Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[flowrebmit]

Quote:

Originally Posted by AlexanderHanff

You don't need to convince me of that I am in the process of writing a legal article about it.

Alexander Hanff

Sorry, I am now sure that I've misunderstood your earlier post, although I am not perhaps bright enough to work it out.

I think I was trying to say that I believe Virgin Media would be responsible for the wire-tapping of my data, because they agreed to the installation of the Layer 7 equipment and the web faking and data anonymising computers that would be used for the interception and processing.

Edit: I see lucevans posted while I was still (de)composing

[AlexanderHanff]

Quote:

Originally Posted by lucevans

I think that it's the layer 7 DPI kit that Phorm are going to "gift" to the ISP to get around the "none of your personal data is transmitted outside the ISP's network" issue. Once "anonymised" by the "anonymiser" hardware (?also gifted to the ISP by Phorm, and therefore allegedly still "inside" the ISP's network), the profile is then passed outside the ISP's network to the Phorm-owned ad channel server box (which could still be located physically inside the ISP's data centre, but is considered to be outside the ISP's network because it belongs to a third party). Apparently this final relay of data does not include the customer's IP address, so Phorm can claim that they receive no PII about the customer.

None of the above alters the fact that the interception, even if it's done by the ISP, is being done for reasons other than essential maintenance of the network, so is illegal within the terms of RIPA without explicit consent of both parties to the communication.

Yeah but my point was that in one of the PR "Questions and Answers" articles, Phorm state that the ISP have no access to the hardware, other than it physically being on their network. They have no access to the OS/other software running on the hardware.

Yes it is still interception.

Alexander Hanff

[lucevans]

Quote:

Originally Posted by AlexanderHanff

Yeah but my point was that in one of the PR "Questions and Answers" articles, Phorm state that the ISP have no access to the hardware, other than it physically being on their network. They have no access to the OS/other software running on the hardware.

So it all boils down to trust and accountability when things go tits-up. I personally don't trust a private company with a history in malware production to process my private data with any integrity whatsoever, and quite apart from that, I'm infuriated by their assertion that they somehow have a right to do so simply because it will be anonymised.

Just because you think that you have the capability to handle something that belongs to someone else safely doesn't mean you therefore have the right to.

Quote:

Originally Posted by lucevans

.

Just because you think that you have the capability to handle something that belongs to someone else safely doesn't mean you therefore have the right to.

Which is something our present government has been so bad at. If they can't get it right...

[AlexanderHanff]

I have added the following to the article based on my interpretation of the English version of the Computer Misuse Act 1990:

Quote:

The difference between the Scottish version of the Computer Misuse Act 1990 and the English version is that the English version requires the proof that the entity committing the illegal act has knowledge and intent of their actions, so it is often difficult to use the Act in England and Wales. However, on this occassion I believe it is possible to use the English version based on the following information from Section 3 of the Act:
3. Unauthorised modification of computer material
1. A person is guilty of an offence if-
(a) he does any act which causes an unauthorised modification of the con-
tents of any computer; and
(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.
2. For the purposes of subsection (1)(b) above the requisite intent is an intent
to cause a modification of the contents of any computer and by so doing-
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
or
(c) to impair the operation of any such program or the reliability of any such
data.
As we can see ss1.b specifies the need to prove intent and knowledge and if intent
can be proved then ss2.a and ss2.b become applicable (and possibly even ss2.c).
Using the same arguments as discussed with regards the Scottish version of the
Act, it is clear that the Layer 7 technology is being used to "hinder" access and the
process is impairing the network processes of the computer initiating the request
(customer).
The very fact that the Layer 7 technology exists on the network purely for
the purpose of Deep Packet Inspection and rerouting the communication to the
imposter server, should be enough to satisfy both intent and knowledge. The Layer
7 technology is intended to intercept and BT installed it with the knowledge that
this is exactly what it does. So in the case of the 2006/2007 trials, which we
have already established were unauthorised (thus satisfying ss1.a) and with the
information above satisfying ss1.b and ss2.a/ss2.b it would seem likely that the
trials were in breach of the Act

Alexander Hanff

[CaptJamieHunter]

Quote:

Originally Posted by AlexanderHanff

Yeah but my point was that in one of the PR "Questions and Answers" articles, Phorm state that the ISP have no access to the hardware, other than it physically being on their network. They have no access to the OS/other software running on the hardware.

Yes it is still interception.

