BT 2006 trials of Phorm
Alexander Hanff
ukcrypto at chiark.greenend.org.uk
Thu, 5 Jun 2008 13:16:05 +0100
------=_Part_921_6258560.1212668165965
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Richard,
The closing statement gave me a good laugh. But in seriousness the proxy
based model they were using in 2006, in my mind actually damns them even
further. I calculated something along the line of 113 million breaches of
law over an 8 day period, based on 18.8M javascript insertions over the
period each seeming to breach 6 Acts/Regulations/Directives as follows:
PECR - Easy enough, regulation 6 and 7 appear to be knackered given that the
table on page 45 shows clearly that IP data was stored and in fact was
required to be stored for the proxy system to even begin to work, which
covers "traffic data".
RIPA - clear interception and modification of the communications.
CMA - I think even under the English version of Computer Misuse Act,
illustration of non compliance is reasonably trivial as I explained in my
dissertation. Clearly the JavaScript is a program that uses client side
resources as well as network resources and it would seem untenable for BT to
say they were not aware of what they were doing or how the system worked
considering they deployed the technology for a very specific purpose.
Copyright Designs and Patents Act - Well inserting the JavaScript is
creating a derivative works for starters.
Torts (Interference with Goods) Act - IF CMA is applicable then
realistically so should Interference with Goods be.
DPA - IP addresses were passed on to Phorm's kit and stored (the proxy
servers) and since IP is personally identifiable, it is covered by DPA.
Then of course as you stated there is definitely processing going on.
In some respect I wish this were the model they are currently trying to
deploy, fair enough we lose Fraud Act, but I feel the others should be a
"slam dunk".
Alexander Hanff
PS - Richard did you get my email re the protest?
2008/6/5 Richard Clayton <richard@highwayman.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> There is a newly arrived document on WikiLeaks (seems that crytome has
> lost street cred now that Home Office use them!). It appears to be an
> internal BT report assessing their 2006 trial of Phorm technology.
>
> <URL:http://www.wikileaks.org/wiki/British_Telecom_Phorm_Page_Sense_Exte
> rnal_Validation_report>
>
> A key point to make is that this trial used slightly different
> technology than the current Phorm system that I recently documented (it
> apparently appended a JavaScript tag to web pages and redirected the
> browser in such a way that the navigation bar in the browser "fluttered"
> and tags ended up in some web postings).
>
> It does seem to have been making use of cookies, but they were
> apparently placed on people's systems in an "honest" manner prior to the
> trial (viz: there was no forgery of other sites in order to trick the
> browsers into accepting them).
>
> An interesting sentence early on reads:
>
> Normally the PageSense system deploys cookies directly to user's
> machines. BT Broadband terms and conditions prevented this approach.
>
> Looking at BT's current T&C's I find it hard to identify if they have
> changed anything yet. The business conditions:
>
> http://www.btbroadbandoffice.com/broadband/terms_busi
>
> don't seem changed in any relevant way from what I can locate on
> www.archive.org for 2006. The consumer T&C's are on the page
>
> http://www.productsandservices.bt.com/consumerProducts/dynamicmodules/pa
> gecontentfooter/pageContentFooterPopup.jsp?pagecontentfooter_popupid=134<http://www.productsandservices.bt.com/consumerProducts/dynamicmodules/pagecontentfooter/pageContentFooterPopup.jsp?pagecontentfooter_popupid=134>
> 08
>
> (!) but seem to have been somewhere else prior to April 2007, so I
> haven't managed to do a comparison to see if these are changed :(
>
>
> Anyway --- back to the 2006 trial. The trial was secret, in that users
> were experimented upon without their knowledge or consent (which is
> generally felt to have been illegal [even with consent it is FIPR and
> others view that is illegal -- without consent I can't see much doubt]).
>
> Also, the trial involved the building of browsing histories and the
> serving of ads on the basis of that history -- which seems to run
> counter to earlier assurances by BT as to the nature of the trial:
>
> http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/
>
> "Absolutely no personally identifiable information was processed,
> stored or disclosed during this trial"
>
> The "disclosed" has already been shown to be dubious (because of the way
> that the technology worked at that time), although the dates don't match
> well, it seems to be much the same technology:
>
> http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?2676.20
>
> [of course the identifiers in the cookies can be leaked in the current
> system as well, which is one of the (many) objections to it].
>
> We can now see from the internal document that "processed" is also false
> (the system used the data in order to build browsing histories):
>
> Which makes the only thing left intact from BT's statement is the lack
> of "storage" (the Phorm system records a distilled down profile against
> your personal identifier).... hmmmmm
>
> There's much more in the document, but this is a long enough message
> already, so I shall just note that the document contains the throw-away
> line "communications regarding advertisement systems and information
> collection could lead to negative perception if not carefully handled".
