Past EED rants


Live leaderboard

Poker leaderboard

Voice of EED

Tuesday 15 April 2008

Phorm, privacy, and the issue of cookies. [Brit]

Traditionally, a complicated web of session tracking and cookies is responsible for targeting you with supposedly relevant online ads. It will take only a moment surfing online to realise this approach is anything but effective - irrelevant ads appear regardless. Highly targeted and relevant delivery is however the next holy grail of online advertising, especially when advertisers are paying by the display and not by the clickthrough, or when the dictated Cost Per Acquisition figure (i.e. the amount of money it has been calculated must be spent for a user/consumer to reach a defined goal, like book a test drive) is high or linked to a high value product or service.

The only way you can deliver such highly targeted and relevant content is by having sufficient individual data capable of slotting a specific user into an equally highly granular profile, and the only way you can do that is by taking their surfing data from them... and herein lies the snag.

I expect you've all heard of Phorm. They're the company that has essentially developed the technology that allows the profiling of users by collecting their surfing data direct from their ISPs, munging it, and making it available to their online ad delivery platform. Now, it should be pointed out that according to the blurb, such data is delivered to them from the likes of BT in a totally anonymous fashion... online users really are nothing more than a number, and so everyone should be happy; users get adverts that are relevant to them, and advertisers get more effective ROI, and ISPs get a bit more revenue.

I could at this point talk about the whole privacy implications with regards anonymizing data and the fact its technically unsound or legally dubious or plain bonkers. But I won't, as its been covered to death (and still going strong) in all the mainstream press. Suffice to say, if you're a privacy advocate or other speaking head in the arena, you've probably hit the roof a number of times now.

What I am interested in however is the now increasingly out of date method for indicating optin/optout preference in terms of web delivered services - the humble cookie. For years these innocuous pieces of data have sat on our computers, helping out everything from shopping baskets to session management, from visual personalisation through to reminder notifications; they are _everywhere_.

However, they simply aren't up to the job any longer in terms of optin/optout or other privacy related activities because they're so perishable. I'm not talking about cookie expiration, but rather the fact that through no fault of their own a user can instantly opt back in to any number of services they may have opted out from, by deleting their cookies. In Microsoft Internet Explorer 7 for example, deleting all your web cookies is incredibly easy. There is a big fat "DELETE ALL" button on the popup dialog, and next to it, a link that says "About deleting browsing history"... to the uninitated or those not paying attention, the proximity of that link (and the word "history") next to the button "DELETE ALL" gives no indication that you are going to remove all your cookies too.

For Phorm to claim that users can opt out of their service is therefore a complete joke. Sure, you can set a cooke to say "no thank you", but if you're a regular browser history dumper and hit that "DELETE ALL" button, you're back on Phorm as soon as you like... after all, its your ISP thats made the decision to push your data through Phorm and not you. You've just got a tiny bit of control via a very dodgy switch.

I'd therefore like to see a more robust solution - call it Cookie+. For example, when you install Windows Server 2003, Microsoft Internet Explorer is by default set to "hardened mode". This means that when you come to download a file from a website, you're prompted to add it to your secure zone; if you delete your browser history, that secure zone list remains untouched - I see no reason why there couldn't be a similar sort of approach to Cookie+ whereby you set different types of cookies too... for example a special cookie specifically for opting in or opting out; that would call the Cookie+ dialog, whereas normal session cookies would be handled as they are now.

Either way, something needs to change - Phorm and BT are in a right old mess and the privacy issues around optin/optout are not only enough to make people leave BT, but potentially kill Phorm itself, and since I have no objection to relevant ads, I think a middle ground should be looked at.


  1. As I understand it, any permenant cookie solution won't actually help here. Phorm will still intercept your requests using layer 7 if you've got an opt out cookie or not, the presence of the cookie is merely a flag to them to say you wont be tracked and you have to trust them on that regard.

    I don't really get the need for persistant tracking. Google is extremely successful, and their system, as far as I'm aware, doesn't work by targetting based on your browsing history, but by what's on the current page. No history and no invasion.

    I guess it'll just move more people to https, which renders this kind of inspection worthless. I wonder if commercial proxy solutions will become more attractive too?


