Error: Too many requests have been made during a short time period so you have been blocked.
« Previous | Main | Next »

BBC Online and behavioural targeting

Post categories:

Seetha Kumar Seetha Kumar | 19:36 UK time, Friday, 15 May 2009

I am fortunate in being surrounded by people for whom creative technology is intuitive, exhilarating and extraordinarily vivid. A connected world is the world we help shape.

However for those for whom the internet feels like alien territory, anxieties around issues such as safety, security and privacy can stand in the way of making the most of what the web has to offer.

These concerns are real. Our public service ethos acts as a powerful motivator: we want to provide a safe environment within which people can enjoy our offer.

Recently, there have been a lot of column inches on the use of so-called 'behavioural targeting' - the delivery of adverts to audiences based on their internet activity. Phorm's behavioural targeting service, for instance, has received particularly widespread coverage.

I thought it worth sharing my thoughts. First, a recap on the main ways in which behavioural targeting works.

First-party targeting is where user behaviour is tracked by means of a cookie on a specific website. The data is kept by the website owner (or its contracted company), and targeted ads are served up whilst you're using the site. In a "network" advertising model a number of sites contract with each other to share the data about user journeys across a specified network of sites. The website's privacy policy should tell you how to opt out if you do not want your user journey site used in this way.

Of course, UK users are not served up ads on We are a public service offering - funded by the licence fee. However, we do use cookies in order to provide users with a more customised service. But, you as the user are in control - you have the option of setting your device to accept all cookies, to alert you when a cookie is issued or to opt out - i.e. not to receive cookies at any time. If you want to know more, check Section 13 of our Privacy Policy for more information on our use of cookies.

A commercial company cannot provide good free content on the web without relying on advertising revenues. In which case, the better targeted the marketing - the more sales that are generated. I believe thrives by being part of a bigger competitive landscape of amazing content providers - mostly funded by advertising.

Our commercial arm, BBC Worldwide, uses first-party targeting technology on its UK sites - such as - and the international facing, advertising funded website at, through a company called Audience Science. On our Privacy Policy we include a link for international users explaining more about the technology used and how to opt out of it. (You will find it at the top right hand corner of the privacy page). In a nutshell, Audience Science places a cookie that tracks the pages visited by international users of, forms a profile based on that activity, and serves up adverts based on that profile.

Ads can be specifically targeted to users falling within specific "segments" - and there is a user benefit in that. It can also generate revenues that can be reinvested into supporting our public service remit of creating useful propositions for our audiences, as well as new ways of delivering them. Naturally, as a user, you have the choice to opt out.

Then, there is a further type of targeted marketing - ISP based behavioural targeted advertising (such as Phorm) - which is different. Targeted marketing here works by putting their technology into the ISPs networks. They intercept all users' browsing activity using 'deep-packet inspection', putting each user into a 'bucket' that broadly and anonymously categorises them, and serves them ads based on which "bucket" they are in. Whilst this enhances the quality of the targeting (as it covers a broader range of sites) it is also more invasive than first-person or network targeting as it collects the user's entire web activity.

My understanding is that Phorm is not currently deployed on a UK ISP, though it has been trialled. So the jury is still out.

Some principles remain true. They are quite simple - the privacy of our user and the code we follow as a public service broadcaster. This means it is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain.
Your ISP should always give you the choice of opting into their use of this type of behavioural targeted advertising. This has been laid down by the Information Commissioner's Office (ICO) last year. As it's your ISP who decides whether or not to use this type of technology, it is worth knowing that there are steps you can take. In the case of Phorm, in particular, you can also opt out via their website.

Deep packet inspection is a big issue in Europe. So is the allied topic of users being in the driving seat and being able to give informed consent. The European Commission issued an action about a month ago against the UK Government querying whether the law here goes far enough to protect users.

We are watching this space closely and waiting for details of the Government's response, which is due around mid June.

I am keen to hear your thoughts. There's more coverage of the subject in the links below if you are after further information.

Seetha Kumar is Controller, BBC Online and the BBC's Online Access Champion.

"The Phorm Storm" from Open Rights Group
"Stop Phoul Play" website
"Phorm - one year on" from the BBC's
"Phorm controversy starts up again" from techblog

Error: Too many requests have been made during a short time period so you have been blocked.


  • Comment number 1.

    I'm actually stunned that you're even linking to the "Stop Phoul Play" website, which is demonstrably run by Phorm itself, and expends much of its energy deriding those who dare to question whether deep-packet inspection for the purposes of more targeted advertising is a good thing.

  • Comment number 2.

    You offer no justification whatsoever for your assertion that "A commercial company cannot provide good free content on the web without relying on advertising revenues".

    I think that's bunkum, and so invite you to now do so.

  • Comment number 3.

    Given that it is currently very unclear about how the opt out from Phorm and similar services will work for end users; but it is clear how websites can protext their user's privacy buy saying they wish to be excluded, what is the BBC's policy on opting out of Phorm?

  • Comment number 4.

    Any chance of a sneak preview of the answer to the FoI request below?

    "This means it is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain."

    Is that a hint?

  • Comment number 5.

    This comment has been referred for further consideration. Explain.

  • Comment number 6.

    Are you - the BBC - aware that you can block the entire BBC network of websites from being intercepted by Phorm by adding a Disallowed to your sites' robot.txt file?

    This is much more effective and proactive than telling the public to fiddle with cookie settings or try to work their way through the misleading approach of having ISPs like BT offer unnescessary but scare-mongering anti-phioshing software with these systems hidden inside.

    Not everyone in the UK is computer literate so it's not unreasonable to ask that a public funded body like the BBC take positive steps to protect their owners rather than posting advice on a relatively low-traffic blog.

    No company would leave security to the individual members of staff or the individual customer. This is an area where the BBC can look afeter all of their customers with one simple step rather than saying - "we told you".

  • Comment number 7.

    I too am very surprised that the BBC is carrying a link to the StopPhoulPlay site.

    In my opinion it is highly likely that BBC lawyers have had contact with the site owners over content regarding the BBC. Is it fair to link to a site that potentially libels those who cannot afford such a lawyer?

  • Comment number 8.


