Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

Ouch

[mrbluze]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Re:Ouch

[KnightMB]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures. You'll find the site here: http://wanip.org/anti-nebuad/ [wanip.org] in which every browser becomes a data-mining polluter when it's run. Get enough those on a suspect ISP and watch the CEO's have a heart attack from the "pollution attack".

Re:Ouch

[EvilMonkeySlayer]

Looking at the site it appears to be pretty easy for phorm here, all they'd need do is do a simple domain lookup. If it doesn't exist they filter it out.

If it doesn't exist then it's generated by this, since all it does is randomly create addresses. It'd be better if it just loaded random websites. Of course, that'd eat up a lot more of the users bandwidth though.

Re:Ouch

[Janos421]

The browsed pages do not exist, so you never download pictures or js files. It's very easy for an ISP to filter these requests, they can filter the HTTP response code.
Two FF exntensions generate fake queries on search segines to pollute the collected data (at search engine level, but it also pollute ISP data). SquiggleSR [mozilla.org] and TrackMeNot [mozilla.org]. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.

Re:

[flacco]

That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures.

You're not being cynical/paranoid enough. You assume the motivation is strictly economic, while it actually might be a cover for plain ol' surveillance. "Extra data" isn't as damaging in this scenario, where they are monitoring you for specific behavior.

Re:Ouch

[siddesu]

not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

in which case, thicker tinfoil will also be necessary.

Re:

[timeOday]

I agree this calls for encryption. ISPs and routers should ONLY be able to see what they need to see - IP routing information. They shouldn't be able to see content, nor port numbers. But I am unsure whether ssl provides this, and how much compute horsepower would be required for big servers to ssl everything.

Re:

[hasdikarlsam]

SSL doesn't, IPSec does. Sadly, the latter is hardly ever used.

IPv6 is supposed to have IPSec as a required element. I don't know how much this means; whether it'll actually be *used*, and resist MITM attacks.

Re:

[Lennie]

I thought SSL MITM isn't possible, could you please point me to a page explaining how that works ?

Atleast when certificates are properly checked it shouldn't be possible.

Re:

[Shakrai]

I thought SSL MITM isn't possible, could you please point me to a page explaining how that works ?

Atleast when certificates are properly checked it shouldn't be possible.

You just explained how it's possible.

Re:Ouch

[Dark Kenshin]

Of course is won't. If a private person were to develop and test this out, he would likely be spending the next 20 years in prison (looking less and less "exaggerated" as time goes on.) The fact that this is for cooperate gains; it will be largely over looked. Yes, I might be lost in cynicism, but life seems to be supporting my case thus far.

Re:Ouch

[MindKata]

"realistically lead to legal action against BT"

Legal action strong enough to totally stop them is unlikely, as the power seekers who run a lot of countries unfortunately seem to be rushing towards building their own Big Brother, so as they make the rules, they choose whats considered legal. So they simply need to change the laws, which is what they keep doing. It seems nearly every week now we are getting ever more stories of new grabs for information and/or power over people. At this rate, 2008 should go down in history as the start of a Worldwide Big Brother.

Its ironic that our so called free countries appear to be building Big Brother as fast, if not faster than other countries. Maybe we just have better technology. Its also ironic that the war on terrorists is a war against people who wish to force others into their point of view. Yet now the people already in power are seeking to clamp down and hold control over everyone. Its like all of us who don't seek power are caught up in a power struggle between the different groups of power seekers who do seek to impose their views on everyone.

I guess the ones in power in some way fear some lost of power, as it can't be just about protecting us. Its got to be about seeking more power, which is what they do thoughout their political lives and all of us who don't seek power are not going to be heard by them. Especially as most people don't seem to even see how much harm can be done with so much power and no way to tell them they are behaving unfairly. They are becoming like a machine which is loosing its feedback mechanism and so running towards ever more extremes.

Re:Ouch

[aproposofwhat]

I came up with this as a concept in 2000, when layer 7 switching was just becoming economically feasible for a startup ISP.

