Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Wildie]

Quote:

Originally Posted by Privacy_Matters

Share Price: 925.00
Bid: 875.00
Ask: 975.00
Change: -100.00 (-9.76%)
Faller - Phorm Reg S

Says it all

nothing to do with us lot, the market place is in a downward trend on it`s own, somat to do with a very weak poorly $ and credit.

[jca111]

Quote:

Originally Posted by rryles

They say they only intercept port 80 so no DNS. Intercepting DNS queries would solve some of the issues but far from all. To come up with a half decent system they would have to intercept ALL traffic. Consider this:

https://258.23.239.2:22/

(IP address intentionally broken so it doesn't go anywhere)

The bottom line is this is a bad way to implement phishing protection.

Your example proves a very valid point. Phorm would have to look at all ports and look at the protocol being used (http) and then decide if its a phishing attack. Othewise, as your example shows, it would be so easy to circumvent the phorm anti-phishing "service", even for http attacks, let alone https.

[BetBlowWhistler]

What do you think would happen if you set up a web site that re-directed you to another port (other than 80)?

[thebarron]

8.75

I am enjoying today.

http://finance.google.com/finance?q=LON:PHRM

[Rchivist]

Just to show that BT are keeping themselves sharp and on the button legally speaking here's a copy of my latest (and last) correspondence with Emma Sanderson: (on the topic of website copyright). It contains some great quotes for use in court!

My email to Emma Sanderson: (in full)

Greetings.
Today's topic is the much neglected subject of website copyright which BT/Phorm seem to think does not apply to them.

Yes I've read the FOI stuff from the ICO and seen his mistaken and sadly inadequate understanding of implied consent with reference to Web content. He is wrong.

You have a major problem with Webwise in relation to the copyright of Website content. Here are the problems you have so far failed to address in public statements and private emails that I have seen. I understand your position to be represented by the following statement you made recently in an email to a customer, published on Cableforum and BT Beta forums.

"We believe that, in general, we can rely upon website owners' implied consent where websites have not taken steps to make their sites inaccessible generally, for example by excluding major search engines such as Google via robots.txt.
Over and above this, we are also taking reasonable steps to exclude specific websites from profiling upon specific request from the website owner. As per my previous email, if you provide me with the domain name for your website (and confirmation of ownership) then we will ensure that it is excluded from profiling within Webwise."

This ignores major sections of copyright law and places you in the position of being liable to CRIMINAL prosecution for copyright abuse for commercial gain.

1- you have not worked out how to avoid websites that carry a legal front page text warning or privacy policy explicitly witholding consent from the Phorm/Webwise system. There are an increasing number of such sites out there now, many of them actually mentioning the disgraceful Webwise system by name. If Webwise profiles those sites, you are in trouble.

2 - you are relying on robots.txt Google statements for implied consent, when the internet standards specify robots.txt is an "exclusion" mechanism, not a consent mechanism according to internet standards. There is no way you could defend this in a court of law - and believe me you will end up in one if you operate this system, facing people who know a great deal more about copyright law than you do. And it looks ridiculous anyway, because Mr Ertugrul is always highlighting the DIFFERENCE between Google and Phorm/Webwise - so how he/you think that when it comes to website copyright they are the same, beggars belief. But if you think you can justify it without looking silly, fair enough.

3 - you have totally failed to deal with the issue of ISP provided webspace, such as BTY-Geocities and BTOpenworld (to name a couple you may be familiar with) that do not operate for the owner at a top level domain, and therefore where robots.txt is not actually read by google and therefore where webmasters do not USE robots.txt. I've mentioned this before but you have never responded specifically so I mention it again. Again - it will look very embarrassing in court when you are asked about this. And you will be.

4 - you are offering an "opt-out" system for webmasters, when you know full well that the majority of the millions of the websites in the world will not be aware of, nor should they have to even consider the work involved in sorting out their inclusion on your spurious Webwise opt-out list. Do your "reasonable steps" include ANY attempt to contact every website owner in the world? Do your reasonable steps include any worldwide publicity about Webwise that website owners could reasonably be expected to see? What reasonable steps HAVE you taken to publicise this list and inform webmasters? What publicly available information IS out there and how might a webmaster reasonably locate it? How many languages is it published in for example? Where is it published?

