
Wikipedia Opts Out Of Phorm

timothy posted more than 5 years ago | from the phorm-of-their-objection dept.

Privacy 98

ais523 writes "Wikipedia (and other websites run by Wikimedia) have requested to opt-out from Phorm; according to the email they sent, they 'consider the scanning and profiling of our visitors' behavior by a third party to be an infringement on their privacy.'" Another reader points to this post on techblog.wikimedia.org which includes a confirmation from Phorm that those sites will be excluded.


98 comments

Frist Ph0rm (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27604635)

Wait, I'm confused. I thought Phorm was a botnet.

Re:Frist Ph0rm (5, Funny)

David Gerard (12369) | more than 5 years ago | (#27604665)

It's the opposite of Artificial Intelligence: if you network enough marketers you get Sincere Stupidity.

Re:Frist Ph0rm (1)

stonedcat (80201) | more than 5 years ago | (#27604703)

I would think the opposite of artificial intelligence would be natural stupidity. :p

What? (0)

Anonymous Coward | more than 5 years ago | (#27604971)

"marketers" and "Sincere" in the same sentence? ... Couldn't get more diametrically opposed concepts. The majority of marketers are pathological liars.

Re:What? (1)

Jurily (900488) | more than 5 years ago | (#27608045)

whoosh

Re:Frist Ph0rm (1)

bit01 (644603) | more than 5 years ago | (#27606665)

"Sincerity is everything. If you can fake that you've got it made."

Old but good.

---

For web applications a web browser is little more than a multi-language, non-portable graphics+networking library mess, far less consistent than other graphics+networking libraries.

The official post (4, Informative)

David Gerard (12369) | more than 5 years ago | (#27604685)

Wikimedia Tech Blog post [wikimedia.org] .

(This would have happened sooner, but Brion was snowed under.)

Re:The official post (1)

Blue Stone (582566) | more than 5 years ago | (#27604883)

I'm hoping the BBC will be next.

Re:The official post (4, Interesting)

OldakQuill (1045966) | more than 5 years ago | (#27605635)

The BBC can't opt-out at the moment. It seems that major sites which do opt-out at the moment make news (including headlines at http://news.bbc.co.uk/ [bbc.co.uk] ). It'd be quite reflexive for the BBC to opt-out from a scheme run by a major UK telecommunications company and to report it on their news website, since that is a major source of their web traffic. The BBC News website itself would be making the news by undermining BT's scheme on the grounds of privacy invasion. When enough sites have opted-out for it to be non-news, they could do it.

Also, the BBC and BT have to work with each other on things like iPlayer, the online television/radio delivery platform. Perhaps the BBC are avoiding opting-out on these grounds too.

Then again, since the BBC has a special place in the UK regarding license fee and lack of advertising, perhaps they were opted-out of the scheme from the beginning.

Re:The official post (2, Insightful)

EdZ (755139) | more than 5 years ago | (#27606541)

You don't know the BBC. They've reported on their OWN internal scandals in the past, and tried pretty well to remain unbiased over them.

Re:The official post (1)

Opportunist (166417) | more than 5 years ago | (#27608251)

It's a sad, sad world when governmental owned news media are less biased than privately owned ones. My socialist buddy will heckle me with this for ages if he finds out...

Re:The official post (1)

Shrike82 (1471633) | more than 5 years ago | (#27608779)

The BBC aren't owned by the Government. It's operated and regulated by the BBC Trust, and it was originally set up by a bunch of telecom companies.

Re:The official post (0)

Anonymous Coward | more than 5 years ago | (#27608801)

The BBC aren't owned by the Government. It's operated and regulated by the BBC Trust, and it was originally set up by a bunch of telecom companies.

True, but they aren't free to do as they please. They have a set of rules they have to abide by in order to keep the tax money coming in. And ironically it's this government intervention that's arguably keeping them on the straight and narrow.

Re:The official post (1)

Dr_Barnowl (709838) | more than 5 years ago | (#27608807)

The BBC is not government-owned. It is an independent media corporation, formed by a Royal Charter.

Re:The official post (0)

Anonymous Coward | more than 5 years ago | (#27608845)

Ah, the British civil service, where every excuse is a technicality. He who pays the fiddler, Dr. Barnowl.

Re:The official post (1)

Dr_Barnowl (709838) | more than 5 years ago | (#27608979)

The BBC is funded directly through the license fee (which it collects for itself), not through taxation and redistribution from the government.

Re:The official post (1)

asc99c (938635) | more than 5 years ago | (#27612373)

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Government rules give it a unique position that feels a lot like taxation (i.e. a very similar situation is that you have to pay road tax if you own a car).

NB just being devil's advocate here, big fan of the BBC myself!

Re:The official post (1)

FireFury03 (653718) | more than 5 years ago | (#27615835)

But you do have to pay a licence fee simply for owning a TV, even if it is only used to connect to a console, computer, DVD player etc and you don't want to watch the BBC channels.

Please stop spreading misinformation - everything you have just stated is completely incorrect. You need a TV licence in order to watch broadcast TV (this includes streams over the internet which are simulcast with broadcast TV, but does not include streams which are not simulcast). You do not require a licence if you do not receive broadcast TV, no matter whether or not you own a TV - i.e. you don't need a licence in order to watch DVDs, use your computer, etc.

Whether or not you agree with the TV licence, spreading misinformation doesn't exactly help your argument.

Re:The official post (1)

asc99c (938635) | more than 5 years ago | (#27616523)

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

And one point I forgot to include in my original post is that you can't buy a TV just to watch ITV / Channel 4 / Five - in this case you have to pay for a BBC licence fee.

