Full Disclosure

[Ian Batten]

It's widely believed that it's trivial for a webserver to obtain a  
user's Phorm ID, either by linking to an image served via https or via  
some Javascript (Bohm para 6).

There are many web servers which operate services that require a a  
pseudonym of some sort: blogs and forums.  And they're not _that_  
pseudononymous; it wouldn't require a genius to find the ID I've used  
for the last year or so on a couple of non-technology forums, for  
example.

Were such a web server to capture the Phorm ID and publish it next to  
each posting, who stands where, legally?

Yes, the web server that captured the pairs has been a bad boy  
morally, although it's hard to see what they've done wrong legally:  
they took a cookie that's legitimately in their domain and published  
the contents, contents that they're assured aren't personally  
identifiable.

What about Phorm?  They've sworn blind that the cookie isn't dangerous  
personally identifiable information, after all.

And what about the ISP?  They placed the original tracing cookie, but,  
again, it's not personally identifiable.

Ah, now suppose some porn site does the same thing, and routinely  
publishes a list of URLs accessed against Phorm IDs.   You can now map  
forum postings, which may well contain enough to track someone down,  
to taste in porn...

ian