>
> <URL:http://www.urbandictionary.com/define.php?term=no+shit+sherlock>
> - --
> richard Richard Clayton
>
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. Benjamin Franklin
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPsdk version 1.7.1
>
> iQA/AwUBSEfQh5oAxkTY1oPiEQLjEQCgjp/IjSz0jyqZCtveeH/J0gWkh9QAnilH
> mmS6PUjmgRnarzY6ipl1XCA9
> =de0C
> -----END PGP SIGNATURE-----
>
>
------=_Part_921_6258560.1212668165965
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Richard,<br><br>The closing statement gave me a good laugh. But in seriousness the proxy based model they were using in 2006, in my mind actually damns them even further. I calculated something along the line of 113 million breaches of law over an 8 day period, based on 18.8M javascript insertions over the period each seeming to breach 6 Acts/Regulations/Directives as follows:<br>
<br>PECR - Easy enough, regulation 6 and 7 appear to be knackered given that the table on page 45 shows clearly that IP data was stored and in fact was required to be stored for the proxy system to even begin to work, which covers "traffic data".<br>
<br>RIPA - clear interception and modification of the communications.<br><br>CMA - I think even under the English version of Computer Misuse Act, illustration of non compliance is reasonably trivial as I explained in my dissertation. Clearly the JavaScript is a program that uses client side resources as well as network resources and it would seem untenable for BT to say they were not aware of what they were doing or how the system worked considering they deployed the technology for a very specific purpose.<br>
<br>Copyright Designs and Patents Act - Well inserting the JavaScript is creating a derivative works for starters.<br><br>Torts (Interference with Goods) Act - IF CMA is applicable then realistically so should Interference with Goods be.<br>
<br>DPA - IP addresses were passed on to Phorm's kit and stored (the proxy servers) and since IP is personally identifiable, it is covered by DPA. Then of course as you stated there is definitely processing going on.<br>
<br>In some respect I wish this were the model they are currently trying to deploy, fair enough we lose Fraud Act, but I feel the others should be a "slam dunk".<br><br>Alexander Hanff<br>PS - Richard did you get my email re the protest?<br>
<br><div class="gmail_quote">2008/6/5 Richard Clayton <<a href="mailto:richard@highwayman.com">richard@highwayman.com</a>>:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
There is a newly arrived document on WikiLeaks (seems that crytome has<br>
lost street cred now that Home Office use them!). It appears to be an<br>
internal BT report assessing their 2006 trial of Phorm technology.<br>
<br>
<URL:<a href="http://www.wikileaks.org/wiki/British_Telecom_Phorm_Page_Sense_Exte" target="_blank">http://www.wikileaks.org/wiki/British_Telecom_Phorm_Page_Sense_Exte</a><br>
rnal_Validation_report><br>
<br>
A key point to make is that this trial used slightly different<br>
technology than the current Phorm system that I recently documented (it<br>
apparently appended a JavaScript tag to web pages and redirected the<br>
browser in such a way that the navigation bar in the browser "fluttered"<br>
and tags ended up in some web postings).<br>
<br>
It does seem to have been making use of cookies, but they were<br>
apparently placed on people's systems in an "honest" manner prior to the<br>
trial (viz: there was no forgery of other sites in order to trick the<br>
browsers into accepting them).<br>
<br>
An interesting sentence early on reads:<br>
<br>
Normally the PageSense system deploys cookies directly to user's<br>
machines. BT Broadband terms and conditions prevented this approach.<br>
<br>
Looking at BT's current T&C's I find it hard to identify if they have<br>
changed anything yet. The business conditions:<br>
<br>
<a href="http://www.btbroadbandoffice.com/broadband/terms_busi" target="_blank">http://www.btbroadbandoffice.com/broadband/terms_busi</a><br>
<br>
don't seem changed in any relevant way from what I can locate on<br>
<a href="http://www.archive.org" target="_blank">www.archive.org</a> for 2006. The consumer T&C's are on the page<br>
<br>
<a href="http://www.productsandservices.bt.com/consumerProducts/dynamicmodules/pagecontentfooter/pageContentFooterPopup.jsp?pagecontentfooter_popupid=134" target="_blank">http://www.productsandservices.bt.com/consumerProducts/dynamicmodules/pa<br>
gecontentfooter/pageContentFooterPopup.jsp?pagecontentfooter_popupid=134</a><br>
08<br>
<br>
(!) but seem to have been somewhere else prior to April 2007, so I<br>
haven't managed to do a comparison to see if these are changed :(<br>
<br>
<br>
Anyway --- back to the 2006 trial. The trial was secret, in that users<br>
were experimented upon without their knowledge or consent (which is<br>
generally felt to have been illegal [even with consent it is FIPR and<br>
others view that is illegal -- without consent I can't see much doubt]).<br>
<br>
Also, the trial involved the building of browsing histories and the<br>
serving of ads on the basis of that history -- which seems to run<br>
counter to earlier assurances by BT as to the nature of the trial:<br>
<br>
<a href="http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/" target="_blank">http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/</a><br>
<br>
"Absolutely no personally identifiable information was processed,<br>
stored or disclosed during this trial"<br>
<br>
The "disclosed" has already been shown to be dubious (because of the way<br>
that the technology worked at that time), although the dates don't match<br>
well, it seems to be much the same technology:<br>
<br>
<a href="http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?2676.20" target="_blank">http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?2676.20</a><br>
<br>
[of course the identifiers in the cookies can be leaked in the current<br>
system as well, which is one of the (many) objections to it].<br>
<br>
We can now see from the internal document that "processed" is also false<br>
(the system used the data in order to build browsing histories):<br>
<br>
Which makes the only thing left intact from BT's statement is the lack<br>
of "storage" (the Phorm system records a distilled down profile against<br>
your personal identifier).... hmmmmm<br>
<br>
There's much more in the document, but this is a long enough message<br>
already, so I shall just note that the document contains the throw-away<br>
line "communications regarding advertisement systems and information<br>
collection could lead to negative perception if not carefully handled".<br>
<br>
<URL:<a href="http://www.urbandictionary.com/define.php?term=no+shit+sherlock" target="_blank">http://www.urbandictionary.com/define.php?term=no+shit+sherlock</a>><br>
- --<br>
richard Richard Clayton<br>
<br>
They that can give up essential liberty to obtain a little temporary<br>
safety deserve neither liberty nor safety. Benjamin Franklin<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: PGPsdk version 1.7.1<br>
<br>
iQA/AwUBSEfQh5oAxkTY1oPiEQLjEQCgjp/IjSz0jyqZCtveeH/J0gWkh9QAnilH<br>
mmS6PUjmgRnarzY6ipl1XCA9<br>
=de0C<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br>
------=_Part_921_6258560.1212668165965--