Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[SimonHickling]

Just come across this
http://www.lancs.ac.uk/iss/rules/cmisuse.htm

I particularly like the inference from Example 1

Quote:

Example 1, Unauthorised Access to Computer Material.

This would include: using another person's identifier (ID) and password without proper authority in order to use data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data (for example, to a screen or printer); laying a trap to obtain a password; reading examination papers or examination results.

In my head the webwise system is using another person's id to get the data from my password protected systems - in breach of the computer misuse act?

[AlexanderHanff]

http://www.p2pnet.net/story/15980

There you go.

Alexander Hanff

---------- Post added at 19:24 ---------- Previous post was at 19:22 ----------

Quote:

Originally Posted by SimonHickling

Just come across this
http://www.lancs.ac.uk/iss/rules/cmisuse.htm

I particularly like the inference from Example 1


In my head the webwise system id using another person's id to get the data from my password protected systems - in breach of the computer misuse act?

You in Lancaster too? Maybe we could get together after next week (when I finish my degree) for coffee and a chat if you like?

Alexander Hanff

[SimonHickling]

Quote:

Originally Posted by AlexanderHanff

You in Lancaster too? Maybe we could get together after next week (when I finish my degree) for coffee and a chat if you like?

Unfortunately, not been there for many years. I sometimes stop in again if I'm in the area, but it's been more years than I care to remember since I was at Uni there.

[Toto]

Quote:

Originally Posted by AlexanderHanff

http://www.p2pnet.net/story/15980

There you go.

Alexander Hanff

---------- Post added at 19:24 ---------- Previous post was at 19:22 ----------



You in Lancaster too? Maybe we could get together after next week (when I finish my degree) for coffee and a chat if you like?

Alexander Hanff

Looks good Alexander, the bibliography alone will keep me busy for hours.

[lardycake]

I don't think this has been mentioned on here yet (thanks to madslug on BadPhorm forums for spotting it):

Change to webwise FAQ http://www.webwise.com/how-it-works/faq.html

"What about FIPR's analysis of the legality and RIPA?

We don't agree with FIPR's analysis. And its description of the Phorm system is inaccurate. Our technology complies with the Data Protection Act, RIPA and other applicable UK laws. We've sought our own legal opinions as well as consulted widely with experts such as Ernst & Young, 80/20 Thinking, the Home Office, Ofcom and the Information Commissioner's Office (ICO). We discussed our system with the ICO prior to launching it and continue to be in dialogue with the organisation."

I find it rich that they accuse FIPR of inaccurately describing the phorm system, in the light of phorms own inaccurate description of the system to Richard Clayton. I think it is an indication of how BT will try to discredit opponents of phorm/webwise.

[AlexanderHanff]

Quote:

Originally Posted by lardycake

I don't think this has been mentioned on here yet (thanks to madslug on BadPhorm forums for spotting it):

Change to webwise FAQ http://www.webwise.com/how-it-works/faq.html

"What about FIPR's analysis of the legality and RIPA?

We don't agree with FIPR's analysis. And its description of the Phorm system is inaccurate. Our technology complies with the Data Protection Act, RIPA and other applicable UK laws. We've sought our own legal opinions as well as consulted widely with experts such as Ernst & Young, 80/20 Thinking, the Home Office, Ofcom and the Information Commissioner's Office (ICO). We discussed our system with the ICO prior to launching it and continue to be in dialogue with the organisation."

I find it rich that they accuse FIPR of inaccurately describing the phorm system, in the light of phorms own inaccurate description of the system to Richard Clayton. I think it is an indication of how BT will try to discredit opponents of phorm/webwise.

The entire comment is completely untenable given the fact that they had the opportunity to correct any errors (and reportedly did so) before Dr Clayton published the analysis. The published document was agreed to be accurate by Phorm themselves.

Alexander Hanff

[Rchivist]

Quote:

Originally Posted by lardycake

I don't think this has been mentioned on here yet (thanks to madslug on BadPhorm forums for spotting it):

Change to webwise FAQ http://www.webwise.com/how-it-works/faq.html

"What about FIPR's analysis of the legality and RIPA?

We don't agree with FIPR's analysis. And its description of the Phorm system is inaccurate. Our technology complies with the Data Protection Act, RIPA and other applicable UK laws. We've sought our own legal opinions as well as consulted widely with experts such as Ernst & Young, 80/20 Thinking, the Home Office, Ofcom and the Information Commissioner's Office (ICO). We discussed our system with the ICO prior to launching it and continue to be in dialogue with the organisation."

I find it rich that they accuse FIPR of inaccurately describing the phorm system, in the light of phorms own inaccurate description of the system to Richard Clayton. I think it is an indication of how BT will try to discredit opponents of phorm/webwise.

I suppose FIPR can always say that they had to rely on Clayton 1.0, and ICO 1.0 whereas we are now on Clayton 1.3 and ICO 1.3. Clayton 1.3 of course had to be issued because Phorm had a sudden rush of blood to the head and remembered there were more browser redirects than they had originally told Dr Clayton about in the first version.

---------- Post added at 21:39 ---------- Previous post was at 21:08 ----------

Quote:

Originally Posted by R Jones

---------- Post added at 19:14 ---------- Previous post was at 19:11 ----------



Re: password protected sites
I have no explanation of HOW BT Retail claim to do this, but I do know that they claim they won't be going past password logins. Haven't time to look it up but you may find it on the Webwise FAQ.

It's when you ask "HOW" that they clam up. And quite often it means that when you really look at what they have said, it doesn't quite say what they hope you think it said. They are very good at being vague.

