Certain ISPs have started selling customers' personal information

probe

BT and others (Carphone Warehouse and Virgin) appear to have been selling details of customers’ browsing habits to a private intelligence gathering company called Phorm. Security expert Steve Gibson has investigated how the system operates and outlines the personal privacy and security implications of Phorm and ISPs in this week’s netcast.

Listen to the story:
http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-151.mp3

Show notes: http://www.grc.com/sn/SN-151.pdf

You can watch this Security Now series being made live on http://www.twitlive.tv at 19h00 IST every Tuesday. Security Now has been made every week for the past three years. The live feed isn't edited and you can see all the background stuff going on - Steve's dog, visitors coming into the Twit cottage - as well as live chat comments from other people watching live.

.probe

The story on Phorm in The Register: http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

larryone

I am Larrys complete lack of supprise.
As users we put alot of information about ourselves out there.
Companies that have your information see it only as a saleable asset.
Unless there is alot of legal protection, they can do what they want.
I used to have control over my email content and how it was handled, when I was a sysadmin for the organisation that provided the service.
Now I use gmail.
As a result google have alot of information about me - as they do about all their users.
If that data becomes valuable, there's nothing to stop it being sold to a third party.
You use mickeymouse services ltd for everything because you have solid assurances from them that your data is protected.
Then majorcorp buys mickymouse services ltd, your guarantees get swallowed up, and you become another piece of saleable info.

Myself and a group of friends that were in the previous org are setting up our own mail file and web server.
But there's always a service you have to buy from majorcorp, hosting, bandwith, etc.
The only escape from this is to have robust privacy legislation, and to use services that are more likely to be based in the right jurisdiction for the lifetime of your user account.

trout

Phorm ... has been running for some time now.

Some good articles on The Register about it ... I've been following it for some time. There are suggestions of illegality - and EU directives on Data Protection appear to have been breached, but no action has yet been taken.

You might find this one informative -> http://www.theregister.co.uk/2008/06/10/eu_bt_phorm_trial/

And this one too -> http://www.theregister.co.uk/2008/06/10/eu_bt_phorm_trial/

I'm not sure how excited to get over this ... targetted ads don't bother me, as I block traffic from the ad farms, and use ad block addons for my browsers.

It's naive to expect anonymity or privacy on the net, just my opinion.

I'm sure Google are doing something similar, serving ads based on browsing history, cookies, search terms etc.

probe

It is not naïve to expect privacy on the net, anymore than it is naïve to expect to be able to pick up a newspaper or magazine in printed format and read the articles that interest one, without having to fill out a disclosure form saying I read article X and Y and send it to some government agency to hold on file – just in case.

Illegality doesn’t put companies like these off. They know that they are above the law, because politicians don’t take the time to understand developments in technology.

There is a big difference between google and their doubleclick division and Phorm+ your ISP. Google/doubleclick doesn’t know who you are unless you use their gmail.com email service as well.

Your ISP knows who you are and where you live and has your bank/card details, and all your traffic data (including search engine keyword history going back as long as they want to store same, without limitation in law). It is only a matter of time if they get away with installing Phorm-ware when your full ID is passed on to anyone who wants to buy it, in a package with your google search keywords for the past decade or more. In the same way as you can go to a local “DMV” office in the US and buy names and addresses of car owners and their vehicle plate IDs and related data. While I am not suggesting you do so, you could store a huge quantity of data for the entire population of the USA on a $199 1.5 TB hard drive from bestbuy.com, as part of an ID theft operation. Europe is heading in the same direction.

The EU has given your ISP the blessing to store your google and yahoo and every other search engine keywords, and control freak ex “Justice” minister McDowell has forced them to store it for longer than elsewhere in the EU, with no ceiling.

The European Court of Human Rights found Britain in violation of human rights for systematically monitoring Irish telecommunications traffic en masse this week – in 1991 they had kit to monitor 10,000 Irish phone calls simultaneously….. with advances in technology who knows what is going on in 2008? No doubt the Irish government of the day and the EU knew what was going on, and did nothing about this illegality.

As Steve points out in the netcast, this is the thin end of a wedge that will just grow and grow and grow, unless decisive action is taken to stop the perpetrators.

The administrators – be they at EU level, nation state level or local level seem oblivious to who their “customer” is – ie the individual in their community. That individual doesn’t want to their web surfing or email to be spied on systematically, or their driving habits, or anything else. While most right-thinking members of society would have no objection to police access to relevant data to solve serious crimes, under proper judicial control mechanisms, since “9/11” there has been a never ending increase in public and private sector abuse of privacy rights. And marketing racketeers are ready to pounce and take advantage of the ambivalence of today’s largely unthinking society.

