14 March 2009

ISPs snoop every page we visit: how worried should we be?

British ISPs BT, Virgin Media and TalkTalk intend to launch a service called Webwise that spies on the address and content of every web page that you visit using third-party software from a US company called Phorm, and then make information on your browsing habits available to other web sites (presumably for a kick-back). This sounds pretty worrying, and it has sparked a lot of attention over the last few weeks, incluing Tim Berners-Lee going to Parliament to ask for it to be banned, and ending up in a clash with the Phorm CEO (who it seemed hadn't been invited to the party but turned up anyway).

If Sir Tim's worried then I'm worried, so I decided to find out some more about what it actually is.

In brief, Phorm provide a system that the ISPs will run that performs deep packet inspection. This means that they will be analysing not only the pages you visit, but what's contained on the pages as well. This is then matched against certain patterns to identify browsing habits (e.g. you visited a page containing the words "holiday" and "Bulgaria", so you're now tagged for Bulgarian holidays), and if you match a pattern then this match is stored in a site called the Open Internet Exchange (OIX). Now if you visit another page from a site, that site can query OIX to find what you're interested in and deliver you appropriate advertising. Your privacy is protected because it doesn't store your name, just a random number that stays with you as a cookie so can be used to target content.

BT et al are claiming that this is a great thing for consumers because:
  1. you get adverts targeted at what you're interested in, and
  2. they can also throw in an anti-phishing thing that warns you if you're about to go to a dodgy page.
Note that there's been no mention of you getting a share of the revenue that no doubt BT will get for putting this service in, but that's by the by.

Pulling the analogy from the ZDNet page about Deep Packet Inspection, this is like the Royal Mail rather than just looking at the address on a letter and sending it to you, instead opening the letter up, reading the contents, then telling someone else to send you spam based on what youe letter said. This would never be allowed, so why is it OK for electronic communication? It is also worth remembering that most people's webmail accounts are http rather than https so all their e-mails are fully accessible for scanning.

Two other things deeply worry me about this whole shebang.

Firstly, the anonymity mechanism is totally flawed. Although Phorm don't know who you are (because they claim they won't look at user names, credit card numbers, etc.), any site you're logged into can match up your unique number with your user. They've now got access to your full browsing habits as well, and this is a massive invasion of privacy.

Secondly, the ISPs are running a system from a third-party company with a CEO that has allegedly been responsible for spyware on PCs previously, with no clear regulation, whose legality has also been questioned in the US, and where the BT has already performed secret trials of Webwise without end-users knowing which resulted in the European Commission getting involved. None of this makes me feel warm inside about these people having and distributing my browsing habits.

So - what to do?

I'm not with one of the three ISPs currently planning to launch the service, so I can sleep slightly easier. For those that are:
  • Check out BadPhorm which has some more info on all of this.
  • If you're a Firefox user then get the extension from Dephormation which blocks Webwise from working.
  • Seriously think about switching ISP to one that is not going to sell your secrets to the world.
blog comments powered by Disqus