Re:The official post (1)

FireFury03 (653718) | more than 5 years ago | (#27621049)

I apologise, you are correct technically. But when you buy a TV, you have to register your address, so that TV licencing can follow up with reminder letters and phone calls.

It is interesting to note that there has recently been a public consultation on the methods used to collect the licence fee, and the results showed that the public generally feels that the licence fee collection is far too heavy-handed. It will be interesting to see if anything changes as a result of the consultation.

If you try to claim that you aren't using your TV to watch broadcast TV, they won't believe you (I can see why...) and will continue to harass you.

My understanding is that if you officially inform them that you don't receive broadcast TV then they will send round someone to check and then stop harassing you. I've got no first hand experience of this, however, since on the occasions when I didn't have a TV I didn't inform them since I take the attitude that I shouldn't *need* to inform anyone that I'm not breaking the law (when was the last time you phoned up the police to tell them you haven't committed a murder?) They go through a cycle of sending increasingly threatening letters and then send round the "enforcement officer", who I refused entry to my property.

The TV licensing officers have no legal right to enter your property without a warrant and they can only get a warrant if they already have some evidence that you are breaking the law. They rely on people foolishly inviting them in.

At least they've stopped sending libellous letters these days (at one point they took to sending me letters with "YOU ARE BREAKING THE LAW" printed across the outside of the envelope. If I'd had the time and money I would've sued them for libel as I blatantly wasn't breaking the law since I had no TV.)

And one point I forgot to include in my original post is that you can't buy a TV just to watch ITV / Channel 4 / Five - in this case you have to pay for a BBC licence fee.

Well, it isn't a "BBC subscription fee", it is a "TV licence fee" - you need to pay it to watch any broadcast TV and a large proportion (but not all) of the money collected goes to fund the BBC.

For the record, I broadly support the idea of the licence fee, although I disagree with the collection methods and think the whole system could do with being redesigned. IMHO, the licence fee serves the purpose of allowing TV programmes to be produced without having to bow to the commercial pressures. This allows programmes to be made which appeal to minorities, rather than always pushing for higher viewing figures for everything. The changes I think would be beneficial are:
1. Abolish the concept of a licence tied to receiving broadcast TV and just charge a fee to every household (possibly as part of the council tax system) - increasingly the licence fee is going on non-TV services, and it doesn't really seem fair to have TV watchers subsidising services that don't require a licence such as the radio channels, the BBC website, iPlayer, etc. This would also remove the need to harass innocent people, and the associated cost.
2. Avoid using the licence fee to fund really popular programmes that would do just as well on a commercial channel. This could best be served by splitting the BBC channels into a number (maybe 2?) of licence-funded channels and a number of commercial channels. The licence fee would still allow them to produce minority programming and take big risks on cutting edge programming on the licence funded channels, but if a programme becomes really successful it can be "sold" to the commercial arm and the proceeds of the sale can be ploughed back into the licence funded channels. This kind of re-investment would reduce the amount that would need to be charged for a licence fee.

Re:The official post (0)

Anonymous Coward | more than 5 years ago | (#27618259)

The BBC has nothing to do with the Civil Service, except for their role in reporting on the occasional scandal.

Why the BBC is more unbiased (1)

brunes69 (86786) | more than 5 years ago | (#27610157)

This is what many Americans don't get about the BBC. All they think is "it is run by the government, they must have their hands in it".

The reason the BBC can remain so unbiased is because they have no need to profit or grow the company. They know they will be funded next year, they have a government mandate and direct taxation supporting them. Also, it is at arm's length from the government. They have a charter to collect the TV tariff directly - the government does not directly fund them to my knowledge.

Therefore, they don't have to worry about an MP cutting their funding if they run an expose on him.

They don't have to worry about "if we do an expose on ourselves and we look bad we will lose advertising dollars", because they don't run advertising.

They don't have to say "oh we can't do that report on how GE microwaves are faulty, because GE is a huge advertising client".

Since they don't have to worry about marketing and soliciting advertising, they can devote 100% of their time and energy on reporting on the news to the best of their ability.

As a Canadian, where we have the CBC which is funded both through taxpayer dollars AND through advertising, I can see both sides. The CBC is pretty impartial, more so than any American network anyway, but if I also had to pay a TV tariff like people in the UK do, I am unsure if I would be OK with that. Then again, at least that would maybe fund some more decent non-news programming on the CBC.

Re:Why the BBC is more unbiased (1)

Acer500 (846698) | more than 5 years ago | (#27613655)

Since they don't have to worry about marketing and soliciting advertising, they can devote 100% of their time and energy on reporting on the news to the best of their ability.

Not to mention they get a leftover budget for cool shows like Top Gear :)

Re:The official post (1)

An ominous Cow art (320322) | more than 5 years ago | (#27612725)

Why do you say that it's sad? In my perfect world, I'd be more likely to expect a privately-owned source to be tainted by the views of its owners, and a governmental one to be closer to reality.

Re:The official post (0)

Anonymous Coward | more than 5 years ago | (#27608917)

I hope they don't.

Instead of those depressing bbc news pictures, I'm now getting ones more suited to my interests.

As far as I'm concerned, a mix of advertising for pornography, computer parts and cat food has, if anything, made reports on the world recession more believable.

Re:The official post (1)

mdwh2 (535323) | more than 5 years ago | (#27611585)

Firstly, the BBC can and do report on their own news.

Secondly, I'm confused as to your logic - are you really saying that the BBC can't do anything that would be "newsworthy", because they might get into some circular-metajournalistic-tangle over whether to report it or not? Either they'll report it, or they won't, but it would be ludicrous to suggest they were prevented from being able to carry out the action itself, whether or not it gets reported.