We have arrived at a stage of political arrogance where Alain Lamassoure, MEP feels comfortable telling Jamie Smyth of the Irish Times this week that “Ireland was wrong to hold a referendum, which is 'a tool for dictators'”! Who is the dictator please? The voter? Or politicians like M Lamassoure? Or companies like BT and Phorm? Yet another reason for people to vote “no” in any Lisbon II referendum. While they still have a vote! Before these functionaries, and b***ards like Phorm get total and absolute control over our lives.

.probe

trout

I'm not arguing with you ... I'm just not surprised, and I don't expect anything but self-serving rhetoric, propoganda and utter disrespect for the privacy of my online activities, especially from ISP's, Corporates, and EU or (God help us) Irish politicians.

probe wrote: »

It is not naïve to expect privacy on the net

OK ... let me rephrase ... only naive people expect privacy online. BT customers in the UK have learned this the hard way, after the fact. I am sure similar data collection is going on all over the world.

Case in point is the recent decision by a US Federal Judge which resulted in Google agreeing to hand over 12 Terabytes of youtube search/access data to the media company Viacom. Apparently, Google are hoping to 'anonymise' the data before they hand it over.

12 Terabytes of data for Youtube access. And Google 'hope' to anonymise it. Think about it.

probe wrote: »

There is a big difference between google and their doubleclick division and Phorm+ your ISP. Google/doubleclick doesn’t know who you are unless you use their gmail.com email service as well.

Don't forget about iGoogle users, Google Calendar users and Google Docs users.

probe

12 TB of data, while a mega amount of data by some standards, is just 8 x 1.5 TB USB drives in my local FNAC store – about the price of a cheap notebook PC in total. Google has the largest supercomputer network in the world. If they really wanted to anonymise 12 TB of data (ie remove the IP numbers) it would be a trivial task for them. Listen in the same netcast on how Steve built his own PC that could do real-time compression of media content, a feat that took an hour with his off the shelf quad-core processor box.

I suspect that they will be unable to anonymise it, simply because they could be accused of “tampering with the evidence”. The IP number is the main target Viacom lawyers want to get their hands on. This will allow them to machine-gun the ISPs who have been assigned these IP numbers, to force them to deliver end-user names and addresses.

I have no problem with media proprietors seeking to protect their assets. If I made a film, I might decide to make it freely re-distributable open-source content, or I might wish to license it, subject to conditions. In the latter case, I might perhaps be “litigiously annoyed” at google & co if my licensed movie appeared on youtube.com. I have no problem from a copyright perspective with youtube.com distributing video of students getting tasered (Electro-Muscular Disruption) by some college security guard, taken by a fellow student who puts the video up on youtube.com for the world to see and make their own judgement on.

I’d even go further. There is great value for the consumer in having the video they want available to them on demand, rather than when the “monopolistic broadcaster” decides to screen same. Depending on where you live, a decade or so ago one might have had access to say 30 to 100 TV channels. Today, potentially every URL is a different “TV channel” on demand. Dailymotion.com, vimeo.com (best quality video – eg http://www.vimeo.com/1029690 click icon bottom right for full screen version – makes google & co bite the dust....) and youtube.com, among others, have been pushing the envelope in this direction.

It is only a matter of time before everyone will have a RED 4K camera equivalent in their pocket (4K has twice the resolution of BluRay – ie the current HD format). www.red.com And many will want to put the stuff they shoot (and the stuff they come across) on the net. You can’t stop the tide flowing, except at great expense to anyone who tries it.

.probe

larryone

Solution?
We need to loby for better legislation for data protection and data retention (it's now cheaper to keep all the data and buy more disks than it is to process all of it and figure out what needs to be deleted.)
Not every user is going to be able to run their own email server or proxy or whatever. I think it's unrealistic to expect Jo(e) Soap to read the entire terms and conditions for every service (s)he signs up for. (assuming the providor will actually follow up on these anyway)
But the generic user needs to be more aware aswell. If everyone is more aware, then there's the slightest chance the politicians might be more aware also (assuming they give a sh!te)?

probe

Steve Gibson has issued another netcast today on ISP snooping using Phorm, including an interview with Alex Hanff of https://nodpi.org/ who is running a campaign against BT's snooping operations on their customers.

Listen: http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-153.mp3

.probe

http://www.twit.tv/