Phorm Goes On The Offensive To Defend Its Ad Program On Privacy Questions

from the but-do-you-believe-them dept

Last month, we wrote about the plan by a variety of UK-based ISPs to use all of your clickstream data to target ads to you as you surfed. That is, if you were surfing a golf site and then went and checked CNN, the system would still know that you liked golf and might serve up golf ads on CNN. At least that’s the benign version of it. There are some serious questions raised by this. First of all, many people are likely to be uncomfortable with the idea that their ISP is watching what they do and then using it to target ads. Even worse, the company that the ISPs were partnering with to do all of this had previously been known as a spyware firm.

Phorm is now aggressively defending its reputation, insisting once again that it will keep all of the data it collects anonymized. However, while it says this and explains how it will try to anonymize the data, the company fails to address the fact that just about every time a company has tried to create an anonymized data set, it doesn’t take long for someone to de-anonymize it. The company just assumes that it really can keep the data anonymous, when there are serious doubts as to whether or not that’s really possible.

To its credit, the company isn’t ignoring some of the complaints and has just done interviews with both the BBC and The Register to answer some of the concerns raised. Thankfully, both interviews do probe fairly deeply and ask some tough questions, and the Phorm execs answer each question directly. They claim that they were never “spyware” providers, only adware, but admit that the definition got blurred, which was why (they claim) they got out of the business. That sounds good until you look at some of the details about the company’s former products, and the fact that it made a rather nasty rootkit injector.

That said, the execs do answer a bunch of questions about the privacy issues, noting that they’re being audited by two separate firms to ensure they live up to the privacy promises. The clickstream data is immediately deleted and all the profiling is done at the ISP, not by Phorm, who is merely serving up the ads based on the profile kicked back by the ISP. While it’s good to see the execs from Phorm willing to answer these questions, the company’s history and the entire concept of what’s being done still seems rather questionable. Phorm’s insistence that this will actually decrease advertising seems like little consolation (and difficult to believe).

Filed Under: , ,
Companies: phorm

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Phorm Goes On The Offensive To Defend Its Ad Program On Privacy Questions”

Subscribe: RSS Leave a comment
Sam says:

I do not like spam eggs n ham

I would not like being stalked online. I’m sure others would not like it either. Hopefully there will be an ISP that provides a service that does not look over your shoulder.

Assuming they do gather info on surfing habits, exactly how do they intend to target you with the ads? Javascript?

Hopefully they use some method which is easily circumvented. So even if they do gather data, they can be stopped from spamming all over the browser.

Phorm Comms team (user link) says:


Hi Hellsvilla,

I know. It does sound completely counter-intuitive, but.. I’ll have a stab at fleshing the idea out..

What happens online at the moment and one of the things that really gets people’s goat is the flashing-emoticon-smiley-you’ve-won-click-here-punch-the-monkey ads. They are, by definition, untargeted. Those ads have to flash and generally drive you to distraction — literally — to get your attention. They are very very low value, high volume, chuck thousands of them out there and maybe one person will respond. With the OIX, ads are targeted and higher value so there are fewer of them. It’s pile-em-high, sell-em-cheap versus fewer high quality products.

Or, to put it another way (and to try to explain the privacy position), our system works like a distributor of leaflets on the street. The leaflets are for a milliner. The person distributing the leaflets only gives out flyers to people wearing hats. The distributor doesn’t know who the people are (why does he need to know? He just cares that they seem like they like hats) and after he gives them the leaflet, they pass on by and he still doesn’t care who they were or where they go. Advertising online today is like the distributors of London Lite or the London Paper (apologies for the London bias): they simply try to give the paper to anyone and everyone, regardless of who’s interested. It’s not an efficient or effective system.

I hope this makes some sense,if not, apologies..

Best wishes

Comms team

Jake says:


I would be reluctantly okay with this in certain circumstances; it really isn’t that much more sinister or intrusive than Amazon recommending items based on my previous purchases, and so long as they’re not storing data for longer than it takes the ad provider’s server to pick something I might like -or sending it between non-secure servers- then I might just consider this to be an acceptable trade-off between privacy and convenience. Barely.
I would however like to know a bit more about the data they’re using. Is it existing data that accumulates as a by-product of normal server operation, or will it be collected specially? Will there be an opt-out, and what security measures are they taking to ensure that no third parties obtain this information?

