Privacy Isn't Phorm's Biggest Problem


In an effort to soothe privacy concerns related to its online ad insertion service — and help ease its entry into the North American market — British startup Phorm conducted a call today to explain exactly what user data it collects and how that data is stored. But after listening in, I’m less worried about privacy violations than I am cautious about Phorm from a business perspective.

Phorm’s deep-packet inspection equipment assigns a cookie to a web browser and inserts ads based on previous web site visits. The URL of a specific site is not saved, only keywords that match an advertising profile.

There was no indication given as to how well UK advertisers are responding to Phorm’s service. Furthermore, I don’t really buy CEO Kent Ertugrul’s argument that Phorm delivers better ads. The contention is that if you visit lots of auto and finance sites, you would be receptive to those ads, even when you’re on sites focused on other topics. However, if I’m on Glamour’s site and an auto ad pops up, I won’t pay more attention to it. I’m not thinking about cars, I’m thinking about shoes.

Letting ads follow people onto social networks could add value, but I’m not sure whether the social networks will want to participate in Phorm’s program. As for privacy details, Phorm stores a random number assigned to the cookie, a history of categories generated by the web sites a person has visited and a time stamp for those visits. Ads for adult sites, medical conditions and others that could lead to potentially embarrassing disclosures aren’t in the system. Phorm’s privacy infringements are less than the data aggregated by major search engines and easier to opt out of.

If Phorm doesn’t succeed, it’s not because it violates privacy, but because it’s selling something of questionable value.


John Doe

And if you’re connected to BT / Phorm your UID data leaks when connected to an HTTPS/SSL website.

See FIPR Papers & Privacy, DPA Fraud Concerns!

The ability to gather UIDs & therefore link this data to personal e-mail names etc., by any unscrupulous HTTP–>HTTPS website, makes this system highly suspect from a privacy & data protection perspective!

This is irrespective of the illegal mirroring of data, THIS REQUIRES THE CONSENT OF BOTH PARTIES & OR A PROPER LEGAL JUDGEMENT TO DO SO!


@jamie hunter
“You know what the difference between Phorm and Google, MSN, Yahoo, and eBay is? It’s been well documented elsewhere so I’ll summarise it here. CHOICE. I choose to use Google’s services. I choose to use MSN. I choose to use Yahoo and I choose to use eBay. There is no choice about Phorm. Don’t give me crap about cookies – Phorm as presented to UK ISPs meant my data (as Sir Tim said “It’s mine, you can’t have it”) went to you regardless of my consent. And I refuse consent. Clearly and explicitly.”

Hey, fella, choose to use another fcking ISP then! One that in future will not be subsidised by advertising. Pay over the odds for an inferior service and be happy in your smug little world.


@ jamie Hunter

you said “Phorm was rejected by The Guardian newspaper because it “didn’t fit with the values of the business”. You can’t get any more polite yet severe a condemnation as this. Phorm has been rejected because The Guardian does not trust it and does not like what it stands for. It knows Phorm’s previous history and it knows that its readership holds it to account for its decisions.”

And you know this how? You are on The Guardian’s board? Or maybe just part of the decision making process? Complete and utter bollocks. Go back to your phorm-rival funded smear campaign…

privacy intentional

Phorm PR team.

You seem not to understand a few basic facts.

I don’t want you anywhere near my traffic. I don’t want my traffic allowed anywhere near any equipment you may have access to.

Just because I look at a topic on a particular site it doesn’t mean I will welcome advertising about the topic.

The opt in/out situation shouldn’t arise – the system should only require a positive opt in. This is something you are putting in the way of people.

Fortunately my ISP charges me a realistic rate for my connection and has no need to bolster its income to support an unrealistically low price level.

Adware… hmm, wasn’t there some involvement with “People on page”? I seem to recall that being picked up as malware. Just because you put an EULA on a piece of malware/spyware that doesn’t make it worthwhile, or desirable.

I know you guys have a living to make, but it’s a shame that you can’t find something worthwhile to hawk instead of trying to legitimise this unwelcome and unwanted spyware.

Phorm Comms team


To clarify the inaccuracies above — which you seem to be posting repeatedly across the boards:

1) 121Media was involved, fully transparently, in adware. Each programme had an EULA a user had to sign in order to use the programme. This is not a feature of spyware, as you must know.

2) We do not modify webpages as you describe by inserting adverts. Firstly, OIX ads only go into existing slots on websites we partner with. To make this plain: websites who decide to partner with us show OIX ads. We cannot show ads on pages that are not our partners. The reason websites would choose to do this is that they set a price for that slot which we then guarantee to beat — thus earning the website more money. In addition, we do not serve pop ups or pop unders.

3) As we have said previously the system is designed to offer either opt in or opt out. There is no default as you suggest. Each ISP will decide which option is best for their customers. Either way, it will always be easy for customers to opt in or opt out. It’s always a choice.

4) The system does not store URLs. Full stop.
What we store is: a product category, a random number and a timestamp.

5) I fail to understand your logic here.

6) I disagree — if you truly care about your privacy you should lobby for an industry standard of no storage of personal data, which is in fact what our system represents and delivers. Please see the following flash demo for more information:

Best wishes,


Greg Stuart

Like you, I will set aside the issue of privacy for the time being. However, I do have to say that your view of how advertising works is shortsighted.

My brain is quite capable of shifting from Shoes to Autos and back again and I’ll guess yours is too. Often in seconds or split seconds. Sure, context is helpful to advertising effectiveness, but never a requirement. Advertising itself often operates at the low involvement level and research shows that consumers are not about to introspect into their own reactions.

One way to understand this situation is to look at two ends of the spectrum in performance oriented online advertising. One is the standard banner ad click through performance, which is probably less than 1%, maybe even less than .5% click through. The other end is the search ad performance which according to sources I have seen suggests an average click through of 22% on those text listings. What your argument suggests is that given a better understanding of the consumer, we couldn’t improve on the .5% or 1% click rate, even in the light of the better consumer insight driven 22% of search. Performance is not binary, it’s a continuum.

One issue for advertising is that it is often considered negatively by consumers for the fact that it is not relevant to the consumer. Having better insight to consumer’s interests and needs can greatly improve the value of advertising for consumers, certainly for the advertiser and even the media company. Net, everyone wins.

The challenge is how do we collect and manage a better level of consumer insight.

Greg Stuart
Co-Author What Sticks, Why Advertising Fails and How to Guarantee Yours Succeeds

Gogi Gupta

Out of context ads based on behavioral targeting are shown to perform better than behavioral ads in-context.

  • Blue Lithium has a white paper on this.
Give Us Ya money

it must be a girl thing, a very blond moment in fact.

you do know what “deep-packet inspection equipment” does, don’t you?

you do know that your govt needs to get a court order to use its capabilities?

in the case of Phorm’s deep-packet inspection equipment, do you really trust them to not track every single one of your web based movements?

Phorm’s head tech man said they can do exactly this to a US news site, and their commercial patent that describes all the things they intend going with their DPI kit backed that quote up 100%.

do you really want every single thing you do on your broadband line collected, looked at, sorted, select information that they’re interested in at the time picked out, then anonymised and sent to some interested buyer?

perhaps you don’t spend your money buying stuff online and so they can’t ever see your payment details, not that they would use them OC, after all, they clearly see every single key press you make in that website, but promise to throw away everything after a set No., right!

perhaps you think Phorm is wonderful, after all, who wouldn’t want their own personal electronic guard, it’s like your personal minder, seeing everything, and forgetting everything, except what you don’t mind them remembering so they can make a few quid, right.

your “Phorm deep-packet inspection equipment” is akin to your very own personal and yet invisible North Korean minder, aren’t you just so lucky,
and the Phorm PR machine will be along any minute now, with a revamping of official propaganda, just for you US girls and boys, that there’s nothing to see here, move along….

Jamie Hunter

Let’s play spot the real Phorm plant. Hey “deecee”, I’m talking to you. Misinformation? The only misinformation I’m seeing comes from Phorm and the people planted by them trying to spin the discussion in the face of intelligent and informed opposition.

Stop trying to involve Privacy International’s name. Simon Davies was asked as a director of 80/20 Thinking, NOT Privacy International. Privacy International have made it clear they have not endorsed anything since Phil Zimmerman’s PGP.

You know what the difference between Phorm and Google, MSN, Yahoo, and eBay is? It’s been well documented elsewhere so I’ll summarise it here. CHOICE. I choose to use Google’s services. I choose to use MSN. I choose to use Yahoo and I choose to use eBay. There is no choice about Phorm. Don’t give me crap about cookies – Phorm as presented to UK ISPs meant my data (as Sir Tim said “It’s mine, you can’t have it”) went to you regardless of my consent. And I refuse consent. Clearly and explicitly.

Phorm offers nothing of value to me. I don’t want it, I don’t need it and I’m damn well going to make sure everyone I know is clear on why they don’t need it either.

Can you show me someone as eminent as Sir Tim Berners-Lee advocating Phorm?

Will Phorm actually come out into the open and give honest, independently verifiable answers to the many questions posed in the various internet forums their PR machine has visited and failed to stem the flow of criticism?

Quit the spin. Answer the questions openly, honestly and completely or disappear.


Quote from the article:

“Phorm’s privacy infringements are less than the data aggregated by major search engines and easier to opt out of.”

First point: search engines – I can easily choose which search engine I use and if I so choose I can use many search engines in order to spread around my browsing. This is in complete contrast to the system Phorm are proposing which, being based at the ISP level, will see the TOTALITY of my browsing. Changing ISP is not so easy to do.

Second Point: Quid Pro Quo – I have raised this time and time again on all the various news items and blogs. Web based email providers such as gmail, yahoo etc. provide a valuable service in return for being able to aggregate my data. They offer free, reliable, convenient email with large storage. Phorm offers nothing valuable in return. Their anti-phishing technology is nothing above that already offered in IE7 and Firefox. More “relevant ads” is not valuable to me as I ignore online ads.

Third Point: “easy to opt out of” – this is absolute detritus. We should not have to opt-out in the first place. As the Foundation for Information Policy Research has already stated, in its letter to the information commissioner, the system should be an explicit opt-in in order to comply with the Regulation of Investigatory Powers Act. Secondly, even if you opt out you are only opting out of the ads. Your browsing is still mirrored to the Phorm profiler.

Just in case the Phorm PR people turn up here (and they really shouldn’t, as they should wake up and recognise that they are losing the battle here) let’s deal with the new “spin” angle they have started putting out: namely that the internet and our Internet Providers could not survive without the revenue from online-advertising and that the money the ISPs get will be ploughed back into services.

Firstly, I believe most people, given the threat to privacy that this technology encompasses, would gladly pay a few more pounds a month to our Internet Providers if it meant they had nothing to do with Phorm. Secondly, I doubt the blood-money the Internet Providers will receive will be ploughed back into services one iota. It will go to service debt and to shareholders. Plain and simple.

My last comment, is reserved for the real villain in all this, the Internet Providers and specifically Virgin Media. The longer you stay silent on this. The longer you duck this issue the more militant people are becoming. Step up to the plate and start providing some answers and engage your customers in dialogue. Stop being so cowardly as to let Phorm take all the flak.

Jamie Hunter

“If Phorm doesn’t succeed, it’s not because it violates privacy”

Excuse me? What utter utter cobblers! Any half decent research will take you to website reports and forums where customers’ privacy is the driving concern behind the backlash against Phorm.

The Register has investigated and reported extensively on this issue. A number of other blogs and forums have discussed this issue and asked direct questions of Phorm’s “Comms Team”, “Tech Team” or whatever name they choose to go by. Questions which these PR people have ignored and refused to answer, preferring to try and spin the discussion.

“Phorm’s privacy infringements are… easier to opt out of.”

Again, what utter utter cobblers. Any half decent research would have shown that Phorm as originally presented to the UK Internet Service Providers was not opt-out. Your data would go to Phorm whether you like it or not. It was customer pressure and the threat of mass migration to an ISP which was Phorm free that made Carphone Warehouse change its mind and decide that any implementation of Phorm would be opt-in: the data of those who opted out would go nowhere near Phorm.

Phorm was rejected by The Guardian newspaper because it “didn’t fit with the values of the business”. You can’t get any more polite yet severe a condemnation as this. Phorm has been rejected because The Guardian does not trust it and does not like what it stands for. It knows Phorm’s previous history and it knows that its readership holds it to account for its decisions.

“As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”

Phorm is being rejected by intelligent, informed customers. Phorm has done nothing whatsoever to prove that it is even slightly deserving of trust. Phorm has deliberately sidestepped direct questions, attempted to slap down those who challenge it, claim eminent people who reject it need re-educating and try to spin and bulls**t its way around internet forums.

That is the truth about Phorm.


It’s obvious plants like the comments by “ceedee” and “phormwatch” that have created this confusion. As Simon Davies (director of Privacy International) has said, a lot of Phorm’s negative press has come about from competitors leaking information.

Tim Berners-Lee did not comment about Phorm directly – he made the point that if he’d been reading articles about cancer treatment, he’d hate to find out his insurance company had increased his health premiums – this is of course nonsense as Phorm does not sell any user information to commercial companies, only to ad agencies, and then as anonymous information.

I would suggest that the naive “phorm watch” would worry more about the misinformation he/she is propagating than his privacy being invaded. (I assume they never use Google, MSN, Yahoo, ebay?)

So I think these NIMBYs should worry less about their campaign against Phorm and worry more about who really is invading their privacy and how they are actually being manipulated by Phorm’s competitors.


The Phorm PR team has been all over the web distributing misleading and incomplete information about Phorm’s OIX technology and the way it works.

Phorm’s ‘CommTeams’ is currently comprised of five, yes, five PR outfits, including: Citigate Dewe Rogerson, Freud Communications and Manning Gottlieb OMD.

The Phorm ‘CommTeam’ was formerly known as the Phorm ‘TechTeam’, until they were found to be unable to address the technical issues which were raised by technically-literate users. They should now just be honest and post as the Phorm ‘PR’ team instead.

In any case, the Phorm PR team are spreading cookie-cutter responses over the net, in blogs and web forums which sidestep the issues and mislead people.

For example, Phorm’s PR team states that the system is entirely voluntary, and that you can ‘opt-out’ if you wish. The problem is, you can’t, really. You can opt-out of targeted advertising, but your data will still be intercepted.

They also state that the intercepted data will be anonymised. Problem is, ‘anonymising’ data is no guarantee that the data can in no way be tracked back to users — the AOL debacle where the company published so-called ‘anonymous’ data shows this very clearly.

They claim that: ‘Phorm technology does not analyse SMTP mail or the content of webmail sites’. This is also nonsense: How will they know what websites are webmail sites? Only an intelligent human can determine that. They can block some of the bigger names, but there is no way you can possibly block every single webmail provider on the web.

Finally, Phorm uses Ernst & Young auditing as a badge of honour. Yet they fail to mention that FIPR judged the system intrusive and illegal. It is also noteworthy that Ernst & Young audited Enron, right before the Enron scandal and subsequent collapse of the company.

And so on, and so forth. The Phorm PR team has carried on obfuscating and misleading people like this all over the web. They are not to be trusted one bit.

  • Kent Ertugrul – CEO of Phorm – has been involved in distributing spyware/adware, as reported here:
    I would not wish to trust my Internet connection to a company led by someone with a previous history of Internet abuse.

  • It appears that the system modifies the web pages which are requested by inserting adverts. This constitutes tampering with the data stream between the end-user’s browser and the web server they are accessing. As a “man-in-the-middle” attack, this would not be legal.

  • The system requires an explicit “opt out” rather than an explicit “opt in”. This means that if I clear cookies at the end of my browser session then the next time I go online the Phorm system is switched on again.

The default setting for Phorm should be “opt out” and remain that way until a user explicitly asks to “opt in”. The cookie would then be set to switch on the Phorm system, rather than switch it off.

  • The system stores URLs which have been accessed. If personal data is contained in a URL, for example in the form of variables from a submitted form, then this will be stored by Phorm.

  • The Phorm system could be attacked by hackers who could “reverse engineer” the stored data to expose personally identifiable information.

  • When the system was trialled last year by BT, users were lied to and their traffic was intercepted without their consent. This indicates to me that Phorm and BT wish to act in an underhand way about their activities:
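The opt-out point made in the comment above (clearing cookies at the end of a session re-enables profiling) is a general property of any consent design that stores the "no" rather than the "yes". The following small model, added here and not code from the post or from Phorm, walks a browser through declining, clearing its cookies and starting a fresh session under both designs; the cookie names and the profiler logic are constructed for the illustration.

```python
"""Model of cookie-based consent for ISP-level ad profiling.

Added example, not Phorm's code: compares an "opt-out" cookie design
(profiling on unless a cookie says no) with an "opt-in" design
(profiling off unless a cookie says yes). Cookie names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OPT_OUT_COOKIE = "profiling_disabled"  # constructed: present => user declined
OPT_IN_COOKIE = "profiling_enabled"    # constructed: present => user agreed


@dataclass
class Browser:
    """Minimal cookie jar standing in for a real browser."""
    cookies: Dict[str, str] = field(default_factory=dict)

    def clear_cookies(self) -> None:
        # What a privacy-conscious user does at the end of a session.
        self.cookies.clear()


def profiling_active(browser: Browser, design: str) -> bool:
    """Whether the profiler would build a profile for this browser.

    design="opt-out": profiling runs unless the opt-out cookie is present.
    design="opt-in":  profiling runs only if the opt-in cookie is present.
    """
    if design == "opt-out":
        return OPT_OUT_COOKIE not in browser.cookies
    if design == "opt-in":
        return OPT_IN_COOKIE in browser.cookies
    raise ValueError(f"unknown design {design!r}")


def record_choice(browser: Browser, design: str, agree: bool) -> None:
    """Persist the user's answer to the consent prompt as a cookie."""
    if design == "opt-out" and not agree:
        browser.cookies[OPT_OUT_COOKIE] = "1"
    elif design == "opt-in" and agree:
        browser.cookies[OPT_IN_COOKIE] = "1"
    # Any other combination is the default state: no cookie needed.


def simulate(design: str, agree: bool = False) -> List[Tuple[str, bool]]:
    """Return the profiling state at each step of a user's journey."""
    browser = Browser()
    states = [("fresh browser", profiling_active(browser, design))]
    record_choice(browser, design, agree)
    states.append(("after answering prompt", profiling_active(browser, design)))
    browser.clear_cookies()
    states.append(("after clearing cookies", profiling_active(browser, design)))
    return states


def fails_closed(design: str) -> bool:
    """True if a user who declined stays unprofiled after clearing cookies."""
    return not simulate(design, agree=False)[-1][1]


if __name__ == "__main__":
    for design in ("opt-out", "opt-in"):
        print(design, simulate(design, agree=False), "fails closed:", fails_closed(design))
```

The opt-out design reports profiling as active on a fresh browser and again as soon as cookies are cleared, which is exactly the behaviour the comment describes; the opt-in design stays off in both states and only ever turns on while the user's explicit "yes" cookie exists.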


By the way, Kathleen, I need a cup of tea please. I’ve just got to wake up the wife to find out how many sugars I take.


Kathleen, don’t worry your pretty little head about the privacy issues, go and have a chat with Barbie.

They are practicing their strategy in the UK and coming to the US soon!

Tell your ISP’s you do not want them.

kathleen wiersch

Phorm is a great example of the many pitfalls inherent in most behavioral targeting practices today, beyond the privacy issue. Generating quality, contextual ads remains a struggle for all personalization solutions because they rely on historical profiles versus factoring a visitor’s intent, in the moment.

I agree about Phorm selling something of questionable value – don’t show me an ad about what you think I was interested in last month – that was sooo last month, even if I am on Glamour’s site looking at shoes. Please don’t show me boots, it is nearly May!


I think people should also be aware that Phorm recently changed their name from 121Media as 121Media was involved in spreading some of the worst SPYWARE ever seen, blacklisted by the likes of anti-virus companies Symantec and F-Secure.

How can anyone trust their data with these wolves?


“If Phorm doesn’t succeed, it’s not because it violates privacy, but because it’s selling something of questionable value.”

Are you kidding?

Phorm will ultimately fail because it’s already been rejected by a staggering number of UK internet users outraged at its implications for security of their personal data.

Even Sir Tim Berners-Lee said he’d dump an ISP that adopted Phorm because he believes that his data and web history belonged to him. Declaring, “It’s mine – you can’t have it.”

In the last week the respected FIPR (Foundation for Information Policy Research) reckons it’s actually illegal in the UK. Other researchers say that it’s almost certainly outlawed by EU privacy conventions.

What about the Guardian (the busiest UK newspaper’s website) doing a 180-degree U-turn? They now won’t be taking part after “conversations we had internally about how this product sits with the values of our company”?

Check Phorm’s patent application and you’ll see it represents a very serious threat to how the internet currently operates, even going so far as to threaten participating ISPs’ Common Carrier status.

The enormous grassroots opposition to Phorm across the UK is almost purely due to concerns over privacy.
If the US online community gets active now, together we could knock this intrusive, unsafe and thoroughly unwelcome technology right back where it came from!

(For real information on Phorm, visit


I think their biggest problem is that their name looks too much like Porn! ;-)
