Richard Clayton | 1 Aug 15:02 2008

Ernst & Young audit overlooks Phorm's violation of its own privacy policy


<URL:http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-overlooks-phorms-violation-of-its-own-privacy-policy/>

<quote>
   I've been looking at deep packet inspection / targeted advertising
   company Phorm for the past couple of days and have found a clear and
   simple case of Phorm violating its own privacy policy in
   contradiction to Ernst & Young's audit of the company's systems. 

   etc...
</quote>

I recommend reading the whole article :)

For some time I (and others) have been pointing out that the Phorm ID
can be obtained by any website that is visited (the Phorm system will
attempt to remove it, but cannot succeed if the cookie value is
transferred by https).  This could lead to a trade (illegal under EU law
of course) in matching Phorm IDs with other data...

Hal Roberts has taken this further by pointing out that this explicitly
infringes Phorm's own privacy policy -- as audited by Ernst and Young!

He does ask "How did Ernst & Young not find this problem?" and discusses
the shortcomings of the audit process generally.

However, one of the reasons that occurs to me is that when Ernst & Young
audited the system it worked differently! We know that it used to use
HTTP Referrer fields (because they leaked data into logs all over the
(Continue reading)

Peter Tomlinson | 1 Aug 15:36 2008

Re: Ernst & Young audit overlooks Phorm's violation of its own privacy policy

Reminds me of PA, who fielded a team of management but not technical 
consultants, recently providing a document with technical content 
(content that was flawed) to DfT for the ENCTS project, a document that 
was published by DfT and then the ICO caused it to be withdrawn.

Peter

Richard Clayton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> <URL:http://blogs.law.harvard.edu/hroberts/2008/07/25/ernst-young-audit-overlooks-phorms-violation-of-its-own-privacy-policy/>
>
> <quote>
>    I've been looking at deep packet inspection / targeted advertising
>    company Phorm for the past couple of days and have found a clear and
>    simple case of Phorm violating its own privacy policy in
>    contradiction to Ernst & Young's audit of the company's systems. 
>
>    etc...
> </quote>
>
> I recommend reading the whole article :)
>
> For some time I (and others) have been pointing out that the Phorm ID
> can be obtained by any website that is visited (the Phorm system will
> attempt to remove it, but cannot succeed if the cookie value is
> transferred by https).  This could lead to a trade (illegal under EU law
(Continue reading)

Richard Clayton | 1 Aug 16:27 2008

An incomplete PQ answer


<URL:http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/80722w0002.htm#80722w0002.htm_spmin0>

22 July 2008 : Column WA230

Anti-terrorism, Crime and Security Act: Voluntary Retention of Data
The Earl of Northesk asked Her Majesty's Government:

   How many grants they have given to telephone companies and internet
   service providers to assist them in the voluntary retention of data
   under Section 106 of the Anti-terrorism, Crime and Security Act 2001;
   and what has been the total annual value of such grants in each year
   since 2001. [HL4469]

The Parliamentary Under-Secretary of State, Home Office (Lord West of
Spithead):

   Payments under Section 106 of the Anti-terrorism, Crime and Security
   Act 2001 (ATCSA) commenced after the code of practice for the
   retention of communications data was approved by Parliament in 2003,
   the first payments being in financial year 2004. In October 2007, the
   Data Retention (EC Directive) Regulations 2007 came into force and
   many former ATCSA grants payments are now made under those
   regulations.

-=-=-=-=-=-

If you think this doesn't especially fully answer the question then
you'd be right!!  Lord West (actually of course someone less senior)
(Continue reading)

Richard Clayton | 1 Aug 16:33 2008

UK implementation of Data Retention Directive


Despite suggestions that the Communications Data Bill is all about
implementing the Data Retention Directive  (and not about black boxes in
ISPs, centralised storage of comms data and so on), it turns out that
the Home Office will be using a boring old statutory instrument to bring
the Directive into effect (just as they did with the telcos last year).

Expect a consultation Real Soon Now :)  and the draft Bill to be
delayed...

However, Lord West seems to think that it will all be in force by the
1st April next year, which Brussels may be disappointed about, since
their deadline is the 15th March!

-=-=-=-=-=-=-=-

http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/80722w0005.htm#80722w0005.htm_spmin4

22 July 2008 : Column WA246

The Earl of Northesk asked Her Majesty's Government:

   In light of the transposition of the data retention directive
   (2006/24/EC), as applied to telephone networks, into United Kingdom
   law by secondary legislation (SI 2007/2199), what plans they have to
   make similar provision in respect of the directive's application to
   the internet; and, if there are no plans for such implementation, how
   they intend to give legal force to these elements of the directive.
   [HL4464]
(Continue reading)

Mary Hawking | 2 Aug 20:52 2008

contract awarded for national ID card

Does this mean that the introduction of ID cards is inevitable - even if 
we get a change of government? [1]
http://www.computerweekly.com/Articles/2008/08/01/231727/thales-bags-18m-deal-for-national-id-card-scheme.htm
and how is - if it is - the very accelerated consultation on allowing 
the SOS (not sure which) to change common and statutory law on data 
sharing associated?
Mary Hawking
[1] cancelling contracts is expensive - and may be impossible.
I had the impression that some services were privatised in a bit of a 
rush to prevent subsequent governments reversing them when it was clear 
that the risk of change of government was probable - or highly probable.
-- 
Mary Hawking

Peter Tomlinson | 2 Aug 21:56 2008

Re: contract awarded for national ID card

Thanks to Mary for the link, but not that big a contract, which is in 
line with predictions that the scheme is fading away.

