Phorm, NebuAd, and Privacy

April 14, 2008 at 16:37 | Posted in Privacy/Security | 3 Comments
Tags: , , , , , ,

Well it seems NebuAd is coming to Canada soon, and is already in place in several US ISP’s.

So Considering all this I spent much of the day mulling ways that users can protect their privacy. I have so far come up with the following suggestions:

Flush Cookies on each browser close:

Although it won’t stop them watching what you click it will help to prevent them from getting a good picture as they will not have month or years of you browsing tied to a single UUID.

Use as much SSL as possible:

They can’t use their DPI (deep packet inspection) on encrypted connections, so find ways to be as encrypted as possible. If you use web mail make sure the entire session is encrypted (not just the log on). Better yet, use an email client that supports secure connections and a email provider that supports them Google, Yahoo Canada, fastmail, etc. Using an e-mail client with TLS/SSL not only encrypts the connection it takes cookies out of the picture.

Use things like Scroogle’s SSL page, for searching to keep them from sniffing your searches.

Use an Encrypting Proxy:

Set up and use a VPN or SSL encrypted proxy. This will make your entire session unreadable. There it the problem of trust. Encrypting systems like TOR, and I2P may just expose you to even more tracking from evil exit nodes. JAP may be backdoored (but according to Wikipedia this is not/no longer the case). Similarly “Open” proxies on the net may not be trustworth.

The best solution I can think of for this problem is to have a trusted friend in another counrty set up a VPN, private SSL proxy or Psiphon node for you, and you could do the same for them. Even if his ISP was sniffed by NebuAd and your’s by Phorm it would muddy the waters. Which bring us to


Find ways to hide your traffic. You could run a TOR or I2P exit node (lots of HTTP traffic for them to sniff none of it yours).

Find alternate ways to get webpages you don’t want sniffed like web2mail.

So those are some of my thoughts on the matter. I’ll post more as I come up with them. If any readers know of good HTTPS services on the web like secure Wikipedia or Secure WikiBooks, etc Please post them in the comments

Thoughts and comments always welcome



  1. Right – so you’re advocating using Gmail (which is stored and can be read by Google), yet you’re scared of being assigned a random number.

  2. Thanks for your comment Jimmy. I’ve had my issue with Gmail and their content scanning back in the day. Before this blog. The fact that they support SSL connections for IMAP and POP, and webmail sessions that stay SSL encrypted means that e-mails would not be scanned by the ISP (the question at hand).

    My focus in this blog post was not e-mail security, nor being assigned a UUID. It was and is the DPI that I find onerous. Sniffing the contents of my communications is akin to a wiretap on my phone. Yes the companies involved promise to listen to just selected portions of my conversation, (but are unwilling to clearly divulge which parts), but I do not want ANY part of my conversation listened to. In my country privacy is a “right” and I do not appreciate ISPs or some other company trying to do an end run around my rights.

    E-Mail and privacy is another huge and complicated issue in and of it self. The truth of the matter is the 99.9% of e-mail is “in the clear”, stored, and scanned. Yahoo, MSN, ISPs, Etc have virus and spam scanners. Spam scanners most definitely look at the contents of the e-mail. They also will almost definitely have a system of regular back-ups so the e-mails will be stored.

    If it were up to me every e-mail client would support PGP/GnuPG so that I could send all my e-mails both signed and encrypted, instead of just digitally signed which I do now.

    All that said, thanks for bringing this up. It is important for people to be able to look into thing like this before they make such a choice. I do however feel it is equally important that they realize that e-mail is like a post card not a letter. Anyone along the chain of it’s transmission could read it if they choose, even when I have a SSL connection to the E-mail server that only protects me from my ISP. Once the e-mail leaves google, yahoo, MSN, Fastmail, what have you the chances are extremely high that it will be traveling in the clear on an unencrypted connection. The current e-mail system is fundamentally insecure, and everyone should keep that in mind when writing e-mails.

  3. […] write a blog entry on hardening you computer and Internet activities against these threats soon. I wrote one related to Phorm earlier but as this threat is growing I think a more in-depth Blog entry is […]

Sorry, the comment form is closed at this time.

Create a free website or blog at
Entries and comments feeds.

%d bloggers like this: