Roland Perry wrote:
> In article <47D5977B.2020601-puGfsi27rH1aaemail@example.com>, Dave Howe
> <DaveHowe-puGfsi27rH1aafirstname.lastname@example.org> writes
>> Difficult to tell. Is it a legal interception in the course of
>> normal operations? That would require you to define normal
>> operations as examining your customer's traffic and modifying it
>> for your own profit (not your customers).
> Nonsense. The legal definition is nothing like that.
Which is the point, really. it can only be legal for the ISP to do it
if it is (a) by or on behalf of a person who provides a
telecommunications service and (b) it takes place for purposes connected
with the provision or operation of that service. Operating a web cache
to more efficiently deliver pages could reasonably be argued to fall
under (b), I doubt data-mining for targeting purposes would.
> Sounds plausible. And any site advertising to me may wish to only
> advertise those things I'm *most* interested in, which could cause
> quite a bit of natural churn.
I suspect it will be a tradeoff. The priorities would give them the
list of things you are most interested in, in order. Their own
commercial priorities may find that one channel is more profitable (or
has a higher percentage of as yet unshown ads that they cannot therefore
yet bill for) so while the ideal model would say that you would see
mostly what you most query for, then less of each lower priority item
down to items you rarely look at, commercial bias may cause less popular
items (that are still on your list) to be shown more often, in the hope
you will click though on one or more of them and so earn them more money.
Discount coupons from loyalty cards are seldom for the products you
buy, in the quantity you normally buy them - more usually, they are for
bulk packs or more expensive competing brands.
> Or maybe the advertisers' self interest will win over and everyone
> will get just adverts relevant for cbeebies (As that's the most
> prominent interest).
anything is possible. but outside of "whine" factor and except in the
run up to xmas, under 5's don't have much marketing pull, and as
cbeebies is unlikely to sign up for targeted advertising, what is more
likely is that the ebay and chatroom users will see a bunch of
advertising for kids stuff. The ebay user may well be interested in new
ways to keep the kids quiet, but the teens are less likely to be
influenced. Which is why I suspect that, in cases where the traffic
comes from more than one person *and* the person most likely to visit
partner sites such as /the guardian/ is unlikely to perform the bulk of
the web browsing, the targeting will be wildly inaccurate.
> I agree. And as a result I think both Phorm and the users will find
> that adverts aren't as tightly targeted as they expect.
Assuming venture (vulture?) capital, it is possible they don't care - if
they can make a convincing argument, they may be able to clear their
profit and get out before anyone realises its a losing bet.
>>> It's always a bit dangerous to impose one person's moral values
>>> on a whole bunch of others. Some of those adverts have statutory
>>> bans in any event (eg tobacco) but what about advertising to
>>> children - there are specific codes of practice here. Will they
>>> assume all users are children, or that none are? eg: Advertising
>>> soft drinks & high fat / sugar foods to children (which is in
>>> the ASA's code)
>> That's actually a more important question, and one that would be
>> extremely difficult to code in. Of course, it could be that said
>> foods (and alcohol) are also on the list. I can't recall ever
>> seeing an ad online for sugary foods or drinks, and rarely for
> I have most adverts blocked anyway, so am relatively unaware of what
> it is that gets thrust at "normal" users.
I tend to allow them but tune them out. Pop-ups/unders however annoy
me enough that I usually pull up the page source, find where they were
loaded from, and block the entire domain. If that catches a few banner
images as well, what the hell :)
> But they may not be illegally intercepting at all, and "consent"
> could be a red herring. In any event, if they "aren't looking at it",
> whatever that means in practice, then it's not "being made
> available" to even themselves (and that's assuming they are a
> [sufficiently 3rd party, ie not the ISP itself] person within the
> RIPA definitions).
>>> Of course, I could be wrong, but please say why, rather than
>>> continuing to ignore this as a proposition.
>> This would be because I, as a user, would not expect any
>> intermediary to be making queries on my behalf, and would firmly
>> assert my unwillingness for phorm (or anyone) to do so. That being
>> true, by the time they have intercepted my traffic and held a
>> conversation *with my browser* to obtain my opt out cookie, the
>> damage has been done. They have already, and explicitly against my
>> permission, intercepted my http get request (or whatever).