Re:The official post (1)

Dreen (1349993) | more than 5 years ago | (#27605117)

Not nearly all Wikimedia domains are included there, for example only a handful of wikipedia.* - is that because the other ones are only redirects or something?

Re:The official post (1)

David Gerard (12369) | more than 5 years ago | (#27605291)

That's everything which Wikimedia directly controls DNS for. There's others that have different technical or administrative contacts listed. They've been alerted they should do it themselves too.

Re:The official post (4, Informative)

brion (1316) | more than 5 years ago | (#27605513)

Those are also not actual Wikipedia content sites, but either redirects or sites of local Wikimedia chapters. All our actual content is on our own domains -- for instance German-language Wikipedia is at http://de.wikipedia.org/ [wikipedia.org] not http://wikipedia.de/ [wikipedia.de] which is a portal page maintained by Wikimedia Deutschland. (In part because German courts routinely shut wikipedia.de down in preliminary injunctions... ;)

Re:The official post (2)

AlexanderHanff (1129649) | more than 5 years ago | (#27606907)

Brion,

I would like to extend my gratitude to you for supporting the campaign and opting the Wikimedia Foundation out, myself and other campaigners are very appreciative of the support.

Sincerely,

Alexander Hanff
Founder of NoDPI.Org

Re:The official post (1)

brion (1316) | more than 5 years ago | (#27616019)

Thanks! :)

where is the list ? (1)

johnjones (14274) | more than 5 years ago | (#27604695)

Sorry, I don't understand.

Where is the list of websites who have opted out of Webwise?

And since Webwise is not active at the moment, what good will this do?

regards

John Jones

Re:where is the list ? (4, Insightful)

David Gerard (12369) | more than 5 years ago | (#27605011)

The Open Rights Group is keeping a list of people it's asked to loudly and publicly tell Phorm to phuck off. Amazon opting out made lots of mainstream media a couple of days ago; looks like Wikimedia doing the same will get a bit of notice too.

The point is to publicise that Phorm (a) exists and (b) is a bad thing. Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Re:where is the list ? (4, Insightful)

TubeSteak (669689) | more than 5 years ago | (#27605407)

Schemes like Phorm only get away with existing insofar as people aren't aware of them.

Wrong.
Schemes like Phorm exist because they are opt-out.

Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful.

Re:where is the list ? (3, Interesting)

oldhack (1037484) | more than 5 years ago | (#27606451)

"Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful."

Or because opt-out is a fraudulent scam. We've got ten thousand and one things to keep track of for real life, and I don't see why we should have to keep track of opt-out status for every pissant website.

Re:where is the list ? (1)

Opportunist (166417) | more than 5 years ago | (#27608267)

That's exactly what's wrong with opt-out in the first place.

"Here, you are now a member of the Church of Opportunist worshippers. That costs just one buck a day, you can pay a year in advance without worries, and of course the moment you tell us you don't want to be a worshipper anymore, we'll terminate your contract immediately"

This is fine if you first opt-in. I.e., if you have to come to me to worship me and pay me for it (not bloody likely, but hey, if you really wanna...). If it's just "done" to you, probably without you knowing, it is not.

Opt-out basically means you're forced to enter a contract without knowing about it. Dunno about your country, but it's not legal in mine.

Re:where is the list ? (1)

BrokenHalo (565198) | more than 5 years ago | (#27608849)

Definitely the latter. We have become so accustomed to the fact that "opt-out == spam-me-to-hell-now-i've-confirmed-that-i-exist", nobody trusts the option any more. Which is why people take steps with appropriate hosts-file blocking or firefox extensions.

Re:where is the list ? (3, Insightful)

bit01 (644603) | more than 5 years ago | (#27606911)

Numerous studies have shown that people are lazy

Numerous studies have shown that people attempt to rationally allocate their time and attention.

There are millions of businesses in this world. It is not humanly possible to opt-out of all their marketing drivel even when there is a cost-benefit in doing so.

Marketers steal the time and attention of many people to make a sale to one person and then act all surprised when those people get pissed. Spam is just the extreme example of that, unfortunately becoming less extreme all the time.

---

The USA is

Re:where is the list ? (0, Flamebait)

Tom (822) | more than 5 years ago | (#27608271)

And that's why opt-out should be illegal. No exceptions. Massive fines. That would end all the spam and scamming right there, at least for the legal part (you still have to find and prosecute the guys, of course, but you don't need any huge laws).

So where are the class-action lawsuits? Americans, I'm looking at you, you make a case out of everything, what's taking you so long?

Re:where is the list ? (1)

Acer500 (846698) | more than 5 years ago | (#27616629)

And that's why opt-out should be illegal. No exceptions. Massive fines. That would end all the spam and scamming right there, at least for the legal part (you still have to find and prosecute the guys, of course, but you don't need any huge laws).

Why is the above a flamebait? Is it the second part (the calling the Americans to action)???

Re:where is the list ? (1)

FireFury03 (653718) | more than 5 years ago | (#27615961)

Schemes like Phorm exist because they are opt-out.

What Phorm is doing is almost certainly illegal - you can't lawfully intercept communications without consent from all involved parties. By making it opt-out, you're not even getting explicit consent from one of the parties (the ISP's customer) - even if it were opt-in, you're not getting consent from the website that you're snooping the connection to, or any of the users of that website that may have posted (potentially private) content on it.

It is possible to block IP (2, Interesting)

Daimanta (1140543) | more than 5 years ago | (#27604701)

But first there is a need for people:

Read this thread down and comment on this one

http://slashdot.org/comments.pl?sid=1199671&cid=27586613 [slashdot.org]

If you are connected with BT please try some of these suggestions and see if it is possible to locate the IP addresses of Phorm. It is important that we stop this menace (or at least do what we can) before it spreads to other ISPs.

