Links

Ben Laurie blathering


Bad Phorm?

As anyone even half-awake knows, there has been a storm of protest over Phorm. I won’t reiterate the basic arguments, but I am intrigued by a couple of inconsistencies and/or misleading statements I’m spotting from Phorm’s techies.

In an interview in The Register, Phorm’s “top boffin” Marc Burgess says

What the profiler does is it first cleans the data. It’s looking at two sets of information: the information in the request that’s sent to the website and then information in the page that comes back.

From the request it pulls out the URL, and if that URL is a well known search engine such as Google or Yahoo! it’ll also look for the search terms that are in the request.

And then from the information returned by the website, the profiler looks at the content. The first thing it does is it ignores several classes of information that could potentially be sensitive. So there’s no form fields, no numbers, no email addresses (that is something containing an “@”) and anything containing a title like Mr or Mrs.

he says “there’s no form fields”. But this is in the response from the webserver. Form fields in the request sent to the webserver are fair game, it seems. In other words, Phorm are quite happy to spy on what you type, but will ignore form fields sent to you by the server – well, that’s big of them: those fields are usually empty. It’s interesting that many people have picked this up as a contradiction (that is, how can there be no form fields if you are looking at search terms, which are entered into a form field?) – but it has been carefully worded so that it is not contradictory, just easy to misinterpret.

Phorm can completely adhere to this public statement and yet still look at everything you typed. Note also that they only talk about filtering senstive data in the response and not in the request. So nothing, it seems, is really sacred.

Incidentally, they are silent about what they do with the body of the request (usually when you submit a form, the fields end up in the body rather than the URL). That fills me with curiosity.

Even ORG swallow this bit of propaganda (from ORG’s post)

Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP.

Of course, this is nonsense. The ISP can easily associate the identifying number with your IP address – all they have to do is watch the traffic and see which IP address sends the cookie with the Phorm ID in it. In fact, they could probably use the Phorm box for this, since it already sees all the data.

and Phorm’s CEO, Kent Ertegrul, again in the interview with The Register

It’s important to understand the distinction between actually recording stuff and concluding stuff. All of our systems sit inside BT’s network. Phorm has no way of going into the system and querying “what was cookie 1000062 doing?”. And even if we did we have no way of knowing who 1000062 was. And even if we did all we could pull out of it is product categories. There’s just no way of understanding where you’ve been, what you’ve done, what you’ve searched for.

They say this, but we have to take their word for it. Obviously the fact it sits inside BT’s network is no barrier to them connecting to it. Clearly they could just look at the traffic traversing the system and know exactly what cookie 1000062 is doing. And which IP address is doing it, which doesn’t tell you who is doing it, but certainly narrows it down. Analysis of the data will almost certainly allow identification of the individual concerned, of course.

Not, of course, that taking people’s word for their privacy practices is unacceptable – it is pretty much unavoidable. What I object to is Phorm’s attempts to convince us that it is impossible for them to misbehave. Of course, it is not.

Now let’s take a look at BT’s FAQ

Is my data still viewed when I am not participating?

No, when you don’t participate or switch the system off — it’s off. 100%. No browsing data whatsoever is looked at or processed by BT Webwise. . We should be clear: the Phorm servers are located in BT’s network and browsing data is not transmitted outside. Even if you are opted out, websites will still show you ads (as they do now) but these will not be ads from the Phorm service and they will not be more relevant to your browsing. In addition, you will also not get extra protection from fraudulent websites.

This is just obviously a lie. Since opt-out is controlled by a cookie, the system must look at your browsing data in order to determine whether you have the opt-out cookie or not. Naughty BT.

Furthermore, it is difficult to imagine how they could architect a system where your data did not traverse some box doing interception, though it may, of course, decide not to look at that data. But once more we’d have to take their word for it. How can we ever be sure they are not? Only by having our data not go to the box at all.

Talk Talk say they are going to architect their system in this way, somewhere in the comments on this post. I await details with interest – I can’t see how they can do it, except by either pushing the traffic through some other interception box, which doesn’t really change the situation at all, or by choosing whether to send to the Phorm box on the basis of IP address – which does not identify the user, so, for example, I could find myself opted-in by my children, without my knowledge!

All these worries apply to the system working as intended. What would happen if the Phorm box got pwned, I dread to think. I hope they’ve done their homework on hardening it! Of course, since they have “no access to the system”, it’ll be interesting to see how they plan to keep it up-to-date as attacks against it evolve.