It never flew, because the people I was dealing with weren't complete cunts.

From the document: The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system.

So not only are the bastards hijacking our traffic, they are overwriting paid-for charity ads as well.

I repeat, CUNTS!

Re:Ouch

[mikael]

By their own admission a leading UK telecoms company has deprived several charities of a legal revenue stream to line their own corporate pockets.

Given the outrage following the several Audiocall staff kept 100K of children in need cash for itself [thisislondon.co.uk], I hope BT get the same treatment.

Re:

[tagishsimon]

It's always worth reading the document first.

121Media, who ran the trial, placed charity ads (at its own expense) on a number of websites, and then intercepted them and replaced them with commercial or other charity adverts on the fly. Thus they were replacing their own adverts /and/ serving the charity adverts to those who viewed the web pages and were not in the trial.

Thus there is no question of damage to charities, quite the contrary; nor to websites advertising revenues.

There is, though, the privacy is

Re:And created a copyright violation

[Jason Levine]

I think it is actually worse than copyright violation. It is fraud. When I have an ad on my website, it is an indicator that I either a) really like the product/service the advertised company is providing, b) will profit from viewing/clicking the ad, or c) really think that the charity being advertised is worthwhile. Phorm ads wouldn't fit any of those categories and yet are purposefully being injected into pages to make it look like A, B, or C are true. It is giving the impression of me approving/profiting from an ad that I am not approving and profiting from. In addition, it is taking money out of my pocket (or a charity's pocket) to make Phorm money. That's fraudulent activity in my book.

Re:And created a copyright violation

[mikael]

This was discussed in the forum digitalspy.co.uk

Phorm in the UK [digitalspy.co.uk]

One business user was updating the website for his home business. He used his home network connection to inspect the appearance of his website. To his surprise, he could not understand why the format of his website was consistently different from what he had intended. Disturbed by this, he reinstalled the OS on all his servers in fear of being rootkitted, rechecked all his security settings, reconfigured his firewall, and performed a packet trace on every connection made. In the end he noticed that various links on his webpages were being changed and that in particular some were coming from dns.sysip.net. Basically, this system redirected any links to adverts back to Phorm servers.

Customer who was Phormed [adslguide.org.uk]

Re:

[mabhatter654]

the EU has already rule against Google for selling ads that do just that in generic Google Ads blocks on sites. I'd say they're already breaking the law.

Re:Ouch

[Jellybob]

So if I had an ad-funded website (unlikely in the current climate, but stick with me) Phorm would be screwing me out of the money I'd make for those ads, but replacing them with there own.

Something tells me that if I did the same thing with a billboard - charging customers for me to go out and paste their adverts over the top of paid for adverts at night - Clear Channel would quite quickly be attempting to sue me.

Re:

[XenoPhage]

Something tells me that if I did the same thing with a billboard - charging customers for me to go out and paste their adverts over the top of paid for adverts at night - Clear Channel would quite quickly be attempting to sue me.

What an awesome idea. I'm going to develop glasses and windshields that identify billboards and replace them with ads chosen by the car and glasses manufacturers.. I'll make millions!

Advertisement Injection

[TheMeuge]

So let me see - if I am paying for bandwidth (which will soon be metered), and my ISP in injecting its ads into the webpages I am requesting, then the ISP is running down my bandwidth on purpose?

Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?

I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.

Re:Advertisement Injection

[Rhys]

If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

Re:Advertisement Injection

[QUILz]

They could still hijack SSL/TLS sessions if users aren't paying any attention to warnings.

Re:Advertisement Injection

[Ed Avis]

Doing man-in-the middle attacks on SSL connections is beyond the technical ability of ISPs, even if users don't bother to check certificates. And the potential for them to get in trouble for it is a lot higher (e.g. if they ended up intercepting financial information, and then the ISP's servers got cracked...). So https is still the right answer here.

It's 2008, why aren't most websites just using https by default? A low-volume site can handle the load with today's superfast CPUs, and high-volume sites can afford to buy one of those crypto engine thingies.

