04-05-2008, 01:56
|
#5626
|
Inactive
Join Date: Jun 2003
Services: The wonders of Sky TV BT line and Aquiss.net ADSL cable dies on 5th RIP VM.
Posts: 4,004
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
On ISPreview we have normally told them, if they have a link in an email and they don't know the sender, to copy and paste the URL into Notepad. If it was made to look like eBay, this would show if it had a redirect to an http number instead of ebay.co.uk. Works on any link in an email to see what you are clicking on.
|
|
|
04-05-2008, 02:01
|
#5627
|
Inactive
Join Date: Apr 2008
Posts: 76
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by Chroma
I mean the BT/PHORM equipment generates a random UID that it assigns to me.
The Carphone/PHORM equipment would do the same, and unless there was direct communication between the two ISPs' equipment then neither cookiemongler would know which UIDs were already in the system.
Doesn't this pose a significant problem for the actual database?
I mean a database frankly goes into meltdown when two unique keys are the same for two different tables (unless there's a secondary key to differentiate)
|
The UID is 128 bits long; Phorm could use a few of those bits to uniquely identify each specific device and use an incrementing count rather than being truly random. However, with 2^128 permutations it is quite likely that they won't worry about it. The worst that could happen if you share a UID is that you will share the one profile, so the adverts won't be quite so relevant. If a website doesn't appreciate being exploited by Phorm, it could change the UID in the tracking cookie for their own domain, potentially polluting someone else's profile with your browsing of their site anyway.
|
|
|
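The two allocation schemes the post above contrasts, as an added example that is not part of the thread: fully random UIDs against a device prefix plus an incrementing counter. The device-field widths, the four devices and the 10^8 user figure are assumptions, and the collision demo is shrunk to 16 bits so that duplicates are observable.

```javascript
// Added example, not from the thread. Field widths, device count and the
// 1e8 user figure are assumptions chosen for illustration.

// Birthday bound: P(any collision) = 1 - exp(-n(n-1) / 2^(bits+1)).
// expm1 keeps precision when the probability is tiny.
function collisionProbability(bits, n) {
  return -Math.expm1(-(n * (n - 1)) / Math.pow(2, bits + 1));
}

// Scheme 1: each device draws the whole UID at random. The rng is injected
// so the demo is repeatable; only suitable for the small demo widths below.
function randomAllocator(totalBits, rng) {
  const space = Math.pow(2, totalBits);
  return () => BigInt(Math.floor(rng() * space));
}

// Scheme 2: the top deviceBits name the issuing device, the rest is a counter.
function partitionedAllocator(deviceId, deviceBits, totalBits) {
  const counterBits = BigInt(totalBits - deviceBits);
  const prefix = BigInt(deviceId) << counterBits;
  const limit = 1n << counterBits;
  let counter = 0n;
  return () => {
    if (counter >= limit) throw new Error("counter space exhausted");
    return prefix | counter++;
  };
}

// Issue perDevice UIDs from every allocator; count UIDs handed out twice.
function countCollisions(allocators, perDevice) {
  const seen = new Set();
  let collisions = 0;
  for (const next of allocators) {
    for (let i = 0; i < perDevice; i++) {
      const uid = next().toString(16);
      if (seen.has(uid)) collisions++;
      else seen.add(uid);
    }
  }
  return collisions;
}

// mulberry32: small seeded PRNG, used only to make the demo deterministic.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function demo() {
  const rng = mulberry32(2008);
  const devices = [0, 1, 2, 3];
  return {
    random16: countCollisions(devices.map(() => randomAllocator(16, rng)), 1000),
    partitioned16: countCollisions(devices.map((d) => partitionedAllocator(d, 2, 16)), 1000),
    random128: collisionProbability(128, 1e8),
  };
}
```

In the shrunken 16-bit space the random scheme hands out duplicates while the partitioned one cannot; at 128 bits the random scheme's collision probability for 10^8 users is on the order of 10^-23.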
04-05-2008, 02:09
|
#5628
|
cf.addict
Join Date: May 2008
Posts: 133
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by 80/20Thinking
I'd appreciate the opportunity to make a few comments about the broader perspective here, while also conducting a little expectation management regarding the PIA.
I mentioned at the start of the public meeting that tectonic shifts are occurring in the online environment. Many of you will know these shifts well. Microsoft makes a play for Yahoo, while Google acquires DoubleClick, capturing more than half the ad potential of the Web. Yahoo responds by cutting a deal with Google. Meanwhile, Time Warner through advertising.com via AOL launches a rival global ad platform.
Meanwhile, back in the EU, the national privacy commissioners, tired of missing the boat on online issues, raise the privacy bar via the Article 29 Group to drive a wedge through the ad space market and lay down an unprecedented set of demands that could, who knows, spark a mini trade war between the EU and the US.
There's about $20 billion up for grabs in ad space margins, which accounts for much of this activity. That accounts for the existence of Phorm, as it accounts for its rival platforms along with the consolidation spree you read about every day.
At the moment I'm trying to come to terms not just with these tectonic shifts within industry, but also the extraordinary chasm that is opening up between the ad market and the new regulatory regime. Phorm accounts for a very small part of that vast picture. Every week I speak with people from each of the key online corporations and the regulators in an attempt to understand where this is taking us as consumers.
Enter the PIA into this equation. Please do not make the mistake of believing that the PIA is likely to be either judge or white knight. It is merely a process that will lead, we hope, both to greater clarification and to a better outcome for consumers. Neither it nor 80/20 carry any legal standing whatever. Our role is not to sit in judgment, but to set out facts. We cannot "set matters right", but we can make recommendations for reform. The market or the courts may decide the ultimate outcome in whatever field we explore.
I can't be the "hero" some of you would like me to be - at least, not as a result of doing a PIA. You may feel confident about some of the points I will make, but you may also be disappointed that some of my observations will be set against those tectonic shifts I mentioned earlier.
Simon
|
Thank you for this clear statement Simon.
So if I read this correctly, what you are really saying, reading between the lines, is that we need to start using VPNs & SSL encryption and find a safe harbour with strong privacy laws for our Internet pipe to come out of? Somewhere like the former communist country "East Germany" where they built up a healthy fear of the brutal Stasi secret police and their all-seeing eyes.
regards
|
|
|
04-05-2008, 02:53
|
#5629
|
Inactive
Join Date: Apr 2008
Posts: 133
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
I'm sorry if I'm being overly cynical, but I'm looking at my choice of hats and have selected the tinfoil one.
8020 Advisory group contains: Ray Stanton, Global Head of Business Continuity, Security & Governance, BT plc
So, Phorm, pioneered by BT plc have paid an auditing company to green light its system when that company also has a high level BT plc employee as an advisor.
Anyone else see a major problem here?
|
|
|
04-05-2008, 04:19
|
#5630
|
Inactive
Join Date: Jan 2006
Posts: 3,270
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by AlexanderHanff
Can people post the Digg link to other sites they are active on which are covering this issue as well. The extended web edition is much better than the broadcast edition so we need to try and make sure people are aware of it and see it. Encourage your friends to sign up for Digg and digg the story.
Alexander Hanff
|
This might be handy for people that can't see the original footage or want to put it on their iPod.
It's also far easier to edit and pull the interesting clips out if you want to do that.
http://www.divshare.com/download/4404159-515
click-extended656.mp4
---------- Post added at 04:19 ---------- Previous post was at 03:04 ----------
It appears PhormUKPRteam's new plan is hanging back, waiting for any posts on the blogs to cool off, then posting a comment or link to a favourable post... New Scientist in this case.
http://www.newscientist.com/blog/tec...ng-on-you.html
|
|
|
04-05-2008, 07:02
|
#5631
|
Inactive
Join Date: May 2008
Location: Bracknell
Posts: 34
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by pseudonym
I think a bigger problem is websites will be able to read your webwise tracking cookie by embedding some https content on their page. Phorm can't strip the cookie from encrypted streams, so the website will get to see your unique user id. If the website doesn't want to pay for a certificate to read your UID, it should also work if they use a port other than 80.
|
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, ie an https://site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.
I believe the Phorm servers are set up just to strip the cookies which accompany a [GET] request. But any site can easily read all the cookies on a visitor's computer using simple javascript document.cookie. It is not clear whether Phorm attempts to strip cookies obtained in this way, my gut feeling is that they probably don't.
|
|
|
04-05-2008, 07:21
|
#5632
|
Inactive
Join Date: Apr 2008
Posts: 831
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by Chroma
Another user posted regarding different individuals using the same connection and login account and the possibility of visiting a friend and being essentially kept in the dark with regards to how his data was being handled and it got me thinking.
Is there intercompatibility between ISPs?
snip
Doesn't this pose a significant problem for the actual database?
I mean a database frankly goes into meltdown when two unique keys are the same for two different tables (unless there's a secondary key to differentiate)
So am I completely missing something here or are the cookies assigned further down the equipment line where presumably multiple ISPs funnel the data through?
If so then this raises a further interesting question:
how can BT even begin to conceive of a setup that's a cookie free opt in/out/shake-it-all-about setup without having consultations with other ISPs that would most definitely be affected by such modifications?
|
That's a very interesting question - I think I will ask BT that via the beta forum if you don't mind.
|
|
|
04-05-2008, 08:00
|
#5633
|
Guest
Location: Sale, Cheshire
Services: 10MB Broadband, DTV, Telephone
Posts: n/a
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by pseudonym
I think a bigger problem is websites will be able to read your webwise tracking cookie by embedding some https content on their page. Phorm can't strip the cookie from encrypted streams, so the website will get to see your unique user id. If the website doesn't want to pay for a certificate to read your UID, it should also work if they use a port other than 80.
|
AFAIK they don't even need to do that. The cookie is available to be read by CLIENT-SIDE script, so all they need to do is read the UID and copy to another, non-phormed cookie, which won't then be stripped.
|
|
|
04-05-2008, 10:46
|
#5634
|
Inactive
Join Date: Apr 2008
Location: Bristol
Services: Aquiss.net and loving it.
No more Virgin Media, no more Virgin Phone, no more Virgin Mobile.
Posts: 629
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by pseudonym
The UID is 128 bits long; Phorm could use a few of those bits to uniquely identify each specific device and use an incrementing count rather than being truly random. However, with 2^128 permutations it is quite likely that they won't worry about it. The worst that could happen if you share a UID is that you will share the one profile, so the adverts won't be quite so relevant. If a website doesn't appreciate being exploited by Phorm, it could change the UID in the tracking cookie for their own domain, potentially polluting someone else's profile with your browsing of their site anyway.
|
Agree. If I can obtain your UID, I can impersonate you (because Phorm can't differentiate me from you).
Using your UID I can either corrupt your profile (causing you to see the type of adverts I'd prefer you to see), or obtain a succession of adverts from OIX which reveal your likely profile to me.
If I can buy data from other people who've done the same thing, I can start to build a wider profile about you with Phorm's help.
Even Phorm's DPA registration (purpose 2) suggests they aspire to sell "Personal Details" to "Traders in personal data" "worldwide".
It's valuable stuff, your personal details.
---------- Post added at 09:54 ---------- Previous post was at 09:45 ----------
Quote:
Originally Posted by JohnHorb
AFAIK they don't even need to do that. The cookie is available to be read by CLIENT-SIDE script, so all they need to do is read the UID and copy to another, non-phormed cookie, which won't then be stripped.
|
Sample code on dephormation.org.uk and elsewhere.
It looks like it could be trivial, around 3 lines of JavaScript code.
---------- Post added at 10:46 ---------- Previous post was at 09:54 ----------
Quote:
Originally Posted by 80/20Thinking
You'll understand, I'm sure, why I'm resisting saying anything that could fuel speculation, but you've hit the nail on the head. If we're in the business (at least in part) of finding possible solutions, the browser manufacturers are massively relevant. But talk about a hornet nest....
Simon
|
Can I query this post, the significance is just starting to sink in.
Are you advocating that browsers support cross site cookies? Finding a 'solution' to the problem that they don't exist? If there is a hornet's nest it might be because there is a reason.
Currently there is no such thing, thank God, hence the redirects that Phorm must jump through to create one.
What positive effect, if any, do you think cross site cookies would have on privacy?
Pete
|
|
|
04-05-2008, 11:00
|
#5635
|
Inactive
Join Date: Apr 2008
Posts: 41
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by Dephormation
Can I query this post, the significance is just starting to sink in.
Are you advocating that browsers support cross site cookies? Finding a 'solution' to the problem that they don't exist? If there is a hornet's nest it might be because there is a reason.
Currently there is no such thing, thank God, hence the redirects that Phorm must jump through to create one.
What positive effect, if any, do you think cross site cookies would have on privacy?
Pete
|
I was thinking of user controls and cookie management.
Simon
|
|
|
04-05-2008, 11:25
|
#5636
|
cf.addict
Join Date: May 2007
Posts: 469
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
I see Virgin Media has already changed their T&Cs to suit Phorm
G Your details and how we look after them
2. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in the ways outlined above. These third parties are permitted to use the data only in accordance with our instructions.
Pity VM doesn't say what their instructions are and if they ever leave the country.
All this data to share with Phorm, yay (not). Starting to get really peed off with events and people.
|
|
|
04-05-2008, 11:37
|
#5637
|
Inactive
Join Date: Jan 2007
Posts: 272
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by Bonglet
I see Virgin Media has already changed their T&Cs to suit Phorm
G Your details and how we look after them
2. By having the services we provide installed in your home and/or by using them you are giving us your consent to use your personal information together with other information for the purposes of providing you with our services, service information and updates, administration, credit scoring, customer services, training, tracking use of our services (including processing call, usage, billing, viewing and interactive data), profiling your usage and purchasing preferences for so long as you are a customer and for as long as is necessary for these specified purposes after you terminate your services. We may occasionally use third parties to process your personal information in the ways outlined above. These third parties are permitted to use the data only in accordance with our instructions.
Pity VM doesn't say what their instructions are and if they ever leave the country.
All this data to share with Phorm, yay (not). Starting to get really peed off with events and people.
|
I wouldn't call Phorm's profiling of every GET request you make on the internet "occasional use" by a third party. In fact, I'd call it "continuous use" and that is a very different thing indeed.
I don't think the above quoted T&C would stand up for 10 seconds in court as giving permission to allow Phorm to profile everything every customer does all the time.
Expect to see a significantly different set of T&Cs should Phorm-Webwise ever get off the ground.
Anyway, aren't the above quotes from the Interactive TV section of the T&Cs - Broadband has its own set.
|
|
|
04-05-2008, 11:50
|
#5638
|
Permanently Banned
Join Date: Mar 2008
Posts: 1,028
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by serial
I'm sorry if I'm being overly cynical, but I'm looking at my choice of hats and have selected the tinfoil one.
8020 Advisory group contains: Ray Stanton, Global Head of Business Continuity, Security & Governance, BT plc
So, Phorm, pioneered by BT plc have paid an auditing company to green light its system when that company also has a high level BT plc employee as an advisor.
Anyone else see a major problem here?
|
They also have the Earl of Northesk on their advisory board who has been very outspoken against Phorm in his official capacity as a peer in the House of Lords.
So no I don't see a problem with 80/20 Thinking having influential and important people on their advisory boards.
Alexander Hanff
---------- Post added at 11:50 ---------- Previous post was at 11:40 ----------
Quote:
Originally Posted by davews
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, ie an https://site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.
I believe the Phorm servers are set up just to strip the cookies which accompany a [GET] request. But any site can easily read all the cookies on a visitor's computer using simple javascript document.cookie. It is not clear whether Phorm attempts to strip cookies obtained in this way, my gut feeling is that they probably don't.
|
Dav, the point being made was that less ethical web site owners could simply include some HTTPS content in order to "see" the cookie and grab the UID then associate it with IP. The way the Phorm technology works is it strips the cookie out of the communication before it gets to the website, however it is unable to do this with https, so using https you can see any cookie the user has stored under your domain (including the forged Phorm ones).
Alexander Hanff
|
|
|
04-05-2008, 11:52
|
#5639
|
cf.addict
Join Date: May 2007
Posts: 469
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Those are the broadband ones, lucevans, go take a look. If anything was reported to tarnish VM, they could reply in argument that it's in the end user's T&Cs. Those I highlighted would have been used to implement Phorm with such simpleness as VM and Phorm would have hoped, but are now stalling on due to the interest and complicity issues of the idea.
|
|
|
04-05-2008, 11:56
|
#5640
|
Inactive
Join Date: Apr 2008
Posts: 76
|
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by davews
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, ie an https://site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.
|
Fair point, opening a https page from within the http page using javascript or just redirecting the http: page request to a https: page would avoid that problem.
|
|
|
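The exposure paths argued over in the posts above (HTTPS content, a port other than 80, client-side script), modelled as an added example that is not part of any post or of Phorm's code. The cookie name, the host names and the port-80-only interceptor are assumptions based on the thread's description; HttpOnly is a standard cookie attribute that the thread does not mention.

```javascript
// Added example: which channels expose a cookie stored under a site's domain.
// Cookie name, host names and the interceptor model are assumptions.

// Constructed sample: a tracking cookie planted under the visited site's domain.
const trackingCookie = {
  name: "uid_placeholder", domain: "shop.example", path: "/",
  secure: false, httpOnly: false,
};

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Browser rule: cookies are scoped by domain and path, not by port, and a
// cookie without Secure goes out over both http and https.
function browserSends(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie.domain) && pathMatches(u.pathname, cookie.path);
}

// Thread's model of the ISP-side box: it only rewrites cleartext HTTP on port 80.
function interceptorCanStrip(url) {
  const u = new URL(url);
  return u.protocol === "http:" && (u.port === "" || u.port === "80");
}

// Script on a matching page sees the cookie unless it is marked HttpOnly.
function scriptCanRead(cookie, pageUrl) {
  return !cookie.httpOnly && browserSends(cookie, pageUrl);
}

function exposure(cookie, url) {
  const sent = browserSends(cookie, url);
  return {
    url,
    reachesServer: sent && !interceptorCanStrip(url),
    scriptReadable: scriptCanRead(cookie, url),
  };
}

// Audit the same cookie against the request shapes discussed in the thread.
function audit(cookie) {
  return [
    "http://shop.example/basket",
    "https://shop.example/basket",
    "http://shop.example:8080/basket",
    "http://other.example/",
  ].map((url) => exposure(cookie, url));
}
```

Running `audit` with `httpOnly: true` closes only the script path; the HTTPS and non-80-port requests still carry the cookie to the server.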