Phorm
For those who have missed it, Phorm, Inc have trialled and are proposing to roll out a new system in the UK that helps advertisers target advertising more precisely at participating internet users. Their goal is, according to their homepage at www.phorm.com is "to make online advertising more relevant, rewarding and valuable.". The basic principle is to gather information based on your internet browsing behaviour and use that information to target so called 'relevant ads'.
Who are Phorm? Originally, they were called 121Media. They produced a toolbar called PeopleOnPage, which, based on user's search criteria using the toolbar, 121Media built an ad server that displayed ads based on the search criteria. They subsequently built and bundled the toolbar with freeware applications - Phorm have been very up front about this.
Backround
How would a user participate? If all goes as planned, users will participate by default and have to opt out. How so? Participating UK ISPs (at the moment BT, Virgin Media and TalkTalk/Carphone Warehouse group are in the frame) will deploy this system at the ISP level, far out of the reach of their customers. Simply, anyone using that ISP will be subject to Phorm's service unless they opt out. That said, it looks like some ISPs are considering changing this to opt-in, which, while acknowledging customer's concerns, is not even close to addressing those concerns. Do a search for Phorm on the BBC or Guardian newspaper's websites for some public opinion on the matter.
What information is being monitored anyway? How does it all work? Phorm will assign a user's browser a unique ID, which, it is claimed, cannot be tied in to your IP address. Information on your surfing habits or interests (which is collected by scouring the sites you visit for keywords) is assigned to that ID. When you come across a page that is participating in Phorm's advertising network, you will see advertising based on the information collected about your surfing habits.
It is reassuring to know that Phorm do not store anything on their production system. However, bear in mind that information is written from the production to a research and debug log and kept for 14 days. The fact is, everything is still logged, even for a finite period of time.
What's the big deal?
Simply that user behaviour is being monitored and the quality and reliability of choices available to the user in opting out is questionable. One could argue that people are being used as subjects for cheap, real time market research.
To maximise the monetisation of this cheap, real time market research, the advertiser's intelligence on the target market must be accurate, therefore they need to know as much about as many internet users as possible. To do that they, users could install the service on their PC. However, who would do that voluntarily? Not many.
Another method would be to surreptitiously install software on user's machine. That may mean that the anti-spyware industry would analyse the software and distribution methods and possibly add the software into the detection database for removal from a user's machine. Not a great scenario.
The most efficient way of reaching as many users as possible and ensuring there is no interruption to the service or number of users attached to the service, is to go straight to the source of the user's internet connection - the ISP - and monitor at that level.
The advertiser's goal is to make as much money as quickly as possible for as long as possible at any acceptable cost. The cost of being classified as malware would be the loss of the status as a reputable business which translates to financial loss - no advertiser will do business with a company who can't help them make money. 121Media will know all about this.
The acceptable cost seems to be user privacy and ISP's integrity.
Phorm's Public Stance
Phorm are doing their best to persuade the public that their system's privacy controls are sound. Ernst & Young and 80/20 Thinking (a consulting business founded and run by Managing Director Simon Davies, who is also a director of Privacy International) were enlisted to assess their privacy controls.
I should state that the scope of Ernst & Young's report was defined by Phorm's assertion regarding their own privacy controls and commitments in their privacy policy. Ernst & Young then applied AICPA's Generally Accepted Privacy Principles to Phorm's privacy controls. Ernst & Young have absolutely done their job correctly. I am merely querying the scope of Phorm's assertions.
That said, I'm not sure how much the report's scope and the reliance on AICPA or American Institute of Certified Public Accountants' standards add up to make a convincing report. Plus, do American standards apply in the UK? For Phorm to use American standards in UK territory raises its own questions in terms of relying on such a report to counter UK critics' concerns. The report can be found at www.phorm.com/user_privacy/EY_Phorm_Exam.pdf
In any case, satisfying the scope of the report, however narrow or broad it may be, means that Phorm can name-check these prestigious companies which lends considerable weight to their claims of privacy integrity. That 80/20 Thinking's report has not yet been published muddies the waters somewhat but still, Phorm are using their name (and by association, Privacy International's name) and unpublished report to fend off critics.
