Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[fidbod]

Pete,

please can you explain how the CDR tool you created works?

In particular what data does it capture UID, IP etc

and what level of oversight does it give a website owner? Can it tell you only if your site has been visited by a phormed IP or can it tell you which pages within the website have been visited and number of unique visits by the phormed IP?

I have chased up my MP on Phorm - Kate Hoey. However I think the complaint to the EU has definitely got legs.

Pete, do you agree with this?

In the third paragraph of the letter from the EU Commission:

In particular Member States are to ensure the confidentiality of communications and related traffic data through national legislation. They are required to prohibit interception or surveillance of communications and the related traffic data by persons other than the users without the consent. Traffic data may only be processed for certain defined purposes (eg billing) and for a limited period. The subscriber must be informed about such processing. Additional processing requires anonymisation or prior consent of the subscriber or user.

Clearly this means that in the BT trial of the DPI kit/system from Phorm, the lack of BT to inform their customers was wrong, because it was not in the Ts & Cs given by BT beforehand.

Secondly, the internal paper leaked from BT showed "additional processing" was taking place (changing the web page content - the charity advert swap). So because the subscriber or user gave no prior consent, BT was wrong there too.

So, with regard to interception of customer internet data streams in 2006 and 2007:

"The commission will continue to follow this case and take approriate action, should the need arise, to ensure that the relevant EU law is effectively implemented by the UK authorities on this matter"

If the police don't investigate (which I think we have now solidly identifed is the requirement under the RIPA issue) then our next course of action is to use the EC formal complaint process to lodge against our member state's inaction.

Agreed?

Awaiting a response from our police service here. And awaiting a response to the report made by Alex to the police in London... Either of them actually doing something and passing their results to the CPS means we can hold off on the EC bit (as long as it goes into court - ref the points in the letter which state that the government here must have effective laws and must provide the resource to enforce them)

I've thought about progressing the EC complaint route now, but have decided in my case I will wait until I hear from the police (who have received my recorded delivery letter)

Hank
(PS - Thanks for typing/scanning your copy of the letter in!)

[pseudonym]

Quote:

Originally Posted by warescouse

It is a very good point you make and one that needs to be addressed. Rather than talk about the redirects and the shenanigans that goes on perhaps we should use more often simplified pictures show what is happening.

Something like http://en.wikipedia.org/wiki/Image:P...ie_diagram.png shown even more simplified (if possible) and compared side by side with a standard browser DNS request. The points can then be raised that these shenanigans can break HTTP applications, due to all the redirect requests and the cookie issues.

Compared side by side the original compared to the Phorm'ed connection would show a lot of extra overhead in the latter.

As can clearly be seen from the diagram, I'm no artist , but I did have a stab at a simplified version. I think what's really needed is an animation showing a web page request with and without phorming, however I still suspect a step could be missing in the information provided to Dr. Richard Clayton, so it may need updating.

[Rchivist]

Quote:

Originally Posted by Dephormation

Sure, should have included;

It was dated 16/07/2008

Reference details are INFSO/B-2/MP/fd D(2008)930170 A(2008)525835

It came from the European Commission Information Society and Media Directorate-General (Paraskevi Michou, Head of Unit).

Okay - MP informed. Thx.

[Ryewolf]

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

http://eur-lex.europa.eu/LexUriServ/...2L0058:EN:HTML

[Tarquin L-Smythe]

The question has to be asked if the BT legal bods looked into UK laws or if they considered the provisions as set out in EU law. maybe a swift nnnnotelet to EmEmEmma S may throw some light if she is answering of course .Hopefully the test case will be brought to court an those whom have failed to answer will have to under oath and I wonder if KE will have enough dosh to fuel the Mig.
Bob
thanks to Rob for the pm info

[gnilddif]

Quote:

Originally Posted by warescouse

Something like http://en.wikipedia.org/wiki/Image:P...ie_diagram.png shown even more simplified (if possible) and compared side by side with a standard browser DNS request. The points can then be raised that these shenanigans can break HTTP applications, due to all the redirect requests and the cookie issues.

That's very helpful, thanks warescouse.
Can someone explain how such shenanigans can break HTTP apps please? And why HTTP is particularly significant. Not just for me, a techno-semi-literate, but it would be useful detail to add in my enlightening letters to John Hutton and Shriti Vadera at BERR and my MP, and I don't wish to misinform, or only partially inform.
Is it possible to put clear links to, or the actual technical information of this nature, on a webpage that is easily accessed? Useful links on this thread easily get lost because it moves fast.
gnilddif

[Dephormation]

Quote:

Originally Posted by fidbod

Pete,

please can you explain how the CDR tool you created works?

In particular what data does it capture UID, IP etc

and what level of oversight does it give a website owner? Can it tell you only if your site has been visited by a phormed IP or can it tell you which pages within the website have been visited and number of unique visits by the phormed IP?

I have chased up my MP on Phorm - Kate Hoey. However I think the complaint to the EU has definitely got legs.

I'll release it as open source immediately once the trials start, but until then, I see no reason to give BT a head start... If it were a question of privacy protection of course I'd publish it instantly, without a moments hesitation.

The code produces accurate billing files for each ISP, subdivided according to the level of confidence that a given user was Phormed, and recording as much evidence as possible about IP address/host/UID cookies etc.

