Lots of Phorm activity today. First of all, BBC News reports that "Home Office 'colluded with Phorm'". Then there was the Phorm Phight Back (I can keep up with the 'Ph' thing all night 8-) with newspaper reports about the new anti-anti-Phorm site, "Stop Phoul Play", which attacks the people and organisations (The Register, Open Rights Group, NoDPI) opposing the interception and analysis of all your web traffic... sorry, the "privacy pirates" (yes, it really calls us "privacy pirates", no I don't understand it). A detailed history and references list is at View From Planet Jamie.
But why is this a threat? Why is there one side which says that this is a threat to privacy and one which says this is an improvement in privacy?
Firstly, I think we have to look at what Phorm/WebWise offers. According to BT's WebWise site, the service offers two features:
- Checking the websites you want to visit against a phishing sites blacklist and warning you before you visit the site
- Analysing your web history in order to provide adverts tailored to you
There is no reason at all that these need to be combined - BT already do a very similar thing for blocking IWF blacklisted sites. In fact, there is very little added bonus for BT customers given that Firefox, Safari and Internet Explorer already offer anti-phishing technology. BT/Phorm are trying to scare people into accepting the technology by focusing on the anti-phishing aspect.
So, to the second part of the featureset. Again, the Webwise site gives details of how it works:
- Phorm/Webwise analyses the websites you visit and assigns them to categories
- Your interest in these categories is stored against a unique number stored in a cookie on your computer
- When a Webwise/Phorm compatible website is visited, Phorm serves up adverts based on your interests
BT stresses that this system does not store details of which websites you visit, only which categories the websites fall into. BT also stresses that this data is stored against an identifier known only to your own computer (in the cookie).
This, then, seems to be their argument: you cannot take the name "Alex Lambert" (or associated BT identifier) and then identify which websites I've visited.
When considering breaches of privacy, it is important not just to consider data which is obtained through cracking, but also what information is being normally output by the system. In this case, the output is adverts tailored to the interests of anyone who uses the browser/account combination which has a cookie with the unique identifier in it.
So, what's so bad about that?
- A husband wants to surprise his wife with a weekend break in the Cotswolds and Phorm/Webwise serves adverts about travel/holidays. Surprise ruined.
- A person being abused by their partner is looking for advice about getting out of the situation they are in. The system notices that the person is interested in legal advice and shows adverts for solicitors, tipping off the abusive partner.
- A teenager struggling with their sexuality looks for support online. Phorm/Webwise notices the interest in Queer sites and serves adverts on that topic to homophobic parents.
That's privacy leakage from intended usage.
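To make that concrete, here is a small model of the design as described above. It is an added example, not Phorm's or BT's code: the keyword-based categoriser, the class and function names and the URLs are all constructed for illustration. The store holds only categories against a cookie identifier, exactly as BT stresses, and the advert still tells the next person at the browser what the previous one was reading about.

```python
import secrets
from collections import Counter

# Hypothetical keyword -> category map; the page does not describe the real categoriser.
CATEGORY_KEYWORDS = {
    "travel": ("hotel", "cotswolds", "holiday"),
    "legal": ("solicitor", "injunction", "legal-advice"),
    "motoring": ("car", "garage"),
}

class Profiler:
    """Categories only, keyed by a cookie UID: no URLs and no names are kept."""

    def __init__(self):
        self.interests = {}  # cookie uid -> Counter of category names

    def new_cookie(self):
        # Random identifier that lives in the browser's cookie jar.
        return secrets.token_hex(8)

    def observe(self, uid, url):
        # Categorise the visited page, then discard the URL itself.
        lowered = url.lower()
        for category, words in CATEGORY_KEYWORDS.items():
            if any(word in lowered for word in words):
                self.interests.setdefault(uid, Counter())[category] += 1

    def advert_for(self, uid):
        # Called when a participating site is loaded: strongest category wins.
        counts = self.interests.get(uid)
        return counts.most_common(1)[0][0] if counts else None

def shared_browser_demo():
    profiler = Profiler()
    cookie = profiler.new_cookie()  # one cookie per browser/account, not per person

    # Person A browses (constructed URLs).
    for url in (
        "http://example.org/legal-advice/leaving",
        "http://example.org/find-a-solicitor",
        "http://example.com/car-insurance",
    ):
        profiler.observe(cookie, url)

    # Person B opens a participating site later, in the same browser.
    advert = profiler.advert_for(cookie)
    return advert, dict(profiler.interests[cookie])

if __name__ == "__main__":
    advert, stored = shared_browser_demo()
    print("stored against cookie:", stored)
    print("advert category shown to next user:", advert)
```
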
I've opted this website out of WebWise (well, I've had an automated response informing me that it will be checked for validity and I should have had a notice of failure by now if it was going to fail), thus joining Amazon, Wikipedia, LiveJournal and others.
Yours in privacy piracy,
Alex
x x





