Phorm analysis out

Richard Clayton has now published his technical analysis of Phorm. There’s a good introduction to it on his Light Blue Touchpaper blog.

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.

Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Read the rest here, or go straight to the technical analysis.

By coincidence, the Information Commisioner has released an updated statement on Phorm. From the looks of things, they have declined FIPR’s invitation to consider the lawfulness of Phorm’s data processing under legislation other than the Data Protection Act (such as RIPA). They have also failed to address the news that BT trialled Phorm without seeking consent from its users in 2006.