    Using the robot.txt file would indeed allow the BBC to block Phorm, thus preventing "third parties [to] use the data profiles of the users of BBC services for commercial gain."

    Unfortunately, Phorm have arranged things so that you also have to block Google as well in order to do this. Not a very good choice to have to make. It's almost as if it has been designed to be very difficult.

    Fortunately there are other ways for the BBC to opt-out and protect the licence payer.

  • Comment number 9.

    why has the BBC not taken action over phorms use of the name "WebWise"

    as it confuses the educational bbc webwise brand used by my children which is safe, with a webwise brand based on profiling, data collection and advertising?

    also does the BBC have any plans to opt-out the bbc wesites from being profiled by phorm?


  • Comment number 10.

    Amazon and Wikimedia (the wikipedia empire) have both used the alternative opt out route to protect their users and prevent the commercial exploitation of their content. There are many other sites following their lead.

    Here is how wiki did it.

  • Comment number 11.

    You say "Your ISP should always give you the choice of opting into their use of this type of behavioural targeted advertising." I think everyone agrees with you there.

    It is a pity that the ISP don't also provide some way of asking customers to opt in before they do the interception through the DPI system that checks whether or not you have opted into the advertising and takes a copy of all your requests to the internet and what you see in response. As it is currently, only https traffic is not intercepted by the DPI system.

    It seems rather meaningless for the ISP to be intercepting traffic without permission (RIPA anyone?) and then claiming to be so wonderful by offering people an opt in choice for targeted or default advertisements from the Webwise system. Who really want to give up all their privacy just so that a DPI system can record an opt in/out cookie? Other behaviour targeting networks use scripts to set these cookies and manage just fine without invading privacy by tracking you everywhere you surf.

    Ever asked yourself why Phorm only invites sites to have their content removed from being used in profiles while the ISP fails to provide a similar mechanism for the sites to not have their content mirrored and analysed in the first place?

    BBC's commercial sites are trying to earn income by sharing visitor data with Audience Science. Every visitor coming to the site through a DPI infected connection will be passing through to Phorm the same data that Audience Science is collecting and it will be Phorm and the ISP earning an income from that visitor, too. It sounds like the BBC is not happy about that.

    Does the BBC have Korean pages that will be sharing their visitor data and possible income with Phorm and their Korean ISP partners?

    Why is it that no one in the media is writing "Your ISP should always give you **and the websites you visit** the choice of opting into their use of this type of behavioural targeted advertising. Without an opt in from both parties to the communication there should be no DPI system performing the interception, no mirror copy infringing copyright, no forged webwise cookie claiming to be from the domain of every website visited, no profiling and OIX partner sites should only be able to deliver adverts based on tracking that happens when you visit other OIX partner sites, if you accept their cookies."

    Although, as most people won't understand that it is probably easier to ask why people complain about the Government wanting to have access to traffic data (not content) under the controls offered by RIPA and see that as a gross invasion of privacy but think that the same copying by the ISP of traffic data PLUS the content of pages viewed is OK and does not need any protection under RIPA because the interception and analysis and creation of a database for the profile kept by Phorm is only used to give the ISP a little more income.

  • Comment number 12.

    Please consider removing your link to the Stop Phoul Play site, which smears several of my fellow campaigners, and also publicly identifies individuals by linking their forum usernames and then speculating about their full names and identities. It has already been altered several times since it was first published. One page in particular was originally published with serious allegations about the BBC (all of which I have saved offline), now mysteriously disappeared. For a site which claims to be telling "the true story" it is strange that several of the claims originally made on Stop Phoul Play about the BBC, ORG, Dr. Richard Clayton, the Home Office, the Secretary of State for Culture, Media and Sport, and the No. 10 Downing St. petition site managers, have had to be removed or toned down. Surely the "truth" shouldn't need adjusting in this way? The Telegraph sums up the Stop Phoul Play site quite nicely.

  • Comment number 13.

    Actually, I'm in two minds about the link to Phorm's 'smear' site. On the one hand, the points made by previous posters about linking to a site where the BBC and other large organisations have already had to get claims removed or toned down are very valid. On the other hand, linking to this site rather the Phorm's main site does give a much more accurate impression of the type of company we are dealing with.

  • Comment number 14.

    I agree that, as you say, it is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain. To ensure that Phorm cannot do so, the BBC should opt all its domains out of the Phorm system, just as Amazon and others have done.

    I also suggest that all BBC sites that profile users should do better than offer them the chance to opt out: they should refrain from profiling unless the user decides to opt in.

  • Comment number 15.

    I strongly urge the BBC to opt out of the Phorm program for all of their websites. Privacy is a serious issue, especially in times where almost on a daily basis, confidential information is leaked in some or the other way (CDs, USB sticks, laptops, in buses, on trains etc.). Privacy is a basic human right. You don't have to opt-in to human rights, do you?
    Also there is the issue of the copyright on an individual's browsing history. As the creator of the Web, Sir Tim Berners-Lee said about his data and browsing history: "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return.".

  • Comment number 16.

    @ John Horb. Actually maybe you are right. If Phorm want to be judged by the standards of that site, then maybe we shoud let them be judged by it.

  • Comment number 17.

    seetha, when you say "Recently, there have been a lot of column inches on the use of so-called 'behavioural targeting' - the delivery of adverts to audiences based on their internet activity. Phorm's behavioural targeting service, for instance, has received particularly widespread coverage."

    which part of 'behavioural targeting' and the real Phorm story of "Deep Packet inspection/Interception" for commercial profit
    (apparently being willfully misreported by the BBC and other interested partys) dont you get ?

    one is legal and valuble to some sections of the UK and the world.

    one is totally illegal without a court order, and against several UK laws.

    do you really feel happy openly and freely here advocateing "DPI for commercial profit" ? and in doing so, influence the mases of BBC readership to totally ignore the illegal act of "wire tapping/DPI interception of their payed for internet connections.

  • Comment number 18.

    seetha, being in the position of high regard you are in today, would you kindly explain here and now in this thread...

    why you have NOT linked in ANY professional persons anti "DPI interception" quotes, and there are many.

    or for that matter given an interview or even just been in contact with and talked to such people as Mr Hanff of Privacy International ?

