Phorm, privacy, RIPA and interception
Ian Batten
ukcrypto at chiark.greenend.org.uk
Wed, 27 Feb 2008 13:38:28 +0000
Disclaimer: I suspect that Phorm have more in common with Steorm than
just a similar name. But taking all of their claims to business at
face value:
On 27 Feb 08, at 1230, Caspar Bowden wrote:
>
> http://www.phorm.com/user_privacy/EY_Phorm_Exam.pdf
> (a target rich environment for EU DP folk)
>
It's one of those horrid password protected PDFs which we're not
supposed to be able to quote from, so I'm reduced to re-typing,
snarl, but the document says
``For as long as a user retains the Phorm opt-out cookie, the system
will not collect or store data on their browsing behaviour''.
That's pretty clear: it's not that it won't process, or even that it
won't store: it's won't collect. Interesting to see how
igb->bbc syn port 80
bbc->igb syn+ack
igb->bbc ack
igb->bbc data: GET / HTTP/1.1\n\n
[[ bulk transfer ]]
igb->bbc fin
bbc->igb ack
bbc->igb fin
igb->bbc ack
can interrogate a cookie in my browser without the co-operation of
the BBC.
One fun quote is on page 7 (the 9th physical page) about how using
your browser in another country may result in all Phorm's data
associated with that browser being transferred to that country.
That's surely illegal?
Let's assume that the police serve a search warrant on someone who
has not opted out of Phorm. The computer that is seized contains a
Phorm cookie. The police demand from Phorm the web browsing activity
associated with the random number in the cookie. Now what?
Let's assume that I look at my computer, and see that my wife has a
Phorm cookie. I take that cookie, and with the help of a corrupt
employee of Phorm convert it into a browser history. What's the DPA
implications?