Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers

By Ryan Singel
Wired
Jun. 12, 2008

An internal British Telecom report on a secret trial of an ISP eavesdropping and advertising technology found that the system crashed some unsuspecting users' browsers, and a small percentage of the 18,000 broadband customers under surveillance believed they'd been infected with adware.

The January 2007 report (.pdf) -- published Thursday by the whistle blowing site Wikileaks -- demonstrates the hazards broadband customers face when an ISP tampers with raw internet traffic for its own profit. The leak comes just weeks after U.S. broadband provider Charter Communications told users it would be testing a technology similar to what's described in the BT document.

The report documents BT's partnership with U.K. ad company Phorm, which specializes in building profiles of ISP customers, then serving targeted ads on webpages the user visits.

From late September to early October 2006, British Telecom secretly partnered with Phorm to let the company monitor and track 18,000 of the BT's customers. Phorm installed boxes on BT's network that redirected web requests through their proxy server.

Those boxes inserted JavaScript code into every web page downloaded by the users. That script then reported back to Phorm the contents of the web page, which Phorm used to create ad profiles of a user. Additionally, Phorm purchased advertising space on prominent web sites, showing a default ad for a charity. But when a user who had previously looked at car sites visited one of those pages, he instead got an advertisement for car insurance.

The users were not informed they were being made guinea pigs for a new revenue system for BT and had no way to opt out of the system, according to the report. The JavaScript caused flickering problems for some users as the script reported back information about the content of the web page to a Phorm server. The script also crashed browsers that loaded a website that relied excessively on anchor tags. Additionally, the rogue JavaScript showed up unexpectedly in user's posts to some web forums.

Despite these problems, the technical assessment concluded the test was successful and was largely went unnoticed by most users.

The operation of the system does have noticeable side effects, which included web-page tag insertion and navigation bar flutter.

From the postings, no user correctly determined the source of these effects and users did not post that the system was causing poor performance.

However all postings suspected that their machines had a virus, a malware or a spyware infection.

Neither Phorm nor BT returned calls seeking comment on the document.

The U.S.'s fourth largest ISP, Charter Communications, is set to test out technology similar to Phorm's in the coming weeks using a U.S.-based company called NebuAd. After Charter sent out notice of the test to customers, two influential members of the U.S. House of Representatives asked the company to postpone the test, citing possible violation of privacy laws.

Congressman Ed Markey, who chairs a powerful telecom oversight subcommittee, is planning to meet with company representatives next week, according to a spokeswoman.

Charter's partner, NebuAd, claims to have have applied for a patent for its technology to let users opt-out of having their web sessions eavesdropped on and categorized, but the only patent applied for under its name is one that replaces ads on third-party websites with ads of their own.

BT's secret test first came to light when one suspicious user contacted The Register about the problem. At the time, BT denied any involvement, though the company later admitted it had run a secret test and planned to expand the monitoring technology to its entire network.

The newly released documents confirm a further report in The Register in April about the extent of the secret test.