Posts by Midnight_Voice

No Mistake at All

@Dervla - please tell me this is a joke on your part?

But in case it's not::

(i) Phorm has been tested three times by BT; twice illegally by stealth and once openly. But in any case, if the authorities have reason to believe that someone or some body is proposing to commit an illegal act or acts, then they can and must act to forestall it. This is the case here.

(ii) You forget the websites. A user may give permission to Phorm to read what he/she types in on the internet, but no user can give unilateral permission for Phorm to intercept the response from my website. And given that Phorm will use what it reads to, in effect, alert any of my competitors who use Phorm's OIX ad-serving system and try to wrench sales away from me, I don't *want* Phorm intercepting my responses. It's a very real privacy issue for me.

(iii) As it happens, we know *exactly* how Phorm is/was planned to be implemented. The details going forward may be done a little differently, but UK and EU law remain crystal clear on what is and what is not permitted. And currently, Phorm, rather than accepting those laws and trying to work within them, is in denial that they even apply to it.

Kent has suggested that us calling Phorm 'illegal' is 'emotive'. Which is very odd, as I doubt that he would regard the advice he purports to have sought as to Phorm's legality as 'emotive'.

Rather, he would think it an objective view; as indeed, is the FIPR's chapter-and-verse statement of the opposite view. IANAL, but their guy is.

But as I said above, we already have the laws we need; just not, apparently the will amongst the powers that be to enforce them. But if our new ally Viviene can administer the appropriate kick in the privates, perhaps they will learn that they should not expose themselves to this charge.

Settling their hash

If I were one of those big websites, I'd wait until an ISP had been running an in-ISP BT tracker for oh, about 30 seconds, establish that it was phorging cookies with my site's name in them, and get an instant High Court 'cease and desist' injunction against the ISP and whoever supplied them with the software that did that.

Sure all those big websites are using, or considering, BT of their own.

But you think they will just let some in-ISP pipsqueak upstart BT tracker come along and muscle in?

In the IIPUBTT's dreams...

Paris, because she certainly knows how to raise the bar...

Excellent News!

Phorm is illegal in about six different ways, but the UK government is deeply scared to act, lest the ruling given would also have the wider implication of scuppering their own plans for using DPI on all us law-abiding citizens.

So more power to the EU's elbow - right must triumph here.

Paris, because she knows all about being scuppered unexpectedly

@Luther - Phorm will never be both legal and viable

Luther, I think you may be making the common mistake of forgetting that RIPA requires consent from both sides - (a) the user browsing a website, and (b) the website being browsed.

While there are feasible technical changes that might satisfy (a), as long as it was drop-to-wire around all the Phorm equipment for users who declined to opt in, it will always be quite impracticable for Phorm to assume the consents required under (b).

The Home Office advice suggesting that there existed some kind of implied consent for this was demonstrably wrong on all levels.

So (b) also must require explicit opt-in, which very few websites outside of Phorm's advertising partners would want to give.

The bottom line is that any legal way of operating Phorm would be so restricted in scope that it would lose all purpose, and would simply not be viable.

Paris, because her consent could not be implied either

Slow light?

@Johnny Five

Quite right. That delay should be 3.5 minutes - 20 minutes, not 3.5 hours.

I might have worried that as a result NASA was embarking on an unnecessarily complicated project, but their press release has it right:

http://www.nasa.gov/home/hqnews/2008/nov/HQ_08-298_Deep_space_internet.html

It's just the journo who got it wrong.

Paris, because she likes to travel light as well

@RotoCyclic -In another article here on The Register I read the government's response to the EU.

Did you? Please give the reference, as I'd love to read it too. Are you sure you didn't just read a press release about it?

Apart from it stressing the importance of openness and transparency as to what Phorm do, we don't really know what it contains.

As the openness and transparency don't apparently extend to the letter itself.

Paris, because she at least knows about openness and transparency

What poll where?

How do we find this poll then? I can't find it on Toluna's site, even searching on Webwise, which gives no results.....

Paris, because you always get a result with her......

Non-Innovator?

I suppose this guy thinks BluRay invented itself, then?

Paris, because she gets Akers of news coverage for not very much as well

@Mark

Follow the money. If Phorm overwrote other people's ads, those other people would detect this, and have something to say about it, and fast.

i.e. it's not something that Phorm could keep secret from people who have a commercial interest in them not doing it.

