BadPhorm - When good ISPs go bad! :: Forums :: Tips & Breaking News :: Media Sightings
Finally the 80/20 Thinking report
Paladine
Wed Mar 19 2008, 12:30PM
Registered Member #181
Joined: Thu Mar 13 2008, 10:48PM
Posts: 50
Yes, I read the ICO article earlier, but it should be quoted in context really: they state they will be focusing on reducing risk rather than enforcement. So in theory, they should be focusing on things like banning Phorm in order to reduce risks.

According to the patent, the advertiser will send the unique "anonymous" cookie ID to the OIX adserver to get the relevant ads (at least that is my understanding of it) which means they will have access to the cookie (via javascript as described in the patent application) so matching IP to cookie is a less than trivial task.

Alexander Hanff

Deny Phorm the right to intercept web pages and support the Deny Phorm Campaign
Visit: http://denyphorm.blogspot.com/
Oblonsky
Wed Mar 19 2008, 12:40PM
Registered Member #132
Joined: Sat Mar 08 2008, 10:59AM
Posts: 91
Sorry, yes - I was playing Devil's Advocate for a second to point out that whatever technical claims Phorm may make, the ad needs to get back to the target PC.

The only way to avoid some link "leaking" out would be to "gift" the entire ad delivery system to the ISP too. Of course the ISP then having to manage all the changing demands of the advertisers... Oh yes, the ISP would "operate" the equipment but Phorm would be allowed to run it on a day-to-day basis.

Come on HMG/ICO - you know enough, make the call.

EtherDreams
Wed Mar 19 2008, 04:10PM
Registered Member #185
Joined: Fri Mar 14 2008, 09:27PM
Posts: 33
Technically, the ads *could* be pushed down to ad servers which are within the ISP and on the other side of an anonymizer so that the ad servers can't see the user's IP Address. You would also want the ID bearing cookie to be assigned to a domain that is unreachable from outside Phorm ISP networks in order to avoid "accidental" requests that effectively link an IP Address to the cookie.

I have looked long and hard for evidence that Phorm is doing those things. I can't find any. I can't help but feel that Phorm is playing up and trying to keep the focus on protection mechanisms on the collection/profiling side and is purposely avoiding the disclosure of details about the ad serving side and some other things.
Paladine
Wed Mar 19 2008, 04:15PM
Registered Member #181
Joined: Thu Mar 13 2008, 10:48PM
Posts: 50
Yeah but technicalities mean nothing here for two simple reasons:

1. Their patent application states it will be as I have described.
2. In order for the ads to be pushed from the ISP they would need to insert data into the stream, which Phorm have explicitly denied several times.

Alexander Hanff

Deny Phorm the right to intercept web pages and support the Deny Phorm Campaign
Visit: http://denyphorm.blogspot.com/
EtherDreams
Wed Mar 19 2008, 04:42PM
Registered Member #185
Joined: Fri Mar 14 2008, 09:27PM
Posts: 33
Paladine wrote ...

Yeah but technicalities mean nothing here for two simple reasons:

1. Their patent application states it will be as I have described.
2. In order for the ads to be pushed from the ISP they would need to insert data into the stream, which Phorm have explicitly denied several times.

While there are excellent reasons to oppose the system regardless of technicalities (philosophical, the potential for misconfiguration or evolution/mutation, etc) I think it is important that we understand and shed as much light as possible on the technical aspects of the initial implementation.

I understand your first point. Edit: No I don't. You said the *advertiser* will send the cookie. Did you mean the user's browser?

I don't understand your second point. The hypothetical scenario I mentioned involves ads being pushed out to ISP network resident ad servers, and being pulled from those ad servers by the users' browsers.

[ Edited Wed Mar 19 2008, 04:53PM ]
Paladine
Wed Mar 19 2008, 05:17PM
Registered Member #181
Joined: Thu Mar 13 2008, 10:48PM
Posts: 50
No, I never said the advertisers would send the cookie. I said the advertisers send the UID from the cookie to the OIX server and that they have access to the Phorm cookie via javascript. I should correct one thing though: I actually meant the websites subscribed to the OIX platform which display the OIX ads, not the advertisers themselves (although advertisers may also be using the OIX platform on their own websites of course).

There is no ISP resident ad server; the only ad servers are the OIX servers, which to my knowledge it has never once been said are on the ISP network. It has been said these servers are in China (and more recently this has been changed to being in the UK or US, but it is just speculation).

That aside, even if the adserver was on the ISP network, in order for the websites on the OIX platform not to be able to correlate IP to UID they would have to have no access to the cookie and the ISP would need to insert the ads directly into the datastream, which Phorm have stated on several occasions will not happen. They have vehemently defended that there will be no data injected into the HTTP stream by the ISPs.

It has to be one way or another, either the websites using OIX will send for the ads based on the UID from the cookie (as described in the patent application) or the ISP will have to inject data into the stream.

A further question to be asked if the second is true is how BT will get the UID in order to deliver the ads. Will the Phorm cookie be sent with all HTTP requests and then removed from the datastream by the ISP between the user and the requested web site? Or will the cookie remain in the HTTP request to its end point (the website)? Again, if the latter, then the website is able to correlate IP to UID.

No matter which way you try to spin it, it looks bad.

The whole web of deceit on this issue just makes me want to vomit.

Alexander Hanff

Deny Phorm the right to intercept web pages and support the Deny Phorm Campaign
Visit: http://denyphorm.blogspot.com/
EtherDreams
Wed Mar 19 2008, 10:08PM
Registered Member #185
Joined: Fri Mar 14 2008, 09:27PM
Posts: 33
Paladine wrote ...
No I never said the advertisers would send the cookie. I said the advertisers send the UID from the cookie to the OIX server and that they have access to the Phorm cookie via javascript. I should correct one thing though I actually meant the websites subscribed to the OIX platform which display the OIX ads not the advertisers themselves (although advertisers may also be using the OIX platform on their own websites of course).

Response:
I believe the term for sites that display OIX targeted ads would be publishers.

Paladine wrote ...
There is no ISP resident Ad Server, the only adservers are the OIX servers which to my knowledge it has never once been said they are on the ISP network...

Response:
We absolutely must pin them down on this point and eliminate any presumptions on our part. If one's IP Address is not anonymized during the ad fetching phase as well, the risks/threats go up dramatically. Especially if the cookie is sent to the ad server (may or may not be, I haven't seen recent captures).

Paladine wrote ...
That aside, even if the adserver was on the ISP network, in order for the websites on the OIX platform not to be able to correlate IP to UID they would have to have no access to the cookie and the ISP would need to insert the ads directly into the datastream, which Phorm have stated on several occasions will not happen. They have vehemently defended that there will be no data injected into the HTTP stream by the ISPs.

Response:
To be honest, I don't think there is a 100% reliable way to protect against UID<->IP Address linking. The ISP is in a position to do so and Phorm could at any time serve up script that makes it happen. The system *could* be designed to "minimize" the chances of doing so. We have to ask the right questions to know if it is and if possible point out where it isn't.

You talk about publishers being able to access the UID. They obviously shouldn't have access to the UID bearing cookie. I believe that is set for a domain other than theirs. I think someone reported that a.webwise.net/services was used. Hmmm... does that match the opt-in/opt-out and phorm status URLs? Wouldn't that be a kicker... you go to opt-out and in the process give them an IP Address to link with the data they previously collected about you.

How are the publishers going to access the UID? Cross domain/frame exploit?

I really wish someone had a comprehensive capture from recent trials, so we could rule in/out some things. We certainly can't take Phorm's word for anything. I'm working under the assumption that publishers will include some javascript in their pages that will enable or assist with the advertisement switching. I think there are a number of different ways that could be done, particularly in an environment where HTTP requests can be intercepted/redirected.

Paladine wrote ...
It has to be one way or another, either the websites using OIX will send for the ads based on the UID from the cookie (as described in the patent application) or the ISP will have to inject data into the stream.

Response:
It isn't the publishers who request the ads, it is the browser.

Paladine wrote ...
Further questions to be asked if the second is true, is how will BT get the UID in order to deliver the Ads? Will the Phorm cookie be sent with all HTTP requests and then removed from the datastream by the ISP between the user and the requested web site? Or will the cookie remain in the HTTP request to it's end point (the website)? Again if the latter then the website is able to correlate IP to UID.

Response:
The browser will only send the UID cookie in requests that are allowed per the cookie's domain/path. At this point I suspect that no cookies are artificially injected into any requests or responses... I think it is all intercept/redirect + javascript + iframe (if we assume they haven't figured out a way around the iframe yet).

Paladine wrote ...
No matter which way you try to spin it it looks bad. The whole web of deceit on this issue just makes me want to vomit.

Response:
Indeed, it is an impossible situation made that much worse by companies talking out of both sides of their mouths.
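The point about the browser only attaching the UID cookie to requests that match the cookie's domain and path, and the worry that an opt-out request to the tracking domain pairs that UID with the client's IP, can be made concrete with the RFC 6265 matching rules. This is an added example, not code from the thread or from Phorm; the cookie jar, hostnames and values are constructed for illustration, and the tracking domain is assumed to be webwise.net as the thread mentions.

```javascript
// Added example: RFC 6265 domain- and path-matching, used to show which
// requests a browser would attach a UID cookie to. All cookies, hosts and
// values below are constructed, not captured from any real trial.

// RFC 6265 section 5.1.3: the request host domain-matches the cookie domain
// if they are equal, or if the host ends with "." + domain (and is not an IP).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: the request path matches the cookie path if they are
// identical, or the cookie path is a prefix that ends in "/" or is followed by "/".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would send with a request for `url`.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// Constructed jar: a UID cookie scoped to the assumed tracking domain, plus an
// unrelated host-only session cookie belonging to a publisher site.
const JAR = [
  { name: "UID", value: "constructed-uid-0001", domain: "webwise.net", path: "/", hostOnly: false, secure: false },
  { name: "sess", value: "constructed-sess", domain: "publisher.example", path: "/", hostOnly: true, secure: false },
];

// For each URL, report whether the UID cookie would ride along. A publisher
// page never receives it in the Cookie header, but any request to the tracking
// domain (an opt-out or status page included) arrives with both the UID and
// the client's source IP, which is exactly the linkage discussed above.
function uidLeakReport(jar, urls) {
  const out = {};
  for (const url of urls) out[url] = cookiesSentTo(jar, url).includes("UID");
  return out;
}
```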
felixcatuk
Fri Mar 21 2008, 07:42AM

Registered Member #95
Joined: Wed Mar 05 2008, 12:03AM
Posts: 239
To non-tech readers: if Phorm isn't opt-in, it isn't kosher.

PhormUKPRteam wrote ...

<snip> Among them, we have confirmed to 80/20 Thinking that Webwise does not track behaviours across sensitive sites;


Show us the black list of sites, show us the white list of user agents.

PhormUKPRteam wrote ...

that anonymous cookies cannot be traced back to users;


Show us sample data for your executive team.

PhormUKPRteam wrote ...

<snip>
In the press, Mr Davies has openly commented: "
<snip>


I've read his words. I think you'll find he recommended Phorm should be opt in.

PhormUKPRteam wrote ...

<snip>
Just in case of any re-emerging confusion: Privacy International, one of the leading privacy advocacy bodies, did not endorse us and do not endorse any companies.


Err, didn't Kent, Phorm's CEO, say precisely the opposite for weeks? I'm not confused; he told me Phorm was endorsed by Privacy International (who apparently deny the same). Which would make what he said untrue.

PhormUKPRteam wrote ...

<snip>


For a cut+paste ninja like you, that's a weak effort PhormUKPRTeam... who isn't Phorm.

Tell me, which of the 3 PR companies do you work for?

Is it possible we could talk to a technologist rather than a spin doctor, y'know, someone who has expertise in the field... not a black belt in cut+paste?



[ Edited Fri Mar 21 2008, 07:44AM ]

ISP customers; you don't need Phorm, pure and simple.
Don't be a passive recipient of Phorm cookies.
Until Phorm can be stopped, use the Dephormation Firefox Add On.
http://www.dephormation.org.uk
The user called PhormUKPRTeam/PhormUKTechTeam is a PR consultant from Citigate Drew Rogerson.
RIPA: ISPs HAVE NO CONSENT FOR INTERCEPTION OF THIS TRANSMISSION ;o)
SilverWave
Sat Mar 22 2008, 03:00PM
Registered Member #101
Joined: Thu Mar 06 2008, 12:35AM
Posts: 35
http://blogs.guardian.co.uk/technology/2008/03/20/simon_davies_of_privacy_international_and_8020_thinking_on_phorm.html
[quote]
Second, the British Public, who apparently SO support PI, donate an average of £130 a year to us. We receive more from citizens of India, even during the height of the ID card battle.
[/quote]

This is a little worrying - are we being punished for not supporting PI?
I didn't even know they existed before the Phorm thing.
I don't think the work that Simon Davies has done for Phorm will make it more likely for PI to get more donations - completely the reverse tbh.
I can see the need to make a living - but I didn't force Simon to do the work he does for PI for free - I appreciate anyone who does voluntary work for the good of society - I think he is very probably a lot better off financially than I am, but I may still have made a contribution if I had known it was needed.
I just have a problem with the way the report was used by Phorm.
If Simon didn't think Phorm would use the report in this way, I think he is being unbelievably naive.
Last point: the "engagement" idea has been tried before; I think it's called appeasement.



[ Edited Sat Mar 22 2008, 03:03PM ]