Alexander Hanff

Which makes it, in my professional opinion, something I would not be prepared to tolerate on any network for which I was responsible. It's an alien, unknown quantity. Unable to be checked, monitored, managed and reported on.

[JackSon]

It seems this is trickling as high profile as slashdot now

-> http://yro.slashdot.org/article.pl?sid=08/04/04/208225

It is not anything new to us but I think this classifies as prominient coverage for the IT sector if nothing else (not to urinate on El Reg of course ).

Interesting, there is a 'related' news item listed on there that says US ISP's have been using DPI to intercept users communications - within the numbers of 100,000 customers. BT have been slacking compared to that

-> http://yro.slashdot.org/article.pl?sid=08/04/05/1232206

If you find yourself really bored, Alexander it seems there is always the option of braodening your article on US law regarding data interception, seems there are a few folk over there that may have been violated too. Once you've gotten really fed up on concentrating on our side of the pond first though Had first read of your paper today, wanted to let it build before I sampled it - really impressed, well done. Wish I was as passionate about a subject when I wrote my dissertation now.

Get this man some more coffee!

[AlexanderHanff]

Quote:

Originally Posted by JackSon

If you find yourself really bored, Alexander it seems there is always the option of braodening your article on US law regarding data interception, seems there are a few folk over there that may have been violated too. Once you've gotten really fed up on concentrating on our side of the pond first though Had first read of your paper today, wanted to let it build before I sampled it - really impressed, well done. Wish I was as passionate about a subject when I wrote my dissertation now.

Get this man some more coffee!

I am about to start on Trespass to Chattels (Torts (Interefence with Goods) Act) hope to have that finished tonight and maybe even the Fraud Act 2006 tonight as well. In fact I will probably start on the Fraud Act 2006 first, since it follows on directly from the explanation of the Layer 7 technology.

Alexander Hanff

[OF1975]

Another very short blog from the guardian today:

http://blogs.guardian.co.uk/technolo...nto_phorm.html

[Ravenheart]

I see Phorm have spun Richard Clayton's latest report, you know the one where he states

Quote:

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

You can see the Phorm spun post here: http://blog.phorm.com/?p=12

[Cobbydaler]

Quote:

Originally Posted by OF1975

Another very short blog from the guardian today:

http://blogs.guardian.co.uk/technolo...nto_phorm.html

Interesting point in the comments there:

Quote:

sandinista

Comment No. 1024974
April 2 11:43
Re Stratis Scleparis.
Not only did he move to Phorm after conducting the BT trial he also (this is from Phorms own site)
"held senior technology management roles with leading firms Orange UK plc (formerly Freeserve/Wanadoo), AOL Europe and the BBC."
That probably explains why the BBC have mostly just used Phorms publicity statements instead of carrying out real journalism.

Conspiracy theories, doncha just love 'em...

[JackSon]

Yes it's a bit cheeky that quote cropping. Also notice how they look forward to Richard posting more on his blog? Funny, kind of seemed they wanted the opposite regarding the comment they left on his blog about not publicising security concerns.

[OF1975]

Quote:

Originally Posted by Cobbydaler

Interesting point in the comments there:

Conspiracy theories, doncha just love 'em...

Woah. I have to admit that really does make me wonder now. The bbc have gone from almost ignoring the issue to then covering it but giving BT spokeswoman an easy ride. The more I learn about this the more I dislike it.

Having said that, I am really glad that Phorm did invite Dr Richard Clayton and Becky from ORG in so that we could finally get some of the answers to our questions on the technology although I note yet again nowhere is the issue of "research and debug logs" being stored for 14 days raised or explained. Debug logs dont worry me but that word "research" gives them a whole lot of scope.

Alexander if you do get to have a chat with Kent Ertugrul could you please raise this issue with him? I dont doubt the need for them to keep debug logs. I do, however, want to know precisely what data is stored in them and what research they are going to do with that data for the 14 days they store it.

[AlexanderHanff]

OK the article is really coming along now, so far I have covered:

1. European Convention on Human Rights (1950)
2. Human Rights Act (1998)
3. Regulation of Investigatory Powers Act (2000)
4. Privacy and Electronic Communications (EC Directive) Regulations 2003
5. Computer Misuse Act 1990 (both Scottish and English versions)
6. Fraud Act 2006

I still have to write about:

1. Torts (Interference with Goods) Act 1997
2. Copyright, Designs and Patents Act 1988
3. Data Protection Act 1998
4. The Council of Europe's Convention on Cybercrime

That will be the legal stuff finished I think which will then leave my conclusion. So far, I can only believe that the trials of 2006/2007 after careful analysis of UK Law were incredibly illegal, led to multiple criminal offences under multiple laws and leave BT open to litigation under Tort Law.

