Latest WebWise (Phorm) Trials end - but presumably without a debriefing for the participants.

Richard Clayton ukcrypto at chiark.greenend.org.uk
Sun, 14 Dec 2008 09:54:35 +0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <n$hEdjOOsCRJFAAC@perry.co.uk>, Roland Perry
<lists@internetpolicyagency.com> writes

>In article 
><298c5f970812121008y757ce2d8ob6e57bc643402385@mail.gmail.com>, Alexander 
>Hanff <no2dpi@googlemail.com> writes
>>2.  These trial customers now have potentially thousands if not 10s of
>>thousands of WebWise cookies on their systems (one for every single
>>web site they visited during the 2.5 months the trial lasted).
>
>I thought there was just one "master" cookie, that got updated with the 
>user's scores in various categories. 

the "scores" are on a back-end database

>And some tracking cookies with a 
>life of three days.

It was never revealed to me (when I was writing up their mechanisms) what
the intended lifetime of the per-site cookies was (and I don't recall
any mention of 3 days for anything Phorm related).

However, since cookies are essentially opaque, it is up to the owning
site to determine when they are discarded and since, as Alexander points
out, the "owner" is completely unaware of the forgery of cookies in
their name, it's not possible to say what will happen ...

>>Furthermore, ALL these cookies are now exposed to third parties as
>>they are no longer being stripped by the WebWise system during the
>>interception and modification phase of the WebWise system.
>
>Only for three days, perhaps.

I can't see any obvious mechanism for this to happen.

>>3.  And this is the big one.  If BT deploy WebWise throughout their
>>network, presumably ANY customer who opted into the trials will be
>>AUTOMATICALLY opted back in to WebWise once it is deployed as the
>>Opt-In cookies will already be present on their machines
>
>Wouldn't it be trivial to arrange that any new deployment would 
>recognise old opt-in cookies as old? 

I don't think Phorm do "trivial"

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBSUTX25oAxkTY1oPiEQIqNACgqbqoLAJPGkSTUUWZCg6Eu7QPPdcAnjEB
E0u53QR4zKc11ztRevzfTUL7
=+JpK
-----END PGP SIGNATURE-----