Re:

[Nursie]

"It's 2008, why aren't most websites just using https by default?"

Because you have to go to a third party and pay them money. That would be the problem. We don't (AFAIK) have a free signer with a widely distributed public certificate at present.

AFAIK, anyway.

Re:Advertisement Injection

[Ed Avis]

Yeah it sucks that you have to either pay money or endure scary messages from the web browser. There should be a way to label your site as self-signed where it wouldn't get the special secure icon or magic green glowing bar in the web browser, but on the other hand the user wouldn't be pestered about an invalid certificate (unless the cert offered really has changed since last time the user visited the site).

Re:Advertisement Injection

[Nursie]

I like that idea actually.

A sort of "You probably shouldn't trust me that much, but at least nobody's eavesdropping or screwing with the datastream" setting.

Re:

[VC]

Actually its a terrible idea. SSL only works because you know that the connection is encrypted between you and the person you're talking to. SSL to an untrusted host is just as bad as no ssl because the man-in-the-middle (which is kind of the definition of an ISP) could easily produce a certificate that says, "hey, I'm what ever page you wanted to look at". And the insert ads.

Re:

[Nursie]

Yeah, you're right.

Perhaps a way to take most of the load off the server would be to have trusted certificate but use an RSA_NULL_SHA1 ciphersuite where secrecy isn't important but authentication and integrity are.

Re:

[Albanach]

The CPU requirements of serving large numbers of encrypted pages are massive in comparison to non encrypted pages.

You need to spend CPU cycles encrypting each page for each browser rather than just firing the same data in response to multiple requests,often from a cache.

To make matters worse, browsers for good reason won't cache data received over SSL, so each page view sees much more data having to be served.

Re:

[Nursie]

True, it does up the processing requirements and that could prove costly or even impractical for some high traffic sites. And would increase the bandwidth needed.

But maybe it's a direction we should be heading in when it looks like we are going to have ever-increasing difficulty in trusting that what we're receiving is what the originator actually sent.

Maybe sometime the backbones decide they want a piece of the action, hell, maybe some government decide that company X isn't using any of the infrastructure

Re:Advertisement Injection

[Albanach]

A possible solution would be opportunistic encryption [wikipedia.org]. It would allow some sites to serve encrypted traffic without changing anything at the apache/squid end of things. No change is needed at the browser level either, and cache's can still be used.

There's still a cpu overhead, but at least we don't lose all the other methods needed to keep http traffic flowing quickly.

Re:Advertisement Injection

[jonaskoelker]

You could do something almost good enough, though, that's done completely on the client side:

Let's say you're sending index.html. Take a hash of the page, put the hash early on the page.

In the bottom of the page, insert javascript code that removes the hash value, hashes the page, and compares it to the removed hash. If they mismatch, do an alert("warning: the page has been tampered with since it left Foocorp.com's servers."). The hash function doesn't have to be overly secure; here is actually a good time to write your own bad crypto.

The ISP would then have a hard time modifying the page, because they would have to generate the hash value of the modified page before seeing the page they want to modify only slightly.

They could, of course, buffer the whole page (if the server sends it out, or it could spoof your ACKs) and run the javascript on their modified version to compute the hash function. But how are they to know which functions to call? Include an infinite loop and some exploits that you never call yourself if you want to be really disruptive.

Re:

[Urban Garlic]

> AFAIK, anyway.

I believe you're right, for normal values of "widely distributed", but I am aware of a promising candidate. Cacert.org provides free authority certificates, and their root certificates are bundled with Debian, and some other Linux distros. If the Firefox guys got on board, this could work.

Re:

[saigon_from_europe]

We don't (AFAIK) have a free signer with a widely distributed public certificate at present.

I've heard that BT is willing to do that for free...

Re:

[Timothy Brownawell]

Perfectly feasible if the users get enough annoying pop-ups that they just click OK on the "invalid certificate" warning, or if they have an installer that adds extra ssl root certificates.

