see it is that we currently have decisions being made by powers that be who seem to have the technical know-how to only plan as far ahead as the next move on a chessboard. The end of their nose seems to be as far as they can see.

I suspect a lot of them may also have been Phormwashed by Kent. A subtle 'Phorm' of Hypnotism.

[madslug]

Quote:

Originally Posted by SimonHickling

I read this as meaning ALL web sites

Read the question above para.3 - it is about targeted online advertising services. It is not about general browsing that is not partnered with delivering targeted advertising services. (Sorry about the double negative.)

Quote:

Originally Posted by SimonHickling

However, it does say downloaded and not intercepted

Keep reading. English is a wonderful language and each word has a unique meaning, with the context within a sentence, paragraph or section helping to confirm that unique meaning. Take an English word out of context and it can mean whatever you like.

Even para.9 talks of filtering and deleting. It does not talk about filtering, making a record and then deleting. The filtering and deleting could reference the anti-phishing warning or the detection of the advertising partner - most probably, as it then analyses whether or not the script delivering the script is an interception, and decides that it is not, in para.11. (Displays a lack of understanding of DPI, but ignore that as DPI is not under discussion here, although interception by proxy is considered in para.10 for delivery of web page and targeted advertising content.)

At the risk of repeating myself (I've asked this before but it's still relevent and still unanswered)

If ISPs want to profile their customers' data and they are so sure that customers are happy to allow this in return for targetted adverts, why not release Webwise as a browser add-on and allow people to download it.

All of the profiling would be done on the user's PC saving BT and Phorm the cost of installing and maintaining dedicated equipment. There would be no need to fake cookies as the application would send the profile data when they open the webpage and there would be no need for an extra copies to be made of the data so all information would remain entirely on the customer's PC. Add to that the fact that Phorm already have such software ready made from their previous spyware toolbar add-ons and you have to wonder what is going on.

This is a cheaper, safer and more effective solution than Phorm's DPI based one so you have to ask the simple question:-

Why are the ISPs so fired up about using DPI to get information that can be obtained much more cost effectively and with no legal problems through existing methods?

Could it be because the system I suggest can only be used to deliver adverts and can't be subverted into other uses such as surveillance or personal profiling?

[SimonHickling]

Section 17 of Copyright, Designs and Patents Act 1988

Quote:

17 Infringement of copyright by copying

(1) The copying of the work is an act restricted by the copyright in every description of copyright work; and references in this Part to copying and copies shall be construed as follows.

(2) Copying in relation to a literary, dramatic, musical or artistic work means reproducing the work in any material form.

This includes storing the work in any medium by electronic means.

(3) In relation to an artistic work copying includes the making of a copy in three dimensions of a two-dimensional work and the making of a copy in two dimensions of a three-dimensional work.

(4) Copying in relation to a film, television broadcast or cable programme includes making a photograph of the whole or any substantial part of any image forming part of the film, broadcast or cable programme.

(5) Copying in relation to the typographical arrangement of a published edition means making a facsimile copy of the arrangement.

(6) Copying in relation to any description of work includes the making of copies which are transient or are incidental to some other use of the work.

I like 2 & 6 especially.

I agree with others who have said that the copyright aspect is only one small aspect of what Phorm wish to do, however, I have my suspicions about how they intend to claim that what they do is legal (interception-wise).

[madslug]

Quote:

Originally Posted by Peter N

If ISPs want to profile their customers' data and they are so sure that customers are happy to allow this in return for targetted adverts, why not release Webwise as a browser add-on and allow people to download it.

All of the profiling would be done on the user's PC saving BT and Phorm the cost of installing and maintaining dedicated equipment. There would be no need to fake cookies as the application would send the profile data when they open the webpage and there would be no need for an extra copies to be made of the data so all information would remain entirely on the customer's PC. Add to that the fact that Phorm already have such software ready made from their previous spyware toolbar add-ons and you have to wonder what is going on.

You are forgetting that what a user downloads will be copied from their browser cache and used for commercial purposes without the permission of the copyright owner. This makes the person downloading the content liable for infringement, jointly liable with the person supplying the method of making the copy. Do you think anyone will be happy when the web site owner contacts their ISP with a letter demanding payment for copyright infringement? - with music and videos they are complaining enough about warning letters.

There are already many much easier solutions. Sites where you can register your interests and be rewarded with seeing adverts for related products, including discount codes so that you can even save some money in exchange with sharing your interests. No browsing is intercepted, and you don't have to even visit related sites to be shown the ads you are interested in. Everything is coded and scripted on just one site.

Look at how popular the existing discount code sites are and they don't even ask for any information about your interests.

[warescouse]

Quote:

Originally Posted by Peter N

At the risk of repeating myself (I've asked this before but it's still relevent and still unanswered)

If ISPs want to profile their customers' data and they are so sure that customers are happy to allow this in return for targetted adverts, why not release Webwise as a browser add-on and allow people to download it.

All of the profiling would be done on the user's PC saving BT and Phorm the cost of installing and maintaining dedicated equipment. There would be no need to fake cookies as the application would send the profile data when they open the webpage and there would be no need for an extra copies to be made of the data so all information would remain entirely on the customer's PC. Add to that the fact that Phorm already have such software ready made from their previous spyware toolbar add-ons and you have to wonder what is going on.

This is a cheaper, safer and more effective solution than Phorm's DPI based one so you have to ask the simple question:-

Why are the ISPs so fired up about using DPI to get information that can be obtained much more cost effectively and with no legal problems through existing methods?

Could it be because the system I suggest can only be used to deliver adverts and can't be subverted into other uses such as surveillance or personal profiling?

Yes I thought that Phorms (121Media) PeopleOnPage browser add-on did basically the same thing when linked with their contextPlus Engine. (Nasty Spyware though (can you see much difference?) )

I think the post Rob Jones referenced this evening on BT beta Here #12828 definitely throws up some very interesting points that are very much in-line with some of my thoughts (and perhaps yours) and excellently put across in the comment referenced.

I'm not forgetting it.

I'm just pointing out that everything that Webwise can do can already be done using far cheaper and far less dangerous methods and thereby raising the basic question of why is this system necessary and why are the ISPs willing to spend money and alienate their customers to bring it in.

The copyright issues are not directly to the reasons why the ISP are so focused on the use of DPI which is what I was dealing with.

[madslug]

Webwise DPI at ISP level = 100% coverage. That is a lot of data that can be sold again and again, not to mention analysed in many different ways.

Nowhere has the opt out ever been an opt out of the DPI route. It has only ever been an opt out of the phorm/webwise/oix controlled advert system.

DPI is not the rouge here. Using DPI for the interception of all the data packets is the problem. It is the fine tuning of the demographics that earns the money.

Isn't it interesting that the few independent and financially secure ISPs in UK are not even thinking about using DPI for anything other than traffic monitoring and service enhancement for all their users. They don't need to collect any user data to sell on to 3rd parties because they use any data collected to improve the service they offer the customers and earn additional revenue by providing a premium service.
Because the non-phorming ISPs offer value for money, they don't have to tie their customers into anything more than 1 month contracts, they don't have to spend a fortune on customer retention, and they don't need expensive help desks answering questions about poor services and the problems that causes.