Anonymous Coward says:

Re: Hmmm...

Jake: The real question is will it be opt-in. Unless you are like me and love to change settings, this would be better if it were opt-in.

Of course that just reminds me of Linux v Windows. The only argument I see between those two is that Linux is opt-in and Windows is opt-out. But that’s for a different day.

Anyways, this is just bad. I honestly can’t wait till the day everyone gets used to the Internet and everyone has access to it. Then they can turn it into a public utility or better yet like the road system.

They always did call it the Information Super-Highway after all. The way I look at it, if I have to pay money to ‘use’ roads in a part of the county I _never_ go to, others should have to pay money for me to ‘use’ the Internet.

In my area, there are a lot of country roads outside of city limits that the State would have to, in theory, pay for. They break themselves down to counties so the county actually pays for it out of tax money.

Granted I think this tax money actually comes from the Federal Government rather than the State but still. Even as badly as I’m explaining it most people have to see how it makes sense.

Oblonsky says:

Technically flawed...

I’ve studied this and the information released to Ernst and Young is technically flawed but E&Y did not pick up on this. the report states opt-out will be by the precense of a cookie and actually correctly comments that people will be opted back in if this cookie is deleted.

All you techno’s out there will realise that there’s no such thing as a global cookie, or a TLD cross-site cookie. Check out the RFC2965. Simply put, all web browsers will ONLY transmit cookies relevant to the page visited or subdomains thereof the highest domain allowed being one below the TLD.

Phorm are being conveniently evasive about this point, but there is NO work-around for this. The “profiler” as they describe it does receive information about you and there’s no way system infrastructure can be prevented building a profile about you just by the precense of a cookie. Consider that HTTP requests are distributed in parallel and are asynchronous in nature. Even if they illegally injected a hidden iFRAME or Javascript into the stream they would not now for sure for any given page element whether the cookie was present.

Talk Talk, a British ISP, have allegedly responded to this by admitting they’re in discussions about provisions for opt out and ensuring that data is not processed at all when a customer opt-out.

BT and Virgin Media, the other two ISPs, have repeatedly refused requests for interview from reputable news sources. Wake up guys you’re about to introduce an INVASIVE infrastructure into all our systems that could be abused either now or some stage in the future.

Furthermore BOTH privacy endorsements Phorm claimed to have are been ripped apart under scrutiny. The E&Y audit I mention above an what was at first an endorsement from “Privacy International” has turned out to actually be a report which Phorm paid for from 80/20 thinking Ltd, the director of which also works for Privacy International. And one of the report writers, Simon Davies, clearly asserts in interview with the BBC:

Mr Davies said he remained opposed to services which required users to opt out.

He said: “If firms say this “enhances the user experience”, if that is true and users want it, then make it opt in.

This infrastructure, once installed, could be commercially or civilly abused and some point in the future. I’m leaving my ISP and searching for better deals – my ISP get alerted to this. IT’S JUST WRONG.

Phorm Comms team (user link) says:

Re: Technically flawed...

Hi Oblonsky,

Phorm Comms team here. There are a couple of things I can clarify and if you’d like to send more deeply technical questions to we’d be very happy to answer them. I am just a humble comms person and cannot answer some of the cookie questions in the detail you clearly require.

However, I should stress that regarding opt in or out each ISP will decide which one it offers when it launches the service. Either way, there will always be functionality to allow subscribers to opt in our out. Consumers are in control.

Have BT, VM and TT refused interviews? I have seen them quoted I think and certainly BT’s press officer started a thread on its own forums. All the ISPs have been open and engaging with customers and I hope you feel we have too. Again, as I’ve said on other boards, do mail us with questions or join our next webchat or come in and see us.

I am not sure about your comments ref E&Y, too techie for me. However I will clarify the point once more ref Simon Davies that I have articulated across the blogs (including PP, in response to your comment on this subject) on numerous occasions, most recently on netwars:

(Posted by me) Some clarity here:

Simon Davies, MD of 80/20 Thinking, a privacy consultancy, conducted a Privacy Impact Assessment into Phorm’s technology, systems and practices. Simon is a thirty year veteran of privacy advocacy and a Director of Privacy International.

