
Amazon To Block Phorm Scans

clickclickdrone writes "The BBC are reporting that Amazon has said it will not allow online advertising system Phorm to scan its web pages to produce targeted ads. For most people this is a welcome step, especially after the European Commission said it was starting legal action against the UK earlier this week over its data protection laws in relation to Phorm's technology. Anyone who values their privacy should applaud this move by Amazon."
  • by jonbryce ( 703250 ) on Wednesday April 15, 2009 @09:44AM (#27585345) Homepage

    It doesn't say anywhere how you opt your own website out of this.

    I suggest everyone does this, no matter how small or insignificant your site is.

    • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday April 15, 2009 @09:47AM (#27585389) Journal
      • by Richard_at_work ( 517087 ) on Wednesday April 15, 2009 @10:48AM (#27586167)
        BT owns a top level cert, so they can do a man in the middle attack without any error messages popping up on your end.
        • by h4rr4r ( 612664 )

          The solution to that is to remove that CA from your browser.

          If mozilla and other browser makers would remove that CA this problem would sort it self out very fast.

        • Re: (Score:2, Informative)

          by daem0n1x ( 748565 )
          Wrong. To do that they would have to have certificates for every possible domain and spoof the domains.
          • by Richard_at_work ( 517087 ) on Wednesday April 15, 2009 @01:30PM (#27588217)
            If they have a top level certificate, they can generate all the domain certs they want on the fly - it would be no different at all to the cert you get from Verisign to run on your web server.

            This is why ISPs should never be allowed to own a top level cert.
            • As far as I can see (although I'm not an expert on the topic) the BlackBerry may already do this when contacting BIS. Hit up Options->Security Options->Certificates and you'll probably see various provider certs (trusted root CA's) that seem to be used to sign for other domains while you browse (may depend on TLS settings). I can mark my providers certs as untrusted, but I suspect if they wanted to they could force my settings to be overridden by service book (RIM seems to allow your provider to monke

        • Re: (Score:3, Interesting)

          by Eil ( 82413 )

          How would that work? BT might be a top-level CA but if I have an HTTPS-only site (say, [] they still don't have my private key. Without that private key, they can't do anything to the data flowing between the web server and the end-user's browser without raising some flag or another.

          They could create their own certificate for in order to fool the end-user's browser, but that would involve a very intelligent proxy and would be incredibly (almost painfully) illegal, even

          • You have hit the nail on the head with regard to how they would do it - man in the middle proxy talking to both ends as each other, generating certs for the domains on the fly. With regard to it being illegal, that is something that the EU are currently contesting with the UK suggesting that it isn't.
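The claim argued back and forth above, that a root in the browser's trust store can mint a certificate for any hostname and the browser accepts it without a warning, and that the remedies are either removing that root or pinning the key you expect, can be shown without a network. The Go program below is an added example, not code from the thread or from BT, Phorm or any browser vendor; the CA names and the hostname shop.example are made up, and both roots are generated in-process. A browser-style verify accepts the "ISP" certificate for the site's hostname, an SPKI pin rejects it, and dropping the ISP root from the store breaks its chain, which is what the "remove that CA from your browser" suggestion amounts to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// authority is a root CA with its signing key: one stands in for the site's
// real CA, the other for the root the thread says the ISP holds (hypothetical).
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint generates a key and signs tmpl with parent's key (self-signed when parent
// is nil). Errors panic because this is a demonstration, not library code.
func mint(tmpl *x509.Certificate, parent *authority) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func newAuthority(name string) *authority {
	cert, key := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	return &authority{cert: cert, key: key}
}

// issue signs a server certificate for host. Nothing in X.509 stops a trusted
// root from doing this for a domain it has no relationship with.
func (a *authority) issue(host string) *x509.Certificate {
	cert, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, a)
	return cert
}

// trustStore is the browser's root list; every CA in it is trusted equally.
func trustStore(cas ...*authority) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca.cert)
	}
	return pool
}

// spkiPin hashes the SubjectPublicKeyInfo: what key pinning compares, independent of the issuer.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// browserVerify does what a browser does: chain to any trusted root, check the hostname.
func browserVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// pinnedVerify adds the check that catches a trusted-root MITM: the server key must
// match a pin the client learned out of band (an earlier clean connection, say).
func pinnedVerify(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if err := browserVerify(leaf, roots, host); err != nil {
		return err
	}
	if spkiPin(leaf) != pin {
		return fmt.Errorf("chain validates but the key differs from the pin: another issuer is in the path")
	}
	return nil
}

func main() {
	site, isp := newAuthority("Example Site CA"), newAuthority("Hypothetical ISP Root")
	roots := trustStore(site, isp)
	genuine, rogue := site.issue("shop.example"), isp.issue("shop.example")
	fmt.Println("browser, ISP-minted cert  :", browserVerify(rogue, roots, "shop.example"))
	fmt.Println("pinned,  ISP-minted cert  :", pinnedVerify(rogue, roots, "shop.example", spkiPin(genuine)))
	fmt.Println("browser, ISP root removed :", browserVerify(rogue, trustStore(site), "shop.example"))
}
```

The first line prints `<nil>`: the certificate the hypothetical ISP root minted for a domain it does not own passes the same check a browser runs, with no hostname mismatch and no untrusted-issuer error. Only the pin, or taking the root out of the store, turns that into a failure.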
    • by ebcdic ( 39948 ) on Wednesday April 15, 2009 @09:57AM (#27585535)

      Phorm claims to look at robots.txt, but it's unclear what exactly they mean. See

      • by Anonymous Coward on Wednesday April 15, 2009 @10:08AM (#27585673)

        Kind of useless really. Crawlers using robots.txt are supposed to uniquely identify themselves, so that you may block specific crawlers. Phorm doesn't do this - instead, it processes directives intended for Google, Yahoo, and all crawlers.

        Effectively, the only way to block Phorm with robots.txt would also block all search engines. That makes it effectively impossible to do, while still allowing them to claim that it can be done.


        Anyway, if there were a way to block just Phorm using robots.txt, you can bet that as soon as a couple of major sites start doing it, Phorm will start ignoring it.

      • by kramer ( 19951 ) on Wednesday April 15, 2009 @10:14AM (#27585735) Homepage

        Reading carefully, they'll obey any robots.txt rule for "*", googlebot, or (yahoo) slurp. They apparently didn't feel it necessary to have their own robots.txt identifier so you can block just them.
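To make the all-or-nothing consequence concrete, here is an added Go example. It is not from Phorm's documentation and does not claim to reproduce their code; it models only the policy the comments above quote, that Webwise honours the "*", Googlebot and Slurp groups and nothing addressed to itself. The two robots.txt bodies are constructed for the example. A small parser applies ordinary robots.txt semantics (most specific matching User-agent group wins, "*" is the fallback) for an honest crawler, and a second function applies the quoted policy, so the two can be compared on the same file.

```go
package main

import (
	"fmt"
	"strings"
)

// group is one User-agent block of a robots.txt file.
type group struct {
	agents   []string // lower-cased User-agent tokens the block addresses
	disallow []string // Disallow prefixes; an empty Disallow line adds nothing
}

// parseRobots splits a robots.txt body into groups. Comments and unknown
// fields are skipped; consecutive User-agent lines share one group.
func parseRobots(text string) []group {
	var groups []group
	inAgents := false
	for _, raw := range strings.Split(text, "\n") {
		line, _, _ := strings.Cut(raw, "#")
		field, value, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		field, value = strings.ToLower(strings.TrimSpace(field)), strings.TrimSpace(value)
		if field == "user-agent" {
			if !inAgents {
				groups = append(groups, group{})
			}
			last := &groups[len(groups)-1]
			last.agents = append(last.agents, strings.ToLower(value))
		} else if field == "disallow" && len(groups) > 0 && value != "" {
			groups[len(groups)-1].disallow = append(groups[len(groups)-1].disallow, value)
		}
		inAgents = field == "user-agent"
	}
	return groups
}

// rulesFor returns the Disallow list an honest crawler must honour: the most
// specific User-agent token that appears in its name wins, "*" is the fallback.
func rulesFor(groups []group, agent string) []string {
	agent = strings.ToLower(agent)
	var best []string
	bestLen := -1
	for _, g := range groups {
		for _, tok := range g.agents {
			if tok == "*" && bestLen < 0 {
				best, bestLen = g.disallow, 0
			} else if tok != "*" && strings.Contains(agent, tok) && len(tok) > bestLen {
				best, bestLen = g.disallow, len(tok)
			}
		}
	}
	return best
}

// disallowed reports whether path falls under any Disallow prefix.
func disallowed(rules []string, path string) bool {
	for _, p := range rules {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// crawlerBlocked: would a crawler that identifies as agent stay off path?
func crawlerBlocked(groups []group, agent, path string) bool {
	return disallowed(rulesFor(groups, agent), path)
}

// webwiseBlocked models the policy quoted in the thread: Webwise applies the
// rules written for "*", Googlebot or Slurp and ignores any group naming itself.
func webwiseBlocked(groups []group, path string) bool {
	for _, borrowed := range []string{"googlebot", "slurp", "*"} {
		if disallowed(rulesFor(groups, borrowed), path) {
			return true
		}
	}
	return false
}

// Constructed robots.txt bodies, not taken from any real site.
const targeted = "User-agent: Webwise\nDisallow: /\n\nUser-agent: *\nDisallow: /private/\n"
const blockAll = "User-agent: *\nDisallow: /\n"

func main() {
	for _, tc := range []struct{ name, body string }{{"targeted", targeted}, {"block-all", blockAll}} {
		g := parseRobots(tc.body)
		fmt.Printf("%-9s Webwise stays off /products/: %-5v Googlebot stays off /products/: %v\n",
			tc.name, webwiseBlocked(g, "/products/"), crawlerBlocked(g, "Googlebot/2.1", "/products/"))
	}
}
```

The "targeted" file would stop any crawler that actually identifies as Webwise, but under the quoted policy it stops nothing, because the Webwise group is never consulted. The only file that does stop the profiler is the one that also throws Googlebot out, which is the trade-off the comments describe.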

      • Phraudsters (Score:5, Interesting)

        by Blue Stone ( 582566 ) on Wednesday April 15, 2009 @10:19AM (#27585815) Homepage Journal

        Phorm are liars when it comes to robots.txt.

        They say they respect robots.txt but their scraper will only respect it if it also blocks google and yahoo. If it allows Google and Yahoo, they say it's fair game for Phorm. That's not respecting it at all.

        But what do you expect from the sort of people who would conduct illegal surveillance on people to test their spyware system and claim that letting people opt out would have been impossible because it would have been too difficult for them to understand the complicated computery stuff they were doing.


        • by heffrey ( 229704 )

          I guess you'd have to write some special processing to return a custom robots.txt to disallow all if the user agent identified the crawler as Webwise and otherwise to return the normal robots.txt.

          I don't know but I imagine webservers can do this sort of thing.

          • But presumably they spoof the Googlebot string, so you have to either blacklist the IP addresses Phorm might use, or whitelist all the IP addresses Googlebot might use.

      • They mean that the contents of your site's robots.txt file will be used to generate robot ads.

      • by SST-206 ( 699646 )

        FTLA: [] [scroll down]

        Alternatively, you may request specifically that your website is not scanned by Webwise. To request that your website not be scanned by Webwise, please email:

        So would that just earn you more bigpenis spam? It's hard to guess what low tricks these scum won't stoop to.

    • by xaxa ( 988988 ) on Wednesday April 15, 2009 @10:00AM (#27585565)

      I think you have to email them. []

      I've emailed them for my domains (they're very small and insignificant).

      • From that page: "robots.txt: The Webwise system will observe the rules that a website sets for major search engines using the robots.txt method. If the website's robots.txt file is set such that "*" (any robot) is not permitted to crawl it, then Webwise will not profile its pages."

        First person to capture the User-agent ID gets a cookie!

        • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday April 15, 2009 @10:25AM (#27585865) Journal
          Because sleazy bastards like Phorm would never, ever think of just impersonating an assortment of other people's legitimate User-agent IDs...
          • by Canazza ( 1428553 ) on Wednesday April 15, 2009 @10:52AM (#27586219)

            They've given us an 'all or nothing' ultimatum

            Block all Search Robots (and effectively remove yourself from Google/Yahoo etc) or e-mail them and hope they put you on their no-go list (and as with many hidden services, there will be no easy way of telling if they have)

            We will obey the "*" from the robots.txt but we will disregard everything else.

            Just keep a look out on [] and if you really want to block them do a user-agent Server-side script test and send them "FUCK YOU" Pages

            • Then you are stuck with one option:

              iptables and known Phorm IPs. DROP all packets originating from known Phorm addresses. This is of course a pretty much faulty way of approaching it since they can quite easily switch IP addresses and you will be stuck with outdated addresses on your list.

              My thow at it:

              any known ip-ranges for phorm and how does blocking phorm impact users(BT or otherwise).

              • The trick here is going to be identifying Phorm's IPs. That could be tricky, and if they are essentially impersonating other user agent tags, then it might get very very hard.

                • Re: (Score:3, Informative)

                  by Timmmm ( 636430 )

                  Actually it should be quite easy to work out. I expect that phorm does a man-in-the-middle attack and pretends to have the user agent of the web browser that has been tricked. All you need to do is ask some people who are using phorm to add "PhormIP" to their user agents.

                  It's easy to see if you're using phorm because it does an HTTP redirect to
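The marker idea above, worked through as an added Go example (not code from the thread; the log lines are constructed, with documentation-range addresses, and the "PhormIP" marker is the one the comment proposes). It assumes combined-format access logs and that whatever re-fetches a page on the profiler's behalf reuses the volunteer's User-Agent, as the comment expects. A single volunteer's own address only ever appears with that volunteer's browser string, so an address that shows up with the marker under two or more different User-Agent strings is the one worth a second look. The block also renders the iptables DROP lines proposed earlier in this subthread; as that comment warns, such a list goes stale as soon as the addresses change, so treat it as a snapshot rather than a fix.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Combined log format: client address is the first field, User-Agent the last
// quoted field. Only those two are captured; the rest is matched and discarded.
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"`)

// suspectProxies applies the heuristic: collect every User-Agent string seen
// with the marker per client address, and report addresses that carried the
// marker under two or more distinct User-Agent strings, which no single
// volunteer's own machine would do.
func suspectProxies(lines []string, marker string) []string {
	uasByIP := map[string]map[string]bool{}
	for _, line := range lines {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil || !strings.Contains(m[2], marker) {
			continue
		}
		if uasByIP[m[1]] == nil {
			uasByIP[m[1]] = map[string]bool{}
		}
		uasByIP[m[1]][m[2]] = true
	}
	var out []string
	for ip, uas := range uasByIP {
		if len(uas) >= 2 {
			out = append(out, ip)
		}
	}
	sort.Strings(out) // deterministic output for humans and tests
	return out
}

// dropRules renders the iptables lines suggested in the thread for a list of
// addresses. Re-run the analysis and regenerate; the addresses will change.
func dropRules(ips []string) []string {
	rules := make([]string, 0, len(ips))
	for _, ip := range ips {
		rules = append(rules, "iptables -A INPUT -s "+ip+" -j DROP")
	}
	return rules
}

// Constructed log lines, not real traffic: two volunteers on different browsers,
// each request seen twice (their own address and a second one), plus a bystander.
var sampleLog = strings.Split(strings.TrimSpace(`
203.0.113.10 - - [15/Apr/2009:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0 PhormIP"
198.51.100.7 - - [15/Apr/2009:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0 PhormIP"
203.0.113.22 - - [15/Apr/2009:10:05:09 +0100] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) PhormIP"
198.51.100.7 - - [15/Apr/2009:10:05:10 +0100] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) PhormIP"
192.0.2.44 - - [15/Apr/2009:10:06:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
`), "\n")

func main() {
	ips := suspectProxies(sampleLog, "PhormIP")
	fmt.Println("addresses replaying marked requests:", ips)
	for _, r := range dropRules(ips) {
		fmt.Println(r)
	}
}
```

With the constructed lines only 198.51.100.7 is reported: it fetched both volunteers' pages with both volunteers' browser strings. Each volunteer's own address appears with one User-Agent and is left alone, as is the bystander without the marker. On real logs feed `suspectProxies` the lines from the period volunteers were active, and expect false positives from shared proxies (corporate or mobile gateways) that legitimately front many browsers.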

      • by Nicolas MONNET ( 4727 ) <nicoaltiva AT gmail DOT com> on Wednesday April 15, 2009 @10:50AM (#27586203) Journal

        For real,


        Subject: Exclusion requested from your spyware system

        I hereby request that you remove the following domains that I own or may own in the near future from your WebWise / Phorm system:

        Fuck you very much!

    • More to the point ... why should I have to?
    • I think that telling them of your website or email address is akin to answering spam emails!

      This seems nothing short of ID theft on a great scale and must be investigated at an EU level if the UK government are too incompetent to protect their own people from this kind of intrusion.

  • by eldavojohn ( 898314 ) * <eldavojohn AT gmail DOT com> on Wednesday April 15, 2009 @09:44AM (#27585355) Journal

    Anyone who values their privacy should applaud this move by Amazon.

    Thank you for telling me how to think. I believe we are approaching this from the wrong end (why start with websites?).

    The article hints at two other points I would encourage Brits who care to be vocal about:

    Jim Killock, executive director of the Open Rights Group, said: We expect more sites to block Webwise in the near future and also ISPs to drop plans to snoop on web users.

    Write your ISPs. Threaten to change ISPs even if you're not able to. Let them know how this makes you feel.

    The European Commission has described the technology as an "interception" of user data and wants UK law to reflect more explicitly the need for consent from users in order for the service to be implemented.

    As always, contact your parliamentary representative and also EU representative and let them know how you feel about this.

    These would be much more effective options than asking each website that exists to request Phorm not scan their site.

    • by xaxa ( 988988 ) on Wednesday April 15, 2009 @10:04AM (#27585623)

      To write to your UK and EU parliamentary representatives, go to []

    • The European Commission has described the technology as an "interception" of user data and wants UK law to reflect more explicitly the need for consent from users in order for the service to be implemented.

      Actually, I'm not sure that's quite true. The European Commission described the unauthorised trials that BT carried out with Phorm last year as unauthorised interception of user data; I'm not sure they have a problem with the proposed webwise service as such, although that may change.

  • Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again. Obviously keeping an eye out as always for loopholes such as allowing a different company to do the same as Phorm on their site, but currently Amazon is getting points from me for this. I despise Phorm. But apparently Phorm haven't been doing that well anyway. There was a bit of an exodus from their board a while back and I heard th
    • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday April 15, 2009 @09:52AM (#27585475) Journal
      I suspect we'll see a fair bit more of this. Not because the world is full of fuzzy defenders of privacy(it isn't); but because the world is full of nonfuzzy violators of privacy and Phorm is trying to muscle in on their action.

      One of Amazon's major selling points, beyond their good logistics, is their ability to use site analytics to make interest based recommendations to customers. Obviously, they have zero interest in letting Phorm piggyback on that, on their own site no less.

      I suspect that many other major web presences will be in a similar place. Phorm is potentially lucrative for the ISPs, but it is a nontrivial threat to larger site and ad-network operators. The small guys are more or less resigned to outsourcing analytics and ad placement, so it won't be as much of a change for them; but the big independents will not be pleased.
      • by h4rm0ny ( 722443 )

        Ah, good insight. It's not like me to not look for the cynical angle first. Well at least Amazon are something I know what they are doing and I can (just about) opt in or out of it. Back on the subject of Phorm, I just created a graph of their share price over the last twelve months [] which makes for some amusing viewing. I wonder how that's affected their balance sheet?
      • Not only that, but phorm would be able to see Amazon's suggestions, and pass them on to Borders / Blackwells or any of their other competitors.

      • by lorenzo.boccaccia ( 1263310 ) on Wednesday April 15, 2009 @10:13AM (#27585727)
        With the difference that with Google ads I get paid, with Phorm the ISP gets paid. This is a big difference even for little guys.
        • Re: (Score:3, Informative)

          Please correct me if I'm wrong; but my understanding was that Phorm's plan was to pay the ISPs for the privilege of spying on their customers and then buy ad space on various websites in order to run ads targeted on the basis of the spying.

          For a small site, then, having Phorm spy on your visitors via ISP, then having Phorm pay you to run ads, would not be considerably different than using a 3rd party analytics package, google analytics or similar, and then being paid to run ads from a third party ad netw
          • no, phorm inject ads on the page you open, mangling them at isp level. I don't actually know if if the system strips the ads from the webpage, as I think that would be nigh illegal; more probably it works injecting html tags around. You may find an essay (not from me) on the topic here []
      • I understand your argument, but I don't consider Amazon to be violating my privacy. I *choose* to use Amazon, and the data they collect on me is kept between me and Amazon. If Amazon were selling on your book buying habits and browsing history then that would be different, but as far as I'm aware this is not the case (and is unlikely to be in their interests anyway).

        The problem with Phorm is that is monitors communication between you and a website without first asking you or the website operator if that i

        • Oh, I agree that Phorm is considerably more evil. I much prefer people who stick to gathering data on their own domain, as amazon largely does. I was just noting that amazon, and their ilk, don't oppose Phorm on principle; but because it represents a potentially dangerous competitor(by virtue of using eviler tactics than anybody else).
    • Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again

      Your opinion regarding that company appears to be fluctuating by the minute. Mmmmm'kay. You've got no experience with large corporations, huh?

    • Well this is a good PR move on the part of Amazon as far as I'm concerned. Cancels out their "censorship" glitch from the other day and puts them back in a healthy credit again.

      If all it takes is a single incident... neither of which is overly 'good' or 'bad'... to sway your opinion of a company up and down like a yo-yo, then maybe you should look into being less of a sheep.

    • by hurfy ( 735314 )

      Bah, they were just scared Phorm was going to sell us nasty books...

  • Not to nitpick ... (Score:4, Insightful)

    by krou ( 1027572 ) on Wednesday April 15, 2009 @09:46AM (#27585385)
    ... but they obviously didn't do it for privacy reasons. As a business, I can bet they weren't happy with the idea of something scanning their pages and then targeting adverts from possible competitors based on what users were looking at on Amazon.
    • They obviously did do it for privacy considerations or the perception of privacy, in addition to competition issues.

      An online customer wants a product or service for a good price, fast delivery, and more importantly know that their transaction and personal information is safe from outsiders and abusive 3rd party companies. Anything that could possibly scare a customer away is going to be seen as a threat to amazon's revenue stream, so any privacy fear due to 3rd parties would be very high on the management'

    • It is good to know that my privacy is actually important to a powerful corporation for a change, even if it's for the wrong reasons. The enemy of my enemy is not my friend, but I'll take a temporary ally when I get one. So long as they don't push for some remedial action which will further disadvantage me (i.e. "users' browsing habits are trade secrets", which would block me from seeing my own browsing history, even under the FoIA).
  • by Anonymous Coward

    Who want to bet that Amazon is actually blocking them because they are not paying to do it?

    Incidentally, why would a business let another business make money out of it for free?

    Simple economic strikes: THAT service isn't free.

  • by freelunch ( 258011 ) on Wednesday April 15, 2009 @10:08AM (#27585681)

    More sites should provide an option for https, like gmail does. Some still don't even provide it for authentication.

    Once upon a time there were wimpy CPUs, and https was a more significant computational burden. Now, not so much. Especially when compared to the resource requirements of most dynamic page generation systems.

    • Re: (Score:1, Troll)

      by u38cg ( 607297 )
      Except BT has a top level cert. They can MITM you till the cows come home and you'd never know. This is one more reason browser security is flawed.
      • I've seen this a couple of times in this thread. I have IE6 and FF3 on this desktop, and neither of them has a BT cert in their list of roots. Proof please?
    • Yes, handling a few https connections is quite easy for your desktop computer, however on the server side you may have 300 SSL connections open, encrypting/decrypting on perhaps 100 of them at once on top of the load generated by your web applications.

      I'd like to see hardware crypto accelerators come as standard with all server chips, much like a math co-processor of years ago.

    • by Ash-Fox ( 726320 )

      More sites should provide an option for https

      I host near a few hundred websites on one of my servers, it has one IP address. An HTTPS cert does not support virtualhosts, not to mention, each subdomain/domain used requires a new cert that costs money, to work without popping up errors that scare users away.

      If you resolve these problems, I'll gladly make HTTPS an option.

      • The first problem has already been solved in SSL's successor, TLS. The "Server Name Indication"[1] extension of TLS allows the client to transmit the desired virtual host before the encryption begins. The current versions of most major browsers support this, including: Firefox 2.0 and later, Opera 8 and later, IE7 and later, Chrome, Safari 3.2.1 and later.
        Apache, Cherokee, Lighttpd and nginx support SNI on the server side.

        Your second problem is not as easy to solve. You could consider CACert[2], a certifica

        • by Ash-Fox ( 726320 )

          The first problem has already been solved in SSL's successor, TLS. The "Server Name Indication"[1] extension of TLS allows the client to transmit the desired virtual host before the encryption begins.

          I didn't know that had been implemented in HTTPS yet, that's awesome.

          Your second problem is not as easy to solve. You could consider CACert[2], a certificate authority based on a web of trust. When I applied for CACert, the assurers were quite serious and checked my identity (ID card, photo and signature) more

  • Can someone provide an unbiased explanation of what Phorm is? Why is it an opt-out system? When did I or Slashdot give implied consent to anyone to inspect the packets for reasons other than routing? What data do they collect and what do they do with it?
    • by Jane_Dozey ( 759010 ) on Wednesday April 15, 2009 @10:27AM (#27585905)

      Phorm wants to inject ads into web pages at the ISP level. They want them to be targeted so not only do they want to alter web content without the owners or receivers consent, they also want to take a look at all web traffic first (deep packet inspection) and keep a history so they can better target the ads. It's opt-out because otherwise no-one would even touch it.

      Now, I'm not going to even try to claim that I'm unbiased as living in the UK means that this monstrosity may well hit me but I think that's not an entirely inaccurate explanation. I really hope that the EC manages to step in and squash Phorm and maybe even slap BT with a giant fine.

      My website content has been written to look how I want it to look. I block many ads as a policy as I don't want crap clogging up my screen or distracting me. Now they want to bypass both my content layout in my website *and* throw ads at me even though I have zero interest in them. Asshats.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        Phorm wants to inject ads into web pages at the ISP level.

        No they don't. They want to monitor all your web browsing (by tapping your ISP) to build up a profile of you. Then they want to sell targeted advertising space to advertisers in much the same was Google does: i.e. a website uses Phorm ads instead of Google ads and Phorm chooses what adverts to place based on the visitor's profile.

        Monitoring web browsing is, as far as anyone can tell, illegal, but the govt refuses to enforce the law. That's what the EU is grumbling about. But the other part of the busine

        • Apologies if I've missed something. From what I can gather there were some complaints about ads being messed with in non-participating websites during some of the trials, hence the reason I thought this was a part of the main plan.

          Do you know if the ads in participating sites will be there in the actual web page or if they'll be stuffed in during transit of the page to my browser? Curious as the latter might mean having to download the stupid things regardless of whether I want to or not.

    • by threeturn ( 622824 ) on Wednesday April 15, 2009 @11:21AM (#27586565)
      Technical explanation in some detail []

      Q Why is it an opt-out system?
      A Because they couldn't get away with providing no optionality control, so they went for the option which pushed as many users as possible to their system.

      Q When did I or Slashdot give implied consent to anyone to inspect the packets for reasons other than routing?
      A You didn't, but Phorm and the spineless UK government has decided you did.

      Q What data do they collect and what do they do with it?
      A Browsing habits to produce targeted advertising.

    • by Heed00 ( 1473203 )
      Here's a short article by Dr. Richard Clayton that might explain a few things. []
  • The scary part (Score:4, Interesting)

    by RalphSleigh ( 899929 ) on Wednesday April 15, 2009 @11:36AM (#27586777) Homepage
    They claim to manage the user opt out via a cookie, from reading the FAQ it appears this cookie is injected into every domain you visit

    As explained on the Customer Choice Process page, when a user opts into the BT Webwise service, a Webwise UID cookie, containing a unique random number is placed on the user's computer. This master cookie is held in the domain. When the user then visits other websites, the Webwise system stores a copy of the Webwise UID cookie within the browser in each of the website domains visited by the user. The cookies are clearly labelled as belonging to Webwise as noted above and as a result can be easily identified as different to those cookies which may be placed by the website itself.

    Since it claims to need no client software, I must assume they do this by injecting extra cookie headers into all the HTTP responses sent to my browser....

    • I wonder, does this mean that every domain you visit is handed your Phorm opt-out cookie? Or would they be smart enough to strip it back out? I doubt there's a security hole there, but paying even a trivial security cost for zero user benefit sticks in my craw.
  • "Anyone who values their privacy should applaud this move by Amazon" /golfclap

    Supplication before our Robotic Overlord. Check.

    Suspend free-thought. Check.

    Check-out cart. Check.
