Phorm, privacy, RIPA and interception

Ian Batten ukcrypto at chiark.greenend.org.uk
Tue, 26 Feb 2008 09:57:24 +0000


On 26 Feb 08, at 0526, Peter Fairbrother wrote:
> Of course (hah!) for historical information this doesn't apply to
> Phorm and the ISPs - ie it's information already delivered, so they  
> can sell it all?

I've been attempting to find out how this works, and I don't really  
quite see it.  I've seen muttering about JavaScript embedded in
specific pages, and the opt-out mechanism is supposed to use cookies  
(a positive opt-out that requires a cookie is the stuff of the devil,  
too).

If it's done by sniffing the data stream looking for URLs, aside from  
any legal issues that's instantly the mechanism that the ISPs claimed  
was impractical for both data retention and IWF compliance.  And  
it'll lead to terribly bad ad targeting anyway, because it'll  
conflate all the traffic from a given customer, who may well have  
multiple users on multiple systems.  And the Data Protection Act
implications are serious, too.

I suspect, and I am quite happy to be wrong, that this will turn out  
to be one of those cases where a VC-funded startup makes stronger  
claims about what its prospects plan to do than its prospects are
actually in a position to agree to.   It's obviously the case that a  
stream of URLs accessed by a single end point aren't anonymous: names  
and other details are bound to be embedded in cgi-bin argument lists,  
along with search terms.  Any ISP that gathers and retains that data,  
never mind supplies it to a third party without consent, does so at
their peril.

ian