Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[James_Firth]

Quote:

Originally Posted by Frank Rizzo

I will just point out one of the latest responses from them.

When I informed them that IP addresses are personally identifiable information, and thus they have a duty to investigate the processing of MY data under the DPA, they wrote back to me saying:

"As your internet connection was paid for by your limited company... the DPA only applies to living beings rather than companies ... we will therefore not investigate further."

Hi everyone. I'm a consultant been following the data profiling debate for a long time.

This is in my view a pretty serious misunderstanding. An IP address in itself *could* possibly be treated as personally identifiable information, because it could be traced to a living person.

But this is not the issue here. IP addresses are pretty much irrelevant as far as Phorm is concerned because Phorm scan the CONTENT of the IP stream to build a profile of an end user.

In my view the content of an IP stream potentially carries a large quantity of personally identifiable information, irrespective of whether the connection is rented by a Limited Company entity or a private individual.

The IP address itself is a red herring.

For example, a small news agent subscribes to a business broadband service. The owner of the news agent uses an unencrypted web-based email service set up and run by a third party. In the course of their business, the news agent will send and receive emails which may contain personal information about their employees or customers. E.g. employees providing an update on medical absences, customers ordering newspapers and magazines, which could belie religious, sexual and political preferences (e.g. specialist Christian magazines, right-wing newspapers, trades magazines).

One could argue that perhaps the business has been negligent in the protection of their customer and employees information by not using encryption, but this would be harsh since in my guesstimation many millions of emails are sent every year by businesses containing low-grade PII for various reasons.

And since even if the web interface was encrypted, the email itself would still be transmitted unencrypted to the recipient mail server, I think this point can safely be dismissed. After all, most people would happily telephone their employer and explain an embarrassing medical ailment, or phone their newsagent to order a magazine, and phone lines aren't encrypted. Nearly every UK ISP also runs a telephone service so I would argue parity here between email and telephone security, although I accept this is far from a simple comparison.

The issue here is that the IP stream itself contains PII, and that, in my opinion, it is not possible to accurately pre-filter all PII from the stream before profiling. Especially considering that there are a wide range of web-based message-passing communication services (social networking, professional discussion groups, religious groups, trades unions, etc), not all communications are in English, that there are an undeterminable number of methods of restricting access to web pages (non-standard authentication mechanisms), and the internet is used to communicate all manner of personal issues, including victim support groups, medical support groups, etc etc.

James Firth

Dalton Firth Ltd

EDIT

Forgot to mention that the other side of the coin is whether a profile of information can be linked to a living person. In the residential case, this is easy enough to argue, there is one user ID per individual. So long as there is some method of linking the ID to an account, e.g. network monitor within the ISP to link ID to account, or ID leaking as described by Richard Clayton, then the profile can if necessary be linked back to an individual. For a business this is harder to prove, however I can see an example where the person has a very strange name, and the profiler stores this name along with the other keywords from an email. It may, and this is a contentious point, be possible to link back. I think another way of looking at it would be to ask the ISP or software vendor (Phorm) to prove that it will NOT, under any circumstances, be possible to do this. And by prove I don't mean say: we've looked at this and it won't happen.

EDIT 2

In a business a user could be allowed to use the internet for personal use, e.g. lunch times and after work. They may also sit at the same desk each day and use the same computer. In this case the Phorm ID would be linked to that computer, and hence that employee, although to actually make this link one would need to either rely on Phorm leaking the ID as described by Richard Clayton or have a network sniffer in the company itself, to deduce the IP address of the machine. Either way it's a thin argument from the ICO to claim that a business subscriber has no claim to protection because the users of the connection would still be people and the data could still relate to individuals.

[phormwatch]

Looks like my account may have been suspended on the BT forums...

[D_Advocate]

Quote:

Originally Posted by rryles

Without conjecture we would not have mathematics or science and would not be having this conversation. Conjecture can be helpful and productive, so long as it is seen for what it is. The original poster of the 'information' was very clear that it could not be verified in any way.

Those of us that are waiting to see what will happen when and if the trials take place, and when and if the Webwise/Phorm product is launched and how it will affect us, are not really interested in what the theorists may deem as possible or conjectural - there is more immediacy than that, and unverifiable information is totally inconsequential at this point in time, even if it eventually proves to be correct.

Quote:

Absolute certainty is very rarely achievable. If you constrain yourself to it then you will get your wish of having no information at all.

Absolute certainty is achieved when an event happens. If and when the trials begin - if and when the product launches, it will have become a certainty. I do not wish to have 'no information', far from it, I simply wish for whatever information there is to be accurate: which though may not imply certainty, it is nearer to it than pure conjecture.