    "Privacy International:we are pleased to announce a new addition to our team.

    Alexander Hanff, a social scientist and technologist who has led a long campaign against the use of Deep Packet Inspection for behavioural advertising models in the UK, will be taking the lead for Privacy International on these issues"

    its not hard, you can chat with him anytime on the open and https secure NoDPI website,

    another direct lik you did not include for this very story.

  • Comment number 19.

    I'm aware of the controversy surrounding the "Stop Phoul Play" website. But it's important to link to different sides of the argument and I trust that the readers of this blog will make their own judgements. Thanks for the useful links and comments so far and keep them coming.

  • Comment number 20.

    Nick, how much clearer can we readers make it for your BBC news and management teams ?

    YOU yourself STATE directly above "it's _important_ to _link_ to _different_ _sides_ of the argument"

    and yet, seetha (tat these questions are directed at unless you are infact seetha by another name OC ;)
    has seem fit to _NOT_ actually link to the different sides of the Deep Packet Inteception for commercial profit _story_ (rather than argument)

    but rather seetha knowingly, directly linked to a Phorm owned and PR run website.

    that on the face of it, appears to be setup purely to undermine the very same type of end users (admitedly people that have had no other choice but to inform themselves on this DPI subject due to lack of real indepth reporting) people they intend to DPI intecept and profit from, the so called other side of the story.

    seetha linked only to BBC off the cuff story writers that dont seem to even understand the the VERY Important difference between "DPI for commercial profit" use, and the wider subject of benine 'behavioural targeting' without these wiretapping DPI devices watching and potentially reporting to private 3rd party companys, everything you and your kids go and do in the future.

    seetha linked only to a very small under funded 'Open Rights Group' that virtually noone knows outside the informed phorm storm advocates, and finally

    a finally seetha has seen fit to link to one single FT page that covers some, but by no mean all the controversy ove rthe last 18 months+

    at no time so far did seetha, or yourself even reference Chris Williams

    of , the LEADING news provider of true and accurate information to the end users in this phorm/DPI/wire tapping matter.

    at no point so far, has any indepth mention in official BBC stories of sir bernard lee the inventor of the internet , or coverage of Mr Hanff's new high profile Privacy International position taking the lead for Privacy International on these DPI interception and related issues....

    so a direct question for you Nick, Please explain Here And Now, In this Thread.

    how EXACTLY is this story, and the wider BBC mandated of "fair and ballanced news coverage" , "showing both side of the story" etc.

    showing the readership that "it's important to link to different sides of the argument"

    when all the real informed "other side" links are placed in these stories talk back comments by the ordinary readership themselves (IF the Blog even has a pubic readers reply section activated, many dont OC), rather than inside the main stories copy where it NEEDS TO BE for all to see and judge on its merits.

    how can you say or even imply you are FULLY informing people so they can judge for themselves, when your clearly NOT including even official quotes from the worlds professional Anti DPI people SBL etc.

    never mind not bothering linking to these 3rd party indepth NODPI/PI and other sites covering these tech and legal points.

    but you happily link to the new official Phorm PR firms site setup to allegadly under mine ordinary informed people and small under financed action groups such as Open Rights Group that cant affort to take them to court for Defirmation Of Character etc....

    How exactly is that showing different sides of the argument?

  • Comment number 21.

    Whoever is doing the intercepting whether it be Phorm or the ISP's it matters not a jot. The act is illegal.

    In order to be legal the interception MUST have the consent of both parties, ie webbrowser ( in this case meaning the person browsing a site ) and the website owner or creator whose copyright the site content is.

    The consent of the webbrowser must be gained by an OPT IN system. The consent of the website creator MUST be obtained PRIOR to the interception and not during or after. The attempts by Phorm to circumvent the law by asking websites to OPT OUT using a special list is purely that,an attempt to circumvent the law and is meaningless.

    The breach of copyright that ensues by not following the law makes Phorm and the ISP's , regardless of who is in control of the system. liable as both are party to the illegal interception. Should a webbrowser be so ill informed as to actually opt in to this system the permission of the website visited is still required under the law. Copyright exists on the internet in the same manner as to printed and other material. Should the ISP's and Phorm use the connection of an opted in user to intercept a communication between the user and website they commit another illegal act by making the user party to the illegal interception.
    Making the interception from another juristiction makes no difference to the offence.
    The government departments so beloved of Phorm are now scuttling away into the dark places where they hide. They have been found wanting in their protection of the rights of users and are now distancing themselves at a rapid pace from the debacle that is Phorm. There will be no solice for Phorm ,no eleventh hour rescue,now that the collusion between the government and themselves has been brought into the open. They are to busy saving their own skins issuing denial after denial.
    Phorm failed because they thought that with a compliant government in tow they could ride roughshod over the rights of others, with complete disregard for privacy and copyright. The ICO failed because they took Phorm's word for everything and neglected to do their own research. The Home Office failed because it got to close to Phorm and its machinations for their own devious and underhand reasons. BERR failed because it denied and neglected it's responsibility at the whim of a corrupt self serving government. OFCOM failed because its chief touted the advertisers mantra of "moneytise the data stream", at every oppourtunity while completely failing to carry out his mandated responsibilities to protect the consumer. BT failed because they treated their customers as mere pawns in a scurrolous money making scheme they knew was a disgraceful betrayal of trust. The other ISP's involved failed because they too put greed before respect for their loyal customers. The City of London Police failed because they didnt understand the law and could not admit it. Instead they went to the very people who committed the act to ask if it was legal.
    Copyright was the final nail in the coffin of Phorm. Not one government department gave any thought to the rights of copyright holders caught up in this mess, or if they did they either thought it would go away or they could ignore it. After all these website owners weren't like the record or film industries, they dont have the political clout to make a fuss.
    No government department will admit to giving Phorm the all clear or will back them up in any statements of legality. The backing that Phorm thought it had gained from this shameful government has evaporated, there is nowhere for them to turn now. All that is left are bluster and the childish name calling of the playground.

  • Comment number 22.

    "Some principles remain true. They are quite simple - the privacy of our user and the code we follow as a public service broadcaster. This means it is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain."

