I don't get this. If, on your site, you have some Phorm ad code, and they serve you ads, and share revenue with you, then cool, keep it coming. It makes no difference to me who serves the ads, G or ISPs. But if our pages are hijacked and Phorm ad code is injected without permission, this is a major problem, and is totally illegal, even probably in Tadjikistan ;)

From Phorm's website:

What is Webwise?

Webwise is a feature offered by leading UK ISPs in the UK that helps protect customers from fraudulent websites and replaces generic online ads with ads that are relevant to customers' interests. Webwise is powered by Phorm technology.

How come these people haven't been sued out of existence yet? "protect customers from fraudulent websites" part is very different from "replaces generic online ads with ads". How is this acceptable?

<mod, professional and other hats off> ;)

"protect customers from fraudulent websites"

When phorm first launched, they placed a great deal of emphasis on how their service was designed to increase the safety of people using the internet. As time has gone on, and they have not demonstrated any significant technology to achieve that, or any compulsion to achieve that goal, they've diluted the early message somewhat. These days they just talk about better privacy, without explaining how more companies having your data (your entire browsing history) without permission is tantamount to improved privacy. They have a very different line when they talk to ISPs.

There are two hugely serious issues at stake here:

As an internet user:

Is it acceptable for third party companies to intercept, analyse, and redistribute your entire internet browsing history? IMO, this data is certain to be "personally identifiable" in the overwhelming majority of cases, and in any sense of that deliberately ambiguous phrase.

As a site owner:

Is it acceptable for internet carriers to intercept and modify all of the internet traffic sent to your site users, in the interest of profiting from the habits of your users. In some cases, this is proposed to be at the site owner's expense (i.e. via replacement or additional advertisments.

The imminent implementation of systems that do both of those things, in the UK, US and elsewhere now a reality, and has encountered precious litle in the way of opposition.

<hats back on...>

I should add that I already have that policy in place for proxies which replace my ad content with theirs. Plenty of proxies already do this.

We need a way to share such information details (the list of IPs) and have an ability to update these lists, review, confirm its still there regularly in order to remain in the list, press releases to announce we stopped a provider of "services" from continuing their evil etc.

Basically we need to organize what people organised against spammer and the like.

Damon -- if I catch a proxy replacing my ads with theirs, I just ban the proxy on a server level. I don't actively look for them but I occasionally find them via google web alerts when I'm checking for stolen content. (Which means Google also sees them as a source of duplicate content, so that's another reason to ban them.)

Most of the ones I've seen swap my ad code out on the fly with their ad code. It's a slightly different issue than ISPs swapping out ads, however -- only a tiny minority of users use proxies, but if the ISPs start swapping out ads, that's a whole 'nother issue.

The way I see it, ad swapping by ISPs is pretty much like if you were a publisher of a magazine and you paid the post office to deliver your magazines -- but the post office then reprinted your magazine without your ads, and you didn't get ad revenue even though you paid all the publishing costs and it's your content.

I really agree with the sentiment that webmasters need to organize here, create lists lists of naughty ISPs, and start systematically banning them on a server level. Yeah, this can also be handled legally, but for small publishers like me, a 301 is a lot easier to do. (And really, even the big boys might find it more expedient to just turn off service to ISPs that ad swap as a swifter and more efficient means of resolving the problem.) If the users don't like it, they can complain at their ISP or get a new one ...

1) I tried to bring up this topic twice before and no one was interested. The one reply I got was that it was OK.

2) Phorm looks likely to be illegal because of privacy law, not copyright.

3) telcos know they can make much higher margins from controlling content: that is what the whole net neutrality argument is about.

As mentioned on Slashdot today, Wikileaks posted internal documents about BT's "Phorm" trial, which uses the deep packet inspection technology:

In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.
“The advertisements were used to replaced [sic] a ‘default’ charity advertisement (one of Oxfam, Make Trade Fair or SOS Children’s Villages) when a suitable contextual or behavioural match could be made by the PageSense system.”

if anyone doubted the ability of DPI to actually replace publisher ads with those specified by the ISPs.

[edited by: jatar_k at 3:18 pm (utc) on June 6, 2008]
[edit reason] removed url [/edit]

Edit: Nevermind, read the document. It was a trial.

To reiterate my original post however, the day I hear of an ISP currently using this technology is the day I ban them from my servers. Period. This is utterly unacceptable, morally and legally.

(The trick will be to figure out how to catch phorm in action. You'd almost have to have an end user look at your site and see if your ads display.)

-- Leva

[edited by: Leva at 5:34 pm (utc) on June 5, 2008]

If you are small fry then I guess you cannot do much legally to stop this.

My only thought is to use SSL to stop the deep packet instection, I know it would be difficult for adsense users but this is probably the way to go.

"protect customers from fraudulent websites"

and this is only a harmless starter.
There are a lot more benefits in this technique, really.

Na*i governments may use it to
"protect citizens from un-censored information",
other large entities may use it to
"protect customers from other stuff whatever".

