Cable Forum


Florence 04-05-2008 02:56

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
On ISPreview we have normally told them, if they have a link in an email and they don't know the sender, to copy and paste the URL into Notepad. If it was made to look like eBay, this would show if it had a redirect to an http number instead of ebay.co.uk. It works on any link in an email to see what you are clicking on.

pseudonym 04-05-2008 03:01

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by Chroma (Post 34544142)
I mean the BT/PHORM equipment generates a random UID that it assigns to me.
The Carphone/PHORM equipment would do the same, and unless there was direct communication between the two ISPs' equipment then neither cookiemongler would know which UIDs were already in the system.

Doesn't this pose a significant problem for the actual database?
I mean a database frankly goes into meltdown when two unique keys are the same for two different tables (unless there's a secondary key to differentiate)

The UID is 128 bits long; Phorm could use a few of those bits to uniquely identify each specific device and use an incrementing count rather than being truly random. However, with 2^128 permutations it is quite likely that they won't worry about it. The worst that could happen if you share a UID is that you will share the one profile, so the adverts won't be quite so relevant. If a website doesn't appreciate being exploited by Phorm, it could change the UID in the tracking cookie for their own domain, potentially polluting someone else's profile with your browsing of their site anyway.

BadPhormula 04-05-2008 03:09

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by 80/20Thinking (Post 34543858)
I'd appreciate the opportunity to make a few comments about the broader perspective here, while also conducting a little expectation management regarding the PIA.

I mentioned at the start of the public meeting that tectonic shifts are occurring in the online environment. Many of you will know these shifts well. Microsoft makes a play for Yahoo, while Google acquires DoubleClick, capturing more than half the ad potential of the Web. Yahoo responds by cutting a deal with Google. Meanwhile, Time Warner through advertising.com via AOL launches a rival global ad platform.

Meanwhile, back in the EU, the national privacy commissioners, tired of missing the boat on online issues, raise the privacy bar via the Article 29 Group to drive a wedge through the ad space market and lay down an unprecedented set of demands that could, who knows, spark a mini trade war between the EU and the US.

There's about $20 billion up for grabs in ad space margins, which accounts for much of this activity. That accounts for the existence of Phorm, as it accounts for its rival platforms along with the consolidation spree you read about every day.

At the moment I'm trying to come to terms not just with these tectonic shifts within industry, but also the extraordinary chasm that is opening up between the ad market and the new regulatory regime. Phorm accounts for a very small part of that vast picture. Every week I speak with people from each of the key online corporations and the regulators in an attempt to understand where this is taking us as consumers.

Enter the PIA into this equation. Please do not make the mistake of believing that the PIA is likely to be either judge or white knight. It is merely a process that will lead, we hope, both to greater clarification and to a better outcome for consumers. Neither it nor 80/20 carry any legal standing whatever. Our role is not to sit in judgment, but to set out facts. We cannot "set matters right", but we can make recommendations for reform. The market or the courts may decide the ultimate outcome in whatever field we explore.

I can't be the "hero" some of you would like me to be - at least, not as a result of doing a PIA. You may feel confident about some of the points I will make, but you may also be disappointed that some of my observations will be set against those tectonic shifts I mentioned earlier.

Simon


Thank you for this clear statement Simon.

So if I read this correctly, what you are really saying, reading between the lines, is that we need to start using VPNs & SSL encryption and find a safe harbour with strong privacy laws for our Internet pipe to come out of? Somewhere like the former communist country "East Germany" where they built up a healthy fear of the brutal Stasi secret police and their all-seeing eyes.

regards

serial 04-05-2008 03:53

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
I'm sorry if I'm being overly cynical, but I'm looking at my choice of hats and have selected the tinfoil one.

8020 Advisory group contains: Ray Stanton, Global Head of Business Continuity, Security & Governance, BT plc

So, Phorm, pioneered by BT plc have paid an auditing company to green light its system when that company also has a high level BT plc employee as an advisor.

Anyone else see a major problem here?

popper 04-05-2008 05:19

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by AlexanderHanff (Post 34543656)
Can people post the Digg link to other sites they are active on which are covering this issue as well. The extended web edition is much better than the broadcast edition so we need to try and make sure people are aware of it and see it. Encourage your friends to sign up for Digg and digg the story.

Alexander Hanff

This might be handy for people that can't see the original footage or want to put it on their iPod;
it's also far easier to edit and pull the interesting clips out if you want to do that.
http://www.divshare.com/download/4404159-515
click-extended656.mp4

---------- Post added at 04:19 ---------- Previous post was at 03:04 ----------

It appears PhormUKPRteam's new plan is hanging back, waiting for any posts on the blogs to cool off, then posting a comment or link to a favourable post... New Scientist in this case.

http://www.newscientist.com/blog/tec...ng-on-you.html

davews 04-05-2008 08:02

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by pseudonym (Post 34544088)
I think a bigger problem is websites will be able to read your webwise tracking cookie by embedding some https content on their page. Phorm can't strip the cookie from encrypted streams, so the website will get to see your unique user id. If the website doesn't want to pay for a certificate to read your UID, it should also work if they use a port other than 80.

Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, i.e. an https:// site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.

I believe the Phorm servers are set up just to strip the cookies which accompany a [GET] request. But any site can easily read all the cookies on a visitor's computer using simple JavaScript document.cookie. It is not clear whether Phorm attempts to strip cookies obtained in this way; my gut feeling is that they probably don't.

Rchivist 04-05-2008 08:21

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by Chroma (Post 34544142)
Another user posted regarding different individuals using the same connection and login account and the possibility of visiting a friend and being essentially kept in the dark with regards to how his data was being handled, and it got me thinking.

Is there intercompatibility between ISPs?

snip

Doesn't this pose a significant problem for the actual database?
I mean a database frankly goes into meltdown when two unique keys are the same for two different tables (unless there's a secondary key to differentiate)

So am I completely missing something here, or are the cookies assigned further down the equipment line where presumably multiple ISPs funnel the data through?

If so then this raises a further interesting question:
how can BT even begin to conceive of a setup that's a cookie-free opt in/out/shake-it-all-about setup without having consultations with other ISPs that would most definitely be affected by such modifications?

That's a very interesting question - I think I will ask BT that via the beta forum if you don't mind.

JohnHorb 04-05-2008 09:00

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by pseudonym (Post 34544088)
I think a bigger problem is websites will be able to read your webwise tracking cookie by embedding some https content on their page. Phorm can't strip the cookie from encrypted streams, so the website will get to see your unique user id. If the website doesn't want to pay for a certificate to read your UID, it should also work if they use a port other than 80.

AFAIK they don't even need to do that. The cookie is available to be read by CLIENT-SIDE script, so all they need to do is read the UID and copy to another, non-phormed cookie, which won't then be stripped.

Dephormation 04-05-2008 11:46

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by pseudonym (Post 34544151)
The UID is 128 bits long; Phorm could use a few of those bits to uniquely identify each specific device and use an incrementing count rather than being truly random. However, with 2^128 permutations it is quite likely that they won't worry about it. The worst that could happen if you share a UID is that you will share the one profile, so the adverts won't be quite so relevant. If a website doesn't appreciate being exploited by Phorm, it could change the UID in the tracking cookie for their own domain, potentially polluting someone else's profile with your browsing of their site anyway.

Agree. If I can obtain your UID, I can impersonate you (because Phorm can't differentiate me from you).

Using your UID I can either corrupt your profile (causing you to see the type of adverts I'd prefer you to see), or obtain a succession of adverts from OIX which reveal your likely profile to me.

If I can buy data from other people who've done the same thing, I can start to build a wider profile about you with Phorm's help.

Even Phorm's DPA registration (purpose 2) suggests they aspire to sell "Personal Details" to "Traders in personal data" "worldwide".

It's valuable stuff, your personal details.

---------- Post added at 09:54 ---------- Previous post was at 09:45 ----------

Quote:

Originally Posted by JohnHorb (Post 34544168)
AFAIK they don't even need to do that. The cookie is available to be read by CLIENT-SIDE script, so all they need to do is read the UID and copy to another, non-phormed cookie, which won't then be stripped.

Sample code on dephormation.org.uk and elsewhere.

It looks like it could be trivial, around 3 lines of JavaScript code.

---------- Post added at 10:46 ---------- Previous post was at 09:54 ----------

Quote:

Originally Posted by 80/20Thinking (Post 34543934)
You'll understand, I'm sure, why I'm resisting saying anything that could fuel speculation, but you've hit the nail on the head. If we're in the business (at least in part) of finding possible solutions, the browser manufacturers are massively relevant. But talk about a hornet nest....

Simon

Can I query this post, the significance is just starting to sink in.

Are you advocating that browsers support cross-site cookies? Finding a 'solution' to the problem that they don't exist? If there is a hornet's nest it might be because there is a reason.

Currently there is no such thing, thank God, hence the redirects that Phorm must jump through to create one.

What positive effect, if any, do you think cross site cookies would have on privacy?

Pete

80/20Thinking 04-05-2008 12:00

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by Dephormation (Post 34544194)
Can I query this post, the significance is just starting to sink in.

Are you advocating that browsers support cross-site cookies? Finding a 'solution' to the problem that they don't exist? If there is a hornet's nest it might be because there is a reason.

Currently there is no such thing, thank God, hence the redirects that Phorm must jump through to create one.

What positive effect, if any, do you think cross site cookies would have on privacy?

Pete

I was thinking of user controls and cookie management.

Simon

Bonglet 04-05-2008 12:25

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
I see Virgin Media has already changed their T&Cs to suit Phorm

G Your details and how we look after them

2. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in the ways outlined above. These third parties are permitted to use the data only in accordance with our instructions.

Pity VM doesn't say what their instructions are and if they ever leave the country :(.
All this data to share with Phorm, yay (not). Starting to get really peed off with events and people.

lucevans 04-05-2008 12:37

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by Bonglet (Post 34544253)
I see Virgin Media has already changed their T&Cs to suit Phorm

G Your details and how we look after them

2. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in the ways outlined above. These third parties are permitted to use the data only in accordance with our instructions.

Pity VM doesn't say what their instructions are and if they ever leave the country :(.
All this data to share with Phorm, yay (not). Starting to get really peed off with events and people.

I wouldn't call Phorm's profiling of every GET request you make on the internet "occasional use" by a third party. In fact, I'd call it "continuous use" and that is a very different thing indeed.
I don't think the above quoted T&C would stand up for 10 seconds in court as giving permission to allow Phorm to profile everything every customer does all the time.

Expect to see a significantly different set of T&Cs should Phorm-Webwise ever get off the ground.

Anyway, aren't the above quotes from the Interactive TV section of the T&Cs? Broadband has its own set.

AlexanderHanff 04-05-2008 12:50

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by serial (Post 34544156)
I'm sorry if I'm being overly cynical, but I'm looking at my choice of hats and have selected the tinfoil one.

8020 Advisory group contains: Ray Stanton, Global Head of Business Continuity, Security & Governance, BT plc

So, Phorm, pioneered by BT plc have paid an auditing company to green light its system when that company also has a high level BT plc employee as an advisor.

Anyone else see a major problem here?

They also have the Earl of Northesk on their advisory board who has been very outspoken against Phorm in his official capacity as a peer in the House of Lords.

So no I don't see a problem with 80/20 Thinking having influential and important people on their advisory boards.

Alexander Hanff

---------- Post added at 11:50 ---------- Previous post was at 11:40 ----------

Quote:

Originally Posted by davews (Post 34544162)
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, i.e. an https:// site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.

I believe the Phorm servers are set up just to strip the cookies which accompany a [GET] request. But any site can easily read all the cookies on a visitor's computer using simple JavaScript document.cookie. It is not clear whether Phorm attempts to strip cookies obtained in this way; my gut feeling is that they probably don't.

Dav, the point being made was that less ethical web site owners could simply include some HTTPS content in order to "see" the cookie and grab the UID, then associate it with IP. The way the Phorm technology works is it strips the cookie out of the communication before it gets to the website; however, it is unable to do this with https, so using https you can see any cookie the user has stored under your domain (including the forged Phorm ones).

Alexander Hanff
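
The points made in the posts above (a filter that strips a cookie only from plaintext port-80 requests, HTTPS and other ports bypassing it, and client-side script reading `document.cookie`) can be checked mechanically. The following is an added example, not code from any poster or from Phorm; the cookie name `track_uid`, its value, the port list and the filter model are constructed assumptions.

```javascript
// Added example: for a cookie a site receives under its own domain, list the
// channels on which the value still reaches that site when a network filter
// removes it only from requests it can read.

// Parse a Set-Cookie header value into the name, value and flags used below.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair: ' + pair);
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has('secure'),     // sent and visible on https only
    httpOnly: flags.has('httponly'), // hidden from document.cookie
  };
}

// Assumption taken from the thread: the filter can rewrite only plaintext
// HTTP on port 80. TLS traffic and other ports pass through untouched.
function filterCanStrip(ctx) {
  return ctx.scheme === 'http' && ctx.port === 80;
}

// Page contexts on the same host. Cookies are not isolated by port, so a
// cookie set on port 80 is also sent to port 8080 (constructed port choice).
const CONTEXTS = [
  { scheme: 'http', port: 80 },
  { scheme: 'https', port: 443 },
  { scheme: 'http', port: 8080 },
];

function exposureChannels(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const channels = [];
  for (const ctx of CONTEXTS) {
    const label = `${ctx.scheme}:${ctx.port}`;
    // Secure cookies exist only in https contexts; others exist everywhere.
    const inScope = !cookie.secure || ctx.scheme === 'https';
    // Request header reaches the server unless the filter can strip it.
    if (inScope && !filterCanStrip(ctx)) channels.push(label + ' header');
    // Page script reads it in the browser, where no network filter applies.
    if (inScope && !cookie.httpOnly) channels.push(label + ' script');
  }
  return channels;
}

// Constructed sample headers, from weakest to strictest flags.
for (const h of ['track_uid=abc123; Path=/',
                 'track_uid=abc123; Path=/; HttpOnly',
                 'track_uid=abc123; Path=/; Secure; HttpOnly']) {
  console.log(h, '=>', exposureChannels(h));
}
```

Even with both flags set, the `https:443 header` channel remains: a cookie stored under a site's domain is always delivered to that site over TLS, so network-layer stripping does not confine it.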

Bonglet 04-05-2008 12:52

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Those are the broadband ones, lucevans, go take a look. If anything was reported to tarnish VM they could reply in argument that it's in the end user's T&Cs; those I highlighted would have been used to implement Phorm with such simpleness as VM and Phorm would have hoped, but are now stalling on due to the interest and complicity issues of the idea.

pseudonym 04-05-2008 12:56

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 
Quote:

Originally Posted by davews (Post 34544162)
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, ie an https://site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.

Fair point, opening a https page from within the http page using javascript or just redirecting the http: page request to a https: page would avoid that problem.


All Posts and Content are © Cable Forum