Wikipedia Opts Out Of Phorm 98
ais523 writes "Wikipedia (and other websites run by Wikimedia) have requested to opt-out from Phorm; according to the email they sent, they 'consider the scanning and profiling of our visitors' behavior by a third party to be an infringement on their privacy.'"
Another reader points to this post on techblog.wikimedia.org which includes a confirmation from Phorm that those sites will be excluded.
Why not go one step better? (Score:3, Insightful)
More information please? (Score:2, Insightful)
Would it be too much to ask for the summary to give some clue about what "Phorm" is, or why Wikipedia would need to or want to "opt out" of it?
Re:where is the list ? (Score:5, Insightful)
The Open Rights Group is keeping a list of people it's asked to loudly and publicly tell Phorm to phuck off. Amazon opting out made lots of mainstream media a couple of days ago; looks like Wikimedia doing the same will get a bit of notice too.
The point is to publicise that Phorm (a) exists and (b) is a bad thing. Schemes like Phorm only get away with existing insofar as people aren't aware of them.
Re:where is the list ? (Score:5, Insightful)
Schemes like Phorm only get away with existing insofar as people aren't aware of them.
Wrong.
Schemes like Phorm exist because they are opt-out.
Numerous studies have shown that people are lazy and won't even do things that are in their best interest if they have to exert even minimal effort. That's why opt-out is so successful.
Screw opt-out, the RIGHT solution is HTTPS! (Score:1, Insightful)
Opting out as a web site or user is just a lame attempt to avoid implementing the even simpler, and vastly more effective solution: MAKE YOUR WEB SITES ACCESS VIA HTTPS WITH SSL SECURITY FOR ALL PAGES, ALWAYS!
That way nobody can easily "man in the middle" attack your page content for any purposes of deep inspection, advertising, user profiling, invasions of privacy like 3rd party traffic logging, et. al.
Notice that I said "nobody can" versus "PHORM cannot" -- this would protect against ANY 3rd party snooping or data tampering, which surely is a far more effective "one solution fits all" approach than JUST relying on PHORM's good hearted integrity to honor your request not to profile your traffic. HTTPS solves the problem once and for all for ANY such threat. It is something that your web servers already support. It would be trivial to enable this wholesale across thousands of web sites.
The benefits to users could extend far past advertising related snooping; it would help secure your users against even worse kinds of malicious or oppressive censoring / analysis of their web interactions.
The ONLY things that would be available for inspection / logging by a 3rd party would be:
a: some client's PC did a recusive DNS lookup of your domain such as en.wikipedia.org
b: some client's PC made a TCP connection to an IP address which happens to serve some particular set of sites, e.g. 22.33.44.55 = en.wikipedia.org, uk.wikipedia.org, some_other_virtual_server.com, et. al.
c: a certain amount of SSL encrypted traffic flowed back and forth from the client's PC and the site over SSL. Packet timing, packet group sizes could probably indirectly reveal some information via traffic analysis about what content may have been accessed, but this would be certainly far more difficult and less useful for a 3rd party like phorm to have to analyze / process.
Other than the small issue of paying for a SSL certificate for commercial domains, what exactly is the problem here? If your site is commercial / large traffic then presumably a modest annual cost is negligible compared to your existing server / IT / staff / security / bandwidth / electricity costs -- and you probably ALREADY have SSL certs anyway just for your login / e-commerce types of processes. If you have a low traffic / personal / non-profit type site, then just use self signed certs for free, and it'd be doing your users a big favor protecting them from 3rd party attacks / snoops on their traffic for basically zero cost to you.
Large / commercial sites presumably have hardware capability to handle SSL processing at the necessary speeds. Small sites presumably have small enough traffic that even a very modest personal desktop CPU that is already in use for the server could handle it at that throughput level with no problem.
If we're going to be petitioning sites to do SOMETHING to stop the harmful practices of 3rd party traffic logging / deep packet inspection, shouldn't we be asking them to do it the BEST and really the ONLY EFFECTIVE way? Anything less is a joke. *NICELY ASKING* a "malicious" would-be eavesdropper to not snoop on your totally unencrypted totally unsecured data stream is like wearing a t-shirt that says "please don't rob me" while you walk around with tons of expensive jewelry and electronics through dark alleys in bad neighborhoods. News-flash -- the people that would snoop on your / your users' data are doing it for PROFIT or CONTROL self-interest; if they CARED about being "nice" and respecting your / your users' privacy, THEY WOULDN'T BE DOING IT IN THE FIRST PLACE! Don't "ask nicely" for them to stop -- they'll do it anyway, and so will 10,000 others who YOU DON'T EVEN KNOW ABOUT -- PROACTIVELY PREVENT them from doing it, YOU HAVE THE TECHNOLOGY!
Re:The official post (Score:3, Insightful)
Re:where is the list ? (Score:4, Insightful)
Numerous studies have shown that people are lazy
Numerous studies have shown that people attempt to rationally allocate their time and attention.
There are millions of businesses in this world. It is not humanly possible to opt-out of all their marketing drivel even when there a cost-benefit in doing so.
Marketers steal the time and attention of many people to make a sale to one person and then act all surprised when those people get pissed. Spam is just the extreme example of that, unfortunately becoming less extreme all the time.
---
The USA is