Gallery

Is Phorm really that bad?

Posted on 3 Sep 2008 at 12:54

According to security expert and FIPR member Dr Richard Clayton, who published an in-depth technical analysis of Phorm (www.pcpro.co.uk/links/168phorm1), this machine sees all the web sessions, and is aware of the IP address of the user. The profiler also chooses a random unique identifier to identify the person using the cookie that accompanies the request. This identifier, the ten-word list, search terms used and URL are passed on to an anonymiser machine, which, like the profiler, is controlled by the ISP. This, in turn, passes the information to a channel server controlled by Phorm.

The data is then processed against a database, which determines the advertising channels that match the analysis, based upon the keywords that advertisers are looking for. The URL, search terms and word list are discarded. When the user's browser fetches the advert image request from Webwise for display, it also sends the Webwise cookie containing the unique identifier. The request is routed through the anonymiser machine to the channel server, so the latter never knows the IP address. The channel server determines the appropriate advertising and instructs the anonymiser to serve it.

Privacy matters

In other words, there are two separate processes involved: ad-category matching and ad-serving. The ad-matching system stores a random number on your PC via a cookie: this distinguishes your browser from millions of others and doesn't contain any personally identifying information. Your browsing behaviour is matched against pre-defined advertising categories and keywords, with only those categories, the random number and a time stamp stored in the system. A Phorm spokesperson told us: "No browsing histories or IP addresses are retained, and the raw data used to make the match is deleted by the time the page loads." This, in effect, makes it impossible to know (or reverse-engineer) who you are or where you have been.

The ad-serving process decides which advert is most relevant by looking at the categories associated with the random number in the cookie. Phorm tells us it believes "online consumers should not have to make a trade-off between personalisation and privacy", and that its "approach to targeted advertising is uniquely privacy-sensitive, in that we don't, as many other systems do, need to go through identity to target relevant advertising".

So, again we ask, why the fuss? Could it be that with BT, TalkTalk and Virgin Media all working with Phorm, the reality is that 70% of all broadband users in the UK could soon find themselves exposed to behaviourally tracked advertising? David Clarke, British Computer Society (BCS) chief executive, says: "BCS members involved in work of this kind should think very carefully about the implications of these systems, and the BCS professional code of conduct they have agreed to. Failure to abide by that code could lead to expulsion. Members should always be mindful of current good practice such as opt-in, and their duty to the public, as they implement systems like this." And, talking to the BBC, the inventor of the World Wide Web himself, Sir Tim Berners-Lee, indicated he would change ISP if his introduced such a behavioural ad-tracking system. Referring to his browsing history and the associated data, Berners-Lee said: "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."