Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[mark777]

Quote:

Originally Posted by Deko

... snip ...

Summary - legal underall three relevant laws.
Question - do you really think that BT's legal department would have spent 6 months looking into this and made an error when they decided to give the green light. Same with the Home OFfice, the ICO, the QC's thta gave legal opinion etc etc.

Yes.

[AlexanderHanff]

OK in response to the information offered by BT today:

Quote:

1) Reply from EU Information, Society & Media Commissioner Viviane Reding. Any comments?

I have no further comment to what BT, Phorm and others have already stated publicly regarding privacy ie no personally identifiable information is stored. We have also commented previously that we are comfortable that Webwise complies with relevant laws.

Clearly not that confident or they would be willing to make comment justifying their actions and citing why they think they are not breaking any laws.

Quote:

3) Various other questions regarding the two previous small scale tests BT conducted...

I have nothing to add to our previous statements regarding the two previous small scall tests, which were completely anonymous.

Of course they have no comment here, they realise they are seriously neck deep as a result of the illegal trials and any public comment could be used against them in upcoming legal action.

Quote:

4) Re the issue of javascript injection ?

Javascript tags will not be inserted as part of the forthcoming Webwise trial.

This is a very worrying comment. Notice how they say javascript injection will not happen in the upcoming trial; they don't make any attempt to extend that to the final deployment. This to me seems odd and would appear to suggest they have not ruled out injected javascript into the system over the long term.

Quote:

6) Please note, as the account holder for my ADSL account, I do NOT give consent for Webwise trials to be conducted on either my primary account OR any logins using my BTY broadband email sub accounts.

Your choice to accept or decline the invitation to participate in the forthcoming Webwise trial will be managed via the Webwise system itself. When the trial commences, if your broadband connection is among the group invited to participate in the trial, then you will be presented with a webpage which will give you the choice to participate in the trial or not. After this time, and at any point during the trial, you can go to www.bt.com/webwise and click 'BT Webwise off' or BT Webwise on' to change your preference. Alternatively, as I believe you may done already, you can add www.webwise.net to your browser's blocked cookies list at any point to ensure your computer is not part of the trial.

Not good enough. This clearly shows that they still intend to use the model described by Dr Richard Clayton which requires the law to be broken in order for them to detect whether or not consent has been given. I would suggest they are also talking out of their unmentionables. BT have no jurisdiction to say how users may give their consent on how their data is processed. I would suggest that anyone who doesn't want to be included in the trial should write a formal Data Protection Act request and send it by registered post. If you then receive the tiral page when the trials go live, they will be in breach of the Data Protection Act. A Data Protection Act request to the data controller at the ISP is the process required by the Act, BT have no authority to ignore that process.

Quote:

7) Consent to present you or BT broadband customers trying to visit your websites with the Webwise trial invitation page.

Adding www.webwise.net to your browser's blocked cookies list means that you (and any other BT customers that do the same) will not be presented with the Webwise trial invitation page.

See previous point.

Quote:

8) The issue of informed consent from Webmasters and your confirmation that you do not provide such consent for your own websites. How can web sites opt-out?

The system doesn't handle any HTTPS connections as such traffic is, by its nature, private. For HTTP traffic, we assume that if a website wishes to be found by the public through being profiled by major search engines (Google), then the site is in the public domain and therefore as long as we have consent from the requester of the page, we are permitted to profile the site. However we note that you have specifically requested that wimborne-baptist.org.uk and leighparkinitiative.org.uk be excluded and we will honour your request to exclude your websites from profiling within the BT Webwise system. We believe this approach is reasonable and is supported by the advice we have received.

They can keep saying this until they are blue in the face and they will still be wrong. Under common law and the laws governing contracts in the UK as well as Copyright law, they are required to behave in accordance to the terms and conditions of the content publisher. They have no authority to offset the process of opting out of the system to the content owners, if a content owner has explicitly denied the use of their content in such ways the ISP must accept that. My suggestion therefore, as it has been from day one, is too explicitly deny consent in your terms and conditions and then if they breach those terms I would advise you to litigate.