D_A

[SelfProtection]

Quote:

Originally Posted by D_Advocate

Those of us that are waiting to see what will happen when and if the trials take place, and when and if the Webwise/Phorm product is launched and how it will affect us, are not really interested in what the theorists may deem as possible or conjectural - there is more immediacy than that, and unverifiable information is totally inconsequential at this point in time, even if it eventually proves to be correct.



Absolute certainty is achieved when an event happens. If and when the trials begin - if and when the product launches, it will have become a certainty. I do not wish to have 'no information', far from it, I simply wish for whatever information there is to be accurate: which though may not imply certainty, it is nearer to it than pure conjecture.

D_A

What you require is Perfection, when you achieve it let me know!

Back to the debate as to whether or not this happens, as I've stated before time will tell!

[rryles]

Quote:

Originally Posted by D_Advocate

Absolute certainty is achieved when an event happens.

Philosophers would disagree, but that is way off topic.

Quote:

Originally Posted by D_Advocate

unverifiable information is totally inconsequential at this point in time, even if it eventually proves to be correct.

I disagree. Sometimes it is advantageous to act on unverifiable information, especially if you have nothing to loose from the information being wrong. If we make ready for a trail beginning in the next week and it fails to materialize then what do we loose?

[D_Advocate]

Quote:

Originally Posted by SelfProtection

You don't do any fishing then?

To quote: "There's a fine line between fishing and standing on the shore looking like an idiot." Steven Wright

I don't do either

D_A

[Florence]

Quote:

Forgot to mention that the other side of the coin is whether a profile of information can be linked to a living person. In the residential case, this is easy enough to argue, there is one user ID per individual. So long as there is some method of linking the ID to an account, e.g. network monitor within the ISP to link ID to account, or ID leaking as described by Richard Clayton, then the profile can if necessary be linked back to an individual. For a business this is harder to prove, however I can see an example where the person has a very strange name, and the profiler stores this name along with the other keywords from an email. It may, and this is a contentious point, be possible to link back. I think another way of looking at it would be to ask the ISP or software vendor (Phorm) to prove that it will NOT, under any circumstances, be possible to do this. And by prove I don't mean say: we've looked at this and it won't happen.

With me my name is Florence there is a town of Florence so my name repeated on a page would be profiled then I would be fed adverts about holidays in Florence.

Also people could then link me to this by my name also my mothers name is Florence..

The whole thing about Phorm on the network has too many Iffs and Buts to be safe...

[AlexanderHanff]

Quote:

Originally Posted by James_Firth

Hi everyone. I'm a consultant been following the data profiling debate for a long time.

This is in my view a pretty serious misunderstanding. An IP address in itself *could* possibly be treated as personally identifiable information, because it could be traced to a living person.

But this is not the issue here. IP addresses are pretty much irrelevant as far as Phorm is concerned because Phorm scan the CONTENT of the IP stream to build a profile of an end user.

In my view the content of an IP stream potentially carries a large quantity of personally identifiable information, irrespective of whether the connection is rented by a Limited Company entity or a private individual.

The IP address itself is a red herring.

For example, a small news agent subscribes to a business broadband service. The owner of the news agent uses an unencrypted web-based email service set up and run by a third party. In the course of their business, the news agent will send and receive emails which may contain personal information about their employees or customers. E.g. employees providing an update on medical absences, customers ordering newspapers and magazines, which could belie religious, sexual and political preferences (e.g. specialist Christian magazines, right-wing newspapers, trades magazines).

One could argue that perhaps the business has been negligent in the protection of their customer and employees information by not using encryption, but this would be harsh since in my guesstimation many millions of emails are sent every year by businesses containing low-grade PII for various reasons.

And since even if the web interface was encrypted, the email itself would still be transmitted unencrypted to the recipient mail server, I think this point can safely be dismissed. After all, most people would happily telephone their employer and explain an embarrassing medical ailment, or phone their newsagent to order a magazine, and phone lines aren't encrypted. Nearly every UK ISP also runs a telephone service so I would argue parity here between email and telephone security, although I accept this is far from a simple comparison.

The issue here is that the IP stream itself contains PII, and that, in my opinion, it is not possible to accurately pre-filter all PII from the stream before profiling. Especially considering that there are a wide range of web-based message-passing communication services (social networking, professional discussion groups, religious groups, trades unions, etc), not all communications are in English, that there are an undeterminable number of methods of restricting access to web pages (non-standard authentication mechanisms), and the internet is used to communicate all manner of personal issues, including victim support groups, medical support groups, etc etc.

James Firth

Dalton Firth Ltd

EDIT

Forgot to mention that the other side of the coin is whether a profile of information can be linked to a living person. In the residential case, this is easy enough to argue, there is one user ID per individual. So long as there is some method of linking the ID to an account, e.g. network monitor within the ISP to link ID to account, or ID leaking as described by Richard Clayton, then the profile can if necessary be linked back to an individual. For a business this is harder to prove, however I can see an example where the person has a very strange name, and the profiler stores this name along with the other keywords from an email. It may, and this is a contentious point, be possible to link back. I think another way of looking at it would be to ask the ISP or software vendor (Phorm) to prove that it will NOT, under any circumstances, be possible to do this. And by prove I don't mean say: we've looked at this and it won't happen.

