Anyone who runs advertising or is in an advertising neetwork, should watch this one like a hawk. It is the life blood of many small websites. If true (unauthorized replacing of ads), I think what British Telecom did, was nothing short of stealing from small websites. However, it may be questionable which sites were getting ads replaced!?

Anyone who runs advertising or is in an advertising neetwork, should watch this one like a hawk. It is the life blood of many small websites. If true, I think what British Telecom did, was nothing short of stealing from small websites.

Not to mention the big boys (like Google) that provide the Ads for smaller sites. I'd imagine that their Lawyers are already preparing the case.

The other thread with Charter's tests might also be of interest:

[webmasterworld.com...]

(and mentioned some leaked documents from Wikileaks about the BT tests on page 4)

What's worrisome is that some smaller ISPs might already be using the deep packet inspection technology but not disclosing it, thereby potentially nibbling away at our publishing revenues.

If there's a script or something that we can add to detect the technology, that would be great (however given that DPI allows ISPs to modify the HTML of a page, conceivably those ISPs could remove the script!).

If this turns out to be legal, then the only solution that I can see is to maintain a list of the IP ranges of the offending ISPs and ban them.

British Telecom Ad Replacement Trial Brings Calls For Prosecution

...and rightly so!

If carrier networks modify pages to line their own pockets, this is nothing else than stealing - stealing from webmasters, big and small. Shame on you, BT!

This is shocking! I don't get how they could do that?

"BT sought expert legal advice before commencing the trial."

Really now? They are taking out the adverts that pay for my websites hosting and running and putting in their own adverts that are going into their pockets?!

Thats insane.

The article does reveal that our worst fears were true and they have been replacing the publisher's own ads on a page.

This would be like a shipping company replacing the ads in magazines whilst the magazines were in transit and the shipper then pocketing fees for the newly placed ads.

If this isn't theft then the definition of theft needs to be amended, by statutory law, to include this practice.

[edited by: Webwork at 2:57 pm (utc) on June 6, 2008]

* Guys with your tinfoil hats can come say I told you so now! *

From [news.bbc.co.uk...] Phorm - Your Questions Answered

We only serve ads to the websites we partner with. In order to participate, websites have to insert a tag into their own page.

But I'd still rather it died a death. Give them an inch.....

We only serve ads to the websites we partner with. In order to participate, websites have to insert a tag into their own page.

Then how does that differ from any other web ad?

No other web ad needs to snoop our connections and modify our cookies? They are nothing short of spyware.

vordmeister, the NNB story linked to in the first post on this thread says

During the trials adverts were stripped out of web pages served up to BT customers and replaced with more targeted ads, if available

I hope that means they were stripping out and replacing ads from sites that are in Phorm's network, but I am suspicious to say the least.

rj87uk, I told you so!

If there's a script or something that we can add to detect the technology, that would be great (however given that DPI allows ISPs to modify the HTML of a page, conceivably those ISPs could remove the script!).

This should be possible, might be as easy as generating a hash on the server side to represent the final HTML page and then creating another hash of the page with a javascript function once the page lands in the users browser, then sending it back to the server for verification in the background. The server would notify the webmaster if the hash differed and the webmaster can decide to take action.

the best thing you can currently do, is enable gzip compression. It is doubtful that any isp is going to dezip, then rezip a packet.

This was posted in a previous thread for detecting changes. Detecting In-Flight Page Changes with Web Tripwires [cs.washington.edu]

"we do not modify web pages or inject ads. We only serve ads to the websites we partner with. In order to participate, websites have to insert a tag into their own page. If you have opted out, will still see ads as you browse - just as you do today - but they won't be from the OIX and they won't be relevant to your browsing. "

Does the above statement mean that much of the damage this system could cause has been mitigated? - it still sucks though -and of course policies can change overnight if they are not making enough money.

We only serve ads to the websites we partner with. In order to participate, websites have to insert a tag into their own page.

Ok so now I am slightly confused, Does this mean that only websites that are using the "advertising" program will have ads uploaded onto a site that has choose to run this program?

Im confused now.

The current system as I understand it tracks your habits at the ISP level if you are customer of the ISP. Sites participating in the program can then serve ads that will be more relevant to your surfing habits. If they don't stray from what they are doing now the only real concern for anyone would be the ISP's customer because of the privacy issues.

According to the articles and the document though it appears they replaced ads during a trial run but there is no indication that is what they are doing now.

The Register has had dozens of articles on Phorm this year.

In one I learnt about the Dephormation extension for Mozilla.

Oh yes!

The ads will be hosted on sites such as ft.com, ivillage.com, and partners of ad agencies such as universalmccann.com

A BT customer who has opted-in to the 'Webwise' system will be monitored everywhere he goes on the internet. Every standard page that he reads and writes to (https excluded) will be scanned and a profile of that user created.

If he then visits one of the partner sites (ft.com, ivillage...) he will start to see ads based on his profile.

The initial forecasts where BT could earn £85 million were based on the system being opt-out only. The ICO smacked them down over that so they have had to re-write the system to be opt-in and the revenue forecasts are now expected to be well below what was initially expected.

As for the trials in 2006 and 2007. Well we have had a lot of spin and lies and only now the truth is being revealed and hopefully the ICO, Home Office or the EU if need be will now do the right thing and take action.

As for the future - they can make the system opt-in, DPA, RIPA and PECR friendly as much as the can from an ISP customer point of view but there is still the issue of us webmasters having our copyrighted website information read and processed.

As I said in this thread:

[webmasterworld.com...]