Quote:

10) Redirection of browsing traffic up to 3 times before we get to the sites we originally asked for in the first place, is not explained by Phorm. Could you explain that clearly and transparently?

I believe you mentioned you had read Richard Clayton's report - he covers this in some detail, I also understand that Phorm covered this at the event on Tuesday and confirmed that it should occur in fewer than 1% of web requests from the user, so to all intents and purposes, it will be unnoticeable from the user's point of view. We don't believe that this presents any risk and will obviously monitor this as part of the trial.

This is a ridiculous answer. What Kent said at the PIA was this would only effect 1% of customers. Of course this is blatantly untrue. 100% of customers will suffer this triple redirect the first day the system goes live. Their assertion at 1% is an illustration that they believe only 1% of their entire customer base will block all Phorm cookies, which they have no evidence to support. Neither did Kent have any evidence to support this at the PIA meeting, he merely stated it was so. Not good enough. Also Computer Misuse Act, Interference with Goods and Fraud Act all apply to this redirect situation.

Quote:

11) What will happen to the "browsing experience" of a BT customer who adds all the various oix/phorm/webwise domains to his/her HOSTS file, once Webwise/Phorm is in place? Will that "break" my browsing experience?

If a customer who is invited to participate in the trial adds www.webwise.net to their local HOSTS file with the resolved address of 127.0.0.1, they will not be able to browse the Internet on HTTP port 80 on that PC for the period of the trial. This is because access to www.webwise.net is required in order to process the consent status of the user during the trial. Instead, and as per the advice on the www.bt.com/webwise site, the recommended approach for excluding a PC from the Webwise service if the user regularly deletes cookies is to add www.webwise.net to the browser's blocked cookie list. As previously stated, in parallel with the forthcoming trial, we are developing a solution which will manage the choice of users without the use of cookies. We believe this approach is reasonable and is supported by the advice we have received.

This reply basically states that anyone who uses one of the trial exchanges (as they will all be invited to joint the trial) who adds the webwise domain/IPs to their hosts file redirecting to localhost (127.0.0.1) will be unable to use the web. They believe that's ok, I suspect their customers won't and BT could be open to action for breach of contract with regards to the provision of an internet connection.

Quote:

13) What will happen to browsing (and the Phorm business model) when browsers like Firefox (and security software vendors) start to look at layer 7 redirection and treat it as suspicious activity?

It is not clear to me that they will do that. Phorm are talking to security software vendors etc about Webwise.

Completely evaded the question.

Quote:

14) When will BT openly reveal the consumer research (including the questions used) that gave them the idea we as customers, WANTED this stuff?

It is not common practise for us to release our market research. At this stage we have no plans to release the research conducted by BT but that is not to say we will not provide details in the future. I can confirm that it was conducted by a third party market research agency on behalf of BT and others. It explored both aspects of the Webwise service separately - less irrelevant advertising and the additional protection against online fraud. Furthermore we will of course also review how our up coming trial of the service goes. Ultimately what is important though is that our customers will have a clear choice.

Totally confirms my comments during the PIA meeting Q&A where I explained to Kent that no-one in the room was naive enough to believe that BT wouldn't have tainted the poll question in order to receive the response they wanted. Clearly they have admitted they mentioned Advertising and Phishing in the poll. There was no mention of their legal rights under DPA, RIPA, PECR, CMA, HRA, IWG, FA neither was there any mention that the Anti-phishing services they offer are already offered by client side technologies such as web browsers, web browser plugins, operating systems, anti-virus, anti-adware, anti-spyware etc. which do not require the use of intrusive Layer 7 interception and data mining technologies at the network level.

Quote:

15) In response to the ICO's latest statement - can we have an UNEQUIVOCAL statement that the final implementation of Webwise/Phorm will be opt-IN?

We have not finalised our plans beyond the up coming trial and it would be premature to do so. We have committed though that Webwise will be optional and that our customers will have a clear choice.

