Old 03-05-2008, 11:51   #5497
James_Firth
Join Date: May 2008
Posts: 29
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by ceedee
Check out Simon's background.
Drop him a PM if you have any doubts about his previous record.
Email him and ask for a chat (but recognise that he's kind of busy right now and probably won't want to discuss the PIA conclusions until they're published).

I'm confident that you'll find it extremely difficult to find a single candidate that you'd rather have conducting the PIA.
I for one do not doubt Simon and 80/20 thinking's ability to handle the privacy angle.

My concern is that he is essentially auditing a rather intricate software system which is itself a rather complex and specialist task, and I don't see any visibility of who is involved with this task.

There is a need to consider not only what Phorm claim the system to do now, but what a software expert views the system to do now, and what the platform is capable in future (with software upgrade).

These risks then need to be mitigated by strict operational, development, validation and procurement procedures as they are e.g. in any mainstream communications equipment manufacturer.

There is a well-documented chasm in opinion between how executives in software companies view software development and the view of the software developers, designers and architects themselves (just one example is Watts S. Humphrey in Winning with Software: An Executive Strategy: http://www.amazon.co.uk/Winning-Soft...dp/0201776391/).

This applies especially to how risks are viewed and mitigated. Whilst executives tend to believe risk (and with it software security) management is just another bolt-on layer that can be organised and paid for (i.e. bought in) as part of planning a programme of works, in reality this risk needs to be mitigated from the start of the project and by training everyone involved in the project, from developer to director, to spot and mitigate these risks.

The cyber security threat is very real, with documented cases:
http://www.theregister.co.uk/2008/04...e_development/

TD Ameritrade showed last year what such practices can do when it admitted that a backdoor created by an outsourced programmer was to blame for the loss of 6.3 million customers' details.

Note also that in allowing Phorm, the Home Office and ICO are implicitly opening up the intra-ISP profiling market to all. A green light, as The Register put it, to anyone who can persuade an ISP to allow them access. Since big financial rewards are being touted, ISPs may be persuaded. Don't also forget the many "micro-ISPs", e.g. those operating hotspots in hotel rooms.

My concern is over who will regulate this market, ensuring not only that the profilers do what they say, safeguard privacy and respect users' choice, but also ensuring the software vendors adhere to the strictest standards and development procedures to minimise the increased security threat.

It was first suggested by Phorm that the ISPs themselves are more than capable and motivated to do this; however, as I have pointed out in numerous blogs, to the BBC, at the Town Hall and to Phorm in person (Radha), the ISP has for the first time got a financial interest in ensuring the marketability of the data output from the profiler.

The "Cisco" argument put to me by Phorm (an ISP accepts software on trust from Cisco, so why not Phorm) falls over because neither Cisco nor an ISP stand to make direct financial gain based on the marketability of the output of its kit.

I have no direct experience of Cisco but I do of other manufacturers, and I know first hand the procedures such companies have in place. Furthermore, full source is provided where kit is to be installed in sensitive situations, and these same units are on general sale to millions of customers worldwide. These customers gain much comfort in knowing these facts.

I simply don't see who is going to regulate this market.

The question of legality is a red herring of sorts. A practice is legal until the courts (or regulators) decide it's not. Furthermore Parliament may still decide to change the law to legalise a practice they see as beneficial (EU commitments duly noted).

Access to the courts is restricted by money or public interest, and at the moment Phorm is generally seen as a good thing for business, even by Don Foster, who wrote in a personal letter to me, "Having met [with Phorm] ... I am convinced that Phorm can provide a useful service with more than adequate security protection for each user."

The argument I am trying to put forward is that there is a public interest in this issue, and in the absence of a capable independent regulator for intra-ISP profiling I personally think RIPA should be enforced strictly because I feel there is a legitimate threat to cyber security once the market is open to all.

James Firth