He and a colleague from the London School of Economics, Gus Hosein, conducted the PIA and concluded:

“In our view, Phorm has implemented privacy as a key design component in the development of its system. In particular, Phorm has quite consciously avoided the processing of personally identifiable information.”

Best wishes, Comms Team

Posted by: comms team at phorm | March 8, 2008 4:42 PM

Yes. I was a little unclear exactly how to characterize the relationship between 80/20 and PI. 80/20 is a commercial organization run by a few of the same people who run PI. The two are separate.


Posted by: Registered User Author Profile Page | March 8, 2008 5:46 PM

FYI wg is Wendy Grossman, who works with Simon at Privacy International. Jeez, if she’s confused, no wonder we all are! 😉

It’s an honest mistake and it is confusing Oblonsky, so is there any chance you can stop adding this particular issue to your posts? I will get you tech answers on the rest — promise.

Best wishes

Comms team

PhormUKPRteam (user link) says:

ON behalf of Phorm

Hi all
I work on behalf of Phorm here in the UK. To clarify a few of the points raised about. Firstly, choice is critical to Webwise. If you opt out no data is passed from the ISP to Phorm.

In response to the queries by Jake: there are two distinctly separate processes in the Phorm system: data capture and ad serving. The data capture system only stores one item of information on your computer — a random number. The random number is the only thing that distinguishes your browser from the millions of others on the internet. It does not contain any information about you or your computer. The only person able to make that connection is you, as you have that cookie in your browser.

As you browse your browsing behaviour is matched against pre-defined advertiser categories for everyday products eg travel or sport.

No urls, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time – by the time the page loads. There is, in essence, no data other than the categories and the random number stored in the system and so it’s impossible to know (or indeed reverse engineer from that) who you are or where you’ve been.

In the ad serving phase, when your computer requests an advert from the OIX (because a website has included our tag in their page), the browser sends the random number and the categories are used to deliver the targeted ad, not the details of your browsing, or anything about you or your computer.

Hope this helps
Phorm UK PR team

Curious George says:

Re: ON behalf of Phorm


“The data capture system only stores one item of information on your computer — a random number” … “The only person able to make that connection is you, as you have that cookie in your browser. “

I do not allow cookies. Does this mean I can not opt out of the data capture? Also, the term random number is misused quite often. Just how random is this number?

“it’s impossible to know (or indeed reverse engineer from that) who you are or where you’ve been. “

Other firms have made similar claims only to be proven wrong.

“In the ad serving phase, when your computer requests an advert from the OIX”

How is this request generated and how is it sent? I do not allow the execution of arbitrary website code. Does this mean the targeted ad is not served?

Thanks in advance

Phorm Comms team (user link) says:

Re: Re: ON behalf of Phorm

Hi Curious George again, Phorm Comms here

Ok, to your questions:

CG: PhormUKPRteam,

“The data capture system only stores one item of information on your computer — a random number” … “The only person able to make that connection is you, as you have that cookie in your browser. “

CG: I do not allow cookies. Does this mean I can not opt out of the data capture?

Phorm: If you do not allow cookies you will not be part of the system, no data will be analysed. But more importantly, if you’re looking for an opt out mechanism that doesn’t rely on the presence of a cookie, we offer a browser-based opt out. Just set your browser (Firefox, IE and Opera) to block cookies from our ad-serving domain,

CG: Also, the term random number is misused quite often. Just how random is this number?

Phorm: Totally random — I will get you the length when the tech team wakes up.

Phorm: And just out of curiosity — can you tell me more of this random number misuse? Thanks

CG: “it’s impossible to know (or indeed reverse engineer from that) who you are or where you’ve been. “

CG: Other firms have made similar claims only to be proven wrong.

Phorm: Which firms are you thinking of? No other firm says ‘we don’t have the data’ — they all say: we have the data and it’s safe with us. That’s a very different argument. We’re not saying: trust us with your data, we’re saying: we don’t have the data.

CG: “In the ad serving phase, when your computer requests an advert from the OIX”

CG: How is this request generated and how is it sent? I do not allow the execution of arbitrary website code. Does this mean the targeted ad is not served?

Phorm: Exactly, if you are opted out or have blocked cookies, you are opted out no targeted ads are served from the OIX. You will still see ads as you browse, just as you do today, but they won’t be relevant to your browsing behaviour.

CG: Thanks in advance

Phorm: No problem.

