Quote:
Originally Posted by fidbod
@ Devils Advocate.
One of your previous posts stated you would be concerned if it could be shown that the Phorm system made personally identifiable information (PII) available. I would argue that Phorm also increases your security risk significantly. I am interested in your thoughts on the following thought experiment.
1. The cookie that Phorm set on your PC contains a unique identifier (UID)
2. Your PC's IP address can be read from the HTML requests generated when browsing.
3. Malicious JavaScript code on a website can "read" the Phorm UID from your machine.
As a malicious person, I now have two pieces of information unique to your PC that I can use to target you.
You could argue for a long time whether these two bits of information are PII, and I will not offer judgement on that. However, it is now much easier for me to target your PC to extract further information.
Thoughts?
Catching up, as I have been very busy lately.
Phorm's profiler is supposed to strip the Phorm-related data back out of the cookie on the fly when a website requests it, but if a website switches from port 80 to another port, 443 (SSL) for instance, that information will not be stripped and will then be visible to the website.
So the cookie can leak your UID.
peter
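To make the port-80-only stripping concrete, here is an added example (not code from the thread or from Phorm) that models an inline cookie-stripping device and audits which request URLs would deliver the identifier cookie to the origin server. The cookie name "uid", the sample Cookie header and the URLs are constructed assumptions for illustration; the point shown is that a device which can only rewrite plaintext HTTP leaves the identifier intact on HTTPS and on non-standard ports.

```python
"""Toy model of an inline cookie-stripping profiler (added example, not
Phorm's code). Assumption: the device rewrites the Cookie header only on
plaintext HTTP to port 80 and passes everything else through untouched."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

TRACKING_COOKIE = "uid"  # assumed name of the identifier cookie (hypothetical)


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def strip_tracking_cookie(header: str) -> str:
    """Rebuild the Cookie header without the tracking cookie."""
    kept = {k: v for k, v in parse_cookie_header(header).items()
            if k != TRACKING_COOKIE}
    return "; ".join(f"{k}={v}" for k, v in kept.items())


def inline_profiler(url: str, cookie_header: str) -> str:
    """What the inline device forwards for a request to `url`.

    Only plaintext HTTP on port 80 can be inspected and rewritten; TLS
    traffic and other ports are opaque to it and pass through unchanged.
    """
    parts = urlparse(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme == "http" and port == 80:
        return strip_tracking_cookie(cookie_header)
    return cookie_header


def origin_sees(url: str, cookie_header: str) -> dict:
    """Cookies the origin server actually receives for this request."""
    return parse_cookie_header(inline_profiler(url, cookie_header))


def audit(urls: list, cookie_header: str) -> list:
    """Return the URLs at which the identifier cookie reaches the origin."""
    return [u for u in urls if TRACKING_COOKIE in origin_sees(u, cookie_header)]


# Constructed sample: a browser cookie jar with the identifier plus a
# normal session cookie, sent to the same site over three different channels.
SAMPLE_COOKIE_HEADER = "uid=constructed-id-123; session=abc"
SAMPLE_URLS = [
    "http://example.com/",          # plaintext, port 80: stripped
    "https://example.com/login",    # TLS: passes through, UID leaks
    "http://example.com:8080/api",  # non-standard port: also leaks
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", origin_sees(u, SAMPLE_COOKIE_HEADER))
    print("leaks at:", audit(SAMPLE_URLS, SAMPLE_COOKIE_HEADER))
```

The audit function is the defender's view: given the set of cookies a browser holds, it lists every channel on which an inline rewriter cannot protect the identifier, which is exactly the HTTPS case raised above.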
---------- Post added at 08:36 ---------- Previous post was at 08:32 ----------
Quote:
Originally Posted by rryles
I have looked at the RIPA explanatory notes and I'm afraid I still see a problem. I think Phorm will argue the following:
Code:
The data is not made available to any person.
The data is processed by an automated system which produces some other data.
This other data is made available to another automated system and potentially certain people.
This other data does not represent any part of the communication.
I really would love to be shown the error of my thinking. I want Phorm and BT to be held legally accountable for the trials, and I want the whole idea of DPI for advertising to be litigated into oblivion.
Still catching up.
One thing you miss: the data is available to the system admins in the form of the diagnostic logs, which we are told are kept for up to 14 days, but we are not told what happens after that.
peter
---------- Post added at 08:57 ---------- Previous post was at 08:36 ----------
Quote:
Originally Posted by rryles
Not sure if the below is relevant:
***************
The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): My Lords,
the Home Office provides guidance about lawful interception conducted under warrant for law-enforcement purposes. This is separate from
advice provided by the Department for Business, Enterprise and Regulatory Reform on the relevant business facing legislation. ISPs may, with the consent of the consumer, use information about consumers’ internet use for the provision of value-added services. The Information Commissioner provides information to the public on privacy issues.
***************
My bold / underline. So is this saying that the HO should only give advice regarding interception under warrant? If so, does that mean that Phorm spoke to the wrong dept and got duff info?
And that DBERR are the ones they should be checking with, and so should we? Has anyone done an FoI request to DBERR?
Note the important point "provision of value-add service", AKA anti-phishing.
Could it not be argued that to be a value-add service it would need to be a service users required, not a duplicate of one they already have? If this were so, then Webwise would lose its immunity from PECR as it would no longer be a value-add service?
peter