The fact that Phorm have satisfied the requirements of some privacy controls guidelines ('guidelines' doesn't sound very reassuring. I would have preferred 'laws') regarding privacy is irrelevant. At the core of the matter is that user behaviour is being monitored. Sure, that's based on the user's consent, but it feels like Phorm are really only paying lip service to the notion of consent. Default 'opt in' is, at Lavasoft, something we don't agree with.
When journalists have pressed Phorm on their service, the normal exchange is:
Q: People don't like being monitored
A: Its OK, Ernst & Young, based on AICPA standards and 80/20 Thinking say we're doing everything right in terms of privacy control. Our reports are sound and investigators credentials are sound. Don't worry.
Q: Well, I still don't like it
A: That's OK, you can turn Phorm off
Q: I can do that, but how do I know I'm not being tracked or that the system is open to abuse?
A: Well, You can't know that, but trust us, Ernst & Young, 80/20 Thinking and your ISP to do the right thing
Q: But didn't your old company make a toolbar that serve ads based on information gathered about user's surfing preferences? Didn't the anti-malware industry consider it spyware?
A: Yes. But that was then, this is now. We've changed.
At this point the majority of us will accept Phorm's reasoning and forget about it. This is a pretty good strategy to employ. Get some eminent companies to endorse your privacy controls, wave the results about (or at least, one very short report) when anyone criticises the system and wait for the fuss to die down, then deploy the system. It doesn't hurt to drag the ISP into the firing line (by having them decide if their customers will be opt in or out by default) and let them take the ensuing flack. But to suggest that would be cynical.
Who benefits from this system anyway?
Financially, Phorm, advertisers and your ISP of course. There is absolutely no benefit to internet users, unless you like targeted advertising. Particularly galling is, despite the fact this service provides no real benefit to the consumer (who is essentially being coerced with specious reasons into giving up information that serves only to make more money for advertisers) is that Phorm persists in trying to 'sell' this concept to them.
Consumers are told that the service will enhance their internet experience because they will see more relevant ads. That doesn't make sense - people don't surf the net to look at ads. The especially don't surf the net to view ads that are generated as the result of a company monitoring their browsing behaviour.
Phorm claim that no private information will be retained or compromised (I can't quite forget that logs are kept for 14 days for research and debugging). I don't want anyone to monitor me and log my actions, whether it be my neighbour across the fence, advertisers, whoever. I also don't care what their justification is for monitoring me.
Phorm also claims the service will protect consumers from phishing. That sounds pretty good, until you realise that the phishing attempt will only be blocked if the site is on a blacklist. If the site isn't on the blacklist, Phorm can't protect you from it. Apart from that, IE7 has a feature that does that for you anyway, rendering this 'benefit', well, impotent.
The notion of being opted in by default is highly suspect. Even by opting out, Phorm will still have to set a cookie on your PC. At Lavasoft, we hammer companies who employ the 'opt in by default' strategy. The onus is on participating ISPs to sort this mess out. I know the ISP will benefit financially from this arrangement and deserve no sympathy, but they are being used by Phorm to further distance themselves from criticism on this particular matter. If your ISP is considering deploying this service and you have an opinion on the matter, contact them.
Conclusion
At the end of the day, user behaviour (which is logged and kept for 14 days) is being monitored for marketing purposes. While Phorm may adhere to the letter of the law, or should I say, guidelines of the AICPA, internet users will be used for cheap and real time market research if this system is deployed.
I would encourage you to read all you can about this subject and encourage others to do the same. Speak to your ISP and let them know how you feel, talk to other privacy advocates, discuss it with your friends. You may find that this story is more than just an argument with an advertising company. We at research will be keeping a very close eye on how this issue continues to evolve.
Edit: 30th April, 2008.
Phorm have contacted us to let us know that the 'research and debug logs' mentioned in the Ernst and Young audit are now referred to as 'system health and errors information'.
"As such, the blog now inaccurately describes our "research and debug logs". As stated in our document, these logs now only contain "system health and errors information""
- Graham Mosley, Phorm
Phorm have also pointed out that it was the AICPA, not Phorm, who set the scope of the Ernst & Young audit:
"Additionally, the scope of the E&Y audit was set by the AICPA standards"
- Graham Mosley, Phorm