Best wishes,

Phorm Comms team

Anonymous Coward says:

Re: Re: Re: ON behalf of Phorm

Phorm: If you do not allow cookies you will not be part of the system, no data will be analysed…..

it will not be analysed, but will it be collected – right?
I understand there are two, no – make that three parts to this, collect, analyse, target. I suspect there is no way to avoid the collect other than going to an ISP which does not participate.

Phorm: Totally random (number)

If you have discovered a method to economically create totally random numbers, then you are in the wrong business. Cryptology experts spend huge amounts of money in this field. Typical use of the term random number adds the word “pseudo” in order to clarify this point.

Phorm: Which firms are you thinking of? No other firm says ‘we don’t have the data’ …..

The most notable would be AOL. Search on AOL leaked data.
They also thought the data was anonymous. They were wrong.
Netflix, MySpace … the list goes on.

Phorm: … we don’t have the data.
Do you delete it? How soon after the analysis?

In summary, I think this is a very bad idea. I dont see the opt-in or opt-out having any affect upon the data capture element, it is only changes the analyse and target phase. To do otherwise would not be efficient. I will attempt to avoid doing business with an ISP that participates. That’s my choice and hopefully I will still have a choice in the future.

dr.sputnik says:

Re: Re: Re: Phorm, Random Numbers, and Identification.

Lets take a look at a little hypothetical scenario.

“Dave” is a bad man. He’s a hacker who likes to exploit peoples computers.

“John” is a person with a PC who browses the web. His ISP is one of the ones that is using Phorm’s targeted advertising.

Dave has exploited a bug in one or other application on John’s PC and now has access to all John’s files. Including a Phorm cookie with a pseudo-random number in it.

Dave can now put that cookie on his own machine and get ads that were targeted at John. Dave (having hacked John’s computer) can also access any personal information on John’s PC and therefore identify the random number with a person.

That’s not anonymous.

Granted, it’s not Phorm’s fault that John got hacked in the first place. But it does rather prove that Phorm’s anonymity promise is not built on anything more solid than thin air.

Jake says:

Re: ON behalf of Phorm

Thanks for the personal response. That answers most of my questions, and I suspect the opt-out/opt-in issue will be down to the individual ISPs. I am however going to be one of the opt-out crowd; there are measures I can take to prevent a security breach at Phorm’s end from doing me any harm, but they would be extremely inconvenient, and I’d rather avoid the problem altogether.

In any case, exposure to cable television from a quite young age has left me permanently ad-blind. 😉

Tse (profile) says:

Re: Firefox Advert Blocking

Send email to your representative (what that means varies from country to country of course) and demand a nice law about registries. We technically have one in Finland that prevents a company from keeping a registry of private information without the user’s knowledge. I don’t know how well it is upheld tho; with all this state-issued censorship stuff it might be that I soon have to move to Sweden 🙂

Really, allowing companies to collect this kind of data is the first step towards 1984, and I thought we’re 24 years past that already.

rawalex (user link) says:

Too many companies try to sneak in as legit.

As a website owner, I find products such as this to be a major annoyance. The product is the ultimate leech product, closely monitoring end users and replacing advertising on page with adverts of Phorm’s choosing. This means that I build the website, I product the content, and they make the money. That alone should make this product illegal – the intent of the product, no matter how the end user as agreed to it’s installation, it to usurp the publishers rights and to shift economic benefit from one party to another.

I understand that end users have the right to control their surfing experience, but there needs to be limitations on how others can profit from such tools. These sorts of products lower ad exposure rates and click thrus for publishers, which lowers income and cuts back their ability to produce new content.

That the Phorm people in the past were injecting rootkits and other such things shows their level of scruples: NONE.

In the end, data is collected, it is captured, from log files that would show connections to the number of ads served and such, all that data will be available. Phorm cannot operate a business of selling advertising without being able to count both views and clicks, therefore infomation is kept, like it or not, and likely sorted on keyworks and such.

NOTE TO ISPS: If you encourage this type of software or attempt to profit from it, the word will get out and your surfers may find themselves with a very restricted web experience. Can you imagine all major commercial websites blocking out BT subscribers because they have become leeches? Wake up and realize that if you are making money by stealing from others, they will not tolerate it.

