Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[unicus]

I know that an established secure connection between a browser and a server would be hard to crack but I have a question regarding SSL and interception, could anyone help?

What I was wondering is this; browser A requests a secure connection with server B though the connection is through a transparent interceptor C. Then instead (and unbeknown to A & B) a secure connection is made between A & C and also between C & B. So A thinks it has a secure connection with B and B with A but they both have a secure connections with C which is then able to see everything unencrypted. Is this clear and is this technically possible?

I'm no expert on this stuff but I don't see why it's not possible (and scary). Now I don't think that at this present time Phorm have this type of system but, if it's possible, they could and would just run some spin BS about making it more secure and the suits with pound signs would believe it I'm sure (like they already have).

I actually think that packet inspection equipment should be tightly regulated as it could be very dangerous in the wrong hands (like Phorm's).

[popper]

just browsing for legal ruling like you do and this turned up , the lost RIPA appeal of Stanford's
http://www.lawdit.co.uk/reading_room...20Stanford.htm

Stanford Loses Criminal Appeal

3 February 2006

Stanford Loses Criminal Appeal

Cliff Stanford, the Internet pioneer has recently had his appeal to quash his criminal conviction for intercepting emails denied. Stanford pleaded guilty last year to intercepting emails from his former company Redbus Interhouse – he argued in his appeal that the trial judge had misunderstood the law.

Stanford was the founder of the ISP Demon Internet in 1992 but sold it to Scottish Telecom for £66 million in 1998. It is reported that Stanford made £30 million from the acquisition.

Shortly afterwards Stanford was a co-founder of the co-location and data centre company Redbus Interhouse.

However, Stanford resigned from the company in 2002 after disagreeing with the Chairman Jonathan Porter.

In 2003 allegation started to be made as to whether Stanford was involved in the interception of email between Porter and his month Dame Shirley Porter. Stanford and another man were later charged under the Computer Misuse Act and the Regulation of Investigatory Powers Act 2000 with a trial date set for September 2005. However, both men pleaded guilty to the offence shortly before the case went to trial.

Peters & Peters solicitors for Stanford were reported to have released the following statement:

"Mr Stanford pleaded guilty to this offence following what we regard as an erroneous interpretation of a very complex new statute. The Judge’s ruling gave Mr Stanford no option other than to change his plea to one of guilty."

Apparently, the legal team for Stanford intended to establish his innocence on appeal. However, this has had a severe drawback. He lost.

The Regulation of Investigatory Powers Act 2000 provides a defence to an individual who intercept a communication in the course of its transmission from a private telecommunication system, if they can establish:

a) that they are entitled to control the operation of the system; or

b) they have the express or implied consent of such a person to make the interception.

Stanford relied on the position that he had gained access to the emails through a company employee. The employee apparently was given access to usernames and passwords on the email server.

Therefore, Stanford argued, he was entitled to access the emails as “a person with a right to control the operation or the use of the system”.

Geoffrey Rivlin QC, the trial judge had a different view. He pointed out that
“right to control”
did not mean that someone had a right to access or operate the system, but that the Act required that person to of had a right to authorise or to forbid the operation. [that mean YOU users as the owner of the data]

Stanford appealed the judge’s decision. However, the Court of Appeal upheld Rivlin’s view. It pointed out that the purpose of the law was to protect privacy. Therefore Stanford’s sentence of 6 months imprisonment (suspended for two years) and a fine of £20,000 with £7000 prosecution costs
were upheld.

Daniel Doherty

[Phormic Acid]

Quote:

Originally Posted by unicus

Then instead (and unbeknown to A & B) a secure connection is made between A & C and also between C & B.

At this point, your web browser will warn you that an invalid certificate is being used. C will not be able to use a certificate issued to B. Some very clever people have thought very hard about this. If there was an easy way to compromise the security at any point between A and B, TLS/SSL wouldn’t be used. That’s not to say it’s impossible. People are always looking for potential weaknesses and looking to make improvements should any be found. What we can say is that it’s believed to be very strong, certainly strong enough to stop Phorm intercepting anything.

[unicus]

Quote:

Originally Posted by Phormic Acid

At this point, your web browser will warn you that an invalid certificate is being used. C will not be able to use a certificate issued to B. Some very clever people have thought very hard about this. If there was an easy way to compromise the security at any point between A and B, TLS/SSL wouldn’t be used. That’s not to say it’s impossible. People are always looking for potential weaknesses and looking to make improvements should any be found. What we can say is that it’s believed to be very strong, certainly strong enough to stop Phorm intercepting anything.

Oh yes the certification system, that makes things more secure for SSL.

I've done a bit of looking up on this and they call it a 'Man in the Middle attack (MITM)' apparently which is exactly what Phorm are doing.

