Phorm Trial Starts Tomorrow

Richard Clayton ukcrypto at chiark.greenend.org.uk
Mon, 29 Sep 2008 14:50:05 +0100 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <4F376FA3-F57F-44C9-A17E-B5F885E1C3A5@batten.eu.org>, Ian
Batten <igb@batten.eu.org> writes

>    See:
>
>    http://www2.bt.com/static/i/btretail/webwise/bt-webwise-trial.html
>
>
>    The wording doesn't strike me as approaching the requirements the 
>    ICO imposed, specifically it makes no mention of the systematic 
>    interception that is involved in `matching interests'.   It's also 
>    not at all clear how (to quote all the usual problems) the system 
>    pops up the initial interstitial without intercepting all traffic, 
>    nor how it prevents children improperly consenting to contracts 
>    (specifically changes to terms and conditions).

also the help page

    http://www2.bt.com/static/i/btretail/webwise/your-privacy.html

is still enamoured of the Ernst & Young privacy audit report (though
quite why people from the financial sector should be seen as trustworthy
this month rather escapes me).

Anyway, BT summarise the report as follows:

    Ernst & Young have determined that the unique fundamental design of
    this technology ensures that consumer privacy is protected and that,
    even under compulsion, no personally-identifying data or detailed
    browsing data can be retroactively provided to anyone.

Unfortunately for BT, for Ernst & Young, and indeed for BT's customers
this is just plain wrong :(  Unless of course Phorm have spent their
summer redesigning their system yet again -- if anyone gets on the trial
then do let me know, there's all sorts of useful traffic dumping and
experiments to be done!

Anyway, one fundamental error that Ernst & Young makes is to assume that
the personally identifying cookie is stripped out by the Phorm system --
but unfortunately that isn't always true :(

This is discussed at length, and various remarks made about the value of
this type of paid-for audit on Hal Robert's blog back in July.

<URL:http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-
overlooks-phorms-violation-of-its-own-privacy-policy/>

It's a little disappointing that BT haven't taken note of these comments
(which are hardly from the most obscure of places) and amended their
descriptions accordingly.

Mind you it all seems a rush job (despite the months they've spent
getting it ready). Besides the complete failure to deal with issues such
as kids clicking on behalf of their parents which Ian Batten identifies,
they haven't even managed to proof-read their own T&Cs

See #18 of

    http://www2.bt.com/static/i/btretail/webwise/terms.html

which says

    If you or another user of the BT WebWise service switches the BT
    WebWise service off, you consent, and you agree to ensure that each
    user of the BT Webwise service consents to us carrying the technical
    operations necessary to prevent the BT WebWise service being
    provided to you or the other user of your broadband service. 

where "carrying the" is clearly meant to be "carrying out the" :(

They also manage to randomly spell WebWise with or without the second W
as a capital. I had always thought lawyers were the last group left
(outside of programmers) who were sticklers for detail -- seems not when
its more about getting hold of the money than anything else :(

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBSODdDZoAxkTY1oPiEQLScwCg0BMiKRlkODe5TTutxNA+/hcwE3EAoNoU
yptpKTRGIpWQby8JsTp41n/P
=gTcd
-----END PGP SIGNATURE-----