BT / Phorm - Would you prosecute?

[confuscius]

This caught my eye - British Telecom Ad Replacement Trial Brings Calls For Prosecution - should be an interesting discussion BUT what would you do?

[John Jupp]

During the trials adverts were stripped out of web pages served up to BT customers and replaced with more targeted ads, if available.

BBC NEWS | Technology | Call to prosecute BT for ad trial

EXACTLY what I have been damn well saying!

The Phorm project is a vehicle for the potential theft of our earnings and the people behind this project, who authorised it are effectively nothing but thieves (by association and participation - complicit in an offence) and seeing they read this forum they can take me to court! I will bring sufficient technical specialists to substantiate that.

They can serve up replacement pages without the webmasters consent, replacing advertising (that has YOUR affiliate id) with their own. They even boast of being able to do so on their own damn website!

[John Jupp]

There is only ONE way I know which can circumvent Phorm. Now remember, if you as a webmaster object to participating ISP's serving up replacement pages having objected in writing, the ISP's just won't display you and neither the ISP's or Phorm are saying much on how to block them.

Simple PHP.

For a text link, take the text link from the network and put it into a MySQL database using a simple text platform to insert the word into the web page text so that where the word would be would actually be a php command, which would display the word hyperlinked which in turn would extract the url from the MySQL database.

For an image link, embed the php into the page to serve up the image and the hyperlink straight from the MySQL database.

[drivetowin]

Quote:

Originally Posted by John Jupp During the trials adverts were stripped out of web pages served up to BT customers and replaced with more targeted ads, if available. BBC NEWS | Technology | Call to prosecute BT for ad trial EXACTLY what I have been damn well saying! The Phorm project is a vehicle for the potential theft of our earnings and the people behind this project, who authorised it are effectively nothing but thieves (by association and participation - complicit in an offence) and seeing they read this forum they can take me to court! I will bring sufficient technical specialists to substantiate that. They can serve up replacement pages without the webmasters consent, replacing advertising (that has YOUR affiliate id) with their own. They even boast of being able to do so on their own damn website!

Sorry John but if you actually read the full report from Dr Richard Clayton rather than the interpretation you will see that points E.63 and E.64 actually say

63. Early speculation about the Phorm system suggested that it added adverts to web pages,or replaced them "on the fly". This is not what happens, the specially targeted adverts only appear on participating websites.

64. A website that contains adverts that come from Phorm's "OIX" network will place into
their webpages some HTML such as , much
as they would do today with existing advertising systems. In practice there may be other
stuff going on, but in essence it is this simple.

So yes it does change pages but only on the pages of publishers who have a commercial relationship with Phorm to carry Phorm advertising.

I think the BBC article has taken this out of context, yes the BT report does say that ads were replaced on webpages but nowhere (and again I've read the full report via the Wiki article - incidentally as a total aside, isn't the leaking of that document an attack on BT's privacy - but I digress) - does it actually say whether those pages were or were not just BT's own pages which presumably were configured to show Phorm OIX ads. My guess is that they probably were just BT's own pages but of course from a journalist's viewpoint that would be a total non-story.

As I've said many times before, and had this discussion with a few people last night at the A4UAwards, I don't like Phorm any more than the next man (or woman) but a) just because we don't like something doesn't necessary mean it's doing anything wrong and b) the main area where it does appear to be doing something which may or may not be illegal is invading users privacy - but is it our role as affiliates to be the Internet's' policemen - unless it directly affects our bottom line I would suggest not........but I know some will disagree.

[Markup]

Quote:

Originally Posted by drivetowin Sorry John but if you actually read the full report from Dr Richard Clayton rather than the interpretation you will see that points E.63 and E.64 actually say

Keith, I'm with John on this, simply because...

... what constitutues a "participating" site?

interesring read though!

[mainlime]

My reading of the leaked document is that Phorm bought ad space on popular websites. The majority of the ad space was "donated" to charity ads but where Phorm came up with a targeted match for a trial participant it replaced the default charity ad with a targeted one.

Of course I could be completely wrong as the document is not clearly worded on this point.

To go back to the original question though, it is quite apparent that BT & Phorm colluded to illegally intercept and manipulate BT subscribers web traffic and they should be prosecuted. In fact, I'd hang 'em from a telegraph pole as an example to others.

[Markup]

quote -
Dr Clayton said the leaked report "clearly shows that back in 2006 BT illegally intercepted their customers' web traffic, and illegally processed their personal data".
He continued: "The BT author seems delighted that only 15-20 people noticed this was happening and looks forward to a new system that will be completely invisible. - unquote


actually it's really friggin scary.
Guys, they are migrating the prison system out into society - what the f'#k are they gonna do next - demand a first read of our mail...

