Phorm might be onto something
February 29 Mike Butcher

Since behavioural targeting company Phorm launched recently I’ve looked at the ins and outs of the system and it does look pretty interesting. Phorm is basically an add-on service for an ISP which looks at all your web surfing and attaches an anonymous cookie to your machine. ISPs trying to target advertising based on this packet data appeared way back in the first dotcom boom, but no-one could make it work. Phorm uses a technology called ‘deep packet inspection boxes’ to track EVERY website you visit. Normal cookies are tied to just the one web site they came from, or to the ad network, like DoubleClick’s. Phorm’s cookie looks at all of them - with some exceptions, like banks - and collects information on browser type, response to advertising, the URLs of some of the web pages viewed and search terms entered. Where the Phorm cookie sees a page with a Phorm advert tag on it, it serves an ad. So it wouldn’t, say, put an advert on the BBC web site, because the BBC wouldn’t have put the Phorm tag into the page.
But despite this sounding like a privacy nightmare, the Phorm cookie is given a randomly generated ID number attached to a nameless profile of the categories of sites a user appears to be interested in. This profile is then matched against advertisers to target ads at that user, whose actual identity (email addresses, surnames, street addresses etc.) is not known. What information they do have - which is just the surfing habits of that PC - gets deleted after a few hours. Phorm’s privacy claims have been approved by Ernst & Young and Privacy International. The cookie doesn’t track you on SSL sites or forms you fill in. Of course, data is only as secure as the companies that keep it - and it’s possible to de-anonymise data. Phorm says it wouldn’t mix surfing data with, say, an ISP’s billing data on users.
Phorm’s system also alerts users to a list of blacklisted sites, in a scheme called Webwise. This is the carrot to keep people from switching off the Phorm cookie, which they are given access to and told is watching them.
Phorm has so far launched in the UK with BT, TalkTalk and Virgin Media. The Phorm cookie also recognises publishers signed up to Phorm’s ad system; the partners for that are FT.com, iVillage, Universal McCann, MGM OMD and Unanimis.


Comments
February 29th, 2008 at 4:07 pm
So - the value of a user to an ISP is what they do when they are NOT on the ISP’s website? I can see why non-specialist sites would use this technology, as it would boost their flagging CPMs. But sites that sit in a vertical shouldn’t touch this as it devalues their users.
Example: TalkTalk know that user X has been to an expert consumer electronics review site (which no doubt has/should have a premium CPM). On that basis TalkTalk - and any other sites in the Phorm network - get to serve an ad based on that knowledge. That is, they parasitically feed off the hard work that other sites put into developing vertical propositions.
This has no value if the specialist categories don’t sign up. And they’d be mad if they did, as it will only dilute their value.
This is asking non-ISPs to solve the ISP’s problem - generalism. I can understand why most of the sites listed above joined up, but the FT? Are they out of their strategic minds?
February 29th, 2008 at 5:50 pm
The problem is that ISPs should not be using any of our traffic data for targeting ads - I sign up with my ISP to move my bits around, not to watch what I’m doing. Breaking this division between carrier and content observer is dangerous and, to me, completely unacceptable. I don’t want to turn off the Phorm cookie - I do not want my ISP doing deep packet inspection.
And I don’t trust the people behind it - like Kent Ertegrul of spyware company PeopleOnPage: see http://www.p2pnet.net/story/15061
February 29th, 2008 at 5:58 pm
They could make this an opt-in service in combination with cheaper Internet access.
I still wouldn’t take it, but I am sure many people would.
February 29th, 2008 at 6:04 pm
So the conspiracy theorists believe that Ernst & Young and Privacy International are lying when they confirm the anonymity behind that system?? And Martians are reading my mail….
In theory this system should enable ISPs to offer fast speeds for zero cost as it will be subsidized by advertising.
February 29th, 2008 at 6:19 pm
With my ‘will this company create market value’ hat on: Having looked at their documentation I can’t see a lot of difference between what they do and what a site which I can give my ID to by registering can then do once it has linked its cookie with my registration data. Phorm’s pitch is that it doesn’t even know who the ISP customer IS. Plus you can switch off the cookie with no degradation to the ISP service.
With my ‘will this company be evil’ hat on: Yes, there is no perfect system and if my ISP billing data could be linked to the Phorm cookie… well there you go.
90’s doctommer - I like your point. In theory, the vertical site could tag up its pages to activate the Phorm cookie and see if it improved its CPM etc. Hell, if a site made more cash, what’s the issue?
February 29th, 2008 at 7:34 pm
Bill
You’re naive if you want to think that any large ISP won’t do DPI - for the sake of knowing what is going on within their network they’re bound to.
H
February 29th, 2008 at 8:07 pm
The Ernst and Young report addresses process, not implementation, and is in places technically illiterate. Phorm was spyware company 121, producers of the apropos rootkit and allied scumcode.
BT, VirginMedia and TalkTalk have really sold the pass on this one. The marketing bullshit they’ve come up with to promote it is truly truly nauseating.
February 29th, 2008 at 8:31 pm
If my ISP railroads me into this they can kiss my custom goodbye - I don’t like the insidious way in which this is getting rolled out, BT simply dumped some users onto it without even asking them and Virgin Media has made a small tweak to their T’s n C’s.
This is certainly something that should be opt-in so that those who don’t care can sign up to, it shouldn’t be an opt-out system.
This is also a business practice that appears to break many UK and EU laws relating to privacy, RIPA and the DPA.
This company is very murky and their data stream interception isn’t clear as to how it handles opt-outs - by the look of things it could well be processing your web traffic and then declining the advertising.
It’s causing a shitstorm over at the register, http://www.theregister.co.uk/2008/02/29/phorm_roundup/
A word from one of the many network admins - if your ISP picks this up, drop them as soon as you can.
Simply put, do. not. want.
February 29th, 2008 at 8:38 pm
oh, small note - it’s only port 80 that it is tracking.. which is where the “your net banking isn’t tracked” claim is made, yet it will still get the bank websites you visit if you go to their normal http site rather than their SSL one.
February 29th, 2008 at 8:40 pm
argh.. forgot to mention, the software they’re using was developed by Lebedev Institute and it’s interesting that their OIX servers (the ones that actually hold the advertising categories) are hosted in china.
Hardly groups known for their admiration of a person’s right to privacy.
March 1st, 2008 at 5:05 pm
Down to the purpose of it all, how much use is targeted advertising anyway? You search for new computer, broadband supplier & mobile, purchase & do contract. Next I suppose you’ll get all the ads for them?
March 2nd, 2008 at 9:49 am
I’ve studied this and came to the conclusion that there’s no watertight way to prevent “de-anonymizing” the anonymous tracking ID. Phorm claims to take steps to anonymize the data stream before it reaches their “Profiler”, however the anonymizer just removes obvious email addresses, strings of digits etc. The last time I looked, my name didn’t have a string of digits in and it appears in plain text each time I visit Facebook and update my profile. This could render the system illegal under Data Protection legislation.
Furthermore, from what I can see, UK law is clear. The Regulation of Investigatory Powers Act makes it a criminal offence for unauthorised agencies to intercept private communications. The ISP is routing traffic via a third-party system in order to profile data. This is not a function required to facilitate routing of data, therefore is an intercept, and could well be deemed unlawful if a case ever came to court.
Thirdly, because people by default are opted in, it could fall foul of the Human Rights Act, under the right to a private life. Consider this - a couple use a common computer. One partner spends some time researching weddings and engagement rings, and suddenly the game is given away when the other partner starts getting bombarded with wedding-related adverts. Just log into Facebook today and change your status to “engaged” and you will suddenly be bombarded with adverts for weddings, loans and rings.
Finally, trade secrets could be gleaned from this potentially unlawful intercept of data. I run a business, we need to do some background research on a new business we’re launching - groundbreaking stuff, very hush hush. A company trading in the information game is tapping my internet connection, the secret is out already!
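The two technical claims that recur in these comments, that the box only inspects port 80 (so a bank’s plain-http pages are still read) and that a pattern-based anonymiser which strips emails and digit runs leaves a plain-text name untouched, modelled as an added Python check. This is not Phorm’s code; the regex stand-ins, the domains and the traffic sample are constructed assumptions, written from the point of view of someone evaluating how much a scrubber of that kind actually removes.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: the anonymiser is a pattern scrubber that drops obvious e-mail
# addresses and runs of digits (the behaviour the comment describes). The real
# patterns are not on the page, so these two are stand-ins.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DIGITS_RE = re.compile(r"\d{4,}")


def inspected_by_port80_dpi(url: str) -> bool:
    """A tap on port 80 reads plain-http requests, a bank's non-SSL pages
    included; https on 443 and any other port passes through unread."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.port in (None, 80)


def scrub(payload: str) -> str:
    """Decode the form body, then remove e-mails and digit runs. Free-text
    values such as first and last names are left exactly as sent."""
    text = unquote_plus(payload)
    text = EMAIL_RE.sub("[email]", text)
    return DIGITS_RE.sub("[digits]", text)


def residual_identifiers(scrubbed: str, identifiers: list) -> list:
    """Known identifiers that survive scrubbing; any hit is residual
    de-anonymisation risk the scrubber did not address."""
    low = scrubbed.lower()
    return [i for i in identifiers if i.lower() in low]


# Constructed traffic sample (not a real capture): a few requests from one
# subscriber's browser, with .test domains that resolve nowhere.
TRAFFIC = [
    ("https://online.examplebank.test/login", "user=alice&pin=1234"),
    ("http://www.examplebank.test/mortgages", ""),
    ("http://social.example.test/profile/update",
     "first_name=Alice&last_name=Smith&email=alice.smith%40example.test"
     "&phone=07700900123&status=engaged"),
]
# Identifiers the subscriber would not want linked to the tracking ID.
KNOWN = ["alice", "smith", "alice.smith@example.test", "07700900123"]


def profile_view(traffic=TRAFFIC, known=KNOWN):
    """For each request the tap can read, return the scrubbed text the
    profiler would receive and which known identifiers still leak through."""
    out = []
    for url, body in traffic:
        if not inspected_by_port80_dpi(url):
            continue  # SSL login: genuinely invisible to a port-80 tap
        scrubbed = scrub(f"{url} {body}".strip())
        out.append((url, scrubbed, residual_identifiers(scrubbed, known)))
    return out


if __name__ == "__main__":
    for url, scrubbed, leaks in profile_view():
        print(url, "->", scrubbed, "| leaks:", leaks)
```

The https login never reaches the profiler, but the bank’s plain-http mortgage page does, and the profile update still carries the name after the email and phone number are gone.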
March 2nd, 2008 at 12:58 pm
Great as the idea may sound on first hearing it (at least if you’re an ISP) a moment’s thought should show just how flawed the concept really is, not least because of how many laws it’s going to break. Generally speaking, a business model that’s based on pretending that what you do is legal when it’s not is likely to under-perform, long term.
If I was holding Phorm stock, I’d get out now while there’s still time and a few suckers still think this is going to work. If it ever starts rolling it’s going to be hit with the biggest wall of litigation from angry users the ISP business has ever seen. I wouldn’t want to be holding the baby at that point.
March 3rd, 2008 at 12:55 pm
Mike - to come back at your comment:
>>In theory, the vertical site could tag up its pages to activate the Phorm cookie and see if it improved it’s CPM etc. Hell, if a site made more cash, what’s the issue?
The vertical site will not risk its premium CPM by belonging to the Phorm network in the first place. What does the FT have to gain? That its users also look at car websites, i.e. they want to bolster revenue from non-endemic advertisers? That’s strategic desperation: the FT have long had an excellent sales team and the sell is firstly contextual (you get the right people looking at FT content by its very nature), secondly demographic (we have vast numbers of affluent individuals) and thirdly one of alignment (is your brand the FT of its sector?). This brand has way too much equity to have to rely on “and 20% of our advertisers also look at car websites within 48 hours of an FT visit”.
This solution is one for non-content brands. If you are a content publisher within a specific vertical, you should run so far in the opposite direction to this dumb idea.
March 3rd, 2008 at 12:59 pm
This is a deeply flawed and insidious idea.
Let’s start with Phorm themselves. The company has a history that goes back to hacking, phishing and other illegal activities. Even the name Phorm (‘Form’ with a hacker-ish ‘Ph’) smacks of Phishing.
They are based in the US, but many of the servers that process the data are based in China. If they are legit, why would they do that?
Second - RIPA
Intervention in electronic communications in this way is illegal in the UK.
Third - DPA
This is not the same as signing up to Google mail and having them put adverts on the Gmail web page. That is done with your choice. Instead, Phorm will analyse ALL your http web traffic, which does include plenty of personal data. The opt-out cookie (there’s no opt-in cookie - you are ALL opted in, like it or not) is inspected quite late on during the process, by which time they already have your data and you have to trust that a company with all the baggage I described above would then delete your data because you have an opt-out cookie. What happens when the cookie gets deleted, or you use another browser (you’ve rebuilt your PC, for example)? Unless you go through whatever opt-out process they make available again, you’ve just been opted back in again.
All the data is anonymised? Really? How do they decide which bits of a page with your personal details on it are personal or not?
And ask yourself this: What is the point of the exercise if all the data is anonymised if the purpose of the exercise is to direct targeted adverts at you? If they don’t know who you are, you can’t be identified on other sites, nor can they provide any measurement of how successful this all is.
Of course, there is an alternative to displaying adverts on other sites targeted at you - and that is to add the adverts back into your HTML stream coming back from the server - amend the page you’ve requested.
For all you on this site (including the author of this article) who think this is a good idea, think again. I for one will be leaving Virgin Media because of this.
March 3rd, 2008 at 2:04 pm
So Mike
Are you going to write an opinion piece on what a bad idea this is?
March 3rd, 2008 at 2:10 pm
Hi everyone - I’ve asked Phorm’s people to come back to answer these specific points either through me or by posting a comment. So we’ll see what they have to say I guess.
March 3rd, 2008 at 3:06 pm
Mike,
Watch out for lots of marketing speak selling the scheme’s ‘bonuses’ such as a phishing website filter, a complete lack of technical detail and the skirting of any privacy issues.
March 3rd, 2008 at 5:54 pm
If you’re using Firefox, load this add-in which should screw up some of the info Phorm is trying to get from you.
http://mrl.nyu.edu/~dhowe/trackmenot/
Copied from From Mao on URL
http://www.virtualnorwood.com/forum/index.php?showtopic=5646
March 4th, 2008 at 6:41 pm
The register is still giving good coverage over this story
http://www.theregister.co.uk/2008/03/04/phorm_ripa/
I have contacted my ISP and given them a “if you implement this I’m off and I’m also warning as many people about this abuse of privacy, so expect a wave of people leaving your service” warning.
March 4th, 2008 at 7:12 pm
adam: BT are already taking this line
“when the majority of customers are informed about the security benefits of BT Webwise, they are happy to continue using it.”
BT and Virgin Media are being extremely shady about the whole sordid affair.
I, for one, look forward to the inevitable lawsuits that will ensue
March 4th, 2008 at 9:13 pm
Onto something!, I certainly hope not. The very idea that my ISP will forward the details of everything I browse to a third party horrifies me. Sure, there are the obvious ‘What about my naughty sites’ fears, but I’m more concerned about legit reasons as to why this should not be done. For example, I recently had a rather embarrassing medical condition and used the Internet to research an operation I needed to have done. I would not want the details of what I was searching for, or the web pages passed to a third party.
Surely the ISP’s have a duty of care when it comes to customers data. To be honest, even if the claims that it is completely private were true I would still have grave concerns about this. The problem is that I simply do not believe them, my limited understanding of the technology is that it intercepts your data, processes it, profiles it and then writes back to a cookie on your machine. If it writes back to your machine, then surely by definition it knows who you are, or at least what your computer is, I see this as meaning I am indeed uniquely identifiable.
The whole opt out scheme is even clouded in mystery, requiring the user to visit a website and click to opt out which writes a cookie, but does this stop the data intercepts and processing ? or does it just simply stop the advert targeting ? The whole thing is too vague and sinister for my liking.
I’m glad to see I’m not the only person with a deep dislike and mistrust of this technology as the following petition on 10 Downing Streets website shows:
http://petitions.pm.gov.uk/ispphorm/
March 5th, 2008 at 2:16 pm
I’ve been following this story on various websites and there are a couple of points that I think need to be brought up here too.
1) If the scheme is Opt-in/Opt-out or whatever, you need to have informed BT or TalkTalk or your provider that this is the case so that when your browser’s first request for a page gets diverted to Phorm’s system it knows that you don’t want their ‘targeted’ ads. NOTE: the opt-out does not opt you out of having your web traffic monitored, it simply stops them putting a cookie on your machine. YOU STILL NEED TO BE IDENTIFIED FOR THIS TO HAPPEN.
2) In addition, what happens when you’ve typed your personal details (or search query) into a form and then click ‘send’ or ‘next’? That’s right, it gets diverted to Phorm’s system. They might not be looking at HTTPS traffic but they can certainly look at anything else. What happens to your privacy then?
3) The slight delay caused by your browser’s first page request going to Phorm (more accurately the ACE system) and the host site sending you the page, which is then also diverted, analysed (in order to more accurately target future ads) and possibly has the targeted ad inserted, under normal circumstances would be unnoticeable. What happens during busy periods or when Phorm’s system gets congested?
I’ve worked in Freedom of Information and Data Protection for over 2 years and this for me is possibly the most worrying development I’ve seen.
Now, where’s that petition?
March 5th, 2008 at 3:53 pm
Well, I’m off to go do a video interview with the CEO of Phorm and put these questions to him, so watch the feed for an update later.
March 5th, 2008 at 4:24 pm
Virgin Media users beware, reports of the cookie for “OIX.net” (Phorm’s ad profiling domain) being spotted in the wild by their customers.
And yet, VM claims that they are still “a long way off implementing the system”.
Could this mark the start of Britain’s “web revolt” against our money grabbing ISPs?
This is certainly making me look at my ideas about setting up a public wifi mesh network once again.
March 5th, 2008 at 5:59 pm
Mike, FYI: we’re running a story on this at the Guardian (Charles has been blogging about it over the past week or so)
http://www.guardian.co.uk/technology/2008/mar/05/privacy.internet.phorm
Disclosure: Our ad dept has signed up to use Phorm, though we didn’t know until we started investigating.
March 5th, 2008 at 6:18 pm
@Bobbie Johnson - thanks for the info. I’ve now done a video interview with the CEO and (assuming it encodes properly!) I’ll have it up ASAP. Hard to say if it will answer all the questions put by our commenters, but one can but try. At least you get to see the whites of his eyes (as it were).
March 6th, 2008 at 11:30 am
FYI - The video interview with Phorm is now live here:
http://uk.techcrunch.com/2008/03/06/video-phorm-ceo-rejects-allegations-of-big-brother-tracking/
March 6th, 2008 at 12:59 pm
“redefining online privacy”?
redefining it to non-existent I’m guessing.
Their claims about anti-phishing services are pointless because, unless they have an algorithm to actively catch phishing sites as they come online, then they are stuck with the old method of waiting until the scam is discovered and then adding it to a database - something which many applications already do and you don’t have to sell out your privacy to use them.
Also, what’s to stop them from adding legit sites to “blocked content” should a request to filter them be made (think the great firewall of China here).
There are interesting claims about the ability to throttle back a user’s net speed should they choose the opt-out option.
March 6th, 2008 at 6:16 pm
Kent Ertugrul - Phorm CEO online interview
There’s been quite a lot of interest and discussion following the announcement of the Open Internet Exchange (OIX) and Webwise from Phorm. The company’s CEO, Kent Ertugrul will be available to answer your questions in a live web chat via the Webwise site at http://www.webwise.com/chat on 6 March 2008.
Between 8.30 pm and 9.30 pm tonight, Kent will cover recent announcements from Phorm and give you a chance to ask the founder exactly how Phorm is revolutionising the Internet through more effective anti-fraud technology, more relevant advertising and a new gold standard in privacy. For further information, please visit http://www.webwise.com or http://www.phorm.com.
March 8th, 2008 at 10:20 pm
To PhormUKtechteam
A couple of points,
You are a PR company. Please be open and honest about that fact.
No amount of spin will cover up that this is BAD.
Once a crook, always a crook. In posts to other sites you post that the company was associated with Adware not spyware but forget the history of rootkits.
Remember you can fool some of the people some of the time. But not all of the people will be fooled.
If this system was a good one Phorm would have used a tech company to investigate, not an accountant.
How much money was paid to validate the privacy element? And was an independent free evaluation ever done?
Looking forward to an answer
And to everybody who thinks this is a bad idea sign the petition
http://petitions.pm.gov.uk/ispphorm/
March 12th, 2008 at 7:11 pm
Regarding the post inferring that E&Y have stamped this. Here is what E&Y actually say about the Phorm setup if you care to read it
quote:
Because of inherent limitations in controls, error or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls.
end quote