You can see the article so far on http://www.paladine.org.uk/phorm_paper.pdf

Alexander Hanff

[popper]

Quote:

Originally Posted by JohnHorb

If we don't stop this now.....

http://business.timesonline.co.uk/to...cle3688387.ece

WOW, that needs more than a simple link or people might forget it.

http://business.timesonline.co.uk/to...cle3688387.ece

Quote:

"
April 6, 2008

Experian to track net users



James Ashton


EXPERIAN, the credit checking company, is braving mounting concerns over internet privacy with plans to launch a service that will track broad-band users’ activity so they can be targeted with advertising.

Through Hitwise, the web-site company it acquired for £120m a year ago, Experian has held talks with internet service providers to sell its monitoring technology.

Observers expect it to compete in part with Phorm,...
"
"
However, the key difference is that Hitwise, which describes itself as an “online competitive intelligence service” would play little part in dispatching the advertising to web pages itself, something that Phorm does through its Open Internet Exchange.

“Hitwise is not in the online behavioural targeting business,” a spokesman said.
...
"
"
The company has recruiteda heavyweight board, including David Dorman, the former boss of AT&T and Christopher Lawrence, the vice-chairman of Rothschild.

Experian, once part of GUS, is best known for trawling public records and selling the data to banks and retailers."

again, you might be needing to read SurlyBonds old CRA thread there.

http://www.consumeractiongroup.co.uk...d-removal.html

Quote:

"Defaults - a proposed method for removal and the full template letter
Basic things to remember about this whole process:

a) Remember that the three Credit Reference Agencies (CRAs), Experian, Equifax and CallCredit were not constituted by an Act of Parliament. They hold no official Govt. power even though they like to think they do.

b) The CRAs are corporations who simply have the technology to store vast amounts of data and have been doing so for years.

c) The banks and lenders supply them with information about your accounts not because they are legally allowed to, but simply because YOU agreed to it via your contract.

d) CRAs are allowed to hold any data about you that is deemed in the public interest or in the public domain. Things like Bankruptcy Orders and Discharges, CCJs, IVAs, etc. are public information, and you cannot stop CRAs holding this information. You can ask them to mark them as settled, but they do have legal right to hold JUST these on their records because there are actual Laws that allow them to do so, and judges have signed the Orders in all these types of cases. However, agreement 'defaults' do NOT come under those Laws, unless they have been progressed to a CCJ, etc.

e) Civil contract details cannot be stored unless you agree in writing. The Data Protection Act states clearly that your account information is personal data and only you have the right to determine who may collate, process and disclose it.

f) When CRAs reply with “it’s our legal right” they are talking nonsense. The legal to which they refer is simply the ‘lawful right’ because you gave permission. That permission can be withdrawn at any time according to your rights under the Data Protection Act.
You can see more about this in the copy of the Experian letter also here in the sticky section, where thay actually admit that they have no legal authority and that there is no six year 'rule'.

g) You are also allowed to tell any Data Controller (a company that processes or stores your data) to cease to process your data in any fully-automated process. The Data Protection Act states quite clearly that this includes processes that e.g. “affect your creditworthiness”. The actual clause is in the template letter.

h) If you decide to opt-out of auto-processing, then you may opt back in again later.

i) To ask a Data Controller to do anything you want them to do, including requesting bank statements, you send what is called a Data Subject Notice – you are known in the Act as the Data Subject – i.e. the person to whom the data refers.

j) Data is anything on computer disk, paper, etc., that can identify you as a individual person. “all 34-year-old architects” is not personal data, but “Mr A N Other, a 34-year-old architect from 16 Acacia Avenue, Anytown, AnyPostalCode” is personal data as it can identify a particular person.”

k) Your contract and all transactions relating to the running and administration of your account is deemed your personal data, as these may be subsets referenced by an account number that, in turn, can be linked to you.

l) All Data Controllers have a duty to protect your data, and must hold a Data Protection Act licence (issued by the Information Commissioners Office) to hold and process data. However, this licence does not allow them to disclose data without your express written permission – it is a criminal offence to do otherwise, except for reasons of national security, taxation, health, etc.

There is loads more on the Data Protection Act specifics and I might edit and add to this post as time goes by. The above is to give you the basics and the understanding of how to use this in the method below.
....
.....
"