A Setback for ISP Web Tracking

angelheaded tips a Wired story about the resignation of Bob Dykes, CEO of net eavesdropping firm NebuAd. NebuAd has encountered financial troubles lately as the privacy controversy surrounding the company's tracking methods has driven communications companies away. Over in the UK, Phorm responded to the NebuAd news by affirming that it is making progress with its advertising methods. From The Register: "In response to the outcry over our revealing its two secret trials, BT said in April it would re-engineer the planned deployment so traffic to and from customers who do not want their web use profiled for marketing purposes would not come into contact with the Phorm system. The original blueprint meant that a opt-out cookie would tell the technology to simply ignore refuseniks' browsing as it passed through. It's thought the change has proved tricky. Phorm did not immediately respond to a request for comment on the alleged technical problems, but [BT's chief press officer Adam Liversage] said: 'We have been working on some things with Phorm.'"

Why not?

[Creepy Crawler]

Why not just go to the big pipe guys and ask if they could sniff connections inbound and outbound on arbitrary nodes?

Doing a sniffed bridged router is a piece of cake and it allows sniffing of all unencrypted content.

Re:

[sitarah]

There's a very large US company called Hitwise [wikipedia.org] that does exactly that. They watch traffic that comes through ISPs and report on traffic, search terms, and competitor activity. It's all at an aggregate level, so there's no identifying information, and they use %-s of traffic rather than hard numbers, so that's why the ISPs don't view it as a privacy issue. Last I heard, they are audited by PricewaterhouseCoopers to make sure they're anonymizing correctly. The only difference between them and NebuAd is that t

Re:

[mikael]

You don't need to - there are many websites which will automatically check to see if they are being visited by a Phorm server. If they are, then they place a warning message on the webpage you (or the Phorm server) have attempted to download.

They have been discussing

[Anonymous Coward]

who is going to prison for tapping 18,000 people
http://www.theregister.co.uk/2008/09/05/bt_phorm_police_meeting/ [theregister.co.uk]

this is not including the private actions they will be facing for copyright infrigement, insider trading, fraud

Re:They have been discussing

[Antique Geekmeister]

No one is going to prison. The British are even more used to overt, and covert, silence in every aspect of their lives than the USA. Look at the NSA tapping of the core routers of UUnet, and the lack of any prosecutions for blatantly illegal government activity.

As long as they cooperate with law enforcement monitoring desires, I'm afraid there's not going to be any prosecution of any sort.

Re:

[Tim C]

We also have some pretty strong data protection and privacy laws.

As long as they cooperate with law enforcement monitoring desires

Law enforcement already have the Regulation of Investigatory Powers Act and don't need or want Phorm - in fact if you read the linked article, it would most likely be RIPA that would be used against Phorm in this case.

You forget one thing - the last thing most intelligence gathering agencies want is someone else muscling in on their turf.

Re:

[Antique Geekmeister]

I'm sorry if I was unclear: it's not that this monitoring was requested by law enforcement. But as long as the tools used are used to cooperate with government requests, the government is extremely unlikely to take away the tools. And the British seem very, very used to that level of invasive monitoring. They seem less likely to explode over it as many Americans. So where is the incentive to take it to court? And the ability to get past any 'national security' concerns about overall monitoring also in place

Why...

[Darkness404]

Why is it that every internet business thinks that in order to profit they need to stick ads everywhere?

Re:

[Anonymous Coward]

Fortunately they don't. A lot of the smaller guys - particularly podcasters and webcomic artists - have discovered that it's just about possible to run a business solely on the goodwill, and desire for merchandise of listeners.

Sadly a lot of the big guys are taking a very long time to realise this.

Re:Why...

[Adambomb]

Actually, I think thats more of a problem of scale. The larger user base you have, the less consumers think of contributing in the name of good will as "ahh they're doing alright" (and in some cases, that'd be valid to say).

I'm not saying that such a business model would not be profitable, i'm just saying most businesses see it as a diminishing returns kind of model. It will get them to a certain point of profitability but then probably stay there, which is not the kind of thing shareholders want to hear. For someone making a living while producing what they like, this is great. Hell, you could even run a nice private business that way and people would love it so long as you juggled properly. When the words "publicly traded" get into the picture though...well...you wont be hearing the words "eh, we're comfortable with this level of profit. Lets stick with this".