I've now found the relevant bit of an email from BT about this: (from Director, Value Added Services)

Now let me try to allay your concerns as to what will happen with the private, password protected areas of your own website……

First of all let me say that we completely understand the potential concerns of some website owners, who have sensitive/private/password protected websites or areas on their website, and are taking the necessary steps to ensure that password protected sites are excluded from this service and no information will be scanned from these pages. We are also excluding a range of more sensitive categories for example medical, religious and gambling websites. We are also taking steps to ensure that those websites that do not want search engines to 'crawl' them (by the use of robots.txt) will also be excluded from the Webwise service.

And here is the extensive explanation from the BT Webwise FAQ
http://webwise.bt.com/webwise/help.h...14,15,16,17,18

Actuallly it's so extensive, it's worth quoting in full
"BT Webwise does not scan password-protected content so it is ignored."

Richard Clayton Mark 3 (after Phorm phessed up to misleading him)
http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf
refers to this briefly in para 37, p5

---------- Post added at 21:43 ---------- Previous post was at 21:39 ----------

Quote:

Originally Posted by AlexanderHanff

The entire comment is completely untenable given the fact that they had the opportunity to correct any errors (and reportedly did so) before Dr Clayton published the analysis. The published document was agreed to be accurate by Phorm themselves.

Alexander Hanff

Did you mean Clayton or Bohm here Alexander?

the problem is that the Phorm goalposts are sliding sideways at the moment, a bit like the ad boards go up and down on the side of the pitch. As Dr Clayton is finding - having to constantly revise his analysis because Phorm keep "remembering" things they forgot to tell him earlier.

[AlexanderHanff]

Quote:

Originally Posted by R Jones

Did you mean Clayton or Bohm here Alexander?

the problem is that the Phorm goalposts are sliding sideways at the moment, a bit like the ad boards go up and down on the side of the pitch. As Dr Clayton is finding - having to constantly revise his analysis because Phorm keep "remembering" things they forgot to tell him earlier.

Dr Clayton. It was his technical paper which originally alleged the technology was illegal iirc, which is what the webwise citation is referring to.

Alexander Hanff

[pseudonym]

Quote:

Originally Posted by Dephormation

Obliged except that the ISPA don't enforce their own code of practice. At least, not against their biggest fee paying member.

The complaints procedure seems to be, complain to BT. After you fail to reach a satisfactory conclusion, your or BT refer the case (at their discretion presumably) to ISPA. ISPA immediately do a slopey shoulders and send you to something called OTELO that I've never heard of.

See this thread on BadPhorm

That could get quite expensive for BT.

OTELO is an OFCOM approved Alternative Dispute Resolution (arbitration) service.

OfCom require communication providers to be a member of either OTELO or CISAS. Customers can complain to an ISP's ADR once their provider's internal complaint procedure has been exhausted (a deadlock letter is usually required, or else proof that the complaint has not been resolved within three months). The ADR's decision is binding on the ISP.

It is free for the complainant as the ISP picks up OTELO's case fees (was £325 per case in 2005 - http://www.otelo.org.uk/downloads/Cu...Survey2005.pdf )

http://www.otelo.org.uk/pages/4howtocomplain.php

[SimonHickling]

Quote:

And here is the extensive explanation from the BT Webwise FAQ
http://webwise.bt.com/webwise/help.h...14,15,16,17,18

Actuallly it's so extensive, it's worth quoting in full
"BT Webwise does not scan password-protected content so it is ignored."

Thanks for that - I'll raise the question in my next exchange.

Just had a thought - does anyone have details of the IP ranges for the affected ISPs (or the default dynamic names given) in order to warn their victims?

[Rchivist]

Quote:

Originally Posted by SimonHickling

Thanks for that - I'll raise the question in my next exchange.

Just had a thought - does anyone have details of the IP ranges for the affected ISPs (or the default dynamic names given) in order to warn their victims?

Pete at Dephormation.org.uk

[mark777]

Bit old, but does this sort of thing help to explain a man in the middle attack to joe public?

http://www.dailymail.co.uk/news/arti...staurants.html

Especially when lots of big name companies tell you it's perfectly safe. In fact, an improvement on what you had before, and nothing can go wrong. Trust us.

There are probably better articles to quote out there somewhere.

edit : (sorry, ISP in the middle, with a dodgy mate, who employs dodgy people, from dodgy countries)

edit again: Of course, if your chip and pin has been nicked, eventually the problem will go away when you change your bank account number and card etc. You will have to do all that and move house if phorm goes wrong. And even then they will have your name, DoB, NI number etc..

[Phormic Acid]

I’ve just seen Procera Networks’ advert for universal end-to-end encryption!

[mark777]

Just seen the BT ad on the box. Looks like the bloke's about to cheat on his missus.

[bluecar1]

just looking at the first line of my yahoo cookie from BT

Y
v=1&n=fdv4pcpalqqrg&l=6h4o2em@1j8dj4hd4j.2ec/o&p=m21vvuk013000000&iz=MEXX5DT&r=ia&lg=en-GB&intl=uk
yahoo.com/

notice the bit in red

MY POSTCODE!!!!!! (x'ed out 2 chars for privacy)

easy for phorm to get my post code and match it to MY unique random number ID as when you logon to parental controls it will see the cookie go by along with its own

i also notice the reference to strings of numbers longer than 3 digits has gone from the webwise faq page

also notice http://routeplanner.rac.co.uk/showmulti.php?saddress=meXX%205dt&daddress=b69%206lt&vaddress1=&vaddress2=&vaddress 3=&vaddress4=&vaddress5=&rtype=fast&preferences=3& trafficconditions=3&maptype=JAVA&nextgengeo=1

can pick up post code from travel sites when it passes data from one page to the next (my postcode above in red x'ed again),

so no identifiable data???? pull the other one