- Ex-adware firm Phorm has done deals with lots of ISPs, particularly in the UK – installing monitoring services at these ISPs’ own installations to better target advertising at ISP customers.
It works by collecting information about how ISP clients use the Web.
To accomplish this, Phorm sifts keywords out of requests and responses to determine which advertising will be served to the surfing ISP client.
We address this in some detail here
This is a serious issue for which we have also released information on how to protect oneself using a special add-on for Firefox, see here:
- CyTRAP Labs’ Choice – Free Tool – Protecting Yourself Against Russian Botnets
Phorm recently tied up a deal with the UK’s three biggest internet service providers – BT, Virgin Media and TalkTalk, who between them have more than 10 million customers.
The system works by categorizing data about which websites the ISP’s customer visits in order to create a profile. When the client then visits a page whose adverts are sourced from the Open Internet Exchange (oix.net) set up by Phorm, the ISP’s client will see advertisements targeted to that profile (e.g., white goods, wash detergent, news, etc.).
While the browsing history is not retained, unfortunately the profile for the cookie is refined as it learns more about the person’s browsing habits. Sites that join OIX are told they will get a better per-click payment than with other services. (Disclosure: The Guardian is one of a number of media websites that are signed up to OIX.)
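The following sketch is an added illustration, not Phorm's code and not part of the original post. It shows why discarding the browsing history does not protect the user: the per-cookie category profile keeps sharpening with every request. The category map, cookie IDs and sample visits are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Hypothetical keyword-to-category map; the post does not list Phorm's real categories.
CATEGORIES = {
    "white goods": {"fridge", "freezer", "dishwasher", "washing"},
    "wash detergent": {"detergent", "laundry", "softener"},
    "news": {"election", "headline", "parliament"},
}


class Profiler:
    """Keeps one category counter per cookie ID and nothing else."""

    def __init__(self):
        self.profiles = defaultdict(Counter)

    def observe(self, cookie_id, url, page_text):
        # Keywords are taken from both the request (URL) and the response (page text).
        words = set(re.findall(r"[a-z]+", (url + " " + page_text).lower()))
        for category, keywords in CATEGORIES.items():
            hits = len(words & keywords)
            if hits:
                self.profiles[cookie_id][category] += hits
        # url and page_text are dropped here: no browsing history is stored.

    def ad_category(self, cookie_id):
        # The strongest category decides which advert the cookie holder is shown.
        profile = self.profiles.get(cookie_id)
        return profile.most_common(1)[0][0] if profile else None


# Constructed sample traffic for two pseudonymous cookie IDs.
VISITS = [
    ("c-1001", "http://shop.example/fridge-freezer", "Compare fridge and freezer prices"),
    ("c-1001", "http://shop.example/dishwasher", "Best dishwasher deals"),
    ("c-1001", "http://news.example/today", "Election headline of the day"),
    ("c-2002", "http://clean.example/laundry", "Which detergent and softener to buy"),
]


def run(visits=VISITS):
    profiler = Profiler()
    for cookie_id, url, text in visits:
        profiler.observe(cookie_id, url, text)
    return profiler


if __name__ == "__main__":
    p = run()
    for cid, prof in p.profiles.items():
        print(cid, dict(prof), "->", p.ad_category(cid))
```

No URL survives in the stored state, yet each cookie ID ends up with a distinct interest profile.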
Our Read
Not knowing a surfer’s exact ID does not stop one from profiling them and having a very good idea about what the person is doing. For instance, during August 2006 AOL released a ton of anonymized search requests with the user IDs replaced by random numbers. AOL had to withdraw this list quickly as it became embarrassingly obvious that users of its search engine could be identified from that information alone. We reported this here:
- Mashup sites and AOL – there goes your privacy
Some Issues that Need Clarification
1) What is a reasonable price for consenting to a degenerated Internet access provider that is most likely profiling all your internet traffic? Being served relevant advertisements in one’s browser?
2) The default used by Phorm is ‘opt-out’. Hence, Phorm will take a customer’s information and use it commercially until she tells it not to. This is wrong according to European privacy regulation, which requires that the consumer be given a choice before the commercial proposition is put into force.
3) The “opt-out” default of Phorm, where it’ll take your information and use it commercially until you tell it not to, is prima facie wrong. If it’s got a commercial proposition for you, then it’s up to the company or its clients to present that commercial proposition for you to decide.
4) We can assume that a user explicitly consents that the search terms he uses, and the content of his email and of the social-networking sites he visits, will be among what is used to classify his interests for the purpose of targeted advertising. This is a necessary first step only.
We feel it is also necessary to get the consent of the owner of the web page the user visited, and likewise the consent of those sending e-mail to the user, since those who host web-based email services have no authority to consent to interception on their users’ behalf (see the Open Letter to the Information Commissioner (2008-03-17), Foundation for Information Policy Research (FIPR)).
Without this it seems that this interception is not lawful.
FINALLY
- I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible-to-uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network [slashdot.org]. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names, the name of the company has changed from PeopleOnPage to 121media and recently changed from sysip.net to Phorm. This is typical of a company that knows it will have to shed its tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand. Some notes from the Phorm sales pitch
Tidbit
The CEO of Phorm is quoted as saying:
- “Our privacy claims have been audited by Ernst & Young; they have been through our system and seen that it does what we say it does,” he says. “Privacy International have done a privacy impact assessment, and they will be doing spot checks. We have spoken to the Information Commissioner’s Office. All of the privacy groups in the US, UK and Europe have been impressed by our approach.”