    Given this statement, did the BBC opt-out before the 2008 BT trial? That trial was announced in advance, the BBC knew it would happen and it was part of a commercial process.

    Were licence payers protected from profiling then? The serving of ads was not relevant, the profiling was.

  • Comment number 23.

    The issues of "profiling" and Ad-serving whilst clearly linked, are hardly the same. The profiling is functionally neutral, that is to say it could just as well be used to allocate you to a "potential terrorist" or "Anarchist trouble-maker" 'bucket' as to a "potential lawn-mower purchaser" or "Car enthusiast" one. Phorm wil presumably be happy to sell the relevant data to anybody who wants it, and will be required to supply the 'Intelligence' services by law.
    One major problem with these data is that if the information we are given about them is true, they can only be used inferentially: my interest in weedkiller or fertilizer may indicate that I am a gardener or Farmer, or that I am a terrorist. Of course if the data are indeed fully anonymised, then to be safe the worst assumption will be made. The more suspicious amongst us might suspect that there is anonymity and "anonymity", however.
    Of course irrespective of anything else I categorically DON'T WANT any targeted advertising aimed at me, so I want a simple one-time guaranteed method of fully opting-out of the whole shebang. Pigs, as they say.....

  • Comment number 24.

    Seetha - I'm not sure what more information you need before making a decision. If Audience Science can't be used on the UK BBC pages - stated reason being " is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain... " what is it that you need to know about Phorm/Webwise that you don't already know. Will this quote from their own website do?
    "The OIX is a revolutionary new technology platform that allows, for the first time, online advertising to be targeted using behavioural keyword data gathered at the ISP network level. This data allows for the most accurate user targeting, while completely protecting user privacy. Campaigns created in the OIX are served to ad spots on OIX-partner publishers and networks via an open exchange."

    Forget the complicated legal, technical and privacy debates for a moment. Just take hold of the fact that Phorm Webwise OIX is a commercial advertising network. It will gather data from ISP customer copies of your UK licence funded pages and use it for commercial gain. No one disputes that - not even Phorm. So on the basis of your own words there are no grounds for delaying a decision. You can come off the fence.

    Think of it this way. If I came to you with a scheme for displaying adverts on the UK BBC website pages, but didn't actually reveal the technical details, what would you say to me - would you be able to give me a decision? Of course you would - you would show me the door, and if the press wanted your response, you would give it - NO you are NOT going to show adverts on the UK licence payer funded pages of the site. The decision on Phorm Webwise OIX is just as simple and it is time it was made, and made publicly. No commercial exploitation of UK licence funded BBC content. Phorm not welcome. Using esactly the same criteria as you use to reject Audience Science profiling of your UK licence funded pages. Not the illegality of the model. Not the privacy argument. Not the complicated details of the technology. Just because " is not appropriate for third parties to use the data profiles of the users of BBC services for commercial gain... "
    Best wishes.

  • Comment number 25.

    Seetha - don't forget that Phorm announced 'imminent' trials in Korea some weeks ago. They may be running now (Phorm have been known to operate covertly).

    The BBC has a global audience so users of your web sites are possibly being profiled right now; all paid for by the licence payer.

    You do not really have the luxury of time, but need to act now, particularly if you allowed UK users to be profiled during the 2008 trials.

  • Comment number 26.

    To follow on from the above, Phorm have now announced that the Korean trials are in progress, so it IS time for the BBC to come off the fence on this, otherwise Korean 'phormed' visitors WILL have their interactions profiled.

  • Comment number 27.

    It's also worth noting that there is no real opt-out - all you ever have a is a promise that the data which gets collected will be destroyed (it's not even clear how the opt-out can effectively work, as it's cookie-based - not having the misfortune of being a BT customer, I can't join the trial to find out!)

    Once you're part of a group having your traffic being profiled (either as part of an explicit opt-in, as it should be, or something else, as it has been in the past), your normal web browsing traffic is -always- sent to the Phorm interception box situated on your ISP's network.

    Phorm tell us that if you've opted out, then the Phorm kit will just ignore your traffic. They tell us that they only profile web traffic. They tell us that it's anonymised and so on, and so forth, though it's trivial to build up a wider profile from the behavioural information that they have (as anybody who's done any behavioural analysis on one of their own sites will know).

    The fact is, though, Phorm have told us lots and lots of things, many of them which have proved to be untrue. Their response to any question is an ad-hominem attack or a re-assertion of their party line, as if repeating something often enough makes it true.

    Unless there are guarantees that the only people who's traffic goes anywhere *near* a Phorm box are those who explicitly (with proper knowledge of the consequences) gave an explicit opt-in to the service, Phorm can't possibly be legal under EU law (which is why the UK is being taken to court by the EU over this very issue).

    The problem for Phorm is that they know people don't want to opt-in to have their behaviour monitored just so that they can receive 'more accurately-targeted advertising', just as nobody wants to opt-in to install spyware if they know what it does. And, without the behavioural monitoring on a critical mass of people, their ad network is no better than anybody else's, and generally worth far less than anybody else's (especially in a world of ever-decreasing ad spend).

    *If* the law does its job then Phorm will go out of business because the core of it - the ad serving network - won't have a worthwhile USP. The snag is that the UK is reticent to enforce its own laws against Phorm and its partners and any action by the EU will take months, if not years, to complete.

  • Comment number 28.

    @Seetha Kumar

    Phorm have JUST announced commencement of a a Market Trial in Korea as such as a License Holder.
    (link below)

    I "request" that you protect "this post" & all other personal data belonging to your Organization & other "third parties" from this HIDDEN Profiling System!

  • Comment number 29.

    The BBC appears to be about to default on it's statutory obligations under the Freedom of Information Act 2000.

    I hope there is a night shift dealing with this.

  • Comment number 30.

    ".... the delivery of adverts to audiences based on their internet activity."

    Cyberstalking for commercial gain!

    Your funding model is supposed to allow you to rise above the commercial spin and uphold the public's interest.

    Defend us or get off the battlefield!

  • Comment number 31.

    Ah ... it's all about Audience Science and BBC Worldwide.

    Can you block Phorm and then justify continuing to use Audience Science?

