Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[warescouse]

Quote:

Originally Posted by bluecar1

my post was relevant as it pointed out that due to phorm not storing PII type information it was not suitable for that application of the technology, so that that avenue of conversation was cut off

peter

Sorry Peter, I was writing my post as you must have been typing yours. It was not aimed at your post.

[Dephormation]

Quote:

Originally Posted by SimonHickling

To that end does anyone have any links to BT or Phorm material where it states that a copy of the web page is made / kept?

Hi Simon, I could have given you this quote too;

http://webwise.bt.com/webwise/customer_choice.html

Quote:

Data Mirror

• The data mirror makes a copy of the user's request as it passes through to the Internet. This copy is forwarded to the Profiler and Anonymizer.
• Only opted-in traffic is mirrored

And by opted-in traffic, they mean from the user pov not the server pov. But obviously, don't say so.

And just in case you need to know where to send the Notice of Legal Action;

Quote:

Other notes

• All equipment is owned by BT and located within BT data centres.

[bluecar1]

Quote:

Originally Posted by Dephormation

snip

And just in case you need to know where to send the Notice of Legal Action;

Quote:

and what about the opt-in/out server run by phorm sat at gyron??

[SimonHickling]

Quote:

Originally Posted by Dephormation

Hi Simon, I could have given you this quote too;

http://webwise.bt.com/webwise/customer_choice.html



And by opted-in traffic, they mean from the user pov not the server pov. But obviously, don't say so.

And just in case you need to know where to send the Notice of Legal Action;

Interesting that only the user's request is mirrored and not the response from the server. Or are they misunderstanding how HTTP works. I assume that it's actually both the request and the response which are mirrored, but it might be worth checking - we might be getting in a lather over nothing

Or are they relying on misinformed consent?

[warescouse]

Quote:

Originally Posted by SimonHickling

Interesting that only the user's request is mirrored and not the response from the server. Or are they misunderstanding how HTTP works. I assume that it's actually both the request and the response which are mirrored, but it might be worth checking - we might be getting in a lather over nothing

Or are they relying on misinformed consent?

I would interpret 'user's request' to include the serviced request data from the server that is mirrored and profiled. Phorm surely would need to 'see' and mirror this data to eventually show the http page containing the Phorm/Webwise adverts.

[AlexanderHanff]

OK let me just clarify something here. The page that you request from the server is mirrored irrespective of whether or not you are opted in opted out or shaking it all about. Kent made this clear at the PIA meeting as does Dr. Richard Clayton's analysis if I remember correctly. The only difference is if you have an opt-out cookie or you have the domain blocked for cookies that data is not passed to the channel server, it still goes through the profiler.

I wouldn't pay a great deal of attention to what is on the WebWise page as it is likely to be a bunch of bs given that they are not going to explain the "technicalities" to "mere customers" because you see, if you remember correctly, we are all too stupid to understand such complex systems.

Alexander Hanff

[warescouse]

Quote:

Originally Posted by AlexanderHanff

..cut

I wouldn't pay a great deal of attention to what is on the WebWise page as it is likely to be a bunch of bs given that they are not going to explain the "technicalities" to "mere customers" because you see, if you remember correctly, we are all too stupid to understand such complex systems.

Alexander Hanff

I'm not convinced BT really understands what is going on either!

[Deko]

BT and understand should not be used in the same message.

[Privacy_Matters]

Steve Gibsons Security Now! Podcast (151) is available at the link below:

http://twit.tv/sn151 (This Week In Tech TV)

Running time: 1:46:37

additionally mp3 available to download on this site

EDIT: More to come again in another 2 weeks

EDIT2: Phorm starts just after halfway, with small intro at the start

[Dephormation]

Quote:

Originally Posted by Privacy_Matters

Steve Gibsons Security Now! Podcast (151) is available at the link below:
http://twit.tv/sn151 (This Week In Tech TV)

Awesome. Just awesome. Break it to the audience gently why don't you Steve.

[Privacy_Matters]

Quote:

Originally Posted by Dephormation

Awesome. Just awesome. Break it to the audience gently why don't you Steve.

have requested permission to use images for links to the Podcast. I will advise of the result when reply received.

[phormwatch]

Quote:

Originally Posted by AlexanderHanff

Believe me I have tried and still am trying to do this but he is incredibly difficult to get hold of, all emails get standard auto responses and phone messages go un-answered.

I was given a contact in the HoC who may be able to contact him and I sent them an email yesterday so lets hope that works out.

Alexander Hanff

Have you tried contacting his campaign people?

contact@daviddavisforfreedom.com

http://www.daviddavisforfreedom.com/

[icsys]

Quote:

Originally Posted by bluecar1

the much talked about anti-phishing in webwise is about to take another one on the chin, due to the delays getting the trial out the natural course of upgrades has seen the Beta 2 of IE8 coming out

see http://www.theregister.co.uk/2008/07..._enhancements/

to quote

***********
Microsoft has detailed a raft of security improvements due to appear in Internet Explorer 8. The second beta of Redmond's web browser will be packed full of features designed to thwart phishing and drive-by download attacks, Redmond explained on Wednesday.

