British Telecom's eavesdropping software crashed browsers

A leaked report on British Telecom's spyware "Phorm" project -- eavesdropping software that the ISP secretly infected its customers' PCs with, in order to insert ads into their browsing sessions -- caused browser crashes, slowdowns and system instability.

The users were not informed they were being made guinea pigs for a new revenue system for BT and had no way to opt out of the system, according to the report. The JavaScript caused flickering problems for some users as the script reported back information about the content of the web page to a Phorm server. The script also crashed browsers that loaded a website that relied excessively on anchor tags. Additionally, the rogue JavaScript showed up unexpectedly in user's posts to some web forums.

Link (Thanks, Robbo!)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Civlib

More at Boing Boing

The technology that links taxonomy and Star Trek

Hackers prepare for first "national holiday" in their honor

mikelotus

i can not imagine that content owners will let this slide. modifying their content in such a way has to be legally problematic.
Enochrewt

#6 IMPAK: So you’re cool with the phone company keeping track of what you look up in the phonebook? Or you’re fine with the government keeping track of what books you buy? It’s all the same principle, and it’s an invasion of privacy.
PrettyBoyTim

Surely this is illegal under the Computer Misuse Act?
RevEng

As has been pointed out, this seems like a rather open and shut case. I’m not familiar with the british laws, but in both Canada and the US, there are laws specifically against installing software on somebody’s computer without their knowledge. It’s not surprising to see a random website doing this, but for an ISP to do this, and for such selfish reasons, calls for swift action. Let’s hope this goes to court swiftly and decisively.
RevEng

@ #6, I think you’re missing part of the picture. Sure, they don’t know the exact contents of the page, but just know where you’ve been says a lot. In fact, it is worse in many ways, because without the context of why you were visiting those sites and what was on them, it’s easy to misinterpret your actions.

As an analogy, consider having a private investigator follow you around. He doesn’t have a big microphone or camera recording every conversation you have, he just follows you and make notes about where you’ve been. Say you happen to visit the unemployment office, a prison, a hospital, then spend the night at a halfway home. At first glance, I’d say you were some poor junkie on parole. However, you’re actually a counselor for battered women.

If you think that was an unreasonable example, consider what your search terms on Google look like. When AOL had that list of millions of customers’ searches leaked, there were some rather bizarre correlations. One woman looked like she was either at the end of her rope or in desperate need of medical attention. In reality, she had tried to help many friends all with various ailments.

The common belief that there’s nothing to fear if you have nothing to hide is false because the interpretation of one’s actions can be quite negative even if they are done with good intentions.

Besides, what business do they have keeping track of where you go? Other than making them money, what are they providing you in return?
danegeld

You’d think.

If the post-office started steaming open letters and putting adverts inside the envelopes they delivered, I’d be f****d off with them, too.
danegeld

I actually have my webserver set up to include the

Content-MD5:

header on some pages. Does this mean BT just screws with the text of the webpages on the fly and breaks the hashes / filters them out?
Cefn Hoile

Just subscribed for BT’s ‘employee broadband’ for a nominal Â£1 a year.

I wonder if I can get my money back…
imipak

Far be it from me to defend BT or this plainly illegal activity, but there’s really no need to exaggerate the case and call it “eavesdropping” – that suggests someone sitting there watching your HTTP data. AFAIK Phorm is “just” about tracking URLs you visit, not the content of data going either way (so things you type into forms like the BoingBoing comment form weren’t getting intercepted.)

Incidentally it’s looking quite likely that the Information Commissioner will get them prosecuted for this – if they don’t, THAT will be the real scandal. Huge corporate bends or ignores the law for pecuniary advantage? Old news. Independent Crown Prosecution Service refuses to prosecute an open and shut case? That’s serious.
imipak

@4: What’s the point of putting an MD5 hash in a page as proof it hasn’t been intercepted and modified? An attacker who doesn’t want to be detected will just rewrite the hashes.
WeightedCompanionCube

Danegeld – more like the post office sticking post-its on the pages of your magazines. If there’s an ‘envelope’ (SSL) then Phorm can’t mess with it.

Still, magazines don’t phone home when you turn the pages, but the might fall apart when you start stuffing them full of flyers.

Messing with anything inline is a bad idea…
foobar

In the long run these sort of shenanigans probably have a positive effect, as it highlights the need for encryption.

Processor time is cheap. Is there any real reason not to encrypt all http traffic?
snackcake

They named the project “Phorm”… Really? Reads a bit like “Pr0n.”
Neko

Everyone go watch the movie “One Point Oh” / “Paranoia 1.0″ now.
Fibers Centenary

IMIPAK: “there’s really no need to exaggerate the case and call it “eavesdropping” – that suggests someone sitting there watching your HTTP data.”

Well, I’m quite sure there’s no one looking at *every* request. Yet they *did* manage to count the number of customers’ bulletin board posts reporting problems. But hey, I guess they just googled it. Didn’t they?
hassan-i-sabbah

Cory,What happened with you showdown with Virgin?
Some help would be good ‘cos I have MAJOR issues with their service it the moment.