Phorm over function

Reading Time: 4 minutes


There’s been plenty of buzz (more of the angry hornet variety rather than the just-inhaled-a-lungful-of-dope variety) about Phorm of late, precipitated by a press release that the company put out on Feb 14 in the UK, announcing partnerships with three major UK ISPs to provide a system “…which ensures fewer irrelevant adverts and additional protection against malicious websites”. Critics of the system  (led by noted UK cage-rattler, The Register) claim that the technology is little more than spyware by another name. The negative press around Phorm’s announcement has caused at least one of their ISP partners to back away from the deal, and cause their stock to plummet by more than 30%. It looks like this could be the latest in an increasingly long line of bungled targeting announcements from the industry (Beacon, anyone?). But what went wrong?

What is Phorm?

Phorm as a company is the new name for 121Media, a UK AIM-listed company who started out producing a browser toolbar which tracked your page usage to provide a social media environment, connecting you with other people who were looking at the same page. Ad-funded, the toolbar quickly picked up a reputation for being spyware (even though I agree with Phorm’s protestations that it was really adware, which is better, but still tarred with the same brush), so it was dropped and the company renamed Phorm.

The new service Phorm has launched is called Webwise (not to be confused with the BBC site of the same name). Essentially it is technology that ISPs install at their data centers which analyzes the URL and textual content of web pages being served and uses this information to place users into interest categories so that they can be served behaviorally-targeted ads. The technology does this by intercepting the page request and sending a copy of it to a “Profiling” server which extracts keywords and uses this information to assign users to interest groups:




The same technology has a function to alert the user to phishing web sites; since the URL and content is being examined, phishing sites can be spotted and blocked. This functionality forms a core part of Webwise’s value proposition to users.

The other part of the alleged value to users is that this profiling process does not permit the ISP to associate a user’s profile with their IP address; that means that the ISP (and any government agency who subpoenaed the ISP’s records) could not re-associate the Phorm data with a customer record (ISPs can tell which IP address was assigned to which customer at a particular time). The Phorm system does also not store any of the page information or extracted keywords; once the interest “channel” has been arrived at, all the rest of the data is deleted.

So Phorm claims that its system is a real step forward for user privacy on the Internet, whilst at the same time enabling advertisers to reach their audience more effectively. But the industry (and the public) haven’t really seen it like this.


Why all the fuss?

Phorm’s announcement was always bound to generate a certain amount of controversy, because it’s in the sensitive area of behavioral profiling & targeting.  But there has been a particularly virulent reaction in the UK, which, whilst started by sites like the Register, has now spread to the “mainstream” media.

Some of the reasons for the fuss are (comparatively) silly things – for example, the renaming of the company from 121Media, which has just made people nervous, especially given the previous company’s adware history, or the fact that the company operates out of serviced offices in the UK and doesn’t really have a physical address in the US.

A more serious blunder on Phorm’s part is their failure to anticipate the scrutiny that this kind of system would be placed under. In this kind of environment, given the firm’s history, absolute transparency is essential, and Phorm hasn’t provided this. There are still unanswered technical questions about Phorm’s system, such as how it manages the opt-out (does data still get collected, or not?), and there have been inconsistencies in the claims that Phorm has made about third-party privacy audits of their software.

Phorm has also made the mistake of launching prematurely, with many of their partnerships still only half-baked. At the moment there is no benefit to users being delivered, because none of the systems that Phorm has announced are actually live within ISPs, and so all the focus is on the downside. Phorm would have done much better to wait until the service was fully baked with at least one of their partners and they had some real users onboard who could testify to the increased relevance of ads and how comfortable they were with their privacy with Phorm, before making a big splash. The press release looks like the product of an over-zealous PR agency looking to ensure their monthly coverage targets were being hit. Well, they’ve certainly done that.


What can we learn?

The main problem here is a poorly thought-out balance of benefits for ‘costs’ in this offer. Phorm have claimed that this system protects user privacy, but it doesn’t really; it’s just an ad targeting system with a better-than-average approach to protecting privacy. Users who are opted into Phorm will still receive cookies and targeted ads from other ad networks, and their behavior will still be tracked by those other networks.

