Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Sorry Peter, I was writing my post as you must have been typing yours. It was not aimed at your post.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Hi Simon, I could have given you this quote too;

http://webwise.bt.com/webwise/customer_choice.html

And by opted-in traffic, they mean from the user pov not the server pov. But obviously, don't say so.

And just in case you need to know where to send the Notice of Legal Action;

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

and what about the opt-in/out server run by phorm sat at gyron??

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Interesting that only the user's request is mirrored and not the response from the server. Or are they misunderstanding how HTTP works. I assume that it's actually both the request and the response which are mirrored, but it might be worth checking - we might be getting in a lather over nothing ;)

Or are they relying on misinformed consent?

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

I would interpret 'user's request' to include the serviced request data from the server that is mirrored and profiled. Phorm surely would need to 'see' and mirror this data to eventually show the http page containing the Phorm/Webwise adverts.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

OK let me just clarify something here. The page that you request from the server is mirrored irrespective of whether or not you are opted in opted out or shaking it all about. Kent made this clear at the PIA meeting as does Dr. Richard Clayton's analysis if I remember correctly. The only difference is if you have an opt-out cookie or you have the domain blocked for cookies that data is not passed to the channel server, it still goes through the profiler.

I wouldn't pay a great deal of attention to what is on the WebWise page as it is likely to be a bunch of bs given that they are not going to explain the "technicalities" to "mere customers" because you see, if you remember correctly, we are all too stupid to understand such complex systems.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

I'm not convinced BT really understands what is going on either!

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

BT and understand should not be used in the same message.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Steve Gibsons Security Now! Podcast (151) is available at the link below:

http://twit.tv/sn151 (This Week In Tech TV)

Running time: 1:46:37

additionally mp3 available to download on this site

EDIT: More to come again in another 2 weeks

EDIT2: Phorm starts just after halfway, with small intro at the start

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Awesome. Just awesome. Break it to the audience gently why don't you Steve. :D

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

have requested permission to use images for links to the Podcast. I will advise of the result when reply received.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Have you tried contacting his campaign people?

contact@daviddavisforfreedom.com

http://www.daviddavisforfreedom.com/

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

We all know that the anti-phishing' part of webwise is a complete red herring and seen as a bolt-on to sell the technology to the unsuspecting public. Here's the proof that it is a red herring and smoke screen...

PECR states certain provisions relating to the processing of traffic data under regulation 7:-

Regulation 8 (2) Processing of traffic data in accordance with regulation 7 shall be restricted to what is required for the purposes of one or more of the activities listed in paragraph (3) and shall be carried out only by the public communications provider or by a person acting under his authority.

(3) The activities referred to in paragraph (2) are activities relating to -

(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud;
(d) the marketing of electronic communications services; or
(e) the provision of a value added service.

A,B,C,and D don't apply to webwise, so you see, some form of 'value added service' had to be stuck on to 'attempt' to comply with PECR
That is why the 'anti-phishing' is being pushed so much.

But even so, webwise 'still' falls foul of the regulations because it still does not collect explicit informed consent.

PECR explanatory notes...
Regulation 6 provides that an electronic communications network may not be used to store or gain access to information in the terminal equipment of a subscriber or user ("user" is defined as "any individual using a public electronic communications service") unless the subscriber or user is provided with certain information and is given the opportunity to refuse the storage of or access to the information in his terminal equipment.

Regulations 7 and 8 set out certain restrictions on the processing of traffic data relating to a subscriber or user by a public communications provider. "Traffic data" is defined as "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication". "Public communications provider" is defined as "a provider of a public electronic communications network or a public electronic communications service".

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

All accessible web traffic was originally going to be mirrored, although not passed right through the profiler.

Phorm launches data pimping fight back

So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?

Marc Burgess: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs.

However, this soon changed. The change has been restated a number of times, but I think the following quote represents the first time.

Phorm’s Answers (part3)

phail: Virgin and BT are both currently operating an OPT-OUT solution, which would mean all users are opted in by default, and even if they are opted out OUR data is mirrored on phorm servers, regardless of whether the data is used, you ARE collecting it.

KentErtugrul: When a user opts out, the system is OFF. There is no data collection at all

The 18 May amendment to Richard Clayton’s analysis does include this, as one of the updates provided by Phorm.

The Phorm “Webwise� System

Phorm also say that “in many ISP implementations (all of the UK ones for instance)â€ÂÂ� the mirroring system described in paragraph 2 above, can be set to only mirror the traffic of users who have a valid UID. Thus the traffic of those who have the “OPTED OUTâ€ÂÂ� cookie (or are cookie-disabled) is not mirrored and does not reach the out-of-band machine.

Even without any Phorm-provided equipment, ISPs already rummage through your HTTP headers. They need to record the host names in all the URLs you access, to comply with the Home Office Voluntary Code of Practice on Data Retention.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Yeah just automated responses, but I have his private email address now so I will give that a try, been a bit busy this afternoon.

Alexander Hanff

---------- Post added at 17:40 ---------- Previous post was at 17:33 ----------

Nooo, even then it does not comply with PECR. Firstly 3e does not remove the requirement of explicit informed consent. Secondly WebWise is a completely seperate entity to the OIX platform, so even if they managed to palm off some value added service for WebWise (the anti-phishing) it -still- doesn't cover them for the behavioural profiling for OIX which has nothing to do with the Anti-Phishing and is purely a commercial venture based around advertising.

Why are so many people seeming to try and make excuses for Phorm/BT today? We need to stop second guessing ourselves here folks otherwise any new readers are going to think there is some doubt over whether or not it is illegal, let me make it very clear there is no doubt whatsoever that without consent this technology is ILLEGAL. Myself and other more qualified experts have very thoroughly analysed the law on these issues months ago and there are no grey areas.

Alexander Hanff