Schneier on Security
A blog covering security and security technology.
September 8, 2008
BT, Phorm, and Me
Over the past year I have gotten many requests, both public and private, to comment on the BT and Phorm incident.
I was not involved with BT and Phorm, then or now. Everything I know about Phorm and BT's relationship with Phorm came from the same news articles you read. I have not gotten involved as an employee of BT. But anything I say is -- by definition -- said by a BT executive. That's not good.
So I'm sorry that I can't write about Phorm. But -- honestly -- lots of others have been giving their views on the issue.
Posted on September 8, 2008 at 6:23 AM
I have a great deal of respect for you, you have just as much right as anyone else to earn a living and there are few people who have done more to raise awareness of real security issues, but you make a very good point:
It's hard to rage against the man when you *are* the man.
Funny you write this today, I saw an article in the paper over the weekend (Parade magazine, actually) that quoted you about airport security and then mentioned that you were a "BT security" person. I thought I had missed something, but I guess not.
Sadly Bruce is the only BT exec with morals, but hey...
You've got a point; Bruce Schneier *is* the Man.
At least he works for BT, not BA.
Many thanks for this reading between the lines; many will see the warnings. As a BT shareholder I find the fact BT carried out these without the involvement of their paid security and network staff who are paid to protect customers' privacy.
Suppose that speaks volumes for BT's integrity and morals.
You mean you can't even edit the Wiki entry?
I know there are some very honourable security people at BT, and they aren't very pleased with the whole Phorm thing - however, as per Virgin Media (who I work for), it's only by pushing boundaries that we define what is acceptable.
I'm actually glad that this happened - it opens up a debate about privacy in the UK, and specifically what companies can do with data they have access to, but don't 'own'.
In the UK we are totally retarded in this respect, IIRC, we only got any privacy laws from our EU membership :-(
(which is a bit sad)
Anonymity is something that 'brits' seem to think exists, but are always outraged when it doesn't - and we don't look at the legal agreements hard enough, or we'd see what companies put in there - which is scary.
(e.g. Google Chrome v1 EULA)
The cynic in me does not think that these investigations will go anywhere.
After all, what Phorm did is just what most governments would love to do themselves: automatically profile internet users and assign them a risk factor. Next time you get pulled over for a speeding ticket, the cop can quiz you about the extremist web site you visited three months ago.
They just don't have the data or resources. Yet. Phorm and Google will be eager to lend a helping hand, I'm sure.
Thanks for acknowledging this issue Bruce, at the very least. I don't think anyone curses you for your relationship to the company after years of morally sound commentary on privacy and security. Kudos to you.
@Dom De Vitto & @FP
Google Chrome EULA:
Turns out it was a mistake?
@ Florence, Bruce,
"As a BT shareholder"
I think you have a lot more to worry about with the NHS IT systems BT has involvement in.
As far as I can tell BT used some dodgy accounting with regard to payments supposedly earned but not received and other future earnings to get executive bonus payments.
The U.K. magazine "Private Eye" had an interesting series of articles about it shortly before it was announced that BT was buying Counterpane.
As has often been noted "actions speak louder than words" and BT have sullied their own name on a number of occasions.
Ahhh, censorship-that-is-not-censorship at its finest. Well done, BT.
It's difficult to disagree with your employer in public. Still, good luck contributing to debate that is presumably going on within the company.
As often is the case, find your harshest critics, then silence them. The question then becomes, when do we recognize what actually happened?
Had no idea you worked in telecom? Had the impression you were some sort of security analyst in a university of some sort, but that's how wrong the impression can be when you don't know the entire background of a person.
The irony of this case to me seems to be that BT operated under the advice of "legal counsel" rather than privacy and security experts.
Hopefully you can teach those lawyers a thing or two, Bruce. The law can be relevant to security but not always the best litmus on its own, especially when it comes to untested areas of information security.
When people refer to BT here regarding Phorm, could they be more specific and mention 'BT Retail'. It might be a small difference when viewing from the outside, but I know it certainly isn't when viewed from the inside!
"When people refer to BT here regarding Phorm, could they be more specific and mention 'BT Retail'. It might be a small difference when viewing from the outside, but I know it certainly isn't when viewed from the inside!"
Well, it's the perception from the outside that BT need to deal with. This Phorm rubbish is dirtying BT's brand as a whole, not just BT Retail. How can anyone trust any part of BT to carry their data securely if they are, as they appear to be, willing to lie about what they have done with customer data in the past? I certainly will never use BT for home or business broadband again, whether that's "fair" on some sections of the business or not.
I'd suggest someone should have thought of that before signing up with these crooks in the first place.
