Time to make SSL the standard rather than the exception
A gem from the audit by Ernst & Young:
"If a user deletes their opt-out cookie, then the co-opt status, which is contained in the cookie, is lost, and the user will be opted-back into the Phorm Service."
Let me get this straight: I'm subscribed by default *unless* I keep a specific cookie in my web-browser?
And how is it, pray tell, that my browser will know to include said cookie with *every* outgoing URL request, unless it's completely domain-unrestriced. In which case said cookie can be used to track me by all and sundry across the internet?
I see nothing about Phorm stripping this cookie out from my traffic as it leaves the ISP.
(Ironically, Phorm state that they use a cookie as part of the opt-out process, so my opt-out'ness can follow me around the countryside: "to ensure that such opt-out is effective no matter where the user should take his or her computer and is in other ways more protective of a user's identity". Gasp splutter on that last bit).