Re:It is possible to block IP (1)

gerrysteele (927030) | more than 5 years ago | (#27605127)

I'm on BT but from your link couldn't work out what suggestions you are talking about, I'm afraid.

Re:It is possible to block IP (1)

Frosty Piss (770223) | more than 5 years ago | (#27605277)

Perhaps a better approach to Big Internet Business would be rather than "user privacy", which in reality they don't give a damn about, we pointed out to them that Phorm "monetizes" other people's visitors (customers) without a return to the Web site owner ("you're STEALING my customers"). Microsoft and Yahoo might consider how much they like their Web "properties" being hijacked for someone else's profit.

That email may not work... (1, Informative)

Tribbles (218927) | more than 5 years ago | (#27604707)

It might be ignored as we (in the UK) don't spell "legitimize" with a "z" - it's legitimise here :)

Re:That email may not work... (1, Funny)

Anonymous Coward | more than 5 years ago | (#27604877)

Phuck oph.

Re:That email may not work... (4, Informative)

tomtomtom (580791) | more than 5 years ago | (#27605503)

Actually, "-ize" is absolutely not an Americanism - it is in fact correct spelling in either British or American English, whereas "-ise" is correct only in less formal British English.

It is sad that very few of us British seem to understand our language properly; almost no one here realizes that it is actually more conservative in British English to use -ize and not -ise. For example, go and look at an older copy of the Oxford English dictionary or the Times and you will see all those words spelled "-ize". I believe that even the newer editions of the OED, despite now listing the "-ise" forms, state that "-ize" is the preferred form.

To further complicate matters, the only words to which this rule can apply are those which derive from Greek (and thus contain the Greek suffix "-ize" - this is the rationale for it being the more correct variant). So for example "enterprize" and "capsise" are always just wrong in either British or American English.

Re:That email may not work... (0)

Anonymous Coward | more than 5 years ago | (#27608531)

it is actually more conservative in British English to use -ize and not -ise

The reason I use -ise (and -our instead of -or etc) is because the fsckin' Americans don't

Re:That email may not work... (1)

drinkypoo (153816) | more than 5 years ago | (#27608671)

The reason I use -ise (and -our instead of -or etc) is because the fsckin' Americans don't

Yes, that is quite hilarious. In fact, American English sounds more like Old English than British English does, specifically because Brits have changed their speech to sound different from yanks. In particular the pronunciation of the letters "A" and "R" is dramatically closer in the American stuff. Also, the person who got to name Aluminum wanted it named Aluminum, not Aluminium.

Re:That email may not work... (0)

Anonymous Coward | more than 5 years ago | (#27608843)

To be specific, American English sounds like a west country dialect. The kind of thing you hear in Somerset.

It's one particular flavour of old English, quite different from what you would have heard in the rest of the country.

It's amusing sometimes when action heroes in Hollywood films sound to me like cider drinking farmers. :)

Re:That email may not work... (0)

Anonymous Coward | more than 5 years ago | (#27609097)

You'll have to explain "cider" to them too.

Re:That email may not work... (1)

Haeleth (414428) | more than 5 years ago | (#27618361)

In fact, American English sounds more like Old English than British English does

Not true. Neither language sounds remotely like Old English, so far as anyone can tell; of course, Old English stopped being spoken around a thousand years ago, so we don't really know what it sounded like anyway.

In any case, you're probably thinking of Early Modern English, i.e. the language as spoken when the first colonists set sail.

It is true that American English preserves some features of Early Modern English that have been lost in some southern dialects of British English. But that still doesn't mean it sounds like Early Modern English. It doesn't. It has evolved in a different way, and it has of course also lost features that have been preserved in British English, such as certain vowel distinctions.

Re:That email may not work... (1)

uncle slacky (1125953) | more than 5 years ago | (#27609293)

AIUI the -ise ending was introduced as a replacement for -ize during the 18th century, when it became trendy to spell things in a French style, hence -er endings became -re (centre, theatre) and -ise replaced -ize. Because American English was essentially divorced from the mother tongue by that time (politically if not culturally), the changes didn't propagate over the pond.

As someone else noted, American English resembles British rural dialects (particularly Oxfordshire and Bristolian, so I'm told), which leads to the amusing conclusion that when one hears, for example, one of Shakespeare's plays performed by Americans, it's pretty close to how the original would have sounded.

Why not go one step better? (2, Insightful)

TheRaven64 (641858) | more than 5 years ago | (#27604763)

Detect IPs from ISPs who are part of Phorm and redirect them to a page about Phorm the first time they visit Wikipedia each day. Amazon probably couldn't afford to do this, but it's not like Wikipedia loses any revenue if they irritate their visitors a bit, and if they can direct that anger to the ISP then it could do a lot of good.

Re:Why not go one step better? (0)

Anonymous Coward | more than 5 years ago | (#27604901)

it's not like Wikipedia loses any revenue if they irritate their visitors a bit

Half the point of doing this is to avoid pissing off their visitors using what they see as privacy infringement.

Besides, they seem to be doing this as a favour to their users, not because they actively dislike Phorm.

Re:Why not go one step better? (1)

David Gerard (12369) | more than 5 years ago | (#27605031)

When it was proposed in a couple of mailing list discussions, the unanimous response was "HELL YES!" So I think you could reasonably say we actively dislike Phorm ;-)

Re:Why not go one step better? (0)

Anonymous Coward | more than 5 years ago | (#27604917)

No, no, no!
They're doing this out of concern for their visitors. Deliberately irritating even a small fraction really defeats the purpose of their initial action.

