Dozen Questions for Phorm
Since everyone is up in arms over Phorm, and as a security professional I believe there are many valid reasons to be concerned, I have put together a very simple Q&A. People who know me know that I treat these Q&A sessions fair and square. I take no sides; I simply ask the questions and post the responses. The party can even pass on a question.
Phorm has informed me they would decline the Q&A here or at Revenews. If they don’t like the venue, I urge others to take the list of questions, make the same offer and add your own. You don’t have to be nasty, just demand to be heard. Here we go: some questions I, and other security professionals, have. I am really curious as to the answers.
Questions for Phorm
Question 1. Why did Phorm not responsibly advise British Telecom (BT) against running the trials in secret, without user consent and without explaining them to BT support staff?
Question 2. Is Phorm’s WebWise system currently undergoing development that will make it stealthy?
Question 3. What are the time frames for the next trials, with whom and what should we expect to see?
Question 4. How will Phorm’s WebWise system ask for consent without first intercepting and/or modifying the user’s connections over the Internet?
Question 5. Are Phorm aware that their technology will force many users to switch ISP? Do they feel this is OK?
Question 6. Why do Phorm feel it’s OK to intercept traffic for profit without opt-in consent, when officers of the law have to get a court warrant for each case?
Question 7. Do Phorm believe that because interception of business e-mails within the same organization is allowed, it is OK to intercept anyone’s traffic?
Question 8. How will Phorm gain the trust of an entire population after what it’s done?
Question 9. Why, if Phorm is willing to be so transparent, do Phorm not make this software open source?
Question 10. What happens if the equipment gets hacked and repurposed by hackers?
Question 11. And what happens when exploits are found in third party software they may be using as part of this solution? For example, a regular expression exploit: http://www.securityfocus.com/bid/14620
Question 12. Who will police the solution to ensure Phorm follows the privacy laws not only during the tests but in ongoing updates too? Does Phorm understand that every change will need to be checked, from source code review through to legal requirements, demanding a team of specialized people just to monitor the solution?
There you go Phorm. An even dozen. I am happy to post your replies, or you can ignore it all and hope it goes away. History has taught me differently.
ADDENDUM:
William of Ockham chimes in with this comment:
Chris Williams from The Register has been in contact with EU Information Commissioner Viviane Reding.
She is monitoring the situation closely and is asking for anyone who is concerned about the covert and potentially illegal trials to send her a letter as soon as possible:
Viviane Reding
Member of the European Commission
BE-1049 Brussels
Belgium
Her email address is available here:
http://ec.europa.eu/commission_barroso/reding/contact/index_en.htm
It is preferable if you send her a physical letter, though. Thanks!