Ernst & Young audit overlooks Phorm's violation of its own privacy policy

Richard Clayton ukcrypto at chiark.greenend.org.uk
Fri, 1 Aug 2008 14:02:45 +0100




<URL:http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-overlooks-phorms-violation-of-its-own-privacy-policy/>

<quote>
   I've been looking at deep packet inspection / targeted advertising
   company Phorm for the past couple of days and have found a clear and
   simple case of Phorm violating its own privacy policy in
   contradiction to Ernst & Young's audit of the company's systems. 

   etc...
</quote>

I recommend reading the whole article :)

For some time I (and others) have been pointing out that the Phorm ID
can be obtained by any website that is visited (the Phorm system will
attempt to remove it, but cannot succeed if the cookie value is
transferred by https).  This could lead to a trade (illegal under EU law
of course) in matching Phorm IDs with other data...

Hal Roberts has taken this further by pointing out that this explicitly
infringes Phorm's own privacy policy -- as audited by Ernst and Young!

He does ask "How did Ernst & Young not find this problem?" and discusses
the shortcomings of the audit process generally.

However, one of the reasons that occurs to me is that when Ernst & Young
audited the system it worked differently! We know that it used to use
HTTP Referrer fields (because they leaked data into logs all over the
Internet) ...  but then Ernst & Young don't mention that failing either,
so maybe Hal's meta-analysis is all that really matters:

<quote>
   But the report is completely opaque, so all we have to rely on is
   Ernst & Young's reputation. For that reputation to be valid, though,
   there has to be a strong feedback mechanism that discredits Ernst &
   Young when it produces a faulty report. In practice, what's that
   pushback? Is there any history of such audits being disproved to the
   disparagement of the auditing firm? In the face of only a vague
   threat of some sort of reputation loss, the strong, direct incentive to
   produce positive reports to generate more business will win every
   time.
</quote>

-- 
richard                     richard.clayton  @  h i g h w a y m a n . com

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

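An added illustration of the point made in the post about the Phorm ID surviving over https (this is constructed example code, not Phorm's system or anything from the post): an in-path proxy can only strip a cookie from requests it can parse, so a cleartext HTTP request loses the tracking cookie while the same request inside a TLS record reaches the origin intact. The cookie name, hosts and the SHA-256 keystream standing in for TLS are all placeholders of my own.

```python
import hashlib

# Placeholder cookie name; the post does not give Phorm's real cookie name.
TRACKING_COOKIE = b"EXAMPLE_UID"

def build_request(host: str, cookies: dict) -> bytes:
    """Minimal GET request carrying the browser's cookies for this host."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n".encode()

def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def tls_seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a TLS application-data record (type 0x17, opaque body)."""
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return b"\x17\x03\x01" + len(body).to_bytes(2, "big") + body

def tls_open(key: bytes, record: bytes) -> bytes:
    body = record[5:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

def isp_proxy(wire: bytes) -> bytes:
    """In-path interception proxy: drop the tracking cookie wherever it can be seen."""
    if not wire.startswith((b"GET ", b"POST ", b"HEAD ")):
        return wire                      # TLS bytes: nothing to parse, pass through
    kept = []
    for line in wire.split(b"\r\n"):
        if line.lower().startswith(b"cookie:"):
            parts = [c.strip() for c in line[7:].split(b";")]
            parts = [c for c in parts if not c.startswith(TRACKING_COOKIE + b"=")]
            if not parts:
                continue                 # cookie header emptied: drop it entirely
            line = b"Cookie: " + b"; ".join(parts)
        kept.append(line)
    return b"\r\n".join(kept)

def origin_receives_uid(scheme: str, host: str, cookies: dict, key=b"demo-key") -> bool:
    """True if the origin server can read the tracking cookie after the proxy."""
    req = build_request(host, cookies)
    wire = tls_seal(key, req) if scheme == "https" else req
    wire = isp_proxy(wire)
    plain = tls_open(key, wire) if scheme == "https" else wire
    return TRACKING_COOKIE + b"=" in plain
```

Run with the same cookies over `http` and `https`: only the https request delivers the ID to the origin, which is exactly the gap an ISP-side stripper cannot close.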