Apart from the phishing protection (which is already baked into IE7 and Firefox anyway, and turned on by default), there’s nothing in the Phorm system which provides users with protection of their personal data across the Internet. The only way that Phorm’s entry into this market can elevate user privacy overall is if other providers of targeted ads who are storing more data decide to pack up and go home – which I doubt will happen.

The furore also highlights the challenges of partnering with ISPs for this kind of service. Because ISPs are the gatekeepers of the Internet (and because, for many people, switching ISPs is a pain in the a**), users are very sensitive to any perceived exploitation of this relationship by the ISPs. In the UK, ISPs are some of the best-known Internet brands, but also some of the least liked. Ironically the cause of this dislike (poor customer service) is a direct result of the price war that has precipitated ISPs’ interest in this kind of service, as they are receiving a cut of the revenues, of course.

Ultimately the tale makes clear how careful any company has to be in launching a service like this – the balance of benefits has to be clearly stacked in favor of the user. As Chris Williams of The Register said during an interview with Phorm’s CEO, Kent Ertegrul, said:

“a big difference I see between what you’re
doing and what Google does is that people feel that they’re getting a service from Google. I don’t think people feel they’ll be getting a service from you”

It will be interesting to see how the Phorm saga plays out. Perhaps one day it’ll find its way onto an online marketing MBA module syllabus.

9 thoughts on “Phorm over function”

  1. Thanks for clarifying this. I’m still not clear on how the ads are delivered though. Are they inserted into webpages I request automatically? If so, does that mean that content providers are having their ad inventory stolen by the ISP? If this is provided outside the requests I make, won’t I have to install software to opt in? Or will all the pages I request be returned with an advert frame above them, like when you visit Ask Jeeves search results?
    As a person who is deluged with spam by email, post and phone, I’m extremely averse to being profiled. I’m supportive of ad-funded content, but I’m already paying my ISP to deliver its service and my expectation is that they do this and respect my privacy – not profile me and sell my surfing identity to advertisers. It would be like the phone company dropping radio adverts into my phone calls, and still charging me for the call and line rental.
    I’m sure there has been a lot of over-reaction in the press, but I would change ISP if they forced ads and profiling on me. I can’t be the only one.

  2. Sean,
    Good to hear from you. The concern you raise is another reason why this announcement has been so terribly bungled by Phorm – they’ve not made it at all clear how the ads will be inserted.
    My educated guess on this is that the ISPs will use the ad exchange that is a part of Phorm’s offering to sell the targeting data to ad networks. This kind of data brokerage is becoming increasingly common in the targeted ad industry, though it’s got almost no public profile, partly because it seems very scary to explain it to anyone. Phorm may have judged that attempting to explain this too clearly may have a counter-productive effect, though staying quiet on it just seems slippery.
    It would be commercial suicide for the ISPs to use any other method (like frames, or ad replacement) to place the ads. Frames would drive users away in droves, and ad replacement would invite huge lawsuits from advertisers & networks.
    In Phorm’s defence (sort of), explaining this industry to people is a bit like explaining how nuclear power generation works – the more detail you reveal, the more scary it seems to a layperson:
    – “But what if the motor controlling the fuel rods breaks down?”
    – “We have lots of backup systems”
    – “But what if they all break down at the same time?”
    – “That would be very unlikely”
    – “Yes, but what if it happened?”
    – “There’d be a meltdown”
    – “Oh my God!”
    Still, at least we’re not in the GM foods industry, I suppose…

  3. I find this particularly interesting given your prior discussion “Trust me I work for Microsoft”. For the record, Tim Berners Lee is the latest individual to sound off on the topic, pushing for an opt-in clause so that individuals can make that decision.
    I still think that for the end user, Google/yourself would have a very difficult time getting people to allow you to collect data, or to opt into such an agreement. They may not care too much about it, or even be aware of it, but the value proposition for an end user is pretty weak from my point of view. For site managers/marketers/analysts it’s a different ball game since you offer me a clear cut value proposition in return for my data.
    In this case I think the principle cause of furor is that this software resides at the ISP level which is quite a bit different, plus it has gained an inordinate amount of press for some reason or another. In addition, I still don’t think that a sizable portion of the internet has any idea what Google analytics or other related products are, or do, which should keep the argument of whether people would opt in or not somewhat moot for quite a while.

