Is Phorm really that bad?
Online ad-tracking service Phorm has found itself at the centre of a storm of negative publicity. The combination of secret BT trials, alleged over-enthusiastic editing of its own Wikipedia entry and a past embroiled in adware was always going to be a recipe for PR disaster. The media feeding frenzy, both in print and online, has been encouraged by privacy advocates and opinionated bloggers alike. The Foundation for Information Policy Research has even questioned the very legality of what Phorm does.
Behavioural targeting of online advertising is, in theory, a Holy Grail for both advertisers and consumers. After all, it should deliver advertising of far greater relevance than a randomly chosen banner ad. If you were reading this feature online at the PC Pro website, the marketing bods at Dennis Publishing could reasonably determine you have an interest in PCs, internet services and privacy, so you might be served adverts for a new PC, a new deal from an ISP or anonymous browsing software. That’s all well and good, but the targeting is highly assumptive and relies on a single piece of data: that you are reading this feature.
Behavioural targeting goes a step further: it looks at where you have been before arriving at the current page and delivers advertising based on this more precise pattern-matching data. So if you had been browsing reviews of digital cameras, price-comparison sites for new digital SLRs and online camera shops, then surely it makes more sense to throw an advert for digital cameras at you, instead of one for an ISP?
So, we ask, what is everyone complaining about?
The short arm of the law
The problems start when you ask how this can be done without impacting upon user privacy. Privacy advocates will tell you that it can’t, that there has to be some kind of deep-packet inspection of the web; that you have to stick your nose in where it doesn’t belong and where it’s most certainly not wanted.
And this is at the heart of the furore surrounding companies such as Phorm in the UK and NebuAd in the US, both of which stand accused of introducing their technologies by stealth. NebuAd has been trialled by a number of US ISPs that only mentioned the fact in their terms and conditions notices (and who reads those?). Phorm was tested in secret trials in 2006 and 2007 by BT, the UK’s biggest ISP. By not being totally up-front about the implementation or testing of such technology, the companies involved leave themselves wide open to criticism of having something to hide.
So how does the Phorm system, called Webwise, actually work? Traffic between the user and websites is copied using a Layer 7 switch concept, a kind of deep-packet inspection or policy-based routing that inspects data on port 80, the port used for web browsing via the HTTP protocol. All other traffic is ignored by Phorm, as is encrypted data.
The Layer 7 switch can redirect traffic to an ISP-based machine that checks for opt-in or opt-out conditions, and determines the unique identifier that labels the usage for Phorm. A profiler machine within the ISP's network looks at individual web pages and breaks them down into word lists, such as "camera" for a digital camera site. After discarding digits and other non-relevant words and symbols, the remaining words are sorted by frequency on the page. The ten most commonly used then form the context of the page itself.
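The profiling step described above, sketched in Python as an added example; it is not Phorm's code and not part of the original article. It shows what a ten-word page context looks like for one page. The stop-word list, the skipping of script and style text, the alphabetical tie-break and the sample page are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed stop list; the article only says "non-relevant words" are discarded.
STOPWORDS = frozenset("a an and are as at by for from in is it of on or our "
                      "that the this to with you your".split())

class VisibleText(HTMLParser):
    """Collects page text, skipping <script> and <style> bodies (assumption)."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def word_counts(html):
    """Word list for one page: digits, symbols and stop words discarded."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    tokens = re.findall(r"[a-z0-9]+", " ".join(parser.chunks).lower())
    # isalpha() drops any token containing a digit, e.g. "2008" or "12mp".
    return Counter(t for t in tokens if t.isalpha() and t not in STOPWORDS)

def page_context(html, top_n=10):
    """The top_n most frequent words; ties broken alphabetically (assumption)."""
    ranked = sorted(word_counts(html).items(), key=lambda kv: (-kv[1], kv[0]))
    return [word for word, _ in ranked[:top_n]]

# Constructed sample page, modelled on the article's digital camera example.
SAMPLE_PAGE = """<html><head><title>Digital camera reviews</title>
<style>body { color: #333 }</style>
<script>var tag = "camera camera camera";</script></head>
<body><h1>Best digital SLR camera deals 2008</h1>
<p>Compare camera prices: the 12MP camera from &pound;399, lens kits and camera bags.</p>
<p>Our digital SLR reviews cover lens and camera tests.</p></body></html>"""

if __name__ == "__main__":
    print(page_context(SAMPLE_PAGE))
```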