bbc.co.uk Navigation

Darren Waters

Phorm - one year on

  • Darren Waters
  • 4 Mar 09, 10:16 GMT

The controversial targeted advertising firm Phorm is to hold a second open Town Hall meeting, a year after it first met with the public to discuss plans to roll the technology out to Internet Service Providers.

Phorm works by doing deals with ISPs which allow it to scan and categorise certain web pages a user visits and then to allocate targeted adverts to users when they visit websites that have signed up to the technology and which align with those categories.
So far BT has committed to rolling out the technology, known as Webwise to consumers.

Phorm is controversial because some feel that monitoring users' web surfing habits is an invasion of privacy, while others feel that the way Phorm works breaks the law.

The company itself believes that targeted advertising can benefit the web industry as a whole and wrestle some power back from ad firms like Google and put it into the hands of smaller enterprises. For ISPS, Phorm believes it represents a potentially powerful new revenue stream.

The firm says the new meeting "follows on from last year where we engaged with the concerned, the curious and the enthusiasts".

I was at that meeting and while there were plenty of the first and some of the second, I certainly don't recall any of the third group.

The second meeting will take place at the London School of Economics on 7 April at 6.30pm.

So what has happened to Phorm over the last 12 months?

After controversy erupted over BT's trialling of the technology without informing customers, quite a lot has happened:

March

Phorm hits the headlines. And two privacy professionals give their first assessment of the technology.

The creator of the web, Sir Tim Berners-Lee, says he opposes web tracking technology.

April

BT is accused of conducting illegal trials of Phorm on its users.

The Information Commissioner in the UK says Phorm must be 'opt in'.

Phorm bosses meet with the public to explain the technology and foster discussion.

BT says it will start further trials of Phorm 'very soon'. But nothing happens for a further five months.

June

Dr Richard Clayton, a respected computer expert, says BT should be prosecuted for carrying out its first trials of Phorm without user consent.


July

Users hand a dossier of evidence to City of London police saying Phorm carried out 'illegal' trials with BT.

August


The EU steps into the Phorm debate
and asks the UK government to clarify if the technology breaches European data laws.

September

BT trialBT finally starts a small trial of Phorm. This time it informs customers and asks them to take part in the trial.

The UK government says Phorm can be rolled out in the UK, following questions from the EU. But any future deployments of the system must be done with consent and made easy for people to opt out.

The City of London police close the file on Phorm, saying no criminal offence had been committed.

December

Four of the directors stepped down from the firm, following what the Guardian called a disagreement over the direction of the business.

The UK chief executive of Phorm also steps down, reports The Guardian.

Comments

  • Comment number 1.

    * The firm says the new meeting "follows on from last year where we engaged with the concerned, the curious and the enthusiasts".

    * I was at that meeting and while there were plenty of the first and some of the second, I certainly don't recall any of the third group.

    While I was not there, I have talked to several who were. The impression I got was that while Phorm were interested in engaging with the curious and any enthusiasts, their "engagement" with the concerned consisted primarily of dismissing their concerns as irrelevant.

  • Comment number 2.

    Phorm still refuse to give any information on how web site owners can stop their content being scraped and used to profile the people who browse their sites.

    Their stock response so far seems to have been that if you block search engines from your site then they won't scrape you, but if you want to let search engines in to help people find your site then you are giving consent for anyone to use the material. They did reluctantly say that if you could prove you owned a site and did not want it profiling then you could request it be removed from ever being profiled but frankly they've lied so much about things that I doubt that this really is something they'll do.

    So in effect if you let Google in then you have to allow Phorm to "steal" your content - so they make money off your work. Comparisons to GoogleAds are disingenuous because if I run a website I get the money from the GoogleAds which are profile from MY content. If Phorm profile my users using my content then I do not get a penny.

    Is it right for the content published on the BBC (which as licence fee payers we've paid for) be used to profile people to earn money for a third party? I'd like to see the BBC pursue this angle because its something that just gets ignored over and over again.

  • Comment number 3.

    These guidelines seem relevant to the likes of Google and other "server side" trackers which rely purely on what they can learn from their visitors from what they do on affiliated sites, but seem wholly inadequate for ISP-based trackers, who can “see the whole internet” (to quote an industry senior exec in the Washington Post last year).

    The problem with ISP-based tracking is oversight over what the software actually does, not what the ad companies claim it does. Oversight to prevent backdoors and security exploits in what is a piece of software watching everything someone does online. These guidelines make no mention of the thorny issues of oversight and software validation for ad tracking software installed at the very heart of an ISP.

    True, it may only store pseudonymous snippets of information, but even this could be useful to a blackmailer (interests: leather, underwear, toys, rubber, restraints, Swindon club). Just this list could be embarrassing to me if my wife received it. Even if ISP-based advertisers claim to avoid adult themes, the context is important. Leather is not adult, rubber is not adult, restraints could be any number of non-adult. Put them together, he presto!

    Despite claims by some ISP-based ad tracking companies about the data being “anonymous” and stored against a “random” cookie, all implementations I’ve studied to date (3 from leading companies) actually link each profile to a single PC or to a hash of the connection identity (ISP account). So whilst the profile is not stored against a user’s real name and address, the link is there and could be followed given sufficient will. The data is not anonymous but pseudonymous: stored against a pseudonym as a basic means of protecting the individual’s identity. Nor is any cookie “random”. Firstly on a technical point – must computers can’t generate truly random numbers, well not without specialist hardware (thermal noise or other quantum effect). But secondly whilst the user pseudonym may be assigned on a pseudo-random basis, the use of the word random by these companies is in my mind deliberate to create an illusion of privacy.