Re:

[Abcd1234]

Perfectly feasible if the users get enough annoying pop-ups that they just click OK on the "invalid certificate" warning

Which is why FF3 makes it so much more difficult to accept an invalid certificate.

Re:

[TheLinuxSRC]

It's 2008, why aren't most websites just using https by default?

Certificates cost money. In order to have an encrypted site that does not pop up a warning about unauthenticated certificates, you have to buy a certificate rather than generate your own. As an example (warning: shameless plug) visit https://pagewash.com/ [pagewash.com] (in Firefox 3.0 it not only gives a warning, but actually shows an "error" page.

If you do not buy one, many people will view your "safer" site as unsafe and simply not visit it.

Re:

[v3rgEz]

Hard? No. Extremely unscalable, particularly at the ISP level? Absolutely, plus that's opening another whole can of worms that most ISPs (today) aren't willing to open (see above re: private banking information concerns, for example). Of course, who would have thought they'd have the sheer chutzpah to replace other sites ads and, you know, threaten the very basis of much of the Internet economy? I sure didn't, even knowing it was technically possible.

Re:Advertisement Injection

[nuzak]

Once advertisers and web sites see a sizable percentage of their advertising being siphoned off and replaced by ads financially benefitting nobody but the ISP's, you'll start seeing more web sites using https.

No, you will see more lawsuits.

Advertisers paid for their ads to be served. Phorm is theft.

Re:

[Stewie241]

I don't necessarily trust the ISP's JavaScript either... leave my pages alone thank you very much.

Glad I have a small ISP that likely won't do this, but I wonder if this means that random routers across the internet can use this to inject code into web pages.

Misrepresentation

[Rob T Firefly]

There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

Loss of Common Carrier Exemption?

[OmniGeek]

It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.

Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?

Re:Loss of Common Carrier Exemption?

[Red Flayer]

It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

Newsflash: ISPs do not have common carrier status.

This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not be allowed to throttle certain users).

Re:

[Jason Levine]

Good point. Not only could a person's image be tainted by such a swap ("how dare you support that you sell-out!"), not only could you wind up losing money (no clicks on your real ads = no money), but someone could get injured/scammed based on your reputation ("Blogger X whom I trust is recommending Product Y. How bad can it be?"). Combine the two and you could even be sued ("You recommended Product Y and it injured me. I'll see you in court!"). Not that a lawsuit like that might have any merit, but it

Re:

[Casualposter]

Ok, so this is what happens. The Website, let say, Slashdot, makes an agreement with XYZ internet media company to sell ads on the site. Those ads don't pay without a click through. The customer pays the ISP for the upload and download content bandwidth, maybe per gigabit, or "unlimited" bandwidth. The ISP reads all unencrypted packets (and perhaps has to retain such information for some regulated period of time in some country). So when the customer goes to the site, he may or may not get the ads for

Is that legal?

[Opportunist]

Changing content and injecting different ads? I could see two possible violations here, one being copyright (altering content without the consent of the provider of the content), the other one dealing with fraudulent ad change (someone other than the one paying for the ads being displayed).

It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.

Re:

[porkThreeWays]

It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.

Which Comcast already does here in the US...

Re:

[Drathos]

All cable companies do that. Usually, there's provisions in their contract with the content providers for them to inject a certain amount of local advertising into the feed.

Re:

[SithGod]

They aren't actually changing the ads per say. A local cable company is allowed to sell certain ad space in a broadcast, hence why you'll see ads for Joe Schmo mattress warehouse while watching a nationally televised program. It's just that in that circumstance they are selling the ad to themselves. In summary, it's perfectly legal and a common practice for any carrier.

Re:

[mpapet]

I had another thought. What if the plan is to aggregate advertisers? This would destroy the sites that makes any money based on advertising, or have them go to BT for their ad revenue.

The -eventual- outcome would be every ISP that can afford to do it will create something vaguely like television only with some extra free info out there where they can't sell adverts.

In the time that it takes for the case to make it's way through court, they could make plenty of progress toward this end without consequences

Re:

[Misch]

Changing content and injecting different ads?