Re:Why not go one step better? (1)

stephanruby (542433) | more than 5 years ago | (#27611465)

Or they could just detect those IP addresses as you said, but put it in the message on top of the page, where they usually put official messages and calls for raising funds. A complete redirect would be overkill in my opinion.

WTF is Phorm? (5, Informative)

EvanED (569694) | more than 5 years ago | (#27604817)

For those of you, like me, that read TFA and the article linked from TFA and still don't know what Phorm is other than it's something that some UK ISPs are implementing and there appear to be privacy concerns, Wikipedia [wikipedia.org] .

In short, it's a system for doing targeted advertising by deep-packet inspection.

Re:WTF is Phorm? (1)

orangesquid (79734) | more than 5 years ago | (#27605049)

I thought this was obvious? Doesn't PHORM stand for Privacy Heinously Obliterated for Rogue Marketing?

Wait, I think my conscience is interfering with accurate perception of reality to discourage nightmares... dammit, why does this happen so often.....

Re:WTF is Phorm? (4, Informative)

AlexanderHanff (1129649) | more than 5 years ago | (#27606861)

If you would like more information on Phorm/WebWise, NoDPI.Org has been leading the campaign against them for the past 14 months (and were co-signatories to the Open Letter). We have worked on a number of initiatives including organising the House of Lords Round Table Event which Sir Tim Berners-Lee attended on the 11th March this year. We plan to take the lobby all the way to Brussels and the campaign has already led the European Commission to initiate legal proceedings against the UK Government after they failed to enforce EU Privacy Directives with regards to Phorm's covert trials with BT Group in 2006/2007. I also filed a criminal case with the police in July last year, which they closed stating that there was no criminal intent and it was not in the public interest. As a result of this I was forced to contact the Director of Public Prosecutions and bypass the police entirely - the Crown Prosecution Service are now investigating the matter and will make a decision on whether or not to prosecute. The covert trials in 2006 alone intercepted over 130 million communications over less than 2 weeks and modified those communications to insert Javascript into web pages which passed through their systems (then known as PageSense). I leaked an internal BT report which goes into a great deal of detail about the 2006 trials to WikiLeaks last summer and I also wrote my undergraduate dissertation on the legal implications of the same covert trials.

You can find the dissertation here: https://nodpi.org/documents/phorm_paper.pdf [nodpi.org]
You can find the leaked report here: https://secure.wikileaks.org/wiki/Image:BT_Report.pdf [wikileaks.org]
And you can catch up on the entire scandal on our blog here: https://nodpi.org/ [nodpi.org]

Hope that clarifies things for those who are not aware of who/what Phorm/WebWise are/is.

Alexander Hanff

Re:WTF is Phorm? (1)

stephanruby (542433) | more than 5 years ago | (#27611759)

I'm surprised Virgin is one of the three ISPs doing this. Does Richard Branson still own that ISP? If he does, I will do my part and boycott all the Virgin brands. Since I live in the US, and since I don't do business with BT, boycotting and bad mouthing BT would be pointless.

More information please? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27604831)

Would it be too much to ask for the summary to give some clue about what "Phorm" is, or why Wikipedia would need to or want to "opt out" of it?

Re:More information please? (1)

u38cg (607297) | more than 5 years ago | (#27608541)

Or would it be too much to ask that if you only read slashdot once in a blue moon and have no idea about a topic you've never heard of that you at least try one Google search before accusing slashdot of being lazy?

Re:More information please? (0)

Anonymous Coward | more than 5 years ago | (#27619727)

Very difficult to explain in a small comment. Read about it here and follow the links. http://www.inphormationdesk.org/ [inphormationdesk.org]

stealing advertising revenue (4, Informative)

wjh31 (1372867) | more than 5 years ago | (#27604843)

aside from the whole invasion of privacy thing, people seem slightly less to pay attention to the suggestion that intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue, to the page owner for their share, to e.g. Google for their commission or however they work, and to the advertiser who may otherwise have received an extra click through to their site

Re:stealing advertising revenue (0)

Anonymous Coward | more than 5 years ago | (#27605245)

By overstating your case you weaken it. What Phorm is actually doing. [slashdot.org]

May be copyvio too (4, Interesting)

Xtifr (1323) | more than 5 years ago | (#27605341)

Any content that is distributed under any of the Creative Commons NC licenses (e.g. cc-sa-nc [creativecommons.org]) cannot legally be used for advertising purposes. The very similar license under which the Grateful Dead allow redistribution [cnet.com] of their old concert recordings explicitly lists advertising and "exploiting databases compiled from their traffic" as forbidden.

Re:stealing advertising revenue (3, Interesting)

tomtomtom (580791) | more than 5 years ago | (#27605759)

... intercepting and replacing the adverts on a page is tantamount to theft of advertising revenue ...

Not that I want to be seen to defend Phorm, but that's just not what their system does.

To be fair to you, some of the original secret trials did include nasty rewriting of web pages to include their ads but they pretty quickly dropped this (I suspect more because it didn't work well enough than for any moral or legal reason given their dubious track record and the previous lives of the individuals behind Phorm).

Phorm monitors your general web usage using Deep Packet Inspection at the ISP level, even and especially on sites which have never signed up with (or even heard of) Phorm, in order to build up a behavioural profile of you. They then use this to serve you targeted ads when you browse to a site which is signed up to their ad hosting service.

What's more, they decided to not only track what sites you visit, but do keyword analysis of the content of the pages served to you by third parties. They claim this data is anonymized but we all know that in reality you could probably identify any given user from the data they collect with >50% probability as recent studies on anonymized data sets have shown.

