Phorm and Fraud Act?
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Mon, 24 Mar 2008 14:36:49 +0000
Roland Perry wrote:
> In article <47E79CD4.6050401@ernest.net>, Nicholas Bohm
> <nbohm@ernest.net> writes
>>>> But it's easy to see that when you put a forged 50p piece in the
>>>> machine, you are representing it to be a genuine one;
>>> And when you insert a cookie in a reply to an HTTP request, you are
>>> at the least representing that you are the site whose name appears
>>> inside the cookie.
>>
>> What makes this obvious to non-geeks? As obvious as it is that
>> putting a coin in a machine represents it to be genuine?
>
> I'd take an approach that visualises as much as possible.
>
> For example, I'm running a Firefox add-in that allows me to see the
> cookies for *this* site, edit them, delete them and so on. That brings
> cookies very much into the realm of "things on my desktop", rather than
> "something mysterious under the hood".
>
> And it illustrates very easily the concept that "all the cookies in play
> at the moment are from *this* website".
>
> [I'm assuming what follows is technically correct...]
>
> Then describe what the cookies are for: "Have you ever wondered how a
> website remembers your login details". "That's the sort of thing which
> can be stored in a cookie - and your browser needs to know that any
> website asking for that cookie is exactly who it purports to be".
>
> "If a website could spoof who it is, it could get your browser to reveal
> the login details for other websites". "Which I'm sure you can see would
> be a BAD THING".

I don't think a prosecutor would stir an inch on the basis that
something was a misrepresentation unless he or she could see how
ordinary computer users, uninstructed by the sort of teaching you
outline, were being misled. That's what I was trying to convey when I
said "obvious": as apparent to native common sense as the example of
the 50p coin. Not dependent on using an add-in and watching for
phenomena of whose existence most users are quite unaware, or having
someone have to explain to them how they were being deceived.

You have to bear in mind how profoundly clueless prosecutors can be
about the realities of technology. An example can be seen in the CPS
guidelines on how to decide whether to prosecute suppliers of security
tools under CMA ss3A(2) at:
http://www.cps.gov.uk/legal/section12/chapter_s.pdf

Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF