How Phorm plans to tap your internet connection

Under the hood of BT's data pimping machine

Exclusive Internal BT documents obtained by The Register for the first time provide solid technical information on how data from millions of BT, Virgin Media and Carphone Warehouse customers will be pumped into a new advertising system.

It will not be "injecting" anything into your internet connection, as some commenters on our previous stories have suggested. Phorm's Open Internet Exchange (OIX) is an online advertising broker service that, just like DoubleClick, matches advertisers with publishers. For both these parties, the closer the match the better: advertisers reach the people they're most interested in, who are more likely to click on the ad, which means the publisher will get more money.

DoubleClick does matching using a cookie. Each time you visit a website running DoubleClick code, it can log that you've been there and build up a profile of what ads might be relevant to you. You can of course just kneecap DoubleClick's system by refusing its cookies in the first place (at that level at least; it does targeting in the old school way too, by serving technology ads on The Register, for example).

Phorm is notably vague on its own website about how its system actually works, preferring to emphasise that the data it collects will be anonymised, and that it also offers anti-phishing warnings.

"With OIX and Webwise, consumers are in control: they can switch relevance 'off' or 'on' at any time at Webwise.com," it reassures. But would they just be switching off ad targeting, or can they stop their data being sent to Phorm?

A presentation doing the rounds at BT suggests two possible scenarios. The first is that "ACE" in these diagrams checks whether a user has opted out of their browsing history being used to target advertising; if so, the process ends there and a normal HTTP request is sent to the website the user is visiting. The second possibility is that the opt-out check is performed once the request has been diverted all the way to the Anonymiser. That would mean Phorm still knows what you're looking at.

We'll be asking Phorm's CIO Marc Burgess about that point next week. You can help us out with your own questions for him. Just click on the author's name or post in the comments.

"ACE" is a piece of Cisco hardware - its Application Control Engine. Details on the kit are here. F5 hardware performs similar functions, more here.

For users who don't opt out, the way the system works is much more clear (see "Active mode" slide). Hit a link in your browser and the HTTP request will be intercepted by the ACE and rerouted to Phorm's Anonymiser. Having hijacked the request, the Anonymiser can then set a tracking cookie, which it keeps hold of.

Without a response, the browser resubmits its request for the web page you want to visit. It is again rerouted to Phorm, but only as far as the F5 hardware, which bounces it on to the website you originally wanted, but also sends a copy of the request to Phorm's profiler kit.

The website returns the content you want, which is again intercepted by the ACE. A copy of the page contents is sent to the Profiler, this time with the cookie in tow. If the publisher of the page is a member of the OIX, keywords in the page can be used to target ads. Finally the page is served up on your screen, and if everything has worked correctly, the browser and the user should be none the wiser.

As the process iterates the cookie will sit there, gradually building up a profile of your interests as you browse. It doesn't matter if most of the websites you visit aren't members of the OIX - their content will go towards targeting adverts on those that are.
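
One way a subscriber could look for the bounce described above in their own traffic, as an added example that is not from the BT documents or The Register. It assumes the diversion to the Anonymiser is visible to the browser as an HTTP redirect to another host, which sets a cookie and sends the browser back to the original URL; the log records and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample log: (request URL, status, Location header, Set-Cookie header).
# Hostnames are placeholders, not real Phorm or BT endpoints.
SAMPLE_LOG = [
    ("http://news.example/story", 307, "http://anonymiser.invalid/a?u=http://news.example/story", None),
    ("http://anonymiser.invalid/a?u=http://news.example/story", 307, "http://news.example/story", "uid=abc123"),
    ("http://news.example/story", 200, None, None),
    ("http://shop.example/", 301, "http://www.shop.example/", None),  # ordinary redirect
    ("http://www.shop.example/", 200, None, None),
    ("http://blog.example/post", 307, "http://anonymiser.invalid/a?u=http://blog.example/post", None),
    ("http://anonymiser.invalid/a?u=http://blog.example/post", 307, "http://blog.example/post", "uid=abc123"),
    ("http://blog.example/post", 200, None, None),
]

def host(url):
    return urlsplit(url).hostname

def find_bounces(log):
    """Return (original_url, intermediary_host) for each bounce-through.

    A bounce-through: a request for URL X is redirected to a different host H,
    and H sets a cookie while redirecting straight back to exactly X.
    """
    findings = []
    for (url, status, location, _), (n_url, n_status, n_location, n_cookie) in zip(log, log[1:]):
        if not (300 <= status < 400 and location):
            continue  # first hop was not a redirect
        if n_url != location or host(location) == host(url):
            continue  # next record is unrelated, or the redirect stayed on one host
        if 300 <= n_status < 400 and n_location == url and n_cookie:
            findings.append((url, host(location)))
    return findings

def shared_intermediaries(log, min_sites=2):
    """Intermediaries that bounce requests for several unrelated sites.

    A site's own login redirect touches one site; an in-path interceptor
    appears in front of every site the subscriber visits.
    """
    reach = {}
    for url, middle in find_bounces(log):
        reach.setdefault(middle, set()).add(host(url))
    return {m: sorted(sites) for m, sites in reach.items() if len(sites) >= min_sites}

if __name__ == "__main__":
    print(shared_intermediaries(SAMPLE_LOG))
```
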

We tapped Aaron Crane, The Register's Technical Overlord, for help bending our puny scribe's brain around these diagrams. He said: "Looking at this makes me damn glad my own internet connection is funded by what I pay for it, so the ISP doesn't have to engage in this sort of shady practice merely to cover costs.

"If I were using one of the ISPs concerned, I'd switch."

Phorm meanwhile claims its technology represents "a revolution in privacy". On this evidence, we're inclined to agree. ®

Bootnote

BT still hasn't bothered to explain why it told El Reg, and more importantly its own customer, that it had no relationship with Phorm last summer. Suspicious connections to Phorm domains were the result of spyware, BT told a BT Business subscriber. We asked why first thing on Tuesday morning.