EDIT 2

In a business a user could be allowed to use the internet for personal use, e.g. lunch times and after work. They may also sit at the same desk each day and use the same computer. In this case the Phorm ID would be linked to that computer, and hence that employee, although to actually make this link one would need to either rely on Phorm leaking the ID as described by Richard Clayton or have a network sniffer in the company itself, to deduce the IP address of the machine. Either way it's a thin argument from the ICO to claim that a business subscriber has no claim to protection because the users of the connection would still be people and the data could still relate to individuals.

Hi James and welcome to the thread. Some of us are probably familiar with your interests in these issues because we read UK Crypto, but it is still good to have you on board.

I agree with everything you have said, the IP Address is a red herring it is the content data that is the concern in my mind. IP address was originally raised as an issue because BT claimed Phorm never monitored IPs in the trials when the leaked report clearly shows that in fact they did, so it was more of a case of showing BT being less than upfront with the truth. I think everyone here will agree with you that the potential of PII data in the content of the data stream is a much more serious concern.

(Quick note to everyone else - I passed my exam )

Alexander Hanff

[Andrewcrawford23]

Congratulation Alex

BTW IP address can be used to identify a person and even identify where they live hence why it illegal to hack he he

[AlexanderHanff]

Quote:

Originally Posted by Andrewcrawford23

Congratulation Alex

BTW IP address can be used to identify a person and even identify where they live hence why it illegal to hack he he

Your sig would probably be classed as PII but I doubt very much that Phorm have implimented a "filter" for it. It would be impossible for Phorm to cover all the bases there are so many illnesses, disabilities, religions, sexual preferences, political preferences etc. etc. that it would literally be impossible to guarantee that no PII data would ever be picked up by the system.

(No offense by the way it was just a timely example to use; my missus is dyslexic to.)

Alexander Hanff

[icsys]

Quote:

Originally Posted by mark777

Make of this what you will. I have no evidence of any authenticity.

Yesterday evening whilst posting a few flyers under car wipers in the
local Tesco's, a chap came up to me with the flyer in his hand.

He claimed to know many BT managers and hinted that he was one himself.

From what he said he clearly knew about webwise and did not like it, telling me the following :-

1) The trial is likely to launch during the early stages of the Olympics, in an attempt to avoid the News "Silly Season".

2) It is likely that if the trial starts, at least 2 very damaging BT documents will leak. One of which will be from a BT group company outside BT Retail.

As I say, no evidence, but the next few days will tell.

I see no reason why this information should not be accepted at face value.
It is entirely possible that BT will start the trial whist reporting of the 'Games' deflects attention from it.

[AlexanderHanff]

Just had an email from another journalist who is putting together a story based around the EU Commission getting involved; I will be providing him with a commentary on the issues over the weekend and it goes to press on Tuesday/Wednesday next week. I will provide more details as I get them.

I will also be sending out an FOIA Request to BERR tomorrow for full disclosure of the letter they have received from Commissioner Reding (although we may get it sooner than that if things pan out as planned with another press contact who has contacts in the EU Commission - more on that at an appropriate time).

Alexander Hanff

---------- Post added at 16:03 ---------- Previous post was at 15:58 ----------

Oh and I almost forgot, been keeping this one under wraps but I am currently (with a few others) in the process of setting up a registered charity called Privacy Online and you will all be very pleased to hear that the Earl of Northesk has agreed to be on the Board of Trustees. NoDPI will become a Privacy Online campaign once everything is set up.

[mark777]

Quote:

Make of this what you will. I have no evidence of any authenticity.
{snip}
As I say, no evidence, but the next few days will tell.

As the original poster, could I suggest that people don't get drawn into a circular argument over this. Just wait and see.

Circular arguments benefit phorm and it's minions.

[phpscott]

That is good news Alex, both about the exam and the registerd charity. If there is anyway that I can be of help please let me know.
The longer this goes on the more a long term solution is needed, not just for DPI but for many other Privacy Issues as well.

[D_Advocate]

Quote:

Originally Posted by rryles

Philosophers would disagree, but that is way off topic.

I suspect that the majority of the 9 million plus broadband subscribers that will possibly be affected by Webwise/Phorm are not philosophers.

Quote:

I disagree. Sometimes it is advantageous to act on unverifiable information, especially if you have nothing to loose from the information being wrong. If we make ready for a trail beginning in the next week and it fails to materialize then what do we loose?

Credibility.

D_A