BT Webwise

BT Webwise is not part of BT Group plc. BT Group is a reseller of Webwise adware. Webwise is a trading name of Phorm, Inc a Delaware, USA, registered advertising network who earn income from displaying behavioural targeted advertisements through Internet connections. The information used to create the behaviour targeting profile is sourced from the Internet connection supplied by your Internet Service Provider (ISP), i.e. BT Broadband.
Phorm are also marketing the adware in South Korea under the QookSmartweb brand.

In an article in the Telegraph Sir Tim Berners-Lee is interviewed about the effects on the integrity of the Internt. "The founder of the web has warned that a new scheme to allow advertisers to target internet users by tracking their browsing habits was akin to putting a spy camera in their homes."

You can read BT's version of Webwise at www2.bt.com/static/i/btretail/webwise/help.html. The notes below have been gathered from other Internet resources and expand on the limited data available on BT's site. Answers given by BT's site relate to only one aspect of this new service: delivery of advertising and anti-phishing add-on [now updated to anti-fraud]. BT do not give any information about how the data is collected and stored. Webwise explained, www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf (technical details used in answers below). There is also a discussion by FIPR press release and PDF paper covering the laws broken by the Phorm / BT Webwise system. A further examination of the legal aspects of Webwise is now available, press release and PDF paper

The impact of Deep Packet Inspection Systems on the overall functioning and security of the web, as presented to the US Congress hearing of July 2008 by Dr. David P. Reed is written in simple terms which explains in some detail why such systems should not be allowed anywhere on the network used to process Internet trafic.

Keep in mind, Lavasoft [supplier of Ad-Aware software] cannot do anything to detect Phorm’s [Webwise] products; this new system is set to be deployed at the ISP level.

A BT customer's view of the history of BT Webwise can be read

Updated March 2009 - earlier versions

About BT Webwise

What is BT Webwise?

An advertising platform which 'sees' everything you do on the Internet. Your surfing habits are used to create a behavioural profile of you. This is used to sell prime advertising spots to advertisers who are interested in promoting to people who match your profile. Radio 4 interview - 16 April 2008.
With previous adware systems you needed to download a software program onto your computer. Often these took the form of rootkits. All software which controls the BT WebWise adware is hosted within the BT network and is invisible to you while it monitors 100% of your Internet activity.

Will you give customers a clear choice whether to take the service?

No. The program is on the network and is always there between you and the Internet. If you opt-in you will receive more relevant advertisements than if you opt-out.
The program needs to see whether or not you have an opt in or an opt out cookie on your computer and the only way it can do this is by monitoring and intercepting everything you do when connected to the Internet.

Do I need to download any software to use BT Webwise?

No. All software and hardware which profiles your surfing and serves your personalised adverts are already hosted within BT's Webwise network. During browser redirects the adware program does download onto your computer scripts which write and read content on your computer. This is invisible to you and occurs thought your browsing sessions and represents and illegal hijack of the usual browser behaviour.

Do I have to have a PC to use BT Webwise?

You need to have a browser.

Will this disrupt my service or make browsing slower?

Yes, each page you request is intercepted so that the scripts can update your profile before the page requested is passed to you. Up to four extra requests are made compared with Internet connections which do not host the Webwise adware. During trails in 2008 some BT customers had trouble interacting with websites.

Can I use any web browser with BT Webwise?

No, not all browsers accept the third party redirects and forged Webwise cookies used by the adware scripting system.

Which parts of BT are considering deploying BT Webwise?

BT Retail - supplied to residential customers including all homeworkers who use the Internet as part of their work. Small business customers will also be monitored according to BT Code of Practice (PDF).

How do you know that your customers want BT Webwise?

Good question. After a year of asking, BT have not provided this information. Were you asked?

When will you be trialling BT Webwise?

Trials have already been run, in 2006 and 2007. news.bbc.co.uk/1/hi/technology/7325451.stm The latest trial ran from 30th September 2008 to 10 December 2008. See BT customer forums - [ the post at http://beta.bt.com/bta/forums/thread.jspa?threadID=6609&start=274 has been removed from public view as part of BT's decision to no longer engage in open discussion with its customers over Webwise ]. The Telegraph: BT bans Phorm talk on its forums

About BT Webwise Anti-fraud feature

How does BT Webwise help protect customers against online fraud?