Re:stealing advertising revenue (1)

MichaelSmith (789609) | more than 5 years ago | (#27606809)

Oh great. Now my wife is going to get adverts targeted at my browsing habits. Just what I need.

Re:stealing advertising revenue (1)

Opportunist (166417) | more than 5 years ago | (#27608569)

Hey, would you mind her having bigger tits and a maid outfit? :)

Re:stealing advertising revenue (0)

Anonymous Coward | more than 5 years ago | (#27614261)

She already has those.

Re:stealing advertising revenue (1)

IBBoard (1128019) | more than 5 years ago | (#27608729)

It isn't stealing advertising revenue, though.

The way Phorm works is to monitor every page on all websites that a user on a Phorm'd ISP visits and build up a profile of them by analysing the content. This is then used to supply more targeted adverts on every site that is part of Phorm's network.

They don't replace (for example) GoogleAds with their own adverts, but they do read the content of your website and use it for their own profit by scanning it after an interesting flurry of fakes and redirects [wikipedia.org] - all without returning a single penny to you.

That's the part that annoys me the most. I'm not on a Phorm'd ISP, so it doesn't affect me as a user, but I don't have any adverts on any of my websites so I sure as hell don't want them making an advertising profit from my content without me getting a proportion of it. That plus their method of monitoring and using opt-out is ethically dubious at best.

Wikipedia is for losers (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27604849)

The reason why Wikipedia sucks is the sad admins known as j.delanoy, nishkid64, antandurus, MER-C, nawlinwiki, krazliec, spacebirdy, Bongwarrior, pmdrive1061 and others.

All users of slashdot are encouraged to vandalize Wikipedia.

Tell them Willy on Haggers sent you

Mental disconnect (0)

Anonymous Coward | more than 5 years ago | (#27604851)

A while ago there was this story:

AP Says "Share Your Revenue, Or Face Lawsuits" [slashdot.org]

The very first comment was:

If you don't want people looking at it, don't put it on the friggin internet! (Score:5, Insightful)

There were several other comments to the same effect. I am interested in hearing from anyone applying the same sort of logic in this case. I hope that there will not be bias simply because the story is regarding our beloved Wikipedia.

a. Phorm committing an "infringement of privacy" against Wikipedia's users.

or

b. It's on the internet, it's fair game.

I do not believe that one can have it both ways.

Re:Mental disconnect (2, Informative)

growse (928427) | more than 5 years ago | (#27604985)

You're confusing the content and the information about the people accessing the content. If I publish a web-page, that is public (copyright me). Anyone can read it. However, what isn't public is the list of IP addresses that accessed that content. When reading a webpage, you don't get to know who else has read that webpage.

Phorm gets to know who else read that webpage. And any other HTTP-only webpage.

Re:Mental disconnect (4, Informative)

David Gerard (12369) | more than 5 years ago | (#27605057)

The way they're doing it is likely illegal in the EU. The EU is actually taking Britain to court for not having prosecuted Phorm and BT already.

Re:Mental disconnect (3, Informative)

hguorbray (967940) | more than 5 years ago | (#27605265)

El Reg has been covering Phorm and its existing and planned abuses for some time:

http://search.theregister.co.uk/?q=phorm [theregister.co.uk]

unfortunately one of the Phorm directors is also in tight with the UK gov in an internet policy group
http://www.theregister.co.uk/2009/04/15/kip_meek_berr/ [theregister.co.uk]
and they have been hard to dislodge over there, although Brussels (EU) has also taken notice
(see parent)

so far, they seem to have been treated with suspicion and hostility over here in the USA by everyone AFAICT, which is probably a good thing

I'm just sayin'

Phuck Phorm (0)

Anonymous Coward | more than 5 years ago | (#27604929)

Phuck Phorm is all I can say

How is lying about a redirection legal? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27605311)

If you look at http://en.wikipedia.org/wiki/File:Phorm_cookie_diagram.png , they are lying to the customer by claiming that a website has moved when it hasn't. As a website owner, I should be able to sue them if I have proof of such a fraudulent redirection. Why would opt-out be necessary or advisable under these circumstances?

screw Phorm. (0)

Anonymous Coward | more than 5 years ago | (#27606021)

A script that continuously randomly surfs the web . . . at random intervals and with high traffic. The pages are just thrown away. Then when I surf the aHoles at Fascist central won't know if it is me or my doppelganger script or what I am looking at.

Screw opt-out, the RIGHT solution is HTTPS! (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27606159)

Opting out as a web site or user is just a lame attempt to avoid implementing the even simpler, and vastly more effective solution: MAKE YOUR WEB SITES ACCESS VIA HTTPS WITH SSL SECURITY FOR ALL PAGES, ALWAYS!

That way nobody can easily "man in the middle" attack your page content for any purposes of deep inspection, advertising, user profiling, invasions of privacy like 3rd party traffic logging, et. al.

Notice that I said "nobody can" versus "PHORM cannot" -- this would protect against ANY 3rd party snooping or data tampering, which surely is a far more effective "one solution fits all" approach than JUST relying on PHORM's good hearted integrity to honor your request not to profile your traffic. HTTPS solves the problem once and for all for ANY such threat. It is something that your web servers already support. It would be trivial to enable this wholesale across thousands of web sites.
The benefits to users could extend far past advertising related snooping; it would help secure your users against even worse kinds of malicious or oppressive censoring / analysis of their web interactions.