5 Comments

  1. [...] 13, 2008 · No Comments Ben Laurie has some interesting thoughts here on the debate around Phorm. Ben points out some incosistencies in the story that is being pushed [...]

    Pingback by What’s in a name? « Identity Blogger — 13 Mar 2008 @ 17:34

  2. Your analysis looks correct to me.

    You dread to think “What would happen if the Phorm box got pwned.”

    Hmm, or used by one of the almost 800 bodies that are allowed access to communications traffic data? See:
    http://news.bbc.co.uk/2/low/technology/7226016.stm

    Only by firstly making the government accountable will it be possible to assure privacy elsewhere.

    Comment by David Pollard — 14 Mar 2008 @ 3:27

  3. Phorm/Webwise isn’t the only proposal to profile browsing habits, and there have been a fair few complaints from people who don’t want their web page trawled in this context.

    Is there any possibility, do you think, of establishing a new meta keyword, like ‘robots: index, follow, noprofile’ (or whatever) that would specifically forbid the use of a page for profiling? Would this establish appropriate copyright or allow other remedies IF the page were to be used to generate profiles and IF this could be proved? I’m not sure that a code of practice would be sufficient, but it might be a step in the right direction, and it would provide, in principle at least, an opt-out on the other side of the browser.

    Comment by David Pollard — 14 Mar 2008 @ 3:48

  4. [...] I have seen about this service has too many contradictions and rings too many alarm bells. Ben Laurie has a good technical write up and considers what they look at, the risks of attack on the service [...]

    Pingback by BT advertising system abuses trust « The r-evolving web — 16 Mar 2008 @ 2:18

  5. I recently found a post on Slashdot which deals with many of the issues and the modus operandi of Phorm and OIX spyware technology. It was written by a poster named ‘anticypher’. The original post is here:

    http://yro.slashdot.org/comments.pl?sid=489948&cid=22777122

    While the full text is below:

    ————————-

    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people’s observations in the ensuing PR war. Phorm’s sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson [citigatedr.co.uk] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I’ve seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by “gifting” the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm’s technical team. If the equipment stays 5 years in the ISP’s premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn’t left their network should post-analysis show the customer has “opted-out” of passing the information to Phorm’s China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP’s network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP’s network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm’s plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let’s take an ordinary, un-intercepted session to slashdot.org. The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can’t be tricked by slashdot’s servers to return cookies from digg or google.

    With Phorm, the initial HTML request to slashdot.org gets intercepted by the Phorm equipment, which respond with a 302 redirect to spyware.ru, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for malware.ru with the correct address for slashdot.org, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to malware.ru with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins, the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It’s a malware writer’s wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.

    Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.

    More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP’s server (without an SSL session since it isn’t going over the internet) can have the contents read and analyzed by Phorm.

    Where the storm of controversy comes from is that technically apt people (like slashdot’s readership) are beginning to understand just what an internet stream hijack implies. It means that Phorm can not only read all your web traffic, they can intercept all the traffic near the headend of your broadband connection and read anything. They can read your IM sessions, they can read your email, they can get it all.

    Now, at this point, the über-technically adept point out encryption, certificates, Man-in-the-Middle attacks and the like. True, https sessions, encrypted IM, TLS protected POP&IMAP and other protected protocols give some protection from snooping on the content, but not much “signals analysis” protection. They can still snoop on your DNS traffic, even if you run your own local caching server or use OpenDNS or AlterDNS. They can still see what the end points of your encrypted tunnels are. Sure, you could tunnel all your traffic to a remote VPN server, but how many of you do that now? How many average users would even bother?

    I was going to insert a long analysis of how they analyze and claim to anonymize the data collected, but this post has gone way too long for slashdot. Maybe another post another time.

    I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible to uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network [slashdot.org]. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names, the name of the company has changed from PeopleOnPage to 121media and recently changed from sysip.net to Phorm. This is typical of a company that knows it will have to shed it’s tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand.

    Sir Tim Berners-Lee has seen their presentation, and held a press conference yesterday to try to stop the practice cold. Even if Phorm is stopped dead tomorrow, the business conditions and legal loopholes are still present to encourage ISPs to try this again and again, and it will certainly be much worse in the US where there is absolutely no legal protections at all, and a ready market for personal data.

    the AC

    Comment by phormwatch — 25 Mar 2008 @ 20:21

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress