Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[phormwatch]

Here's an update:

http://business-openletter.blogspot.com/

Unless anyone wants to add another parapraph, I think we should finish it off with a 'What you can do' section...

Any volunteers?

Check with Rob Jones regarding the copying of websites - I'm sure that he got this in writing from BT.

Regarding the CMA, this was my interpretation of the act and it's application to Phorm's cookies. I wrote this on the BT Forum in early April so feel free to comment on it or pick any holes you find. I asked for feedback at the time but no-one seemed interested - I'd be interested to know what people think now especially as Andrew Liversage has now stated that the next trial could go ahead using opt-in/out cookies.

Have a read of the Computer Misuse Act . I don't see how this can't be applied to BT's secret trials.

In essence, it is an offence to "secure access to any program or data held in any computer" without authorisation when the miscreant knows that they are not authorised. It then states that the type of data is not a factor.

In other words, simply accessing a cookie or reading the contents of the PCs memory (which must contain the data of the current webpage) without authorisation from the computer's owner is a criminal offence.

Even better, Section 2 of the act makes it a further offence to commit the Section 1 with the intention of making it possible or easier to commit other such offences.

In other words, even planting an unauthorised cookie or inserting any daya or code into the webpage (which is also held in the PC's cache and memory) with the intention of reading or writing to it later is an offence in it's own right.

Section 3 makes it an offence to perform "any act which causes an unauthorised modification of the contents of any computer" if the accused deliberately set out to do so and knew that it was not authorised by the computer's owner. It also specifically states that it is irrelevent whether the modification is permenant or temporary.

In other words, altering the contents of any cookie or any webpage (which are also held in the PC's cache and memory) without the authority of the computer's owner is an offence.

There doesn't appear to be any requirement on the part of the complainant to have any personal involvment under the act so it would appear that BT existing admissions and statements should allow any of us to make a complaint to the Met as BT are Lodon based.

Can anyone see anything here or in the act itself that could prevent a criminal charge being brought against BT under the terms of this act or prevent such a complaint from being accepted and investigated?

[icsys]

My FoI request had this statement attached:

Quote:

* Some of the information provided to us by BT was done so on
the basis that it was confidential at that time, and remains so. The
primary reason for this is where commercial sensitivities and interests
are at stake, and also in relation to the first complaint we received
from a member of the public (referred to in the two letters that are
attached). This is particularly apparent by the pages attached to BT's
letter to the ICO of 9 May that have been deleted in their entirety, and
are marked 'deleted'. Where this is the case this information has been
withheld in reliance on section 41 of the Freedom of Information Act
2000, which applies to information that has been provided to the public
authority in confidence, and the disclosure of that information to the
public by the public authority holding it would constitute an actionable
breach of confidence.

The document referred to is BT letter to ICO 9/5/08
It is unclear what the two deleted pages actually referred to but the BT letter revolves around BT and Phorm's legal advice that was 'sought' prior to both trials and references to complaints from the public. I would infer the deletions were in some way connected to the complainants.

[phormwatch]

Guys... I'm trying to keep the Open Letter To Business crazy simple. Our 'target' audience aren't techies.

If you all think that the information already contained within is sound and factually correct, then I think we should finish off with a 'What you can do' paragraph.

[HamsterWheel]

Quote:

Originally Posted by phormwatch

Here's an update:

http://business-openletter.blogspot.com/

Unless anyone wants to add another paragraph, I think we should finish it off with a 'What you can do' section...

Any volunteers?

I can't help thinking that an awful lot of businesses on receipt of that letter will not be following the thought patterns that you want them to.
Instead they will be thinking "That sounds a very effective way for ME to target customers, must get my ad agency onto that and sign up quick".

Being helpful, I'd suggest that you run that through a decent firm of solicitors before you start to circulate just in case anything you state could be construed as defamatory.

[rryles]

First up the usual IANAL disclaimer.

The problem with the CMA is that it is old. It was written before the internet came of age and so is often not very relevant anymore. A rewrite is well overdue. Having said that it can still be used effectively for many nefarious activities. The crux of the matter may well be the "without authorization" clause. It could be argued that by running a web browser that accepts cookies you are giving permission for cookies to be placed on your computer. It is common to imply consent for data to be changed on a computer. However that may fall down when the cookies are forged to look like they come from a domain they have nothing to do with.

I know there are people on here who are for more knowledgeable on the CMA than myself though so I look forward to reading their opinions.

[Rchivist]

Quote:

Originally Posted by phormwatch

Argh. OK, I'm going to try and finish the open letter to business. Can someone please find me an official quote where a BT spokesman says they can freely copy stuff off the web because consent is implied?