Seconding what Chris above said. I just had to set up Broadband for my girlfriend and chose to avoid BT Retail and any of their subsidiaries (PlusNet, Brightview, Waitrose Broadband). I'll also be avoiding any other business owned by BT (eg Dabs.com) for the foreseeable future.
It is hard to split BT retail from BT group when Phorm start to post repeats of the PR spin on the forums for BT group on interactive investor. This was allowed to be put in the news for BT group shareholders to see on Thursday 4th Sept.
I agree that it can only be set up on BT retail as all other ISP's customers contracts are nothing to do with BT so would cause some problems if BT started to use phorm on other ISP's customers.
I know many that have started to boycott these same companies.
I hope you read this. I feel it is important if Phorm is to go ahead that the security people in BT have access to the full source of any 3rd party software running within their network which has potential access to privileged communications.
That would mean that BT need effectively to be in charge of the build process, so they know what is actually running on their own servers.
When Phorm issues patches and updates, I would hope a delta of the source is reviewed alongside a delta of the software requirements and it is confirmed via fingerprint of the binary image that the actual software running represents the source provided for review.
In short, I choose to trust BT with my private communications, and unless people like you are there to assure me that all the necessary checks and balances are in place to ensure that Phorm can't step out of the box, and that rogue employees can't start a secret data harvest, then I will not trust BT to handle my data.
An article in The Register recently said that BT were being spoken to by Police in London about Phorm. Thank Christ for that!
I mean, if the vast majority of the UK Government forgets to encrypt, and/or password protect files, or even to take their memory sticks WITH THEM when they go somewhere like a TUBE TRAIN, then I'm sure the Police will have BT in check.
Avoid BT. Rent your lines from Tiscali or Toucan, and make your calls through Vonage or Skype.
The privacy, security, and integrity of data communication must be protected.
Phorm must be stopped.
Phorm is wrong. Spyware on the ISP network. A wiretap. Incredible stupidity to trial at BT in 06 & 07. Criminal. Glad police are investigating.
Sign the Downing Street petition (18k people have)
Phorm must be stopped. Now. And Kent can take a hike and go back to his adware and rootkits or launch Phorm in Asia somewhere if they let him.
According to an article in The Globe and Mail (http://tinyurl.com/6dun2n) NebuAd uses your IP address (run through a hash algorithm) to identify you. I can see two significant problems with that. First, my home IP address is dynamic. So I might end up seeing ads targeted at the previous lessee of that IP address.
Second, even if my home IP address were static, my whole family shares one IP connection to the Internet. So the targeting fails again - I might be seeing ads based on my son's browsing. To take this to the extreme: the business I work for has well over 1,000 employees in one building, all of whose browsing gets funnelled through one (or perhaps a handful) of IP addresses. How are NebuAd going to sort THAT out?
I hope one day your valuable insight to security will be used one day as an expert witness in court for this whole phorm - webwise affair. I guess, you being an honourable man, BT retail will not come out too well from your truthful analysis.
Presumably, BT would have NO objection to Bruce writing something complimentary about Phorm. But he hasn't has he? Nuff said.
When the subject is Phorm or BT Webwise, it's always what isn't said that matters!
I wonder if Korea Telecom have involved their security experts... Poor Koreans. Now it's their turn to be snooped on by Kent Ertugrul's Webwise/Weblies system.
To learn more, take a look at www.NoDPI.org and if you are on Facebook, search for the Phorm groups
I've always been a bit confused about the advantages of behavioral advertising.
Correct me if I'm wrong, but it picks up what you were interested in looking at previously, about which you've probably made your mind up and bought, rather than what you will want to buy tomorrow.
As far as I can see, its only value is to identify companies whose products are so poor they need to be shoved in your face, rather than sell on their own merits.
But maybe I'm just cynical.
Since most of your commentary is political in nature in the sense that they are opinions rather than "truths", your position at BT compromises your impartiality. So now you can't comment on things where BT has significant business interests. We can no longer rely on you to get the "Schneier" view, since you can only give us the BT view which we can well do without. Bruce you've compromised your integrity, and that is a total shame!
Two years later, still nothing to add? :(
Four years now, and still nothing to say? :(
And yet, now you're a signatory to an EPIC Amicus Brief condemning the "secret collection of private communications"?
Please help me understand. I really don't follow the logic of your position at all.
"Welcome to an Internet without privacy, and we've ended up here with hardly a fight", Bruce Schneier. (source)
We fought Phorm, Bruce. But where were you when we were fighting? Where was your support at the BT AGM when we protested? Where was your evidence when we sought prosecutions?
Instead you were mute; "I can't write about Phorm".
Don't criticize the few who did try to fight against mass surveillance for their weakness. Damn the few who were in a position of power to stop it, and said nothing instead.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.