[John Jupp]

Every Internet Service Provider maintains a cached image of a web page which is periodically updated. Just ask them, they'll confirm it. In addition when the ISP visits the website at the request of the user, the ISP takes a representation of the site's page before sending it to the user. This is because the ISP provides the connection. I am saying this in very layman terms ok.

What Phorm does is work at the ISP end. It interrogates the incoming webpage and the requesting user's demographics, then replaces the webpage adverts. It does not have to have "participating" websites. We are all participants

The ISP's are adamant that a webmaster must write to deny Phorm. If they do, then the website will return as a 404 File Not Found by the ISP. I spoke to more than five people on a recorded telephone line at Virgin Media and they stated verbally. I also asked them to record the conversation from their end. I also add here that Virgin Media have NOT decided on Phorm yet or even if the trial will go ahead of the Phorm software.

Phorm merely goes as far as saying that unless a webmaster specifically denies Phorm then they are consenting to participation...again opt out and not opt in. Phorm provides no information how to opt out or prevent the script from accessing the website.

http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf for the Clayton report.

So Keith, I would need further clarification. This is because as you point out, html has to be added to the page. I am saying (as are ISP's) that this is automatically done at their end. If it has to be physically done at our end then that is different. As yet there is no official statement.

[drivetowin]

Hi Mark

I agree with you that the wider implications are potentially scary with regards to privacy.

As I've said, I'm not in favour of Phorm, far from it, but if it is to be stopped then the argument has to be based on fact and not conjecture, otherwise Phorm will simply prove that a, b, and c are not true and in a court of law (where Phorm will inevitably end up some time), the case against them will fall apart.

On a broader point, the BT report shows that Mediavest, Mediacom and Mindshare all sold adspace to Phorm for the trial. All three are active in the affiliate space too (and read this forum) so it would be interesting to get their take on it.

John

Yes I know what you are saying but the report does say that you need to have a tag from Phorm / OIX in your page for the ad to be replaced. A little bit of thought shows this has to be so, otherwise how could it replace ads since a) it is relatively easy to hide that the content of part of a page is an ad, as you alluded to earlier in this thread and b) even if it recognised a space on a page as an ad it would need a pretty smart system to work out the size of that ad, and then replace it with another ad of the same size, quickly enough for the user to feel no degradation in performance.

If it does work on size, presumably one way to defeat it (as some did to try and defeat spyware blockers) is to create ads which are non-IAB standard sizes.

As an aside, if an ISP caches your site are they also technically breaching copyright, since most (if not all of us) don't include a statement saying we are happy for someone to retain an electronic copy of our pages.

One problem I have seen consistently on this is that people take one paragraph (or even sentence) from a report out of context and then others build around it.

To conclude,

Are there serious privacy issues - Yes.
Are there issues concerning site copyright - Yes, though personally I'm not convinced there is a strong enough argument to prove it "beyond reasonable doubt".
Is there any proof that it replaces ads without the presence of Phorm tags on the page - No, none at all that I have seen - if anyone has any please let me see it.

[Donk]

Going back to the original question as far as I have discerned from all the hype it is only the Home Office that has the powers to prosecute under the RIPA. The only recourse for "Joe Citizen" is to report the facts to the police who in turn report to the Home Office who will then, if they think fit, prosecute.

Deep Packet Inspection the technology behind Phorm, Barefruit,PaxFire,Nebu-ads etc will not be banned by the government because the government will rely on that technology to prevent people downloading pirated music.

GCHQ have their own system in place to intercept all forms of communications. But in a democracy one has to weigh the cost of the lack of privacy of against safeguarding the population against repeats of 911.

Privacy of personal communications is a deep rooted freedom that is expected in modern democracies. It is in the UN Charter of Human Rights:

Quote:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence

the EU Charter:

Quote:

Everyone has the right to respect for his or her private and family life, home and communications.

and has been enacted into laws such as RIPA and DPA.

Phorm claim that their system does not alter advertisers pages apart from the ones of their own "OIX" network but the technology is there should there be a change in their policy. Barefruit and Nebu-ads on the other hand do not make such a claim.

What worries me most is the possible vulnerabilities in the system. When barefruit came out it did not take hackers to long to find a javascript loophole in their system. According to Phorms 2007 Financial results (page 31) Phorm only employed 2 people Research and Development in 2006 and 4 in 2007 (compared with 34 and 58 in sales and admin). I can't comment on the technical skills and qualifications of these people but compare that with the myriad employed by G, M$ and other software developers. I'm sure there must be many loopholes that need to be plugged. For instance the way POST requests are handled.

According to Richard Clayton's article (#47) Phorm will intercept a POST request and parse the webpage. But according to RFC 2616

Quote:

If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

So if the useragent (eg Firefox or IE) handle these requests correctly what will happen with Phorm?.

Also a website's POST request may password protect information that is of a personal or private nature. Even the big G can't get to see these pages without the permission of the website owner.