Of course this is not an excuse; It's simply a reason, but I do think it is why we do not see this kind of model being used in more large scale groups.

Re:

[schnikies79]

Since most websites are free, how else do you expect them to make a profit, or even break even?

Re:Why...

[Darkness404]

If they are really good at what they do, they will have a loyal fanbase that will support them via merchandise or donations. Just look at Homestar Runner, TBC makes a profit solely by merchandise sales.

Not to mention that a lot of sites that have ads (I'm looking at you cable news stations) already have a steady revenue of money from somewhere.

Re:

[vakuona]

A business that relies on donations is not a business, but a charity.

Good but not enough

[schwaang]

This needs to be so clearly illegal that no American ISP would have thought about trying it to begin with.

A cookie?

[CSMatt]

Based on what I've read, cookies are one of the main ways a Web site tracks its users. So then why should I trust these "opt-out" cookies from companies like DoubleClick and NebuAd to not track me, as opposed to just blocking their cookies from ever getting to my machine in the first place?

Re:A cookie?

[sakdoctor]

Exactly. Am I supposed to white list every scumbag company that provides an "opt-out" cookie. That just doesn't make sense because the supply of scumbag companies is practically unlimited.

http://upload.wikimedia.org/wikipedia/en/c/c4/Phorm_cookie_diagram.png [wikimedia.org]
Just look at all the spoofing nonsense. That just adds points of failure.

If you haven't switched away from your phorm infested ISP by now, then be sure to add both *phorm* AND *webwise.net* to your ad blocker.
Remember, friends don't let friends use (AOL|talktalk|virgin.net|BT)

Technical analysis

[labcake]

If you are interested in what phorm /webwise actually does here is a technical paper: Richard Claytons technical paper: http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf [cam.ac.uk]

Negative/Positive headers

[Teun]

Why such a negative header?

For the majority of net users this should be a very positive incident and the title should/could have reflected this, it's by all measure a Setback for Snoopers.

A cookie?

[ciej]

Ok, maybe someone can explain this to me. a cookie is just a file on your computer right?. So how is the isp (or router sniffing the packets), going to retrieve this cookie and not target ads at me. Not all my packets may not go through the same router every time (though I'm sure usually they do). So are they going to request this cookie for every packet? keep a big local list on the router of ip addresses to not sniff and have to check against that list everytime and hope the ip of my non-static ip address

Re:

[tlhIngan]

Ok, maybe someone can explain this to me. a cookie is just a file on your computer right?. So how is the isp (or router sniffing the packets), going to retrieve this cookie and not target ads at me. Not all my packets may not go through the same router every time (though I'm sure usually they do). So are they going to request this cookie for every packet? keep a big local list on the router of ip addresses to not sniff and have to check against that list everytime and hope the ip of my non-static ip address

Time for HTTPS:// everywhere

[harrie_o]

Time for HTTPS:// everywhere.

Back on July 9, Obama followed Pelosi's lead and legalized spying on Americans (which Bush had been doing since shortly after 9-11.

They aren't parking a van outside your house, folks, they are recording EVERYONE's web traffic and keeping it ... forever???? Maybe.

The Narus suite of deep packet inspection spy gear (covert spying in Iraq ... oh my!) is now legal for telecom (thanks Obama) to use inside the USA so politicians need cover by making sure you think everyone el

Illusion of Privacy

[caller9]

I never start with the assumption that my network traffic is not being sniffed by a man-in-the-middle. Some disgruntled ISP employee looking to steal identities. Somebody playing with bgp or whatever. Then there is the fact that my traffic hits a 10. net as a second hop. I'm sure this is just my lame ISP being lame, but it looks odd.

So it is really in your best interest to assume that all of your unencrypted traffic, and indeed the weaker versions of that are being intercepted.

I do take issue with JavaScrip

Re:

[jc42]

I do take issue with JavaScript injection that amounts to a man-in-the-middle attack http://www.theregister.co.uk/2008/06/23/topolski_takes_on_nebuad/ [theregister.co.uk]

This is just one more data point explaining why, ever since client-side scripting was first introduced into browsers, those of us who understand the Web have done most of our browsing with scripting turned off. If you permit strangers to download and run code on your machine, you're just inviting them to take advantage of you like this. And such injection a