    A second problem with ISP-based trackers is that they could actually be illegal under RIPA (Regulation of Investigatory Powers Act) unless they guarantee to filter out all private communications (email, Facebook chats, etc). But with new social networking sites being launched frequently and a myriad of private unencrypted web-based email services being used by companies, charities and hobbyists this type of filtering will be neigh-impossible. A further twist in the wording of RIPA is that it may be illegal even to look at the data stream for the purposes of determining whether it is something that you are allowed to profile – Catch 22!

    Why there hasn’t been a prosecution or transparent investigation into the UK ISP(s) who may have used ISP-based tracking to date is beyond me, but the failure of the police and authorities to uphold the law may lead to a flood of companies handling extremely sensitive personal information without due care.

  • Comment number 4.

    Let's see - recently on my BT Yahoo homepage, I started to get adverts which had only ever appeared on ONE other webpage that I visit.

    I had never agreed to any Phorm style tracking system. I had never been asked if I agreed to it. And yet, adverts that I only ever saw on one website were now popping up elsewhere. I found this curious and checked for Webwise cookies. Lo and behold, I found them on my PC.

    End result, one happy, new Sky Broadband customer who has a faster linespeed than BT said was possible.

    That's the results of Phorm with BT and they had better make note of it!

  • Comment number 5.

    How soon before the government use Phorm saying that web habits are a matter for national security? Yet they will do it on the quiet. Has any-one thought that the reason that the government says it is not a breach of civil liberties is to this end?

  • Comment number 6.

    I have no problem with this, as long as my information is treated appropriately.

    I'd far rather see adverts for something i would actually be interested in, than some of the inappropriate ads currently shown.

    Why haven't Sky, the cable networks and BT sent demographic data about who is watching their shows?

    I remember being shown ads for stair lifts and adjustable beds while watching Buffy the Vampire Slayer - surely a waste of advertiser's money.

    These days with TV we record and forwardwind through the adverts. Very occasionally we'll rewind and watch an interesting one.

    targetted ads should equal advertising things i might actually consider buying, and I want to see those ads. unfortunately i'm being shown so much irrelevant dross, i don't pay any attention to the others.

  • Comment number 7.

    One year on and it is interesting to note that nearly 21000 people have signed the petition I created on the PM's website. The petition has stayed in the top 5 on the 10 downing street website for almost a year (today is the last day to sign up). I hope this shows that there are a lot of concerned people out there.

    Those of us from the 'concerned' section are probably still no further forward. We still don't now if 'opt out' is really an opt out, or will they still monitor all of our web browsing, but just not send the adverts. We still seem to be dealing with a flawed cookie based opt in/out system whereby if you want to opt out you are required to have a cookie written to your machine, or modify your browser to refuse cookies from certain domains.

    We are still no further forward in anyone coming forward to explain why we should trust a company like Phorm who have alledged past links with spyware/adware products and who seem to operate very aggressively with regards to threatening people with legal action. Not the sort of company I want to trust with my browsing habits thankyou very much,

  • Comment number 8.

    "Is it right for the content published on the BBC (which as licence fee payers we've paid for) be used to profile people to earn money for a third party? I'd like to see the BBC pursue this angle because its something that just gets ignored over and over again."

    A very salient point, given that the BBC have, I understand, recently had to admit that they were giving personal information including postcodes and IP addresses to Omniture, a behavioural targetting company based in the US, without permission.

    Oddly enough, but not unexpectedly, I've not seen much coverage of the BBC's apology about this episode amongst all the hostile coverage of behavioural targetting by BBC technology reporters. But you can read about it on the Register here:

    http://www.theregister.co.uk/2009/02/06/bbc_omniture/

  • Comment number 9.

    At 12:30pm on 04 Mar 2009, Tidylenny wrote:

    * These guidelines seem relevant to the likes of Google and other "server side" trackers which rely purely on what they can learn from their visitors from what they do on affiliated sites, but seem wholly inadequate for ISP-based trackers, who can "see the whole internet" (to quote an industry senior exec in the Washington Post last year).

    * The problem with ISP-based tracking is oversight over what the software actually does, not what the ad companies claim it does.

    The other thing is what the guidelines VERY carefully do NOT say.

    What they say is:

    * Consent. A company collecting and using online data for behavioural advertising must provide a mechanism for users to decline behavioural advertising and where applicable seek a consumer's consent.

    Notice that there is ONLY a requirement to allow users to OPT OUT - not a specific requirement that they are given an informed choice and then have to OPT IN.

    And notice too that there is only a requirement to let them opt out of the advertising itself - there is no suggestion in the standards that users should have any right to opt out of the data collection, still less that this should also be opt in.

    This seems to me to be a magician's sleight of hand applied to OUR privacy.

    If the industry cannot clean its act up beyond such abusive and misleading "standards", legislation MUST be passed to ensure that data cannot be collected in this way without explicit consent.

  • Comment number 10.

    I am aware of the amount of data which can be collected on the internet and I am opposed to it. I would not willingly be involve with data collection of any sort.

  • Comment number 11.

    Phorm believe it can "wrestle some power back from ad firms like Google and put it into the hands of smaller enterprises."

    Now I'm no expert on this matter. I know little about the details of it. But don't Phorm make money from this? So shouldn't that statement read more to the likes of Phorm believing that power from ad firms like Google will actually be turned into the power of ad firms like Phorm.

 

The BBC is not responsible for the content of external internet sites

BBC.co.uk