Not good enough, the law requires explicit opt-in, the law prevents modifying terms and conditions in order to get implied consent. You cannot assume implied consent to breach a fundamental human right, it must be explicit.

Feel free to use any of my response in your reply to BT Management.

Alexander Hanff

[Rchivist]

Thanks Alexander. Keep up the good work and don't forget to sleep occasionally.

[dav]

point 8 above looks like the clearest indication that they have absolutely no intention of providing their own agent string and will masquerade as one of the "major search engines (Google)"
That's not what I would call the activity of a "transparent and open" company.

[lucevans]

On the subject of Phorm droids harvesting user profiles on both cableforum.co.uk and badphorm....

Could it be that they are compiling a blacklist of ISP customers that they'll then pass-on to BT/VM/TT to ensure that the most vocal amongst us are not "invited" to participate in the looming trials?

I realise that these user profiles alone are not enough to reveal our IP addresses (unless they're planning to hack cableform's servers) but perhaps once identified by forum moniker, the ISPs will use that shiny new DPI kit (illegally, of course) to find out which troublesome customers we are? Not too difficult, surely? Just add "lucevans", "Phorm" and "cableforum" to the categories list in the profiling software and, oh, there's my IP address.

...Or am I just being a bit ?

[ceedee]

Quote:

Originally Posted by Deko

Anyone care to comment on this from here http://www.advfn.com/cmn/fbb/thread.php3?id=14453044

ferdinandling - 18 Apr'08 - 21:00 - 1441 of 1441

Don't know who the RIPA expert was. His name was Casper something. The chairman (previous chairman of FIPR) knew him by name and explained to the audience that eh was probably the world's leading light with regard to RIPA. He agreed that the system was legal under that law.

Sounds like Caspar Bowden, the chair of FIPR before Ian Brown.
He's been very active in the legal and privacy spheres for years and a google on his name returns 13,100 results.

Found this interesting BBC article from 2000 regarding the targeting of adverts to mobile phones (known as Location Based Services) that seems to contradict his current stance:

Consumers should have the option to decide what advertisements they want or how often they receive them, as well as the chance to turn off the facility, he says.

No such thing as a free lunch

Even if this information isn't used to market unwelcome promotions to you, somewhere there sits a mass of data that paints a picture of your life, argue campaigners.

With the new powers received under the Regulation of Investigatory Powers Act, many government organisations can get their hands on this data without any judicial or Home Secretary authorisation.

"The privacy risk is that once the information is available on a non-warranted basis, anyone who really wants to find exactly where you went [can], it is just going to be a question of paying money to private investigators," the Foundation for Information Policy Research's Caspar Bowden said.

"What we are talking about is the invasion of privacy and restriction on civil liberties by this information being available as a tool of surveillance."

This "enables this tool to be put on half the population. It is like putting an electronic tag on half the population," he added.

Wonder if he's saying now that Webwise-style wire-tapping is legal but ought to be outlawed?

[wecpc]

After emailing Simon Watkins at the Home Office as advised by 'Florence', I had a reply but he stated that BT had not admitted to a trial in 2007, when I was intercepted. So I reported back that he should look at The Register and I gave him the required link.
He also stated that my interception was lawful by virtue of section 3(3) of RIPA 2000 which states:

3) Conduct consisting in the interception of a communication is authorised by this section if�

(a) it is conduct by or on behalf of a person who provides … a telecommunications service; and

(b) it takes place for purposes connected with the provision or operation of that service …..

I then replied back stating about the info being passed to a 3rd party (PHORM) and then quoted "Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users."
I will let you kow if I get another reply.

Colin

[fidbod]

Quote:

Originally Posted by Deko

Anyone care to comment on this

from here :http://www.advfn.com/cmn/fbb/thread.php3?id=14453044

ferdinandling - 18 Apr'08 - 21:00 - 1441 of 1441


Don't know who the RIPA expert was. His name was Casper something. The chairman (previous chairman of FIPR) knew him by name and explained to the audience that eh was probably the world's leading light with regard to RIPA. He agreed that the system was legal under that law.