5 - you have not considered the international legal aspects of Webwise in reference to Website copyright. Not only do you have to be familiar with the legal situation in the UK (which you patently are NOT as the debacle of the 2006 and 2007 trials displays - see ICO comment on illegality of those trials) - but you need to be familiar with the legal environment in every country in the WORLD, because you are rolling Webwise out across the WORLDwideweb. Are you quite convinced that for example, no website owner in the USA will take copyright infringement action against BT when a Webwise linked BT customer visits their site? Perhaps a Congressional campaigner against NebuAd who will be well prepared for a DPI snoop to their site, and be well informed, and have a similarly well briefed US lawyer ready to sue the pants off you? Or possibly initiate a criminal case?

6 - and of course finally and most importantly, copyright law simply prohibits what you are doing with Webwise. Period. It's illegal. You CANNOT copy, make derivative works from, exploit for commercial gain, copyright material without IN ADVANCE obtaining a licence to do so from the copyright holder. The existence of publicly available material does NOT mean it is not still copyright. Books in a public library are copyright. Web pages are copyright whether publicly available or encrypted or password protected. It is ALL copyright. You are proposing to copy this material, profile it, make derivative works based on it, and all for commercial gain. Webwise is criminal, copyright theft. You can go to jail for it. You can be fined for it. And you can (and will) be sued for it in the civil courts.

Have you not thought about what a prosecution (or plaintiff) lawyer would DO to an ISP defendant who tried out your ridiculous "defence" on copyright? Do you not think he would have a list a mile long of previous ISP statements about filesharers? About how the ISP's present themselves as champions for intellectual property rights? Do you not realise how stupid they would make you look (before finding you guilty)? Do you not think the press would have a field day comparing the way in which ISP's co-operate in the persecution of individual teenagers, yet attempt wholesale copyright fraud through their DPI/Profiling technology?

If you have been following the Cableforum or BT Beta forum discussions (and it would be negligent of you NOT to have been following them) you will have seen these arguments rehearsed in detail by people who know their copyright onions extremely well. I refer you also to the Dephormation site copyright page at http://www.dephormation.org.uk/web_m...html#Copyright - if you haven't yet read this you need to read it very carefully. And your lawyers need to read it too. And come up with answers BEFORE you commit potentially CRIMINAL acts with respect to copyright, acts that could result in JAIL sentences.

You can dismiss us if you like, the way Kent Ertugrul does. But we'll still be here when Webwise has bitten the dust. And we are trying to warn you - you are in dangerous legal waters and you could end up with criminal charges against you.

I wonder what the shareholders will think about all this legal high wire walking that BT executives are planning to do with their company? Aren't you in enough legal trouble anyway? With the police file being handed in on 16th, don't you think it would be wise NOT to commit any more illegal acts for a while? Let alone a massive copyright offence of global proportions.

Please note - I will infer your consent to the publication of any reply to this email unless you expressly and explicitly withold such consent.

Her reply to me: (some final comments about there being no further replies are edited out)

Neither of the previous small technical trials or our future trial of BT Webwise involve infringement of the copyright of any website holder.
Anyone who puts a webpage on the internet does so for the purpose of people making copies of it for the purpose of looking at it and assessing the information contained in it. There are of course some exceptions to this, which is why, for example, BT Webwise does not profile pages transmitted via HTTPS.

Accordingly I am afraid no royalties or other payments are due to website owners - aside from those that want to participate in the OIX of course (www.phorm.com).

We believe that we can rely upon website owners implied consent, especially if websites are happy to be trawled by major search engines such as Google, as if they are unhappy with this and use robots.txt to block the likes of Google then Phorm will also ensure such sites are excluded. It is not reasonable or practical to contact every website owner in advance or to identify sites displaying Webwise messages.

Over and above this we are also taking reasonable steps to exclude specific websites upon specific request from the website owner, so if website owners provide us with the url's of their websites (and confirmation of ownership) then we will ensure that they are excluded by
Phorm.

I can assure you that we have taken advice and believe our approach is both entirely reasonable (straightforward) and that it complies with relevant legislation.

I was particularly taken by the acknowledgement that BT intend to ignore and flaunt the requirements of website privacy/copyright notices. Great to see that put so clearly in writing.

Anyway - I thought all this ought to be on record, and I have of course inferred consent from the lack of any request for the reply to remain private.

And the share price according to google is now 875p - is that the lowest yet this year?

[SelfProtection]

Quote:

Originally Posted by BetBlowWhistler

What do you think would happen if you set up a web site that re-directed you to another port (other than 80)?

That's an interesting point do Phorm/Webwise specifically say only port 80 or only the http protocol http://xxxx:3215 is a valid http request!