Phorm Comms team (user link) says:

Re: Phorm partners with websites, does not inject ads

Hi Rawalex,

I’m part of the team at Phorm too. My colleague has logged off for the night so here I am…

I completely understand your indignation if our system were to insert its ads into your page. It doesn’t work like that. We partner with websites, we don’t hijack their pages. That would be, frankly, nuts, not to mention commercial suicide.

OIX uses an auction model. I’ll briefly explain how it’s a win-win for website publishers:

So let’s say you decide to partner with us, you as a website owner insert our tag into your page. You decide the minimum price for your ad slot (as an aside — all OIX ads go into the existing ad slots on sites, we don’t do pop ups or pop unders) and we ONLY serve an ad into that slot if we beat your threshold price. That means you can only make more money for that slot than you are making now. You can maximise revenue for all inventory types using different thresholds and give your users a better site experience with fewer irrelevant ads.

With regard to privacy and some of the comments above, there’s a concern (totally legitmate, it’s happened before with netflix and AOL) that we could leak data. What makes our system so unique is that we don’t store data, other than a random number, an everyday product category (eg sport or travel) and a timestamp. So even if we did leak that or a hacker broke into our system, all they would find is a collection of categories (sport travel etc) a bunch of random numbers and times. It’s impossible, from that information, to reverse engineer who you are or where you’ve been.

We understand the skepticism. Everyone’s become conditioned to think storing browsing histories, IP addresses and searches for months on end is OK. We don’t think it is.

Do email the techteam any questions at
or use that address for more questions on publishers, privacy or anything else.

Comms team

Phorm Comms team says:

Re: Re:

Hello Curious George,

I am not sure the public is in anyway ‘unsuspecting’ — the system is not live, we and our ISP partners deliberately left a lead time between announcement and any deployment so that the debate could start and everyone would be as fully informed as possible: via the press, blogs, forums (fora?), boards, our websites and so on.

Also, the system has been built so that you can opt out or opt in whenever you want:

It’s choice by design, not by concession.

If you care about your privacy online, this is the best thing to happen to you. This isn’t marketing tosh, it’s true. We’ve built a system, that, unlike other ad serving technologies or big search / advertising companies, stores no data on you. If you were to hack the system there would only be a bunch of product categories, random numbers and a timestamp. That’s it. No browsing history, no IP address, no personal information. No you.

We could not be put under pressure from anyone — govt included — to release the info, because it isn’t there. We don’t have it so we could never be forced to give it up or leak it. This is a world away from any the major online businesses who are fighting very hard to keep that data on you twelve months or more.

Phorm believes that the standard we’ve created — store no data: No PII, No IP address, No browsing histories — should be the standard for the industry.

We would be one of the few companies in our area to support the Article 29 proposal to classify IP addresses as personal information. I don’t need to tell you how unusual that is.

I’ll address your questions in the next comment as best I can.

Best wishes,

Comms team

Phorm Comms team says:

Your comments


We have posted on the adware vs spyware comment a lot. It has been covered in The Register and other publications you post on. I think that even in the context and spirit of bloggery you have gone way too far with your recent post, ie ‘The idea of trusting that a bunch of criminals has “reformed” is incredibly stupid.’

I would call on the editors and contributors to this site and anyone who is at all interested in dialogue and debate to not support even tacitly these kinds of inflammatory — and untrue — comments.

Phorm Comms team

The Other Steve says:

Re: Your comments

“We have posted on the adware vs spyware comment a lot. It has been covered in The Register and other publications you post on. I think that even in the context and spirit of bloggery you have gone way too far with your recent post, ie ‘The idea of trusting that a bunch of criminals has “reformed” is incredibly stupid.’

I would call on the editors and contributors to this site and anyone who is at all interested in dialogue and debate to not support even tacitly these kinds of inflammatory — and untrue — comments.”

You can call all you like, but I’m afraid that an open debate requires these issues to be kept in the open no matter how uncomfortable you are with them.

The fact that remains that 121Media is a former spyware distributor. No matter how many times you try to make the distinction between spyware and adware, you must remember that the distinction does not exist as far as most people are concerned.

121Media was responsible for installing software on peoples computers WITHOUT THEIR CONSENT, which then collected data about their browsing habits. This data was then used to pop up intrusive, hard to close, and often pornographic advertising on user’s machines. 121Media profited from this unscrupulous, often illegal, and certainly unwanted behaviour.

