Phorm and Computer Misuse Act

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Sat, 22 Mar 2008 11:18:32 +0000


Ian Batten wrote:
> 
>>
>> Because the browser needs to "believe", at the time the transaction finally
>> goes to the target web server, that it is back on the target domain,
>> otherwise any attempt by the target web server to set regular cookies in the
>> course of the transaction would fail under the rules defined in RFC2965.
>>
>> The Phorm servers, by imitating the target domain can place a cookie as the
>> target domain to provide linkage during the "final" part of the transaction
>> when the HTTP GET request finally goes all the way to the target server.
> 
> But surely this is illegal?  A proxy will pass you back byte-for-byte 
> what the original site would have served, modulo a few control headers.  
> A cache will do the same, but has slightly more risk of getting it 
> wrong.  In both cases, the authors and operators of the proxy/cache 
> strive for byte-for-byte equivalence, and ``the page was different'' or 
> ``the cookie behaviour was different'' would be bugs, pure and simple.
> 
> The intent here is to deceive, and to bypass mechanisms put in place to 
> provide security.  It's the moral equivalent of that grande dame of 
> every undergraduate of the early 1980s, the login simulator.  The 
> proxy you're forced to is explicitly trying to look like the origin 
> server, while behaving completely differently.  And this not done 
> without the consent of the site.
> 
> Suppose I have a website called ``we-do-not-track-your-behaviour.com'', 
> trademarked, and Phorm's proxy sits in front of it and tracks your 
> behaviour.  How is this not ``passing off'' in trademark terms?

If you have a registered trademark you can complain of trademark 
infringement.  If you have an unregistered trademark in which you can 
establish you have a public reputation, you can complain of passing off.

In either case I think that to found a complaint you would need to show 
that the use by the defendant of the mark was some sort of use as a 
trademark, to affect the minds of individuals to whose notice it came in 
some way adverse to you (e.g. to suggest that the person was getting 
service from you when in fact they were getting service from someone else).

The discussion here hasn't left me very clear who is thought to be doing 
what with cookies; but I don't recall ever having a cookie brought to my 
attention while browsing in such a way as to suggest that it was 
conveying any information to me of a trademark kind.  Nor, when I go out 
of my way to look at a cookie, do I find it suggesting anything to me of 
a trademark kind.  So I am doubtful whether this is a fruitful line of 
attack.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF