Phorm and Computer Misuse Act

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Fri, 21 Mar 2008 16:12:21 +0000


Richard Clayton wrote:
...

> Anyway, here's one simple way of building the system, which fits with
> what's known so far:
> 
> You decide to attempt to access http://www.example.com/mypage.html
> 
> they intercept this request, recording the URL and giving the request an
> identifier (8138138731, say). They then use their control of your
> traffic to send your request to a proxy-like machine that forges a
> response from www.example.com that says
> 
>         302 www.phorm.com/ident8138138731.html
> 
> ie: it is a redirect
> 
> Your browser will then automatically go to www.phorm.com (which may be a
> "real" site, or just the proxy again), and -- since this is the standard
> thing to do (configuration permitting) -- will accompany the request it
> makes with phorm's cookie. It didn't give the cookie earlier because you
> only give phorm cookies to phorm, doubleclick cookies to doubleclick,
> gmail cookies to gmail etc.
> 
> Phorm can now link request 8138138731 with the "long-lived" phorm
> identifier for you.
> 
> They now send a response
> 
>         302 www.example.com/mypage.html
> 
> and you fetch the page you wanted all along.
> 
> They can spot this second request (and avoid foolish looping) because it
> is the same IP address as before and the same page as before, so they
> let it go through to the right place (maybe they look at Referrer
> strings as well to avoid some possible confusion with load balancing,
> NAT etc). They then intercept the webpage coming back from example.com,
> work out by their textual analysis that it's all about "Dykes in
> Amsterdam" and then they serve you travel ads for a while...
> 
> So no messing with other people's cookies (which causes all sorts of
> technical issues, leave alone the legal ones). Just getting the browser
> to do what it normally does, follow 302s, send cookies to appropriate
> domains etc.
> 
> I'm meeting with Phorm in the middle of next week (with an ORG Advisory
> Council member hat on) and will be able to return and tell you whether my
> educated guesses (above) are correct :)

Meanwhile, it doesn't look as though anything is written to your machine 
that you haven't consented to, so no CMA angle.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF
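The double-302 exchange Richard describes above, modelled end to end as an added example (this is not code from the thread or from Phorm). It is a stand-in for a browser with a per-host cookie jar and for the interception point, using only the two hostnames and the request identifier given in the post; the cookie value, the helper names and the page body are constructed. The point it makes concrete is the one in the post: the tracker's cookie is only ever sent to the tracker's own host, so the link between the request id and the long-lived identifier is made on the hop to www.phorm.com, and the return hop is recognised and passed through rather than bounced again. The final function shows what the sequence looks like from the client side, which is the observable a user or a network monitor could check for.

```python
"""Model of the redirect-based identifier linking described in the quoted post.

Added example, not part of the original thread. Only www.example.com,
www.phorm.com and the request id 8138138731 come from the post; every other
name and value here is constructed for illustration.
"""
from urllib.parse import urlparse

TRACKER_HOST = "www.phorm.com"     # named in the post
REQUEST_ID_START = 8138138731      # the example identifier in the post


class Browser:
    """Minimal client: follows 302s and sends each cookie only to its own host."""

    def __init__(self, cookies):
        # cookies: {host: value}; the long-lived tracker cookie lives here
        self.cookies = dict(cookies)
        self.log = []  # (url, cookie-or-None) for every request actually made

    def fetch(self, url, network, max_hops=5):
        for _ in range(max_hops):
            host = urlparse(url).hostname
            cookie = self.cookies.get(host)   # only the matching host's cookie
            self.log.append((url, cookie))
            status, value = network.handle(url, cookie)
            if status == 302:
                url = value                   # browser follows the redirect
                continue
            return value                      # 200: the page body
        raise RuntimeError("redirect loop")


class Interceptor:
    """Stands in for the in-path box from the post: bounces the first request
    to the tracker host, records the id-to-cookie link when the browser
    arrives there, redirects back, and lets the repeated request through.
    Loop avoidance is keyed on URL alone because this model has one client;
    the post says the real check also uses the client IP address."""

    def __init__(self):
        self.next_id = REQUEST_ID_START
        self.pending = {}   # request id -> original URL
        self.links = {}     # request id -> tracker cookie value (constructed)
        self.seen = set()   # URLs already bounced once

    def handle(self, url, cookie):
        parsed = urlparse(url)
        if parsed.hostname == TRACKER_HOST:
            # The browser attached the tracker's own cookie to this hop.
            rid = int(parsed.path.split("ident")[1].split(".")[0])
            self.links[rid] = cookie
            return 302, self.pending.pop(rid)
        if url in self.seen:
            self.seen.discard(url)            # second time: pass through
            return 200, f"<html>content of {url}</html>"
        rid = self.next_id
        self.next_id += 1
        self.pending[rid] = url
        self.seen.add(url)
        return 302, f"http://{TRACKER_HOST}/ident{rid}.html"


def run_exchange():
    """Drive one page fetch through the model; returns the client-side
    request log, the interceptor's id-to-cookie links, and the page body."""
    browser = Browser({TRACKER_HOST: "uid-constructed-123"})  # constructed value
    net = Interceptor()
    body = browser.fetch("http://www.example.com/mypage.html", net)
    return browser.log, net.links, body


def redirect_bounce_detected(log):
    """True when a request chain leaves for another host and comes back to
    the exact URL it started from: the client-visible shape of this scheme."""
    urls = [u for u, _ in log]
    if len(urls) < 3 or urls[0] != urls[-1]:
        return False
    origin = urlparse(urls[0]).hostname
    return any(urlparse(u).hostname != origin for u in urls[1:-1])


if __name__ == "__main__":
    log, links, body = run_exchange()
    for url, cookie in log:
        print(f"{url}  cookie={cookie}")
    print("links:", links)
    print("bounce detected:", redirect_bounce_detected(log))
```

Running it prints three requests: the original URL with no cookie, the www.phorm.com hop carrying the tracker cookie, and the original URL again with no cookie, after which the interceptor's table holds one entry mapping 8138138731 to the cookie value. The detection function is deliberately crude; it flags any out-and-back redirect, so on real traffic it would also catch legitimate single-sign-on bounces and would need the hosts involved as a second signal.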