***************
so what use will webwise anti phishing be now with this and FF3 out????

come on phorm give up the pretense that the anti phishing will be of use, fess up it is just a smoke screen to hook gullible punters who do not know what their system are already capable of, who you have not given the full facts to, to opt-in to your spyware

peter

We all know that the anti-phishing' part of webwise is a complete red herring and seen as a bolt-on to sell the technology to the unsuspecting public. Here's the proof that it is a red herring and smoke screen...

PECR states certain provisions relating to the processing of traffic data under regulation 7:-

Regulation 8 (2) Processing of traffic data in accordance with regulation 7 shall be restricted to what is required for the purposes of one or more of the activities listed in paragraph (3) and shall be carried out only by the public communications provider or by a person acting under his authority.

(3) The activities referred to in paragraph (2) are activities relating to -

(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud;
(d) the marketing of electronic communications services; or
(e) the provision of a value added service.

A,B,C,and D don't apply to webwise, so you see, some form of 'value added service' had to be stuck on to 'attempt' to comply with PECR
That is why the 'anti-phishing' is being pushed so much.

But even so, webwise 'still' falls foul of the regulations because it still does not collect explicit informed consent.

PECR explanatory notes...
Regulation 6 provides that an electronic communications network may not be used to store or gain access to information in the terminal equipment of a subscriber or user ("user" is defined as "any individual using a public electronic communications service") unless the subscriber or user is provided with certain information and is given the opportunity to refuse the storage of or access to the information in his terminal equipment.

Regulations 7 and 8 set out certain restrictions on the processing of traffic data relating to a subscriber or user by a public communications provider. "Traffic data" is defined as "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication". "Public communications provider" is defined as "a provider of a public electronic communications network or a public electronic communications service".

[Phormic Acid]

Quote:

Originally Posted by AlexanderHanff

OK let me just clarify something here. The page that you request from the server is mirrored irrespective of whether or not you are opted in opted out or shaking it all about. Kent made this clear at the PIA meeting as does Dr. Richard Clayton's analysis if I remember correctly. The only difference is if you have an opt-out cookie or you have the domain blocked for cookies that data is not passed to the channel server, it still goes through the profiler.

All accessible web traffic was originally going to be mirrored, although not passed right through the profiler.

Phorm launches data pimping fight back

So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?

Marc Burgess: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs.

However, this soon changed. The change has been restated a number of times, but I think the following quote represents the first time.

Phorm’s Answers (part3)

phail: Virgin and BT are both currently operating an OPT-OUT solution, which would mean all users are opted in by default, and even if they are opted out OUR data is mirrored on phorm servers, regardless of whether the data is used, you ARE collecting it.

KentErtugrul: When a user opts out, the system is OFF. There is no data collection at all

The 18 May amendment to Richard Clayton’s analysis does include this, as one of the updates provided by Phorm.

The Phorm “Webwise� System

Phorm also say that “in many ISP implementations (all of the UK ones for instance)â€ÂÂ� the mirroring system described in paragraph 2 above, can be set to only mirror the traffic of users who have a valid UID. Thus the traffic of those who have the “OPTED OUTâ€ÂÂ� cookie (or are cookie-disabled) is not mirrored and does not reach the out-of-band machine.

Even without any Phorm-provided equipment, ISPs already rummage through your HTTP headers. They need to record the host names in all the URLs you access, to comply with the Home Office Voluntary Code of Practice on Data Retention.

[AlexanderHanff]

Quote:

Originally Posted by phormwatch

Have you tried contacting his campaign people?

contact@daviddavisforfreedom.com

http://www.daviddavisforfreedom.com/

Yeah just automated responses, but I have his private email address now so I will give that a try, been a bit busy this afternoon.

Alexander Hanff

---------- Post added at 17:40 ---------- Previous post was at 17:33 ----------

Quote:

Originally Posted by icsys

We all know that the anti-phishing' part of webwise is a complete red herring and seen as a bolt-on to sell the technology to the unsuspecting public. Here's the proof that it is a red herring and smoke screen...

PECR states certain provisions relating to the processing of traffic data under regulation 7:-

Regulation 8 (2) Processing of traffic data in accordance with regulation 7 shall be restricted to what is required for the purposes of one or more of the activities listed in paragraph (3) and shall be carried out only by the public communications provider or by a person acting under his authority.

(3) The activities referred to in paragraph (2) are activities relating to -

(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud;
(d) the marketing of electronic communications services; or
(e) the provision of a value added service.

A,B,C,and D don't apply to webwise, so you see, some form of 'value added service' had to be stuck on to attempt to comply with PECR
That is why the 'anti-phishing' is being pushed so much.

Nooo, even then it does not comply with PECR. Firstly 3e does not remove the requirement of explicit informed consent. Secondly WebWise is a completely seperate entity to the OIX platform, so even if they managed to palm off some value added service for WebWise (the anti-phishing) it -still- doesn't cover them for the behavioural profiling for OIX which has nothing to do with the Anti-Phishing and is purely a commercial venture based around advertising.

Why are so many people seeming to try and make excuses for Phorm/BT today? We need to stop second guessing ourselves here folks otherwise any new readers are going to think there is some doubt over whether or not it is illegal, let me make it very clear there is no doubt whatsoever that without consent this technology is ILLEGAL. Myself and other more qualified experts have very thoroughly analysed the law on these issues months ago and there are no grey areas.

Alexander Hanff