I would wonder what this would do for "common carrier" status held by these ISPs?

It's like a cable company changing the channel ads with their own

Seen it. In a very small city I used to live in, Time Warner injected their own ads over other ads on the cable network. You could always tell it was an injected ad because it was local and it was off by a fraction of a second, so you saw the beginning or end of an alternate commercial.

Re:

[norton_I]

Except that the cable company has permission from the national feed to inject local ads in specific slots. Sometimes the raw feeds have black space in those locations, other times they have ads for people who watch the national feed directly. Your local cable company is certainly not splicing in their own commercials without permission.

Re:

[ameyer17]

It's like a cable company changing the channel ads with their own.

They already do.

Re:

[TheRaven64]

It's highly unlikely that this is even remotely legal. It is equivalent to receiving a TV channel and rebroadcasting it with your own adverts substituted for the originals without the consent of the original broadcaster. They are modifying and redistributing copyright content without the copyright holders' consent, which carries fairly stiff penalties under the EUCD and related laws, they are they are misrepresenting content as coming from a third party, which is fraud with penalties under a number of law

Re:

[corsec67]

How could a consumer opt-in with a company to violate a copyright held by a third party?

Take /. for example. How could I opt-in with my ISP to modify the page /. sends to me? Wouldn't that be a derivative, and a copyright violation?

Re:

[Irish_Samurai]

Derivative works are protected under fair use.

Without going into it again, I posted a prospected stance that the ISP would take once challenged on this here [slashdot.org].

Before people start flaming me to death, please note I am not taking the stance that I think this is great and awesome, just being honest with myself about the shit that is going to get thrown back at me when I take action.

Re:

[corsec67]

Derivative works are protected under fair use.

So I could take a song, add "Buy Coke" in the middle, and release that? No, especially not for commercial gain.

Some derivative works are protected by fair use, but they generally have to be mostly newly created content, and can't just be the website with a little bit changed, per Wikipedia [wikipedia.org].

Re:

[kramer]

Derivative works are protected under fair use.

No, they most certainly are not. Certain derivative works are protected under fair use, but they must fall into one of a few narrow categories such as parody or commentary (they vary from country to country). There is no blanket derivative work fair use protection.

For the uninitiated

[Anonymous Coward]

BT stands for "British Telecom," Something they failed to mention, except in TFA

I hate it when people use too many arbitrary abbrivations. Let's start actually typing out names to set a context, then let people abbrivate in comments...

Re:

[Stooshie]

Over here in the UK, nobody needs to expand BT. Everyone knows what it means. (I assume you are not from the UK).

I'm sure stavros-59 just used it out of habit.

Re:

[Richard_at_work]

Actually, BT stands for nothing - its a contraction of 'BT Group plc'. British Telecom stopped trading in 2001 when mmO2 plc and BT Group plc diverged and started trading as two separate companies.

Re:

[ray-auch]

> BT stands for "British Telecom,"

No, it doesn't (anymore). The whole brand and company is "BT". They dropped the British bit (I forget when) when trying to become a global brand.

The full name of the company is "BT Group", but typically when naming companies you don't include the "group" or "plc / ltd. / llc" bits.

The website is also www.bt.com - check out the page, no mention of "British" whatsoever.

If you wanted to identify the company better, for folks that don't know it, you could say "BT - a major

Um, Replacing Charity Ads?

[DigitalSorceress]

Wow, talk about low:

In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.

        "The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system."

Re:Um, Replacing Charity Ads?

[zwei2stein]

Its actually good thing they did this.

Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

Now if only major news picked this up and made big deal out of it...

Mod Parent Up!

[Cassini2]

I noticed that quote too. It is completely despicable that they would remove charity advertisements. Actually, I think the entire system boils down to theft and unlawful interception of traffic.

What if the phone company inserted commercial adds when you were talking to someone on the phone?

Re:Mod Parent Up!