It does not. BT Webwise requires you to have both cookies enabled and javascript enabled. Both these features DECREASE your security against online fraud. news.bbc.co.uk/1/hi/technology/7349715.stm. The Terms and Conditions relating to the anti-phishing 'service' state that "we do not accept any liability for any loss you incur in the event that the BT Webwise service fails to warn you about a fraudulent or illegal site" (Clause 19).

How does the anti-fraud feature work?

As part of the monitoring of your web surfing, pages requested are checked against a database of known phishing pages. Where a match is found, the page you requested is replaced by a page supplied by Webwise to warn you about the risk. Unfortunately it will not warn you about any HTTPS (secure) pages on fraudulent sites.

I already have anti-virus and anti-spam software installed. Why do I need additional security from BT Webwise?

You don't.

Why doesn't BT just block fraudulent sites?

Good question. There are also a lot of free services offering this service.

Can legitimate sites be accidentally listed by BT Webwise?

Legitimate sites are often hacked and infected with malware or a subdomain may be set up by fraudsters without the knowledge of the domain owner. There is no indication that the Webwise anti-phishing database will protect you from malware infected legitimate sites.

Will BT Webwise stop all fraudulent sites?

No. Only those within the database it purchases. Most fraudulent sites use https and none of these will be detected.

My web browser already provides anti-fraud protection. Will this work with BT Webwise?

Webwise interfers with the browser security. Webwise ignores HTTPS (secure) pages which are used by many fraud sites to make them look more like the real site. Also, Webwise hijacks browsers to read and write fraudulent Webwise cookies to your hard drive. This overwrites one of the anti-fraud protection features of your browser. As data received by the browser has been modified, browser controls and safeguards can no longer be relied upon.

About BT Webwise relevant advertising feature

How does BT Webwise's relevant advertising feature work?

Each page you see in your browser is copied and analysed to see what the page is about so that you can later be shown advertisements covering anything that you are interested in or research. Untargeted adverts usually cover the same products as the page you are viewing. Webwise adverts will be shown on partner sites (content sites) and will be matched to your earlier surfing and may not be connected to the page content.
You may already have seen similar types of adverts on Facebook, where adverts seen depend on information contained in your profile. The difference with Webwise is that it sees all the web so is able to gather a lot more information about you as you surf from site to site.

Does it matter which ads I see?

Only you can answer that. Some people enjoy ads while others find them highly intrusive and block their display.
When you have just booked your holiday, will you find being presented, for days and weeks afterwards, ads showing you where you should have booked intrusive?

Does BT have any say on nature or content of the adverts that are shown or what companies Phorm is doing business with? Does BT Webwise allow campaigns related to adult or illegal activities?

Adverts are controlled by Phorm / OIX advertising nework, the supplier of Webwise's service. BT's only control over what adverts you see is dependant on what information about you BT makes available to Webwise's advertising network.

About Privacy

How are BT subscribers' usage details collected?

First you are given a cookie from the Webwise website, even though you do not visit the site. This cookie contains either a UID, a unique identifying number, which identifies you to the adverting network or indicates that you do not want the adware service. Advertisers are able to define 'channels' which identify which search terms, which websites and what page contents they want people to have visited before being shown their advert. As you surf, the search terms you use when using search engines or site search boxes, the websites you visit and the content of those pages are all copied and analysed to match against the 'channels' defined by advertisers and these channel matches are added to the database against your UID. Even if you have opted out, all your surfing is intercepted as that is the only way the adware can read the opted out status of the cookie.

How do the privacy safeguards in BT Webwise compare with other online advertising systems?

Most advertising networks use tracking cookies and UIDs to build a database of your interests while you surf the Internet. Other networks like Google and Omniture are only able to collect information from sites that host their scripts. Simple browser security features block these tracking cookies.
BT Webwise collects information from every site you visit, without the permission of the site owner, so it knows everything all these other tracking networks know about you plus everything these other networks do not know about you. The Webwise script attempts to remove personal identifiable information but fails to explain how they separate out first names like India, Paris and Kent from channels treating these words as holiday destinations.