Go ahead, deny any of that, spin your weasel words around it. But don’t forget, the internet contains vast amounts of evidence of its truth, so you’re going to have to be VERY sure about what you know, think you know, or have been told by your superiors. And my own memory is not so short that I have forgotten having to remove your SPYWARE from people’s machines on a regular basis to stop the barrage of gambling and porn ads that they most definitely did not want to be exposed to, or have their children exposed to.

I second the point. Give me one good reason why I would hire a known former burglar to clean my house ? That would be pretty dumb. Would YOU hire one to clean YOUR house ?

AK says:

How safe is my website?

Dear Phorm Comms Team,

I own and administer a phpBB support forum for people with a specific type of physical/mental health problem. Only members are allowed access to the (advert-free) forums. Am I right in saying that the Phorm software located at the ISP will be able to access the forums and log key words – which I presume would include usernames and aliases – from those forums? If so, then I feel this is a security risk, and my response would be – “All information located within my webforums is of a highly confidential nature. Phorm is not a member of the forums, nor do I give permission for Phorm to become a member, nor do I give permission for any Phorm software (located at members ISP’s or elsewhere) to access my forums”.

In other words, will there be any way to block any Phorm software from accessing my website and forums? If not, surely this breaches the DPA, and my responsibilities under the DPA?

Many thanks in advance for your response.


AK says:

Re: How safe is my website?

Still waiting for an answer on my above concrns. Is it going to be possible for website owners to opt-out? Forums that are visible to Member only ensure that no-one who isn’t a member gets access – including bots as I have a total bot exclusion in my robots.txt file. However, Phorm does not take any notice of robots.txt files. If Phorm accesses my forums without permission they are as far as I can tell, falling foul of the DPA, as am I by allowing a third party to access and process confidential personal information.

And what about members of social networking sites that have made their profiles friends only? If one of their friends use a Phorm enabled ISP, then Phorm has access to those private pages. Surely this falls foul of privacy laws?

Again, many thanks for any reply

Man Outraged says:

The facts and technical assumptions are bad enough

Instead of [as well as] focussing on colourful background, I saw this rather solid-looking technical piece and FROZE:

What about guys that NEED a regular DIRECT internet connection e.g. IT professionals testing software, companies who still use IP allow lists. Also Davew comment on above blog opens more cans of the proverbial than ever…

The Other Steve says:

Re: The facts and technical assumptions are bad en

I thought the tech was clear from the documents leaked, which is why I have not focussed on that. Also I suspect many (normal) people will find it difficult to grasp and Phorm’s horrid PR bots will make it sound like free chocolate anyway, watch for their canned response “That server belongs to your ISP, not to Phorm, etc, etc, ad nauseum”.

Although I agree it is of paramount importance for the technical information to make its way through the community, I also don’t want people to forget exactly who we’re dealing with here.

Even if Phorm can somehow sell it’s technical solution as uninvasive, which I for one find hard to imagine, but you’d be suprised, heck, even if Phorm’s tech solution DOES give out free chocloate, I want people to know who they are taking sweeties from.

I can’t help wondering how the readers of the Daily Mail will feel when they find out their ISP is about to crawl into bed with a company best known for gambling and porn popups. Hmm…there’s a thought 🙂

Duodave (user link) says:

This is why when i surf porn...

…I open a new tab or browser window, instead of surfing there directly from my employer’s web site. I’ve seen logs and I’m never quite sure if sites I browser to from a site is going to end up in a log somewhere.

This is data that’s already being collected, it just sounds to me like someone is trying to use it differently. I think this will go away when someone clicks through from a porn site to CNN and the CNN site runs a titty ad.

BILLinBCN (user link) says:

ISP's have dropped the ball on BT

ISPs, portals, and ad networks have dropped the ball. They have allowed the behavior targeting debate to spin out of their control, leaving the conversation in the hands of privacy evangelicals that represent only a vocal minority. As a result, most consumers and law-makers have concluded that ad targeting is a consumer protection issue.
My recommendation to ad networks, ISPs and portals is to take back the debate. With a modicum of marketing and consumer-friendly product offering, behavioral targeting can become the hero of its age, instead of the defiling villain.
Read the analysis at

Phorm Comms says:

Anonymisation Reversal - Post #28

Clickstream data is never stored. Therefore it cannot be ‘de-anonymised’. The AOL / Netflix situation cannot occur because the clickstream data has been deleted in real time as the page loads.