All Your Content is Fair Game
If a visitor to your site is Phormed all your content is going to be read and processed whether you want it to or not. This will include parts of the site protected by (non https) .htaccess or php or messageboards where registration is required. The only way to block Phorm is to block Googlebot.

Phorm is Going to Direct Your Customers to a Competitor
A Phormed visitor browses your site. This means that your site is helping to make a profile for that visitor. If your site is about exotic holidays then Phorm is going to start showing that visitor ads for your competitors exotic holiday websites.

Google: Uses keywords from your page content to bring visitors to your web site.

Phorm: Uses keywords from your page content to draw visitors to someone else's web site.

Some good points Frank_Rizzo that I didn't think of before, should be noted the similar system being tested by Charter here in the U.S. is opt-out and the opt-out is cookie based so you'll have to opt out for each browser, user and/or computer you use or you'll have to opt out again if the cookie is deleted.

So it is an "optin" type system - that of course is better, but they are still messing with net neutrality which is important and also what they get away with is a signal for others to try something even more dodgy.

I have just read your initial post listed above Frank_Rizzo - you raise some interesting and frightening points - Phorm can access a paid member area by reading/piggybacking the traffic a valid user has paid for - that has gotta be wrong - not even Google can access member areas I think.

So it is an "optin" type system

The technical spec says opt out, for which you need to acquire, and retain a cookie on your machine. Lose the cookie - you're opted in again.

I imagine customers will be 'encouraged' to 'opt in' via updated terms and conditions at their ISPs. So, the only other opt out will be by opting out of the ISP altogether, which I will do if my ISP goes with Phorm.

I will also inform my ISP as to why I decided to leave, and I'll post about my decision on relevant websites. I would encourage others to make their feelings about this system clear. However, in my business and professional dealings with the major UK ISPs, I've found their general approach to customers to be (almost without exception) dis-satisfactory in the extreme.

Any smaller ISPs reading - advertise yourselves as 'phormless' and you could get a good little niche going ;)

The only way to block Phorm is to block Googlebot

This isn't true. The researcher named in the article posted above has been given unprecedented access to their system, and they have given him permission to post details of the system. You can detect and block phorm with varying degrees of efficacy as both site owner and internet user.

It is still debatable as to what opt-in actually means here. Amongst all the spin and fud this question put to BT and Phorm has still not been answered satisfactorily:

"If I do not opt-in will I still be profiled"

Not opting in will only stop the user being served OIX ads. His profile will STILL be made - he will still be monitored.

I believe they may be working on a fix for that and it could be the reason why trial #3 is beinc constantly delayed.

---

Now back to the member area/piggybacking the traffic. This is a serious concern I have as one of my sites has 'finacial information' where subscribers can analyse data, talk in the non public domain message board etc.

Some phorm huggers say the onus is now on me to convert to full https but why should I do that? This is a problem I never had before.

My security systems has worked fine and keeps out freeloaders and such but there is no way I can keep out a Phormed user who will be leaking my and my customers private information.

I kid you not that it was suggest that we have to block googlebot in robots.txt if we want to stop Phorm from profiling our sites. The response from BT/Phorm was that any site which lets google in is deemed to be in the public domain and that if you let google in Phorm have every right to read that same data.

Of course that is totally unfair as I choose to let google crawl mysite in order that I can have the benefit of increased traffic. Allowing Phorm to analyse my pages will give me no benefit and may actually give benefit to a rival site who has signed up to OIX.

And of course - I don't let googlebot anywhere near the members area, or the parts of the messageboard which require registration. Yet Phorm can waltz in and analyse the pages.

Hi Receptional Andy, I meant it is "optin" for a website, for a "webuser" it is optout as you correctly state.

" You can detect and block phorm with varying degrees of efficacy as both site owner and internet user"

As a site owner I think it is impossible to block it as the packet inspection is done at the ISP level - of course you can block those IPS's who allow it via IP address, but in the UK you are blocking Virgin and BT which is a large % of the UK market - not really sensible.

if you let google in Phorm have every right to read that same data

But this is an attempt at justification, not technical advice. Perhaps a quick breakdown of the tech would be useful.

• ISPs will HTTP 307 (Temporary Redirect) any request on port 80 to a phorm page, with a few parameters
  
• This page checks for the presence of a phorm cookie (with a unique ID identifying the user)
  
• If there's no valid cookie, they set one, otherwise they send the user back to the page with a nice identifier
  

Here's where it gets interesting. The cookie is set on your domain name (apparently named 'webwise', the name they given the system in an apparent attempt to make it seem like a security feature).

If (as a user) you block the cookie, they temporarily stop the phorm redirect (otherwise it would go on forever).

The reliance on cookies set on third party domains is their main Achilles heel. Users can block them, and site owners can detect them. I've heard that blocking the cookies as a user may result in performance problems with your internet connection. As a site owner, you can choose what to show to visitors carrying a phorm/webwise cookie. Of course, you shouldn't need to bother, but that's a different discussion.

Further, from what I've read the system seems like it could be vulnerable to hacking, due to the implementation. I imagine it will also be an attractive target. I'm a bit dubious about some of the ways they seem to be handling redirects, and detecting problems.

Added: just saw your post, driller41, but see above.

[edited by: Receptional_Andy at 8:19 pm (utc) on June 6, 2008]

Personally I say let the hackers have at Phorm if it's taken live. Barring any identify theft which occured as a result (I would feel seriously horrible for the previous statement if this did occur), it would teach Phorm a lesson about messing with that which isn't theirs.

Can I remind / inform those in the UK that there is to be a demonstration at the BT AGM on 16th July.

There will be guest speakers at the event and later in the afternoon a case file is being presented to the police.

More information here:

[nodpi.org...]