Also, the cookie forgery is a violation of the Computer Misuse Act, correct? Which specific part?

Here is the blog:

http://business-openletter.blogspot.com/

Please suggest any additions.

Here's a quote for you - in email from Director, Value Added Services, to me, 02/07/2008, responding to a query from me which contained the words, "Please note - I will infer your consent to the publication of any reply to this email unless you expressly and explicitly withold such consent." - there was no reference to witholding consent to publication in the reply, the bulk of which is copied below. As this is the last email I received from this person of course it is very precious.

ES says
"Neither of the previous small technical trials or our future trial of BT Webwise involve infringement of the copyright of any website holder.
Anyone who puts a webpage on the internet does so for the purpose of people making copies of it for the purpose of looking at it and assessing the information contained in it. There are of course some exceptions to this, which is why, for example, BT Webwise does not profile pages transmitted via HTTPS.

Accordingly I am afraid no royalties or other payments are due to website owners - aside from those that want to participate in the OIX of course (www.phorm.com).

We believe that we can rely upon website owners implied consent, especially if websites are happy to be trawled by major search engines such as Google, as if they are unhappy with this and use robots.txt to block the likes of Google then Phorm will also ensure such sites are excluded. It is not reasonable or practical to contact every website owner in advance or to identify sites displaying Webwise messages.

Over and above this we are also taking reasonable steps to exclude specific websites upon specific request from the website owner, so if website owners provide us with the url's of their websites (and confirmation of ownership) then we will ensure that they are excluded by
Phorm.

I can assure you that we have taken advice and believe our approach is both entirely reasonable (straightforward) and that it complies with relevant legislation."

The email (and no other communications I am aware of from BT) takes no account of the inability of all customers with BTOpenworld or BTYahoo! Geocities websites to use robots.txt exclusion statements, nor do they refer to any communications attempts made by BT to let proactively let even their own webspace owners know this or apply for their sites to be excluded from Webwise profiling. (I know we don't likethat solution, but as it is the one BT are offering, along with robots.txt, they need to have a coherent plan for informing customers about it and they don't.)

[madslug]

Not really Phorm related but an article which shows how easy it is for invasion of privacy for online activities in one country to quickly spread around the world and affect everyone.

As part of the 'Housing Bill' running through the good old USA is a clause which requires payment processors to pass info to the IRS for merchants processing more than $20k per year, which includes holding a database of the purchasers, wherever they are in the world.

See More on the "Housing Bill" about half way down the articles.
http://www.i-cop.org/journal/08-11-08.htm

(And, I don't know why, but for some reason the joke at the end of the articles reminded me of forum moderators - with apologies to moderators here.)

---------- Post added at 17:48 ---------- Previous post was at 17:44 ----------

Quote:

Originally Posted by R Jones

Here's a quote for you - in email from Director, Value Added Services, to me .... <snip>

I have a very similarly worded email. Dated a little earlier so is somewhat shorter in content.

Quote:

Originally Posted by phormwatch

Guys... I'm trying to keep the Open Letter To Business crazy simple. Our 'target' audience aren't techies.

If you all think that the information already contained within is sound and factually correct, then I think we should finish off with a 'What you can do' paragraph.

As regards the MCA you could just refer to Richard Claytons letter.

[Rchivist]

Quote:

Originally Posted by phormwatch

Here's an update:

http://business-openletter.blogspot.com/

Unless anyone wants to add another parapraph, I think we should finish it off with a 'What you can do' section...

Any volunteers?

I like it - I've already sent an earlier version to a fairly litigiously minded Irish company, concerning their own concern (and SUCCESSFUL legal case) about website copyright. I put that in the letterbox today along with my DPA notice to BT.
My DPA request from BT about what data they may have passed to Phorm comes due in about 3 days, so I'll be getting some more stamps. I'm really looking forward to them missing the deadline.
My ICO complaint is acknowledged and pending.

I would imagine the "what you can do" section for a concerned company, would be for them to write to BT Retail legal section and tell them that they would regard it as actionable if Phorm profile their sites on the back of Webwise-linked visitors.

Chief Counsel Commercial Law (Consumer),
BT Retail,
BT Centre, pp B8D,
81 Newgate Street,
London,
EC1A 7AJ

I'm not sure they would be too interested in joining the campaign - they are more likely to think in terms of "sue or not sue" - in otherwords whether their own commercial interests are threatened.

Given the comments about the risk that they might just join OIX - I think that needs to be countered by simply making sure they are aware of the considerable legal challenges to the whole system. Any company with any sense (BT excluded for unique reasons) would be mad to invest any of its advertising budget in such a leaky ship as OIX.