The ONLY things that would be available for inspection / logging by a 3rd party would be:

a: some client's PC did a recursive DNS lookup of your domain such as en.wikipedia.org

b: some client's PC made a TCP connection to an IP address which happens to serve some particular set of sites, e.g. 22.33.44.55 = en.wikipedia.org, uk.wikipedia.org, some_other_virtual_server.com, et. al.

c: a certain amount of SSL encrypted traffic flowed back and forth from the client's PC and the site over SSL. Packet timing, packet group sizes could probably indirectly reveal some information via traffic analysis about what content may have been accessed, but this would be certainly far more difficult and less useful for a 3rd party like phorm to have to analyze / process.

Other than the small issue of paying for a SSL certificate for commercial domains, what exactly is the problem here? If your site is commercial / large traffic then presumably a modest annual cost is negligible compared to your existing server / IT / staff / security / bandwidth / electricity costs -- and you probably ALREADY have SSL certs anyway just for your login / e-commerce types of processes. If you have a low traffic / personal / non-profit type site, then just use self signed certs for free, and it'd be doing your users a big favor protecting them from 3rd party attacks / snoops on their traffic for basically zero cost to you.

Large / commercial sites presumably have hardware capability to handle SSL processing at the necessary speeds. Small sites presumably have small enough traffic that even a very modest personal desktop CPU that is already in use for the server could handle it at that throughput level with no problem.

If we're going to be petitioning sites to do SOMETHING to stop the harmful practices of 3rd party traffic logging / deep packet inspection, shouldn't we be asking them to do it the BEST and really the ONLY EFFECTIVE way? Anything less is a joke. *NICELY ASKING* a "malicious" would-be eavesdropper to not snoop on your totally unencrypted totally unsecured data stream is like wearing a t-shirt that says "please don't rob me" while you walk around with tons of expensive jewelry and electronics through dark alleys in bad neighborhoods. News-flash -- the people that would snoop on your / your users' data are doing it for PROFIT or CONTROL self-interest; if they CARED about being "nice" and respecting your / your users' privacy, THEY WOULDN'T BE DOING IT IN THE FIRST PLACE! Don't "ask nicely" for them to stop -- they'll do it anyway, and so will 10,000 others who YOU DON'T EVEN KNOW ABOUT -- PROACTIVELY PREVENT them from doing it, YOU HAVE THE TECHNOLOGY!

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

shentino (1139071) | more than 5 years ago | (#27606615)

The problem is forking over $$$$ to verisign and giving them monopoly control of the internet.

I would rather be insecure than verisign's puppet.

Re:Screw opt-out, the RIGHT solution is HTTPS! (0)

Anonymous Coward | more than 5 years ago | (#27606795)

>The problem is forking over $$$$ to verisign and giving them monopoly control of the internet.

OP here -- agreed, I don't like the "monopoly" (well small-N-polyopoly) of "trusted" CAs either.
I've proposed 'solutions' for this such as any name registrar being a trusted CA and them just giving out wildcard subdomain SSL certificates for each domain you pay to register with them as part of the domain registration service. Thus you always have access to secure communications for any domain/sub-domain that you own and control. I'm not a big fan of the polyopoly of "for profit" name registrars either, but given that they exist, it seems silly to have to trust them to get the domain and then buy a trusted cert for the same domain from a different party. At least the domain registrars KNOW you own the domain since you just registered it, so there's a 1:1 mapping of domain ownership / control with SSL cert ownership / control. Same thing for credit card processors, paypal, whatever; if you've signed up to take credit card payments or receive paypal payments or so on, they could just issue you a cert. saying that you're trusted to receive that type of transaction since, obviously, you are, since they just opened a merchant account for you.

For other certificates that are personal or organization in nature, have, say, banks issue certs for any person or company that opens an account. They know who you are, they've checked your ID / papers, they're a "trusted" entity, and it'd cost them next to nothing to issue a certificate in conjunction with your account as a perk. Same thing if you do something like file the papers with the county/state to start a business -- they give you your business license and CA certs package deal.

For other purposes there'd be no reason a non-profit organization couldn't be formed to be a trusted CA and they'd issue keys basically free or close to it (e.g. $0.10) to any individual or non-profit organization. CACERT already does this, though they're still not listed as trusted with all the browsers and so on.

Actually just look at all the 'free' services on the internet -- yahoo, hotmail, google mail, google docs, facebook, flickr, youtube, whatever all giving away gigabytes of storage / bandwidth / services for 'free' for millions of users. Any of these companies could just start issuing free personal or organizational certificates as a way to increase their popularity / user base just as with their other free services.

Anyway though we're talking about a figure of less than a few hundred dollars a year even for a commercial SSL cert from some company like verisign / comodo / thawte / GTC / whatever. Any significant sized commercial website is paying hundreds or thousands of times that figure in staff, servers, ISP fees, etc. annually; for the sites that are most relevant to secure with HTTPs, cost / technical difficulty is the LEAST issue. In fact it'd be hard to even NAME many big commercial web sites that DON'T ALREADY have SSL certs ANYWAY for user login or such purposes. Most of these sites want you to do a secure login just to access your email or blog or forum or subscriptions or social network or personalized preferences or whatever. So they have NO EXCUSE for not just flipping the switch to HTTPS for any/all URLs now.

Using self-signed certificates is always a free / simple option also; if a few big web hosts or many little ones started doing this, all the major browser makers would set up a better form of security in their browsers to seamlessly facilitate that within weeks. Just because a connection is ENCRYPTED doesn't mean it should have to be strongly authenticated, there could be weak authentication and free certificates / self signed ones for general purpose sites and strong validation for sites like merchants where you're doing financial transactions or accessing very sensitive private information. That's right in line with the status quo for extended validation certs vs. normal ones; the only difference being that "normal" ones should be free or close to it.