You are quite right that you and I might not know it was happening, but the overwritten advertisers would.

While I wouldn't put anything past Phorm - or BT for that matter - I do think they are clever enough only to do things they think they can get away with. Not, of course, that they are quite clever enough to know when this will be true....

Re Adblock, though, why would you want to just block Phorm/OIX ads?

I block the lot, no matter where they come from.

Paris, because she can inspect my packet any time she likes

Parasitic Inphection

On BadPhorm, we were aware of this several weeks ago. On 14th March, I posted:

"I used to be in a six-person company called XYZ Ltd. (Not really XYZ, but that will protect their privacy). We'd been going for about 8 years, a small fish in a small pond, when a reporter called us up to ask about our involvement with the (Government) Department of Something-Or-Other's new XYZ initiative, which they were rolling out bigtime across the UK.

Not us, we said, and thought no more about it. But after the third reporter had called us, we got worried. When we talked to our solicitor, he was clear that even though we were XYZ Ltd and this was just a scheme called XYZ, they were infringing our rights. And worse, that if we did nothing, then once this scheme was widely public, they could (and probably would) come back and stop us using our name, on the grounds we were passing off.

Accordingly, our small provincial solicitor wrote a letter to the Department concerned, setting out our position, notably our claim to prior usage.

Back came a six-page reply from the biggest name in intellectual property protection, very serious London law firm heavyweights. The first five pages huffed and puffed, but on the sixth page they blew their own house down, instead of ours, and announced that the initiative would be choosing a new name. No conditions, no non-disclosure, no gagging clause; just total and utter capitulation.

You probably know that initiative - it appears in the press all the time - but I'm not going to name it.

The letter cost us £600, but this was peanuts compared to losing and having to change all our business paperwork, product documentation, and the sign outside our door, etc.

So if you guys at Phorm Design are watching (and I'm told you are), then make no mistake:

(i) you need to act unless you want to lose your company name;

(ii) Phorm may claim that no-one could accuse them of passing-off as you, but that isn't the issue;

(ii) you should expect to win, and relatively cheaply.

If you want to know any more, leave a message here, and I'll get in touch about this."

But they didn't :-(

Paris Hilton, as she could easily be conphused with a French hotel.....

The cracks are appearing...

Phorm say:

We think it is unethical of the Register to seek to undermine a technology that enhances online privacy - Phorm's system ensures that ads are served with no data storage - something that will benefit readers of the Register and other websites.

I say:

This rather intemperate response means they are rattled.

Keep up the pressure, El Reg, BadPhorm, DePhormation, and everybody else who cares about this.

And if you need further encouragement, read:

http://www.thespoof.com/editorials/index.cfm?eID=2564

for a perhaps insufficiently satirical look at where this will all end up if we don't keep up the pressure....

But I am sure we can. And I sincerely hope Kent Ertugrul's phlight back to the USA goes from Terminal 5.

Paris, because her baggage will always follow her around, no matter what

You missed...

Hi, UKMisInPhormation Team here, and we'd just like to say that reports of our technology being a bad thing are very wide of the mark. We're sure that if we could just work with Jesus, Buddha, and other religious leaders to show them how our system really operates, they'd lift this terrible plague of boils and pustules we've been infected with.

Also, reports that our US CEO was last seen climbing the Empire State building, beating his chest and fighting off biplanes, were slightly exaggerated; and our UK CEO has, we believe, just been nominated for the Nobel Peace prize for services to humanity, though that is still unconfirmed at the moment.

Paris, because a 'real butt' beats a 'rebuttal' any day of the week...

You can't run with the hare and hunt with the hounds

As we used to say until the government banned the latter anyway. But this is a proverb that Simon Davies might do well to master.

I'm sure that Ross Anderson and Richard Clayton are smart enough to know it; and to know that their respect in the field would melt like April snow if they were even to consider taking Phorm's shilling.

And what is the best they could they say anyway? "We've looked at this code, and the good news is the system is only as bad as we thought"? While the bad news is that's quite bad enough anyway.

But I also want to touch on an aspect of the system that Phorm seem to be keen to keep terribly quiet about, and it's one of the most disquieting.