    Well, they work in different ways. No black box in the ISP with AS for a start.

    But in all honesty I don't care about your revenue from Audience Science. I pay my licence fee.

    You should opt-out all your UK public service sites now.

    You should care more about what licence payers think about you than what commercial organisations may say about you.

  • Comment number 32.

    Quite apart from the ethics and legality of any company using the BBC's content for commercial gain without permission, why should Audience Science pay the BBC for using the BBC's content to profile (overseas) visitors, if you are going to permit other companies to do this for free? Also, having taken the decision NOT to allow Audience Science to profile UK visitors, it would be somewhat perverse to permit others to do so.

  • Comment number 33.

    Re the unpleasant Phorm website 'Stop_phoul_play' you have linked to. You rightly allow comments here to assist any readers make up their own mind about the company and the product they want to launch in the UK.

    The Phorm website is indeed very unpleasant, making nasty comments about individuals who oppose what Phorm are trying to do.

    As another comment here says, the so called 'Truth' the site attempts to expose is the truth only according to Phorm, which appears to change depending on the context of events at the time.

    Take this simple example. The Downing Street Petition Website shows a petition created 3 March 2008 which called for "the Prime Minister to investigate the Phorm technology and if found to breach UK or European privacy laws then ban all ISPs from adopting its use. Additionally the privacy laws should be reviewed to cover any future technologies such as Phorm."

    On April 28th 2009 Phorm launched their new website to 'expose the truth'.

    The site said this: "The website managers at 10 Downing Street recognised their mistake in allowing a misleading petition to appear on their site, and have since provided assurances to Phorm that they will not permit this to happen again"

    A freedom of information request was published on the WhatDoTheyKnow website, asking the Downing Street team or their website managers about the communication to Phorm saying the above. The answer to that question will no doubt follow but only shortly after it was published, Phorm removed their "version of the truth" and replaced the text quoted with... Nothing.

    My feelings are that Opt Out won't be enough if the system does go live in the UK. You will have to do more to repeatedly check and ensure the content is not used by Phorm. After what we have seen over the last few years, notwithstanding the crazy website issues (just one of many described above), can anyone actually TRUST Phorm?

    I call upon the BBC to do the right thing. Opt OUT of deep packet inspection systems that are designed to snoop on the activity of individuals to generate advertising income. Start this week with Phorm. And if the EU and UK Gov do not take legislative action to prevent this activity by Phorm or others, Opt Out whenever a new company comes along to do it.

    Do it now. I am a license payer and I ask that you do the right thing.

  • Comment number 34.

    just a recap of the way the Phorm cookies work care of

    April 7, 2008, 4:04 pm
    Phorms All-Seeing Parasite Cookie
    By Saul Hansell
    Phorm gets around these restrictions by piggybacking its cookies on the backs of those left by other sites.

    Phorm installs equipment at the I.S.P. that intercepts the users browser when it visits a Web site for the first time.

    It redirects the browser to Phorms own site. That way it can place and read its own cookie with a Phorm identification number.

    It then appends this number onto the cookie of the other site, say Google or Yahoo. It does this without the permission of that other site.

    The point of this odd exercise is to be able to monitor users but not slow them down. Once a users cookie from a given site, say Yahoo, is marked with Phorms own number, the next time the user visits Yahoo, Phorm can record that information without having to read its own cookie.

    (By the way, Phorm strips this extra number off of the cookie before it is sent back to Yahoo, so [b]sites dont know their cookies are being used this way.[/b] )

    If you follow all this, it raises troubling and heretofore unexplored questions about who has rights to do what with cookies. Is it acceptable for Phorm to ride, almost like a parasite, on a cookie set by another company without its permission?

    Kent Ertugrul, Phorms chief executive, says it is acceptable, because the users are notified about Phorms system and given the opportunity to opt out, and it is their computer on which these cookies reside.

    There are a couple of other interesting aspects of Phorms system that Ill get to in another post.

  • Comment number 35.

    its appears these long time officially released BT pictures outlining the dataflow of Phorm keep going missing, so grab them while you can ;)

    but upon inspection. these make it very clear that without exception , all your dataflow belongs to Phorm and their ISP partners ;)

  • Comment number 36.

    I find the discussion about Audience Science most interesting.

    Has the BBC asked Audience Science what it is doing to protect the data it collects from the BBC sites from being intercepted and used by Phorm for Phorm's own revenue? It matters little whether AS use a cookie or URL to process their tracking and profiling data, it will all be visible to the DPI system.

    Does AS expect the BBC to ensure that none of its sites are intercepted regardless of where the visitor comes from so that the investment AS is making in the BBC sites is protected? The question has been asked already: why should AS pay the BBC for the use of the BBC content if the BBC is giving it away to other ad networks?

    While there is no Korean language site for the BBC it is well known that many Koreans are masters of the English language. Is there a difference between the way the BBC treats its visitors from one country to the next? Will Korean visitors be reminded that their ISP may be putting forged cookies into their browsers and tracking what they read? Will the BBC be the first to break news about the new Qook package being based on DPI interception of communications? With Koreans having to prove their identity for so many online processes there is a high likelyhood of their personal data being processed many times over by Phorm.

    It is all down to the privacy policy: who else will be tracking visitors to any BBC website?

  • Comment number 37.

    Seetha, you being "Controller, BBC Online and the BBC's Online Access Champion." plus the fact this update is Directly accociated with this very thread, pperhaps you can explain this update as reported here
    Update: Phorm tells paidContent:UK its upcoming product launch would also benefit all websites, even non commercial sites like the BBC:

    In doing this, well also demonstrate how our system sets a higher standard for privacy online than existing interest-based advertising services, including those used by the BBC.

    We look forward to upcoming meetings with the BBC to show them how consumers, publishers, ISPs and advertisers will all benefit from our technology one that will give users a clear choice over their participation.

