Feeds

How Phorm plans to tap your internet connection

Under the hood of BT's data pimping machine

Security for virtualized datacentres

Exclusive Internal BT documents obtained by The Register for the first time provide solid technical information on how data from millions of BT, Virgin Media and Carphone Warehouse customers will be pumped into a new advertising system.

It will not be "injecting" anything into your internet connection, as some commenters on our previous stories have suggested. Phorm's Open Internet Exchange (OIX) is an online advertising broker service that, just like DoubleClick, matches advertisers with publishers. For both these parties, the closer the match the better: advertisers reach the people they're most interested in, who are more likely to click on the ad, which means the publisher will get more money.

DoubleClick does matching using a cookie. Each time you visit a website running DoubleClick code, it can log that you've been there and build up a profile of what ads might be relevant to you. You can of course just kneecap the DoubleClick's system by refusing its cookies in the first place (at that level at least; it does targeting in the old school way too, by serving technology ads on The Register, for example).

Phorm is notably vague on its own website about how its system actually works, preferring to emphasise that the data it collects will be anonymised, and that it also offers anti-phishing warnings.

"With OIX and Webwise, consumers are in control: they can switch relevance 'off' or 'on' at any time at Webwise.com," it reassures. But are they just be switching off ad targeting, or can they stop their data being sent to Phorm?

Click image to enlarge

A presentation doing the rounds at BT suggests two possible scenarios. The first alternative is that "ACE" in these diagrams checks whether a user has opted out of their browsing history being used to target advertising, and the process ends there and a normal HTTP request is sent to the website the user is visiting. The second possibility is that the opt-out check is performed once the request has been diverted all the way to the Anonymiser. That would mean Phorm still knows what you're looking at.

We'll be asking Phorm's CIO Marc Burgess about that point next week. You can help us out with your own questions for him. Just click on the author's name or post in the comments.

Click image to enlarge

"ACE" is a piece of Cisco hardware - its Application Control Engine. Details on the kit are here. F5 hardware performs similar functions, more here.

For users who don't opt out, the way the system works is much more clear (see "Active mode" slide). Hit a link in your browser and the HTTP request will be intercepted by the ACE and rerouted to Phorm's Anonymiser. Having hijacked the request, the Anonymiser can then set a tracking cookie, which it keeps hold of.

Without a response, the browser resubmits its request for the web page you want to visit. It is again rerouted to Phorm, but only as far as the F5 hardware, which bounces it on to the website you originally wanted, but also sends a copy of the request to Phorm's profiler kit.

The website reruns the content you want, which is again intercepted by the ACE. A copy of the page contents is sent to the Profiler, this time with the cookie in tow. If the publisher of the page is a member of the OIX, keywords in the page can be used to target ads. Finally the page is served up on your screen, and if everything is worked correctly, the browser and the user should be none the wiser.

As the process iterates the cookie will sit there, gradually building up a profile of your interests as you browse. It doesn't matter if most of the websites you visit aren't members of the OIX - their content will go towards targeting adverts on those that are.

Click image to enlarge

We tapped Aaron Crane, The Register's Technical Overlord, for help bending our puny scribe's brain around these diagrams. He said: "Looking at this makes me damn glad my own internet connection is funded by what I pay for it, so the ISP doesn't have to engage in this sort of shady practice merely to cover costs.

"If I were using one of the ISPs concerned, I'd switch."

Phorm meanwhile claims its technology represents "a revolution in privacy". On this evidence, we're inclined to agree. ®

Bootnote

BT still hasn't bothered to explain why it told El Reg, and more importantly its own customer, that it had no relationship with Phorm last summer. Suspicious connections to Phorm domains were the result of spyware, BT told a BT Business subscriber. We asked why first thing on Tuesday morning.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
'Serious flaws in the Vertigan report' says broadband boffin
Report 'fails reality test' , is 'simply wrong' and offers ''convenient' justification for FTTN says Rod Tucker
This flashlight app requires: Your contacts list, identity, access to your camera...
Who us, dodgy? Vast majority of mobile apps fail privacy test
Apple Watch will CONQUER smartwatch world – analysts
After Applelocalypse, other wristputers will get stuck in
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.