Reminds me of a very old science fiction plot, where all phone conversation was captured by a central computer in realtime and any critical comment being cut out and replaced by some big-brother like newspeak. The way they overcame this was using handwriting on paper.

While we just see a beta test of phase one of this online-censoring project, wait for the full implementation of phase two.

Yes, it would be definitely time to move to https, but I fear longstanding old web sites will loose ranking in transistion, and we can't do that without google changing their adsense technique.

Are we having fun yet?

Kind regards,
R.

We might also develop some javascript to check and report back when it sees our publisherid being replaced.

That way we can find who's replacing our ads and start acting accordingly (by e.g replacing common ads with affiliate content (make sure it's not going to be replaced too ...)

HTTPS will only work so long as the users care about the certificates matching the domain that they're visiting.

I can't think of anything to stop these Phorm-touting thieves from simply proxying the security certificate, so that the end user sees a message saying "Site is example.com but certificate is for phorm-scum.com, do you want to continue."

Seeing as there's no training for certificate security in schools, they'll obediently click yes, and then the ISP can do what they like with the "encrypted" page.

[edited by: jatar_k at 10:16 am (utc) on June 9, 2008]

I can't think of anything to stop these Phorm-touting thieves from simply proxying the security certificate

I can, the banking, credit, stocks and securities industries for starters because breaching SSL means the entire online financial system is insecure.

It would get real ugly real quick.

[edited by: incrediBILL at 6:08 pm (utc) on June 8, 2008]

"I can't think of anything to stop these Phorm-touting thieves from simply proxying the security certificate"

Hi, can you explain the background to this please a little, it sounds interesting but I do not fully understand how this breaches the SSL encryption.

Google for "Man in the Middle" attack.

SSL only really works if either or both of the following is true:

1) The customer has a unique certificate in their browser and the bank (or whatever) trusted site can check for that unique client cert.

2) The user checks that the SSL certificate of the site they are at matches the address bar.

If neither is true than all SSL gives you is a nice secure link to an imposter who relays your traffic to the end site, observing and altering at will.

Usually, neither is true, and thus SSL is not necessarily doing what you hope.

Rgds

Damon

[edited by: DamonHD at 11:15 pm (utc) on June 8, 2008]

I added a Creative Commons Attribution-No Derivative Works 3.0 Unported License on all my pages. I'm working on the assumption that if some rogue ISP inserts an ad they've "altered, transformed, or built upon the work". Not sure if this would stand up in court though. [creativecommons.org ]

I don't think this content molestation would stand up in court, copyright notice or not.

Just because you drive a bunch of people to the cinema doesn't mean you can sell your own concessions inside the theatre.

I don't think this content molestation would stand up in court

No probably not. At this point that's not an issue though because they are not proposing content molestation.

Charter (the source of this thread) is proposing spying. Not necessarily any better but an entirely different debate.

The trials that were run recently involved substituting Phorm's ads for those of publishers. As this forum is for Adsense publishers I think those financial issues have, rightly or wrongly, a more immediate impact than the general concerns over privacy.

Yes I heard about those trials, I was just making one last futile attempt to bring this thread (which is about Charter and their plans and was started and titled based on a misunderstanding) back to reality. ;-)

While spying on users is most probably morally if not legally wrong,
for adsense publishers the title of the post "ISPs to insert their own ads into websites" matters more than exactly what company does it (and will hurt us).

I'd love a statement from the bigger players like Google that they will not help those trying to substitute or inject ads to use their inventory to do so and see a little bit loyalty to us.

I for one am willing to start blocking ISPs doing this, but we need a good system to collect the data on what ISP is doing this and it needs to be reliable, and dynamic (e.g.: an ISP dropping out of such a system needs to have access again).

So either we wait till it becomes a real threat to our income or either we start to organize ourselves into an anti-ISP-inserted-ads coalition that provides tools to webmasters to arm themselves against them.

Cool. I think this is great. This means I can go down to Barne's and Noble and put a leaflet advertising my website in every magazine, book and newspaper I can find.

Well, no. But Barnes and Noble can.

Is it acceptable for third party companies to intercept, analyse, and redistribute your entire internet browsing history? IMO, this data is certain to be "personally identifiable" in the overwhelming majority of cases, and in any sense of that deliberately ambiguous phrase.

Hasn't this already been going on for a long time? Normally what I browse I want to see more of anyway so in reality I'm all for it.

As a site owner:

Is it acceptable for internet carriers to intercept and modify all of the internet traffic sent to your site users, in the interest of profiting from the habits of your users.

Other companies do it.

Take Kroger, a grocery chain. They give me a Kroger Plus Card which gives me better deals and in turn I give them my complete shopping history.

Take [ISP], a [service provider]. They give me [internet access] which gives me [internet] and in turn I give them my complete [browsing] history.

[edited by: StoutFiles at 3:11 pm (utc) on June 11, 2008]

Well, no. But Barnes and Noble can.

I doubt they can rip ads from magazines and replace them with theirs. It wouldn't take long for those magazines to ban distribution in that place.