UK mobile operator Three illegally intercepting and sharing traffic


I was recently lucky enough to be given a new phone, and also got a 3 PAYG SIM to use with the device. Shortly after starting to use the service however I noticed that my connection was being filtered and my attempts to establish VPN connections seemed to fail. It would appear from the brief explanation that I got from Three that this was being done to filter out adult content as they could not be certain of the age of customers on PAYG connections without further verification. To make matters worse however the page that showed the block advertised – yes, you guessed it – porn.

This is something that all mobile phone operators in the UK seem to do. For them the excuse ‘for the children’ seems to excuse any illegal behaviour that takes place as a result of this filtering. It’s a view that completely ignores the fact that sooner or later children will gain access to that sort of material. Furthermore a lot of the material actually originates from the children themselves (google the term ‘sexting’ to see what I mean). This user generated material will never be caught by the filter.

Hey Three, here’s an idea: if protecting children from smut on mobiles is so important then don’t sell them the handsets to start with!

Doing anything else is little better than paying lip service to the issue and done at the expense of the privacy of others.

Further investigation

One other mobile operator in particular already uses services provided by a US company called Bluecoat to filter traffic, so I was curious to see if the same was happening with Three. I tried visiting a custom page produced by somebody with an interest in privacy that had been designed to expose entries in the web server’s access log. Sure enough there were a couple of entries that were of particular interest:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 92.40.255.4
Remote Host: 92.40.255.4.threembb.co.uk
User Agent: Mozilla/5.0 (Linux; U; Android 2.3.5; en-gb; GT-N7000 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 199.19.249.196
Remote Host: 199.19.249.196
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Request URI: /stalker/[ID removed]/index.php?personal_guid=[ID removed]
Query String: personal_guid=[ID removed]
Referer Site:

The first IP address is owned by Three. The second IP address is owned by Bluecoat. More information on the IP address can be found here:

http://www.robtex.com/ip/199.19.249.196.html?tab=whois

The IDs in the log entries above have been removed by me, but they have identical values in all 6 cases. What would appear to be happening is that Three are sharing the requests I’m making to websites with Bluecoat. Bluecoat then visit the same site using the same credentials as me.

In addition I have also been visited by another Bluecoat IP address: 8.28.16.254.

This method of duplicating visits is sometimes referred to as a replay attack. This is not just illegal, it can cause serious problems with the operation of websites too. Imagine the situation where visiting a given URL confirms payment for an item. Visiting it through a Three connection could end up with the payment going through twice thanks to this unwanted extra visit.
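The duplicated visits described above can be spotted from a site's own logs: a URL carrying a per-visitor identifier should only ever be requested by that visitor, so a second fetch from a different address moments later marks a shadow visit. This is an added example, not code from the original post; the sample entries, path, GUIDs and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field layout of the log entries shown above.
# Addresses are from documentation ranges; path and GUIDs are made up.
SAMPLE_LOG = """\
Date/Time: 2011-11-30 17:35:56 (GMT)
Remote Address: 192.0.2.10
Request URI: /probe/index.php?personal_guid=aaaa1111
Date/Time: 2011-11-30 17:35:58 (GMT)
Remote Address: 198.51.100.7
Request URI: /probe/index.php?personal_guid=aaaa1111
Date/Time: 2011-11-30 17:40:00 (GMT)
Remote Address: 192.0.2.10
Request URI: /probe/index.php?personal_guid=bbbb2222
Date/Time: 2011-11-30 19:00:00 (GMT)
Remote Address: 203.0.113.5
Request URI: /probe/index.php?personal_guid=bbbb2222
"""

def parse_entries(text):
    """Turn 'Field: value' log entries into (time, ip, guid) tuples."""
    entries = []
    for block in re.split(r"\n(?=Date/Time:)", text.strip()):
        fields = dict(re.findall(r"^([^:\n]+): ?(.*)$", block, re.M))
        guid = re.search(r"personal_guid=([^&\s]+)", fields.get("Request URI", ""))
        if guid and "Remote Address" in fields:
            when = datetime.strptime(fields["Date/Time"][:19], "%Y-%m-%d %H:%M:%S")
            entries.append((when, fields["Remote Address"], guid.group(1)))
    return entries

def find_shadow_visits(entries, window=timedelta(seconds=60)):
    """Map guid -> [(ip, delay_s)] for re-fetches from another IP in window."""
    by_guid = defaultdict(list)
    for when, ip, guid in sorted(entries):
        by_guid[guid].append((when, ip))
    shadows = {}
    for guid, hits in by_guid.items():
        first_when, first_ip = hits[0]
        late = [(ip, (when - first_when).total_seconds())
                for when, ip in hits[1:]
                if ip != first_ip and when - first_when <= window]
        if late:
            shadows[guid] = late
    return shadows

if __name__ == "__main__":
    print(find_shadow_visits(parse_entries(SAMPLE_LOG)))
```

The second GUID is not flagged because the repeat request arrives 80 minutes later, which is more consistent with the same visitor changing networks than with an automated re-fetch.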

This is the surprising part though: I tried complaining publicly through Twitter and Three’s own blog as they seemed to be taking their time responding to emails. One of the moderators actually replied with the following:

Admission by 3 that they use Bluecoat

That particular response can be found here:

http://blog.three.co.uk/2011/11/21/data-data-everywhere/comment-page-1/

They seem to be quite happy to admit that they use Bluecoat. There is one problem with their excuse of filtering for content listed by the IWF though: if you go to the IWF website then you’ll see that Three are listed as one of the recipients of the IWF list. Why then send details of our online activities half way around the world to check against a list that they already have access to?

I tried to get more details from Three as to how they could possibly believe that what they were doing was legal. The best I could get from them was this:

Hi Patrick

Thank you for your emails.

Three’s policy with regards to filtering is intended to ensure that
children are protected from inappropriate content when using the
internet on their phones.  This is why we require our Pay As You Go
customers to prove they are 18 before they can access sites that Three
considers to be inappropriate for under 18s and/or which are classified
as inappropriate by the IWF.  This is not about intercepting customer
communications but is about the safety of children who use our network.

We do not accept your allegations that Three’s policy in this regard
breaches any of the laws that you have mentioned in your correspondence.
However, if you maintain your position that Three is in breach of RIPA,
the DPA, the PECRs and/or the Computer Misuse Act, then you are at
liberty to take this matter up with the police and/or the ICO, and we
will fully cooperate with any investigations that they may wish to
instigate.  Similarly, we note your comments regarding the SABAM/Scarlet
case, but do not believe that we’re required to change our policy in
light of this case.

With regards to your concerns about Bluecoat, I recommend that you take
the matter up directly with Bluecoat.

I hope this clarifies our final position regarding this matter.

Regards

Nicki Macleod
Social Media Advisor - Executive Office

Observant readers will also notice how Three have repeatedly tried to use the old excuse for breaking the law: ‘it’s for the children’. This is something that also appears to serve the additional aim of trying to scare people into not complaining by raising the spectre of paedophilia.

This just isn’t good enough.

Three have decided to sell their phones to minors both through resellers and their own shops. It’s up to Three to find an acceptable solution without trampling over the rights of the entire general public to private communications. This is after all a problem that Three themselves have created. In addition there is no age limit within RIPA, the DPA or the CMA. Everybody has the same rights to private communications. Even children. If Three were really committed to protecting children then they would stop any sale of their devices to minors, only allow them to be sold to adults and make the adult buying the phone make the decision as to whether filtering is required. The fact that they care so much about maximising profits at the expense of the privacy of their customers shows where their priorities really lie.

In addition I asked Three why they were wasting money on Bluecoat’s services when any webmaster worth his salt knows how to tailor the webpage provided based on the IP address of the PC making the request. They could produce a page full of innocent images for Bluecoat when they come calling, but save all the unsavoury material for the ‘real’ visitor. There is also the certainty that the service would not be of any use when SSL is used. I can’t emphasise this enough: if the site is protected by the use of SSL then Bluecoat’s services are rendered useless. The same page used to get the log entries included in this article doesn’t show any shadow visits from Bluecoat when the page is protected in this way.

The system as a whole is ineffective as a security measure.

It would also appear to be completely unnecessary given that other operators – notably Orange – don’t appear to need to share traffic in this way in order to filter it. This is the first time I’ve seen this excuse: ‘Bluecoat made us do it’. It really does beggar belief and does nothing to encourage people to believe that any filter is capable of doing its job satisfactorily. Anybody wanting an example of how badly filters can fail should look into TalkTalk’s HomeSafe product and how it failed to block access to one of the biggest porn sites on the internet.

I wonder if Three realise that anything sent to the US can always be accessed by the US government thanks to the PATRIOT act? Don’t they see that allowing this sort of eavesdropping increases the chance of industrial espionage? US companies could quite easily end up having access to confidential information obtained through illegal means. The potential for losing confidential information or giving away intellectual property is huge.

Three are intercepting my requests without prior authorisation from both the sender and recipient parties to the communication. That’s illegal under the Regulation of Investigatory Powers Act. They’re sharing my information without consent with a 3rd party overseas and that is completely outside the reach of the regulators here. That goes against the Data Protection Act. They are interfering with the operation of a computer. That’s illegal under the Computer Misuse Act.

I suppose now I had better get that complaint to the police sorted out as I have no intention of putting up with this illegal interception and sharing of my personal communications.

Questions that need answering


There has been talk recently of making changes to the expenses system that MPs have to abide by. Personally I find the whole episode sickening. 

One of the biggest complaints by some MPs appears to be that their chosen profession and the expenses regime attached to it is family-unfriendly.

Perhaps it’s escaped their notice, but there are plenty of other people in jobs that earn far less than the generous salary currently given to MPs. Such people often work just as much as or more than them. They too can often spend a huge amount of time away from their families. Why should MPs be given this sort of special treatment? They rarely if ever consider giving it to others, and expect employees in the public sector to put up with a pay freeze for the foreseeable future.

Today for example we learn about low morale in the armed forces thanks to the impending cuts and possible redundancies. These are the very people that put their lives on the line for us every day, yet they face their allowances being cut, their family lives being made unbearable and even the possibility of losing their job – all at the very time that those same MPs are seeking more money from the tax payer to fund the sort of lifestyle that MPs now expect to get as part of their job.

On top of all this IPSA – the independent body put in place to oversee expenses – faces having changes forced upon it by the government. The key word there in the last sentence is ‘independent’, a word that most MPs don’t seem to understand, at least when it suits them. I’ve actually tried to point out failings with public bodies such as the ICO and CPS and time and time again the response has been little more than ‘they’re independent and we won’t do anything to improve matters’, yet they mysteriously manage to find a way of doing just this when they’re directly affected by the outcome. The ICO are useless at data protection. The CPS are useless when it comes to Phorm (848 days now and counting – the CPS need an average of 8.6 days to come to a decision).

Nothing has been done about either of them. There is no visible intention of ever dealing with them, yet MPs can still manage to find both the means and the time to change independent bodies like IPSA if it means maximising their own expenses.

I’d like to know why MPs place so much importance on their own comfort and family life yet pay little attention when it comes to more important things like ensuring that nobody escapes the rule of law. Is their lifestyle really more important than the rights of the entire general public? Are they really more deserving of support than the families that have loved ones facing danger each day half way around the world?

Almost 100 times longer than the average


According to statistics the CPS currently takes an average of 8.6 days to come to a decision as to whether to prosecute. The CPS has had a case open on Phorm for 848 days now. If it takes much longer they will have taken as long as they would have on one hundred other cases. Of course the CPS claim that there has been no political interference, but this is very difficult to believe when these sorts of delays are involved.

And don’t expect an answer any time soon. They had previously promised to come to a decision by the end of last year, but at the last minute decided that this was no longer going to be the case.

No political interference? After 848 days spent doing virtually nothing? Do they honestly expect us to believe that?

Trying to have their cake and eat it


Senior judges are to review the Digital Economy Act following a complaint from BT and TalkTalk that it was rushed through Parliament before the election.

[...]

In particular, they claim measures in the new legislation designed to reduce copyright infringement via filesharing networks violate European rules including those on privacy and an ISP’s role as “mere conduit”.

[...]

The Register article

The hypocrisy here is simply astounding. On one hand they want to be treated as ‘mere conduits’, yet on the other they want to be able to ‘monetise’ their customers (gods I hate that term) by spying on their web traffic so that they can be served with targeted advertising. BT have Phorm, TalkTalk have Huawei and Virgin Media have CView.

They don’t deserve to be treated as mere conduits when they behave in such a deplorable way towards their customers.

Has anybody also noticed that big business always seem to get more attention than the general public? The privacy of tens of thousands of BT customers gets sacrificed to help BT’s bottom line. The ICO reaction to that? Nothing. The police’s reaction to that? Indifference. The Home Office’s reaction to Phorm? They tried to make sure that Phorm were ‘comforted’ by the advice they were giving out, rather than do their job.

Yet when the poor ISPs face being forced to hand over details and interfere with the service they provide, they quickly manage to get a judicial review of the law.
