Old 09-04-2008, 15:09   #2705
the_baby_jebus
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by AlexanderHanff
The section of the Directive ICO are referring to is with regards to interception, so they should not be permitted to intercept the traffic in any way unless a user is opted in.

This would mean that their current model would not satisfy the requirements as they need to intercept to verify whether a user has opted in or not (using DPI to look for the cookie).

Alexander Hanff
http://www.opsi.gov.uk/si/si2003/20032426.htm
Quote:
7. - (1) Subject to paragraphs (2) and (3), traffic data relating to subscribers or users which are processed and stored by a public communications provider shall, when no longer required for the purpose of the transmission of a communication, be -

(a) erased;

(b) in the case of an individual, modified so that they cease to constitute personal data of that subscriber or user; or

(c) in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that subscriber was an individual.

(2) Traffic data held by a public communications provider for purposes connected with the payment of charges by a subscriber or in respect of interconnection payments may be processed and stored by that provider until the time specified in paragraph (5).

(3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if -

(a) such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and

(b) the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and

(c) such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).
7.1.a The data is erased
7.1.b. the data is modified to remove personal data
7.1.c. not applicable only happens to home users
7.2. n/a nothing to do with billing
7.3.a it is (supposedly) value added as they've added a phishy filter.. at least that's their get out
7.3.b. user has been informed and opted-in.. or even not opted-out.. doesn't make the distinction
7.3.c. i.e. forever if they're still serving you adverts

also according to Richard Clayton http://www.cl.cam.ac.uk/~rnc1/080404phorm.pdf
Quote:

16. The Layer 7 switch will again direct the request to a special machine (within the ISP's
network for performance reasons if nothing else). This special machine, which is now acting
as webwise.net, will inspect any existing cookie to establish the current UID associated
with the user. If there is no cookie then a new UID will be issued instead.

28. If the user has set a cookie within the webwise.net domain indicating that they do not
wish to be tracked, then this preference is passed to the Layer 7 switch during the process in
paragraph 16 above. The details on how this is done were not explained by Phorm. . . but
it is presumably related to the mechanism described in the previous paragraph.
so the switch redirects to a "fake" webwise domain to inspect a cookie which then decides to proceed or not.. which isn't Deep Packet Inspection

have they covered all the bases and we're dangling by the short and curlies??

(obviously this only goes for any further implementations.. the 2 previous trials by BT shouldn't be covered as they were under the radar so not covered by 7.3.b)

edited : 15.29 with some extra detail from richard clayton