Phorm – potentially unwanted adverts?

During the last few weeks I have been following a heated discussion about a new advertising system developed by Phorm. Phorm has signed agreements with three of the biggest UK ISPs, BT, Carphone Warehouse and Virgin Media, to implement OIX (Open Internet Exchange), a new advertisement broker system, into their networks. It seems that the integration project, especially with BT's systems, has reached its final stages and that OIX is ready to be rolled out in the next few weeks. The system will be presented to end users as Webwise.

OIX is designed to match a user's browsing habits with the advertisements served when the user visits a web page participating in the OIX system. So if you keep browsing football-related web pages, it is more likely that you will be presented with adverts for sports equipment as you visit pages participating in Phorm's advertising scheme. According to Phorm, this means that you will be more inclined to take action and visit sites that offer relevant products. So this is good for you and for the advertiser, as the click-through rate per advert will be much higher than average. It is a win-win situation, on paper.

So why all the noise if everybody benefits? Well, the whole system becomes much more problematic once we look at how it actually works. This is well documented in this article published by The Register.

What follows is my understanding of how the system works and may not be fully correct. Phorm systems, hosted inside the ISP's environment, set a single special cookie for all sites visited by the browser (and therefore the user), regardless of the site's participation in OIX. The response of the visited web server is intercepted and analysed by Phorm, and the page is classified as belonging to a certain group (for example travel or sport). The category of the page is then saved, together with the cookie and the timestamp of the visit, in Phorm's database, while the rest of the data is discarded. This is how a user's browsing profile is built and browsing habits are tracked, though no identifiable sites or user data are stored on Phorm's systems. The fact that no URLs or user-identifiable information is stored is regarded as a "revolutionary step in privacy" by Kent Ertegrul, Phorm's CEO. When the user visits a page that participates in OIX, the cookie is sent to the page and matched with categories of products that may interest the user. This is where OIX chooses which adverts are displayed. The site that displays the advert and the ISP that implements Webwise get a percentage of the advertising revenue.

An additional "free" benefit for end users is an anti-fraud mechanism that queries real-time block lists of sites and domains used for phishing. It is questionable how much additional benefit this provides, since similar anti-phishing mechanisms are already included in the major web browsers, IE7 and Firefox.

A worrying thing is that the content of every single page visited by the end user is accessed, inspected and classified by Phorm, and the user's browsing habits are tracked. Although Kent Ertegrul claims that no information is stored, that is clearly not true. Cookies can, with some effort, be tracked to a particular browser (on a particular machine) and even to the actual user (or the user's ISP account) if the ISP's systems get compromised. Even more disturbing is the fact that some trials have allegedly been conducted without the consent of end users during June 2007. This is a significant privacy problem, although not much worse than the privacy leaks we are exposed to while browsing sites like Google or Amazon. It comes down to a question of trust. I will be more inclined to trust companies with a good reputation, such as Amazon, than companies like Phorm, whose practices are somewhat questionable and whose previous products included potentially unwanted applications.

So how can you prevent Phorm if you are a user of one of the big UK ISPs? End users will have an opportunity to opt out of the system when it is launched. The opt-out is achieved by setting a special opt-out cookie that signals that the user has opted out, and the system will simply ignore their requests. If users delete all cookies from their system, they will have to opt out of Phorm again. It is not clear whether the opt-out page will be displayed only the first time users connect to the internet after the release, or every time before a new Phorm cookie is to be set. Another way of preventing Phorm is to reject all cookies, which will make the internet practically unusable and is therefore unacceptable.
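To make the data flow described above concrete, here is a small model of the ISP-side interception as this post describes it (tracking cookie set on every site, page classified, only category and timestamp retained, opt-out via a second cookie). This is an added illustration, not Phorm's code; the cookie names, the keyword classifier and the sample pages are all assumptions.

```python
"""Toy model of the Webwise/OIX flow as described in the post (assumed names)."""
from dataclasses import dataclass, field

TRACK_COOKIE = "oix_uid"      # hypothetical name for the tracking cookie
OPTOUT_COOKIE = "oix_optout"  # hypothetical name for the opt-out cookie

# Constructed keyword classifier standing in for Phorm's page categoriser.
CATEGORIES = {"sport": {"football", "goal"}, "travel": {"flight", "hotel"}}


def classify(body: str) -> str:
    """Assign a page body to a coarse category; the body is then discarded."""
    words = set(body.lower().split())
    for category, keywords in CATEGORIES.items():
        if words & keywords:
            return category
    return "other"


@dataclass
class IspInterceptor:
    # cookie value -> list of (category, timestamp); no URL is ever stored
    profiles: dict = field(default_factory=dict)
    next_id: int = 1

    def handle(self, cookies: dict, body: str, now: float) -> dict:
        """Intercept one response; return the cookie jar the browser ends up with."""
        if OPTOUT_COOKIE in cookies:
            return dict(cookies)  # opted out: request ignored, nothing stored
        jar = dict(cookies)
        if TRACK_COOKIE not in jar:  # first sighting: inject the tracking cookie
            jar[TRACK_COOKIE] = f"uid{self.next_id}"
            self.next_id += 1
        self.profiles.setdefault(jar[TRACK_COOKIE], []).append((classify(body), now))
        return jar


def opt_out(cookies: dict) -> dict:
    """What the opt-out page does: add the opt-out cookie to the jar."""
    return {**cookies, OPTOUT_COOKIE: "1"}
```

Clearing the jar (an empty dict) removes the opt-out cookie along with the rest, so the next visit is tracked again under a fresh identifier, which is the caveat the paragraph above raises.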

The questionable methods used by Phorm have triggered a media campaign against it, followed by a very strong end-user reaction. An online petition has been created on the UK government E-petitions website where you can voice your concern, together with the more than 4000 people that have already signed it. The strong media and user response has already prompted the CEO of Carphone Warehouse to reconsider the decision to implement the system. A sustained campaign may make other ISPs reconsider their decisions as well.

The thing that puzzles me most about Phorm is their description of the Webwise system, which presents it primarily as an anti-fraud technology. This leaves the impression that its real purpose is somewhat hidden. I suppose this is because nobody really likes adverts, especially not the ones intruding on the content of the page we wanted to see. Sophos has already classified Webwise domains as domains that serve adverts, and users of the Sophos Web Appliance WS1000 may choose to block them if they are concerned about their privacy. We will be closely monitoring Phorm's practices and will reclassify the domains if we find that Phorm is being misused.