Whilst we are on that subject, Dr Clayton admitted that the ICO had made an error about another law PECR requring opt-in. I'm not a techie so don't quite understand but along the lines of...Regulation 7 of PECR is referring only to traffic data. The Phorm system does not use traffic data, therefore the ICO's recommendation about OPt-in is not valid.

FInally, the last law that Phorm has been accused of breaking is the Data Protection Act. Dr Clayton's own review of the Phorm system (in MArch) agreed that it did not fall foul of any data protection rules.

Summary - legal underall three relevant laws.
Question - do you really think that BT's legal department would have spent 6 months looking into this and made an error when they decided to give the green light. Same with the Home OFfice, the ICO, the QC's thta gave legal opinion etc etc.

trying to remember what happened at the meeting.

I am fairly certain that this occurred during the question and answer session at the end.

The chairman, Richard Clayton and Casper the previous executive of FIPR where discussing the difference in meaning of the word traffic in PECR and RIPA. It was too arcane for me apart from the fact the two statutes have very different interpretations of the word.

I think their discussion centred around the possible legality of the new BT/Phorm/Webwise front page.

What I am certain of is that at no point did he disagree with Richard Clayton's assessment of the legality of the BT trial

[flowrebmit]

Quote:

Originally Posted by AlexanderHanff

<snip>
This is a ridiculous answer. What Kent said at the PIA was this would only effect 1% of customers. Of course this is blatantly untrue. 100% of customers will suffer this triple redirect the first day the system goes live. Their assertion at 1% is an illustration that they believe only 1% of their entire customer base will block all Phorm cookies, which they have no evidence to support. Neither did Kent have any evidence to support this at the PIA meeting, he merely stated it was so. Not good enough. Also Computer Misuse Act, Interference with Goods and Fraud Act all apply to this redirect situation.
<snip>

If I understand Dr Richard Clayton's paper correctly:

The triple redirection cookie browser con will happen for every new web site domain that you visit.

The cookie has an expiry of 3 days. So even for sites that you have visited in the past - every 3 days it seems your browser will be forced into the triple redirection cookie browser con.

[AlexanderHanff]

Quote:

Originally Posted by flowrebmit

If I understand Dr Richard Clayton's paper correctly:

The triple redirection cookie browser con will happen for every new web site domain that you visit.

The cookie has an expiry of 3 days. So even for sites that you have visited in the past - every 3 days it seems your browser will be forced into the triple redirection cookie browser con.

It doesn't really matter to be honest. the main point is that Kent saying only 1% of users will experience this is simply not a convincing argument. They haven't offered any data to support this claim, it seems like they just plucked it out of thin air.

Furthermore, even if it is 1% or 0.1% or 0.01% it is still too many, why should -any- users have to suffer degradation of service or loss of service in the case of the infinite loop (which is what Kent was referring to when he said 1%)?

Alexander Hanff

[flowrebmit]

Sorry, the system won't let me multi-quote your posting - I think you wrote too much

Quote:

Originally Posted by AlexanderHanff

<snip>This reply basically states that anyone who uses one of the trial exchanges (as they will all be invited to joint the trial) who adds the webwise domain/IPs to their hosts file redirecting to localhost (127.0.0.1) will be unable to use the web. They believe that's ok, I suspect their customers won't and BT could be open to action for breach of contract with regards to the provision of an internet connection.
<snip>

The BT answer to question 11 - staggers belief. The BT customers selected to join the trial, will be forced through the Webwise/Phorm Layer 7 equipment even if they have not consented to being in the trial. Because there is no independant opt-in system yet.

I am not sure that I believe BT when they say they will be working on an opt-in system that will be independant of the Webwise/Phorm DPI layer 7 equipment.

[AlexanderHanff]

Quote:

Originally Posted by flowrebmit

Sorry, the system won't let me multi-quote your posting - I think you wrote too much


The BT answer to question 11 - staggers belief. The BT customers selected to join the trial, will be forced through the Webwise/Phorm Layer 7 equipment even if they have not consented to being in the trial. Because there is no independant opt-in system yet.

