Detail Analysis of Phorm Modus Operandi (technical and business)

Richard Clayton ukcrypto at chiark.greenend.org.uk
Thu, 20 Mar 2008 11:39:43 +0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <a9f4d96f0803191005u6d3b3f02h243f410b9e0716@mail.gmail.com>,
John Wilson <tugwilson@gmail.com> writes

>All the discussion I have read so far has revolved around browsers as
>clients. However it's now quite common for HTTP to be used by other
>programs for other purposes (XML-RPC, SOAP, REST clients, for
>example).

Buried away in the small print of their technical documents is that the
initial stage of Phorm's interference with your traffic involves looking
for a User-Agent string that they recognise...

>I think it's almost impossible to argue that intercepting the Atompub
>transaction I use to update my private Google calendar is legitimate.
>Or, indeed, to argue that Google implicitly gives permission for the
>conversation to be intercepted by exposing an endpoint for such a
>transaction.
>
>I wonder if the messing that Phorm does with the HTTP traffic could,
>in fact, stop some of these programs working.

... so if it's not a browser (or pretending really hard to be a browser)
then Phorm won't do HTTP magic to get a cookie response and will just
let the traffic proceed.  This should, in principle (there will be a lot
of detail in practice) mean that non-browsing traffic running over port
80 (and indeed non-HTTP traffic that is just trying to get through
simple-minded firewalls) will be unaffected.

Presumably (no document I have seen covers this point) they don't look
at the traffic coming back because they didn't understand the traffic
going out.

So provided that they have permission to inspect the particular
customer's traffic (which I would suggest means "informed opt-in") then
there is no interception and the system is lawful and (in principle
anyway) non-disruptive.

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBR+JM/5oAxkTY1oPiEQLU7wCfR8lpPcaJNRMOXkfwUKZuKRITQIwAn0EJ
L9w9JsxJRIIdqfOo5BxhFHqD
=K/O6
-----END PGP SIGNATURE-----
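The User-Agent gating described in the message above, as an added worked example that is not part of the original post and not taken from any Phorm document: a small classifier that models the first decision a Phorm-style gateway is described as making on outbound port-80 traffic (recognised browser User-Agent: interpose and do the cookie "HTTP magic"; anything else, including non-HTTP bytes that merely travel over port 80, is passed through untouched). The browser-token list, the decision labels and the sample requests are assumptions constructed for illustration, not Phorm's real rules; a practitioner can drop in their own client's request bytes to see which side of the gate it lands on.

```python
"""
Added example (not from the ukcrypto post or any Phorm document): a
model of the "is this a browser?" gate that decides whether a
Phorm-style interception box interposes on a port-80 request or lets
it pass.  All lists, labels and sample requests below are assumptions.
"""
import re

# Assumed, illustrative product tokens a gateway might treat as "a
# browser".  Phorm's real recognition list is not public here.
BROWSER_TOKENS = ("Mozilla/", "Opera/", "Lynx/")

PASS_THROUGH = "pass-through"  # bytes forwarded unmodified
INTERCEPT = "intercept"        # browser: gateway injects cookie-setting redirect

# Request line of an HTTP/1.x request; anything else on port 80 is
# treated as not-HTTP (a tunnel trying to get through a dumb firewall).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\n")


def parse_request(raw: bytes):
    """Return (method, target, headers) for an HTTP/1.x request, or None
    if the bytes do not parse as HTTP at all.  Header names are
    lower-cased so lookups are case-insensitive."""
    raw = raw.replace(b"\r\n", b"\n")
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    head, _sep, _body = raw.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # malformed header block: do not claim it is HTTP
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(1).decode("ascii"), m.group(2).decode("latin-1"), headers


def looks_like_browser(user_agent: str) -> bool:
    """Assumed rule: a client is 'a browser' if its UA starts with a
    known browser product token.  A non-browser that sends such a UA
    ('pretending really hard to be a browser') is treated as one."""
    return user_agent.startswith(BROWSER_TOKENS)


def classify(raw: bytes) -> str:
    """Decide what the gateway does with one outbound port-80 request."""
    parsed = parse_request(raw)
    if parsed is None:
        return PASS_THROUGH  # not HTTP: nothing understood, nothing touched
    _method, _target, headers = parsed
    return INTERCEPT if looks_like_browser(headers.get("user-agent", "")) else PASS_THROUGH


# Constructed sample traffic (not captured data).
SAMPLES = {
    "firefox": (
        b"GET / HTTP/1.1\r\nHost: example.com\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux) Gecko/20080311 Firefox/2.0.0.13\r\n\r\n"
    ),
    # An AtomPub client updating a calendar: not a browser, so it passes.
    "atompub": (
        b"PUT /calendar/feeds/private/full HTTP/1.1\r\nHost: www.google.com\r\n"
        b"User-Agent: GData-Java/1.0\r\nContent-Type: application/atom+xml\r\n\r\n<entry/>"
    ),
    # An XML-RPC client that copies a browser UA gets intercepted anyway.
    "spoofed_client": (
        b"POST /RPC2 HTTP/1.1\r\nHost: rpc.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
        b"Content-Type: text/xml\r\n\r\n<methodCall/>"
    ),
    # SSH banner sent over port 80 to slip past a simple-minded firewall.
    "ssh_over_80": b"SSH-2.0-OpenSSH_4.7\r\n",
    # HTTP with no User-Agent at all: nothing to recognise, so it passes.
    "no_user_agent": b"GET /feed.xml HTTP/1.0\r\nHost: example.org\r\n\r\n",
}


def classify_all() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15s} -> {verdict}")
```

Note that only the User-Agent header is examined here, mirroring the point in the message that the gate is on the request, not the response; whether a real deployment also inspects the returning traffic is exactly the question the post leaves open.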