Posts by dephormation.org.uk

Huawei, Phorm

A Chinese spyware company (Huawei) that partnered with a US spyware company (Phorm).

You take your pick, you get spyware...

The UK needs a trusted domestic infrastructure provider.

https://www.theregister.co.uk/2010/12/01/huawei_phorm/

A long list of excuses.

Just another one to concatenate to a very long list of ICO excuses...

"We lost your complaint".

"We are not adequately funded".

"We don't have any enforcement powers".

"We are not IT experts".

"It was only a technical offence".

"There was implied consent for this processing (the processing no one was informed about)".

"It was a small scale trial".

"The solicitor with the Rolls Royce and Surrey mansion house told us he has no money to pay a fine, so we let him off with a £1 fine".

"The GPRS doesn't apply so 5p per offence is the best we can do"

Now

"We are going to fine the crooks! Unlimited cash! (but lets not rush into it eh? we have agreed to an extension so they can suggest a better excuse we can use)".

An endless charade

I have come to understand the Home Office and UK Judiciary (for they are not independent, whatever they might claim) strategy is a 'long game' of endless delay & obstruction.

Any contrary opinion with which they disagree is deemed "unclear".

While the current law is being challenged, a new law that is different is enacted... and the cycle starts again. RIPA > DRIPA > IPA >..

And Brexit? That neatly eliminate the risk of EU enforcement action.

In effect, unlawful UK mass surveillance carries on regardless.

Excuse me if I'm not cheering...

That would mean BT's fine for covertly using Phorm would be 79x nothing at all.

See, unfortunately, the ICO staff still get to choose which bunch of criminals get fined, and which don't.

And the ICO staff "are not technical experts", we are only "theory customers", and Phorm was only "a small trial [on thousands of people and thousands of businesses that served them over three years by a bunch of foreign spyware developers]".

Cybersecurity? BT? Phorm?

BT perhaps jumping the gun on the spying opportunities offered by the IP Bill?

Rematerialised, or never vanished?

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/514152/Sept_2015_National_DNA_Database_Strategy_Board_Minutes.pdf

???

Found via https://www.gov.uk/government/groups/national-dna-database-strategy-board#minutes

:)

Hopefully, Phorm stays suspended.

Why?

If this is about legitimizing the illegal things that the UK security services have already been doing, why is there a need to impose more cost on internet users?

The IPT?

Now there's a hollow sham of a regulator if ever I saw one.

Privacy International

If it helps you decide whether or not to post your personal information, keep in mind the current director of Privacy International (Gus Hosein) was a consultant to BT/Phorm.

Excellent.

Ecryption is essential to negate the effects of mass surveillance, and scams like Phorm.

What does it take to get the ICO to do actual work?

The excuses...

"We are not IT experts"

Then... "ICO are not IT experts and we lack the power to fine"

Then... "ICO are not IT experts and have the power to fine, but the fines are not big enough to make it worth bothering"

Then... "ICO are not IT experts and have the power to fine, and the fines are now big enough to hurt offenders, but we are still not going to do it because it might hurt offenders"

And now they wonder why, despite 97% public awareness of data protection, only 1% of respondents would bother complaining to the ICO when a data protection offence occurs.

The ICO are absolutely pointless. The truth is there is effectively no data protection in the UK at all. It doesn't matter what the law says any more. Doesn't matter what you think your rights are. No regulator will protect you. No law will be enforced.

Do not trust the ICO to defend your privacy rights against crooks. It never happens.

DNT is a mirage.

Begging the crooked frauds running the advertising industry not to track you is just micturating in the direction of the prevailing wind.

Even the ICO don't comply with DNT requests. So who are you going to complain to if the ad industry laugh in your face when you discover you've been taken for a fool?

Like the ludicrous cookie law.

There is a much simpler solution that the ad industry don't want... Outlaw the creation of surveillance databases of personal data & communications data without the explicit consent of data subjects.

"likely to cause annoyance, inconvenience or anxiety".

The only thing "likely to cause annoyance, inconvenience or anxiety" to the ICO data protection racket is the fear that they might actually have to do some proper work for a change.

Instead of photocopying boilerplate rejection letters fobbing off complainants, and always refusing to enforce the law.

