  1. #1
    Linux Engineer hazel's Avatar
    Join Date
    May 2004
    Location
    Harrow, UK
    Posts
    949

    More about phorm

    Some of you may remember that I wrote to my MP about the phorm project. Well, I finally got an answer enclosing the report on phorm by the Information Commissioner's Office (they're the people who police the Data Protection Act). You can find it here.


    As you can see, they don't actually store your IP address, only a random ID number stored in a cookie. Presumably your ISP puts this cookie on your computer since I don't imagine anyone is going to go to phorm's site in order to get a tag slapped on them. The ISP is not supposed to be able to link this number with your address, which I find puzzling: do they receive the numbers from phorm in encrypted form?

    Phorm also claim that they don't store your browsing history. Perhaps they don't keep it once they've profiled you but surely they must somehow store it until then.

    Out of three ISPs, only BT is going ahead with a trial and only on an opt-in basis. I bet that wasn't the original plan!
    "I'm just a little old lady; don't try to dazzle me with jargon!"

  2. #2
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    2,940
    Thanks for the update Hazel ... good news about opt in rather than opt out

  3. #3
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    658
    Perhaps a dumb question, but I'm not sure how the method of operation squares with the scope of cookies.

    First of all, as I understand cookies, when you visit a site you send all of the cookies associated with that domain. That site in turn can only set cookies for its own domain. That scope can be limited further, but not increased.

    How can anyone set a unique cookie on my computer that gets sent with *every* request? Or do we end up with a per-site tracking cookie and, if so, how are they aggregated into a complete browsing picture?

    Of course, my understanding of cookies might be wrong, they aren't exactly my speciality.

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  4. #4
    Just Joined!
    Join Date
    Jun 2008
    Posts
    0
    You're right, cookies should be, and normally are, on a per domain basis, but BT and Phorm intercept your connection and monkey around with it. Amongst other things, they pretend to be the domain you want which allows them to do whatever they like with the cookies for that domain.

    Dr Richard Clayton, a respected security researcher from Cambridge University, has done some analysis of the Phorm system and how it works. He went to Phorm and worked with them, so it's a view from the inside, so to speak, and he doesn't like what he sees.

    His blog posts about it, which contain links to download his reports, are here: Light Blue Touchpaper

    A forum that discusses the implications and ways to fight this system is at www.badphorm.co.uk. I've only posted once there and they seem like a nice helpful bunch and I'm sure they'll try and answer any specific questions you have.

  5. #5
    Trusted Penguin elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    2,288
    I'm of the opinion that Phorm is a gross invasion of privacy. As a result, I am urging people
    to contact their ISP and let them know that if they use the Phorm technology even as opt in
    they will close their account and move away.

    Phorm snooping will only happen if we let it.
    If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)


    My new blog. It's probably not as good as I think it is.

  6. #6
    Just Joined!
    Join Date
    Jun 2008
    Location
    I live in a free, democratic country. Or at least, used to.
    Posts
    0
    Quote: Originally posted by kakariko81280
    Perhaps a dumb question, but I'm not sure how the method of operation squares with the scope of cookies.

    First of all, as I understand cookies, when you visit a site you send all of the cookies associated with that domain. That site in turn can only set cookies for its own domain. That scope can be limited further, but not increased.

    How can anyone set a unique cookie on my computer that gets sent with *every* request? Or do we end up with a per-site tracking cookie and, if so, how are they aggregated into a complete browsing picture?

    Of course, my understanding of cookies might be wrong, they aren't exactly my speciality.

    Chris...
    Hi there, CookingFat suggested I join up and chip in (excuse the pun).

    Cookies would normally be private to a specific domain or host. There's no such thing as a 'global' cookie, for good reason (privacy and security).
    What Phorm do is this; suppose you request a web page. Phorm intercept your request. If a user ID cookie has not been set for the given domain they intercept your page request, and respond with a redirect to their Webwise domain, the Webwise domain responds with a redirect back that includes the user ID, the request for the original site that now includes a user ID parameter is again used by Phorm to respond with a cookie setting instruction.

    Finally your request is allowed to proceed to the target web site... and Phorm have implanted a cookie on your browser (one for each and every domain you visit) which allows them to uniquely identify you wherever you wander on the net.

    That's why it's being alleged a RIPA/Fraud/Computer Misuse offence... Phorm seriously interferes with the integrity of the communication between browsers and hosts, and in the process fakes host responses and cookies.

    Now it gets really interesting when you look at their absurd cookie based opt out. They have to inspect your communications in the same way to determine whether you're opted out. So even if you're opted out, the same interference applies, and some have suggested Phorm still copy your traffic but (if you believe people who push spyware/adware and conducted illicit trials of this stuff twice) don't analyse it for profile data.

    It's simply appalling.

    It should be opt in for customers, where opt in means I do nothing and none of this affects me in any way, none of my traffic passes through their equipment.

    It should be opt in for content creators and web site owners, where opt in means I do nothing and none of my content is ripped off, copied, processed and sold to create user profiles.

    The only way to protect the privacy, security and integrity of your comms is a move to a Phorm free ISP.

    Pete

    PS. If you're with BT internet, you should be aware of this warning. If you visit webwise.bt.com, BT reveal your BT.com username and a security credential to Phorm as cookies.

    PPS. If you want to write to your MP, I've made it easy for you. Click here - this page will find your MP's name, and write a brief letter for you. All you have to do is print it, and supply an envelope & stamp.
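
Added example, not part of Pete's post or of any Phorm or BT material: a check a defender could run over a browser network log to spot the redirect bounce described above, where an ID handed back in the URL ends up as a cookie for the site itself. The traces are constructed; paths, parameter names and cookie names are assumptions, and webwise.net is the domain named elsewhere in this thread.

```python
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed traces: (request URL, status, response headers) per hop, as a
# browser's network log would show them. Paths, parameter and cookie names are
# made up; webwise.net is the intermediary domain named in the thread.
INTERCEPTED = [
    ("http://news.example/story", 307,
     {"Location": "http://webwise.net/bind?back=http%3A%2F%2Fnews.example%2Fstory"}),
    ("http://webwise.net/bind?back=http%3A%2F%2Fnews.example%2Fstory", 307,
     {"Location": "http://news.example/story?wuid=a1b2c3d4"}),
    ("http://news.example/story?wuid=a1b2c3d4", 307,
     {"Location": "http://news.example/story", "Set-Cookie": "wuid=a1b2c3d4; Path=/"}),
    ("http://news.example/story", 200, {}),
]
SSO_LOGIN = [  # benign look-alike: the cookie value is not the URL parameter
    ("http://shop.example/account", 302, {"Location": "http://sso.example/login"}),
    ("http://sso.example/login", 302, {"Location": "http://shop.example/cb?code=zz91"}),
    ("http://shop.example/cb?code=zz91", 200, {"Set-Cookie": "session=77fe01; Path=/"}),
]

def host(url):
    return urlsplit(url).hostname

def find_id_bounce(trace):
    """Return details of every site -> third party -> site bounce in which a
    value handed back in the URL is then stored as a cookie for the site."""
    findings = []
    for (u1, s1, h1), (u2, s2, h2), (u3, _s3, h3) in zip(trace, trace[1:], trace[2:]):
        if not (300 <= s1 < 400 and 300 <= s2 < 400):
            continue
        site, middle = host(u1), host(u2)
        if middle == site or host(u3) != site:
            continue
        if h1.get("Location") != u2 or h2.get("Location") != u3:
            continue  # hops are not one redirect chain
        url_values = {v for _k, v in parse_qsl(urlsplit(u3).query)}
        cookies = SimpleCookie(h3.get("Set-Cookie", ""))
        for name, morsel in cookies.items():
            if morsel.value in url_values:
                findings.append({"site": site, "via": middle,
                                 "cookie": name, "id": morsel.value})
    return findings

if __name__ == "__main__":
    print(find_id_bounce(INTERCEPTED))
    print(find_id_bounce(SSO_LOGIN))
```

The second trace shows why the cookie-equals-URL-value test matters: an ordinary single sign-on round trip has the same redirect shape but does not copy the returned parameter into a cookie.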


  7. #7
    Linux Engineer Freston's Avatar
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,047
    Thank you all for clarifying.

    I may be proving my limited understanding of the technical mechanisms behind this highly concerning matter, but what stands in our way of doing:
    Code:
    ln -s /dev/null /path/to/phormcookie
    Can't tell an OS by its GUI

  8. #8
    Just Joined!
    Join Date
    Jun 2008
    Posts
    0
    If I remember correctly, blocking webwise.net from setting cookies effectively prevents you from using the internet. From my dodgy memory, I think it's covered in one of Dr Clayton's Posts/documents.

  9. #9
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    658
    Quote: Originally posted by Dephormation
    What Phorm do is this; suppose you request a web page. Phorm intercept your request. If a user ID cookie has not been set for the given domain they intercept your page request, and respond with a redirect to their Webwise domain, the Webwise domain responds with a redirect back that includes the user ID, the request for the original site that now includes a user ID parameter is again used by Phorm to respond with a cookie setting instruction.
    Ah, that answers the aggregating question. Thanks for clearing that up.

    If I remember correctly, blocking webwise.net from setting cookies effectively prevents you from using the internet. From my dodgy memory, I think it's covered in one of Dr Clayton's Posts/documents.
    This page on badphorm suggests that blocking webwise.net blocks phorm.

    On the other hand I have no particular reason to trust them. Complaints to the ISP ahoy.

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  10. #10
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    2,940
    A genuine opt in system would be acceptable but does not look as though it will be implemented ... only option left if ISP implement is change ISP. Complaint to my ISP got a standard response telling me how they are looking after my interests and what a good idea this is
