the "Stealing Phorm's business model" newsgroup thread is interesting
http://www.chiark.greenend.org.uk/pi...il/084109.html
"
Paul Barnfather ukcrypto at chiark.greenend.org.uk
Mon, 7 Apr 2008 14:36:47 +0100
>
On 07 April 2008 12:59, Richard Clayton wrote:
>
> This cookie can then be used in an access to the webwise.net domain in
>
> order to fetch an advertisement, and analysing the nature of that
>
> advertisement will permit the website to serve their own targeted-by-
>
> behaviour advert.
On Mon, Apr 7, 2008 at 1:17 PM, James Firth <
james2@jfirth.net> wrote:
>
Say I'm a website owner, and I have registered users' details, and I want to
>
find out a bit more about these users. Next time they visit, I steal their
>
Phorm UUID.
If the GUID is easily available then any website operator has access
to a very valuable data set: GUID + registration info (which may
include name, address, email, credit card, etc). This data can (and
presumably will) be sold on by unscrupulous operators.
Any site operator purchasing this data will be able to instantly
obtain personally identifiable data on every visitor by simply
recording the GUID.
Surely this would enable a privacy invasion of spectacular proportions?
---------- Post added at 04:42 ---------- Previous post was at 04:20 ----------
http://www.chiark.greenend.org.uk/pi...il/084087.html
"Peter Fairbrother wrote:
>>
>>
Come to think of it, it may be worse than that - the webwise ad server
will know the UUID, keywords and the user's IP - so there is zero
anonymity anyway.
Rereading Richard's summary, it seems that security-wise Phorm are
pretty complete clowns. They don't have a clue. there is no "impressive
new technology to protect privacy" - it's just another snake-oil sham.
I'd bet that a complete analysis of their method would reveal many more
security breaches - in fact I don't think it is even possible to do
targeted advertising based on web browsing with guaranteed anonymity.
I certainly couldn't do it, and I'm reasonably good in the field.
-- Peter Fairbrother
"