> You may dislike what they are doing, but I suspect you are also using
> the word "intercept" in a rather imprecise non-RIPA way.
I would say it was accurate in a technical sense - they are redirecting
packets (labelled as destined for a specified webserver) to their own
box - and then holding a conversation with my browser in which they
pretend to be the target web server - at least to the extent of getting
a cookie. I would consider this a classic man-in-the-middle attack.
if it is RIPa unlawful interception is another matter - and I suspect it
isn't. They seem to be going to great lengths to avoid "making some or
all of the contents of the communication available, while being
transmitted, to a person other than the sender or intended recipient of
The article mentions that the ISP is making the data available to the
phorm "box" though, so it is possible that, if the court applies the
"person behind the machine" criteria that have been (mis)applied in some
online pornography cases, then it is *still* BT rather than phorm that
have performed the interception.
> By the way, what "damage" is done, if your browsing command is thrown
> away as soon as it's been translated into one of their categories?
the same as would be done if they chose to let themselves into my house
and take a look around while I wasn't there. the fact that they then see
a "phorm not welcome here!" sign and leave doesn't alter the fact they
decided to let themselves in in the first place.
> Or do you consider it interception that they say to themselves "guess
> what, Dave seems to be interested in ipods".
They claim not to get that far - however, I suppose one positive
benefit might be that more sites find reason to install https
I suspect that "this http page is about ipods" is sufficiently
specific to qualify as "some or all of the contents"; I would also
suspect that it doesn't matter though, given the box doesn't actually
come out and say that at any point but (presumably) just updates your
local cookie until it is modifying a page from a partner site, at which
point it also reads the cookie for purposes of targeted advertising.
>>> This is another key issue. Are the ISP exempt anyway because it's
>>> part of the way they deliver the service (of shipping port 80
>>> packets around), or might they be exempt because there's no
>>> relevant "making available" to a relevant "person".
>> I would suspect the latter. It would be massively difficult to
>> describe data mining and substitution based on content as being
>> part of the normal operation of a packet-shifting service,
> It would certainly clear the air if we could establish whether or not
> this was their 'defence'.
I would assume revealing your defences before you are attacked is as
poor a tactic in law as it would be in war games... The best weapon is
one you never have to reveal, as uncertainty is as good a deterrent as
any (and a lot better than most).
>> and also as being compatible with the "mere conduit" defences many
>> seem to raise when the Four Horsemen are waved in parliament by
>> publicity see... I mean concerned individuals.
> They are still being a mere conduit for the majority of the content.
I would argue that *all* traffic is being inspected, even if only a
small amount is modified. It can't be a defence to say "But we don't
look at the bits, we just push them down the tubes" if you DO look at
the bits. Or could they get away with "ok, so we DO look at the bits,
but only for marketing purposes, and we deliberately don't remember what
> I wonder if mere conduit status is something like virginity where if
> you lose it once, it's gone for ever; or if it's a defence against
> liability for specific pieces of data (eg specific web pages). As all
> the web pages that are being 'modified' are from customers of
> theirs, perhaps the contract says that the customer won't sue them as
> a result of the modification.
I know they don't have that in their T&C right now. I suspect it might
be highly dubious if you could retroactively give yourself permission to
do whatever is profitable by changing your T&C to suit. Regardless
though, I would be surprised if the conduit defence still works if you
look at (but usually don't modify) the bits you shift.
> I just tried it again, and it won't switch on, or leave me a cookie.
> Maybe my earlier experience was one of those mysterious glitches?
Its possible they have disabled it due to too many Reg readers and
UKCrypto readers going and clicking stuff - or it was another of those
inadequately specific masks retroactively repaired that we discussed
>> It might be interesting to see what happens if you perform a
>> paper-based opt-out - write a lawyergram to the ISP along the lines
>> of "I do not authorize and have not authorized the inspection or
>> modification of my internet traffic for the purposes of targeted
>> advertising and will consider any such action interception for the
>> purposes of the RIP act 2000" and see what they decide to do to
>> opt you out :)
> They might write back and say "we don't [consider it Interception]
> and we've told you the webpage to use to opt out".
They might, yes. However, I don't know many lawyers who would be happy
about something like that going out on paper before it was tested in