On 13/03/2008 15:37, mike scott wrote:
On 13 Mar 2008 at 15:02, Harold Fuchs wrote:
On 13/03/2008 11:37, mike scott wrote:
Looking at the effect phorm's systems(*) will have on privacy of
documents, it appears windows users may have a potential problem
where linux users don't.
Just to clarify there - I meant 'users of OOo' specifically, not
'users' in general. Sorry if that misled anyone.
If OOo is used to open a document via http, it appears the windows
version (2.3.1/xp) sends a Mozilla user agent header. The linux
version (2.3/ubuntu) doesn't seem to send any user agent information.
Seems like that's a bug in the Ubuntu version; the user agent string is
more often useful than not given that different UAs behave in very
different ways in a number of important areas.
....
1) Where on Phorm's web site does it talk about checking the user agent?
I scanned its privacy policies and didn't see any mention of it. Of
course, I may need new spectacles ...
I doubt you need new specs :-) It's been said by phorm's rep in an
interview somewhere, I think. Can't remember where offhand. (And this
wonderful XP won't start a browser at present, so I can't check my
bookmarks :-{ )
2) Why does the privacy of a document, or the lack of it, depend on the
user agent? Or on whether or not Phorm checks the user agent?
Because phorm promise to have a whitelist of UAs that they check,
thereby ignoring private documents which they assert give a different
UA. Except it doesn't work quite that way in practice.
Where does Phorm say this? Where is the list? What's a "private" document?
3) Why should Windows users be more affected than Linux users? I may
have the wrong end of some stick but you seem to be suggesting that
Phorm will somehow respect a document's privacy if and only if the user
agent is other than IE. Browsers, including IE, let you block cookies by
domain; the Phorm web site says OIX uses cookies. Ergo ..
It's the user agent thing. Using OOo to open a document from the web
(ie type "http://.........." in the file open dialogue) does one of
two things: on XP it gives a UA of Mozilla; on ubuntu, it gives /no/
UA header. One would expect phorm to scan the document if opened from
XP as it's not distinguishable from a browsed page, /possibly/ not
when requested from ubuntu, but no-one's sure.
Depends on the logic of Phorm's code. It could be "scan if (UA in
whitelist or is not given) otherwise don't scan" or it could be "scan if
UA in whitelist otherwise don't scan". In the first case a missing UA
(Ubuntu) causes the document to be scanned; in the second a missing UA
causes the document to be skipped.
The scanning isn't a cookie issue - as far as anyone can tell from
the information supplied by phorm, your pages may be scanned
depending on UA; the cookie determines solely whether you get the
targeted ads or not. Hence the storm raging at present about privacy
invasion.
Hmmm. The cookie contains the "random number" by which Phorm identifies
you. So, if you block the cookie you block Phorm's ability to recognise
you and thus you also block Phorm's ability to track your behaviour. If
Phorm can't track your behaviour it can't even target ads at you because
it doesn't know which ads might be of interest.
4) Phorm says you can opt out via something called Webwise. I went to
its web site: "not available in your area". Huh?
Yeh. People were using the BT webwise site to test anti-phorm code
for firefox. They think BT got wise - the arms race seems to have
started. Webwise /is/ phorm btw. The system corrupts the http data
stream, forcing a retry by the browser, and inserts its own cookies.
Totally illegal afaict, on multiple grounds.
a) Where did you find out that "the system corrupts the http data
stream, forcing a retry by the browser"? Why would Phorm do that?
b) What does "inserts its own cookies" mean - are you suggesting that
Phorm forces a cookie on you regardless of your browser settings?
<snip>
--
Harold Fuchs
London, England
Please reply *only* to [email protected]
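
The two candidate scan rules quoted in the message above ("scan if (UA in whitelist or is not given)" versus "scan if UA in whitelist"), applied to raw HTTP requests. This is an added example, not part of the original thread and not Phorm's code: the whitelist contents, function names and sample requests are constructed for illustration, since the page does not give Phorm's actual list or logic.

```python
# Constructed placeholder whitelist; Phorm's real list is not on this page.
WHITELIST = ("Mozilla",)

def user_agent(raw_request):
    """Return the User-Agent value, or None if the header is absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        # HTTP header names are case-insensitive
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None

def in_whitelist(ua):
    # Match on the leading product token, e.g. "Mozilla" in "Mozilla/4.0 (...)".
    # An empty value counts as "given" but matches nothing.
    return bool(ua) and ua.split("/", 1)[0] in WHITELIST

def scan_rule_a(ua):
    """First reading: scan if UA is in the whitelist or is not given."""
    return ua is None or in_whitelist(ua)

def scan_rule_b(ua):
    """Second reading: scan only if UA is in the whitelist."""
    return in_whitelist(ua)

def compare(raw_request):
    """Return (user agent, scanned under rule A, scanned under rule B)."""
    ua = user_agent(raw_request)
    return ua, scan_rule_a(ua), scan_rule_b(ua)

# Constructed requests modelling the cases discussed in the thread.
SAMPLES = {
    "OOo on XP (Mozilla UA)":
        "GET /doc.odt HTTP/1.1\r\nHost: example.org\r\n"
        "User-Agent: Mozilla/4.0 (constructed)\r\n\r\n",
    "OOo on Ubuntu (no UA header)":
        "GET /doc.odt HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "Other client (UA not in whitelist)":
        "GET /doc.odt HTTP/1.1\r\nHost: example.org\r\n"
        "user-agent: ExampleFetcher/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        ua, rule_a, rule_b = compare(request)
        print(f"{label}: UA={ua!r} rule A scans={rule_a} rule B scans={rule_b}")
```

The two rules agree whenever a User-Agent is sent and differ only for the request with no User-Agent header, which is the Ubuntu case the thread is unsure about.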