Phorm Targeted Advertising System Analysed, Found Wanting

Richard Clayton of the Security Research section of Cambridge University’s Computer Laboratory, and Becky Hogge of the Open Rights Group, met last week with Phorm, creators of the Webwise targeted advertising system. Richard has since published his findings, and they make interesting reading, even if you (like me) don’t understand all the stuff about 307 redirects.

Richard’s analysis leads him to say:

Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.

Phorm’s blog fails to quote the largely negative body of Richard’s article, and doesn’t link to the article itself. Instead it quotes a single, vaguely favourable paragraph. I commented on the blog, including a link to Richard’s full article – it’s currently awaiting moderation.

Richard also points out that while the system arguably protects the user’s data, and thus complies with the Data Protection Act, it is still in principle a way of snooping on and analysing a user’s web browsing habits to figure out what they are looking at, so that advertisers can throw ads at them based on their current browsing. This is different from a website inserting ads based on its own content to help pay for bandwidth. The Phorm ad-feed is done by the ISP, and introduces a couple of issues regarding the ability of the website owner to opt out of the system, let alone the web user avoiding the targeted ads.

One specific point made is that Phorm says webmail sites will not be analysed, and that Webwise is already aware of “over 25” such sites. My web host provides me with a webmail service for my own site’s email. I doubt Webwise is taking these types of webmail service into account.

In addition, what they claim is an opt-out is in fact only an opt-out from seeing the ads, not from having your traffic sniffed.

To paraphrase Sir Tim Berners-Lee (inventor of the WWW and Director of the W3C), an ISP should be an impartial provider of bandwidth and nothing more, like a gas or electricity provider. Or as ORG say, “Keep your mitts off my bits”.

Disclaimer: I volunteer from time to time with the Open Rights Group.