  2. I'm not opposed to targeted advertising but I think morally there ought to be something on the table. With, say, Google, you use their services because you know it's paid for by ads and the anonymous targetting works well. An actual interesting ad might appear.

    The problem here is that the ISPs want a slice of the ad action going on since they're shifting the data. So this is an innovative additional revenue stream for them, no wonder it's attractive.

    But up to this point what travels in the pipe between you and your chosen sites is considered by most people to be sacrosanct. Is it though? It's a public network. It's not fingered to you individually. There are only the same sort of privacy issues that exist with Google aren't there?

    Let me get this straight how it works though. Your ISP is peering into your HTTP protocol flow and pulling out some data. This is being passed to Phorm somehow. Phorm uses this in the same way that Google does so that adverts shown are relevant to you. However they don't know a thing about you personally.

    Also, the adverts you see will appear on web sites that you just happen to visit. Phorm looks to be trying to wedge into advertising networks so they'll use their system, somehow, to improve relevancy.

    So I'd ask the question, what is the real harm here?

    1. Peering into your HTTP stream

    It sounds like snooping. People wont necessarily understand it. It will probably compell regulators to act, certainly less informed will jump up and down and say things it's not.

    Performance issues in doing this? At the moment ISPs don't do anything but route packets. They're basically going to have to sniff everyone's connection.

    2. Passing data about you to Phorm

    They say you're a number but the ISP has to identify you to Phorm somehow. By IP address? How? Whether or not it's a unique anonymous handle, ultimately you are being identified. There now exists a trail.

    For example Phorm could just as easily know you're surfing nasty things. Now if they know this, they're legally obligated to inform the police. They might say they wont do this. After all they're matching various sites, not matching nasty sites. What happens when the government realises that basically a huge tracable Echelon system has just been put in place that CAN finger people doing dodgy shit. They're going to want to get into it. They're going to want to be told about illegal activity.

    There lies your rocky road. They don't know what your name is, but the ISP does. There's a chain here. I'm not convinced this is still a terrible thing but that depends on whether you're happy with your country's definition of what is illegal to look at on the web.

    Now maybe I'm missing stuff here, maybe that's not plausible. I don't understand how they're doing it or whatever. However it's this stuff that I'd be worried about.

    Ultimately if shitty CPM banners on sites all happened to be about things that I actually liked because I was visiting those sites. Well, I think as a consumer that's better. However also as a consumer if I thought my ISP was doing this, because of the above concerns and really a lack of transparency in how it's all going to work, I think I'd just jump ISP from anyone doing it. Wouldn't you?


  3. Make no mistake, this evil shit is still about.

    Steve Gibson gives a good rant about it on this weeks Security Now podcast. Phorm specific talk starts about half way through, but the whole thing is worth a listen as earlier on he has some good Gates annecdotes.

    You can block third party cookies in Firefox by setting network.cookie.cookieBehavior to 1 in about:config

  4. If BT Intercepted my traffic again & inject unwanted data into my data stream like in 2006 & 2007... well watch this Space...!We already have a perfectly Targeted Advertising System & all this Hype & distortion is Infuriating!If I want a Car, I look at Ads provided on a Car site...If I want to Travel I look at Travel Agents Sites..If I want a House I go to an Estate Agent siteIf I want a Pizza I go to a local restaurant Site..Get the Picture!I do not want "CAR ads "served at my PC when I'm looking for a PC, pizza, house etc the so called Magic Advertising bullet is all smoke & mirrors & it will always deliver "After" the Surfer has looked for a particular item, which is too late!Do you get the real picture yet!Stop wasting time Money & equipment trying to provide a false idea, which in fact is trying to destroy the real relevant advertising provided at exactly the right spot for the surfer to see.If a Surfer is forced to block Ads then the legitimate Website suffers along with all the fly by nights!Get the Picture YET!

  5. Please sign the Prime Minister website petition against this activity. Petition closes in a week. It says "We are against any ISP breaching customer privacy using advertising technologies" (or something like that)

    Over 20k signatures already but lots of room for more. So sign it today and ask your freinds and family to as well.