I am not sure that I believe BT when they say they will be working on an opt-in system that will be independant of the Webwise/Phorm DPI layer 7 equipment.

Yeah I found the statement utterly arrogant. They have been told by respected privacy advocates and legal experts that the first trials broke the law because communications were intercepted without consent and yet still they plan to deploy the upcoming trials which will be doing exactly the same illegal interception to detect consent cookies.

Alexander Hanff

[unicus]

Quote:

Originally Posted by wecpc

After emailing Simon Watkins at the Home Office as advised by 'Florence', I had a reply but he stated that BT had not admitted to a trial in 2007, when I was intercepted. So I reported back that he should look at The Register and I gave him the required link.
He also stated that my interception was lawful by virtue of section 3(3) of RIPA 2000 which states:

3) Conduct consisting in the interception of a communication is authorised by this section if�

(a) it is conduct by or on behalf of a person who provides … a telecommunications service; and

(b) it takes place for purposes connected with the provision or operation of that service …..

So at the time of the secret trial what service were you signed up to with BT that required the use of the Phorm/Webwise equipment to intercept your communication?

Just as an anology with regard to RIPA. Under the normal course of Royal Mail's communication distribution they can't just open a letter for their own personal gain (though this is what Phorm et al. are proposing) and would not be legal as it is not necessary for the service with which they are contracted.

Now lets say the Royal Mail are sorting a letter with an address window but they cannot see any address but it was fairly obvious the letter was folded wrong and by opening the letter they would be able to see the address and carry out their obligation to deliver the letter. This would be legal because the otherwise illegal act of opening the letter was necessary to carry out their normal business as contracted.

Why do they keep trying to tell us this interception is legal when quite clearly the Phorm equipment is not necessary for the ISP to carry out it's contracted duty to relay communications therefore under RIPA it must be unlawful interception. After all their "provision or operation of that service" has managed fine without Phorm's equipment.

[AlexanderHanff]

Quote:

Originally Posted by wecpc

After emailing Simon Watkins at the Home Office as advised by 'Florence', I had a reply but he stated that BT had not admitted to a trial in 2007, when I was intercepted. So I reported back that he should look at The Register and I gave him the required link.
He also stated that my interception was lawful by virtue of section 3(3) of RIPA 2000 which states:

3) Conduct consisting in the interception of a communication is authorised by this section if—

(a) it is conduct by or on behalf of a person who provides … a telecommunications service; and

(b) it takes place for purposes connected with the provision or operation of that service …..

I then replied back stating about the info being passed to a 3rd party (PHORM) and then quoted "Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users."
I will let you kow if I get another reply.

Colin

Simon clearly doesn't understand S3 of RIPA. Subsections a and b are mutually inclusive and must BOTH be satisfied which is why there is a very prominent and at the end of subsection a.

The interceptions do not satisfy condition b because they were absolutely nothing to do with the provision of the service. The service can be provided (and has/still is) without these interceptions (service being connection to the Internet) and the interceptions only take place for the purpose of selling data to a 3rd party for behavioural advertising.

Let me make this very clear, there was not even any testing of the anti-phishing service during these covert trials so they can't even use that as an excuse under subsection b.

Alexander Hanff

[flowrebmit]

Quote:

Originally Posted by AlexanderHanff

It doesn't really matter to be honest. the main point is that Kent saying only 1% of users will experience this is simply not a convincing argument. They haven't offered any data to support this claim, it seems like they just plucked it out of thin air.

Furthermore, even if it is 1% or 0.1% or 0.01% it is still too many, why should -any- users have to suffer degradation of service or loss of service in the case of the infinite loop (which is what Kent was referring to when he said 1%)?

Alexander Hanff

To me it shows that Kent has spun yet another lie. Say to Joe Public a very small number and they'll think it's no big deal If it is easy to demonstrate that the number is much larger, and the Webwise/Phorm security browser breach happens on every new site visited and then every 3 days after that - it doesn't sound so good.

But I am sorry to admit I don't understand most of the legal discussion going on in this thread - so my point is probably not relevant