Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
View Poll Results: Will you be opting out of the Virgin Ad Deal?
Yes, Definitely. 958 95.51%
No, I am quite happy to share my surfing habits with anyone. 45 4.49%
Voters: 1003. You may not vote on this poll

Old 07-07-2008, 13:08   #11251
Peter N
Guest
 
Location: Gloucestershire
Posts: n/a
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

I just had a thought.

Does anyone know for certain what the business relationship is between Phorm and BT? Specifically, do BT employ Phorm to make use of their data or do Phorm employ BT to provide the data for their system?

Phorm's statements regarding the "agreements" or "contracts" with the ISPs seem to suggest that it is Phorm who are running the business and that the ISPs are simply providing them with the data.

The reason I am querying this is that BT (and the other ISPs) terms and conditions allow for personal information to be shared with "third-parties" and I'm curious as to whether this relationship actually does apply to Phorm.
 
Old 07-07-2008, 13:10   #11252
isf
Inactive
 
Join Date: Apr 2006
Posts: 73
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Dephormation View Post
It's a doddle to capture User Identifiers. SSL, non standard ports, non Phorm ISPs, cookie rewriting... all will cause User Identifiers to leak.
They must be planning to hash it somehow, otherwise we could harvest UIDs and really phuzz the database. Doing this could be classed as a computer misuse offense but Phorm obviously would not have cared about that when they gained unauthorised access to data held on the server doing the UID harvesting.
isf is offline  
Old 07-07-2008, 13:34   #11253
Florence
Inactive
 
Join Date: Jun 2003
Services: The wonders of Sky TV BT line and Aquiss.net ADSL cable dies on 5th RIP VM.
Posts: 4,004
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Peter N View Post
I just had a thought.

Does anyone know for certain what the business relationship is between Phorm and BT? Specifically, do BT employ Phorm to make use of their data or do Phorm employ BT to provide the data for their system?

Phorm's statements regarding the "agreements" or "contracts" with the ISPs seem to suggest that it is Phorm who are running the business and that the ISPs are simply providing them with the data.

The reason I am querying this is that BT (and the other ISPs) terms and conditions allow for personal information to be shared with "third-parties" and I'm curious as to whether this relationship actually does apply to Phorm.
When Emma was replying to me she did say Phorm was a partner and covered in the T&C... I did point out a few errors in this but then line of contact dried up as Ian and Emma went on self preservation mode no longer communicating irony they stopped talking... to the people who pay their wages no customers no need for them to be employed.. Well suppose Ian moved to a safe seat as a councillor would say while Emma is in the hot seat MPO.....

---------- Post added at 13:34 ---------- Previous post was at 13:22 ----------

Today's news on ISPr seems to have the retail side buzzing that sales will increase by 2010 the CEO from http://www.javelingroup.com/ has been talking to retailers.

http://www.ispreview.co.uk/news/EkEVuFFklVqSMEmAAQ.html

If they are signed into phorm watch the retail online plummet downwards like Phorm's shares keep doing..
Florence is offline  
Old 07-07-2008, 13:48   #11254
rryles
Inactive
 
Join Date: May 2008
Posts: 147
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by isf View Post
They must be planning to hash it somehow, otherwise we could harvest UIDs and really phuzz the database. Doing this could be classed as a computer misuse offense but Phorm obviously would not have cared about that when they gained unauthorised access to data held on the server doing the UID harvesting.
Not sure what you mean by "hash it somehow" but I don't think any such techniques will help them.

They need to set a cookie for each domain that uniquely identifies an individual. That same data will be sent if the connection is over https and/or a non-standard port. Therefore that same data that uniquely identifies a user can be read by the web server.

If you take their claim that the only way they can tell users apart is the cookies they forge, then it follows that if two users swap cookies they won't notice the switch.
rryles is offline  
Old 07-07-2008, 14:00   #11255
Peter N
Guest
 
Location: Gloucestershire
Posts: n/a
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Section 7 of the Data Protection Act states that...

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is qualified in Schedule 1 part 2 to mean...

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.


We need to know whether or not Phorm has a contract with BT because an "agreement" does not satisfy the DPA. The profiling may be done on BT equipment but the data processing isn't.

The Act also states that the following criteria MUST apply...

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.


Phorm's background and Russian connections suggest that NT could not in all faith support these terms and the 2006 trials took place whilst BT was not in contract with 121Media and that company was under investigation by the American FTC who were still trying to locate the company following a trail that dried up in Poland.
 
Old 07-07-2008, 14:03   #11256
Florence
Inactive
 
Join Date: Jun 2003
Services: The wonders of Sky TV BT line and Aquiss.net ADSL cable dies on 5th RIP VM.
Posts: 4,004
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Peter N View Post
Section 7 of the Data Protection Act states that...

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is qualified in Schedule 1 part 2 to mean...

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.


We need to know whether or not Phorm has a contract with BT because an "agreement" does not satisfy the DPA. The profiling may be done on BT equipment but the data processing isn't.

The Act also states that the following criteria MUST apply...

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.


Phorm's background and Russian connections suggest that NT could not in all faith support these terms and the 2006 trials took place whilst BT was not in contract with 121Media and that company was under investigation by the American FTC who were still trying to locate the company following a trail that dried up in Poland.
Very true they seem to have slipped with their due diligence mind they were blinded with greed and dollar signs.
Florence is offline  
Old 07-07-2008, 14:03   #11257
isf
Inactive
 
Join Date: Apr 2006
Posts: 73
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by rryles View Post
Not sure what you mean by "hash it somehow" but I don't think any such techniques will help them.

They need to set a cookie for each domain that uniquely identifies an individual. That same data will be sent if the connection is over https and/or a non-standard port. Therefore that same data that uniquely identifies a user can be read by the web server.

If you take their claim that the only way they can tell users apart is the cookies they forge, then it follows that if two users swap cookies they won't notice the switch.
I'd compute a hash value for the UID using the client IP as the salt. Webwise is no longer leaking IDs, is IP locked and they still wouldn't be storing any PII. Not that I'm here to solve their problems nor that I have any real confidence in Phorm having any technical competence whatsoever.
isf is offline  
Old 07-07-2008, 14:14   #11258
rryles
Inactive
 
Join Date: May 2008
Posts: 147
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by isf View Post
I'd compute a hash value for the UID using the client IP as the salt. Webwise is no longer leaking IDs, is IP locked and they still wouldn't be storing any PII. Not that I'm here to solve their problems nor that I have any real confidence in Phorm having any technical competence whatsoever.
It might be possible to get something along these lines to work, but it isn't easy. A hash on its own is no protection against forgery. They'd have to use cryptographic signatures. I'd like to see them try and make it IP locked without storing, processing or even possibly coming into possession of any IP addresses.

If the cookie is locked to your ip then a brute force attack will allow phorm to derive your ip from the cookie. (with IPv4 addresses this brute force attack is fairly trivial)
rryles is offline  
Old 07-07-2008, 14:35   #11259
Peter N
Guest
 
Location: Gloucestershire
Posts: n/a
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Surely all of this cookie related stuff is irrelevant if you opt-out as you will only get the regular cookies with no added data.
 
Old 07-07-2008, 14:41   #11260
rryles
Inactive
 
Join Date: May 2008
Posts: 147
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Peter N View Post
Surely all of this cookie related stuff is irrelevant if you opt-out as you will only get the regular cookies with no added data.
Whilst I'd love to think that everyone would opt out (or rather no-one would opt in) I can't see it happening.

In my last posts replace references to 'you' with 'some misguided fool who opts in'
rryles is offline  
Old 07-07-2008, 14:46   #11261
isf
Inactive
 
Join Date: Apr 2006
Posts: 73
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by rryles View Post
It might be possible to get something along these lines to work, but it isn't easy. A hash on its own is no protection against forgery. They'd have to use cryptographic signatures. I'd like to see them try and make it IP locked without storing, processing or even possibly coming into possession of any IP addresses.
You're correct, they would need the IP. Here's a (rough untested example) of a much simpler version that does leak the ID (if you know how to decode it) but still renders it useless for fuzzing unless you can somehow do an IP takeover.

Code:
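<?php

// XOR two strings byte by byte ("xor" itself is a reserved word in PHP,
// so the function needs another name).
function xor_strings($a, $b){
  $crypted = '';
  // Walk the whole of $a; the key $b repeats if $a is longer than it.
  for ($i = 0, $j = strlen($a); $i < $j; $i++){
    $crypted .= $a[$i] ^ $b[$i % strlen($b)];
  }
  return $crypted;
}

// Set UID ($uid is assumed to already hold the user's identifier)
$value = xor_strings($uid, hash('sha1', $_SERVER['REMOTE_ADDR']));
setcookie('webwise', $value);

// Get UID
$uid = xor_strings($_COOKIE['webwise'], hash('sha1', $_SERVER['REMOTE_ADDR']));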
Quote:
If the cookie is locked to your ip then a brute force attack will allow phorm to derive your ip from the cookie. (with IPv4 addresses this brute force attack is fairly trivial)
I'd think it'd be easier to match the webwise id to OIX ad server request log files.

---------- Post added at 13:46 ---------- Previous post was at 13:43 ----------

Quote:
Originally Posted by Peter N View Post
Surely all of this cookie related stuff is irrelevant if you opt-out as you will only get the regular cookies with no added data.
If servers can retrieve the Phorm UID, they can get a good idea of your profile by seeing what ads are served. That's a huge privacy risk for everyone who opts-in, not every company is as upstanding and honest (sic) as Phorm.
isf is offline  
Old 07-07-2008, 14:46   #11262
bluecar1
Inactive
 
Join Date: May 2008
Location: Kent
Services: No DPI Kit snooping on USERS
Posts: 447
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by isf View Post
I'd compute a hash value for the UID using the client IP as the salt. Webwise is no longer leaking IDs, is IP locked and they still wouldn't be storing any PII. Not that I'm here to solve their problems nor that I have any real confidence in Phorm having any technical competence whatsoever.
only problem with that is BT Retail use dynamic IP's

peter
bluecar1 is offline  
Old 07-07-2008, 14:56   #11263
rryles
Inactive
 
Join Date: May 2008
Posts: 147
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by isf View Post
You're correct, they would need the IP. Here's a (rough untested example) of a much simpler version that does leak the ID (if you know how to decode it) but still renders it useless for fuzzing unless you can somehow do an IP takeover.
A webmaster could still swap uid's of two of his visitors by xor ing their cookies with the sha1 of each ip address.

Quote:
Originally Posted by isf View Post
I'd think it'd be easier to match the webwise id to OIX ad server request log files.
Probably would be easier, but neither is difficult. The search space for the brute force attack is < 1e7. If you know the RAS a user is on it is even smaller.

---------- Post added at 14:56 ---------- Previous post was at 14:55 ----------

Quote:
Originally Posted by bluecar1 View Post
only problem with that is BT Retail use dynamic IP's

peter
Not the only problem but certainly is one.
rryles is offline  
Old 07-07-2008, 15:15   #11264
Rchivist
Inactive
 
Join Date: Apr 2008
Posts: 831
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by bluecar1 View Post
don't forget they are also working on a cookieless optout, could the delay be the fact they have dropped the cookie based opt-out due to too many issues (and poss legal probs) and trying to get the cookieless opt-out to work

just a thought

peter

that's the cookie free solution that requires access to the BT Wholesale equipment so they can sort users according to IP ranges - opted in get one set of IP's and not opted-in, get another IP range. BT Retail can't actually achieve this with the equipment under their control AFAIK. But it is the solution they have SAID officially they are looking for.

Originally it was going to be a cookie based trial, with the promise that they were looking at a cookie free solution for the final rollout (although there seemed little point in trialling a technology then changing it again - they already did that with PageSense when they allegedly broke the law in 2006/7). But the trial has been delayed so long, there is no knowing what they are up to now.

We can be HOPING that it is delayed because of legal fears, and other complications - corporate cold feet etc. - but it could be simply because they have been doing yet another massive retrofit (the sort of retrofit that 80/20 Thinking warned about in their interim PIA as being inevitable when you don't do your privacy planning well in advance). Maybe the trial when it occurs will actually be a cookie free opt-IN, but it will have required co-operation from BTWholesale which AFAIK is not actually allowed by the comms regulator for competitive reasons.

---------- Post added at 15:15 ---------- Previous post was at 15:12 ----------

Quote:
Originally Posted by bluecar1 View Post
the best way is an account level opt-in / out where opted out traffic takes a different route out to the net bypassing all the phorm kit due to ip subnet (but this requires help from BTW who operate the RAS servers and issue IP's)

BUT, what happens if the main account holder opts in, but a subaccount holder does not want their traffic going via the profiler even if they are opted out?

no win me thinks for BT

peter
That's one of the significant unanswered questions. (Henceforth known as SUQ's) So far BT have avoided that one by simply refusing to take any responsibility for it. Their take so far is that they have one account, and whatever happens with that account or any of the sub accounts, is the responsibility of the account holder. They have NOT answered any questions about the enforceability of a change in T&C's triggered by a minor or any other user of the account/subaccounts, who opts in to Webwise.

When they don't answer a question it means they haven't got an answer. If they had a legal watertight answer, they would give it - anything to help prop up the share price!!! And then there is usually a further delay in the trial date. So - "keep asking them difficult questions" is my method!
Rchivist is offline  
Old 07-07-2008, 15:21   #11265
isf
Inactive
 
Join Date: Apr 2006
Posts: 73
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by rryles View Post
A webmaster could still swap uid's of two of his visitors by xor ing their cookies with the sha1 of each ip address.
Only so long as we can know the exact mechanism they're using, I was just giving an example. If they add a "secret" key prior to hashing it's more difficult still. I think Phorm's "privacy enhancing" feature of leaking the UID over the entire web is the bigger issue for them to solve -- along with all the other show stoppers.

---------- Post added at 14:21 ---------- Previous post was at 14:16 ----------

Quote:
Originally Posted by bluecar1 View Post
only problem with that is BT Retail use dynamic IP's

peter
I don't think that matters, it's the uid number that links you to your profile and they'd simply set a valid cookie over the stale one. I'm only giving examples, they could use the hostname of the site so long as we don't know the mechanism (security by obscurity).
isf is offline  
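
The point argued across the posts above (a hash alone gives no forgery protection, a secret key is needed), as an added PHP example that is not part of any post in the thread and not Phorm's mechanism: it contrasts the unkeyed XOR mask with an HMAC tag bound to the client address. All function names, the secret and the sample UIDs and addresses are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. Function names, the secret and all sample values are
// hypothetical and constructed here; nothing below is Phorm's actual mechanism.

// Unkeyed masking as sketched in the thread: UID XOR sha1(client IP).
function mask_uid(string $uid, string $ip): string {
    $key = hash('sha1', $ip);
    $out = '';
    for ($i = 0, $n = strlen($uid); $i < $n; $i++) {
        $out .= $uid[$i] ^ $key[$i % strlen($key)];
    }
    return $out;
}

// Keyed alternative: cookie = UID . "." . HMAC-SHA256(secret, UID|IP).
function issue_cookie(string $uid, string $ip, string $secret): string {
    return $uid . '.' . hash_hmac('sha256', $uid . '|' . $ip, $secret);
}

// Returns the UID when the tag verifies for this client address, else null.
function verify_cookie(string $cookie, string $ip, string $secret): ?string {
    $dot = strrpos($cookie, '.');
    if ($dot === false) {
        return null;
    }
    $uid = (string) substr($cookie, 0, $dot);
    $tag = (string) substr($cookie, $dot + 1);
    $expected = hash_hmac('sha256', $uid . '|' . $ip, $secret);
    // hash_equals compares in constant time.
    return hash_equals($expected, $tag) ? $uid : null;
}

function check(bool $ok, string $what): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

$secret = random_bytes(32);   // stays on the issuing server
$ipA  = '192.0.2.10';         // constructed (RFC 5737 documentation range)
$ipB  = '192.0.2.77';
$uidA = 'a1b2c3d4e5f60718';   // constructed identifiers
$uidB = '0f1e2d3c4b5a6978';

// 1. Unkeyed mask: every input is known to the receiving server, so the UID
//    can be unmasked and a different UID masked just as validly. No integrity.
$masked = mask_uid($uidA, $ipA);
check(mask_uid($masked, $ipA) === $uidA, 'unkeyed mask reversed with public inputs');
$substituted = mask_uid($uidB, $ipA);
check(mask_uid($substituted, $ipA) === $uidB, 'unkeyed mask accepts a substituted UID');

// 2. Keyed tag: valid from the issuing address only.
$cookie = issue_cookie($uidA, $ipA, $secret);
check(verify_cookie($cookie, $ipA, $secret) === $uidA, 'HMAC cookie verifies for its own address');
check(verify_cookie($cookie, $ipB, $secret) === null, 'HMAC cookie rejected from another address');

// 3. Substituting the UID while keeping the old tag fails verification.
$tampered = $uidB . substr($cookie, strlen($uidA));
check(verify_cookie($tampered, $ipA, $secret) === null, 'HMAC cookie rejected after UID substitution');

// 4. A tag computed without the secret does not verify either.
$guess = $uidB . '.' . hash('sha256', $uidB . '|' . $ipA);
check(verify_cookie($guess, $ipA, $secret) === null, 'unkeyed hash in place of the tag rejected');
```

The tag gives integrity only: the UID is still readable by every server that receives the cookie, and whoever holds the secret can still test candidate addresses against the tag, which is the IP-derivation concern raised in the thread.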
All times are GMT +1.