Ernst & Young audit overlooks Phorm's violation of its own privacy policy
Peter Tomlinson
ukcrypto at chiark.greenend.org.uk
Fri, 01 Aug 2008 14:36:04 +0100
Reminds me of PA, who fielded a team of management but not technical
consultants, recently providing a document with technical content
(content that was flawed) to DfT for the ENCTS project, a document that
was published by DfT and then the ICO caused it to be withdrawn.
Peter
Richard Clayton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> <URL:http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-overlooks-phorms-violation-of-its-own-privacy-policy/>
>
> <quote>
> I've been looking at deep packet inspection / targeted advertising
> company Phorm for the past couple of days and have found a clear and
> simple case of Phorm violating its own privacy policy in
> contradiction to Ernst & Young's audit of the company's systems.
>
> etc...
> </quote>
>
> I recommend reading the whole article :)
>
> For some time I (and others) have been pointing out that the Phorm ID
> can be obtained by any website that is visited (the Phorm system will
> attempt to remove it, but cannot succeed if the cookie value is
> transferred by https). This could lead to a trade (illegal under EU law
> of course) in matching Phorm IDs with other data...
>
> Hal Roberts has taken this further by pointing out that this explicitly
> infringes Phorm's own privacy policy -- as audited by Ernst and Young !
>
> He does ask "How did Ernst & Young not find this problem?" and discusses
> the shortcomings of the audit process generally.
>
> However, one of the reasons that occurs to me is that when Ernst & Young
> audited the system it worked differently! We know that it used to use
> HTTP Referrer fields (because they leaked data into logs all over the
> Internet) ... but then Ernst & Young don't mention that failing either,
> so maybe Hal's meta-analysis is all that really matters:
>
> <quote>
> But the report is completely opaque, so all we have to rely on is
> Ernst & Young's reputation. For that reputation to be valid, though,
> there has to be a strong feedback mechanism that discredits Ernst &
> Young when it produces a faulty report. In practice, what's that
> pushback? Is there any history of such audits being disproved to the
> disparagement of the auditing firm? In the face of only a vague
> threat of some sort reputation loss, the strong, direct incentive to
> produce positive reports to generate more business will win every
> time.
> </quote>
>
> - --
> richard richard.clayton @ h i g h w a y m a n . com
>
> "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPsdk version 1.7.1
>
> iQA/AwUBSJMJdZoAxkTY1oPiEQL0tQCePdNmW0BK6zjEy+irDW7/XcwAU7AAn1L+
> pV8OsjrPAEXvKoR/rVtQ+eZu
> =+WEo
> -----END PGP SIGNATURE-----