How Phorm plans to tap your internet connection
Under the hood of BT's data pimping machine
Exclusive Internal BT documents obtained by The Register for the first time provide solid technical information on how data from millions of BT, Virgin Media and Carphone Warehouse customers will be pumped into a new advertising system.
It will not be "injecting" anything into your internet connection, as some commenters on our previous stories have suggested. Phorm's Open Internet Exchange (OIX) is an online advertising broker service that, just like DoubleClick, matches advertisers with publishers. For both these parties, the closer the match the better: advertisers reach the people they're most interested in, who are more likely to click on the ad, which means the publisher will get more money.
DoubleClick does matching using a cookie. Each time you visit a website running DoubleClick code, it can log that you've been there and build up a profile of what ads might be relevant to you. You can of course just kneecap the DoubleClick's system by refusing its cookies in the first place (at that level at least; it does targeting in the old school way too, by serving technology ads on The Register, for example).
Phorm is notably vague on its own website about how its system actually works, preferring to emphasise that the data it collects will be anonymised, and that it also offers anti-phishing warnings.
"With OIX and Webwise, consumers are in control: they can switch relevance 'off' or 'on' at any time at Webwise.com," it reassures. But are they just be switching off ad targeting, or can they stop their data being sent to Phorm?
A presentation doing the rounds at BT suggests two possible scenarios. The first alternative is that "ACE" in these diagrams checks whether a user has opted out of their browsing history being used to target advertising, and the process ends there and a normal HTTP request is sent to the website the user is visiting. The second possibility is that the opt-out check is performed once the request has been diverted all the way to the Anonymiser. That would mean Phorm still knows what you're looking at.
We'll be asking Phorm's CIO Marc Burgess about that point next week. You can help us out with your own questions for him. Just click on the author's name or post in the comments.
For users who don't opt out, the way the system works is much more clear (see "Active mode" slide). Hit a link in your browser and the HTTP request will be intercepted by the ACE and rerouted to Phorm's Anonymiser. Having hijacked the request, the Anonymiser can then set a tracking cookie, which it keeps hold of.
Without a response, the browser resubmits its request for the web page you want to visit. It is again rerouted to Phorm, but only as far as the F5 hardware, which bounces it on to the website you originally wanted, but also sends a copy of the request to Phorm's profiler kit.
The website reruns the content you want, which is again intercepted by the ACE. A copy of the page contents is sent to the Profiler, this time with the cookie in tow. If the publisher of the page is a member of the OIX, keywords in the page can be used to target ads. Finally the page is served up on your screen, and if everything is worked correctly, the browser and the user should be none the wiser.
As the process iterates the cookie will sit there, gradually building up a profile of your interests as you browse. It doesn't matter if most of the websites you visit aren't members of the OIX - their content will go towards targeting adverts on those that are.
We tapped Aaron Crane, The Register's Technical Overlord, for help bending our puny scribe's brain around these diagrams. He said: "Looking at this makes me damn glad my own internet connection is funded by what I pay for it, so the ISP doesn't have to engage in this sort of shady practice merely to cover costs.
"If I were using one of the ISPs concerned, I'd switch."
Phorm meanwhile claims its technology represents "a revolution in privacy". On this evidence, we're inclined to agree. ®
BT still hasn't bothered to explain why it told El Reg, and more importantly its own customer, that it had no relationship with Phorm last summer. Suspicious connections to Phorm domains were the result of spyware, BT told a BT Business subscriber. We asked why first thing on Tuesday morning.
As soon as this is introduced, I'm dropping Virgin Media.
Why on Earth they would think that I would want to allow shady third parties to get hold of my browsing habits, I've no idea.
Oh, and as a VM affiliate, I will no longer be generating customers for them.
Phorm in a tea cup?
If you walk down the street and pop into a sex shop in broad daylight, you run the risk of being seen. So, you get yourself a dirty macintosh and turn your collar up and protect your privacy.
If you pop into a sex site on the Internet, it is a similar deal. You risk being seen. So you get yourself something to conceal your activities, if you are concerned about your privacy... if it makes you less electable as a member of Parliament.
Your ISP and therefore Phorm can't snoop SSL (HTTPS). If you read your mail over SSL, your mail is private. Charity Worker, make sure you read your mail over HTTPS. If you browse information that you do not want others to know about or associate with you, make sure it is over SSL.
In the past nobody much [that you were aware of] was watching your unencrypted activity and you may have been able to kid yourself that you could safely do the equivalent of hanging your house keys on the garden gate. We all need to wise up and be aware of what's public and what's private. That's all.
Sent an E-mail to Virgin Media asking for clarification as to why my personal details and browsing history is being diverted to a third party in China, which I consider to be an invasion of my privacy. My contract with Virgin is to Provide an access portal to the internet and nothing else. In the same way a person asks BT, Vodaphone, Orange, etc to provide a Telephone line for making Phone Calls. They would not expect all their telephone conversations to be sent to China for recording and dissemination for data.
Today I received a 'Feedback' questionnaire about my thoughts on their reply, which was a standard item saying basically they thought it would be better for me. The worst part about that is that although Virgin Media is a UK company providing a UK based ISP service and I sent an e-mail to that UK company; the questionnaire has come from the USA, which means Virgin have also sent my message to them as well. The US e-mail small print states:-
Satmetrix Systems, a leading provider of customer experience management solutions, will be conducting the survey on behalf of Virgin Media.
Satmetrix Systems does not use this information for any other purpose. If you'd like to find out more about how Satmetrix Systems will use your information, just click on the following link to see their privacy statement: http://www.satmetrix.com/company/privacy.htm. And if you want to contact Satmetrix Systems by mail, just write to them at Satmetrix Systems, 950 Tower Lane, Suite 500, Foster City, CA 94404
EU Respondents: The data collected from you may be transferred out of the European Economic Area (EEA) to be processed on behalf of and under the instruction of Virgin Media Corporation by a third party data processor based in the USA. Under the United States/European Union Data Protection Safe Harbor Agreement, Satmetrix will only process personal data for the purpose determined by Virgin Media.
So much for Personal Privacy when Virgin Media send your e-mail messages to them to one country and divert your internet usage history to the largest communist state in the world with a proven history of repression, who at any time can take the data from the companies computers for their own use. BIG BROTHERS are here and one's called Branson!
Rant over (for now Confused )