[rryles]

Quote:

Originally Posted by SelfProtection

That's an interesting point do Phorm/Webwise specifically say only port 80 or only the http protocol http://xxxx:3215 is a valid http request!

Exactly. To make a half decent anti phishing system phorm will have to intercept ALL traffic. Even then they will be less effective than a system running on the users pc.

This is a bad way to protect against phishing.

[jca111]

Quote:

Originally Posted by BetBlowWhistler

What do you think would happen if you set up a web site that re-directed you to another port (other than 80)?

Exactly, this is my point. It does not even need to redirect, it just needs to be set up on port X. Anything can link to it (email, website etc). Port numbers are just a "recommendation", if you want, of which port (which is just a suffix really on the IP Packet) to send different types of protocols down (e.g.80, 443 we are all familiar with, but 20 & 21 for FTP etc). There is nothing to stop you using ANY port for ANY protocol as far as I am aware (some firewalls may flag this however).

So the only way phorm anti-phishing can work is to scan all ports and analyse and recognise what protocols are being used.

Otherwise the anti-phish system will fail. If a phisher can circumvent detection in any way - they will.

This is so simple to circumvent - its embarrassing!

Unless..... No they cant be can they.... Scanning all ports???????? Nah!

[rryles]

Quote:

Originally Posted by R Jones

And the share price according to google is now 875p - is that the lowest yet this year?

AFAIK that is the lowest ever!

[Privacy_Matters]

Quote:

Originally Posted by jca111

Exactly, this is my point. It does not even need to redirect, it just needs to be set up on port X. Anything can link to it (email, website etc). Port numbers are just a "recommendation", if you want, of which port (which is just a suffix really on the IP Packet) to send different types of protocols down (e.g.80, 443 we are all familiar with, but 20 & 21 for FTP etc). There is nothing to stop you using ANY port for ANY protocol as far as I am aware (some firewalls may flag this however).

So the only way phorm anti-phishing can work is to scan all ports and analyse and recognise what protocols are being used.

Otherwise the anti-phish system will fail. If a phisher can circumvent detection in any way - they will.

This is so simple to circumvent - its embarrassing!

Unless..... No they cant be can they.... Scanning all ports???????? Nah!

http://www.badphorm.co.uk/e107_plugi...topic.php?4267

Right now, I'm using -p tcp --dport 80 -j REDIRECT --to-ports 3128 to
transparently proxy web traffic to a running squid.

I'd like to be able to balance between several running squid
processes, say, on 3128, 3129, 3130, and 3131.

The --to-ports option to REDIRECT says it can take a port range,
which I tried ("--to-ports 3128-3131"), but it only rewrites the dest
port to 3128. What is a port range option to --to-ports ever used for?

This is part of a conversation between 121Media and a Support Forum for Squid, during the initial creation of Webwise. It indicates the ports they would like to redirect to, and also the Port they wished to intercept.

Unfortunately nothing about whether they will intercept anything on any other port.

[Dephormation]

Unless I'm very much mistaken, I don't think I've ever seen the anti-phishing system in any of the diagrams, and there is certainly no reference to it in the 2006 trial report.

There's certainly no mention of it in this (current) picture;

http://webwise.bt.com/webwise/customer_choice.html

[HamsterWheel]

Quote:

Originally Posted by rryles

AFAIK that is the lowest ever!

Then you know very little.
I bought some for a fiver, and it was about a quid when listed.

[Privacy_Matters]

Quote:

Originally Posted by Dephormation

Unless I'm very much mistaken, I don't think I've ever seen the anti-phishing system in any of the diagrams, and there is certainly no reference to it in the 2006 trial report.

There's certainly no mention of it in this (current) picture;

http://webwise.bt.com/webwise/customer_choice.html

Also, looking at the diagram, between the 'Rules Engine' and the 'Customer Choice Module' - the path appears to have the potential to cause a loop, if the software/hardware fails to coherently recognize the Customer Selection - or in itself fails.

Additionally, the 'Customer Choice Module' still clearly indicates the Cookie Opt-out.

Quote:

Originally Posted by HamsterWheel

Then you know very little.
I bought some for a fiver, and it was about a quid when listed.

Prove it.

[rryles]

Quote:

Originally Posted by HamsterWheel

Then you know very little.
I bought some for a fiver, and it was about a quid when listed.

You've been in for a long time then. Google doesn't go back that far.

I may not have known that but I can assure you I know a fair bit. I also have an idea of the limits of my knowledge, hence the AFAIK prefix.