BT 2006 trials of Phorm

Alexander Hanff ukcrypto at chiark.greenend.org.uk
Thu, 5 Jun 2008 13:43:03 +0100



Oh I almost forgot.  With regard to posting the full report to Wikileaks it
was simply the first place I thought of.  I got home with the loose pages in
my hand having read them on the train and realised I needed to get them into
the public domain as soon as possible given the amount of sabre rattling
coming from Phorm's direction in recent weeks (I have heard multiple stories
of attempts to have press items blocked from being published).  So I scanned
the pages and uploaded as quickly as I could.

Alexander Hanff

2008/6/5 Richard Clayton <richard@highwayman.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> There is a newly arrived document on WikiLeaks (seems that cryptome has
> lost street cred now that Home Office use them!). It appears to be an
> internal BT report assessing their 2006 trial of Phorm technology.
>
> <URL:http://www.wikileaks.org/wiki/British_Telecom_Phorm_Page_Sense_External_Validation_report>
>
> A key point to make is that this trial used slightly different
> technology than the current Phorm system that I recently documented (it
> apparently appended a JavaScript tag to web pages and redirected the
> browser in such a way that the navigation bar in the browser "fluttered"
> and tags ended up in some web postings).
>
> It does seem to have been making use of cookies, but they were
> apparently placed on people's systems in an "honest" manner prior to the
> trial (viz: there was no forgery of other sites in order to trick the
> browsers into accepting them).
>
> An interesting sentence early on reads:
>
>   Normally the PageSense system deploys cookies directly to user's
>   machines. BT Broadband terms and conditions prevented this approach.
>
> Looking at BT's current T&C's I find it hard to identify if they have
> changed anything yet. The business conditions:
>
>   http://www.btbroadbandoffice.com/broadband/terms_busi
>
> don't seem changed in any relevant way from what I can locate on
> www.archive.org for 2006.  The consumer T&C's are on the page
>
> http://www.productsandservices.bt.com/consumerProducts/dynamicmodules/pagecontentfooter/pageContentFooterPopup.jsp?pagecontentfooter_popupid=13408
>
> (!) but seem to have been somewhere else prior to April 2007, so I
> haven't managed to do a comparison to see if these are changed :(
>
>
> Anyway --- back to the 2006 trial. The trial was secret, in that users
> were experimented upon without their knowledge or consent (which is
> generally felt to have been illegal [even with consent it is FIPR's and
> others' view that it is illegal -- without consent I can't see much doubt]).
>
> Also, the trial involved the building of browsing histories and the
> serving of ads on the basis of that history -- which seems to run
> counter to earlier assurances by BT as to the nature of the trial:
>
> http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/
>
>   "Absolutely no personally identifiable information was processed,
>   stored or disclosed during this trial"
>
> The "disclosed" has already been shown to be dubious (because of the way
> that the technology worked at that time), although the dates don't match
> well, it seems to be much the same technology:
>
> http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?2676.20
>
> [of course the identifiers in the cookies can be leaked in the current
> system as well, which is one of the (many) objections to it].
>
> We can now see from the internal document that "processed" is also false
> (the system used the data in order to build browsing histories):
>
> Which makes the only thing left intact from BT's statement the lack
> of "storage" (the Phorm system records a distilled down profile against
> your personal identifier).... hmmmmm
>
> There's much more in the document, but this is a long enough message
> already, so I shall just note that the document contains the throw-away
> line "communications regarding advertisement systems and information
> collection could lead to negative perception if not carefully handled".
>
> <URL:http://www.urbandictionary.com/define.php?term=no+shit+sherlock>
> - --
> richard                                              Richard Clayton
>
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety.         Benjamin Franklin
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPsdk version 1.7.1
>
> iQA/AwUBSEfQh5oAxkTY1oPiEQLjEQCgjp/IjSz0jyqZCtveeH/J0gWkh9QAnilH
> mmS6PUjmgRnarzY6ipl1XCA9
> =de0C
> -----END PGP SIGNATURE-----
>
>
