In an effort to soothe privacy concerns related to its online ad insertion service — and help ease its entry into the North American market — British startup Phorm conducted a call today to explain exactly what user data it collects and how that data is stored. But after listening in, I’m less worried about privacy violations than I am cautious about Phorm from a business perspective.

Phorm’s deep-packet inspection equipment assigns a cookie to a web browser and inserts ads based on previous web site visits. The URL of a specific site is not saved, only keywords that match an advertising profile.

There was no indication given as to how well UK advertisers are responding to Phorm’s service. Furthermore, I don’t really buy CEO Kent Ertugrul’s argument that Phorm delivers better ads. The contention is that if you visit lots of auto and finance sites, you would be receptive to those ads, even when you’re on sites focused on other topics. However, if I’m on Glamour’s site and an auto ad pops up, I won’t pay more attention to it. I’m not thinking about cars, I’m thinking about shoes.

Letting ads follow people onto social networks could add value, but I’m not sure if the social networks will want to participate in Phorm’s program. As for privacy details, Phorm stores a random number assigned to the cookie, a history of categories generated by the web sites a person has visited and a time stamp for those visits. Ads for adult sites, medical conditions and others that could lead to potentially embarrassing disclosures aren’t in the system. Phorm’s data collection infringes on privacy less than the data aggregation done by major search engines, and it is easier to opt out of.

If Phorm doesn’t succeed, it’s not because it violates privacy, but because it’s selling something of questionable value.

By Stacey Higginbotham
  1. I think their biggest problem is that their name looks too much like Porn! ;-)

  2. “If Phorm doesn’t succeed, it’s not because it violates privacy, but because it’s selling something of questionable value.”

    Are you kidding?

    Phorm will ultimately fail because it’s already been rejected by a staggering number of UK internet users outraged at its implications for security of their personal data.

    Even Sir Tim Berners-Lee said he’d dump an ISP that adopted Phorm because he believes that his data and web history belonged to him. Declaring, “It’s mine – you can’t have it.”

    In the last week the respected FIPR (Foundation for Information Policy Research) reckons it’s actually illegal in the UK. Other researchers say that it’s almost certainly outlawed by EU privacy conventions.

    What about the Guardian (the busiest UK newspaper’s website) doing a 180-degree U-turn? They now won’t be taking part after “conversations we had internally about how this product sits with the values of our company”?

    Check Phorm’s patent application and you’ll see it represents a very serious threat to how the internet currently operates, even going so far as to threaten participating ISPs’ Common Carrier status.

    The enormous grassroots opposition to Phorm across the UK is almost purely due to concerns over privacy.
    If the US online community gets active now, together we could knock this intrusive, unsafe and thoroughly unwelcome technology right back where it came from!

    (For real information on Phorm, visit http://www.badphorm.co.uk)

  3. I think people should also be aware that Phorm recently changed their name from 121Media as 121Media was involved in spreading some of the worst SPYWARE ever seen, blacklisted by the likes of anti-virus companies Symantec and F-Secure.

    How can anyone trust their data with these wolves?

  4. Phorm is a great example of the many pitfalls inherent in most behavioral targeting practices today, beyond the privacy issue. Generating quality, contextual ads remains a struggle for all personalization solutions because they rely on historical profiles versus factoring a visitor’s intent, in the moment.

    I agree about Phorm selling something of questionable value – don’t show me an ad about what you think I was interested in last month – that was sooo last month, even if I am on Glamour’s site looking at shoes. Please don’t show me boots, it is nearly May!

  5. Kathleen, don’t worry your pretty little head about the privacy issues, go and have a chat with Barbie.

    They are practicing their strategy in the UK and coming to the US soon!

    Tell your ISPs you do not want them.

  6. Phorm is BAD very bad and arguably not legal in UK and EU

  7. Really? So it makes perfect sense to you that a user is worth $75 CPM when they are on Linkedin, but the exact same person is worth only $0.13 CPM when they are looking at Myspace? No need to arbitrage between these numbers? Aight…

    cpm source: http://www.wired.com/techbiz/it/magazine/16-04/bz_socialnetworks

  8. By the way, Kathleen, I need a cup of tea please. I’ve just got to wake up the wife to find out how many sugars I take.

    • Kent Ertugrul – CEO of Phorm – has been involved in distributing spyware/adware, as reported here:
      http://blogs.zdnet.com/Spyware/?p=820
      I would not wish to trust my Internet connection to a company led by someone with a previous history of Internet abuse.

    • It appears that the system modifies the web pages which are requested by inserting adverts. This constitutes tampering with the data stream between the end-user’s browser and the web server they are accessing. As a “man-in-the-middle” attack, this would not be legal.

    • The system requires an explicit “opt out” rather than an explicit “opt in”. This means that if I clear cookies at the end of my browser session then the next time I go online the Phorm system is switched on again.

    The default setting for Phorm should be “opt out” and remain that way until a user explicitly asks to “opt in”. The cookie would then be set to switch on the Phorm system, rather than switch it off.

    • The system stores URLs which have been accessed. If personal data is contained in a URL, for example in the form of variables from a submitted form, then this will be stored by Phorm.

    • The Phorm system could be attacked by hackers who could “reverse engineer” the stored data to expose personally identifiable information.

    • When the system was trialled last year by BT, users were lied to and their traffic was intercepted without their consent. This indicates to me that Phorm and BT wish to act in an underhand way about their activities:
      http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

  9. The Phorm PR team has been all over the web distributing misleading and incomplete information about Phorm’s OIX technology and the way it works.

    Phorm’s ‘CommTeams’ is currently comprised of five, yes, five PR outfits, including: Citigate Dewe Rogerson, Freud Communications and Manning Gottlieb OMD.

    The Phorm ‘CommTeam’ was formerly known as the Phorm ‘TechTeam’, until they were found to be unable to address the technical issues which were raised by technically-literate users. They should now just be honest and post as the Phorm ‘PR’ team instead.

    In any case, the Phorm PR team are spreading cookie-cutter responses over the net, in blogs and web forums which sidestep the issues and mislead people.

    For example, Phorm’s PR team states that the system is entirely voluntary, and that you can ‘opt-out’ if you wish. The problem is, you can’t, really. You can opt-out of targeted advertising, but your data will still be intercepted.

    They also state that the intercepted data will be anonymised. Problem is, ‘anonymising’ data is no guarantee that the data can in no way be tracked back to users — the AOL debacle where the company published so-called ‘anonymous’ data shows this very clearly.

    They claim that: ‘Phorm technology does not analyse SMTP mail or the content of webmail sites’. This is also nonsense: How will they know what websites are webmail sites? Only an intelligent human can determine that. They can block some of the bigger names, but there is no way you can possibly block every single webmail provider on the web.

    Finally, Phorm uses Ernst & Young auditing as a badge of honour. Yet they fail to mention that FIPR judged the system intrusive and illegal. It is also noteworthy that Ernst & Young audited Enron, right before the Enron scandal and subsequent collapse of the company.

    And so on, and so forth. The Phorm PR team has carried on obfuscating and misleading people like this all over the web. They are not to be trusted one bit.

    1. Andersen audited Enron, hence, Andersen don’t exist anymore…