Watch as they do nothing with their new powers, and find a new excuse for inaction.

Vodafone...?

The telco that allowed the Californian company Bluecoat to covertly monitor their UK network, engaged in replay attacks launched from Bluecoat's offices in California, and all done without knowledge or content from either party to the communications... that one?

See,

Vodastalk; Vodafone and Bluecoat Stalking Subscribers

https://nodpi.org/2011/06/22/vodastalk-vodafone-and-bluecoat-stalking-subscribers/

URLs are Content

They are the content of an HTTP GET request.

They are not addressing data. They also reveal the content of the likely response to the request.

Addressing data is the IP address (clue in the name) and nothing else.

That is, co-incidentally, how it was specified in the 'invalid' EC Data Retention mass surveillence regulations too.

BT: immune from ICO enforcement..

Some examples...

BT/Phorm - no ICO enforcement despite covert trials of Russian supplied spyware monitoring the content of customers' private/confidential web browsing, without consent from sender and recipient.

BT/ACS law - no ICO enforcement action despite BT sending an unencrypted email full of sensitive customer data, and despite a court order requiring that data to be encrypted and sent on physical media.

BT/email - again... no ICO enforcement action despite months of security failures that put customers at risk of identity theft.

I'm not sure what it would take to cause the ICO to enforce the Data Protection Act against BT.

Recalling that

... the ICO blamed BT's own customers for the Phorm affair (claiming there was a measure of "implied consent" for private/confidential telecommunications to be covertly intercepted & secretly sold to Phorm).

And also the same ICO that blamed ACS:Law for *receiving* unencrypted emails from a lawyer in BT (whereas BT were supposed to comply with a court order instructing them to encrypt the data *before sending* it via CD/media). Not that ACS:Law were blameless, but if the data had been encrypted as instructed by the judge, it would probably never have been hacked. BT escaped any penality in that instance too.

So sadly... I expect the ICO's conclusions to be that BT customers were somehow to blame... and BT Directors to be completely exhonerated :(

I call it Muffins Law (cf Tea & Muffins at the ICO).

Backdoors like WPAD?

For starters,

WPAD: The Internet Explorer Security Flaw that Threatens all UK Microsoft Users

https://nodpi.org/2013/05/09/wpad-the-internet-explorer-security-flaw-that-exposes-all-microsoft-users-in-the-uk/

Ultrasurf?

65.49.2.178 -> Sophidea -> Ultrasurf

"a product of Ultrareach Internet Corporation, originally created to help internet users in China find security and freedom online"

Would also be interested to know...

if Google have attempted to estimate how many Tbytes of data were pilfered by NSA/GCHQ without any legal authorisation at all.

"Fuck these guys" is apparently the proposed solution... Personally, I would opt for encryption.

These statistics are meaningless.

Undersea cables?

Vodafone: use Bluecoat to covertly tap UK telecoms and divert to California USA for analysis & replay attacks.

BT: used Phorm to covertly intercept, copy, and analyse the content of UK telecoms.

Looking for confirmation of US/UK economic espionage?

www.phorm.com.br

The clue is in the name. The .br bit stands for Brazil.

Does that help?

GCHQ are doing their job

When did it become GCHQ job to spy on *law abiding* citizens unencrypted, let alone encrypted, private/confidential communications?

Or rather, 'adversaries', to use the new colloquialism?

These revelations, or rather the fact of the corrupt co-operation between IT industry leaders and these fascists, will do huge damage to public trust in IT people & products.

Phorm

Don't think we've forgotten.

Both Livingston and Patterson oversaw the covert trials of Phorm in 2006, 2007, and 2008.

Ian Livingston & BT

The people who imposed Phorm mass surveillance on their subscribers, and the web sites that served them.

I don't trust either of them.

DNT is a mirage

We need to outlaw the unauthorized creation of personal profile databases/communications databases... or in the alternative.... face the unpleasant truth that evil people will create these databases regardless of any signal sent by a web browser if they think they can get away with it.

Why is regulation a bad thing?

Versus the alternative; unaccountable ISPs imposing opaque censorship restrictions on wholly lawful communications.