[Nursie]

"Hi Jim, I just a bought a great new handheld console"
"Oh yeah, what did you get"
"A Sony Pzzzzzzzzzzzzzz^^^^^T Nintendo DS proudly sponsors this phonecall! Your pal loves Nintendo DS! bzzzzzt *click* so yeah you should totally get one so we can play against each other dude!"

Re:Mod Parent Up!

[vux984]

What if the phone company inserted commercial adds when you were talking to someone on the phone?

That's nothing. What if they intercepted and changed what was said:

You say: Hey Jim, How are ya?
He hears: Hey Jim, I wish I was eating a tasty Mars bar.

He says: Ok.
You hear: Ok.

You say: Wanna go see a movie?
He hears: Wanna go see Superbad, and get some popcorn?

He says: Uh... sure.
You hear: Uh... sure.

You say: Cool see ya.
He hears: Cool. Can you pick me up some Laramie cigarretes. They take me to flavor country!

He says: Uh... say what?
You hear: Uh... you too.

Re:

[mpapet]

There's a very good reason they chose those ads. Do you think the non-profits have the resources to litigate this? What would they litigate exactly?

It's a big win for BT, and probably Comcast here in the U.S because there are so many legal issues that none of the harmed companies can afford to litigate it. It would be a career's-worth of work for both sides, with the ISP getting the vast majority of their wishes met either through litigation or purchasing legislation.

Re:

[aproposofwhat]

Do you think the non-profits have the resources to litigate this? What would they litigate exactly?

Litigation? I can see the likes of Michael Mansfield [wikipedia.org] sharpening his pencil and accepting the case pro bono without a second thought.

As to what they would litigate, theft seems a good starting point - if I have paid for advertisements to be served from a site, and some Jumped-Up Fucking Marketing Shyster then intercepts those adverts before the user has a chance to accept or reject them, then the JUFMS has sto

Re:

[fhage]

TFA says BT purchased the ads they replaced. The Charities got free advertisements if they were not replaced.

Copyright infringement

[RichMan]

I see lawsuits killing this really quickly. The originating site is creating a unique copyrightable HTML text document. This document is being modified in transit against the wishes of the originator before being delivered to the destination.

Some lawyers are going to make megabucks off this one.

Spidey Sense Tingling

[whisper_jeff]

I sense a major lawsuit coming. I can imagine more than a few laws being broken by this sort of manipulation (copyright violations, hacking violations, interference with business violations, etc.). I cannot imagine this will go on for too long. Obviously, I'm not a lawyer (but does that stop any of us form posting our opinions on legal matters?...) so I could well be wrong, but I can't imagine this not resulting in major lawsuits.

I like how it's charity ads that were intercepted

[3-State Bit]

It's like the thinking goes "let's substitute out something utterly inconsequential and that will have no ramifications whatsoever". No, a charity isn't going to sue your pants off, so I guess it's okay, right?

What's next, Nike tests shoes (leaked codename: "rental") that deteriorate in 30 days -- on retarded children. Through a charity donation. That they write off their taxes the full value of.

Seriously: these are the times I'm glad to procrastinate about being an internet activist[1], because YOU CAN'T MAKE THIS STUFF UP. I couldn't have warned of this if I had tried.

[1] CHILL, guy with the sig 'whenever I hear the word activist I reach for my revolver' It's going to be all right.

Sites and others will move to SSL

[visionsofmcskill]

This sort of BS will cause standard non-commercial / login sites to all move to SSL.

redirect Http://youriste.com to https://yoursite.com/ [yoursite.com] before anything is served.

If anyone thinks any of the CPM ad networks or major sites will allow this for even an instant, your eye is not on the money.

If they use such tech for the less easily encrypted protocols... you'll find those as well slowly pushed into it.

Which leaves the ISP's with two options if they wish to pursue this, they can proxy everything their

Oxfam ads substituted

[andyh-rayleigh]

I could see Oxfam (and the other charities who had their ads substituted) getting their lawyers to shakedown BT for a substantial "donation" as an alternative to being sued.