    "We look forward to upcoming meetings with the BBC" what meeting(s) are these exactly Seetha, when and were are these scheduled for, and who will be attending ,keeping notes and minutes of said meeting etc....

    is it to be assumed that these proposed meetings as outlined by the Phorm PR with the BBC, to be in the same vain as the many house of commons personel meetings, were payed for PR firms and "shillings" lawyers and other payed associates are in attendance ?,using the so called special expertise or training in the "Tricks of the trade" as has been seen by these payed for Phorm professionas to date ?

    have you in the past, or will you be personally attending any of these formal and informal meetings as regards Deep Packet Inteception For Profit Phorm type subject matter etc..

    id welcome your,Nicks, and other high ranking BBC legal etc personels direct feedback here ASAP as a show of "good faith" on the part of the BBC.

  • Comment number 38.

    Phorm:- "We look forward to upcoming meetings with the BBC to show them how consumers, publishers, ISPs and advertisers will all benefit from our technology one that will give users a clear choice over their participation."

    I certainly hope that the BBC take detailed minutes of those meetings.

  • Comment number 39.

    Not too sure if this is the correct place to make this comment.

    Yesterday (Monday) I was listening to the BBC World Service and the Analysis soundbite about Phorm and monitoring internet use. This made me realise just why there is so much confusion about the whole process.

    Monitoring internet use is performed by businesses like Experian/Hitwise, Nielsen Ratings and QuantCast. None of these businesses use deep packet inspection to monitor internet usage.

    By mentioning Phorm in the same soundbite as monitoring services and failing to mention deep packet inspection systems using layer-7 routers hosted within the ISP you are making it sound like Phorm is (could be) as protective of personal data as these other businesses.

    The layer-7 switch intercepts and makes a copy of the data stream. (In the majority of cases the content being copied is protected by copyright and making copies for commercial use is illegal in many countries.) It then processes this data which includes personal data and sensitive personal data. It includes the hidden web. It includes content which is protected behind logins.

    I was pleased to hear a snippet from Google and their considering of opting out of having their content processed by Phorm. As Phorm's USP is making use of search terms and sending these 'in the raw' to the profiler there is a great deal of room for personal data being processed by the channel server.

    When I use a search engine to research something I have no objection to the search engine processing that data (I am, after all, asking them to do so by using the service). What I don't expect is for the search engine to be allowing my searches to be identified to my actual browser and passed to a 3rd party who will now identify me and track all my surfing relative to that search. Even Google can't follow me once I leave their site.

    There is nothing to suggest that Phorm will be using search engine results in this extract from, just searching for Paris using a partner site (perhaps a price comparison site which everyone knows is only a site for displaying adverts)
    "BT Webwise also personalises the online advertising you see when browsing on participating websites by linking ads to your interests. For example, if you search for a weekend trip to Paris or visit pages related to Paris, BT Webwise would replace the standard ads that would normally appear with advertising relating to travel or hotels information. You won't see any more adverts than you normally do - they'll simply be more relevant."

    Nothing about 'the service' suggests interception and Layer-7 routers. Phorm just display themselves to be the same as any other ad network. While this is true for 100% of visitors to their network partner sites, it is not true for any user whose ISP is intercepting the data stream.

    Just how much Phorm fail to get what the BBC debate is all about is reflected in the quote attributed to them at "Phorm tells paidContent:UK its upcoming product launch would also benefit all websites, even non commercial sites like the BBC". Is Phorm really offering to pay the BBC a royalty for being allowed to intercept the visits from partner ISPs? It is on record that BT will not pay any such royalty/licence requests for the tests run during 2006, 2007 and 2008.

  • Comment number 40.

    actually "Experian" the credit reference agency DO infact use Deep Packet Interception layer7 hardware now.

    ill see if i can find the references for you when i get some time unless some others happen to have the information handy

  • Comment number 41.

    @ whydoi #40

    An interesting comment re Experian and Level7. They would only be able to do that with the collusion of the ISP or backbone provider. Experian and other credit reference agencies do seem to have been given a number of 'rights' by the UK government and they could well be slipping under the radar while Phorm take all the negative press.

    This issue has always been bigger than Phorm and there are lots of other players out there.

    The principle is interception of communications for the harvesting of personal and private data for the commercial gain of a 3rd party without the permission of those whose communication is being intercepted.

    I do hope that the BBC are looking at the wider picture too.

  • Comment number 42.

    See section 3.3 which appears to be being "selectively" ignored?

    The SafeGuards

    Data can only be obtained by a public authority when the interference with privacy that it will cause is proportionate;

    There is a statutory code of practice setting out how the legislation should be used and operated;

    There is external independent oversight of the application of the law; provided by the Interception of Communications Commissioner (currently Sir Paul Kennedy a former High Court judge);

    There is a right of complaint to the Investigatory Powers Tribunal if a member of the public believes that their data has been acquired unlawfully.

    Independent oversight would also continue to be provided by the Information Commissioner to ensure data protection principles were being observed.

    Furthermore, an additional safeguard is provided through the offences contained in the Data Protection Act 1998 and the Computer Misuse Act 1990. These would ensure that appropriate penalties would exist for anyone who sought to either gain unauthorised access to (hack) or modify any communications data held on a computer system, and that penalties also existed for those who tried to obtain or disclose, or procure the disclosure of, communications data in such a system without a lawful authorisation or notice under RIPA15 .

  • Comment number 43.

    regarding Experian and their Hitwise DPI for profit in relation to this thread subject matter "behavioural targeting" OC ;)

    it seems very clear after some little time researching it again, that the famous BBC in depth investigative reporting is perhaps called for ASAP, as the usual suspects and company names keep popping up in this very serious long term Deep Packet Interception for profit matter.

    as a start thry these links

    you might also note how the "Experian Real Time Marketing Bureau" part of Experian Marketing Services, seems to keep a VERY low online profile in anything related to DPI use , infact theres only one single PR PDF i can find with a cursory search

    the old usual names from the now defunct US NebuAd DPI (AKA now InsightReady in the UK) personel links have been associated with Hitwise/"Experian 'Real Time Marketing Bureau'"

    theres also an as yet uncomfirmed speculation that BT once again have yet more dealing with, and interact with the DPI for profit aspects of Hitwise/"Experian models.

    thats were the BBC are best placing their investigative reporters on the case ASAP, as BT have a proven track record of favouring all things DPI for profit, going all the way back the the BT executive thats now associated with Phorm OC.

    one has to wonder if theres also a direct (ex)executive link to the Hitwise/"Experian 'Real Time Marketing Bureau'" and other DPI vendors too?

    but given the current FOI reqest replys talk , it seems any (covert?) serious investigation by the global BBC investigative reporters into this massive global credit reference agency and related business's might be a long time coming, ? what do you think Seetha ?