But I heard on the radio that 3 contracts have been let - anyone help 
with the others?

Peter

Mary Hawking wrote:
> Does this mean that the introduction of ID cards is inevitable - even 
> if we get a change of government? [1]
> http://www.computerweekly.com/Articles/2008/08/01/231727/thales-bags-18m-deal-for-national-id-card-scheme.htm
> and how is - if it is - the very accelerated consultation on allowing 
> the SOS (not sure which) to change common and statutory law on data 
> sharing associated?
> Mary Hawking
> [1] cancelling contracts is expensive - and may be impossible.
> I had the impression that some services were privatised in a bit of a 
> rush to prevent subsequent governments reversing them when it was 
> clear that the risk of change of government was probable - or highly 
> probable.

Richard Clayton | 4 Aug 13:40 2008

Re: An incomplete PQ answer


In article <GEuyX8MF1xkIFA7n@...>, Richard Clayton
<richard@...> writes

><URL:http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/80722w0002.htm#80722w0002.htm_spmin0>

the Home Office have now located the missing table of numbers... which
are certainly of interest....

>22 July 2008 : Column WA230
>
>Anti-terrorism, Crime and Security Act: Voluntary Retention of Data
>The Earl of Northesk asked Her Majesty's Government:
>
>   How many grants they have given to telephone companies and internet
>   service providers to assist them in the voluntary retention of data
>   under Section 106 of the Anti-terrorism, Crime and Security Act 2001;
>   and what has been the total annual value of such grants in each year
>   since 2001. [HL4469]
>
>The Parliamentary Under-Secretary of State, Home Office (Lord West of
>Spithead):

Payments under Section 106 of the Anti-terrorism, Crime and Security Act
2001 (ATCSA) commenced after the code of practice for the retention of
communications data was approved by Parliament in 2003, the first
payments being in financial year 2004. In October 2007, the Data
Retention (EC Directive) Regulations 2007 came into force and many
former ATCSA grants payments are now made under those regulations.
(Continue reading)

Ian Batten | 4 Aug 14:33 2008

Re: An incomplete PQ answer


>
>
>        2007            10          5,714,045     2,632,450

So each grant is of the order of 700 grand.   It depends on if the  
grants are capex one-off, capex on a depreciation basis or capex+opex,  
but for half a million quid a year over three years you could buy and  
operate a substantial fraction of a petabyte of disk in a MAID arrays,  
and a few hundred terabytes of conventional RAID (the power would get  
you).

ian

Ian Batten | 4 Aug 15:14 2008

Re: DNA database claims

>>
> My take is that if an organisation is not at least 27001 compliant  
> (compliance should be attested by certification...), then it will  
> not be easy to attest that due care is being taken of the  
> information they hold - never mind any higher levels of assurance  
> that may be required.

Quite so.  One of my personal bugbears is people who claim to be  
compliant to a standard, but don't hold registration.  If they're  
compliant, it shouldn't be hard to get registered.  If they can't get  
registered, they aren't compliant.

Moreover, it's one thing to be compliant on a given day.    
Registration carries with it an obligation to surveillance audit  
(twice per year in our case) and part of that audit is in turn an  
examination of the internal audit.  People who claim unregistered  
compliance simply don't have that.

We thought we were 27001 compliant.  When the time came to actually do  
the work, we found that there were a whole host of things that we  
didn't do completely, that seemed trivial, but were actually hugely  
beneficial.  As an example, correctly functioning management  
reporting.  As another, robust measures of effectiveness.

My next task is 25999, and again I've got agreement that although the  
driver is customers who want ``aligned to'', we're actually going to  
do registration.   Partly because registration means you're on the  
front foot whenever the legitimacy of your management system is  
questioned.  But mostly because if you're not registered, you're just  
making bold claims.
(Continue reading)

Richard Clayton | 4 Aug 21:09 2008

Re: An incomplete PQ answer


In article <2DA38795-0604-466B-B47D-D5B7C47D0515@...>, Ian
Batten <igb@...> writes

>>        2007            10          5,714,045     2,632,450
>
>So each grant is of the order of 700 grand.

In 2004 each grant was of the order of 16K...   so what you're seeing is
MUCH larger entities obtaining money for data retention.

Note that this is in the run up to the time when the mobile companies
and telcos had to move to retaining data for a year;  whereas one might
suspect that 2004 was all about tiny little ISPs ...

...  since I have no inside information :) I can speculate along with
everyone else :)

>   It depends on if the  
>grants are capex one-off, capex on a depreciation basis or capex+opex,  

capex one-off I believe -- again speaking from informed ignorance :) ...

I believe that the opex is supposed to be covered by the "per request"
that the authorities pay for making their 500K requests/annum.

>but for half a million quid a year over three years you could buy and  
>operate a substantial fraction of a petabyte of disk in a MAID arrays,  
>and a few hundred terabytes of conventional RAID (the power would get  
>you).
(Continue reading)
