« Strikeout | Main | Techitics »

Phormal ware

In the last ten days or so a stormlet has broken out about the announcement that BT, Carphone Warehouse, and TalkTalk, who jointly cover about 70 percent of British Internet subscribers, have signed up for a new advertising service. The supplier, Phorm (previously, 121Media), has developed Open Internet Exchange (OIX), a platform to serve up "relevant" ads to ISPs' customers. Ad agencies and Web sites also sign up to the service which, according to Phorm's FAQ, can serve up ads to any Web site "in the regular places the website shows ads". Partners include most British national newspapers, iVillage, and MGM OMD.

A brief chat with BT revealed that the service, known to consumers as Webwise, will apply only to BT's retail customers, not its wholesale division. Consumers will be able to opt out, and BT is planning an educational exercise to explain the service.

Obviously all concerned hope Webwise will be acceptable to consumers, but to make it a little more palatable, not signing out of it gets you warnings if you land on suspected phishing sites. I don't think improved security should, ethically, be tied to a person's ad-friendliness, but this is the world we live in.

"We've done extensive research with our customer base," says BT's spokesman, "and it's very clear that when customers know what is happening they're overwhelmingly in favor of it, particularly in terms of added security."

But the Net folk are suspicious folk, and words like "spyware" and "adware" are circling, partly because Phorm's precursor, 121Media, was blocked by Symantec and F-Secure as spyware. Plus, The Register discovered that BT had been sharing data with Phorm as long ag as last summer, and, apparently, lying about it.

Phorm's PR did not reply to a request for an interview, but a spokeswoman contacted briefly last week defended the company. "We are absolutely not and in no way an adware product at all."

The overlooked aspect: Phorm called in Privacy International's new commercial arm, 80/20, to examine its system.

PI's executive director, Simon Davies, one of the examiners, says, "Phorm has done its very best to eliminate and minimise the use of personal information and build privacy into the core of the technology. In that sense, it's a privacy-friendly technology, but that does not get us away from the intrusion aspect." In general, the principle is that ads shouldn't be served on an opt-out basis; users should have to opt in to receive them.

Tailoring advertising to the clickstream of user interests is of course endemic online now; it's how Google does AdSense, and it's why that company bought DoubleClick, which more or less invented the business of building up user profiles to create personalized ads. Phorm's service, however, does not build user profiles.

A cookie with a unique ID is stored on the user's system - but does not associate that ID with an individual or the computer it's stored on. Say you're browsing car sites like Ford and Nissan. The ISP does not give Phorm personally identifiable information like IP addresses, but does share the information that the computer this cookie is on is looking at car sites right now. OIX serves up car ads. The service ignores niche sites, secure sites (HTTPS), and low-traffic sites. Firewalling between Phorm and the ISP means that the ISP doesn't know and can't deduce the information that the OIX platform knows about what ads are being served. Nothing is stored to create a profile. Phorm instead offers advertisers instead is the knowledge that they are serving ads that reflect users' interests in real time.

The difference to Davies is that Google, which came last in Privacy International's privacy rankings, stores search histories and browsing data and ties them to personal identifiers, primarily login IDs and IP addresses. (Next month, the Article 29 Group will report its opinion as to whether IP addresses are personal information, so we will know better then which way the cookie crumbles.)

"The potential to develop a profile covertly is extremely limited, if not eliminated," says Davies.

Phorm itself says, "We really think what our stuff does dispells the myth that in order to provide relevance you have to store data."

I hate advertising as much as the next six people. But most ISPs are operating on razor-thin margins if they make money at all, and they're looking at continuously increasing demand for bandwidth. That demand can only get worse as consumers flock to the iPlayer and other sources of streaming video. The pressure on pricing is steadily downward with people like TalkTalk and O2 offering free or extremely cheap broadband as an add-on to mobile phone accounts. Meanwhile, the advertising revenues go to everyone but them. Is it surprising that they'd leap at this? Analysts estimate that BT will pick up £85 million in the first year. Nice if you can get it.

We all want low-cost broadband and free content. None of us wants ads. How exactly do we propose all this free stuff is going to be paid for?

As for Phorm, it's going to take a lot to make some users trust them. I'd say, though, that the jury is still out. Sometimes people do learn from past mistakes.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).


TrackBack URL for this entry:

Listed below are links to weblogs that reference Phormal ware:

» Uninformed consent from net.wars
Apparently the US Congress is now being scripted by Jon Stewart of the Daily Show. In a twist of perfect irony, the House of Representatives has decided to hold its first closed session in 25 years to debate - surveillance.... [Read More]


Re Phorm and their claimed endorsement from Privacy International


"We have been pushing for Phorm to remove this content for quite some
time now. PI does not work for companies, nor do we endorse products.
Two of PI's staff members, in a private venture, advised Phorm of the
serious risks that their technology raised. We are pushing for Phorm
to disclose this risk assessment.
To avoid any conflict of interest, we have notified our Trustees and
International Advisory Board of this activity.

The reality is that PI's accounts are so weak that we must often fund
ourselves through other ventures."

Some clarity here:

Simon Davies, MD of 80/20 Thinking, a privacy consultancy, conducted a Privacy Impact Assessment into Phorm's technology, systems and practices. Simon is a thirty year veteran of privacy advocacy and a Director of Privacy International.

He and a colleague from the London School of Economics, Gus Hosein, conducted the PIA and concluded:

"In our view, Phorm has implemented privacy as a key design component in the development of its system. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.”

Best wishes, Comms Team

Yes. I was a little unclear exactly how to characterize the relationship between 80/20 and PI. 80/20 is a commercial organization run by a few of the same people who run PI. The two are separate.


Simon Davis is also quoted as saying "we won’t as PI support any system that works on an opt-out basis."

Currently the only effective way to comprehensively and permanently opt out of Phorm is to leave any ISP that starts Phorming its customers.

Phorms cookie based opt out is demonstrably ineffective as a privacy/security protection measure.

To be effective, every computer, every user, every http application must be configured to present an opt out cookie. And when the cookie is deleted, or expires, it must be reinstated immediately to remain opted out.

Is that what anyone really thinks is a smart plan?

My own version of opting out is to subscribe to an ISP who is not involved in the scheme. AIUI Carphone Warehouse has now promised Phorm will be opt-in only.

80/20s interim privacy impact assessment, which is now available via Phorm's site, is worth a read - it predicts most, if not all, of the controversy about this.


Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)