  4. By far the biggest difference between Phorm and Google is that of consent.
    Users are not automatically encouraged to use google, it is not thrust in their face when they use the internet. Phorm, when deployed as at least two of the three ISPs involved are apparently going to, will be.
    What of Google Analytics… it has nowhere near the sort of access Phorm will have. By Phorm’s own admission “As you browse, we’re able to categorize all of your Internet actions”. That’s their big marketing hook for advertisers – they see more than Google ever can.
    What benefit does this level of profiling bring the consumer? None whatsoever – all the benefit is for the advertisers. Anti-phishing – that’s merely a PR hook designed to camouflage the system from casual scrutiny. Modern browsers already have this technology, switched on and automatically updated, by default.
    Oh, and they also hijack your search terms, so even if you use a competitor you’re STILL being profiled by Phorm.
    All that is before we start on the subject of webmail, desktop applications other than web browsers or the fact that they are being given more access to your data that the authorities have without a court order!
    Perhaps now you see why there has been such a strong reaction to Phorm?

  5. If Phorm can satisfy me that if (when?) Homeland Security comes to them and says that “in the interests of National Security” they NEED to know about me, that Phorm’s answer will be, “Who? No Idea. No way we can help.”, then I will be happy. At that point, at a certain point of relevance advertising is a true service

  6. I have read the Phorm website info — sounds like they aren’t profiling “you” — it is more like a bear fishing for trout in a stream. A data stream comes by, there is a bear looking for trout and he swoops every time he sees one. The subjects (the trout) are on a list that advertisers pay for. The rest of the water is ignored, and more than that, once past, is “gone”. This all happens in real time. Anybody out there (more tech savvy than I am) who thinks I am not summarizing it correctly?

  7. I think the problem here, after a great analogy to the Nuclear industry, is that educated sections of the public and nuclear regulators alike understand the safeguards that are in place to protect from a meltdown. These safeguards can be inspected and there’s a high degree of confidence that they’ll work.
    Working for many years alongside various government departments I don’t have a single bit of confidence that any regulator even understands the technology, never mind how to put safeguards in place. Recent high profile data leaks from government will only reinforce the public’s intuitive distrust.
    I’ve read seemingly learned IT professionals arguing about how good/bad this is, is that analogous to Nuclear experts arguing whether there are sufficient safeguards in place to stop meltdown?
    Anyway, that aside, is targeted advertising really the goose everyone thinks it is? If someone’s been searching for holidays in Barbados surely this means they’re one of the proactive bunch who are also the least likely to be swayed by hard-sell. Anything they show an interest in they are likely to regard themselves as fairly discerning and knowledgable on such subjects.
    The best way to get at their disposable income is chance encounter. They’re searching for Barbados holidays but see an advert for a new bed which reminds them of their bad back… Facebook et al are already bombarding members with highly targeted ads and it will be interesting to see whether this proves successful.

  8. IAmTheLaw
    Comment No. 1013624
    March 26 15:57
    Phorm can maintain all it wants that it retains no information etc, but it doesnt make it true.
    infact their very own Coo to the us market, says the exact oposite as already pointed out in Charles tech blog.
    for those that didnt see the quote yet.
    “”As you browse, we’re able to categorize all of your Internet actions,” said Virasb Vahidi, the chief operating officer of Phorm. “We actually can see the entire Internet.”
    and their Patent confirmed this very same extensive capability.
    here is Phorm’s patent application toread for yourself
    for a change heres some less talked about facts:
    theres also the fact a customers key entrys and click stream data are their copyright property.
    its not for any ISPs or any profiling companys that think they can commercially use and own, without written permission or a signed contract.
    they are in law considered committing ‘commercial piracy’ if they use your date (and we are talking companys using these ISPs as well as home workers/users)to make profit,with all the implications that brings .
    then theres the ‘safe harbor’ question, did the UK ISPs in question, give up their legal protection in EU law by freely signing up and agreeing to ‘a general monitoring of the network’ in that contract for profit.
    …now back to the usual DPA, and RIPA comments…

Comments are closed.