We have been following the Phorm controversy for some time, and new developments have now emerged: a leaked internal report suggests that Phorm broke the law 113 million times during the controversial trials.
Wikileaks has freshly leaked an internal report which says some very interesting things. Here's the Wikileaks summary of the report:
The internal British Telecom report shows that the carrier committed at least 18,875,324 allegedly illegal acts of interception and modification during its controversial covert “Phorm” trials.
The report also indicates that personal identifying IP addresses were likely used, despite BT previously assuring the public and ICO that no personally identifiable data was used. IP addresses are recognised by the Data Protection Act.
In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.
The report concludes that the “opt-out” system would not work, since BT customers find themselves opted back in every time they changed computers or wiped their cookies.
There were a number of things in the report which left me believing that BT had misled ICO (and the public) with regards the covert trials.
BT have repeatedly stated the trials involved no personally identifiable data and this is one of the points ICO touched on in their letter to one of the victims of the 2007 trials as reported on this web site last week.
However, and this will be obvious to the technically minded although I have not seen anyone mention it to date, if we return to the table on page 45 we have a row called “IP addresses seen through the Proxy Servers” for the same period as above but also no data for 24th September due to a technical fault. So it is evident that the PageSense servers (running multiple instances of SQUID proxy server) were in possession of customer IPs; and in fact due to the way PageSense worked, they needed to have these IPs in order to forward the web page back to the user once it had been grabbed by SQUID.
Hanff then notes that there was a claim that the trials were trivial, but after a look at page 45, he notes that nearly 19 million tags were inserted into users' web pages. He then analyzes British law with specific reference to the following:
- Regulation of Investigatory Powers Act 2000
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Computer Misuse Act 1990
- Torts (Interference with Goods) Act 1977
- Copyright, Designs and Patents Act 1998 (see derivative works)
- Data Protection Act 1998 (IP addresses are legally defined as personally identifiable data)
He then tallies up the total number of “highly probable” law infractions and comes to a total of 113,252,124.
“Still think that looks trivial?” asks Hanff, “And that is just in 8 days.”
Hanff isn't the only one who took notice of these developments. Ryan Singel of Threat Level noted them as well and finds that the Phorm technology also causes web browser instability.
Despite these problems, the technical assessment concluded the test was successful and largely went unnoticed by most users.
Think all of this is just an issue for British users and not U.S. users? Think again. The report also notes an earlier report which points to a company called NebuAd attempting to do similar things in the US with US ISP Charter, only to be asked to stop by Massachusetts Democrat Edward Markey and Texas Republican Joe Barton, who said it would be a violation of the Communications Act. Wired obtained a copy of the letter which can be read here (PDF). No word yet on what the next move would be by NebuAd or Charter.