Re:Screw opt-out, the RIGHT solution is HTTPS! (2, Informative)

shentino (1139071) | more than 5 years ago | (#27606839)

And if DNSSEC was properly implemented across the board then we wouldn't even NEED to be wary of self-signed certificates to begin with.

If you can trust that the DNS pointed you to the right site, then you are as safe as you are using SSL.

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

shentino (1139071) | more than 5 years ago | (#27623099)

Actually, DNSSEC only obsoletes the authentication portion of SSL. You still need its encryption to prevent MITM attacks, but sites that are properly authenticated with DNSSEC would at least be able to publish their own certificates.

My mistake...

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

u38cg (607297) | more than 5 years ago | (#27608565)

Hi. You appear to be under the impression that SSL is a magic bullet. I have bad news for you. If someone really wants to read your https traffic, they most likely already are: it's not that hard. And if you're an ISP, it's not exactly difficult to get hold of a legitimate certificate to do your MITM with.

I think a better approach would be to make damn sure that everyone involved in commercial activity understands that they should keep the fuck away from my data, encrypted or not.

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

linuxrocks123 (905424) | more than 5 years ago | (#27608957)

Actually, the only significant problem with his proposal is that a high-traffic website would have significantly higher server processing costs if it had to encrypt everything. There are no known breaks for SSL right now, so it's highly unlikely anyone is reading your https traffic except the website on the other end of the connection. An ISP would certainly be able to purchase a certificate for itself, but that certificate would be useless for MITM because a legitimate certificate authority won't knowingly issue a certificate for a DNS domain not under that ISP's control.

Have a nice day,
---linuxrocks123

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

u38cg (607297) | more than 5 years ago | (#27610755)

What if your ISP is big enough to control a top-level certificate issuing authority? Or even easier, what if they supply your browser and add their own top-level certificate? If you work in a large institution such as a bank, this is exactly what happens. Right now, at my desk, if I connect to my bank's website, my employer can read my traffic. I'm the last person to descend into tinfoil hattery, but when it comes to encryption, there really are too many ways for it to go wrong for it to be a magic bullet for *anything*. Lastly, bear in mind that most users are *utterly clueless* about their encryption, and therefore won't think twice about clicking through certificate errors for any domain. People have MITMed in the wild using this technique - never mind the people that have reverse engineered MD5 hashed certificates.

Re:Screw opt-out, the RIGHT solution is HTTPS! (1)

linuxrocks123 (905424) | more than 5 years ago | (#27611393)

If your ISP is, in effect, providing you with a hacked web browser, then, yeah, the people who use it are stuck. But, only those people: those who used their own browsers would object, some quite strenuously, to their ISP doing a man-in-the-middle attack on every SSL website, so that scheme wouldn't be workable in practice. Employers can (sometimes) get away with the antics they pull because they're paying you. I wouldn't visit my bank from work unless I were booted from a CD anyway (and that's against policy at a lot of places, so I'd probably just check from home).

Who is your employer, by the way?

---linuxrocks123

Re:Screw opt-out, the RIGHT solution is HTTPS! (0)

Anonymous Coward | more than 5 years ago | (#27610879)

Unfortunately, the main ISP involved in Phorm (British Telecom) actually *is* a certificate authority. It can issue any certificates for any domains it damn well pleases. Normally I would say that as this is probably highly illegal (issuing a cert for a site which has not requested it is probably some sort of fraud) then they won't do it. But large companies often appear to be able to do what they damn well please with the government virtually encouraging them when it comes to trampling on people's privacy.

Open software and Monetaries (0)

Anonymous Coward | more than 5 years ago | (#27606773)

Wanna bet that Phorm made this possible using adblock lists?

Imagine... (0)

Anonymous Coward | more than 5 years ago | (#27609111)

...you're someday looking at some pr0n while your wife's out, and when she comes back you browse to some normal page and pr0n ads pop up...

NoDPI complaint to the Financial Services Authorit (1)

AlexanderHanff (1129649) | more than 5 years ago | (#27617693)

Just a quick update for everyone. Today we have sent a letter of complaint to the Financial Services Authority (FSA) that Phorm's statement to markets this week that government regulators and departments support their technology as fully compliant with UK law - is misleading and possibly fraudulent.

I have added a link and summary to my firehose here:

http://slashdot.org/firehose.pl?op=view&id=4200429 [slashdot.org]

you can find the original article here:

https://nodpi.org/2009/04/17/phorm-protests-berr-says-we-are-fully-compliant/ [nodpi.org]

Alexander Hanff

screw the paperwork (0)

Anonymous Coward | more than 5 years ago | (#27618735)

So how do I blacklist Phorm's IP range - With this kind of scam I don't want to serve my pages into such dishonest people.
My interest is to ensure ethical networks by blacklisting the unethical - when these people come knocking I want to either tarpit the IP or serve up a condemnation of the Phorm inline worm and those that support it by using it.

even if they have no choice, because they need to become activists and they should be told that.

Re:screw the paperwork (1)

AlexanderHanff (1129649) | more than 5 years ago | (#27619049)

Blacklisting Phorm's IPs will serve no purpose. The visits you see to your web sites will have the IPs of the ISP customers, Phorm then intercept these communications and copy the page "in transit". The only way to guarantee that your site will not be compromised by Phorm is to block all the IPs registered to the various ISPs that decide to deploy Phorm's technology.

The only other option is to use the Opt-Out mechanism that Amazon, WikiMedia and others have used; and then trust Phorm to honour that request.

Alexander Hanff

Re:screw the paperwork (1)

AlexanderHanff (1129649) | more than 5 years ago | (#27619095)

I should add that you can also block Phorm's technology by using SSL for all your web site pages. If you have a busy site however, you should be aware that this could cause a significant resources overhead.

Alexander Hanff