The problem here

[Midnight Thunder]

Other than the ethical issues, that these guys have no issue with (money before ethics), there is the potential issues of having advertisement for a competing product. Imagine going to Mercedes.com and having an advert for BMW. Also, isn't this likely to deprive content providers of advertising revenue?

iptables or squid-cache: ads -- /dev/null

[flyingfsck]

I'm sure there is a way to use IPtables of Squid-cache to remove any and all ads from packets. If they can be put in, then they can be taken out just as easily.

Possible temporary fixes....

[postbigbang]

1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

2) Use page receipts to vet page authentication

3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author

4) other solutions that someone will think of; stop the page vandals NOW!

Re:

[vux984]

1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

So much for using adblock.

Re:

[Abcd1234]

Huh? Adblock doesn't change the contents of the HTML being delivered to the browser (unlike these products). It just causes the browser to render the page differently (ie, not downloading or displaying images, embedded objects, etc).

'course, these products could just re-compute and re-insert the checksum into the page...

Re:Possible temporary fixes....

[kvezach]

Intermediate term fix: Tunnel everything over IPsec. If ISPs are going to act like Eve or Mallory, let's treat them as such.

Brief Overview

[skinfitz]

Interesting - whole system runs on RHEL (told you it was evil..) and multiple Squid processes. Adds some latency into browsing (obviously...) Old system dropped javascript tags into URLs but later version did not (resulting in some users having some javascript appearing in their forum posts - like that guy on the motorbike phorum if anyone remembers that incident) Apple.com among the 'download target' sites (page 49) but surprisingly due to Evil, not Microsoft or Google.

Do we have to...

[camperdave]

... during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertizements purchased by advertisers...a means of serving advertising directly through Layer 7 interception at ISP level...

Do we really have to go down this road? I mean, if we can't trust that the page we're looking at is the page that was served... Are we going to have to go to HTTPS for our browsing now? Are we

Google Ads

[Stooshie]

• Ask BT to replace ads with my google ads
• ...
• profit!!!

Would a copyright challenge be possible?

[supersnail]

Copyright conditions usually have a "reproduced without modification" clause so someone who's website is copyrighted and contains ads could thoereticaly sue the ISP for modifing thier page.

My bet is that if they once replace a google ad with one of thier own they will drown in subpeonas.

Tortuous Interference W/ Contractual Relations?

[Anonymous Coward]

Some legal eagle can set me straight here but this sounds a bit like a case of tortuous interference. The site owner and the user have a contract that the viewer views their ads in exchange for the content. The ISP is coming in and interfering with that contract in a material way by replacing ads. Somebody could make some big money on a class action -- as tortuous interference settlements are often very large.

As an Oxfam contributor, I am pissed

[Anonymous Cowdog]

BT stole part of my donation to Oxfam.

I give money to Oxfam. They take my money, and use it to run their charity, which includes helping people as well as doing some overhead like, for example, creating ads and managing ad campaigns. Seems like a perfectly good use of my donation.

But now I find out that some of these efforts have been sabotaged, stealing part of the money I donated!

Not only does Oxfam have standing to sue, I would think Oxfam donors have also been wronged.

But worst of all, of course, is the

https

[TheSHAD0W]

I predict that soon all web pages will be served via https rather than http. The encryption puts a heavier load on the server, but makes it impossible for such injections to be performed.

Re:

[wild_berry]

The cheaper answer is HTTP 1.2 which mandates MD5 and SHA1 hashes in "hash-md5: " and "hash-sha1: " fields of the header.

Term and conditions

[TheP4st]

Excerpt from chapter 4 titled Terms and Conditions of the document.

Also consideration must be given to the opt-out procedure enabling user to circumvent the system. The latter issue regarding op-out could not be specifically trialed since BTRT concucted this test as a stealth trial.
The system does provide an opt-out mechanism and this was laboratory tested and verified. However the method of opt-out requires consideration. Since it involves the dropping of a web-cookie on the users machine to indicate an opt-out preference, which if wiped by the user means they will be opted back in.