[popper]

it would seem your key entrys and clickstream data are clearly 'being a thing in action' and 'which is transmissible by assignment or by operation of law as personal or moveable property' wouldnt you say!

and the ISP's and profilers want to be assigned title to your property! for their commercial profit, wouldnt you say,Hmmm.

http://www.lawdit.co.uk/reading_room...-Copyright.htm
Do I Own The Copyright

3 January 2008
By Ben Evans
In many circumstances it will be important to know who is the owner of the copyright.

This involves asking the question who is the first owner of the legal title to the work and, secondly, whether that title has since devolved on some other person.

Legal title may vest in more than one person.
The general rule is that the first legal owner of the copyright in a work whose making was commissioned will be the author, i.e. the person who creates it.

This means that I go to a webdesigner and ask it to build me a website.

Who owns it? Well the designer.
It should nevertheless be borne in mind that in many cases where a work is made pursuant to a contract of commission, it will be a term of the contract, express or implied, that the commissioner will be entitled to the copyright.

Provided that I am entitled to enforce the contract, I will be the equitable owner of the copyright.

Copyright is a statutory property right, [CDPA 1988, s.1(1).] being a thing in action, [Orwin v Attorney-General [1998] F.S.R. 415 at 421.] which is transmissible by assignment or by operation of law as personal or moveable property [CDPA 1988, s.90.]

Lawyers refer to the Copyright Designs and Patents Act 1988. An assignment of the legal title to copyright is not effective unless it is in writing signed by or on behalf of the assignor.

---------- Post added at 04:42 ---------- Previous post was at 04:35 ----------

http://www.lawdit.co.uk/reading_room...fringement.htm
Copyright Infringement

7 December 2007
By Ben Evans
There are two types of copyright infringement: Primary and Secondary, both of which are governed by the Copyright, Designs and Patents Act 1988.
Primary Infringement
To show this the claimant must prove on the balance of probabalities that:

1. the defendant carried out one of the activities which falls within the copyright owner's control;
2. the defendant's work was derived from the copyright work ('casual connection'): and
3. the restricted act was carried out in relation to the work or a substantial part thereof

Secondary Infringement
Secondary infringement can be divided into two categories firstly those who distribute or deal with infringing copies once they have been made and secondly those who facilitate the copying.
Sections 22 and 23 of the act provide that copyright in a work is infringed by a person who without the permission of the rights holder:

1. imports an infringing copy in the course of business,
2. possesses an infringing copy in the course of business,
3. sells or lets for hire, or offers or exposes for sale or hire an infringing copy,
4. in the course of business exhibits in public or distributes an infringing copy, or
5. distributes an infringing copy, otherwise than in the course of a business, to such an extent as to affect prejudially the copyright owner.

Section 24 of the act is concerned with those who facilitate copying.

[AlexanderHanff]

OK I have started work on my article, you can watch it develop here http://www.paladine.org.uk/phorm_paper.pdf

Please feel free to comment on the article as it is being written and to remind me of any details I may miss as this will help to create a more comprehensive and complete piece when it is finished.

I dedicate this article to all the people on these forums and elsewhere who have helped to raise awareness of this issue and taken steps to attempt to prevent this technology from being deployed. It gives me great pride to see the public finally waking up to issues surrounding privacy and liberty in a time where more often than not these rights have been devolved in the years following the World Trade Center attacks on 9th September 2001.

I sincerely hope this is a sign of better things to come, with more people engaging politicians and law with regards to enforcing and protecting rights which exist in order to make the world a more civil place to live.

Alexander Hanff

[popper]

ill read it through later alexander, you know my thoughts so no worrys there, im gone for a while as works catching up etc,inabit.

btw, i emailed and invited a few legal people ,so if they pop over and register,say hello

[Anonymouse]

Well, I feel badly let down by my MEP (am I allowed to name him?) - his reply to my email was 'I am not a lawyer'. Whuh? We're not lawyers either, but that damn well doesn't prevent us from being extremely concerned by all this!

And they wonder why fewer and fewer people vote?! It has nothing to do with "apathy", their favourite excuse - it's just that there seems to be no point having politicians these days!

Just thought I'd mention: after calming down (5% or thereabouts) I replied to him, asking if he could check on whether RIPA has been quietly repealed, and by what authority. I might have been a tad naughty in my suggestion that HMG has a vested interest here...after all, with their unhealthy preoccupation with our everyday affairs, why wouldn't they want to spy on us like this?

I'm currently wrestling with my conscience and ethics, because for all that Virgin are intent on data rape (is it me, or is their brand name now very ironic given said intent...?) I don't want to change ISPs with all the hassle that implies - I'm actually seriously considering subscribing to Ironkey. I don't particularly want the Powers That Be to pay me a visit to ask me why all my communications are suddenly being encrypted to military levels, though. Oh, hang on, I forgot: this isn't the States, is it?

[mart44]

This is a huge thread that I've only just come in on. A search and a quick scan by me hasn't brought up reference to this interview in The Register. Apologies if it has already been highlighted. Perhaps worth a read to see what is said in defence of Phorm.