How does BT Webwise match what I do online with ads?

The Webwise tracking cookie on your computer identifies you through a unique ID. When visiting a web page, that page's content is matched against an advertising 'channel' and that channel is recorded against your UID in the database held by the advertising network, see the orange area. When you visit the Internet, the web page requests your UID and programs on the page look up your UID in the Webwise hosted database to serve you a relevant advert. The advert program is looking at your computer.

How does BT Webwise make sure that it does not collect personally-identifiable information?

Encrypted data can not be seen - that is for web pages starting HTTPS. Everything else is seen before being analysed. Some examples of data which would be included in the profile (per parsing exclusions given by Webwise) include: 020, EC1, W1, 1AA, Paris, India, Kent, Wales, and thousands more numbers and words which are used everyday.

I use a webmail service. Is my email being analysed like a regular web page?

It will be if you don't ask Webwise to exclude the domain from their profiling. No one knows how this exclusion works and they need to intercept your request before they can decide whether or not to intercept it: a catch 22 situation? Webwise don't supply a list of excluded mail servers and expect everyone to share with Webwise information about their email supplier. (See http://www.webwise.com/forms/webmail.php)

What happens if I don't take the BT Webwise service?

BT have not indicated how they will separate customers who do not want the service. All customers will be intercepted to read the cookie status.

Could this system be useful for tracking illegal online activity, etc, through browsing behaviour?

BT say no. The Webwise intercept sees 100% of your Internet activity. Systems for tracking illegal activity are already available to most Internet service providers and outside this system.

Does remaining opted out depend on the continued presence of an opt-out cookie on the user's computer? What happens if I delete the cookie?

The system always looks for a cookie. If you don't have one, it will try to provide you with a cookie.

How can I remain opted-out of BT Webwise even if I delete cookies regularly?

Setting the browser to block cookies will result in the cookie setting program 'timing out' which will cause only a short delay to your surfing. The most efficient method is to redirect all the webwise domains to localhost using the hosts file.
As the Webwise patent includes a cookie-less option, do not rely on cookie blocking to protect you from being profiled.

Is my data still viewed when I am not participating?

The deep packet insection system sees everything in your data stream. The only difference is that the data stream is not used for UID profiles.

What are the changes in the terms and conditions?

During the 2008 BT Webwise trial Clause 18 gives BT permission to redirect [hijack] your browser and intercept your data stream. Clause 19 reminds you that the anti-phishing benefit can not be relied upon and BT will not accept any liability for your data stream being used during a phishing attack.

Does BT Webwise store a customer's IP address?

Webwise claim that they do not keep a permanent record your IP address information. As most BT customers have dynamic IP addresses your IP address is less reliable than the UID for identifying you.

Has Phorm's software source code (which is used in BT's network) been thoroughly tested and by whom?

BT have not published information on the testing work they have done. Webwise claim that the source is available for review. Privacy advocates who have asked for access have been rejected.

How long is any user data stored by BT Webwise?

Six months

Will BT be providing a way to opt-out of BT Webwise which doesn’t use cookies and which ensures data is not profiled by the system?

A cookie-less option is planed but technical details are not yet available.

How can I distinguish between cookies that were placed by Webwise and those given to me by websites I visited?

This refers to the forged cookies which the Webwise program writes to your computer for every website you visit. Even sites that don't use cookies will have these forged cookies set in their domain name. These cookies are named 'webwise-uid' and either contain your UID or 'OPTED_OUT'.

About switching on and switching off BT Webwise

How can I check whether BT Webwise is on or off?

If you see webwise in your cookies with a 22 character value, webwise is on. You can also visit www2.bt.com/static/i/btretail/webwise/index.html or webwise.com which will show the status of your webwise cookie if you have not disabled IFRAMEs in your browser.

How do I switch BT Webwise on or off?

Once Webwise is enabled at your ISP, you can't switch it off. Every web request is hijacked to look for whether or not the webwise cookie is in opt in or opt out mode. See www2.bt.com/static/i/btretail/webwise/customer_choice.html where the green paths show the intercept which performs this hijack.

