Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[AlexanderHanff]

Quote:

Originally Posted by R Jones

1. Website cookie forging by Webwise/Phorm remains murky and unexplained by Phorm - who gave anyone permission to forge a cookie purporting to come from one of my registered domains? I withhold consent for BT/Phorm to use the domain names of my sites within any cookie set by Webwise.

A: Webwise cookies are clearly associated with the Webwise service. Where a website uses cookies, we prefix the Webwise UID (unique ID, a random number) to a cookie coming from the website. It is clear in this cookie at what point the Webwise UID starts and the domain cookie stops (and vice versa). Where cookies are not used by a website, only the Webwise UID is placed into a new cookie which will be associated with the domain of the website being visited. In both cases, the Webwise UID element of the cookie is clearly labelled so as to be associated with the Webwise service.

Completely ignored your question and your concerns. Altering an existing cookie from a domain without permission could be seen to infringe Copyright, Designs and Patents Act 1988 as well as Computer Misuse Act 1990 and Fraud Act 2006. Creating a new cookie because a domain does not issues cookies, is almost definitely a violation of Fraud Act 2006 as explained by Dr Richard Clayton at the PIA public meeting.

Quote:

2. In response to your question this week - whether or not you are liable to prosecution if you visit websites like Amazon etc....

A: Any user who has consented to taking the BT Webwise service will not make any unauthorised use of a website as a result of taking the Webwise service. BT has carefully considered the privacy and legal issues arising from the BT Webwise service and we are confident that operating the service does not lead to issues for our users in this regard.

Nicholas Bohm is currently looking into this issue after I raised my concerns with him on the subject of complicity. It would seem likely that if the system is illegal, knowingly opting into that system and then initiating an unauthorised interception by communicating with a web site who have denied consent, that the user would be complicit and guilty of incitement.

Quote:

3. In response to your question yesterday regarding the legality of Webwise/Phorm following the publication of the latest FIPR report and the forthcoming trial dates.....

BT and Phorm have sought extensive legal advice over the last two years and been in regular contact with both the ICO and Home Office. I am sure you have seen their recent statements also. We have also reviewed the FIPR report. BT is, of course, aware of the legal requirements regarding interception of communications under the Regulation of Investigatory Powers Act 2000. We consider that the steps we are taking will meet the legal requirements of RIPA and also ensure that customers are able to take a fully informed decision as to whether to take the service (it will be optional and customers will have a clear choice). Furthermore we are confident that Webwise/our approach conforms with other relevant UK laws.

We will commence trialling BT Webwise shortly and have committed to providing at least 24 hours notice prior to commencing the trial. We will do this via the BT forums etc.. Rest assured it is not unusual for trial/launch dates to change.....

An outright lie. It has been confirmed by the Home Office and ICO that neither BT nor Phorm have communicated with them prior to January this year. Also, they have yet again left themselves wide open for liability with regards to the 2006/2007 trials in saying they believe the steps they "are taking" will be compatible with RIPA as opposed to saying the system is currently and always has been compatible with RIPA.

Basically, their entire reply is nothing but a charade.

Alexander Hanff

Quote:

Originally Posted by AlexanderHanff

Basically, their entire reply is nothing but a charade.

Alexander Hanff

The senior managers at BT are, to all intents and purposes, smoking their own dope.



Hank

[Rchivist]

Quote:

Originally Posted by AlexanderHanff

snip
Basically, their entire reply is nothing but a charade.

Alexander Hanff

I had a feeling you'd be underwhelmed.

[JHM]

Alexander and Robert

Thanks for your explanations regarding my post #4851, much appreciated.

John

[davidb24v]

Quote:

Originally Posted by Chroma

RE: Secure banking.

...

Ok so maybe im scaremongeing and just a touch sarcastic and upon rereading it, I seem to descend entirely into paranoid drivel and sheer tinfoil hattery.
But the simple fact is that monitoring SSL and https isnt nessisary to gain some seriously sensitive information on a person that could be used to his or her detriment.

