Phorm and the Computer Misuse Act...

David Biggins ukcrypto at chiark.greenend.org.uk
Thu, 24 Apr 2008 09:36:01 +0100


It is common to ignore the CMA as a relatively out-of-date and perhaps
toothless piece of token legislation - after all, CMA prosecutions are
somewhat rare, yes?

Nevertheless, it appears to me that Phorm and the ISP may be in breach
of the CMA on this one.

I am not of course a Lawyer,  but I would welcome the opinion of the
Lawyers and others better informed on legal matters than me, on this.

Forgive me if I lay this on with a trowel and repeat myself - I'm still
working this out...

In planting a "first party" cookie on a computer, when "third party
cookies" are disabled either by the browser, the user's firewall or
other means, Phorm is writing data to a user's computer, in a way that
specifically bypasses a common security mechanism - the blocking of
third-party cookies.

In other words they are deliberately bypassing a common security
mechanism in order to modify data on a user's computer, that the user
has deliberately sought not to authorise, by seeking to ensure that only
the actual owner of any website that they visit should be able to do this.

This appears to me to be a clear breach of:

	1(1) A person is guilty of an offence if:
		a) He/she causes a computer to perform
		any function with intent to secure access
		to any program or data held in a computer;

		b) the access he intends to secure is unauthorized; and

		c) he/she knows at the time when he causes
		the computer to perform the function that
		this is the case.

Data is being accessed on the user's computer.   It may be in the form
of a cookie.  But access is clearly taking place.

The fact that third party cookies are disabled, and only cookies from
the target website are enabled,  would appear to me to be a clear
indication that the intent of the owner of the computer is that such
access is unauthorised.

That Phorm are using advanced technical means to avoid a common security
measure, and deliberately bypassing the issue of third-party cookies
would seem to suggest that they are deliberately avoiding verifying that
they have such authorisation, knowing that it is significantly likely
that they do not.

Similarly

	3(1) A person is guilty of an offence if
		a) he/she does any act which causes the
		unauthorized modification of the contents
		of any computer; and

		b) at the time when he does the act he has
		the requisite intent and the requisite knowledge.

	3(2) for the purposes of subsection 3(1)b above the
	requisite intent is an intent to cause a modification
	of the contents of any computer and by so doing
		a) to impair the operation of any computer;
		b) to prevent or hinder access to any program
			or data held in any computer; or
		c) to impair the operation of any such program
			or the reliability of any such data.

In writing a first-party cookie, when Phorm is NOT the first party, and
when third-party cookies are blocked,  they are surely performing an
unauthorised modification of the contents of a user's computer,  and the
question of requisite intent and knowledge is, given the technical means
being employed, surely a given.

The purpose of this modification is to insert additional data (which as
others have pointed out, cannot always be removed before being sent to
the target website) which certainly may hinder access to ...  data held
in any (the target site's) computer, and may impair the consequent
reliability of program or data.

	17 Interpretation
		(2) A person secures access to any program or
		data held in a computer if by causing a computer
		to perform any function he-
			...
			(c) uses it; or
			(d) has it output from the computer in which
			it is held (whether by having it displayed or
			in any other manner);
			and references to access to a program or data
			(and to an intent to secure such access) shall
			be read accordingly.

Reading and writing of a cookie against the user's express statement in
policy that such cookies should only be written BY THE SITE OWNER is
both using the cookie and having it output from the computer "in any
other manner".

	(3) For the purposes of subsection (2)(c) above a person uses
	a program if the function he causes the computer to perform-
		(a) causes the program to be executed; or
		(b) is itself a function of the program.

Planting a cookie is a function of the browser, so clearly Phorm are
accessing the user's browser within the meaning of the act.

	(5) Access of any kind by any person to any program or
	data held in a computer is unauthorised if-
		(a) he is not himself entitled to control access
		of the kind in question to the program or data; and

It is difficult to believe that either Phorm or the ISP are entitled to
access first-party cookies for sites that they do not own, held on the
user's computer.

		(b) he does not have consent to access by him of the
		kind in question to the program or data from any person
		who is so entitled.

The blocking of third-party cookies would seem to be a sign that the
user has intended that only site owners should have cookie access to
their systems, so again, it would appear that Phorm do not have consent
in any form.

	(7) A modification of the contents of any computer takes place if,
	by the operation of any function of the computer concerned or any
	other computer-
		(a) any program or data held in the computer concerned is
		altered or erased; or
		(b) any program or data is added to its contents;

In the case of the Phorm cookies, data is being added to the cookie
collection both by the operation of the browser and of Phorm's systems.

	and any act which contributes towards causing such a modification
	shall be regarded as causing it.

Now we get to the real meat....

	(8) Such a modification is unauthorised if-
		(a) the person whose act causes it is not himself
		entitled to determine whether the modification should
		be made; and

Neither Phorm nor the ISP is entitled to determine whether it is
acceptable for them to write data to the user's machine.

		(b) he does not have consent to the modification from
		any person who is so entitled.

In particular, a third party writing data in the form of a third-party
cookie when third-party cookies are disabled, appears to be making a
deliberate attempt to write the data when they are not entitled to make
a decision to do so.

What does the team think?

Dave