The solution would of course be to make it a opt-in instead of opt-out. Most users would of course not opt-in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt-in recive a discount on their internet connection. Simple and fair.

Pot calling the kettle black?

[Duncan Blackthorne]

ISPs complain that BitTorrent users are eating up all the bandwidth, and the MPAA and RIAA complain about "stealing" of IP through filesharing. Meanwhile, the RIAA and MPAA are breaking the law trying to turn a profit with their (pseudo) legal engine, and the ISPs are breaking the law with DoS/MITM attacks, and altering content on the fly! This is bullshit, complete and utter bullshit, and it needs to stop, NOW. Net Neutrality needs to be the LAW, and ISPs need to have the hammer dropped HARD on them over bullshit like this.

Absolutely actionable

[mlwmohawk]

From a legal point of view, I would say this is clearly something that the source web sites can sue over.

Insertion or replacement of advertising is vandalism, which is a criminal act.

It is probably arguable as product tampering.

I would say that even if the ISP has an agreement with the end user (overlooked in the small print) that allows this, they need to properly compensate the originating web site. These hijacked ads represent an improper interference of lawful business practices of the web site, i.e. providing a service sponsored by advertisement. By hijacking the ads, they deprive the website of earned revenue, which is theft.

I love it--use SSL for everything

[phr1]

There is just too much unencrypted web traffic on the net, and too much snooping and now man-in-the-middle attacks. SSL/TLS fixes that (unless Phorm subverts a certificate authority, which would REALLY be playing with fire). So now there's finally more incentive to start using it. Authentication and privacy in one now-fairly-simple operation. SSL isn't nearly widely enough used because years ago it was hard to set up and cpu-expensive. But the heavy computation is just during the session negotiation, and CPU's are fast enough now that it's just not significant (about 1 millisecond server-side on today's Core 2 processors vs a good fraction of a second in the early web era, to set up the key for the whole browsing session).

Re:I love it--use SSL for everything

[TheGratefulNet]

SSL fixes nothing. the user is still stupid.

I interviewed at a company (a few years ago) that had designed a hardware 'appliance' that intercepts SSL web comms and fools the user into accepting a fake cert that looks VERY VERY much like the real thing. he clicks 'ok' and whammo - he FEELS safe but his link is now MITM attacked and compromised. and he didn't even know it.

technically, SSL didn't break but the middle box (cough cough) did some very evil things and asked both ends to talk to it, instead. essentially.

how many people really scrutinize the MESS OF TEXT that comes up in those cert popups? even experts tend to say 'yeah yeah, OK' and click it away.

morale: assume your company is using one of these boxes and go from there. over time, more and more companies WILL be snooping on their employees or users using these 'SSL feel good' faker boxes.

be advised.

Legal Threats

[AlexanderHanff]

Well, firstly I am glad to see that the document has forked such a debate here on Slashdot and I thank you all for that (it is long overdue). As a result of some of my comments regarding the report, I am now facing legal threats from Phorm and BT. Alexander Hanff

Re:

[poetmatt]

Uh?

Why not just use Google's ads (which are far superior) and monetize them? It's not like google refuses to cut you a share of the profits.

Or you can use completely irrelevant ads that nobody reads, that don't work, such as the viagra/enhance your mangina ads. If an ad isn't relevant and interesting, nobody will read it. This is more on the intrusive category, which means its unwelcome and useless.

Also, what about the funds the companies already have? Surely you dont' think they'd keep pocketing the money

Re:

[aproposofwhat]

All that can be done by the site serving the ad through simple scripting - we know where the source address of the request is (well, roughly), and it's simple to serve a different image based on source IP address.

Oh, and good luck to the Shots [theshots.co.uk] for next season in the League :P

Re:

[Stooshie]

Advert tend to be fairly standard image sizes(468x60 and 120x60 being the most common) and are quite often delivered in iframes. They also tend to be delivered via a very small number of advert providers.

Re:

[Stooshie]

Unfortunately, if it is charities they are targetting then they are the least able to fight back.