More Phorm Horrors

Spyblog is, of course, making sense when they say that the BT/Virgin Media/Carphone Warehouse spying scheme may be illegal because of the sweeping-up of e-mail traffic with the rest. As you know, Bob, e-mail has the legal status of a letter, thanks to the good folks of the EFF years ago. I thought of this, too; here’s the text of my complaint to the ICO.

I have just become aware that BT, Virgin Media, and Carphone Warehouse have signed agreements to implement a wideranging scheme to monitor Web traffic passing over their access networks. The intent is, apparently, to insert targeted advertisements into Web content requested by their customers.I consider the details of the scheme to be unacceptable and of dubious legality. It appears that the technical implementation requires the participating network to intercept traffic between requesters and remote sites, to keep logs of individual users’ activity, and to amend the content returned in accordance with rules applied to these logs. Legally, electronic mail is considered equivalent to a letter; this implies not just reading the traffic but altering it.

Note that many electronic mail users access their mailboxes via a Web interface, so their electronic mail could be affected by this insofar as it is not encrypted. As requests are being redirected, it is also possible that the security of authenticated sessions might be compromised. No guarantees are offered, or indeed technically possible, that this system would only be used for commercial purposes; as if that made it all right.

Corroborative information is available here [snip a gaggle of links]

Some people are concerned that other ISPs that either use BT’s IPStream service – buying wholesale service on BT’s access lines – or else use BT Wholesale to backhaul the lines they have taken over under local-loop unbundling to their facilities might be affected.

I’m pretty sure they’re not; the distinction between an IPStream customer and a BT Retail customer is essentially which ISP bills you and routes the traffic onwards. BT Retail deals with BT Wholesale and Openreach on the same basis as other ISPs, under the terms of their agreement with Ofcom; so it buys service from BT Wholesale, and its traffic is piped from the BRAS (Broadband Remote Access Server) into its own core network. Meanwhile, the IPStream operators’ traffic is wrapped into something called the Layer 2 Tunnelling Protocol (L2TP) and shipped from the BRAS over BT Wholesale wires to their own core networks, where they unwrap it, bill it, and route it.

If you look at the leaked network diagram above (right-click to enlarge), the Phorm/Websense/whatever stuff is all located in the BT Retail core network, upstream of the switches that handle traffic through their RADIUS servers. RADIUS is a server protocol used for accounting for IP traffic and controlling access, so essentially, all that goes through here is traffic BT Retail is billing for. We can therefore conclude that the other ISPs who use BT IPStream or local-loop unbundling are safe. Note that the left hand side is within BT Wholesale, i.e. everyone, the centre section is within BT Retail, so just their customers, and the right hand side is BT Wholesale’s IP backbone network, so everyone again; if you like, imagine that the other ISPs’ traffic goes around the back of the slide.

Which leads to the ironic conclusion that the best you can do if you’re a Virgin customer is to churn to someone who uses BT’s network.

1 Comment on "More Phorm Horrors"


  1. MY problem is that BT etc., are selling the contents of my traffic. Period.

    I have not been asked.

    I have not approved.

    I send letters in the post but I don’t expect the Post office to tell everyone I write to the Geninto Urinary Clinic with a sample once a week. I assume MI5 etc read my mail anyway – but as far as I know, they don’t sell it to anyone.

    Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.