Because Copyright damages are civil, the standard of proof is balance of probability. If you have 10,000 hits/month from BT subscribers, and BT announce to advertisers that 75% of users are opted in to Phorm... that's 7,500 billable hits. Invoice them for 5,000 and they can't really object.

Bear in mind too BT are effectively actively attempting to conceal the Phorm UID, and evidence of copyright infringement. That won't do them any favours.

There is a criminal dimension to Copyright infringement, but that's a different topic.

Pete

---------- Post added at 12:21 ---------- Previous post was at 12:07 ----------

Oh rats, ink cartridge exhausted, ammunition depleted. Click, click, reload.

[D_Advocate]

Quote:

Originally Posted by Peter N

Check the Oxford English Dictionary before attempting to correct me on my spelling.

I did - hence my correction.

Quote:

How about posting something of merit - maybe something with actual content and a cogent argument to support you position?

You mean like your post to me ?

Quote:

It's plain to me that you have nothing to say that will add to these discussions and that your only reason for posting here is not because you are "Pro-Phorm" but because you are "Anti-Anti-Phorm".

Exactly - I thought I'd made that point clear.

Quote:

If you can't post something useful or relevent to this thread then you should start a new one.

I shall give your advice my most earnest consideration Peter - thank you.

D_A

[gnilddif]

Has anyone got an answer to this legal matter. Maybe it's been asked already, but I've not seen it.
As Chief Technical Officer in our family, I configure our systems to allow and deny access to sites, I expect to have the freedom to make my own decisions about any measures I wish to take, and I do not propose to use BT software. If I include certain Webwise/phorm/oix entries in the hosts file such that, because of the nature of the Webwise intercepts, all browsing is killed, as BT have warned might happen, do I have any legal redress against BT, because they are refusing me direct access to w3.directsiteaccessofmychoiceDITcom, something that I assume they are obliged to do as my ISP?
gnilddif

[pseudonym]

Quote:

Originally Posted by gnilddif

That's very helpful, thanks warescouse.
Can someone explain how such shenanigans can break HTTP apps please? And why HTTP is particularly significant. Not just for me, a techno-semi-literate, but it would be useful detail to add in my enlightening letters to John Hutton and Shriti Vadera at BERR and my MP, and I don't wish to misinform, or only partially inform.
Is it possible to put clear links to, or the actual technical information of this nature, on a webpage that is easily accessed? Useful links on this thread easily get lost because it moves fast.
gnilddif

One notable issue was discovered by a poster on Badphorm. It was pointed out that because phorm's system redirects the browser to a third party domain (webwise.net), the webwise.net cookie is in fact a third party cookie (see rfc2965).

Now Safari, Internet Explorer and Firefox do not treat such cookies as third party.

Opera however will block (neither send not accept) all cookies after a redirect to a third party domain occurs if the "accept only cookies from the site I visit" option has been enabled by the user. It will continue to block cookies until a user action occurs where the user can verify the domain requested - such as clicking on a link on the page (even if subsequently redirected back to the original URL).

This will result in the genuine website not being sent its cookies after a Phorm redirect, which will cause problems for users of Opera who block third party cookies. As Phorm's system would not be able to set its cookie it would blacklist such users for 30 minutes after each webwise redirect, but this would only serve to make the problem intermittent.


Another potential issue with some websites:-

Phorm will strip its forged cookies from http requests, but where a site also uses https it will receive these forged cookies. While this usually won't cause a problem, it would not be unreasonable for a web developer to expect only cookies set by his site to be present and write his code accordingly, so it is likely that some sites will not function correctly.

[fidbod]

Dear Kate Hoey,

I have written to you previously on the subject of the company Phorm and behavioral advertising more generally.

With a few notable exceptions (the Earl of Northesk, Don Foster MP) the apathy and inability to act decisively on this matter, demonstrated by the legislative and executive bodies of the UK government, is pathetic.

You will be aware that Viviane Reding, the EU commissioner with competence in this area, has expressed concerns over the failures of UK government to act.

Prior to pursuing a complaint against the UK government at a European level I would appreciate it if you could confirm the following for me.

1. Whether the file of evidence presented to the metropolitan police is under active investigation and the likelihood of a prosecution under RIPA.

2. If the UK government intends to address the failure of the ICO to act as an effective regulator? Information revealed through FOI requests clearly demonstrates that the office of the ICO has neither the technical aptitude nor the intention to be an effective regulator in this area. for the source material please refer to www.dephormation.org.uk

3. What reforms are intended to prevent the bureaucratic pass the parcel that the Police forces, ICO and the Home Office engaged in over this matter from reoccurring?



Yours sincerely,

Stuart

CC

Earl of Northesk
Don Foster MP
Sir John Stanley MP

[AlexanderHanff]

City of London Police not Metropolitan Police. Also CC Baroness Miller.

Alexander Hanff

[fidbod]

Quote:

Originally Posted by AlexanderHanff

City of London Police not Metropolitan Police. Also CC Baroness Miller.

Alexander Hanff

Thanks Alex, will do.

Quote:

Originally Posted by D_Advocate

I did - hence my correction.



You mean like your post to me ?



Exactly - I thought I'd made that point clear.



I shall give your advice my most earnest consideration Peter - thank you.

D_A

btw: It's 'relevant' not 'relevent'

The warning about off topic posts do actually apply to you also you have been warned the next time will be your last for a while anyway