[Ravenheart]

Interesting comment from Virgin that Batchain posted a link to in the 3 strikes thread..

http://www.computeractive.co.uk/comp...s-itself-three

Quote:

However, Virgin Media said it felt that this measure was too draconian, raised privacy and legal issues and would also be too costly for ISPs to run.

Raised privacy and legal issues... hmmm now that sounds familiar for some reason..

[AlexanderHanff]

OK I have finished the Abstract and Introduction. The main part of the paper will outline legal concerns in order based on the list of regulations/legislation:

Regulation of Investigatory Powers Act 2000 (RIPA)
Privacy and Electronic Communications Regulations 2003
European Convention on Human Rights
Human Rights Act 1998
Computer Misuse Act 1990
Trespass to Chattels
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Since BT have now admitted to the 2006/2007 trials which have been shown to have included altering the data in the stream and inserting javascript, I will be providing information on Computer Misuse Act 1990 and the tort Trespass to Chattels as it is my belief that these additional issues are relevant to the secret trials.

It should be noted that these 2 additional laws are probably not relevant for the revised technology due to be tested next month, although that remains to be seen.

I will update the live pdf after I complete each section and hope to finish it sometime this afternoon.

Alexander Hanff

[weesteev]

Hey Alex

Im confused as to the legal ramifications towards communications providers when they clearly state in their terms and conditions of service that this type of action they can justify.

For example....

Virgin Media T&C's

Section B, Category 3, Sub Section ii

"We reserve the right to monitor and control data volume and/or types of traffic transmitted via the interactive services on your Virgin TV and/or Internet access."

Now its to early in the morning to go trawling through BT's T&C's but I'm sure they will have a similair outlook.

Does this stance within their highlighted T&C's provide adequate privelages to trial products and services without notice over their own network where they deem them to have a beneficial advantage to their customers?

Now dont get me wrong, I'm no Phorm fanboy by a long shot, but I am worried that any sort of action being raised against any ISP will lead to the same outcome... "It's part of our T&C's"

Thoughts?

[AlexanderHanff]

Quote:

Originally Posted by weesteev

Hey Alex

Im confused as to the legal ramifications towards communications providers when they clearly state in their terms and conditions of service that this type of action they can justify.

For example....

Virgin Media T&C's

Section B, Category 3, Sub Section ii

"We reserve the right to monitor and control data volume and/or types of traffic transmitted via the interactive services on your Virgin TV and/or Internet access."

Now its to early in the morning to go trawling through BT's T&C's but I'm sure they will have a similair outlook.

Does this stance within their highlighted T&C's provide adequate privelages to trial products and services without notice over their own network where they deem them to have a beneficial advantage to their customers?

Now dont get me wrong, I'm no Phorm fanboy by a long shot, but I am worried that any sort of action being raised against any ISP will lead to the same outcome... "It's part of our T&C's"

Thoughts?

No definitely not. RIPA has provisions in it covering the principle of those terms which is specifically with regards to them being essential procedures for providing the service (ie your broadband). Note how the terms explicitly state data volume and type of traffic as opposed to the actual contents of the traffic/data. This is acceptable as it falls under reasonable network management, but to actually look at the data itself or intercept that data for the purpose of an advertising business is not covered.

They have no grounds for the interception with regards to their existing terms and conditions.

Furthermore, Privacy and Electronic Communications Regulations 2003 (section 8 I think) states that Terms and Conditions which do not adhere to the regulations (as in must have customer consent first, which implies this must be explicit (informed) consent as opposed to implied consent (not objecting to the terms)) are void under the regulations. So even if they had Terms and Conditions giving themselves permission to intercept, those terms would be invalid and void.

Furthermore, even if they managed to get a "sympathetic" judge, the activity still contravenes the European Convention on Human Rights and the Human Rights Act 1998 and as such the judge would have to rule that the case is incompatible with the Convention.

Hopefully it will all become clear when people read my interpretation of the law in the article I am currently working on.

Alexander Hanff

[Winston Smith]

Just read an article on the BBC news website about the proposed threes strikes on p2p, under the 'See Also' was this http://news.bbc.co.uk/1/hi/technology/7246403.stm. What was interesting was the following quote:

"A spokesman for the Internet Service Providers Association (ISPA) said the 2002 E-Commerce Regulations defined net firms as "mere conduits" and not responsible for the contents of the traffic flowing across their networks.

He added that other laws on surveillance explicitly prohibited ISPs from inspecting the contents of data packets unless forced to do so by a warrant."

The obvious question then is what has changed since the 15th February to make this now legal?

[AlexanderHanff]

Just to make it clear, if they were only using the system to provide extra security features to prevent Phishing (inspecting the packets to look for blacklisted destinations) then it would be a harder argument (although would still need to adhere to the consent aspects as it is not an essential procedure for providing broadband). But the second they use that data for anything else (ie profiling for advertising purposes) then it violates the law.