In part one of this Phorm series we covered the technology behind the Phorm implementation in the U.K., which could in turn be applied here in the United States if we become complacent about our privacy. This is part two, covering more general FAQs about Phorm and why we need to be concerned.
The Facts about Phorm & Co. from http://www.BadPhorm.co.uk
The purpose of this page is to set out the facts around this deal, without spin, marketing drivel or any other kind of distraction. Just facts, so you can make up your own mind. This page has been updated to reflect new information received since it was originally written.
Who is Phorm anyway?
Phorm is an Internet marketing company. They make money by selling advertising on web pages to various companies through their brokerage which they call the Open Internet Exchange (OIX). You can find out more about Phorm and the OIX from their website (http://www.phorm.com) but beware of the marketing-speak!
What’s so different about that? Google has been doing it for years!
Google’s advertising relies solely on Google’s own database to ‘target’ its adverts. It does this based on the content of the page you’re viewing, and doesn’t use any kind of browsing history unless you specifically opt in (by creating a Google account). Phorm, on the other hand, targets its advertising based solely on your browsing history, which it collects direct from your ISP. You can opt out of Phorm’s tracking by allowing a cookie to be set on your PC.
So you’re saying I’m automatically opted in?
Yes. If your ISP is Virgin Media, BT or Talk Talk, your browsing details WILL be sent to Phorm by default. To disable the Phorm system you must opt out on every browser that uses your network connection. There is no way to ‘globally opt out’ of the Phorm system.
So what do they actually see?
Phorm doesn’t just see the URL of every page you visit; they see the entire content of every single web page (with the exception of encrypted pages). That means they can read your mail if you use most types of web-mail, view all the posts you make or read on web forums, and obtain the content of most web-forms you complete. In fact, just about anything you do on the web that is not encrypted can be hoovered up by Phorm. Phorm claim they do not store this information for more than 14 days.
What do they store?
According to their website, Phorm store an aggregate history of your browsing, not a detailed history of each page you visit. Even so, such a history would reveal considerable detail about your browsing and potentially about your personal life.
Can this history be tied to my identity?
Phorm claim they do not store any personally identifiable information (including IP addresses) or interface with any ISP systems that would allow them to identify you; however, they assign each user a unique ‘tracking ID’ which relates directly to their browsing profile. If someone connected the ID to any piece of personally identifying information, your browsing history would no longer be anonymous.
I heard Phorm was associated with a rootkit, is that true?
Phorm is not; however, their predecessor company (121 Media) was. This has been confirmed by Phorm’s current CEO, who was also involved with 121 Media.
More info can be obtained here at BadPhorm.
Hanff: “Yeah. Of course the ISPs involved were claiming that they’ve had legal advice, and they’re perfectly happy with the legal situation. They believe it’s legal. But a number of technical experts, a number of legal experts, peers in the House of Lords, people at the European Commission, MPs in our own government, all believe that this technology is currently, and certainly was during the covert trials, illegal without the informed, and it has to be the expressed informed, consent of the individuals involved. So it isn’t a case of they can bury the terms in some end-user license agreement or the terms and conditions. These must be explicit informed consent because it’s dealing with communications and issues around privacy.”
In the near future it may become important to pressure ISPs to reject deep packet inspection systems like Phorm. Without ironclad assurances from U.S. ISPs that address privacy, security, legal, copyright, and technical concerns, we will likely have to act to protect the integrity of the public communication systems carrying private citizens’ information. How we do that, only time will tell.