Quote:
Originally Posted by mark777
Just trying to anticipate the wriggles. This means that it was sent from the server? Does it mean it was copied to a phorm e-mail address?
If not, what would be left on the server in the way of logs etc?
I'm just trying to establish if BT/Phorm can argue that no data was collected/kept by Phorm. They can probably argue it's not phishing because BT themselves must have pointed the URL towards that site.
Having said that, BT could have pointed it towards the information page; Phorm could have added the 'contact us' bit by themselves. That would be phishing.
Perhaps BT need to confirm that they authorised Phorm to collect the 'contact us' information?
Well the fact that the sensitive personal data is being collected on a server in the US is the first issue; this would appear to break EU Data Protection directives with regards to exporting sensitive personal data outside Europe without explicit informed consent.
The second issue is the ww3.phorm.com reference header. This suggests that the email which BT's system is replying to has been sent directly from ww3.phorm.com, logically a Phorm controlled server. This means that Phorm potentially have access to -all- the data submitted in that contact us form.
The third issue is that the ww3.phorm.com server must utilise some form of parser to then forward that contact us form's contents to BT via email.
We have no idea what is being logged, whether this information is being retained by Phorm or why it is even being sent to Phorm in the first place.
I think this is an important issue and shows a complete lack of transparency by all parties and seems to be breaking yet more laws.
It is simply unacceptable.
Alexander Hanff