Phorm

From Wikipedia, the free encyclopedia

Phorm
Type: Public (AIM: PHRM)
Founded: 2003
Headquarters: Delaware, USA
Area served: United Kingdom
Key people: Kent Ertugrul, Chairman and Chief Executive Officer
Industry: Online advertising
Products: PageSense, ProxySense, Open Internet Exchange (OIX), Webwise, PeopleOnPage, ContextPlus, Apropos
Revenue: £48.30 thousand (2007)
Net income: £-11.43 million (2007)
Website: www.phorm.com

Phorm, formerly known as 121Media, is a digital technology company based in London, New York and Moscow. The company drew attention when it announced it was in talks with some United Kingdom ISPs to deliver targeted advertising based on a user's browsing habits by using deep packet inspection.[1] It is one of several companies developing behavioral targeting advertising systems and seeking deals with ISPs to enable them to analyse customers' web-surfing habits. Others include NebuAd and Front Porch.[2]

Overview of proposed service

Phorm is working with major British ISPs including British Telecom, Virgin Media and TalkTalk regarding a targeted advertisement service which would monitor browsing habits and serve relevant advertisements to the end user. Phorm say that these deals will give it access to the surfing habits of 70% of British households with broadband.[3]

A diagram showing how the Phorm system creates copies of its tracking cookie in each domain the end-user visits, based on the report published by Richard Clayton.[4]

It would work by categorizing users' interests and matching them with advertisers who wish to target that type of user. "As you browse, we're able to categorize all of your Internet actions", said Virasb Vahidi, the chief operating officer of Phorm. "We actually can see the entire Internet."[3]

It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.[5] By monitoring users' browsing, Phorm also offers protection against online fraud and phishing. If users try to access a phishing site that is listed on a database available to Phorm, a warning will appear on the browser, although phishing sites not on the database won't trigger any warning. Users will be able to opt out of Phorm's service. However, according to a spokesman for Phorm, the way the opt-out works means the contents of the websites you visit will still be mirrored to its system.[6] All computers, all users, and all HTTP applications used by each user of each computer will need to be configured (or supplemented with add-ons) to opt out.[7] It has since been declared by the Information Commissioner's Office that Phorm would only be legal under UK law if it were an opt-in service.[8]

Company history

121Media, the former name of Phorm, has had its products described as spyware.[9] As 121Media it distributed a program called PeopleOnPage[10], which was classified as spyware by F-Secure.[11] PeopleOnPage was an application built around their advertising engine called ContextPlus. ContextPlus was also distributed as a rootkit called Apropos[10][12], which used tricks to prevent the user from removing the application and sent information back to central servers regarding a user's browsing habits.[13]

In November 2005 the Center for Democracy and Technology in the US filed a complaint with the Federal Trade Commission over distribution of what it considered spyware, including ContextPlus. They stated that they had investigated and uncovered deceptive and unfair behaviour. This complaint was filed in concert with the Canadian Internet Policy and Public Internet Center, a group that was filing a similar complaint against Integrated Search Technologies with Canadian authorities.[14]

In May 2006 ContextPlus shut down its operations and stated "[Contextplus are] no longer able to ensure the highest standards of quality and customer care". The shutdown came after several major lawsuits against adware vendors had been launched.[15] Phorm has countered this with an admission of a company history in adware and the closing down of a multi-million dollar revenue stream as people confused adware with spyware.[13]

"The problem for newspapers is that a story headlined 'Two Dead in Baghdad' isn't very product-friendly," said Kent Ertugrul, chief executive of Phorm, a behavioral targeting company working with British newspapers. "But if you know who is looking at the page, that's where the opportunity is."[16]

Reaction

Initial reaction to the proposed service highlighted deep concerns with regard to individual privacy and property rights in data.[17] Phorm has defended its technology in the face of what it called “misinformation” from bloggers claiming it threatens users’ privacy.[18]

Security firms are split about whether they will classify Phorm's targeting cookies as adware. Kaspersky Lab, whose anti-virus engine is licensed to many other security vendors, said it would detect the cookie as adware. Trend Micro said there was a "very high chance" that it would add detection for the tracking cookies as adware. PC Tools echoed Trend's concerns about privacy and security, urging Phorm to apply an opt-in approach. Specialist anti-spyware firm Sunbelt Software also expressed concerns, saying Phorm's tracking cookies were candidates for detection by its anti-spyware software.

Ross Anderson, professor of security engineering at Cambridge University, said: "The message has to be this: if you care about your privacy, do not use BT, Virgin or Talk-Talk as your internet provider." He added that, historically, anonymising technology had never worked. Even if it did, he stressed, it still posed huge privacy issues.[17] During the week beginning March 10, 2008, privacy concerns began to have an impact on the stock price of the company, which dropped 30%,[19] indicating that shareholders might also be concerned about the issues being raised. By 27 March 2008 the stock price had dropped 45% over the month, and as of May 17, 2008, Phorm's stock has fallen over 85%, effectively collapsing.[20]

Phorm has engaged a number of public relations advisers including Freuds, Citigate Dewe Rogerson and ex-House of Commons media adviser John Stonborough in an attempt to save its reputation,[21] and has engaged with audiences via moderated online webchats. Full transcripts of these interviews can be found at http://www.webwise.com/how-it-works/chat.html.

In response to customer concerns, TalkTalk (The Carphone Warehouse) issued a statement[22] that its implementation will be "opt-in" only and won't use the same method as BT, meaning those that don't "opt-in" will have their traffic split, avoiding contact with a WebWise (Phorm) server.

The creator of the World Wide Web, Tim Berners-Lee, has criticized the idea of tracking his browsing history saying that "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return." He also said that he would change ISP if they introduced the Phorm system.[23]

Simon Davies, a privacy advocate and founding member of Privacy International, said "Behavioural advertising is a rather spooky concept for many people." In a separate role at 80/20 Thinking, a consultancy start-up, he was engaged by Phorm to look at the system.[24] He said: “We were impressed with the effort that had been put into minimising the collection of personal information.”[25] He was subsequently quoted as saying "[Privacy International] DOES NOT endorse Phorm, though we do applaud a number of developments in its process." (original capitals) "The system does appear to mitigate a number of core privacy problems in profiling, retention and tracking... [but] we won’t as PI support any system that works on an opt-out basis."[26]

Kent Ertugrul later claimed he was confused when he suggested Privacy International had endorsed Phorm. "This was my confusion I apologise. The endorsement was in fact from Simon Davies, the MD of 80 / 20 who is also a director of privacy international"[27].

BT trials

After initial denials that they had done so[28], BT confirmed they ran a small-scale trial at one exchange of a "prototype advertising platform" in 2007 and are said to be developing an improved non-cookie-based opt-out of Phorm. BT customers will be able to opt out of the trial, but no decision has been made as to their post-trial approach.[29]

It was reported that BT ran an earlier secret trial in 2006, in which it intercepted and profiled the web browsing of 18,000 of its broadband customers. The technical report states that customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.[30]

On Wednesday 4th June 2008 a copy of a 52-page report allegedly from inside BT titled "PageSense External Technical Validation" was uploaded to Wikileaks.[31] The report angered many members of the public, and there is some question regarding the involvement of charity ads for Oxfam, Make Trade Fair and SOS Children's Villages and whether or not they were made aware that their ads were being used in what many feel were highly illegal technical trials. The report also has data which shows that over 18 million web page requests from customers had JavaScript embedded into the responses, which has again raised questions regarding the legal standing of these trials.

Digital rights lawyer Nicholas Bohm, of the Foundation for Information Policy Research, has said that trials of an online ad system carried out by BT involving more than 30,000 of its customers were potentially illegal.[32] Channel 4's Krishnan Guru-Murthy interviewed BT's head of value added services, Emma Sanderson, about their trials.[33]

It has since been revealed that BT's 2007 trial involved some tens of thousands of end users.[34]

British Telecom is facing legal action over trials of Phorm which were carried out without user consent.[35]

BT's third trial of the Webwise system has repeatedly slipped. The trial was to last for approximately two weeks on 10,000 subscribers, and was originally due to start in March 2008, then April 2008; the latest date, the end of May 2008, has now also passed.

Analysis

Richard Clayton, a Cambridge University security researcher and member of the Open Rights Group and FIPR, attended an on-the-record meeting with Phorm, and published his account of how their advertising system works.[36]

Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system: so that they can inspect cookies to determine whether the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website.[36]

Leaking UID Cookies

Richard Clayton notes in his analysis that Phorm's system stores a tracking cookie for each domain visited on the user's PC, each containing an identical copy of the user's unique Phorm tracking ID. Where it can do so, Phorm's system strips its tracking cookies from HTTP requests before they are forwarded across the internet to a website's server, but it cannot prevent the Phorm UID being sent to websites using HTTPS. This allows websites to associate the unique Phorm tracking ID with any details the website collects about the visitor.[37]
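The asymmetry described above, seen from a website operator's side, as an added example that is not taken from Clayton's report or from Phorm: a small model of an in-path device that can strip a cookie only from cleartext HTTP, plus a server-side audit that flags cookies the site never issued and asks the browser to delete them. The cookie names, the UID value and the `Path=/` scope are constructed assumptions.

```python
# Added illustration; every name and value below is constructed.
TRACKER = "uid_copy"                      # hypothetical name of the forged per-domain cookie
SITE_COOKIES = {"session", "csrftoken"}   # cookies this (hypothetical) site really issues

# What the browser sends for this site. A cookie planted without the Secure
# attribute is not tied to a scheme, so it is returned over HTTP and HTTPS alike.
BROWSER_SENDS = "session=abc123; uid_copy=constructed-uid-0001"


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def as_seen_by_origin(scheme, browser_cookie_header):
    """Model the in-path device: it can rewrite cleartext HTTP only."""
    cookies = parse_cookie_header(browser_cookie_header)
    if scheme == "http":
        cookies.pop(TRACKER, None)        # stripped before forwarding
    # Over HTTPS the header travels inside TLS and arrives unchanged.
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def unexpected_cookies(cookie_header, issued=SITE_COOKIES):
    """Names present in the request that this site never set."""
    return sorted(set(parse_cookie_header(cookie_header)) - set(issued))


def expiry_headers(names):
    """Set-Cookie values asking the browser to delete each name.

    Deletion only takes effect when Path and Domain match the cookie as it
    was planted; Path=/ with host-only scope is an assumption here.
    """
    return [f"{n}=; Max-Age=0; Path=/" for n in names]


def handle(scheme, browser_cookie_header):
    """What the origin receives, what it flags, and what it sends back."""
    seen = as_seen_by_origin(scheme, browser_cookie_header)
    foreign = unexpected_cookies(seen)
    return {"seen": seen, "foreign": foreign, "set_cookie": expiry_headers(foreign)}


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, handle(scheme, BROWSER_SENDS))
```

The audit is allowlist-based, so it needs no knowledge of the tracker's real cookie name; `TRACKER` is used only by the model of the in-path device.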

Advertisers

Advertisers which had initially expressed an interest in Phorm include: ft.com, The Guardian, Universal McCann, Myspace[38], iVillage, MGM OMD, Virgin Media[39] and Unanimis.[40]

The Guardian has withdrawn from its targeted advertising deal with Phorm. In an email to a reader, advertising manager Simon Kilby stated "It is true that we have had conversations with them [Phorm] regarding their services but we have concluded at this time that we do not want to be part of the network. Our decision was in no small part down to the conversations we had internally about how this product sits with the values of our company."[41]

In response to an article published in The Register on 26 March 2008, Phorm has stated that Myspace has not joined OIX as a Publisher.[41]

On 29 March 2008, Pete Clifton of the BBC confirmed that the company has "no plans to work with Phorm at this time".[citation needed]

Website's Perspective

Concerns have been raised about the financial impact Phorm's system could have on businesses such as online shops. Phorm will look at the content viewed by a visitor and add it to their user profile, allowing competing businesses to target advertisements at the user based on the products that they have looked at on the shop's website, potentially diverting sales away from the original shop.[42]

Some webmasters plan to block or restrict users of Phorm's system, or ask them to opt out, to protect their content, and have been developing systems to detect Phorm users.[43]

David Evans of the British Computer Society has questioned whether the act of publishing a website on the net is the same as giving consent for advertisers to make use of the site's content or to monitor the site's interactions with its customers.[44]

Questions over legality

The UK Home Office has indicated that Phorm's proposed service is only legal if users give explicit consent.[45] The Open Rights Group (ORG) raised questions about Phorm's legality and asked for clarification of how the service would work.[46] The Foundation for Information Policy Research (FIPR) has argued that Phorm's online advert system is illegal in the UK. Nicholas Bohm, general counsel at FIPR, said: "The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle within the legislation, and it cannot be lightly ignored or treated as a technicality." His open letter to the Information Commissioner has been published on the FIPR web site.[47]

Conservative Peer David Carnegie, 14th Earl of Northesk, has questioned whether HM Government is taking any action on the targeted advertising service offered by Phorm in the light of the questions about its legality under the Data Protection and Regulation of Investigatory Powers Acts.[48] Richard Clayton, a Cambridge University security researcher, has produced a technical analysis (released on April 4th 2008) which confirms the FIPR's view that the final deployment of Phorm will be illegal on the grounds that no consent is obtained from webmasters to profile the pages sent to users.[4]

On April 9, 2008, the Information Commissioner's Office ruled that Phorm would only be legal under UK law if it were an opt-in service.[49] The Office stated it will closely monitor the testing and implementation of Phorm, in order to ensure data protection laws are observed.[50]

The Register reported in May 2008 that Phorm's logo strongly resembled that of an unrelated company called Phorm Design. They quoted the smaller company's owner, Simon Griffiths: "I've had solicitors look at it and they say we'd have to go to court. [Phorm are] obviously a big player with a lot of clout. I'm a small design agency in Sheffield that employs three people."[51]

References

  1. "Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising", The Washington Post, 2008-04-04. Retrieved on 2008-04-08.
  2. "American ISPs already sharing data with outside ad firms", The Register, 2008-04-10. Retrieved on 2008-04-18.
  3. "A Company Promises the Deepest Data Mining Yet", The New York Times, 2008-03-20. Retrieved on 2008-03-23.
  4. Clayton, Richard (2008-04-04). The Phorm "Webwise" System (PDF). Cambridge University. Retrieved on 2008-04-07.
  5. Phorm Service Privacy Policy. Retrieved on 2008-03-14.
  6. Williams, Chris. "BT targets 10,000 data pimping guinea pigs", The Register, 2008-03-05. Retrieved on 2008-03-12.
  7. Phorm Frequently Asked Questions. Retrieved on 2008-03-29.
  8. Phorm – Webwise and Open Internet Exchange. Information Commissioner's Office (2008-04-08). Retrieved on 2008-04-10.
  9. Williams, Chris. "ISP data deal with former 'spyware' boss triggers privacy fears", The Register, 2008-02-25. Retrieved on 2008-03-10.
  10. Phorm Factor. F-Secure (2008-04-15). Retrieved on 2008-04-16.
  11. F-Secure Spyware Information Pages: PeopleOnPage. F-Secure. Retrieved on 2008-04-16.
  12. F-Secure Spyware Information Pages: Apropos. F-Secure. Retrieved on 2008-04-18.
  13. Williams, Chris. "Phorm launches data pimping fight back", The Register, 2008-03-07. Retrieved on 2008-03-08.
  14. Schwartz, Ari. "Phorm launches data pimping fight back", CDT, 2005-11-03. Retrieved on 2008-04-16.
  15. Spyware, Rootkit Maker Stops Distribution. Eweek. Retrieved on 2008-04-17.
  16. Whoriskey. "FCC scrutinizes behaviorial targeting of Internet ads", Pittsburgh Tribune, 2008-05-25. Retrieved on 2008-05-26.
  17. Armitage, Jim. "Web users angry at ISPs' spyware tie-up", Evening Standard, 2008-03-06. Retrieved on 2008-03-13.
  18. Edgecliffe-Johnson, Andrew; Philip Stafford. "Phorm seeks $65m for overseas expansion", The Financial Times, 2008-03-12. Retrieved on 2008-03-17.
  19. Arthur, Charles. "Phorm mystified by fall in share price; we interview its chief", Guardian Unlimited, 2008-02-11. Retrieved on 2008-02-17.
  20. Edgecliffe-Johnson, Andrew; Philip Stafford. "Phorm seeks $65m for overseas expansion", The Financial Times, 2008-03-12. Retrieved on 2008-03-17.
  21. O'Connor, Clare. "Web tool firm in PR fightback", PRWeek, 2008-03-30. Retrieved on 2008-03-30.
  22. Jackson, Mark. "TalkTalk (Carphone) ISP Makes Phorm Opt-In Only", ISPReview, 2008-03-11. Retrieved on 2008-03-12.
  23. Cellan-Jones, Rory. "Web creator rejects net tracking", BBC News, 2008-03-17. Retrieved on 2008-03-17.
  24. Waters, Darren. "Looking at the Phorm", 2008-03-06. Retrieved on 2008-03-17.
  25. Waters, Darren. "Ad system 'will protect privacy'", BBC News, 2008-03-06. Retrieved on 2008-03-12.
  26. "Your questions please for Kent Ertegrul, CEO of Phorm", Guardian Newspaper, 2008-03-06. Retrieved on 2008-03-29.
  27. Webwise Chat Transcript (2008-03-11). Retrieved on 2008-03-29.
  28. "BT confesses lies over secret Phorm experiments", The Register, 2008-03-17. Retrieved on 2008-03-17.
  29. Liversage, Adam (2008-03-14). BT Develop non-cookie based opt-out. beta.bt.com. Retrieved on 2008-03-15.
  30. Williams, Chris. "BT and Phorm secretly tracked 18,000 customers in 2006", The Register, 2008-04-01. Retrieved on 2008-04-01.
  31. Hanff, Alexander (2008-06-04). Leaked BT Report on covert 2006 PageSense trials. nodpi.org. Retrieved on 2008-06-05.
  32. Waters, Darren. "BT advert trials were 'illegal'", BBC, 2008-04-01. Retrieved on 2008-04-01.
  33. Nzewku, Brigid. "BT 'spies' on customers", Channel 4 News, 2008-04-03. Retrieved on 2008-04-03.
  34. Williams, Chris. "BT's 'illegal' 2007 Phorm trial profiled tens of thousands", The Register, 2008-04-14. Retrieved on 2008-04-14.
  35. "BT confesses lies over secret Phorm experiments", The Register, 2008-03-17. Retrieved on 2008-03-17.
  36. Clayton, Richard (2008-04-04). The Phorm “Webwise” System. Light Blue Touchpaper. Retrieved on 2008-04-04.
  37. Clayton, Richard (2008-04-22). Stealing Phorm Cookies. Light Blue Touchpaper. Retrieved on 2008-04-24.
  38. Kiss, Jemima. "ISPs sign up to targeted ads deal", The Guardian, 2008-02-14. Retrieved on 2008-04-09.
  39. "Virgin Media distances itself from Phorm 'adoption' claims", The Register, 2008-05-01. Retrieved on 2008-05-18.
  40. Phorm press release. Phorm.com (2008-02-14). Retrieved on 2008-04-12.
  41. "The Guardian ditches Phorm", The Register, 2008-03-26. Retrieved on 2008-03-26.
  42. Phorm and Webwise - research says they’re illegal PLUS how they will make your business go bankrupt (2008-04-30). Retrieved on 2008-05-02.
  43. Server Side Countermeasures for Web Masters. Retrieved on 2008-05-02.
  44. InPhormed consent not given (2008-05-08). Retrieved on 2008-05-08.
  45. Arthur, Charles. "Home Office on Phorm: it's legal if users consent", Guardian Unlimited, 2008-03-12. Retrieved on 2008-03-12.
  46. "Open Rights Group questions Phorm", BBC News, 2008-03-12. Retrieved on 2008-03-12.
  47. Open Letter to the Information Commissioner (2008-03-17). Retrieved on 2008-03-17.
  48. House of Lords Cumulative list of unanswered Questions for Written Answer. House of Lords publications (2008-03-17). Retrieved on 2008-04-02.
  49. Phorm – Webwise and Open Internet Exchange. Information Commissioner's Office (2008-04-08). Retrieved on 2008-04-10.
  50. Phorm warned about web data rules. bbc.co.uk (2008-04-09). Retrieved on 2008-04-10.
  51. "Phorm in phormulaic logo phorm storm", The Register, 2008-05-02.

External links