    OC one might also think any Experian DPI operation and its executive might be welcoming all the focus on all things Phorm DPI for profit, so they can get on with the usual business of a private company ,collecting all YOUR data for their profit...

  • Comment number 44.

    just as a side but directly related "behavioural targeting" and your personal data and streams matter, when you say "Experian and other credit reference agencies do seem to have been given a number of 'rights' by the UK government and they could well be slipping under the radar while Phorm take all the negative press."

    that is what they want you to beleave, the reality is OC not true, take a read of this link i found

    "surlyBonds CRA thread is ALWAYS a good read to understand your/their legal standing

    remember its not just about "Defaults" its about their whole standing and your rights in law...

    "Defaults - a proposed method for removal and the full template letter


    Basic things to remember about this whole process:

    a) Remember that the three Credit Reference Agencies (CRAs), Experian, Equifax and CallCredit were not constituted by an Act of Parliament. They hold no official Govt. power even though they like to think they do.

    b) The CRAs are corporations who simply have the technology to store vast amounts of data and have been doing so for years.

    c) The banks and lenders supply them with information about your accounts not because they are legally allowed to, but simply because YOU agreed to it via your contract.

    d) CRAs are allowed to hold any data about you that is deemed in the public interest or in the public domain. Things like Bankruptcy Orders and Discharges, CCJs, IVAs, etc. are public information, and you cannot stop CRAs holding this information. You can ask them to mark them as settled, but they do have legal right to hold JUST these on their records because there are actual Laws that allow them to do so, and judges have signed the Orders in all these types of cases. However, agreement 'defaults' do NOT come under those Laws, unless they have been progressed to a CCJ, etc.

    e) Civil contract details cannot be stored unless you agree in writing. The Data Protection Act states clearly that your account information is personal data and only you have the right to determine who may collate, process and disclose it.

    f) When CRAs reply with its our legal right they are talking nonsense.
    You can see more about this in the copy of the Experian letter also here The legal to which they refer is simply the lawful right because you gave permission. That permission can be withdrawn at any time according to your rights under the Data Protection the sticky section, where thay actually admit that they have no legal authority and that there is no six year 'rule'.

    g) You are also allowed to tell any Data Controller (a company that processes or stores your data) to cease to process your data in any fully-automated process. The Data Protection Act states quite clearly that this includes processes that e.g. affect your creditworthiness. The actual clause is in the template letter.

    h) If you decide to opt-out of auto-processing, then you may opt back in again later.

    i) To ask a Data Controller to do anything you want them to do, including
    lots more good stuff... " ;) read it.

  • Comment number 45.

    Seetha said:"We are watching this space closely and waiting for details of the Government's response, which is due around mid June."

    "Deep packet inspection is a big issue in Europe. So is the allied topic of users being in the driving seat and being able to give informed consent. The European Commission issued an action about a month ago against the UK Government querying whether the law here goes far enough to protect users.

    We are watching this space closely and waiting for details of the Government's response, which is due around mid June.

    WhyDoI said:"why you have NOT linked in ANY professional persons anti "DPI interception" quotes, and there are many.

    or for that matter given an interview or even just been in contact with and talked to such people as Mr Hanff of Privacy International ?

    i note you still have not replyed on this question Seetha ?
    or apparently been in contact with Mr Hanff since my post#18 enquireing why not etc.

    this is just a small update to inform you, the BBC executive reading, and the users interested in this that :

    Mr Hanff of Privacy International has updated his site giving an overview of the last 18 months
    and informed readers that "he,and Jim Killock from the Open Rights Group will be meeting with Commissioner Vivian Reding about our ongoing problems for the last 15 months with regards to seeking enforcement action against Phorm and BT for thir covert trials in 2006/2007 (among other things)." tomorrow.

  • Comment number 46.

    See my comment here.

  • Comment number 47.

    A couple of quotes from BBC partners Audience Science about DPI and Phorm technology, and how it is fundamentally different, in scale and concept, as well as the detail, from website and cookie based BTA.,2817,2346361,00.asp?kc=PCRSS03069TX1K0001121
    No major ISP currently uses DPI in order to serve up more targeted ads, nor does Audience Science, Hirsch said.
    "We do not do any deep packet inspection because we don't believe that gives consumers the appropriate opportunity for disclosure or opt out," he said. "We don't track all consumer behavior across the Web just [that collected from] certain publishers that we work with."
    Do you think companies and technologies such as Nebuad and Phorm have any greater ability to abuse personal privacy rights than the large search companies?
    We believe that the disconnect between content and technology creates a potential gap in a consumers ability to know what they are opting in or out of in terms of data collection.

    And even Audience Science aren't allowed to collect data on the BBCUK licence funded pages - right now. So allowing Phorm to do so would be inexplicable, and I imagine Audience Science would be wondering why they paid for the privelige of access to the BBCWorldwide pages, when Phorm can get access to the whole site for nothing.

    I wonder what the Audience Science contract with BBCWW says about exclusivity? You see - it is a commercial issue, a Charter issue, a privacy issue, a copyright issue, a contractual issue, a fraud issue, a child protetion issue, a DPA issue, a PECR issue, a RIPA issue - and this is a difficult decision for the BBC to make? Seetha - I hope you return from your holidays refreshed, full of energy, and with a clear head - ready to take this very straightforward decision.

  • Comment number 48.

  • Comment number 49.

    A report on a meeting between campaigners and the EU Commissioner Redings staff in Brussels. It may help BBC to reflect on the Phorm debate a little further. Note that the EU would appear to be supportive of all the key arguments that campaigners have presented

    Informed versus Implied consent
    Web page serving as communication not broadcast
    What constitutes Personally Identifiable Data

    and finally the comment that "Mr Rudolf Strohmeier stated that in all his years working at the Commission there had only been 1 or 2 other issues which had generated such a high volume of written complaints from the public so they were taking the matter very seriously, which is why they initiated infringement action against the UK Government last month."

