13 May 2008
There has been a great deal of commotion recently about Phorm, a company that aims to help advertisers better target consumers by monitoring their web browsing habits. At first glance, what Phorm is proposing seems absolutely outrageous and quite possibly illegal under UK data protection laws. Take a closer look, and Phorm’s technology is more subtle than it might appear , but no less dangerous and insidious for all that.
The fuss over Phorm comes from the fact that it is in partnership with three of the UK’s biggest ISPs - BT, Virgin Media and Talk Talk from the Carphone Warehouse - to use its service on their networks. It has also transpired that BT undertook small-scale trials of the technology last year without the consent of the customers involved, and without even bothering to inform them they were being used as guinea pigs.
Many online advertising services already track user behaviour to a certain extent, but most of the legitimate ones do little more than place a cookie onto the computer that is examined every time the user visits a web site serving ads from that company. The ad service therefore gains an idea of which kind of web sites people are visiting, and how often.
The Phorm service has the potential to be much, much more intrusive. It operates by having equipment installed in the ISP’s network that intercepts all web traffic passing along every customer’s broadband connection, and scans through it for key words that can be used to deliver targeted advertising.
The key phrase here is “deep packet inspection”. Phorm sifts through every packet traversing TCP Port 80 and analyses it minutely. The difference between other advert-tracking services and this approach can be likened to the difference between checking which phone numbers someone has called and actually listening in to every word of every conversation.
Not surprisingly, this has many privacy advocates up in arms. To be fair to Phorm, it contends that its service does not store any of the information it analyses, and it claims to operate in a way that does not identify individual users. From my understanding of the system, it generates a profile that is associated with a cookie on a particular user’s computer. When that user visits a web site affiliated with Phorm, adverts are delivered according to this profile.
However, I believe that this technology sets a worrying precedent that intercepting private communications is perfectly acceptable for commercial purposes. And once the facility to intercept traffic exists, who knows what it might be used for in future?
At the moment, there is no suggestion that Phorm might be used to snoop on business traffic, but that doesn’t mean that it won’t affect businesses. If any of your employees work from home with web-based applications, and their broadband is supplied by BT, Virgin Media or Talk Talk, then you are already facing the possibility that your data will be intercepted and analysed by Phorm in the near future.
Phorm thus represents an unacceptable security and privacy risk, and it may even have a negative impact on e-commerce once the wider public learns about it. After all, if you knew for sure that all of your web traffic was being scrutinised, wouldn’t you have second thoughts about entering your credit card or bank details into an online sales form?
And what happens if you are a victim of online fraud and your ISP is one of those signed up with Phorm? Would your bank or credit card company cite this as a risk you should have avoided - and therefore use it as an excuse to deny you compensation?
One thing is for sure - 2008 is already turning out to be a bad year for internet privacy and security.
You say Phorm uses one cookie. Actually, it uses one per domain visited (i.e the website you are actually visiting and every link that your browser chases to build the page you look at). And each of those cookies is phorged by Phorm to look as if it came from the domain in question.
Oh, and each one has your 'private and personal' UID embedded in it, making it trivially easy [1] for every website you visit to tie that up with your IP address.
Something Phorm say they don't do - but here they are, arrranging for every website you visit to be able to do it if they want to.
And it gets worse. Say you opt out. Phorm say that if you opt out, you are 'out 100 per cent'. But they only mean opted out of profiling. Would you believe that Phorm *still* writes a cookie for every domain you visit, even if you think you are opted out?
The only difference is that now the phorged cookies say you are opted out, rather than having the UID.
Funny sort of 'opt-out' though, isn't it?
[1] Phorm will tell you they eat that cookie before the website ever sees it. But this process has loopholes bigger than Berkshire in it, and getting the cookie is easy.
Posted by: Midnight_Voice 14 May 2008
One thing you neglected to mention in your excellent article was the past history of Phorm in spyware and rootkits.
Phorm, in its previous incarnation as 121media, was responsible for one of the nastiest pieces of spyware of 2005 and 2006; the Apropos rootkit. This spyware was a nightmare to uninstall. Just ask anyone who had to do so.
Add that to the fact that Phorm/BT already ran potentially criminally illegal secret trials in 2006 and 2007 without customers knowledge or consent and you have a company with a very nefarious history.
The real question is whether people should trust a company with such a history in spyware to intercept your communications. I don't and I doubt if other readers would if they were fully inphormed (sic) about its history and about the privacy implications.
Posted by: OF1975 13 May 2008
It's not just the user that has the problem. Any website that provides unencrypted page access to logged on users (millions of them) will have those pages scanned by Phorm due to the way Phorm intercepts the data. Google on the other hand cannot see these pages. Many of these pages are restricted for personal/business reasons.
There is no way I know that Phorm can avoid profiling these restricted pages and so the interception must be unlawful.
Posted by: thebarron 13 May 2008
Phorm & BT refuse to answer basic questions needed for any User to make any type of Informed decision.
For Example do BT regard the Master MAC; they are the Telco Company, as part of their Broadband Connection Service. If this is so then it is of no use moving to another ISP with a BT Line!
Also how are phorm planning to protect their UID/cookie from being read & used by Rogue Sites (non HTTP Sites)
The last question affects not only Privacy but fraud & DPA, since the IP address & other data can be linked to an individual user!
Posted by: Nemesis 13 May 2008
Have your say on this article
Newsletters
Latest stories from Privacy
Latest videos
You may also like
Privacy jobs
Technology Patent Wars
Case studies from large organisations across all sectors
... And rich media, and flexible working, and peaks in traffic ...
Upcoming Events
Join us for this Computing web seminar, in which the Head of BI at the Co-operative Group Nick Colebourn will be explaining just how he reigned in the Group’s sprawling database estate and how significant savings were realised and data quality improved as a result.
Date: 31 May 2012
Time: 11:00 AM
Live June 13th 11:00am: Register now. During this web seminar we will be looking at the sorts of incidents that can bring data centres grinding to a halt and what can be done about them.
Date: 13 Jun 2012
Time: 11:00 am
Receive the latest jobs direct to your inbox
Are you being paid what you are worth?
