Quote:
Originally Posted by pseudonym
The UID is 128 bits long; Phorm could use a few of those bits to uniquely identify each specific device and use an incrementing count rather than being truly random. However, with 2^128 permutations it is quite likely that they won't worry about it. The worst that could happen if you share a UID is that you will share the one profile, so the adverts won't be quite so relevant. If a website doesn't appreciate being exploited by Phorm, it could change the UID in the tracking cookie for their own domain, potentially polluting someone else's profile with your browsing of their site anyway.
|
Agree. If I can obtain your UID, I can impersonate you (because Phorm can't differentiate me from you).
Using your UID I can either corrupt your profile (causing you to see the type of adverts I'd prefer you to see), or obtain a succession of adverts from OIX which reveal your likely profile to me.
If I can buy data from other people who've done the same thing, I can start to build a wider profile about you with Phorm's help.
Even Phorm's DPA registration (purpose 2) suggests they aspire to sell "Personal Details" to "Traders in personal data" "worldwide".
It's valuable stuff, your personal details.
---------- Post added at 09:54 ---------- Previous post was at 09:45 ----------
Quote:
Originally Posted by JohnHorb
AFAIK they don't even need to do that. The cookie is available to be read by CLIENT-SIDE script, so all they need to do is read the UID and copy to another, non-phormed cookie, which won't then be stripped.
|
Sample code on dephormation.org.uk and elsewhere.
It looks like it could be trivial, around 3 lines of JavaScript code.
---------- Post added at 10:46 ---------- Previous post was at 09:54 ----------
Quote:
Originally Posted by 80/20Thinking
You'll understand, I'm sure, why I'm resisting saying anything that could fuel speculation, but you've hit the nail on the head. If we're in the business (at least in part) of finding possible solutions, the browser manufacturers are massively relevant. But talk about a hornet nest....
Simon
|
Can I query this post? The significance is just starting to sink in.
Are you advocating that browsers support cross site cookies? Finding a 'solution' to the problem that they don't exist? If there is a hornets' nest it might be because there is a reason.
Currently there is no such thing, thank God, hence the redirects that Phorm must jump through to create one.
What positive effect, if any, do you think cross site cookies would have on privacy?
Pete