Will all users of my broadband connection be affected if I click 'BT Webwise Off' or 'BT Webwise On'?

The option is dependent on user login and browser choice.

What happens when I switch off BT Webwise?

The webwise cookie stored on your computer will have the UID replaced with an 'OPTED_OUT' value. The Webwise cookie will still be requested for each website requested. The forged domain webwise cookies which store your UID will only expire after 3 days.
See PCPro Article:– Phorm boss: Opt-in is a "red herring" When you come online there will be a page saying [WebWise] is on, this is what it does and you can click and you can see a privacy video and you'll have a choice. It's not really about opt-in and opt-out, that's a red herring. It's about, do you know it is on and do you know what you're buying into. - when Webwise is on, cookies can't turn it off. Cookies just change the way the Webwise adware script behaves.

If I try to switch BT Webwise off twice, what happens?

The system will behave as above. Each time you request a new page, the webwise cookie is requested to confirm whether you have opted in or out, so it is possible to switch the cookie state between any requests for web pages.

How do I block the invitation page so that I won’t be invited to join the trial?

Block the webwise.net domain in browsers, security software and/or hosts file.

How can I prevent other users of my computer opting in when the invitation screen is shown?

BT expects all customers to tell other users not to opt in without the permission of the account holder. All Internet users should know to never click on any unexpected pop-up regardless of who it claims to represent. The only secure method is to block the Webwise domains in the hosts file and to not give any users other than the Admin user access to edit this file.
Or move to a Webwise free ISP.

About Phorm

What is Phorm?

Phorm is an innovative technology company specialising in delivering behaviourally and contextually targeted advertising. Phorm's partners include leading Internet Service Providers (ISPs) who supply the data used for customer profiling, Publishers, Ad Networks and Advertisers.
Phorm is a Delaware, US incorporated company, with offices in New York, London and Moscow. The Company was admitted to the AIM market of the London Stock Exchange in 2004 and has over 100 employees. In 2007, 121Media (a supplier and distributor of unwelcome adware / spyware) changed its name to Phorm.

Information for Website owners

I own a website. How does BT Webwise help me?

It doesn't. Webwise uses a copy of your website's content to identify the interests of your visitors and then target them with advertisements for your competitors' products. This is a form of industrial sabotarge / spying.

I own a website which contains private/sensitive information which I don't want to be scanned by Webwise. What can I do to achieve this?

WARNING: If you notify Webwise that you do not want them to profile your sites, shortly afterwards you will be visited by up to 6 scrapper bots who will cache your whole site.
Sites using HTTPS will be intercepted but the contents will not be used for profiling.
Password protection should work, how is not clear.
Phorm claim that they will honour robots.txt file but do not provide a separate useragent other than to say they will follow instructions for googlebot, slurp or *, i.e. if you allow bots you can't block phorm's scripts.
Block access from ISPs using the Phorm supplied DPI systems.

How are robots.txt files handled by Webwise?

They aren't - the phorm script has no useragent, see point above.

Click the above banner to sign the petition to the Prime Minister "We the undersigned petition the Prime Minister to prevent private companies profiling users' internet stream from within ISPs."

More information on protecting your data and your life from being sold is available at:

• DoNotTrustWebwise.org - a short and simple lesson in Do Not Trust Webwise
• www.badphorm.co.uk - news and technical information,
• www.nodpi.org - campaign website against the use of DPI equipment by ISPs
• phormwatch.blogspot.com,
• www.inphormationdesk.org
• baldyslap.blogspot.com - Draft letters requesting the Data Controller to a) stop processing data likely to cause damage or distress and b) cease, or not to begin, processing for the purposes of direct marketing personal data

Privacy is important. Those who value their right to keep their data private, and not sold to the highest bidder, run privacy protecting software on their computers and block all tracking cookies. When ISPs host the tracking software within their network there is nothing that you can do to protect your privacy.
Over 21,000 people signed the 10 Downing Street Internet Privacy Petition before it closed. The response from the Prime Minister's Office put all monitoring onto the ICO even though the ICO are not responsible for monitoring or approving the interception of communications.