Full Disclosure

Barrie Dempster ukcrypto at chiark.greenend.org.uk
Sun, 27 Apr 2008 18:37:15 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian Batten wrote:
<snip>
| Were such a web server to capture the Phorm ID and publish it next to
| each posting, who stands where, legally?
<snip>

There are a number of ways the 3rd party website can take this cookie
info and expose or gather information on the user.

One method I noticed while reading through the technical summary
provided by Richard Clayton was the potential for the 3rd party site to
take the cookie and then resubmit this in requests via a Phorm
participating provider. This would allow them to gain access to the data
held by Phorm on you (by analysing the types of ads served from Phorm's
servers).

This links your Phorm ID to the user ID on the 3rd party site and then
also leaks the info Phorm has gathered on you. So they know who you are
and what you like - even if Phorm don't. The current mechanism isn't
anywhere near as anonymous as Phorm would like it to be, or like us to
believe.

This cookie-based implementation is bad.


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

- http://reboot-robot.net -

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIFLnDsYtTQpYCX9ARAq01AKCsturiOtrIXu6W3OFiKif+AZS8FgCg8DeR
oETywWxlB8dXb5yI++HPw7Q=
=BiSw
-----END PGP SIGNATURE-----