Perhaps a brief reference to the turbulent time the whole technology is having with both EU and US regulatory concern would be enough to deter them (for now) from investing in OIX - after all there are better legally safer, more proven systems for them to spend their ad budget on.

[madslug]

Quote:

Originally Posted by HamsterWheel

Being helpful, I'd suggest that you run that through a decent firm of solicitors before you start to circulate just in case anything you state could be construed as defamatory.

I assume that you are referring to the use of the word 'spyware'. An interesting point, considering that 121Media and Phorm have continued to deny any connection with spyware.

Taking that into consideration, perhaps the following amendments are in order:

"... 121Media was responsible for writing a piece of adware software (often packaged with free software or other downloads) which antivirus companies such as F-Secure classified as malicious Spyware.
....
Phorm's 'adware' technology may make you lose customers and revenue
....
The deep packet inspection system sold by Phorm to broadband suppliers sees everything on the web before it is sent to the person surfing your sites. So that the 'adware' technology can keep track of web surfers across the net, it forges a webwise cookie that it appears to come from your website when visited by the person surfing the web.
... "

Or, perhaps there is some other error which your long association with 121Media/Phorm has enabled you to spot? Please share your knowledge.

[Rchivist]

Quote:

Originally Posted by madslug

I assume that you are referring to the use of the word 'spyware'. An interesting point, considering that 121Media and Phorm have continued to deny any connection with spyware.

Taking that into consideration, perhaps the following amendments are in order:

"... 121Media was responsible for writing a piece of adware software (often packaged with free software or other downloads) which antivirus companies such as F-Secure classified as malicious Spyware.
....
Phorm's 'adware' technology may make you lose customers and revenue
....
The deep packet inspection system sold by Phorm to broadband suppliers sees everything on the web before it is sent to the person surfing your sites. So that the 'adware' technology can keep track of web surfers across the net, it forges a webwise cookie that it appears to come from your website when visited by the person surfing the web.
... "

Or, perhaps there is some other error which your long association with 121Media/Phorm has enabled you to spot? Please share your knowledge.

With regard to defamation Madslug, - I find it beyond the bounds of credibility that BT would bring a defamation case. They would be insane to do so.

In a court there are serious penalties for perjury.
In a court you can subpoena witnesses (directors and press officers) and force them to testify.
In a court you can't dodge questions.
In a court you cannot control the outcome.

Given the things I have read on various forums and blogs, that are far far more critical of BT than anything in the Open Letter to Businesses, I really don't think defamation would be an issue.

BT suing for defamation is about as likely as Jonathan Aitken or Jeffrey Archer doing so.

Generally to succeed in the courts, you need deep pockets and a very very clear conscience. BT certainly have deep pockets. But they seem reluctant to proceed with legal action.

[madslug]

Quote:

Originally Posted by R Jones

With regard to defamation Madslug, - I find it beyond the bounds of credibility that BT would bring a defamation case. They would be insane to do so.

I was thinking more about Phorm rather than BT. Phorm still have a few millions not spent.
I can just see a judge being somewhat confused by mention of malware and rootkits on PCs and then trying to get to grips with the technical differences experienced by a surfer whose every data packet is subjected to interception via DPI.

[Privacy_Matters]

Quote:

Originally Posted by HamsterWheel

I can't help thinking that an awful lot of businesses on receipt of that letter will not be following the thought patterns that you want them to.
Instead they will be thinking "That sounds a very effective way for ME to target customers, must get my ad agency onto that and sign up quick".

Being helpful, I'd suggest that you run that through a decent firm of solicitors before you start to circulate just in case anything you state could be construed as defamatory.

Defamatory? I see opinions, not accusations! Maybe you should visit the Solicitors as you suggest - take some 'humble pie', as you will need it!!!

[oblonsky]

Quote:

Originally Posted by madslug

I was thinking more about Phorm rather than BT. Phorm still have a few millions not spent.
I can just see a judge being somewhat confused by mention of malware and rootkits on PCs and then trying to get to grips with the technical differences experienced by a surfer whose every data packet is subjected to interception via DPI.

This is a crucial point - that unless we have enough money to properly defend ourselves then I wouldn't be so gung-ho about defamation.

Also from an educated reader's point of view we should be careful to lay out the facts as they are. Quoting press articles on anything contentious shifts the responsibility "blah said it could be described as spyware" then referring in the remaining piece as adware, as Madslud suggested.

BT are unlikely to defend Phorm's reputation for them - I believe Phorm took the PR chalice as part of it's early agreement with BT. Phorm is unlikely to hold back correcting something they believe is untrue - possibly Phorm's top brass are on a bit of a mission to get back at "the very few but vocal" anti-Phorm protestors!