Do all bad things on the Internet begin with a P H?
We're all familiar with phishing - an attempt to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

You may also have heard of pharming - a type of attack aiming to redirect a website's traffic to another, bogus website by manipulating the local hosts file or by exploiting vulnerable DNS servers.

Here's another bad ph to add to that list - Phorm - but, unlike the others, this one comes in the apparent guise of a respectable, commercial enterprise.

Phorm is a system which several large UK ISPs (including BT and Virgin Media) plan to implement to deliver targeted advertising to their users. Nothing too sinister there, you might think. Google's been doing something similar for years by showing ads relevant to the keywords you just used in a search.

Phorm is different, though, because where Google's targeted ads are targeted in a largely passive way, Phorm's targeted ads are placed as a result of the interception of live Internet traffic while you are using your computer.

Please just pause to take that in.

Every bit of unencrypted Internet content that is requested by and delivered to your computer is intercepted, passed through a Phorm appliance at your ISP and stored for later reference, although this storage is said by Phorm to be temporary.

The captured data is clearly much richer than the handful of keywords that Google has to go on, and that richness has the potential to expose the content of every unencrypted web page, email, instant message and so on viewed by any user to scrutiny by a third party.

The privacy issues here should be very obvious.

Data captured by Phorm is said to be anonymised, though it is difficult to see how this can be guaranteed when the content of web pages, and elements of the URL in many cases, contain data that exposes someone's identity (think Flickr, del.icio.us and other services where your username forms part of the URL).

The final piece of the Phorm puzzle, having gone to the trouble of intercepting and anonymising your communications, is how to associate the captured data with a particular user. This would on the face of things appear to be a contradictory aim. We can't on the one hand strip all evidence of identity from a body of data, while on the other hand continuing to associate that data with one individual, can we?

Phorm's answer to this is to store a cookie in the browser of the user. This cookie uses a random number, and the same random number is also associated with intercepted browsing data on the Phorm appliance.

Users are said to be able to opt out by requesting a Phorm blocking cookie and storing it in their browser.

You can already see the obvious problems here.

Firstly, all cookies are volatile and associated with a single browser in a single user profile on a single computer. To block Phorm for every member of a household would require that every browser used by every user profile on every computer made an individual request for the blocking cookie. This would have to be repeated at intervals because cookies expire or get deleted during housekeeping. This is so onerous that the effective default condition for Phorm would therefore appear to be on, not off.

Secondly, cookies are a client-side thing, whereas the collection of data by Phorm happens in the ISP's data centre. All that a blocking cookie will accomplish, assuming it does what it says it does, is prevent the association by Phorm of collected data with a particular browser being used by a specific user of one computer. It does not prevent the collection of that data in the first place, and we have already established that it simply isn't feasible to anonymise all such data, no matter how well-intentioned the stated policy of doing so happens to be.

In any case, it isn't just browsers that request HTTP objects. You can't set a blocking cookie in your email client. And virtually every other application on your computer these days will attempt an HTTP connection at some point, in order to check for updates or provide help. All of this data will end up getting sucked up and stored by Phorm.

And it just keeps getting worse.

It transpires that Phorm has, well, form.

Phorm's predecessor company (121 Media) was associated with a rootkit. And guess what that rootkit did? Yes, contextual advertising.

Phorm itself may even be illegal - contravening certain provisions of the Regulation of Investigatory Powers Act. Legal opinion given by the Foundation for Information Policy Research clearly thinks so.

"The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle within the legislation [RIPA], and it cannot be lightly ignored or treated as a technicality," said Nicholas Bohm, general counsel at FIPR.

Richard Clayton, treasurer at FIPR, added: "The Phorm system is highly intrusive; it's like the Post Office opening all my letters to see what I'm interested in, merely so that I can be sent a better class of junk mail.

"Not surprisingly, when you look closely, this activity turns out to be illegal."

So, what's to be done?

Firstly, UK residents who find the prospect of this type of invasion of privacy unacceptable can sign a petition and say so. There are nearly 8,000 signatures already at the time of writing.

Secondly, if you are a customer of one of the ISPs planning to use Phorm and you are able and willing to switch to an ISP with some sense, then do so. If you can't switch then write to your ISP and complain.

Thirdly, there are some simple countermeasures which you can take, though these will not prevent the harvesting of your information. They will simply block the cookie which associates it back with you, and so obviate the need for a blocking cookie. These are not solutions, but they afford a small measure of protection.

  • Either you could install the Dephormation plugin for Firefox. This is a partial solution but will not protect non-Firefox browsers and would need to be installed in every user profile on every computer to be effective.

  • Or you can just block all traffic to and from www.webwise.net, which is the domain that delivers the Phorm cookies.

The latter is most easily done if you are an OpenDNS user by just adding webwise.net to your blocked domains list.

Otherwise you could add www.webwise.net to the local hosts file on all your computers with an address of 127.0.0.1. This, ironically, is somewhat like a pharming attack against Phorm.
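The hosts-file countermeasure above, as an added example that is not part of the original post: a small POSIX shell script that adds loopback entries for a domain idempotently, checks that only whole-name matches count, and can remove exactly the lines it added. The function names and the marker comment are my own choices, and the hosts file path is passed in so it can be tried on a scratch copy without root.

```shell
#!/bin/sh
# Added example, not code from the original post: manage loopback
# entries for a domain in a hosts file so that requests for it never
# leave the machine. Pass a writable copy of the file to try it without
# root; the real file is /etc/hosts on Unix-like systems.

# escape_re DOMAIN: escape the dots so the name is a literal in a regex.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# is_blocked HOSTS_FILE DOMAIN
# Succeeds when a line maps DOMAIN to 127.0.0.1 or ::1. The match is
# whole-word, so "webwise.net" does not count as "www.webwise.net".
is_blocked() {
    grep -E "^[[:space:]]*(127\.0\.0\.1|::1)[[:space:]]+([^#]*[[:space:]])?$(escape_re "$2")([[:space:]]|\$)" \
        "$1" >/dev/null 2>&1
}

# block_domain HOSTS_FILE DOMAIN
# Appends IPv4 and IPv6 loopback entries for DOMAIN unless it is already
# blocked, so repeated runs never duplicate lines. The trailing marker
# comment lets unblock_domain find exactly the lines it added.
block_domain() {
    hosts="$1"; domain="$2"
    [ -f "$hosts" ] || touch "$hosts"
    is_blocked "$hosts" "$domain" && return 0
    printf '127.0.0.1\t%s\t# blocked (added by block_domain)\n' "$domain" >> "$hosts"
    printf '::1\t%s\t# blocked (added by block_domain)\n' "$domain" >> "$hosts"
    is_blocked "$hosts" "$domain"
}

# unblock_domain HOSTS_FILE DOMAIN
# Removes only the marked lines for DOMAIN, leaving every other entry
# (localhost, hand-written hosts) untouched.
unblock_domain() {
    hosts="$1"; domain="$2"; tmp="$hosts.tmp.$$"
    grep -vE "[[:space:]]$(escape_re "$domain")[[:space:]]+# blocked \(added by block_domain\)\$" \
        "$hosts" > "$tmp" || :
    mv "$tmp" "$hosts"
    ! is_blocked "$hosts" "$domain"
}

# Typical use, as root:  block_domain /etc/hosts www.webwise.net
```

Source the file in a shell and call `block_domain /etc/hosts www.webwise.net` as root; the same entries must be added on every computer in the household, which is the limitation the post points out.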

Sometimes attack really is the best form of defence.

Category: Phorm

Comments:

1. Duffbert, 21/03/2008 03:50:31
Homepage: http://www.duffbert.com

As always, thanks for the great information (in a way we developer types can understand). :)


2. Phorm Comms Team, 25/03/2008 11:29:41
Homepage: http://www.phorm.com

Hi Chris

Thanks for raising these issues, especially concerning FIPR.

Phorm doesn't agree with FIPR's analysis. And its description of the Phorm system is inaccurate. Our technology complies with the Data Protection Act, RIPA and other applicable UK laws. We've sought our own legal opinions as well as consulted widely with experts such as Ernst & Young, 80/20 Strategic Thinking, the Home Office, Ofcom and the Information Commissioner's Office (ICO). We discussed our system with the ICO prior to launching it and continue to be in dialogue with the organisation.

You can ask questions about the system and get loads more information by visiting http://blog.webwise.com, www.webwise.com or www.phorm.com.


3. phormwatch, 03/04/2008 22:28:35
Homepage: http://phormwatch.blogspot.com/

The Phorm PR team - AKA the Phorm 'Comm' team - have been posting cookie cutter responses all over the web to counter the negative publicity surrounding their spyware system.

If you Google for 'we don't agree with FIPR's analysis. And its description of the Phorm system is inaccurate.' for example, Google will return no less than three websites with the same text.

That text is just part of one of quite a few cookie cutter responses which don't actually address any issues, and are in fact sometimes outright misleading.

For example, Phorm claims that anyone can 'opt-out' of their system. In fact, users can only 'opt-out' of being served targeted ads. They cannot 'opt-out' of having their data pass through Phorm servers.

The RIPA act forbids the interception of electronic communications by a third party unless both parties consent. It is irrelevant whether the data is anonymised or processed in a way that cannot individually identify users. RIPA makes no such provision for interception. Furthermore, whose legal opinion are you going to trust regarding privacy issues? FIPR or Phorm -- a company whose CEO formerly ran a spyware company?

Ernst & Young audited Phorm spyware technology to American, not UK, standards. Furthermore, this is the same auditing company which audited Enron's finances before the scandal and subsequent collapse of the company.

If you genuinely want more information about Phorm's OIX spyware technology, a good place to look is the Register. All you will find on webwise.com is Phorm PR.

4. Steve, 10/05/2008 14:47:43

Er... Hello Phorm Comms (PR) Team. You do spring up in the most unlikely of places LOL

Right, everyone reading this... Be aware that Kent Ertugrul (CEO of Phorm) is a plonker. Secondly, his Comms (cough... PR) Team are also not very clever people. They, the expert PR team, thought it would be ok to "edit out" true facts about Phorm on Wikipedia. This was spotted and changed back. The Phorm Comms (PR) Team admitted their very wrong act of trying to get rid of statements that were true about Phorm.

Now, of the 3 UK ISPs who Phorm claimed to have signed deals with, 1 quickly pulled out of the automatic "Opt In" which Phorm planned (that's Talk Talk/Carphone Warehouse). Another, Virgin Media, has recently announced, in a clarifying press release, that they are under no obligation to implement Phorm (but don't think that is the end of it with VM... we need to watch them).

The third ISP, BT, started a web forum for customers to ask questions. And they promised to give answers too. They did give answers, then they stopped giving answers! Then they closed the forum down. A new one was started. Naughty BT, they cannot silence the opposition to this.

Finally, and this is the juicy bit... BT ran a trial of Phorm technology in 2006, then another in 2007. Did they ask or tell their customers? No. They did it secretly.

What is Phorm? It's a way of listening in, on everything you do, on the internet. It's like the operator listening to every telephone call you make or receive. It's like Royal Mail, opening every letter and jotting down key points about you before they deliver the letter.

Phorm, previously 121Media, have a history of spyware/adware and a nasty way of hiding their software using something called a rootkit. Not nice.

And they are not nice. Kent is a nasty piece of work (go back and watch him on the BBC Click TV programme 3rd May... The interviewer did not make a joke about the temperature during the interview with Alexander Hoff for nothing)

Who is Alexander Hoff? Well, he wrote a paper about the legality (or maybe I should say "Illegality") of Phorm implementation.

You can read much more (there's A LOT) on the Cable Forum where this has been debated strongly. You'll even see the wonderful Phorm Comms Team in action (although they have given up there due to losing every argument with people that understand technology and the law!)

Remember please that whilst they may like to say you can "switch webwise off" that does not stop them being there - between you and the internet. It's like them intercepting your phone call but not listening whilst you've told them not to. Can you be sure they won't listen? They're there, in the middle - once they are there, you cannot actually get them out even if you tell them not to listen in (look up "Network Layer 7" if you want to understand that more)

And finally, although I strongly believe this will be found to be illegal, we need your support:

Over 12,000 people have signed the Downing Street Prime Minister Petition. Please join them.

http://petitions.pm.gov.uk/ispphorm/

Write to your MP, tell them you think that Phorm is wrong.

And head over to the Cable Forum, there's lots to learn about this. Please join us. We need to stop Phorm.

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated.html

PS. Before anyone starts to argue with any of the above, I've heard all the arguments in favour of sitting back and doing nothing. None of them impress me. If you think Google is the same as Phorm for tracking your behaviour, for spying on you etc... Well, Google has its own issues, but it's not a patch on the loss of privacy you get if Phorm gets going.

Ste.