We don’t store any personally identifiable information, IP addresses or browsing histories so we can’t know who you are or where you’ve browsed. And you can choose to switch the service off or on at any time as explained in post #7

Jose (user link) says:

Shame on the ISPs!

The current plight of ISPs and portals is a direct result of blind opportunism. These companies generally viewed their customers as monetizable targets instead of people, and managed to piss just about everyone off outside of Silicon Valley.

The truth is that behavior targeting offers a rich portfolio of rewards for consumers – rewards that everyone agrees is best for consumers — and rewards for which consumers have long been asking. But instead of presenting the new technology as a boon to your users, you’ve gone to market with public declarations of how you’ll be able to squeeze more money out of each member.

There’s an excellent analysis at I suggest people take a look.

JoeUser says:

A few questions for Phorm guys…

It’s my understanding that traffic to the profiler is anonymized such that the profiler never sees the user’s IP Address. In order to correlate activity, a randomly generated (as in not a function of the user’s IP address) unique identifier is stored in a persistent cookie. Requests/responses are boiled down to data digests, and those data digests serve as input to the profiler, which updates profile information for the unique ID. The profile consists of behavioural keywords and/or other data that would be matched against the behavioural data specified by advertisers in order to determine the ad to show. Anything in that you’d like to correct or clarify?

Q: Are the ads served by servers that are also located within the ISP’s facility/network, or are they served from foreign servers?

Q: Is the cookie containing the unique ID effectively stripped from ALL requests that exit the ISPs network (including any requests to foreign ad servers, if that occurs)?

I’ll stop here for now. Thanks in advance.

Counter Evasion says:

Evasive and misleading answers

Phorm’s retained PR team are doing very well at providing polite and seemingly well put together answers that actually do their best to obfuscate the issues.

The key point here is that the participating ISPs will insert a ‘box’ into the network that ‘profiles’ _ALL_ traffic. The ISP owns and operates this profiler, so it comes under the ISP’s jurisdiction. This profiler then send ‘anonymised’ information to Phorm – a separate entity: or possibly doesn’t depending on an opt-out cookie or other opt in/out mechanism.

Now, the profiler will be running software supplied by Phorm. Phorm has a colourful history, and some people do not trust their motives.

I wish to make it crystal clear that I DO NOT WANT the ISP to be intercepting and analysing/profiling my traffic. It is of dubious, arguable legality in the first place, and as far as I am concerned simply the wrong thing to do in any case. My trust and privacy are being abused.

All this will do is increase the cost of hosting websites, as people will move towards using SSL or other end-to-end encryption routinely – with all the extra cpu power needed for that.

Phorm – go away and take your lame, exploitative business plan with you.


Phormic Acid says:

Phorm not hijacking BT WebSever Pages?


But they are hijacking MY WEB PAGES WITHOUT MY PERMISSION & THAT IS ILLEGAL, if it persists legal action & other perhaps punitive measures will be taken.

The Law is being turned into a MEDIA CIRCUS.

Everyone has a right to personal privacy as long as they are not acting against the public good!

These Phorm Web Servers are Inside the ISP Server System & they are providing my personal information to an organisation that I cannot condone or support in any way.

A ISP M.I.T.M attack on both the customer & the Server it connects to in inexcusable!

Inphormed choice says:

I am not a target market.

I am NOT a target market.

I dont wish to be advertsied at purely on the basis of my PRIVATE browsing activities to which this company has NO right of access to in any way – anonymous or not. I accept “generic” website advertising as a trade for the content, but once the assumption is made that I need “advertsising at” purely because I am reading about something then that relationship becomes (in my mind) “abusive”. My intention is that as far as is possible I will boycott the products and services of any company participating in the intrustion.

I often research things for other people who may not have access to the web, so my data is “tainted” anyhow.

I use webmail occasionally, that is private, but there seems to be no way to prevent these data leeches from trawling private messages remember ALL traffic for phorm infested ISPs seems to pass through thier taps by default. I pay my ISP to connect me to the web, I dont expect them to pimp my movements to the highest bidder as part of the deal, I do not consent to the data from my movements of indeed my web pages to be intercepted by these parasites and their malware equipped servers.