Excellent

But I think you've missed that Man In The Middle can and does know what encrypted data was transferred to your machine when you went to your bank's login page. That page is (if it's like my bank's) full of "we is teh secure" logos + the usual corporate graphic identity crap. That's a damn good start to cracking an SSL session key which is why people who know worry about MITM attacks. The best way to crack any kind of crypto is to have an example of what the answer was. Every session may be "unique" (within the limits of finite integers) but if you have that level of access to a version of the answer then maybe it wouldn't be that hard. History shows that, very often.

Pick two places in the world where I would go to get some serious maths (of the crypto kind) done...

My bank told me to contact my ISP if I had any privacy concerns. My credit card company didn't even bother to respond to my secure message. Not naming any names but let's just say I think that Smile and Egg are a bit thick when it comes to stuff like this.

Dave

[ceedee]

Quote:

Originally Posted by R Jones

Quoting communications with a BT exec:
2. In response to your question this week - whether or not you are liable to prosecution if you visit websites like Amazon etc....

A: Any user who has consented to taking the BT Webwise service will not make any unauthorised use of a website as a result of taking the Webwise service. BT has carefully considered the privacy and legal issues arising from the BT Webwise service and we are confident that operating the service does not lead to issues for our users in this regard.

I wonder if it might rattle BT's corporate cage if you asked them to publicly indemnify all consenting BT Webwise users should any legal proceedings be started against them? (Although if I remember correctly, you cannot enforce an indemnity against an illegal action?)

If nothing else, it might get somebody to evaluate the potential legal liability should all BT's privacy and legal research be overturned...

[AlexanderHanff]

OK Update on the video. I just had a very long phone call with Simon who was good to his word and phoned me back. He assures me he is on the case with regards the video and we should have some official statement on it soon.

Alexander Hanff

[Rchivist]

Quote:

Originally Posted by ceedee

I wonder if it might rattle BT's corporate cage if you asked them to publicly indemnify all consenting BT Webwise users should any legal proceedings be started against them? (Although if I remember correctly, you cannot enforce an indemnity against an illegal action?)

If nothing else, it might get somebody to evaluate the potential legal liability should all BT's privacy and legal research be overturned...

The next question to follow up BT's answer on this one is along the lines of:..
"I showed your answer to website TOUGHGUYdotCOM and they said they specifically forbid me to visit their site and they also specifically forbid you to use their domain name in their cookie,and they said there was a notice to that effect on their site, and that if they saw me anywhere near their site with my Webwise rubbish, they'd sue the kilobytes off both me and my *!X$*|**! ISP - is it still safe to visit that site while signed up to Webwise?"

They amaze me - they seem to think that if they say it's legal then everything is okay no matter what any other party thinks.

[mark777]

If they thought it was legal, they would be running the trial now.

One day, with all the cut and paste going on, they will make a mistake and send something out with all the legal/PR comments included.

[CaptJamieHunter]

Has anyone seen or mentioned http://www.theregister.co.uk/2008/04...rial_ad_firms/ yet?

"The Anti-Spyware Coalition has launched a review of Phorm, NebuAd, and other behavioral targeting firms that track user data from inside the world's ISPs.

Today, the ASC - a collection of anti-spyware companies, academics, and various consumer advocates - announced a new internal working group to decide how Phorm and the Phormettes will affect the organization's overarching policies on spyware....

[snip]

Phorm hasn't officially rolled out its service, but it has agreements with BT, Carphone Warehouse, and Virgin in the UK (though Virgin insists this does not mean it will actually use the service). Carphone has said it will ask for user consent before turning Phorm on, but the others have not. In 2006 and 2007, Phorm conducted trials on BT's network without telling customers diddly."

[mark777]

I think Alexander has discussed it on Badphorm. There is also a 'related link' on the recent BBC pages to the Anti-spyware coalition.

ISP-in-the-middle attacks must be very fertile ground for them!

[Paddy1]

Quote:

Originally Posted by CaptJamieHunter

BT (or any ISPs who sign up to Phorm) will have no access to the Phorm equipment.