They make much of 'the browsing data never leaving the ISP' and the 'equipment being physically at the ISP's premises'. But where is the profiled channel information associated with each unique user cookie being kept? Now that we know there is nothing in a Phorm cookie but that unique ID, the channel data must be elsewhere. And that means a path for data out of the ISP, to Phorm's servers.

OK, it's just the aggregated channel data, and not any of the actual browsing details, we are told. But it's worrying that the path is even there; this isn't the closed system within the ISP that Phorm would like us to believe. And indeed, can we be sure that the traffic is all one-way? And that it is, and will remain, only what Phorm say it is? After all, Phorm aren't going to let the ISPs see the Phorm code that's running on the servers inside the ISP systems.

Not sure this is how it's going to work? Check out this paragraph from the E&Y privacy audit:

"If you use your computer and usual browser in a country other than your home country to log on to the Internet via one of our partner ISPs in that other country, the data that Phorm holds in its system that is associated with that cookie may be automatically transferred to Phorm's systems in that other country."

So go abroad, start surfing via a Phorm-using ISP there, and the system is going to phone home for your UK channel information. Hmmm.

But hang on a minute; all it has is a supposedly 'random' UID that it can't trace you with. So how is it going to even know where 'home' is, if that is the case? Maybe this random UID is not so random after all?

Home Office Advice

I think the Home Office advice was quite clever.

While one suspects that the author was under a certain amount of pressure to come up wit the 'right' answer - one that would not leave BT wide open after last year's covert illegal trials of the Phorm technology - he has listed all the reasons why Phorm might be illegal, and the exact parts of RIPA that they fall under, effectively channelling Phorm into the one path of possible legality which requires the 'implied consent' of visited websites.

And then briefly suggests that this may be the case, and closes.

But as Professor Peter Sommer points out, and as the raft of 'denial of RIPA consent' headings on Phorm-aware websites is now making explicitly clear, such consent cannot be presumed.

So whither now, for Phorm?

Phorm and RIPA

Re the Home Office letter:

Paras 6 and 8 seem to confirm the view that Phorm are doing interception as defined under RIPA.

Para 9, I am guessing, applies to the non-processed data from opt-outs. But I don't think it is sound; the filter belongs to the 'person' (Phorm), and even though the person elects to do nothing with it, they could have processed it, so it has been made available to them. You'll notice that Phorm talk about 'our servers' at the ISP, and not about 'our software' on the ISP's servers.

Para 13 makes it clear that *both* ends must consent to the interception, for it to be authorised. So the subsequent OIX use for ad serving is entirely legal. But that is then what the letter goes on to talk about.

Instead, it should be considering the data collection at the ISP; *I* might consent to my end of a session with 'WebHost', but unless WebHost also consents, we have unauthorised interception.

The argument in para 15, for possible implied consent by WebHost, can be rapidly dismissed. Until I contact WebHost, they have no knowledge that a message is coming, and so cannot possibly have consented to its being intercepted unless they have issued some sort of blanket permission for this, in advance; and such permission could hardly be an implied permission.

We then hardly have to consider the second leg, where WebHost reply to me and the communication is again intercepted, without their knowledge. However, if we must, I need only point out that if what WebHost provide is a paid-for, password-protected, service, then the presumption of any implied consent to interception must also fail.

Re paras 16-18, I'd suggest that the lawful interception under 3(3) doesn't apply, as the Phorm data collection is clearly additional to the services needed to provide the ISP service. (Indeed, if it wasn't, then I couldn't be posting here now). And it's stretching the definition to breaking point to interpret it otherwise.

However, if what Phorm are planning is allowable under 3(3), then no sender or receiver permissions would be required. and the recommendation in para 20 would be just that - a recommendation. But it seems clearly wrong that this should be so, and para 20 should be enforceable in law, in my view.

Para 21 remains wrong about being able to assume the implied consent of web hosts. Especially, I would imagine, rival advertising services.

Para 22 I find wrong as well. However, I then have a difficulty in that the spam-blocking service provided by my other ISP, and which I have cheerfully opted into, would also seem to me not to be lawful interception under 3(3). And if not, I very much doubt that the spammers have given their consent, implied or otherwise, under section 2.

Anyone help me square this circle?

malPhormed name

Get Net Lurker!

Seems kind of apt, somehow......