A lot has been mentioned about random number identifiers. heres a number for you – 6

This ficticious character summed it up for me perfectly
“I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.”

If My ISP sinks to this level they will lose my business, I also intend to raise this with my MEP as this seems to infringe upon the individuals right to privacy in personal life. Its bad enough with the state interfering, but private companies have no right to monitor our activities by default – whatever they may feel in thier bloated arrogance.

phormwatch (user link) says:

Interesting comment from a Slashdot user

Hello all. I came across this comment on Slashdot by a user named ‘Anticrypt’. It deals with various issues surrounding Phorm spyware. I thought the post was pretty interesting and insightful, so I’m going to reproduce it here.

The URL is here:

Here is the text:


Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people’s observations in the ensuing PR war. Phorm’s sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

Phorm has hired a specialty PR company, Citigate Dewe Rogerson [] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I’ve seen Dutch, German and French language follow-up posts in the last few weeks.

Phorm has addressed the main part of pesky privacy laws in Europe by “gifting” the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm’s technical team. If the equipment stays 5 years in the ISP’s premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn’t left their network should post-analysis show the customer has “opted-out” of passing the information to Phorm’s China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

The Phorm collectors sit inside the ISP’s network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP’s network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

The problem I, and others, had with Phorm’s plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

As an example, let’s take an ordinary, un-intercepted session to The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can’t be tricked by slashdot’s servers to return cookies from digg or google.

With Phorm, the initial HTML request to gets intercepted by the Phorm equipment, which respond with a 302 redirect to, the browser then does a lookup and redirect to the new site. Note, that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for with the correct address for, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins, the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It’s a malware writer’s wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.

Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.

More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP’s server (without an SSL session since it isn’t going over the internet) can have the contents read and analyzed by Phorm.

Where the storm of controversy comes from is that technically apt people (like slashdot’s readership) are beginning to understand just what an internet stream hijack implies. It means that Phorm can not only read all your web traffic, they can intercept all the traffic near the headend of your broadband connection and read anything. They can read your IM sessions, they can read your email, they can get it all.

Now, at this point, the über-technically adept point out encryption, certificates, Man-in-the-Middle attacks and the like. True, https sessions, encrypted IM, TLS protected POP&IMAP and other protected protocols give some protection from snooping on the content, but not much “signals analysis” protection. They can still snoop on your DNS traffic, even if you run your own local caching server or use OpenDNS or AlterDNS. They can still see what the end points of your encrypted tunnels are. Sure, you could tunnel all your traffic to a remote VPN server, but how many of you do that now? How many average users would even bother?

I was going to insert a long analysis of how they analyze and claim to anonymize the data collected, but this post has gone way too long for slashdot. Maybe another post another time.

I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible to uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network []. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names, the name of the company has changed from PeopleOnPage to 121media and recently changed from to Phorm. This is typical of a company that knows it will have to shed it’s tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand.

Sir Tim Berners-Lee has seen their presentation, and held a press conference yesterday to try to stop the practice cold. Even if Phorm is stopped dead tomorrow, the business conditions and legal loopholes are still present to encourage ISPs to try this again and again, and it will certainly be much worse in the US where there is absolutely no legal protections at all, and a ready market for personal data.

the AC

Visitor says:

Phorm, Random Numbers, and Identification

Nice research 🙂 Don’t you think that after “Dave has exploited a bug in one or other application on John’s PC and now has access to all John’s files” it doesn’t matter anymore if John has Phorm cookie or not. Or you still think that John’s privacy is not compromised yet (until Dave grab that mega-valuable phorm cookie) ?

Jonah says:

With the use of DPI Kit in the ISP anyone who has access to the Profiler could inject code rogue or otherwise into the communication stream. This mostly concerns the Surfer Web Browsing & Application Software but it could also be used to infect Servers if misused.

This practice of putting a “transparent” dpi proxy in between Surfer & Website is very open to abuse as my example shows, but Phorm were “NOT” very transparent especially if a Surfer ran without scripting or cookies enabled. Getting popups immediatley sent alarm bells to me that there was something going on at the ISP.
DIRECT INJECTION OF DATA into my Web Browser immediately I connected to the Web.

Until Phorm announce their so called “illegal” contract however, it was difficult to determine the reason why my ISP was doing this.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...