    Just think about all that public concern coming the BBC's way soon?

    It rather looks like there might be more than just a few campaigners on this issue. Phorm's claims about a tinfoil hatwearing minority of angry activists are wearing a little thin in the face of the evidence.

  • Comment number 50.


    Of course, if you believe Phorm, all these people who wrote to the EU, the 21,000+ who signed the Downing Street petition, the ones who have written to MPs, taken part in numerous Internet polls, etc are actually all the same 6 people using different pseudonyms (and presumably different e-mail addresses, IP addresses, etc in order to multi-post/vote).

  • Comment number 51.

    Hi all,
    I have read the details regarding the recent meeting in Brussels. Here are a few of my choice quotes:

    The Commission stated that EU Law does not recognise implied consent and that consent must be explicit and informed and that all such services must be Opt-In.

    Am I to take it that the BBC has given explicit informed consent for the BBCUK websites to be scraped and its users profiled (whilst waiting for the outcome of the EU action)? I'm sure that you haven't impliedly given it. Either way it is against the BBC Charter. Trials are underway in Korea you know.

    Mr Rudolf Strohmeier stated that in all his years working at the Commission there had only been 1 or 2 other issues which had generated such a high volume of written complaints from the public so they were taking the matter very seriously, which is why they initiated infringement action against the UK Government last month.

    High volumes... hardly a minority of tin-foil-hat wearers then?

    EU Commission asked how things were going with the Crown Prosecution Service and were very interested to discover that the CPS have had the case since November but have not been seen to take any action.

    It would seem that all 'relevant authorities' in the UK are lethargic when it comes to taking action.

    The Commission also agreed that Privacy is one of the keystones of democracy and a failure to enforce privacy regulations is not only a danger to democracy itself but also begins to normalise the view that privacy doesnt matter to the current and future generations.

    Is that what the BBC is saying? privacy doesn't matter?

  • Comment number 52.

    Phoul Play by Phorm - Confimed by Downing Street?

    The above Freedom Of Information Request was sent following the launch of Phorm's Stop Phoul Play website where they "decided to expose the smears and set out the true story".

    As if anyone needed more evidence... Well, you can now "judge the facts for yourself" as recommended on the StopPhoulPlay website homepage itself.

    Do take the time to read the detail on WhatDoTheyKnow and consider who has the moral high ground, Phorm or the private individuals such as I?

    Come on BBC. You really should not be sitting on a fence. Opt out and do the right thing for the license payer.

  • Comment number 53.

    From what I can gather at the moment 3/6/2009 the just announced "webwisediscover" system enables Phorm to "monitor" the victim sorry Web Surfer via the Websites now as well as via the ISP.

    So if any Web Surfer happens onto a webdiscover hosted Website or multiples of such then they are cross-profiled by Phorm & any ISP DPI equipment enabled at the time (KOREA!)

    If the Victim sorry Web Surfer happen to be on an ISP using Phorm they are not only profiled by the ISP but more than likely a total round robin of Phorm & enlisted Advertisers.

    I once again ask you to OPT-OUT from the Phorm Profiling System, to ensure your content is only used by people you intend(as far as possible) & to help protect Web Users who use you Websites from unwanted data profiling.

  • Comment number 54.

    A correction to my Earlier Post #53

    It appears from other sources that "Web Discover" only works if the Web User is already on a Phorm/Webwise ISP.

  • Comment number 55.

    While launching the new "Webwise Discover" product yesterday, Kent Ertugrul of Phorm indicated that he would be meeting with the BBC - "We are going to be engaging shortly with the BBC, we look forward to explaining to them how our system works, and maybe dispelling some myths that have been propagated about what it does and doesn't do." (transcribed from an interview with Patrick Smith on the PaidContent site). Can I ask that if Mr Ertugrul gains access to the BBC to discuss the Phorm system, that the BBC also arrange to meet representatives of campaigners concerned about the use of Deep Packet Inspection as a method for delivering Behaviourally Targeted Advertising, to ensure a level playing field? We have been engaging with a number of bodies recently, including staff from the ICO, EU Commissioner Reding's office and various parliamentary bodies, and would value the opportunity of meeting with representatives of the BBC, to also add our understanding of how the Phorm "system" works, particularly the part installed in the heart of partner ISPs, as we too would like to dispel some of the myths that have been propagated about what it does and doesn't do.

  • Comment number 56.

    Hi Seetha,

    It's now almost one month since you wrote this blog. (Friday, 15 May 2009).
    Your last paragraph stated "I am keen to hear your thoughts."

    Well, many thoughts have been posted. When can we expect a response from you on these thoughts?

    I look forward to reading your responses and views soon.

  • Comment number 57.

    Well Seetha,

    It's been another week and still no response from yourself or the BBC et-al.
    Can we expect some dialogue soon?

    I am sure that all these people that have expressed their thoughts, as requested, are eagerly awaiting your thoughts.

    I still look forward to reading your responses and views should you decide to offer everyone the courtesy of a reply.

  • Comment number 58.

    PrivacyIsPriceless - thanks to you and to everyone for their comments on this thread. At the moment there's isn't anything more that Seetha can say on this subject. But I'm hopeful that when there is she will be posting again. Thanks for your patience.

  • Comment number 59.

    Does this affect the BBC's Policy, since Phorm are still using their DPI equipment in Korea?

    I respectfully ask that you Opt out of the Phorm Profiling System (in the absence of a proper court ruling), thereby protecting my data & all the other posters data from this profiler.

    Especially with regard to this information.

  • Comment number 60.

    Take a look at the latest revelation published this morning in the Guardian:

    So BT have decided to shelve the rollout of the controversial online technology.

    Perhaps it is time that the BBC climbed down off the fence (Virgin Media have been sat on it for many months and would like the legroom back) and blocked Phorm, especially as it will now be foreign ISP's doing all the data harvesting.

  • Comment number 61.

    Unfortunately all the "tiny individuals" who have been involved or concerned about the Phorm/Webwise saga will have noted the BBC's apparent inability to come to any kind of a decision.

  • Comment number 62.

    This comment was removed because the moderators found it broke the house rules. Explain.


BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.