Phorm and consent
Ian Batten
ukcrypto at chiark.greenend.org.uk
Tue, 11 Mar 2008 09:51:31 +0000
On 11 Mar 08, at 0932, Roland Perry wrote:
>
> They will be sending it to the IP address of the Phorm platform.
> Anyone looking at the logs will have to find a way of coping with
> that, just like they cope with spiders, caches and any other "non-
> person" accesses that seem to happen.
One difference is that most caches and spiders are operated by people
you _want_ to access your website: caches are just users in disguise,
spiders are usually search engines that (in general) you want to
access your site. If you're not a Phorm customer, Phorm are just
bandwidth and resource leeches.
For example, if the implication is that the URLs are spidered by Phorm
offsite (i.e. not synchronous with the user access), anyone operating a
UK website is going to need to double their bandwidth, as every page
will be fetched twice.
The IP numbers of Phorm's servers will be trivial to locate: you just
access a website you control from an infected ISP and look at your
logs. After that, blocking is easy.
One thing I'm concerned about is that we operate several low-security
portals where we pass passwords in non-https connections, with the
source IP number thrown into the mix, i.e. you have an account which is
a username, a password, and a source IP number you need to come from.
It's legacy ware, from back in the days when https was a resource
pig. Presumably Phorm are planning to capture passwords and fetch the
URLs from our origin servers?
ian
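
The log check described in the message above (visit a site you control, then see which other address fetched the same page), as an added example that is not part of the original post. It assumes Common Log Format and one-time, unguessable URLs under a hypothetical `/canary/` prefix; the sample log and all addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_refetchers(log_lines, tester_ip, canary_prefix="/canary/"):
    """Return {ip: [(path, seconds_after_tester), ...]} for every address other
    than tester_ip that requested a canary URL the tester had visited."""
    first_seen = {}   # canary path -> time of the tester's own request
    others = []       # canary requests from any other address
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(canary_prefix):
            continue  # unparseable line or ordinary traffic
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if m["ip"] == tester_ip:
            first_seen.setdefault(m["path"], ts)
        else:
            others.append((m["ip"], ts, m["path"]))
    hits = defaultdict(list)
    for ip, ts, path in others:
        if path in first_seen:  # a URL only the tester should have known
            hits[ip].append((path, (ts - first_seen[path]).total_seconds()))
    return dict(hits)

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2008:10:00:00 +0000] "GET /canary/7f3a9c HTTP/1.1" 200 512',
    '203.0.113.20 - - [11/Mar/2008:10:00:04 +0000] "GET /canary/7f3a9c HTTP/1.1" 200 512',
    '192.0.2.55 - - [11/Mar/2008:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Mar/2008:10:05:00 +0000] "GET /canary/b81e02 HTTP/1.1" 200 512',
    '203.0.113.20 - - [11/Mar/2008:10:05:09 +0000] "GET /canary/b81e02 HTTP/1.1" 200 512',
    '192.0.2.55 - - [11/Mar/2008:10:06:00 +0000] "GET /canary/zzzz HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, fetches in find_refetchers(SAMPLE_LOG, "198.51.100.7").items():
        print(ip, fetches)
```

An address that repeatedly appears a few seconds after the tester's own request for a URL nobody else was given is the candidate for a blocking rule.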