- 06-17-2008 #1
More about phorm
Some of you may remember that I wrote to my MP about the phorm project. Well, I finally got an answer enclosing the report on phorm by the Information Commissioners Office (they're the people who police the Data Protection Act). You can find it here
As you can see, they don't actually store your IP address, only a random ID number stored in a cookie. Presumably your ISP puts this cookie on your computer since I don't imagine anyone is going to go to phorm's site in order to get a tag slapped on them. The ISP is not supposed to be able to link this number with your address, which I find puzzling: do they receive the numbers from phorm in encrypted form?
Phorm also claim that they don't store your browsing history. Perhaps they don't keep it once they've profiled you but surely they must somehow store it until then.
Out of three ISPs, only BT is going ahead with a trial and only on an opt-in basis. I bet that wasn't the original plan!
"I'm just a little old lady; don't try to dazzle me with jargon!"
- 06-17-2008 #2
Thanks for the update Hazel ... good news about opt in rather than opt out
- 06-17-2008 #3
Perhaps a dumb question, but I'm not sure how the method of operation squares with the scope of cookies.
First of all, as I understand cookies, when you visit a site you send all of the cookies associated with that domain. That site in turn can only set cookies for its own domain. That scope can be limited further, but not increased.
How can anyone set a unique cookie on my computer that gets sent with *every* request? Or do we end up with a per-site tracking cookie and, if so, how are they aggregated into a complete browsing picture?
Of course, my understanding of cookies might be wrong, they aren't exactly my speciality.
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 06-18-2008 #4
You're right, cookies should be, and normally are, on a per domain basis, but BT and Phorm intercept your connection and monkey around with it. Amongst other things, they pretend to be the domain you want which allows them to do whatever they like with the cookies for that domain.
Dr Richard Clayton, a respected security researcher from Cambridge University, has done some analysis of the Phorm system and how it works. He went to Phorm and worked with them, so it's a view from the inside, so to speak, and he doesn't like what he sees.
His blog posts about it, which contain links to download his reports, are here: Light Blue Touchpaper
A forum that discusses the implications and ways to fight this system is at www.badphorm.co.uk. I've only posted once there and they seem like a nice helpful bunch, and I'm sure they'll try and answer any specific questions you have.
- 06-18-2008 #5
I'm of the opinion that Phorm is a gross invasion of privacy. As a result, I am urging people to contact their ISP and let them know that if they use the Phorm technology even as opt in they will close their account and move away.
Phorm snooping will only happen if we let it.
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
- 06-18-2008 #6
Hi there, CookingFat suggested I join up and chip in (excuse the pun).
Cookies would normally be private to a specific domain or host. There's no such thing as a 'global' cookie, for good reason (privacy and security).
What Phorm do is this: suppose you request a web page. Phorm intercept your request. If a user ID cookie has not been set for the given domain, they intercept your page request and respond with a redirect to their Webwise domain; the Webwise domain responds with a redirect back that includes the user ID; the request for the original site, which now includes a user ID parameter, is again used by Phorm to respond with a cookie-setting instruction.
Finally your request is allowed to proceed to the target web site... and Phorm have implanted a cookie on your browser (one for each and every domain you visit) which allows them to uniquely identify you wherever you wander on the net.
That's why it's being alleged a RIPA/Fraud/Computer Misuse offence... Phorm seriously interferes with the integrity of the communication between browsers and hosts, and in the process fakes host responses and cookies.
Now it gets really interesting when you look at their absurd cookie based opt out. They have to inspect your communications in the same way to determine whether you're opted out. So even if you're opted out, the same interference applies, and some have suggested Phorm still copy your traffic but (if you believe people who push spyware/adware and conducted illicit trials of this stuff twice) don't analyse it for profile data.
It's simply appalling.
It should be opt in for customers, where opt in means I do nothing and none of this affects me in any way, none of my traffic passes through their equipment.
It should be opt in for content creators and web site owners, where opt in means I do nothing and none of my content is ripped off, copied, processed and sold to create user profiles.
The only way to protect the privacy, security and integrity of your comms is a move to a Phorm free ISP.
Pete
PS. If you're with BT internet, you should be aware of this warning. If you visit webwise.bt.com, BT reveal your BT.com username and a security credential to Phorm as cookies.
PPS. If you want to write to your MP, I've made it easy for you. Click here - this page will find your MP's name, and write a brief letter for you. All you have to do is print it, and supply an envelope & stamp.
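Added example, not part of the original post and not Phorm's or BT's code: a Python check that flags the redirect-and-cookie sequence described in post #6 when it appears in a browser-side record of responses. The trace is constructed; example.org, the `/bounce` path, the `uid` parameter and cookie name, its value and the 307 status codes are assumptions, and only the webwise.net host is taken from the thread.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed trace of the responses a browser receives for one page request.
# example.org, the /bounce path, the "uid" name, its value and the 307 status
# are assumptions; only the webwise.net host is named in the thread.
TRACE = [
    {"url": "http://example.org/page", "status": 307,
     "location": "http://webwise.net/bounce?back=example.org", "set_cookie": None},
    {"url": "http://webwise.net/bounce?back=example.org", "status": 307,
     "location": "http://example.org/page?uid=CONSTRUCTED123", "set_cookie": None},
    {"url": "http://example.org/page?uid=CONSTRUCTED123", "status": 307,
     "location": "http://example.org/page", "set_cookie": "uid=CONSTRUCTED123; path=/"},
    {"url": "http://example.org/page", "status": 200,
     "location": None, "set_cookie": None},
]

def host(url):
    return urlsplit(url).hostname

def is_redirect(resp):
    return 300 <= resp["status"] < 400 and bool(resp["location"])

def find_bounce_cookies(trace):
    """Return (site, bounce_host, cookie_name) for each cookie set in a site's
    name whose value was handed over in a redirect from a different host."""
    findings = []
    for first, bounce, back in zip(trace, trace[1:], trace[2:]):
        site = host(first["url"])
        # Step 1: the response in the site's name redirects to another host.
        if not is_redirect(first) or host(first["location"]) == site:
            continue
        # Step 2: that host redirects straight back, adding query parameters.
        if not is_redirect(bounce) or host(bounce["location"]) != site:
            continue
        handed_over = {v for _, v in parse_qsl(urlsplit(bounce["location"]).query)}
        # Step 3: the next response in the site's name sets a cookie whose
        # value is one of the parameters the other host handed over.
        name, _, rest = (back["set_cookie"] or "").partition("=")
        if host(back["url"]) == site and rest.split(";")[0] in handed_over:
            findings.append((site, host(first["location"]), name))
    return findings

if __name__ == "__main__":
    print(find_bounce_cookies(TRACE))
```

A single match is not conclusive, since a single sign-on bounce has the same shape; the same bounce host turning up in this pattern across many unrelated sites is the signal to look for.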
- 06-18-2008 #7
Thank you all for clarifying.
I may be proving my limited understanding of the technical mechanisms behind this highly concerning matter, but what stands in our way of doing:
Code:
ln -s /dev/null /path/to/phormcookie
Can't tell an OS by its GUI
- 06-18-2008 #8
If I remember correctly, blocking webwise.net from setting cookies effectively prevents you from using the internet. From my dodgy memory, I think it's covered in one of Dr Clayton's Posts/documents.
- 06-18-2008 #9
Ah, that answers the aggregating question. Thanks for clearing that up.
This page on badphorm suggests that blocking webwise.net blocks phorm.
Quote: If I remember correctly, blocking webwise.net from setting cookies effectively prevents you from using the internet. From my dodgy memory, I think it's covered in one of Dr Clayton's Posts/documents.
On the other hand I have no particular reason to trust them. Complaints to the ISP ahoy.
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 06-18-2008 #10
A genuine opt in system would be acceptable but does not look as though it will be implemented ... only option left if ISP implement is change ISP. Complaint to my ISP got a standard response telling me how they are looking after my interests and what a good idea this is