I've been wondering about this. Why are BT et al allowed no access to the software running on the phorm box(s)?

From what we have been led to believe, all they are doing are some cookie placement, 307 redirects, ad placement and profiling of pages visited.

Cookies... duh!

307 redirects are a standard HTTP protocol mechanism.

Ad placement is just placing a pic in a given box based on a randomised or prioritised queue.

Profiling involves (from what I remember) removing chaff and generating a list of the most commonly used words on the page that was browsed and then categorising it.

None of this requires any commercially sensitive algorithms or coding. The whole system is actually pretty simple and I could probably have a good stab at writing it in a few hours.

There is NO reason why phorm could not supply the software to the ISPys in source code format and allow them to inspect the code and build and deploy it themselves.

Why the secrecy?

Why the apparent willingness of the ISPy network engineers to jeopardise potentially their careers and possibly time at her nibs's pleasure or loss of serious pocket money of the managers in allowing it?

I think we should be told.

[CaptJamieHunter]

Quote:

Originally Posted by Paddy1

I've been wondering about this. Why are BT et al allowed no access to the software running on the phorm box(s)?

From what we have been led to believe, all they are doing are some cookie placement, 307 redirects, ad placement and profiling of pages visited.

Cookies... duh!

307 redirects are a standard HTTP protocol mechanism.

Ad placement is just placing a pic in a given box based on a randomised or prioritised queue.

Profiling involves (from what I remember) removing chaff and generating a list of the most commonly used words on the page that was browsed and then categorising it.

None of this requires any commercially sensitive algorithms or coding. The whole system is actually pretty simple and I could probably have a good stab at writing it in a few hours.

There is NO reason why phorm could not supply the software to the ISPys in source code format and allow them to inspect the code and build and deploy it themselves.

Why the secrecy?

Why the apparent willingness of the ISPy network engineers to jeopardise potentially their careers and possibly time at her nibs's pleasure or loss of serious pocket money of the managers in allowing it?

I think we should be told.

I've mentioned before how as an IT professional I find it offensive and unacceptable that anything on my network's internal infrastructure should not be accessible to me to monitor, manage, report and audit. If I (and others who've commented on this aspect) are as aghast as we are then how the hell are ISPs falling for the "You can trust us" approach?

Everything on a network infrastructure has to have an audit trail or changelog of some description. It's basic management stuff. By allowing an alien presence on your network the ISP is leaving itself wide open to abuse by Phorm (or whoever the provider is) which it cannot track or do anything about.

It all comes back to the keywords of openness, honesty and transparency.

Let's rearrange that into Honesty, Openness and Transparency. The HOT test. We could add Respect into the mix and make it the THOR test. Personally I don't like the way the word "respect" has been twisted in common parlance, so I'll stick with the HOT test.

And right now I don't think Phorm gets anywhere near passing the HOT test.

[Paddy1]

Quote:

Originally Posted by CaptJamieHunter

I've mentioned before how as an IT professional I find it offensive and unacceptable that anything on my network's internal infrastructure should not be accessible to me to monitor, manage, report and audit. If I (and others who've commented on this aspect) are as aghast as we are then how the hell are ISPs falling for the "You can trust us" approach?.

Excuse me Mr. ISP. Can I put my box right in front of your pipe and you just give it all to me! i promise you'll have lots of money.

(Apologies for the crude euphemism but it just fits so well)

((Damn! ))

Quote:

Originally Posted by CaptJamieHunter

Everything on a network infrastructure has to have an audit trail or changelog of some description. It's basic management stuff. By allowing an alien presence on your network the ISP is leaving itself wide open to abuse by Phorm (or whoever the provider is) which it cannot track or do anything about.

I wouldn't allow it, if I was in charge of a major public network infrastructure. (any jobs going in that area yet? )

[bigsanta11]

http://www.phormdesign.co.uk/
[img]Download Failed (1)[/img]


http://www.phorm.com/
[img]Download Failed (1)[/img]