
MyClicknet - Romtelecom's traffic interception service

17/10/11

  18:59:32, by Bogdan, 1441 words  
Categories: News - Romania, Personal opinions, Legislation, Law & Internet, Privacy


About two weeks ago Romtelecom launched a service called MyClickNet, presented as an “Internet personalisation” service.

What the official press release does not say, and what is tucked away in the site's Terms and Conditions, is what this service actually does: it intercepts ALL your Internet traffic (pages visited + searches) in order to bombard you with advertising. Relevant advertising, of course. All free and “anonymous” :D

To do this, Romtelecom struck a deal with a company called Phorm, known for its advertising “services” based on analysing the Internet traffic of ISPs, which is why it was kicked out of the UK, while the United Kingdom is being investigated by the European Commission.

The system is so anonymous that, to make sure your choice about the system does not disappear, “we use a flash cookie to store your consent preference.” (from the privacy document).

For those interested in the technical details, see the thread started by georgica on Softpedia, as well as the documentation written by Richard Clayton of Cambridge University in 2008, when the system was being contested in the UK (description and problems).

For the practical side of the redirects it performs, see qbert or m1ha1. The case is already getting attention abroad: the DPI Forum, Paul Bernal, and dataprotection.ro has replied that it is already investigating the case. (although ANCOM would in fact be the more competent authority, and we will send it a notification tomorrow - I noted this wrongly at first here; ANSPDCP is the competent authority for Article 4 - update 18.10)

In the hope that Romtelecom will do a good deed at the eleventh hour and look for a serious consultancy on personal data protection (let us not forget that last year it had another embarrassing case involving an insurance company's access to its customer database), here are some useful legal provisions:

Law 506/2004, Art. 4:

(1) The confidentiality of communications transmitted through public electronic communications networks and publicly available electronic communications services, as well as the confidentiality of the related traffic data, is guaranteed.
(2) Listening, recording, storage and any other form of interception or surveillance of communications and the related traffic data is prohibited, except in the following cases:
a) it is carried out by the users taking part in the communication concerned;
b) the users taking part in the communication concerned have given their prior written consent to these operations;
c) it is carried out by the competent authorities, in accordance with the law.

Since in our case the subscribers do not give written consent, and what we have instead is implied consent (details at m1ha1), it is clear that this provision is not met.
Moreover, for the purposes of this case, the user taking part in the communication is also the website with which the connection is being attempted, and which is in no case asked whether it permits the interception of this communication.

The system has other problems too - from the fact that the opt-out system appears not to work (see m1ha1) to the fact that it excludes certain types of content (as their documents put it: sensitive subjects such as content related to tobacco, pornography, alcohol, drugs, health matters, or content aimed at children under 14), which indicates that we are dealing with Deep Packet Inspection (DPI) - that is, a detailed analysis of the content of every packet the user sends through the ISP.

To top it all off, Law 161/2003 classifies any unauthorised interception of computer data communications as a criminal offence:

Art. 43. - (1) The interception, without right, of a transmission of computer data that is not public and that is intended for a computer system, originates from such a system or is carried out within a computer system constitutes a criminal offence and is punishable by imprisonment from 2 to 7 years.

The phrase “without right” is defined in Art. 35, and I doubt there is a contract between Romtelecom and both users (the person accessing the site + the owner of the site) stating that it is allowed to intercept web traffic for the purpose of displaying ads. The fact that the traffic is deleted is irrelevant as long as the interception takes place; moreover, a kind of summary of the interception is created (creating a summary of the pages in real time, as the Romtelecom documents put it).

It is also troubling that a company in which the Romanian state still holds more than 40% can afford to do such a thing, in a completely non-transparent way, taking advantage of ordinary Internet users' lack of knowledge. Moreover, whereas in the UK things started with some trials and there were long discussions with the authorities about the legality of the system, here Romtelecom decided that this is a service to be served to users without discussion or comment, forgetting to explain to users both that it intercepts traffic and that it uses Phorm technology (which appears somewhere hidden in the Privacy chapter).

In fact, the way big companies treat Romania as a banana republic is by no means surprising, which underlines all the more the need for the Internet Neutrality legislative initiative, which would make any case of DPI illegal.

For those less familiar with the technical concepts, Richard has a few telling comparisons of the Phorm system with other fields:
- The post office decides to open your letters so that you get advertising more closely related to what you would like to buy
- The cable TV company (say UPC) would scan the books and magazines you read in order to give you better-targeted ads
- Carrefour automatically builds a profile of your purchases so that when you walk into McDonalds you are handed the vegetarian menu straight away. :)

PS: Thanks to Huitzilopochtli, who pointed me to the subject in a comment on the previous post.

Update 18.10.2011 12:30 I have also received Romtelecom's position by email, which you can find below. I pressed the issue of “traffic interception” and I am waiting for the position to be completed on that topic as well.

“I believe some aspects of the MyClicknet project have not been quite properly understood, and we wish to state the following officially on behalf of Romtelecom, given that we were not given the opportunity to express a point of view before the post was published:

As we stated in the public press release of 28 September 2011, MyClicknet is an optional and free service (link).

MyClicknet is offered to Romtelecom customers only on an opt-in basis (the method accepted by national and European legislation) – these are the invitations mentioned in the posts cited in your article. Before deciding whether or not to activate the service, the customer is informed of the purpose for which their data is processed – this is done through the Terms and Conditions (you will find the document attached; the information is published visibly for MyClicknet users at myclicknet.romtelecom.ro/terms) and the Cookie Policy (you will find the document attached; the information is published visibly for MyClicknet users at myclicknet.romtelecom.ro/privacy).

This process is different from the one applied in the UK, where we understand an opt-out model was used. In the Romtelecom network, activation takes place only following an action by the user (express consent), by selecting the “button” DA (YES). Moreover, the customer can change their choice at any time, free of charge and immediately (choosing to activate/deactivate the service if they wish) by accessing myclicknet.romtelecom.ro/status.

Customers also have the opportunity to find out about their rights regarding personal data through a separate section on the service's start page. Thus the “Personal data protection” section (you will find the document attached; the information is published visibly for MyClicknet users at myclicknet.romtelecom.ro/privacy) gives customers the opportunity to find out about their rights under Law 677/2001.

If a customer chooses to activate the service (that is, after their consent has been obtained), the customer's personal data (their IP) is anonymised by means of a HashedID (a string of 24 random characters). The purpose of this HashedID is not to identify the user, but to differentiate them from other users of the service.

In practice, from this point on, a series of tags related to the user's preferences is associated with the HashedID. These tags do not include user preferences related to sensitive subjects (such as medication, tobacco, adult material) or any preferences expressed while using secure connections or webmail, for example. As a result of these associations, the user will see personalised ads in the promotional spaces of partner publishers. This is not about delivering ads that interrupt web browsing, but simply about a “personalisation” of promotional spaces that already exist on the web, and that is precisely why we consider the service useful to customers.

+

As regards ensuring the confidentiality of communications, this is ensured by using this HashedID instead of data that can identify the subscriber; thus the system does not use personal data, but this HashedID. Thus it is not a customer that is identified, but such a HashedID, to which personalised content is delivered. Moreover, this HashedID is processed internally and automatically by the application (not through human intervention), its history is not stored and it is not communicated to third parties. We stress once again that the analysis does not cover secure https sites, peer-to-peer or the content of communications, but only the area of interest.”

42 comments

Comment from: gupi [Visitor]

Back in August I was already reading about (somewhat) similar cases worldwide:

The five levels of ISP evil
http://gigaom.com/broadband/the-five-levels-of-isp-evil/

17/10/11 @ 19:11
Comment from: Andreu [Visitor]
5 stars

Very well written article. Thank you

17/10/11 @ 20:06
Comment from: Huitzilopochtli [Visitor]

Thank you, Bogdan, for keeping your word and writing about this subject.

17/10/11 @ 21:03
Comment from: tantzi [Visitor]

Your article is very interesting… I am a clicknet customer. I know about this story because at some point I saw an intermediate page (similar to the one from mihai in the article) asking me whether I wanted to use the service or not. I answered that I was not interested and they have not pestered me since.

I would need one clarification, though: are you saying that, despite the fact that I said I did not want it, they are tracking me, or simply that they did not ask permission?

17/10/11 @ 21:27
Comment from: [Member]

No, tantzi, if you opted out (said you did not want it) you are not enrolled in that service.

18/10/11 @ 10:48
Comment from: Keith [Visitor]  
5 stars

In normal browsing if you have not made a decision you will experience a ‘browser hi-jack’ and receive the ‘invitation page’ instead of the page you wished to visit.

If you do not choose the ‘network level opt-out’ then you will need to maintain an opt-out cookie on your computer. They use normal cookies and Flash LSO cookies. They may re-spawn normal cookies from the Flash ones.

If you lose these cookies then you will receive the ‘invitation page’ again.

I do not know about the ‘network level opt-out’ and how it might work but it is my belief that with the cookie based method they will continually have to redirect your browsing to one of their servers, a.oix.net or b.oix.net, in order to read your status cookie.

Even if you have opted-out of having your communications intercepted the interception must still occur in order to check that. Whether you are opted-out or opted-in then you will repeatedly see references to a.oix.net in your browser status bar as these redirects occur. On occasion the system may fail and you will be left looking at a blank page.

The following page from Brasil shows the network level opt-out on their version,

http://rainydayss.com/como-desativar-o-navegador-oi-phorm-invasao-de-privacidade/

If there is anyone who has experienced this service ‘live’ {tantzi?} then I would be interested to hear from you in order to better understand what they have implemented.

Thank you.

18/10/11 @ 12:29
Comment from: [Member]

Keith, besides the cookies issues - which are too technical for 99% of the users to understand - we have the core problem: The Internet traffic is intercepted by the ISP (in this case Romtelecom) and they are looking in the content of what I see.

IMHO this is illegal according to the Romanian law, which requires a “written consent” from the users of communication for any electronic communication traffic interception (and the users are the Internet subscriber and the website).

18/10/11 @ 12:45
Comment from: Keith [Visitor]  

Bogdan, yes I agree. Your laws, 677/2001 and 506/2004 are transcribed from EC directives 95/46/EC and 2002/58/EC.

677/2001 should require ‘freely given and informed consent’. I believe you state in your article that the information pages presented by Romtelecom fall short of this because they do not give enough information for the user to make such an informed consent.

506/2004 again as you state requires that consent for the interception should follow the same lines and must be bi-lateral, from the user *and* the website. Phorm/Romtelecom are only getting uni-lateral consent from the user and as such it should be considered illegal.

A prime reason is that many websites are commercial entities and as such would not want Phorm/Romtelecom to make commercial use of their content. If my website sells things then I certainly do not need Phorm/Romtelecom spying on my customers and stealing them.

In addition copyright becomes an issue. I may request a page and it is offered for, one off, personal not for profit use. The site owner does not expect Phorm to silently ‘piggy-back’ off my connection to obtain their own unauthorised copy and profit from it. It may well be the case that as a ‘subscribed’ user I am aiding copyright theft.

There are other issues that people more knowledgeable than myself will be aware of. You will have read some of them in the literature available from Richard Clayton and Nicholas Bohm.

You mention that MCSI is a 46% shareholder in Romtelecom which obviously raises concerns as to a conflict of interests. It may be the case that MCSI is, in part, responsible for enforcing some of the relevant legislation which would make the matter more worrisome. The associated Romanian authorities have recently been subject to action by the EC with regard to their independence.

I have just noticed the reply you have received from Romtelecom. It seems to me that they are still failing to answer the possible issues properly. They may also be misleading you by their description of events in the UK. Beyond Phorm's general behaviour the issues went beyond a simple question of, uni-lateral, opt-in. Again Clayton and Bohm should offer a more detailed version of the issues and given Romanian law is transcribed from the same EC directives as those used to, incorrectly, implement UK law they should suffer similar problems. I am sure you are aware that the EC threatened court action against the UK Government for their failings.

Perhaps I am emotional but if I don’t want it here then I do not see why anyone else should have it forced on them. Beyond this there is the serious concern that should they establish themselves in Romania they will use this as justification to move into the rest of Europe.

As has been the case before; in the UK, in South Korea, in Japan and in Brasil Phorm have now set up shop in Romania first and will argue the legalities later.

They failed in the UK, they failed in South Korea, they failed in Japan and they are currently, hopefully, failing in Brasil. It is a waste of other people's time and resources but they keep on doing it.

I think I may have gone into rant mode so I’ll shut up for the moment.

Thank you

18/10/11 @ 13:51
Comment from: mADSLug [Visitor]
5 stars

It is good to read that Romanians have such a good understanding of what Phorm are doing. What a pity that Romtelecom have such ignorant people to speak on their behalf about the UK experience.

In 2006 Phorm used ISP bt.com to inject javascript into the source code delivered to the browser. Websites thought the server had been hacked. Users thought they had a virus on their computer.

In 2007 Phorm removed the javascript injection and tested the proxy mirror and 307 redirect - very little information has come into the public domain about how this worked. Even so the tests were noticed by a handful of users - who suspected malware.

In 2008 Phorm and BT tested the same ‘opt in/out’ screen which is being presented to Romtelecom customers.

UK law enforcement was found to be deficient - consent could be assumed rather than need to be explicit - and this gave rise to the EU becoming interested in the process and the UK having to change the privacy and interception laws to reflect this. To date the UK laws are on paper only and there is no way for UK users and websites to report interception infringements. As Phorm are not able to obtain consent before intercepting traffic they removed themselves from the UK market.

Since then a number of UK ISPs have begun to use DPI systems to intercept traffic. It is not known whether or not they use a proxy to mirror traffic between users and websites. What is seen by websites is a script that requests the content either before it is delivered to the user (BlueCoat) or a few seconds / minutes / hours after the user has visited (Huawei, Websense and many others).

What is known is that BlueCoat (USA based) delivers content from the proxy where it holds a cached copy so visitors will not appear in server logs.

Huawei (in partnership with OIX/Phorm with the iTarget profiling service) maintains a centralised cache which appears to be in China. This cache is used to analyse the content / relevance of all sites visited by the users of ISPs signed up to Huawei’s DPI service. The cache is also used to detect malware hosted by websites and to provide a blacklist for warning anyone visiting the URL after the malware has been detected. A malware free URL will be whitelisted for 24 hours.

Websites are able to protect their content and copyright by blocking the IP addresses used by the scripts.

Phorm have also been seen to use a script to scrape content - any site which completed the form to opt out of being profiled (this option was available in UK after numerous complaints from websites including Amazon and wikipedia, but not seen in the Korean, Brazilian or Romanian versions) was visited by the script within a few hours of opting out. Between Phorm using a proxy mirror and using its script it is able to capture 100% of the marketing intelligence from users and the sites visited.
The same opt-out list was to be used to exclude private mail servers from being intercepted along with all other port 80 traffic.

Perhaps Romtelecom will explain what controls are in place to ensure that mailservers are excluded from interception. If all they are doing is excluding ISP based and free services like hotmail and gmail then there are many users who will be unaware that their email service is being intercepted.

All that, just to say that Romtelecom have misrepresented the UK experience of Phorm.

18/10/11 @ 15:16
Comment from: Alexandru Nedelcu [Visitor]

A few clarifications regarding Romtelecom's reply …

They say that the IP is not stored directly, but passed through a hashing function that yields a “HashedID (a string of 24 random characters)”.

The wording is nonsense: the characters ARE NOT random as long as the same IP always yields the same HashedID; besides, 24 characters are enough to identify any ClickNet user. Of course, this method somewhat prevents users from being identified through unauthorised access to their database, but it does not prevent identification through authorised access – such as any Gigi who works at Romtelecom with sufficient access rights.

And it is fairly simple – if you have the algorithm for this hashing function, you can run every possible IP through it, a rather trivial operation by the way – from which you can find out which HashedID corresponds to a given IP, or the other way round. And the hashing function, even if it were hidden, can be found out (especially since the 24 characters do not suggest a modern hashing function to me).

And seriously, I am getting a T-shirt made with this sentence – “the purpose of this HashedID is not to identify the user, but to differentiate them from other users of the service”.

18/10/11 @ 15:55
Comment from: Max [Visitor]
5 stars

Bogdan,

The article is exceptional, and the comments are, as usual, professional!

A few personal remarks:

1. RTC has documented well both its Privacy policy (which I read very carefully) and the reply it gave you.

2. Even though this is one and the same company (Phorm) that was the subject of a scandal in the UK, it seems to me that this time you have disregarded the presumption of innocence, relying only on the negative publicity associated with a questionable business “past”.

3. My opinion is that the Service is addressed ONLY TO THOSE WHO REALLY WANT IT, and is not imposed by RTC. In addition, as has already been mentioned, users can inform themselves and decide whether and how they will benefit (or not) from this service.

4. The security arguments seem OK to me for now and I, at least, from what I have read, cannot suspect them of bad faith.

5. You invoked Law 506, but you know very well that in the virtual world written consent does not mean that the user has to turn up at a counter and put their signature on an addendum or some new contract. The person ticks DA (YES), and that stands in for “in writing”. It does not stand in for an electronic signature, true. But it can be considered that the elements required for consent are met.

6. The “interception” of communications theme is a bit forced! As long as an ISP provides you with an electronic communications service of the one-way interaction type, e.g. viewing web pages (HTTP protocol), it is laughable to talk about interception! Especially as that communication is public. You simply cannot say you have interception within the meaning of Law 161/2003 when it is about web pages. If, on the other hand, we were dealing with webmail or services using protocols such as SMTP, POP, FTP or IRC, then yes! But RTC says it has nothing to do with such content !!!!! So???

I am really very curious how ANSPDCP will respond!

By the way, as a Google (Gmail) user, have you not noticed that after you exchange messages on a certain topic, “ads” or various adverts on the same or similar topics start (little by little) to appear in the right-hand column ?????? And when we talk about Gmail, we are talking about electronic correspondence, about content… etc. Why do we accept this “interception” from Google???

Maybe I am wrong, but, at least from my research on the subject, I do not think there are fundamental elements here that should make our hair stand on end…..:)


18/10/11 @ 16:31
Comment from: [Member]

@Keith - actually law 677 does not define consent at all (as the EU directive does), and this is why it would be quite complicated to go on this road. But law 504 (eprivacy) is very clear. I’ve pointed to Richard Clayton’s work in my post, I don’t know Nicholas Bohm’s articles - but if you have the links, pls point them out.

@mADSLug - Thanks for the update. I’ve actually followed the UK Phorm issue only sporadically, so this is welcome

@Alexandru - interesting idea. But couldn't there be an easy solution to this problem by allocating n hashing functions and having RTL use them at random?
Anonymisation is a tricky subject, because you can often regain access to the data either through the reverse process (de-anonymisation) or by adding other data (as with the cookie hijacking that Clayton has written about).

18/10/11 @ 16:31
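
The enumeration argument from Alexandru Nedelcu's comment and the question about rotating n hashing functions in the reply above, worked through as an added example (not code from the post, the commenters, Romtelecom or Phorm). The real HashedID algorithm is not given on the page: `hashed_id`, `keyed_id`, the SHA-256/HMAC constructions, the 10.20.0.0/16 range and the sample address are all assumptions made for illustration.

```python
"""Why a deterministic hash of an IP address is a pseudonym, not anonymisation.

All ID functions here are hypothetical stand-ins: the real HashedID
algorithm is not given on the page.
"""
import base64
import functools
import hashlib
import hmac
import ipaddress

# Constructed sample data: a private /16 standing in for an ISP address pool.
SUBSCRIBER_RANGE = "10.20.0.0/16"
SUBSCRIBER_IP = "10.20.137.42"


def _to_id(digest: bytes) -> str:
    # 18 bytes encode to exactly 24 base64 characters ("24 characters").
    return base64.urlsafe_b64encode(digest[:18]).decode("ascii")


def hashed_id(ip: str, variant: int = 0) -> str:
    """Hypothetical unkeyed scheme; `variant` models one of n known functions."""
    data = b"variant-%d|" % variant + ip.encode("ascii")
    return _to_id(hashlib.sha256(data).digest())


def keyed_id(ip: str, key: bytes) -> str:
    """Hypothetical keyed scheme: HMAC-SHA-256 under an operator-held secret."""
    return _to_id(hmac.new(key, ip.encode("ascii"), hashlib.sha256).digest())


def build_lookup(network: str, id_funcs) -> dict:
    """Run every address in `network` through every candidate function."""
    table = {}
    for addr in ipaddress.ip_network(network):
        ip = str(addr)
        for id_func in id_funcs:
            table[id_func(ip)] = ip
    return table


def reidentify(target_id: str, network: str, id_funcs):
    """Return the IP behind `target_id`, or None if no candidate matches."""
    return build_lookup(network, id_funcs).get(target_id)


def evaluate() -> dict:
    """Check four pseudonymisation designs against simple enumeration."""
    results = {}

    # 1. One unkeyed function: the same IP always gives the same ID,
    #    so a table over the address pool maps the ID straight back.
    results["unkeyed"] = reidentify(
        hashed_id(SUBSCRIBER_IP), SUBSCRIBER_RANGE, [hashed_id])

    # 2. n = 4 functions picked at random: the table is only n times larger.
    variants = [functools.partial(hashed_id, variant=v) for v in range(4)]
    results["n_variants"] = reidentify(
        hashed_id(SUBSCRIBER_IP, variant=2), SUBSCRIBER_RANGE, variants)

    # 3. Keyed hash, seen by someone without the key: enumeration fails.
    secret = b"operator-held secret (constructed)"
    target = keyed_id(SUBSCRIBER_IP, secret)
    results["keyed_outsider"] = reidentify(
        target, SUBSCRIBER_RANGE, [lambda ip: keyed_id(ip, b"wrong guess")])

    # 4. Keyed hash, seen by anyone with authorised access to the key:
    #    the mapping is recoverable again.
    results["keyed_insider"] = reidentify(
        target, SUBSCRIBER_RANGE, [lambda ip: keyed_id(ip, secret)])
    return results


if __name__ == "__main__":
    for case, recovered in evaluate().items():
        print(f"{case:15} -> {recovered}")
```

A keyed construction only moves the question to who holds the key, which is the comment's point about identification through authorised access.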
Comment from: [Member]

@Max - thanks, useful as always.

Yes, I am probably already biased when it comes to Phorm, but they build their business on a single element - the interception of ISP traffic.

The difference between Gmail and RTL is that the latter is a provider of electronic communications to which law 504 applies and from which I have certain expectations of confidentiality and security, both legal and moral. Gmail is not a provider of electronic communications.

Re point 5 - I do not agree with you. All privacy legislation requires consent (where I agree it can be a tick box or an “I agree”). But only in two express cases does it refer to written consent - and both cases concern exceptional situations related to confidentiality (processing of personal data related to health + interception of communications). So “written” in these cases means either a signature on paper, or electronically with an extended electronic signature (as law 455/2001 expressly says in Art. 7 - In cases where, according to the law, written form is required as a condition of proof or validity of a legal act, a document in electronic form meets this requirement if an extended electronic signature, based on a qualified certificate and generated by means of a secure signature-creation device, has been incorporated in, attached to or logically associated with it.)

And I will reply on law 161 later.

18/10/11 @ 16:49
Comment from: Keith [Visitor]

Bogdan, again yes. It is hard for my mind to extract the salient points when jumping between various documents. I’m not going to try and quote things.

You are more qualified than me.

I will say that there appear to be differences, possible discrepancies, between the various documents, Romanian/EC. The English version of 677 does mention consent although perhaps not in the manner of the EC equivalent. 506 appears to be closer.

In the case of 677 consent is mentioned and in part informed consent is required. 506 should refer back to it in the same way that the EC documents refer back.

Given that consent is from the data subject and therefore unilateral then this is being offered. However I do not believe Phorm/Romtelecom are offering proper informed consent. As you suggest the argument might be complicated.

Naturally, showing my bias, Phorm relies on such things.

The legal analysis from Nicholas Bohm is here,

http://www.fipr.org/080423phormlegal.pdf

You will see that he discusses the possibility that by intercepting and processing particular web pages then Phorm/Romtelecom are likely to be processing the personal information of other data subjects from which consent has not been gained.

As you say 506, e-privacy, does appear to be very clear and again Bohm deals with many of the underlying issues and reasons for why it is, or should be, what it is.

Unfortunately there is still doubt because Phorm will claim, once again, that the internet is ‘published’ or ‘broadcast’ and therefore consent is not required from the website owner and so it will go on.

Once again they have arrived somewhere else to run the same game..

18/10/11 @ 17:53
Comment from: Keith [Visitor]  

http://economie.hotnews.ro/stiri-telecom-10455436-autoritatea-pentru-protectia-datelor-investiga-modul-care-sunt-folosite-datele-personale-intr-serviciu-internet-personalizat-romtelecom.htm

“Romtelecom claims it consulted ANSPDCP before launching this service

Last but not least, Romtelecom officials also mentioned that they consulted the national data protection authority before launching this service:

“The MyClicknet service was presented to ANSPDCP before launch. The Authority's representatives did not object to this type of processing and offered a series of recommendations and guidance which Romtelecom followed exactly at the time of implementation”, the representatives of the communications operator added.”

Did they mention ‘interception of communications’ during that consultation or did they just discuss ‘data processing’ and hide the rest from the regulator?

I wonder how the regulator might feel if they have been deceived..

18/10/11 @ 21:53
Comment from: avocata [Visitor]

hi

What I do not understand from Bogdan is what exactly affects him directly (or indirectly)? What exactly causes him any harm or inconvenience? If we start from the premise that Romtelecom does NOT intercept his traffic and no longer bothers him with any message as long as he has refused the service, then I do not understand where his problem is. Maybe I am a Romtelecom customer and I WANT this service? You (Bogdan) are free to refuse it. Personally I do not think that Romtelecom, having officially communicated that it intercepts traffic ONLY for those who have accepted, can afford not to respect these rules. It really seems to me that you are no longer objective on this topic and are taking it personally. And on another note, why are we taking into account opinions about myclicknet from characters who have nothing to do with it? Who come from over the seas and, at first glance, have voodoo dolls of PHORM with pins stuck in them?

And speaking of cookies: this site did not let me post a comment because I did not have accept cookies enabled :))

18/10/11 @ 22:16
Comment from: catalin [Visitor]

I am a new Romtelecom customer. I consider that I have a medium-to-high level of specialist training, meaning I am neither a specialist nor a novice, probably more of a specialist than 90% of Romtelecom's customers. I have to admit that I found it quite hard to understand a large part of the aspects presented here, and an ordinary person would find it all the harder. I consider that opt-out/in completely lose their relevance, because there is no chance that a person who uses the Clicknet service gives their acceptance knowingly, owing to the lack of transparency and of full understanding. I would add that I put myself in the place of a child playing a game on Facebook or watching a cartoon on trilulilu; what do you think they will do if such a page - an approval page - appears? They will click accept to move on, so they can play or watch the cartoon. Is it OK for such a system to rely on cases like these? I do not think it is. If you tell me these are isolated cases, allow me to doubt it - for many people it does not even cross their mind that Romtelecom would be capable of such a thing, and in no way would they agree if they understood what it is about.
I see this story has kept me awake until 4 in the morning, but it has been a special experience for me.

19/10/11 @ 04:00
Comment from: catalin [Visitor]

I see I have quite a few mistakes in how I phrased my sentences and I cannot edit. I apologise publicly. I hope the message was understood nonetheless. While those who understand everything perfectly and are very attentive can say “I accepted because that is what I want”, the vast majority will answer “I have no idea I accepted anything like that” or “these are fairy tales, gentlemen!”.

19/10/11 @ 04:09
Comment from: [Member]

@Kio - the problem is not the cookie and how they use it, but that your entire Net traffic can be intercepted (or observed), so it is not limited to 1 or 20 sites.

@Avocata. Yeah, I am an undercover BT agent out to bring down RTL's shares on the London stock exchange (speaking of voodoo). :-)
If you do not understand why I care about fundamental rights, I have no way of convincing you. I am simply trying to be an honourable person. If you are a lawyer, you understand the term public interest, don't you?

Re cookies, I think you are mistaken; I have the impression that you may be confusing the externally delivered captcha with a cookie.

@Catalin - good point, which is why in the case of cookie regulation too I do not agree with an opt-in system based on any kind of on-screen warning - the user simply clicks yes without reading. :-)

19/10/11 @ 11:16
Comment from: Alexandru Nedelcu [Visitor]

@Kio, @Bogdan …

Even if I misunderstood and the identification is done through a randomly generated cookie, it is still a problem.

From what I have read, Phorm uses cookies set with Flash. And they probably don't stop there, because modern browsers are also capable of persistent storage and other things. Nowadays a cookie is very hard for a non-technical user to delete.

If you want an exercise in frustration, see here: http://samy.pl/evercookie/

The important part was the quote I underlined … identity is by definition differentiation from other people. And to give an example, if you are some government agency and you want to find out exactly which people criticise Basescu, complete with the address on their ID card, what matters is that you can.

Of course, Phorm / Romtelecom is not the only problem; at European level Google has already been fined for mapping wireless networks, and Facebook is already in the spotlight … http://www.identityblog.com/?p=1201

@Avocata …

As a citizen of Romania, a taxpayer who sees no return on that investment, I expect the government to guard my personal interests.

That is why I expect the Romanian government to forbid me from selling myself as a slave, to forbid me from selling my organs, and to protect me if I borrow from loan sharks, even if I did it to myself knowing full well what awaits me.

In other countries data protection laws are taken very seriously. And if Phorm had problems in England, where there are surveillance cameras on every street corner, it seems absurd to me that we should be the fools who bend over and accept anything without question.

19/10/11 @ 13:15
Comment from: Keith [Visitor]  

It is my opinion that Romtelecom have presented their case to ANSPDCP for the system on the basis of 677/2001, processing of personal data, whereby unilateral consent to such a process is sufficient. This is evident from their statement here and the policies presented on the associated web pages.

I note that elsewhere Romtelecom state that they obtained approval for this from ANSPDCP.

It is my belief that in those discussions with ANSPDCP they deliberately failed to mention the involvement of Phorm and the use of Deep Packet Inspection, DPI, to perform ‘interception of communications’ which would be likely to be illegal under 506/2004.

If they would have done then it is likely that ANSPDCP would have refused the operation.

I would suggest that Romtelecom have acted to deceive ANSPDCP.

Given they claim to have been given approval by ANSPDCP it seems strange that ANSPDCP has decided to investigate further.

In response to my initial ‘warning’ that Romania/Romtelecom were likely to be a ‘target’ prior to the announcements by the companies concerned.

“No. 23059/27.09.2011

Dear Sir,

Referring to your requests submitted via e-mail and registered at the National Supervisory Authority for Personal Data Processing under no. 22098 of the 16th September 2011 and respectively no. 22239 of the 19th September 2011, we would like to inform you that until this date no processing of personal data carried out by the American company Phorm on Romanian territory has been brought to our attention.

Thank you for the interest shown with regard to the field of personal data protection.

Head of Complaints’ Dept.,”

ANSPDCP appears to be unaware of Phorm’s involvement.

In my response to my formal request for suspension of operations and an investigation.

“No. 25411/13.10.2011

Dear Sir,

Referring to your request submitted via e-mail and registered under no. 24942/10.10.2011, in which you request the investigation and suspension of the operations carried out by Phorm in collaboration with Romtelecom in connection with the use of the My Clicknet service to process personal data of Romtelecom’s internet users with the purpose of behavioural advertising, we would like to inform you of the following:

The verification of the announcement posted on Romtelecom’s web site to which you make reference reveals no information in connection to the Phorm Company related to Romtelecom SA providing of the My Clicknet service.

However, the National Supervisory Authority for Personal Data Processing will carry out an investigation in relation to this service provided by Romtelecom SA, within the limits of its competencies.

We hereby reply to your petitions, submitted via e-mail, registered under no. 24379/04.10.2011, 24501/05.10.2011, 24773/07.10.2011, 24945/10.10.2011, 24946/10.10.2011, 25105/11.10.2011. We would like to mention that any further petition from your part, with the same content, will be filed away in accordance with article 10 paragraph (2) of Government’s Ordinance no. 27/2002.

Thank you for your understanding.

Head of Complaints’ Dept.,”

Again, apparently, ANSPDCP has no knowledge of Phorm’s involvement, relevant information was linked. However Romtelecom appears to claim approval for the operation from ANSPDCP.

Once again I have to assume that Romtelecom have misled ANSPDCP by withholding this and other information from that authority.

Thank you

19/10/11 @ 15:52
Comment from: Florin Grozea [Visitor]
5 stars

Extraordinary! Just half an hour ago I clicked ’No, I don't want optimised internet’ :-)

Congratulations on this article, Bogdan!

19/10/11 @ 19:00
Comment from: Keith [Visitor]  

I have a website that sells ‘Russian Dolls’.

It is a family business with local employees producing our own designs.

I respect those who work for me.

They are artisans.

Romtelecom/Phorm watches you visiting my website and steals my customers.

19/10/11 @ 20:33
Comment from: Keith [Visitor]

MyClicknet is based on ‘free’ news feeds you can find for yourself.

http://www.overkill.talktalk.net/yahoo

19/10/11 @ 20:37
Comment from: [Member]

@Keith
There is a mistake there - it is the DPA they’ve asked not ANCOM, which is not competent.

Also the DPA can’t give an approval here, maybe an advice and that is based on what info is presented to them. In any case, it appears that the DPA will investigate the case only after 29.10, when they finish moving into a new HQ.

19/10/11 @ 22:42
Comment from: Keith [Visitor]  

@Bogdan

Understood.

You may be interested to know that ANSPDCP will be including Phorm in their investigations.

http://myclicknet.romtelecom.ro/privacy

Item 1) states that Romtelecom is the registered data processor. I doubt that Phorm is similarly registered.

“No. 26180/18.10.2011

Dear Sir,

Referring to your recent requests submitted via e-mail and registered under no. 25653/14.10.2011, no. 25953/18.10.2011, no. 25954/18.10.2011, in which you restate the same issues brought to our attention in your previous letters no. 23059/27.09.2011 and no. 25411/13.10.2011, we reaffirm that our institution has taken note of the issues you have mentioned and will carry out an investigation in relation to the service provided by Romtelecom SA within the limits of its legal competence.

Within this investigation verifications will also be carried out as to the extent in which Phorm Advertising & Company SRL is involved in this processing of personal data.

We would like to mention that any further petition from your part with the same content will be filed away in accordance with the provisions of article 10 paragraph (2) of Government’s Ordinance no. 27/2002.

Thank you for your understanding.

Head of Complaints’ Dept.,”

I should note that the majority of my ‘complaints’ are based around ‘interception of communications’ and 506/2004.

20/10/11 @ 08:57
Comment from: anamarenna [Visitor]
3 stars

Can someone tell me whether /why/ I could no longer use either proxies, hidemyass for example, or a VPN, if I don't want to be “tracked”? With thanks.

20/10/11 @ 16:29
Comment from: Keith [Visitor]  

@anamarenna

Unfortunately probably not,

http://img836.imageshack.us/img836/3048/dpisetup.png

It lives in your ISP (120/112) between you (110) and the internet (130)

http://www.overkill.talktalk.net/huaweiphorm

An encrypted VPN may work otherwise you have to use the ‘network level opt-out’ and ‘trust them’.

20/10/11 @ 17:05
Comment from: Andrei [Visitor]

I don't understand why it would be interception. RTC has access to that data precisely in its capacity as an ISP.

21/10/11 @ 15:45
Comment from: Just Me [Visitor]

Interesting thing: within the MApN there has been an order since around 2007, still in force, which mandates the exclusive use of Romtelecom as ISP for military units; the clicknet adsl service is usually used for this.

I wonder why MApN, STS and/or SRI have not yet reacted to this wholesale interception of communications.

22/10/11 @ 00:41
Comment from: mADSLug [Visitor]
5 stars

Two more articles which you may find useful to support your arguments.

http://www.fipr.org/0811SCLarticle.pdf - legal analysis

http://www.reed.com/dpr/docs/Papers/ReedDPIHearing.pdf - on the overall functioning and security of the web, as presented to the US Congress hearing of July 2008 by Dr. David P. Reed. Written in simple terms which explains in some detail why such systems should not be allowed anywhere on the network used to process Internet traffic.

24/10/11 @ 10:48
Comment from: Keith [Visitor]  

http://m1ha1.blogspot.com/2011/10/din-nou-romtelecom-ma-redirecteaza-spre.html

Law 506/2004 Article 12) Unsolicited Communications.

27/10/11 @ 20:31
Comment from: romania inedit [Visitor]  
5 stars

From what I too have read, Romtelecom launched MyClicknet taking advantage of users' lack of knowledge and misleads them when it presents this service, because Romtelecom should declare what exactly Romtelecom's traffic interception service does and how Romtelecom knows which topics are of real interest to you so that you save time spent online by going straight to the information you are looking for.
I am glad someone was found to write about this.

28/10/11 @ 21:27
Comment from: Stenson [Visitor]
5 stars

Be ready my Romanian friends.

Be ready for the backlash.

Phorm does not like those who complain about it. Phorm does not like people who say Phorm is wrong.

MyClicknet is BT Webwise in Romania.

Phorm in Romania is no different from Phorm in the UK.

Phorm will seek to discredit anyone who says they do wrong but wrong, Phorm does do!

Google my friends, google these…

Try: “stopphoulplay”
Try: “Kent Ertugrul”

And try Wikipedia for “Phorm” and translate.

You must work on this, if you value privacy and secure communication with others.

Do not allow Kent Ertugrul to make money from you.

05/11/11 @ 18:53
Comment from: Numa Io [Visitor]

What I don't understand is why 100-200-300-1000-2000 users of this service don't get together, organise themselves nicely and all sue Romtelecom. They could make good money …

05/11/11 @ 21:21
Comment from: Keith [Visitor]  

Dephormation 4.0 available

Download

https://www.dephormation.org.uk/index.php?page=2

Release Notes

https://www.dephormation.org.uk/index.php?page=19

“Phorm are currently hi-jacking browser image requests to perform parasitic tracking. This will be addressed shortly.”

These are 307 redirects whereby picture requests and perhaps requests for other content on any web page will suffer interception and redirection to Phorm’s servers in the UK to check for and the status of the Phorm cookie.

This will be happening for Romtelecom users irrespective of whether the system is available to them or even if they have stated they do not want their browsing interfered with.

10/11/11 @ 12:14
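The 307 redirects of image requests described in the comment above can be looked for in a list of HTTP transactions exported from a browser or proxy. The following is an added example, not part of the thread and not code from Dephormation or any party named here; the record layout, the function names and every host in the sample are constructed assumptions.

```python
from urllib.parse import urlsplit

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico")

# Constructed sample records (not captured traffic):
# (request URL, HTTP status, Location header or None)
SAMPLE = [
    ("http://news.example/img/logo.png", 200, None),
    ("http://news.example/img/banner.jpg", 307,
     "http://tracker.example/check?u=http%3A%2F%2Fnews.example%2Fimg%2Fbanner.jpg"),
    ("http://news.example/old.gif", 307, "http://news.example/new.gif"),
    ("http://shop.example/cart", 307, "http://login.example/"),
    ("http://news.example/pic.jpeg?x=1", 307, "/img/pic.jpeg"),
]


def is_image_request(url):
    """True when the URL path (query string ignored) ends in an image extension."""
    return urlsplit(url).path.lower().endswith(IMAGE_EXTS)


def suspicious_redirects(records):
    """Return (request URL, redirect host) for image requests that were
    answered with a 307 pointing at a different host."""
    hits = []
    for url, status, location in records:
        if status != 307 or not location or not is_image_request(url):
            continue
        req_host = urlsplit(url).hostname
        # A relative Location value stays on the requesting host.
        dest_host = urlsplit(location).hostname or req_host
        if dest_host != req_host:
            hits.append((url, dest_host))
    return hits


if __name__ == "__main__":
    for url, host in suspicious_redirects(SAMPLE):
        print(f"{url} -> redirected to {host}")
```

Cross-host redirects of images also happen for ordinary reasons such as content delivery networks, so a hit is a prompt to look at the destination host, not proof of interception.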
Comment from: Florin [Visitor]
5 stars

So, in the end, what's the latest? Will Romtelecom continue this dirty trick with Phorm? I haven't caught any trace of DNS hijacking related to this, apart from the usual one, of course, when you enter a non-existent URL. At least so far. :) I hope my wife hasn't already clicked accept, being a non-technical person. Or does it no longer matter whether you accept or refuse, they intercept your traffic anyway?

25/11/11 @ 11:12
Comment from: Cristi [Visitor]
5 stars

Installing DPI (deep packet inspection) filters in collaboration with Phorm brings the user nothing but a “delay” in traffic (the extraction takes time!!); even if you have opted out, you will still be “personalised” (analysed). There are no similar services at Ote Greece or Deutsche Telekom (which has 30% of Ote Greece). The legislative vacuum and the fact that we are a “banana republic” allow them to do this.
I asked about this on Facebook too; the comments were deleted, as were the replies from people in the UK. So I have chosen not to be “personalised” any more; after the holidays I am porting my number.

29/11/11 @ 16:29
Comment from: Keith [Visitor]

Bogdan

Do you have any information as to how the investigation by ANSPDCP is progressing on this matter?

Thank you

Keith

16/12/11 @ 16:42
Comment from: Florin [Visitor]

Is nobody posting a summary of what happened?

26/01/13 @ 03:14



Legal blog of Bogdan Manolea, with information on legislation, case law, articles and news related to the field of Information Technology Law in Romania and abroad.
